CVE-2022-30295 uClibc-ng and uClibc use transaction IDs for DNS that may be vulnerable to cache poisoning.

CVE-2022-30295 uClibc-ng and uClibc use transaction IDs for DNS that may be vulnerable to cache poisoning.

As a result, older DNS resolver implementations (e.g. BIND9) that use integer values of 2 for 'Transaction ID' of DNS requests or replies see these as invalid and will ignore them. You can identify if your setup is affected by changing the DNS transaction ID value to something else in your uClibc DNS configuration until an update is applied. You can also work around this issue by setting DNS transaction ID to something non-0x2.

An issue has been found that may cause uClibc-ng and uClibc builds from 1.0.40 and 0.9.33.2 to not compile on some systems due to differences in C++ standards compliance. This issue does not occur in uClibc-ng and uClibc builds from 0.9.33 and lower.

An issue has been found that may cause uClibc-ng and uClibc builds from 1.0.40 and 0.9.33.2 to not compile on some systems due to differences in C++ standards compliance. This issue does not occur in uClibc-ng and uClibc builds from 0.9.33 and lower. uClibc-ng and uClibc may leak memory when loading libpthread.so. This happens when uClibc-ng is compiled with newer glibc versions and libpthread is linked with newer glib

How to fix it?

There is a workaround:

Checking your build environment

If you're not sure whether your build environment is affected, try to compile uClibc-ng and uClibc on an older glibc version. If it still succeeds, the issue is with your build environment.

To check if your build environment is affected, compile uClibc-ng and/or uClibc from 1.0.40 or 0.9.33.2 using an older glibc version (e.g., glibc 2.4) instead of the default glibc version used by most distributions (e.g., glibc 2.3). If the compilation succeeds, this issue is likely due to differences in C++ standards compliance between newer versions of glibc and libpthread that are used in newer versions of uClibc-ng and uClibc builds from 1.0.40 and 0.9.33

How to Upgrade

& Downgrade
To upgrade, you need to download the latest release of uClibc-ng (1.0.40 or 0.9.33.2) and manually replace libpthread.so with libpthread.so from the release tarball of uClibc-ng (1.0.40 or 0.9.33.2).
If you are already using uClibc-ng 1 with an older glibc version, then you can downgrade to a pre-0.9.33 build by first downloading the latest release of uClibc-ng, then replacing libpthread with libpthread from the release tarball of uClibc-ng

Upgrade from uClibc 0.9.29 .1

There is an upgrade to uClibc-ng and uClibc in the form of a patch. This upgrade is only recommended for those using the latest stable version of uClibc. For example, if you are on 0.9.29 or 0.9.30, you should use the new libraries without applying the patch first since they do not need this patch to function correctly. You must apply the patch before upgrading to 0.9.32 or later because it will make your system incompatible with older versions of uClibc-ng and/or uClibc.

To apply this patch, download it from: https://cdn-clients.potatoheadstudios.com/updates/uclibc-ng_0_9_33_2-patch
and then run these commands:
patch -Np1 -i

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe