How to patch CVE-2015-0235 (GHOST) on Debian Lenny and Squeeze?

Is there a right way to patch GHOST on Debian Lenny and Squeeze?

According to this link, there are no plans to patch Lenny: https://security-tracker.debian.org/tracker/CVE-2015-0235

Thanks!


Install devscripts

Get the patch for lenny from http://pastebin.com/Hhsut197 (based on the official glibc patch, removed ChangeLog, NEWS stuff, adapted Makefile for lenny, removed patch #2 for getXXbyYY_r.c)

Run: apt-get update && apt-get source libc6; apt-get build-dep libc6

Copy your patch into glibc-2.7/debian/patches/all

Add the patch name in glibc-2.7/debian/patches/series

Run rebuild (or install devscripts package and run debuild) and you should be done

The idea should be the same for etch. The adapted patch for etch is here: pastebin.com/UXGnJd6A

Squeeze is patched (libc6-2.11.3-4+deb6u4) only if you have squeeze-lts repository in your sources.list:

deb http://ftp.uk.debian.org/debian squeeze-lts main

You can also use the eglibc patch from Squeeze LTS to build patched Lenny packages: http://sources.debian.net/data/main/e/eglibc/2.11.3-4+deb6u4/debian/patches/any/cvs-gethostbyname.diff

Put it in glibc-2.7/debian/patches/any and add it to the end of the glibc-2.7/debian/patches/series file. Now build the packages, upgrade your system with them and test your system with the GHOST tool: https://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c

Jeremy
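
The copy-and-register step that both answers above describe can be scripted. This is an added example, not part of either answer and not Debian tooling. `add_series_patch` is a hypothetical helper name, and the `<subdir>/<file>` form of a series entry and the unified-diff check are assumptions based on the paths given above.

```shell
#!/bin/sh
# Added example: stage a patch in an unpacked Debian glibc source tree and
# register it in debian/patches/series. add_series_patch is a hypothetical name.
#
# usage: add_series_patch <source-tree> <subdir> <patch-file>
#   e.g. add_series_patch glibc-2.7 any cvs-gethostbyname.diff
add_series_patch() {
    tree=$1 subdir=$2 patch=$3
    series="$tree/debian/patches/series"
    entry="$subdir/$(basename "$patch")"   # assumed entry form: <subdir>/<file>

    # Refuse to touch anything that is not an unpacked source tree.
    [ -f "$series" ] || { echo "no series file in $tree" >&2; return 1; }
    # An empty download would otherwise produce an unpatched libc6 build.
    [ -s "$patch" ] || { echo "patch $patch missing or empty" >&2; return 1; }
    # Assumption: the patch is a unified diff, so it has a hunk header.
    # This catches an HTML page saved in place of the raw patch.
    grep -q '^@@ ' "$patch" || { echo "$patch is not a unified diff" >&2; return 1; }

    mkdir -p "$tree/debian/patches/$subdir"
    cp "$patch" "$tree/debian/patches/$entry"

    # Idempotent: do not list the patch twice when the script is re-run.
    if grep -qxF "$entry" "$series"; then
        return 0
    fi
    # If the last line lacks a newline, appending would glue the new entry
    # onto the previous one and neither name would resolve to a patch file.
    if [ -s "$series" ] && [ -n "$(tail -c 1 "$series")" ]; then
        echo >> "$series"
    fi
    echo "$entry" >> "$series"
}
```

After it returns 0, the last line of the series file names the new patch and the build step from the answers can be run.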


I've recompiled the glibc-2.7 sources for Debian Lenny including the CVE-2015-0235 patch of Debian Squeeze LTS.

As it takes quite some time to compile these packages you may grab a copy via https://flo.sh/debian-lenny-cve-2015-0235-glibc-patch/

Vulnerability check looks OK now:

[00:15:26] root@[...]: /usr/src/ghost> ./ghost
not vulnerable

Thank you guys for adding this compact summary on this issue, -Flo