在Debian系统上,防范GCC相关的安全问题可以通过以下几种方法进行:
sudo apt update && sudo apt upgrade -y
security.debian.org 仓库:deb http://security.debian.org/debian-security bullseye-security main
deb-src http://security.debian.org/debian-security bullseye-security main
然后再次运行更新命令:
sudo apt update && sudo apt upgrade -y
sudo apt install debian-goodies reboot-notifier
bash <(curl -s https://raw.githubusercontent.com/vulsio/vulsctl/master/install-host/install.sh)
配置Vuls后,使用以下命令扫描系统:
vuls -h
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <errno.h>
#define CANARY "in_the_coal_mine"
struct {
char buffer[1024];
char canary[sizeof(CANARY)];
} temp;
int main() {
struct hostent resbuf;
struct hostent *result;
int herrno;
int retval;
size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;
char name[sizeof(temp.buffer)];
memset(name, '0', len);
name[len] = '\0';
retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
if (strcmp(temp.canary, CANARY) != 0) {
printf("vulnerable
");
exit(EXIT_SUCCESS);
}
if (retval == ERANGE) {
printf("not vulnerable
");
exit(EXIT_SUCCESS);
}
printf("should not happen
");
exit(EXIT_FAILURE);
}
然后在服务器上执行:
gcc -o CVE-2015-0235 gistfile1.c ./CVE-2015-0235
如果提示“vulnerable”,则说明存在漏洞。
unattended-upgrades 包并启用自动更新:sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure unattended-upgrades
可以选择自动安装更新并在安装后通知你,或者完全自动安装更新。
通过以上步骤,可以有效地防范Debian系统上GCC相关的安全问题,确保系统的稳定性和安全性。建议定期进行安全扫描和更新,并保持对Debian官方安全公告的关注。