On 10/10/2023 21:58, Jamie MacIsaac via BitFolk Users wrote:
Apologies for exposing my ignorance in public like this, but can somebody tell me how I'd know if my Debian Bookworm system has been patched to ensure it's no longer vulnerable to the "Looney Tunables" privilege escalation (https://www.debian.org/security/2023/dsa-5514)?

The fix is apparently in the most recent glibc source package. I don't seem to have that glibc package installed (and it's a source package, not a binary?), but I read that stock installs of Debian (and most linuxes) are vulnerable. Which actual binary packages need to be updated to fix the vulnerability in the dynamic loader, and how does this relate to the source package?

Hello Jamie.

Good Linux communities are always open to questions and providing help.

According to https://security-tracker.debian.org/tracker/CVE-2023-4911 this is fixed in the security release 2.36-9+deb12u3.

Make sure that you have the following line in /etc/apt/sources.list, or in a file with a .list extension within the sources.list.d directory:

deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware

Run `apt update` and then `apt upgrade` and this should get that update if you don't have it already.

As you saw, glibc-source is a source package which you are unlikely to have unless you compile executables on that machine, and so I think the main package you need to check is libc-bin (edit: and libc6).

To see what version you are running, run `apt show libc-bin` (and repeat for libc6) and look at the 'Version' line.

In my case I'm still on Bullseye, but checking the package changelog confirms that the version I have has been patched. The Bookworm changelog is at https://metadata.ftp-master.debian.org/changelogs/main/g/glibc/glibc_2.36-9+deb12u3_changelog

Gavin
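
The version check described in the reply above can be scripted; this is an added example, not part of the original thread, and it compares each package's installed version against the Bookworm fixed version 2.36-9+deb12u3 quoted from the security tracker. The function names `ver_ge` and `check_list`, the `FIXED` variable and the sample input are assumptions made for illustration. The default `FIXED` value applies to Bookworm only; for another release, set it to the fixed version the tracker lists for that release.

```shell
#!/bin/sh
# Added example: compare installed glibc binary packages with the fixed version.
# Fixed version for Bookworm as quoted in the thread; override FIXED for other releases.
FIXED="${FIXED:-2.36-9+deb12u3}"

# ver_ge A B: succeed if Debian version A is greater than or equal to B.
ver_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        # Fallback for checking a saved package list on a non-Debian host.
        # "sort -V" only approximates dpkg ordering; prefer dpkg where available.
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# check_list: read "package version" lines on stdin, print one verdict per line,
# and return 1 if any package is older than $FIXED.
check_list() {
    rc=0
    while read -r pkg ver; do
        [ -n "$pkg" ] || continue
        if ver_ge "$ver" "$FIXED"; then
            echo "$pkg $ver fixed"
        else
            echo "$pkg $ver needs-update (fixed in $FIXED)"
            rc=1
        fi
    done
    return $rc
}

# On a live system, feed it the installed versions (dpkg-query reports what is
# installed, not what is merely available in the archive):
#   dpkg-query -W -f='${Package} ${Version}\n' libc6 libc-bin | check_list

# Constructed sample input (not real output): one package updated, one not.
check_list <<'EOF' || echo "=> run apt update and apt upgrade"
libc6 2.36-9+deb12u3
libc-bin 2.36-9+deb12u1
EOF
```

The non-zero return from `check_list` makes it usable in a cron job or configuration-management check across several hosts.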