glibc bug: Amahi impacts?

mcinroy
Posts: 35
Joined: Wed Feb 03, 2016 11:51 am

Postby mcinroy » Wed Feb 17, 2016 7:56 am

Hello.

Was reading this article this morning:
"Extremely severe bug leaves dizzying number of software and devices vulnerable | Ars Technica"
http://arstechnica.com/security/2016/02 ... ulnerable/

Was wondering if anyone else had read about it, or whether anyone could comment on how it impacts Amahi?

cpg
Administrator
Posts: 2618
Joined: Wed Dec 03, 2008 7:40 am

Re: glibc bug: Amahi impacts?

Postby cpg » Wed Feb 17, 2016 8:35 pm

Yes, we saw that article. Quite alarmist. If you read through it ... you can see that
... weaponized exploits that successfully execute malicious code are "possible, but not straightforward" ...
Which is a little less worrying. Since the result is a crash, it's not an immediate code execution risk. For now. It may become an issue later.

We do not advise our users to open up their HDA to the wild wild internet, so that makes it such that an attacker would have to have access to the local network to begin with.

For people that open up their ssh or VPN (or web server), this may become an attack vector, though that makes it quite a smaller attack surface.

All in all, it's something we have to watch for. We may release an update that forces a glibc update soon, just to be safe.

Thanks for the post. Keeps us on our toes! :D
My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 8GB RAM, 1TBx2+3TBx1

mcinroy
Posts: 35
Joined: Wed Feb 03, 2016 11:51 am

Re: glibc bug: Amahi impacts?

Postby mcinroy » Thu Feb 18, 2016 9:17 am

Y... Quite alarmist.

... less worrying.

... smaller attack surface.
Yes, agreed 100% on all fronts.

I felt it probably wasn't a significant risk. Mainly wondered whether there might be something included in the next release of Amahi to address the issue. I expect Fedora will be patched. Having Amahi covered would be great, too.

(Would also be good to know which Amahi apps might be at risk. I guess that may be up to each developer...)

Thanks for your response!

bigfoot65
Project Manager
Posts: 11924
Joined: Mon May 25, 2009 4:31 pm

Re: glibc bug: Amahi impacts?

Postby bigfoot65 » Thu Feb 18, 2016 11:01 am

If Fedora gets patched, then Amahi is covered. The exploit would come from the OS.
ßîgƒσστ65
Applications Manager

My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 16GB RAM, 1TBx1+2TBx2+4TBx2
