0

I'm planning to upgrade glibc on several servers due to CVE-2015-7547.

https://googleonlinesecurity.blogspot.jp/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

Before upgrading glibc, I would like to make a rough estimate of which services and programs are involved with glibc so that I won't screw things up.

Is there any good way to do this?

ernix

1 Answer

0

Pretty much every single binary on a *nix system uses it, but if you want to run some specific checks, you could do something like this:

$ for i in sort dig nc httpd nginx postfix tail head named awk sed; do ldd $(which $i) | grep -qw libc && echo $i; done
sort
dig
nc
httpd
nginx
postfix
tail
head
named
awk
sed

The output will be only the binaries which reference libc, which as you can see, on the short list I have chosen above, is everything.

Normally an upgrade like this requires a restart of all services. For a library as major as this, I normally schedule a complete reboot of the system if at all possible, but I realise that this may not be possible, and in some cases, may not be required (a restart of services is usually enough).

FYI, the above script mostly works because:

$ ldd /usr/bin/dig | grep -w libc
    libc.so.6 => /lib64/libc.so.6 (0x00007f2b1158a000)
$ rpm -q --whatprovides /lib64/libc.so.6
    glibc-2.12-1.166.el6_7.7.x86_64
parkamark
  • Hmm, I'm pretty sure there are *nix systems free of glibc (OpenBSD, for example), and then even some linux systems that use a not-glibc libc. – thrig Feb 17 '16 at 17:02
  • @thrig Yes, you're probably right, but I've only ever dealt with mainstream Linux distros, so I know of nothing else. :) – parkamark Feb 17 '16 at 17:15
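
A complementary check to the `ldd` loop in the answer, added here as an example (not code from either poster): it reads `/proc/PID/maps` to list running processes that have glibc mapped and, after the upgrade, marks those still holding the replaced library as `stale`. The function names and the libc file-name pattern are assumptions of this example.

```shell
#!/bin/sh
# Added example: which running processes have glibc mapped, and which of them
# still hold a copy that has been replaced on disk (restart needed).

# libc_state MAPS_FILE
# Prints "none", "current" or "stale" for one /proc/PID/maps-format file.
# Assumption: the library file is named libc.so.N or libc-X.Y.so, which
# excludes look-alikes such as libcap or libcrypt.
libc_state() {
    awk '
        $6 ~ "/libc(\\.so|-[0-9])[^/]*$" {
            found = 1
            # The kernel appends "(deleted)" once the mapped file is unlinked,
            # which is what a package upgrade does to the old library.
            if ($NF == "(deleted)") stale = 1
        }
        END { print (stale ? "stale" : (found ? "current" : "none")) }
    ' "$1"
}

# scan_procs [PROC_ROOT]
# Prints "PID<TAB>COMMAND<TAB>STATE" for every process that maps glibc.
# PROC_ROOT defaults to /proc; it is a parameter so the scan can be pointed
# at a saved copy of the tree.
scan_procs() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        [ -r "$d/maps" ] || continue
        # Processes can exit mid-scan or be unreadable: skip them quietly.
        state=$(libc_state "$d/maps" 2>/dev/null) || continue
        # Kernel threads and static binaries have no libc mapping.
        if [ "$state" = none ]; then continue; fi
        comm=$(cat "$d/comm" 2>/dev/null) || comm='?'
        printf '%s\t%s\t%s\n' "${d##*/}" "$comm" "$state"
    done
}

scan_procs "${1:-/proc}"
```

Run it as root so that other users' `maps` files are readable. Before the upgrade every line reads `current`, which gives the inventory of affected services; afterwards the `stale` lines are the restart list.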