This minor Linux bug fix created a much more serious problem

(Image credit: Shutterstock)

While studying the patch for a recently fixed vulnerability in the GNU C library (glibc), cybersecurity engineers discovered another issue, which they say affected every Linux distro.

CloudLinux engineer Nikita Popov chanced upon what can essentially be classified as a denial-of-service vulnerability in the upstream glic. Popov believes the bug, tracked as CVE-2021-38604, can be exploited to cause a segmentation fault, causing an application to crash.

“Bear in mind that glibc provides the main system primitives and is linked with most, if not all, other Linux applications, including other language compilers and interpreters. It is the second most important component of a system after the Kernel itself,” wrote CloudLinux in a blog post.

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> <a href="" data-link-merchant=""" target="_blank">Click here to start the survey in a new window <<

According to Popov’s analysis, the vulnerability was introduced ironically in the patch that was devised to fix the earlier glibc vulnerability, tracked as CVE-2021-33574.

A patchy fix

Reporting on the development, ZDNet claims that the first glibc issue wasn’t particularly bad. In fact, a Red Hat engineer explained the bug wasn’t easily exploitable and required several conditions to be met before it could negatively impact any app.

The bug still needed to be fixed, but the patch introduced the denial-of-service vulnerability that can reportedly be triggered without much trouble.

CloudLinux published information about the vulnerability and a fix, which has since been rolled into the upstream glibc. Furthermore, it has also submitted a new test for glibc’s automated test suite to prevent the bug from rearing its head again. 

“Sometimes, changes in unrelated code paths can lead to behaviours changing elsewhere in the code and the programmer not being aware of it. This test will catch this situation,” writes CloudLinux.

Via ZDNet

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.