Ask Klaus

DNS Security Bug

What's the easiest way to get rid of the dangerous "DNS resolver" security bug that was recently detected (CVE-2015-7547)? Security lists tell me that all programs that resolve Internet names to IP addresses are affected, such as Firefox, LibreOffice, and various KDE and Gnome programs. Do I have to upgrade all of them?

It is the GLIBC implementation of the C libraries getaddrinfo() function that causes a stack overflow in case of specially crafted answers from a direct name server query. Programs can crash or execute arbitrary code due to this bug, but in order to exploit it, the attacker must first manipulate a DNS server that's queried by your client system. If your Linux system is behind an access point or router that acts as a DNS proxy, chances are that you are safe, because the DNS proxy may already replace bad replies by an "address not available" response. However, you should upgrade as soon as possible anyway – not the entire system, but definitely the glibc libraries that contain the vulnerability.

For Debian-based systems, updating the libc6 package is sufficient to fix all programs dynamically linked with libc6; these are the commands for Knoppix/Debian:

sudo apt-get update
sudo apt-get install -t unstable libc6

I use the "unstable" branch here just because it contains the newest version of libc6. With regular updates of Ubuntu and others, the libc version may get updated automatically from the "security" branches of the distribution.

Printer Problem

Klaus: I am having a printer issue. I have a desktop with a fresh install using Intel Core i5 CPU running OS Linux Peppermint 5, 64-bit version. I formatted the hard drive, thereby wiping out all underlying information. I have two HP OfficeJet P3015 laser printers connected via Ethernet on the LAN as follows:

192.168.0.10, HP-OfficeJet-P3015a
192.168.0.11, HP-OfficeJet-P3015b.

I configured these printers using the web browser interface supplied by Hewlett-Packard.

On my computer, I configured only the first printer (P3015a) using the GUI printer application: Start Menu | System Tools | Printers in the Printers – localhost dialog box (system-config-printer). I never added the second printer (P3015b).

If I launch LibreOffice and print a document, I can only see the first printer (P3015a). If I launch Firefox and print a document, I can see both printers: (P3015a and P3015b). Why is this? Do the separate applications use different mechanisms to print to the printer?

You may ask why I did not configuration both printers using the GUI on Peppermint from the outset. I did this once before; however, I was getting a conflict. Whenever I would try to print from my machine, say at IP 192.168.0.34, I could see both printers from LibreOffice, but when I did the same from Firefox, I could also see both printers, but the second one (P3015b) had a grayed out Print button. This was my only solution.

--Kevin

Indeed, just as you suspected, each program can use a different mechanism to acquire the list of available printers! Although most Linux distros use the CUPS printing system as back end to printer filters and printer features nowadays, the front ends may differ between native CUPS protocol printing (maybe using the http interface on port 631 directly), or the Berkeley-style front ends lpq or "lpr" or the SystemV syntax with lpstat and lp.

Your second printer may have been autodetected because you already configured the first one and installed the driver module, probably using CUPS and hplip, which is HP's suite of printer drivers for many multifunction, Inkjet, and Laserjet printers.

Usually, when configuring several printers with the same driver in CUPS, you don't get any conflicts that would keep programs from accessing any of the printers. However, depending on the printer front end, your printers may have to be given dedicated internal names. So, for example, the lpr -P printername front end knows which printer you want to print on. And, this may have been the problem: Two identical printers with identical names (or no explicit name set) may be a problem for some programs.

The obvious solution is, entering the printer config, and assigning unique names to each printer, following the Unix scheme: Just use lower+uppercase letters and numbers, but no spaces or other special symbols for the "nickname" of the printer. You can use anything you like in the printer's description, though.

Figure 1 shows the setting of a HPLIP printer in the CUPS web GUI, which is an alternative to the "printer configuration" in your system menu. Here, I set the name of the printer to printer1, and you could set the second printers name to printer2, so it's easy for programs to distinguish between those two, regardless of using the same driver and settings for both. With two different names, they should both be accessible from any program.

Figure 1: Provide a name for each printer.

However, if one of the printers gets stuck with an error message, this can also lead to a grayed out Print button. I usually check abort-job (on error) instead of stop printer, so a defective print job just gets discarded and will not try to block the printer indefinitely (Figure 2).

Figure 2: Use "abort-job" to stop a print job.

dd Command

Dear Klaus, Just to let you know that I tried dd again, but with the conv=sync,noerror options. The second USB backup hard disk is booting fine now!

I assume that a small disk error on the primary USB hard disk could have caused the second USB hard disk copy to shift, perhaps rendering it unbootable.

Unfortunately, I haven't been able to rescue data from a persistent partition yet. An option in Knoppix to save user data could perhaps be helpful to users?

Best regards, Theo

I assume you did a

dd if=/dev/sdb1 of=/media/sdc1/sdb1-backup.img bs=1M conv=sync,noerror

to create a backup image of your USB disks first partition on a second drives first partition.

Note that on read errors, the dd command may still behave erroneously, and noerror alone will not replace read errors by zeroes but skip data on the input, shifting data backward on the output after the error, unless you also add the sync option (which you did).

Still, I would prefer dd_rescue for the task of reading from a partly defective hard disk, because it can approach to the location of a defective sector from both sides, which in some cases works better than linear reading.

In regard to your second question of rescuing data from the persistent Knoppix (/dev/sdb2, as an example) partition: This partition is usually formatted with the ReiserFS filesystem, not ext2, 3, or 4, because from my experience, ReiserFS is easier to handle and auto-recovers after a crash simply by mounting.

If ReiserFS is not included in your kernel, you may have to force load the ReiserFS filesystem module by explicitly stating the filesystem for mounting the partition backup (sdb2-backup.img in this example):

sudo mount -t reiserfs -o loop sdb2-backup.img /mnt

You should then be able to access the persistent partitions data at /mnt, create a tar archive from it by

cd /mnt; tar zcpPvf /media/sdc1/knoppix-data.tar.gz

Sorry, I have no shortcut for this in Knoppix yet.