[DM365] Is there any new toolchain version for fix the security hole [CVE-2015-0235]

user4269841

Dear All

Our DM365 platform are using "arm-davinci-linux-gnueabi" toolchain which using glibc V2.6 which have the GHOST security hole [CVE-2015-0235],

Is there any new version of toolchain or glibc library available to fix it?

Or anyother way to fix this issue?

TheGHOST security hole [CVE-2015-0235]:

http://grahamcluley.com/2015/01/ghost-vulnerability-faq/

over 10 years ago

0 Titusrathinaraj Stalin over 10 years ago

TI__Guru** 116100 points

Hi,
As far as I know, DM365 use the montavista toolchain (arm_v5t_le-)
DM365 is a legacy product and support is very limited so you can contact your Local TI FAE.

0 Prabhakar Lad over 10 years ago

Guru 11260 points

Hello,

You can use the arm-none-linux-gnueabi- toolcahin from codesourcery [1].

[1] processors.wiki.ti.com/.../Linux_Toolchain

Regards,
--Prabhakar Lad

0 Chris Meng over 10 years ago in reply to Prabhakar Lad

TI__Mastermind 37726 points

Prabhakar,

I tested arm-none-linux-gnueabi- toolcahin and it is also vulnerable.

0 Luke Lin over 10 years ago in reply to Chris Meng

TI__Expert 3250 points

You may visit below link to check vulnerable versions.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235

Vulnerable software and versions

I've checked IPNC_RDK_DM36x_V5.1.0. The version of glibc is 2.9 which is not vulnerable.

root@ubuntu:~/IPNC_RDK_DM36x_V5.1.0/Source/dvsdk_ipnctools/linux-devkit/arm-arago-linux-gnueabi/lib $ ls -la libc-*

-rwxr-xr-x 1 40502 3355 1176904 2013-01-28 16:13 libc-2.9.so

For the releases still using Montavista tool chan, the version of glibc is 2.5.90, which is not vulnerable either.

root@ubuntu:~/tmp/v3.00-140425/toolchain-src/DM368/mv_pro_5.0/montavista/pro/devkit/arm/v5t_le/target/lib $ ls -la libc-*

-rwxr-xr-x 1 root root 1472179 2008-08-30 14:41 libc-2.5.90.so

If your glibc is vulnerable, you have to

1. Patch then re-build the tool-chain.

2. Re-build all your applications with the new tool-chain

3. If you are using share lib, make sure the libc in the new tool-chain has been copied to targe file system

Best Regards,

Luke Lin

0 Diego Santa Cruz over 10 years ago in reply to Luke Lin

Intellectual 360 points

As far as the list of version numbers go I would not blindly trust it. If it is listed it is vulnerable, if it is not listed then it may or may not be.

Personally I have a system using glibc-2.3.3, which is not listed as affected above, but which I have tested as being vulnerable. From what I've read all glibc versions between 2.2 and 2.17 are vulnerable, unless patched by your vendor.

I would strongly suggest you to compile and run the test program at www.openwall.com/.../9 to see if your system is vulnerable.

Patching glibc is easy (the patch can be found at sourceware.org/git;a=commitdiff;h=d5dd618), but rebuilding it and deploying the rebuilt lib may not be.

Sincerely,

Diego

Processors

Processors forum

[DM365] Is there any new toolchain version for fix the security hole [CVE-2015-0235]