Glibc bug in Arch

[SlF]

[waves]

I have posted a similar question in the bug section
post11798.html

[PeteB]

Can you be more specific please?

I am not one to take security issues lightly, but I have read some of the articles about glibc, and I don't see why the average diy'er or Rune Audio user should be too concerned. If you could be more specific about what is at risk, I would be happy to comment.

I mean what can happen? will someone delete my audio library (it's backed up). Can they use my Rune player to access files on my server? Nope, that hole has been closed for a while... Can someone download punk music into my jazz library? Ummmm, maybe, but it could use a little fresh air anyway...



Pete

[SlF]

[PeteB]

I am not convinced that this is an issue on a Rune player, probably because I don't understand how the "bad" code with the exploit would get on a device such as this one.

The only time DNS is used is when a domain name needs to be translated into an ipaddress. On a Rune player, this is not often (I think). For example, when I use ssh to log into the Rune player from a terminal to perform some maintenance task, and then run a command like, ping bbc.com.

Only other time I can think of offhand is when a web radio address is used.

Aside from that, you can identify the version of Gnu libc by typing ldd --version, and you can see your name server in /etc/resolv.conf. If you comment out the nameserver line, then name resolution will stop (ping bbc.com will fail, web radio will not work).

Having said all that, I would be interested in reading any other comments, especially as related to a Pi, since I use mine for other things besides Rune Audio

[waves]

[SlF]

[PeteB]

@waves: Dirble and similar services occured to me, but since I am not using them, I can't really comment (I do use a few web radio stations, so I know those only work with name lookup of some kind).

I just don't see an exploit based on radio streams, unless someone first hacks a web radio station, and inserts code tailored to execute on a Pi... unlikely, except as a thought experiment. I did not think of the album cover lookup, but it seems equally unlikely.

I think the larger problem is for all networked devices including those based on the Pi because the software is semi-embedded and can't be updated by the user as effortlessly as Linux on a PC, but it CAN be altered maliciously. Your smart phone, your TV, even the ever-so-friendly "Fire TV Stick w. Voice Remote" can be used against you.

@sif: Thanks for the explanation above. I think that if you have any device with embedded code connected to the same network as your Windows or Linux box, you can't really protect your net. It's like asking, if I leave my doors and windows unlocked, how can I protect myself against thieves? The only answer that makes sense, is to lock your doors and windows. Welcome to the brave new Internet of Things...

edit:

If e-cigs can infect your system with malware, just think what an Airmouse is capable of...

[SlF]

[waves]