CVE-2015-7547 glibc bug

We have a number of BBBs that are running Ubuntu 14.04. Everything I’ve found on this bug/patch indicates that ‘ldd --version’ should show the vulnerable version of libc as 2.19-0ubuntu6.6, and the patched one as 2.19-0ubuntu6.7. Both before and after running ‘apt-get install libc6’ all I see is ‘2.19-0ubuntu6’, with no minor version number.

I don’t know if this is because this is the ARMHF build, or for some other reason, but the bottom line is I don’t know whether these BBBs are vulnerable or not. Can someone suggest a simple alternate way of confirming which libc6 is installed, or shed light on this?

Thanks

According to:

http://packages.ubuntu.com/trusty/libc6

&

http://ports.ubuntu.com/pool/main/e/eglibc/

2.19-0ubuntu6.7 was pushed out: 16-Feb-2016

Regards,

So if I updated today, that should be what I get. But as I said, what I actually see is not “2.19-0ubuntu6.7” but “2.19-0ubuntu6” ( no “.7”).

Am I checking incorrectly, or is ldd under-reporting, or is there some other relatively painless way to confirm which version is actually present?

$ dpkg-query --show libc6

Bingo! 'dpkg-query --show libc6' does show 6.7.

Curious why ldd does not.

Thanks!

??

peter@black:~$ ldd --version
ldd (Ubuntu EGLIBC 2.19-0ubuntu6.7) 2.19
                   ^^^^^^^^^^^^^^^

I don’t get that on my BBBs ( which have ubuntu 14.04, if that matters).

I’m speculating that since what ldd is actually showing, as I understand it, is the version number and dependencies of ldd itself, it is showing the version number of what it requires, i.e. any libc6, not the one actually in use, i.e. libc6.7. Or maybe more likely, libc6 is actually a link to libc6.x, and that’s what ldd is reporting? Pure speculation, tho’. I’d love to hear the real story.

I don't get that on my BBBs ( which have ubuntu 14.04, if that matters).

It's beyond my power to see what you actually do get for output if you don't post it.
And I pulled that 'ldd --version' output from a 14.04 bbb as well.

The whole story:

vigil@VE1cba8ca9e5fb:~$ ldd --version
ldd (Ubuntu EGLIBC 2.19-0ubuntu6) 2.19
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper

But at this point I don’t care too much, it’s now merely academic curiosity and is not getting in the way of getting anything done.

ldd is a bash script; the version string is built-in at package creation
time.

Maybe your libc-bin doesn't match your libc?
$ dpkg-query --show libc-bin
libc-bin 2.19-0ubuntu6.7
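
The check this thread converges on, as an added example that is not from any of the posters: it reads the libc6 and libc-bin package versions from dpkg instead of trusting the string baked into the ldd script, compares libc6 against the fixed version quoted above (2.19-0ubuntu6.7), and flags a libc-bin that does not match. The function names and status words are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). FIXED is the patched trusty version
# quoted in the thread; the status words printed are this example's own.
FIXED="2.19-0ubuntu6.7"

# version_ge A B: succeed when Debian version A >= B.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        # Fallback where dpkg is absent: GNU version sort, adequate for
        # the simple 2.19-0ubuntu6.N strings compared here.
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# classify LIBC6_VER LIBCBIN_VER: print one status word.
classify() {
    if [ -z "$1" ]; then
        echo unknown
    elif ! version_ge "$1" "$FIXED"; then
        echo vulnerable
    elif [ "$1" != "$2" ]; then
        # libc6 is fixed, but ldd (shipped in libc-bin) may print a stale string.
        echo patched-libc-bin-mismatch
    else
        echo patched
    fi
}

# pkg_version NAME: installed version of a package, empty if not installed.
pkg_version() {
    dpkg-query --show --showformat='${Version}\n' "$1" 2>/dev/null | head -n 1
}

# check_host: report on the machine the script runs on.
check_host() {
    l6=$(pkg_version libc6)
    lb=$(pkg_version libc-bin)
    echo "libc6=${l6:-none} libc-bin=${lb:-none} -> $(classify "$l6" "$lb")"
}

check_host
```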