Hi Florian,

On 2026-04-01 16:01, Florian Bezdeka wrote:
> Package: libc6
> Version: 2.36-9+deb12u13
> Severity: important
> File: /lib/x86_64-linux-gnu/libc.so.6
> Tags: upstream
>
> Dear Maintainer,
>
> glibc as part of Debian Bookworm is affected by the following upstream
> bug: https://sourceware.org/bugzilla/show_bug.cgi?id=25847
>
> To avoid confusion I'm not repeating the details here. The result is a
> broken synchronization primitive. Condition variables might miss a
> wakeup event.
>
> The issue is fixed in glibc 2.41 and newer.

Yes, this is bug #986724.

> There is a patch series targeting the 2.36 branch available at
> https://inbox.sourceware.org/libc-stable/[email protected]/
>
> Upstream did not apply the series yet. There have been concerns about
> breaking existing software - which should not affect Debian. More
> details in the referenced upstream bug.

Looking at the upstream details, it indeed seems that Debian is not
affected by the RPM issue. That said, as we only restart processes for
major glibc upgrades, I suspect that some other packages (using db5.3 or
also using process-shared condition variables in files on disk) might be
affected by the fix, as well as third-party software.

> The patches can be applied as is to the Debian bookworm glibc based on
> 2.36. I'm running that for some time now, the reproducer is no longer
> working inside a Debian 12 podman container.
>
> Is there a chance that we get this bug fixed in Debian bookworm?

At this stage I am not fully convinced:

- It is not clear to me which software is currently affected by this
  bug, and thus it's difficult to judge how important it is to fix this
  bug, especially given this is not a regression from bullseye (the bug
  is present in that version). Do you have some real examples of
  affected software that can show it's important to fix this bug in
  bookworm?

- As said above, there is a risk of breakage, which many users would not
  expect now that bookworm is 2+ years old. The bookworm to trixie
  upgrade is different because users expect some breakages for such a
  major upgrade and as it is a major glibc upgrade, services were
  restarted and systems are often rebooted afterwards.

- We have fewer autopkgtests in bookworm than for trixie, which reduces
  the chances of catching regressions before they reach a point release.

In the end we'll need to convince the release team that the bug is
important to fix and there is minimal risk to include it in a point
release.

In any case I would prefer to avoid including this in the next bookworm
point release (12.14, scheduled for 16 May) as there are already 5 CVEs
(+1 pending) to be fixed in this update. I would prefer to avoid the
risk of delaying the glibc update to the next point release in case an
issue is found.

Best regards
Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
[email protected]                     http://aurel32.net

