SECURITY: bug in PHP/GLIBC that impacts any Dolibarr installation

Hey

Allegedly there is a bug in GLIBC that impacts PHP which impacts any Dolibarr installation on Linux, and there are hints that it might be remotely exploitable just by sending an HTTP header which you can do even before logging in.

If you can upgrade GLIBC (to something new enough) you should do that, but there is also another method which might be worth doing anyway because the mitigation probably does not cause any trouble for most of you.

It is all related to CN-EXT which is an extension to Chinese character set ISO-2022-CN, so my guess is that the mitigation has no impact for most of you.

On your Dolibarr installation on Linux, any Linux, any Dolibarr, run these commands:

  1. iconv -l | grep -i CN | grep -i EXT

and you should get a line like this: ISO-2022-CN-EXT//

  1. find / -iname gconv

I got this output: /usr/lib/x86_64-linux-gnu/gconv

  1. cd /usr/lib/x86_64-linux-gnu/gconv

  2. ls -la gconv-modules

  3. cp gconv-modules backup.gconv-modules

  4. edit gconv-modules and put # infront of the lines with CN EXT which in my case is this result

#alias ISO2022CNEXT// ISO-2022-CN-EXT//
#module ISO-2022-CN-EXT// INTERNAL ISO-2022-CN-EXT 1
#module INTERNAL ISO-2022-CN-EXT// ISO-2022-CN-EXT

  1. run the command iconvconfig

  2. check that the change was made by running the command from #1 again
    iconv -l | grep -i CN | grep -i EXT
    and you should get NO output

  3. that should be it, I got the mitigation from “thenickdude” here https://www.reddit.com/r/PHP/comments/1c9lslg/comment/l0o3tp2/?rdt=35527

10, maybe watch this less than 9 minute video

And if you are a pro with sysadmin, (never modify your system directly), you can check your system :

Debian 12:

dpkg -l | grep libc6

You should see : 2.36-9+deb12u6
(Debian -- Details of package libc6 in bookworm)

Ubuntu jammy:

dpkg -l | grep libc6

You should see : 2.35-0ubuntu3.7
(https://changelogs.ubuntu.com/changelogs/pool/main/g/glibc/glibc_2.35-0ubuntu3.7/changelog)

And you can update your system (debian or ubuntu) :

apt update
apt upgrade
1 Like
  1. It might not always be possible to update your system
  2. Even if it is possible to update, there might not be a new glibc package available
  3. Even if a glibc package is available it might be for other reasons than fixing this bug