Bug#751774: eglibc: CVE-2014-4043: posix_spawn_file_actions_addopen fails to copy the path argument
Source: eglibc
Version: 2.19-1
Severity: normal
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for eglibc.

CVE-2014-4043[0,1]:
posix_spawn_file_actions_addopen fails to copy the path argument

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-4043
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1109263

Regards,
Salvatore

--
To UNSUBSCRIBE, email to debian-glibc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140616143740.777.39904.report...@lorien.valinor.li

Bug#727786: eglibc 2.13-38+deb7u2 not available
Hi Rafael,

On Thu, Jul 10, 2014 at 08:10:00PM +0200, Rafael Varela Pet wrote:
> On Tue, 27 May 2014 22:47:07 Aurelien Jarno said:
>
> > Source: eglibc
> > Source-Version: 2.13-38+deb7u2
> > Format: 1.8
> > Date: Sun, 25 May 2014 20:01:05 +0200
> > Source: eglibc
> > Binary: libc-bin libc-dev-bin glibc-doc eglibc-source locales locales-all
> > nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-prof libc6-pic
> > libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-prof libc6.1-pic
> > libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-prof libc0.3-pic
> > libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-prof libc0.1-pic
> > libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc64 libc6-dev-sparc64
> > libc6-s390 libc6-dev-s390 libc6-s390x libc6-dev-s390x libc6-amd64
> > libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64
> > libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc0.1-i386
> > libc0.1-dev-i386 libc6-i686 libc6-xen libc0.1-i686 libc0.3-i686 libc0.3-xen
> > libc6.1-alphaev67 libc6-loongson2f libnss-dns-udeb libnss-files-udeb
> > Architecture: source all amd64
> > Version: 2.13-38+deb7u2
> > Distribution: wheezy
>
> I cannot find the 2.13-38+deb7u2 version in the Debian repositories(*)
>
> Does anybody know what happened to this revision of the package?

It is/was scheduled for the upcoming Wheezy point release of next
weekend, see [1]. But it will be also included in the (just going to
be released) +deb7u3 for a security update[2].

[1] https://lists.debian.org/debian-stable-announce/2014/07/msg0.html
    https://release.debian.org/proposed-updates/stable.html
[2] https://security-tracker.debian.org/tracker/DSA-2976-1

Regards,
Salvatore

Bug#772705: libc6: buffer overflow in tzset
Hi

This should be addressed with the following commit:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=42261ad731

See: http://www.openwall.com/lists/oss-security/2015/04/24/3

Regards,
Salvatore

Bug#812441: glibc: CVE-2015-8778: Integer overflow in hcreate and hcreate_r
Source: glibc
Version: 2.19-18
Severity: important
Tags: security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=18240

Hi,

the following vulnerability was published for glibc.

CVE-2015-8778[0]:
Integer overflow in hcreate and hcreate_r

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8778
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=18240

Regards,
Salvatore

Bug#812445: glibc: CVE-2015-8776: Segmentation fault caused by passing out-of-range data to strftime()
Source: glibc
Version: 2.19-18
Severity: important
Tags: security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=18985

Hi,

the following vulnerability was published for glibc.

CVE-2015-8776[0]:
Passing out of range data to strftime() causes a segfault

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8776
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=18985

Regards,
Salvatore

Bug#812455: glibc: CVE-2015-8779: Unbounded stack allocation in catopen function
Source: glibc
Version: 2.19-18
Severity: important
Tags: security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=17905

Hi,

the following vulnerability was published for glibc.

CVE-2015-8779[0]:
catopen() Multiple unbounded stack allocations

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8779
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=17905

Regards,
Salvatore

Bug#813187: glibc: CVE-2014-9761: Unbounded stack allocation in nan* functions
Source: glibc
Version: 2.19-18
Severity: normal
Tags: security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=16962

Hi,

the following vulnerability was published for glibc, reporting it as
well to the BTS to have a BTS <-> security-tracker cross reference.

CVE-2014-9761[0]:
nan function unbounded stack allocation

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-9761
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1300310
[2] https://sourceware.org/bugzilla/show_bug.cgi?id=16962

Regards,
Salvatore

Bug#544544: nscd: Missing description for max-db-size and auto-propagate in manpage
Package: nscd
Version: 2.7-18
Severity: minor

Hi

In manpage for nscd.conf there seems to be the description for
max-db-size and auto-propagate missing.

Bests
Salvatore

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Bug#704623: eglibc: CVE-2013-1914: getaddrinfo() stack overflow
Package: eglibc
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for eglibc.

CVE-2013-1914[0]:
getaddrinfo() stack overflow

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1914
    http://security-tracker.debian.org/tracker/CVE-2013-1914
[1] https://bugzilla.novell.com/show_bug.cgi?id=813121
[2] http://marc.info/?l=oss-security&m=136498744329621&w=2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Bug#704623: eglibc: CVE-2013-1914: getaddrinfo() stack overflow
Control: tags -1 + patch

Hi

Only a small update. Upstream commit:

http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=1cef1b19089528db11f221e938f60b9b048945d7

see: http://marc.info/?l=oss-security&m=136515592721172&w=2

Regards,
Salvatore

Bug#727181: eglibc: CVE-2013-4458: Stack (frame) overflow in getaddrinfo() when called with AF_INET6
Package: eglibc
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for eglibc.

CVE-2013-4458[0]:
Stack (frame) overflow in getaddrinfo() when called with AF_INET6

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4458
    http://security-tracker.debian.org/tracker/CVE-2013-4458
[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4458
[2] https://sourceware.org/ml/libc-alpha/2013-10/msg00733.html
[3] https://sourceware.org/bugzilla/show_bug.cgi?id=16072

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Bug#717544: Patch for CVE-2013-2207
Hi Arne,

On Tue, Mar 04, 2014 at 03:00:44PM +0100, Arne Wichmann wrote:
> begin quotation from Moritz Muehlenhoff (in
> <20140301122144.ga11...@inutil.org>):
> > Version: 2.18-1
> >
> > On Fri, Aug 23, 2013 at 02:13:40PM +0200, Arne Wichmann wrote:
> > > tags #717544 + patch
> > >
> > > Hi.
> > >
> > > A patch for CVE-2013-2207 is available on
> > > http://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2013-2207
> >
> > Fixed in sid with commit
> > https://sourceware.org/git/?p=glibc.git;a=commit;h=e4608715e6e1dd2adc91982fd151d5ba4f761d69
>
> What about stable?

See https://bugs.debian.org/717544#22 for details. The patch was
reverted and the bug reopened.

HTH,

Regards,
Salvatore

Bug#833302: glibc: CVE-2016-5417: per-thread memory leak in __res_vinit with IPv6 nameservers
Source: glibc
Version: 2.23-4
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=19257

Hi,

the following vulnerability was published for glibc.

CVE-2016-5417[0]:
per-thread memory leak in __res_vinit with IPv6 nameservers

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-5417
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=19257

Regards,
Salvatore

Bug#833302: glibc: CVE-2016-5417: per-thread memory leak in __res_vinit with IPv6 nameservers
Hi Aurelien,

On Wed, Aug 03, 2016 at 12:14:26AM +0200, Aurelien Jarno wrote:
> control: reassign -1 libc6
> control: severity 818178 important
> control: forcemerge 818178 -1
>
> On 2016-08-02 19:54, Salvatore Bonaccorso wrote:
> > Source: glibc
> > Version: 2.23-4
> > Severity: important
> > Tags: security upstream fixed-upstream
> > Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=19257
> >
> > Hi,
> >
> > the following vulnerability was published for glibc.
> >
> > CVE-2016-5417[0]:
> > per-thread memory leak in __res_vinit with IPv6 nameservers
>
> Before being identified as a security issue, it has been reported as bug
> #818178. Merging the bugs.

Thanks, and apologies, have missed that.

Regards,
Salvatore

Bug#834752: glibc: CVE-2016-6323: Missing unwind information on ARM
Source: glibc
Version: 2.23-4
Severity: normal
Tags: security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=20435

Hi,

the following vulnerability was published for glibc, filing to track
the issue.

CVE-2016-6323[0]:
Missing unwind information on ARM

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-6323
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=20435

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Bug#856503: glibc: CVE-2016-10228: iconv(1) with -c option hangs on illegal multi-byte sequences
Source: glibc
Version: 2.19-18
Severity: important
Tags: upstream security
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=19519

Hi,

the following vulnerability was published for glibc.

CVE-2016-10228[0]:
glibc iconv program can hang when invoked with the -c option

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10228
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10228
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=19519

Regards,
Salvatore

Bug#862086: glibc: CVE-2017-8804: Memory leak after deserialization failure in xdr_bytes, xdr_string
Source: glibc
Version: 2.19-18
Severity: important
Tags: upstream security
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=21461

Hi,

the following vulnerability was published for glibc, opening the bug
to track the issue as well in the BTS.

CVE-2017-8804[0]:
| The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc
| or libc6) 2.25 mishandle failures of buffer deserialization, which
| allows remote attackers to cause a denial of service (virtual memory
| allocation, or memory consumption if an overcommit setting is not used)
| via a crafted UDP packet to port 111, a related issue to CVE-2017-8779.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8804
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8804
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=21461

Regards,
Salvatore

Bug#870648: glibc: CVE-2017-12133: Use-after-free in error path in clntudp_call
Source: glibc
Version: 2.22-10
Severity: important
Tags: upstream security patch fixed-upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=21115
Control: found -1 2.19-18+deb8u5

Hi,

the following vulnerability was published for glibc.

CVE-2017-12133[0]:
Use-after-free in error path in clntudp_call

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12133
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12133
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=21115

Regards,
Salvatore

Bug#870650: glibc: CVE-2017-12132
Source: glibc
Version: 2.24-11
Severity: important
Tags: upstream security patch fixed-upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=21361

Hi,

the following vulnerability was published for glibc.

CVE-2017-12132[0]:
| The DNS stub resolver in the GNU C Library (aka glibc or libc6) before
| version 2.26, when EDNS support is enabled, will solicit large UDP
| responses from name servers, potentially simplifying off-path DNS
| spoofing attacks due to IP fragmentation.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12132
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12132
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=21361

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Bug#879955: glibc: CVE-2017-15804
Source: glibc
Version: 2.19-18
Severity: important
Tags: patch security upstream fixed-upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=22332

Hi,

the following vulnerability was published for glibc.

CVE-2017-15804[0]:
| The glob function in glob.c in the GNU C Library (aka glibc or libc6)
| before 2.27 contains a buffer overflow during unescaping of user names
| with the ~ operator.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15804
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15804

Please adjust the affected versions in the BTS as needed. Unless I
wrongly triaged the problematic code is in versions all back to 2.19.
But please double-check and correct me if I'm wrong.

Regards,
Salvatore

Bug#989147: glibc: CVE-2021-33574: mq_notify does not handle separately allocated thread attributes
Source: glibc
Version: 2.31-12
Severity: important
Tags: security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=27896
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for glibc, basically purely
to track the upstream issue and fix once coming downstream.

CVE-2021-33574[0]:
| The mq_notify function in the GNU C Library (aka glibc) through 2.33
| has a use-after-free. It may use the notification thread attributes
| object (passed through its struct sigevent parameter) after it has
| been freed by the caller, leading to a denial of service (application
| crash) or possibly unspecified other impact.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-33574
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33574
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=27896

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Bug#994542: glibc: Regressions in lchmod and fchmodat when /proc is not mounted
Source: glibc
Version: 2.32-3
Severity: important
Tags: upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=26401
X-Debbugs-Cc: car...@debian.org
Control: affects -1 rsync
Control: clone -1 -2
Control: reassing -2 src:rsync 3.2.3-6
Control: retitle -2 rsync: Workaround glibc bug BZ#26401 (regression in lchmod and fchmodat when /proc is not mountet)
Control: forwarded -2 https://github.com/WayneD/rsync/issues/109

Hi

There is a regression in lchmod and fchmodat when /proc is not
mounted, the upstream report about it is at [1] and affects as well
e.g. rsync[2]. It relates to #951191.

[1] https://sourceware.org/bugzilla/show_bug.cgi?id=26401
[2] https://github.com/WayneD/rsync/issues/109

For rsync the following were applied:

https://github.com/WayneD/rsync/commit/85b8dc8abaca96fc3ea7421e09101b6ac41b6718
https://github.com/WayneD/rsync/commit/9dd62525f3b98d692e031f22c02be8f775966503

Regards,
Salvatore

Bug#994542: Bug#994543: Workaround glibc bug BZ#26401 (regression in lchmod and fchmodat when /proc is not mounted)
Control: retitle -1 Workaround glibc bug BZ#26401 (regression in lchmod and fchmodat when /proc is not mounted)

Hi

On Fri, Sep 17, 2021 at 03:29:26PM +0200, Salvatore Bonaccorso wrote:
> Source: glibc
> Version: 2.32-3
> Severity: important
> Tags: upstream
> Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=26401
> X-Debbugs-Cc: car...@debian.org
> Control: affects -1 rsync
> Control: clone -1 -2
> Control: reassing -2 src:rsync 3.2.3-6
> Control: retitle -2 rsync: Workaround glibc bug BZ#26401 (regression in
> lchmod and fchmodat when /proc is not mountet)
> Control: forwarded -2 https://github.com/WayneD/rsync/issues/109
>
> Hi
>
> There is a regression in lchmod and fchmodat when /proc is not
> mounted, the upstream report about it is at [1] and affects as well
> e.g. rsync[2]. It relates to #951191.
>
> [1] https://sourceware.org/bugzilla/show_bug.cgi?id=26401
> [2] https://github.com/WayneD/rsync/issues/109
>
> For rsync the following were applied:
>
> https://github.com/WayneD/rsync/commit/85b8dc8abaca96fc3ea7421e09101b6ac41b6718
> https://github.com/WayneD/rsync/commit/9dd62525f3b98d692e031f22c02be8f775966503

FWIW, the autopkgtest regressions are maybe related to this. I
encountered it while performing a linux build in a chroot where /proc
was not mounted. Tested cherry-picking the workaround on top of
3.2.3-6.

Regards,
Salvatore

Bug#994542: reply confusion
Hi

Apologies I mixed up the cloned bug while replying for the rsync
workaround. Fixed up now as well the broken retitlings in the BTS.

994542 for glibc
994543 accordingly for rsync.

Regards,
Salvatore

Bug#987266: preinst check for kernel release > 255 may no longer be needed
Hi Aurelien,

On Tue, Apr 20, 2021 at 06:36:33PM +0200, Andras Korn wrote:
> Package: libc6
> Version: 2.31-11
> Severity: normal
>
> Hi,
>
> due to
> https://salsa.debian.org/glibc-team/glibc/-/commit/6ddfa57577af0d96df9ddd7be401f5ce9a9bcc0f
> (a commit from 2004) the preinst script for glibc checks whether the
> "z" in the "x.y.z" of the kernel version is less than 255. If yes,
> the package refuses to install.
>
> I hit this problem on a box with a custom 4.9.266 kernel.
>
> Based on this lkml thread:
> https://lore.kernel.org/lkml/7pR0YCctzN9phpuEChlL7_SS6auHOM80bZBcGBTZPuMkc6XjKw7HUXf9vZUPi-IaV2gTtsRVXgywQbja8xpzjGRDGWJsVYSGQN5sNuX1yaQ=@protonmail.com/T/,
> the check is no longer needed because the kernel caps the version
> code it reports to 255, even if uname prints a higher number.
>
> Of course, you could conceivably still hit the problem with earlier
> kernels, so I suppose the logic of the check should be modified, not
> removed entirely, to be technically correct.
>
> If forced at gunpoint to make a guess, I would guess, though, that
> removing the check would have very little actual impact; it also
> doesn't protect the user from installing a kernel with an
> unsupported version number after having installed glibc.

Prompted by
https://lore.kernel.org/stable/yvaholtsb0nk0...@kroah.com/T/#t and
given this was addressed with
https://salsa.debian.org/glibc-team/glibc/-/commit/b3c76cf1cd0c8b6e4844c6362a45143c136a2900
is this something we should consider as well for the older releases
where it is not actually needed for people compiling their own custom
kernels?

Regards,
Salvatore

Bug#987266: preinst check for kernel release > 255 may no longer be needed
Hi Aurelien,

On Sun, Sep 26, 2021 at 01:21:16PM +0200, Aurelien Jarno wrote:
> Hi,
>
> On 2021-09-26 09:57, Salvatore Bonaccorso wrote:
> > Hi Aurelien,
> >
> > On Tue, Apr 20, 2021 at 06:36:33PM +0200, Andras Korn wrote:
> > > Package: libc6
> > > Version: 2.31-11
> > > Severity: normal
> > >
> > > Hi,
> > >
> > > due to
> > > https://salsa.debian.org/glibc-team/glibc/-/commit/6ddfa57577af0d96df9ddd7be401f5ce9a9bcc0f
> > > (a commit from 2004) the preinst script for glibc checks whether the
> > > "z" in the "x.y.z" of the kernel version is less than 255. If yes,
> > > the package refuses to install.
> > >
> > > I hit this problem on a box with a custom 4.9.266 kernel.
> > >
> > > Based on this lkml thread:
> > > https://lore.kernel.org/lkml/7pR0YCctzN9phpuEChlL7_SS6auHOM80bZBcGBTZPuMkc6XjKw7HUXf9vZUPi-IaV2gTtsRVXgywQbja8xpzjGRDGWJsVYSGQN5sNuX1yaQ=@protonmail.com/T/,
> > > the check is no longer needed because the kernel caps the version
> > > code it reports to 255, even if uname prints a higher number.
> > >
> > > Of course, you could conceivably still hit the problem with earlier
> > > kernels, so I suppose the logic of the check should be modified, not
> > > removed entirely, to be technically correct.
> > >
> > > If forced at gunpoint to make a guess, I would guess, though, that
> > > removing the check would have very little actual impact; it also
> > > doesn't protect the user from installing a kernel with an
> > > unsupported version number after having installed glibc.
> >
> > Prompted by
> > https://lore.kernel.org/stable/yvaholtsb0nk0...@kroah.com/T/#t and
> > given this was addressed with
> > https://salsa.debian.org/glibc-team/glibc/-/commit/b3c76cf1cd0c8b6e4844c6362a45143c136a2900
> > is this something we should consider as well for the older releases
> > where it is not actually needed for people compiling their own custom
> > kernels?
>
> The bug has been reported with severity normal, and it seemed it was
> limited to a rather small range of users. Now if you think it is a more
> widespread issue, feel free to raise the severity so that we can
> consider it from buster and bullseye. The fix has been in testing/sid
> for a few weeks, so this should be acceptable for older releases.
>
> At least for bullseye, we have an update scheduled, currently being
> under review by the release team (bug #992693). But we won't be able to
> fix Raspbian ;-).

It is probably not that widespread, because I guess the case where
user install older custom kernel from 4.4.y and 4.9.y series on buster
and newer is not that frequent and at time of writing the stable
series supported are 4.4.285, 4.9.284, so the two problematic ones,
4.14.248, 4.19.208, 5.4.149, 5.10.69 and 5.14.8.

But at some point upstream will reach 256 minor version as well for the
4.14.y, 4.19.y and 5.10.y series. So maybe it is worth of fixing this
as for bullseye and buster point releases (not the next ones).

So no I have no strong opinion but I stumbled over the above on the
stable list.

Regards,
Salvatore

Bug#998622: glibc: CVE-2021-43396: Conversion from ISO-2022-JP-3 with iconv may emit spurious NUL character on state reset
Source: glibc
Version: 2.31-10
Severity: important
Tags: security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=28524
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for glibc.

CVE-2021-43396[0]:
| In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34,
| remote attackers can force iconv() to emit a spurious '\0' character
| via crafted ISO-2022-JP-3 data that is accompanied by an internal
| state reset. This may affect data integrity in certain iconv() use
| cases.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-43396
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43396
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=28524

Regards,
Salvatore

Re: checking on bookworm freeze dates proposal
Hi Paul,

On Tue, Mar 01, 2022 at 12:03:51PM +0100, Paul Gevers wrote:
> Dear colleagues,
>
> The Release Team would like to propose a bookworm freeze timeline. Don't
> worry, the timeline is a plan, if serious (timing) issues come up we will
> adapt. However, before making the plan public in a wider audience, we'd like
> to know from you if you already foresee clashes in timing from the kernel,
> gcc, binutils and glibc that we should take into account. Does the following
> timeline seem reasonable to you considering plans of your upstream?
>
> (the bullseye schedule + 2 years):
> 2023-01-12 - Milestone 1 - Transition and Toolchain freeze
> 2023-02-12 - Milestone 2 - Soft Freeze
> 2023-03-12 - Milestone 3 - Hard Freeze
> TBA        - Milestone 4 - Full Freeze

For the kernel-team: We need to pick for the bookworm release again a
longterm maintenance release. This means the following: Greg will
usually pick the "last" released kernel of the year to be the LTS one.
It is thus not that important how many stable releases already happened
for that particular branch as it will be longterm maintained. But
we definitely need to pick the correct one on this regard.

Regards,
Salvatore

Bug#1051958: glibc: CVE-2023-4527
Source: glibc
Version: 2.37-8
Severity: important
Tags: security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=30842
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: found -1 2.36-9+deb12u1
Control: found -1 2.36-9

Hi,

The following vulnerability was published for glibc.

CVE-2023-4527[0]:
| Stack read overflow in getaddrinfo in no- mode

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-4527
    https://www.cve.org/CVERecord?id=CVE-2023-4527
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=30842

Regards,
Salvatore

Bug#1053002: glibc: CVE-2023-5156: Memory leak in getaddrinfo after fix for CVE-2023-4806
Source: glibc
Version: 2.37-10
Severity: important
Tags: security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=30884
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for glibc. Filing mainly
for tracking of the issue.

CVE-2023-5156[0]:
| A flaw was found in the GNU C Library. A recent fix for
| CVE-2023-4806 introduced the potential for a memory leak, which may
| result in an application crash.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-5156
    https://www.cve.org/CVERecord?id=CVE-2023-5156
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=30884

Regards,
Salvatore

Bug#1069191: glibc: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence
Source: glibc
Version: 2.37-17
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: found -1 2.37-15
Control: found -1 2.36-9+deb12u5
Control: found -1 2.36-9+deb12u4
Control: found -1 2.36-9
Control: found -1 2.31-13+deb11u8
Control: found -1 2.31-13

Hi,

The following vulnerability was published for glibc.

CVE-2024-2961[0]:
| The iconv() function in the GNU C Library versions 2.39 and older
| may overflow the output buffer passed to it by up to 4 bytes when
| converting strings to the ISO-2022-CN-EXT character set, which may
| be used to crash an application or overwrite a neighbouring
| variable.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-2961
    https://www.cve.org/CVERecord?id=CVE-2024-2961
[1] https://www.openwall.com/lists/oss-security/2024/04/17/9

Regards,
Salvatore

Bug#883729: glibc: CVE-2017-17426: malloc returns pointer from tcache_get when should return NULL
Source: glibc
Version: 2.26-0experimental1
Severity: important
Tags: patch security upstream fixed-upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=22375

Hi,

the following vulnerability was published for glibc (only affecting
experimental)

CVE-2017-17426[0]:
| The malloc function in the GNU C Library (aka glibc or libc6) 2.26
| could return a memory block that is too small if an attempt is made to
| allocate an object whose size is close to SIZE_MAX, potentially leading
| to a subsequent heap overflow. This occurs because the per-thread cache
| (aka tcache) feature enables a code path that lacks an integer overflow
| check.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17426
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17426
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=22375

Regards,
Salvatore

Bug#884132: glibc: CVE-2017-1000408
Source: glibc
Version: 2.19-18
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for glibc, this is just to
track the issue. A DSA is not warranted for this issue only and can be
addressed in a point release. The issues are already not-exploitable
as described in [1].

CVE-2017-1000408[0]:
memory leak

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000408
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000408
[1] http://www.openwall.com/lists/oss-security/2017/12/11/4

Regards,
Salvatore

Bug#884133: glibc: CVE-2017-1000409
Source: glibc Version: 2.19-18 Severity: important Tags: security upstream Hi, the following vulnerability was published for glibc, this is just to track the issue. A DSA is not warranted for this issue only and can be addressed in a point release. The issues are already not-exploitable as described in [1]. CVE-2017-1000409[0]: buffer overflow If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-1000409 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000409 [1] http://www.openwall.com/lists/oss-security/2017/12/11/4 Regards, Salvatore
Bug#887001: glibc: CVE-2018-1000001: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation
Source: glibc Version: 2.19-18 Severity: grave Tags: security upstream Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=18203 Hi glibc maintainers, the following vulnerability was published for glibc, filing as grave due to the privilege escalation potential, but by default in Debian unprivileged userns clone is not enabled, so the attack reduced. The issue should we think preferably be fixed in a point release. CVE-2018-1000001[0]: Libc Realpath Buffer Underflow If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2018-1000001 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000001 [1] http://www.openwall.com/lists/oss-security/2018/01/11/5 [2] https://sourceware.org/bugzilla/show_bug.cgi?id=18203 [3] https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/ Regards, Salvatore
Bug#914837: glibc: CVE-2018-19591: Linux if_nametoindex() does not close descriptor
Source: glibc Version: 2.27-8 Severity: important Tags: patch security upstream Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=23927 Hi, The following vulnerability was published for glibc. CVE-2018-19591[0]: Linux if_nametoindex() does not close descriptor If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2018-19591 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19591 [1] https://sourceware.org/bugzilla/show_bug.cgi?id=23927 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
Bug#920047: glibc: CVE-2016-10739: getaddrinfo should reject IP addresses with trailing characters
Package: glibc Version: 2.28-5--src Severity: normal Tags: patch security upstream Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=20018 Control: found -1 2.24-11+deb9u3 Control: found -1 2.24-11 Hi, The following vulnerability was published for glibc. CVE-2016-10739[0]: | In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo | function would successfully parse a string that contained an IPv4 | address followed by whitespace and arbitrary characters, which could | lead applications to incorrectly assume that it had parsed a valid | string, without the possibility of embedded HTTP headers or other | potentially dangerous substrings. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2016-10739 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739 [1] https://sourceware.org/bugzilla/show_bug.cgi?id=20018 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
Bug#945250: glibc: CVE-2019-19126
Source: glibc Version: 2.29-3 Severity: important Tags: security upstream Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=25204 Control: found -1 2.28-10 Control: found -1 2.24-11+deb9u1 Control: found -1 2.24-11+deb9u4 Control: found -1 2.24-11 Hi, The following vulnerability was published for glibc, filing this bug mainly for tracking purpose, it was reported upstream at [1]. CVE-2019-19126[0]: | On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 | fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable | during program execution after a security transition, allowing local | attackers to restrict the possible mapping addresses for loaded | libraries and thus bypass ASLR for a setuid program. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-19126 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19126 [1] https://sourceware.org/bugzilla/show_bug.cgi?id=25204 Regards, Salvatore
Bug#953108: glibc: CVE-2020-10029
Source: glibc Version: 2.29-10 Severity: important Tags: security upstream Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=25487 Hi, The following vulnerability was published for glibc. CVE-2020-10029[0]: | The GNU C Library (aka glibc or libc6) before 2.32 could overflow an | on-stack buffer during range reduction if an input to an 80-bit long | double function contains a non-canonical bit pattern, as seen when | passing a 0x5d41414141414141 value to sinl on x86 targets. This is | related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-10029 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10029 [1] https://sourceware.org/bugzilla/show_bug.cgi?id=25487 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
Bug#953788: glibc: CVE-2020-1752: use-after-free in glob() function when expanding ~user
Source: glibc Version: 2.30-2 Severity: important Tags: security upstream Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=25414 Control: found -1 2.16-0experimental0 Control: found -1 2.19-18+deb8u10 Control: found -1 2.24-11+deb9u1 Control: found -1 2.24-11+deb9u4 Control: found -1 2.28-10 Control: found -1 2.29-10 Hi, The following vulnerability was published for glibc. CVE-2020-1752[0]: use-after-free in glob() function when expanding ~user If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-1752 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752 [1] https://sourceware.org/bugzilla/show_bug.cgi?id=25414 Regards, Salvatore
Bug#973914: glibc: CVE-2020-27618
Source: glibc Version: 2.31-4 Severity: important Tags: security upstream Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=26224 X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 2.28-10 Hi, The following vulnerability was published for glibc. CVE-2020-27618[0]: | iconv when processing invalid multi-byte input sequences fails to | advance the input state, which could result in an infinite loop If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-27618 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27618 [1] https://sourceware.org/bugzilla/show_bug.cgi?id=26224 Regards, Salvatore
Bug#976391: glibc: CVE-2020-29562
Source: glibc Version: 2.31-5 Severity: important Tags: security upstream Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=26923 X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 2.31-4 Hi, The following vulnerability was published for glibc. CVE-2020-29562[0]: | The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to | 2.32, when converting UCS4 text containing an irreversible character, | fails an assertion in the code path and aborts the program, | potentially resulting in a denial of service. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-29562 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29562 [1] https://sourceware.org/bugzilla/show_bug.cgi?id=26923 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
Bug#976391: glibc: CVE-2020-29562
On Fri, Dec 04, 2020 at 03:03:58PM +0100, Salvatore Bonaccorso wrote: > Source: glibc > Version: 2.31-5 > Severity: important > Tags: security upstream > Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=26923 > X-Debbugs-Cc: car...@debian.org, Debian Security Team > > Control: found -1 2.31-4 > > Hi, > > The following vulnerability was published for glibc. > > CVE-2020-29562[0]: > | The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to > | 2.32, when converting UCS4 text containing an irreversible character, > | fails an assertion in the code path and aborts the program, > | potentially resulting in a denial of service. The issue may be introduced due to fix for https://sourceware.org/bugzilla/show_bug.cgi?id=18830 and so due to https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4802be92c891903caaf8cae47f685da6f26d4b9a in 2.30 only onwards. At least the testcase does not trigger in buster, but please double check. Regards, Salvatore
Bug#979273: glibc: CVE-2019-25013
Source: glibc Version: 2.31-7 Severity: important Tags: security upstream Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=24973 X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 2.28-10 Hi, The following vulnerability was published for glibc, filing for tracking in the BTS. CVE-2019-25013[0]: | The iconv feature in the GNU C Library (aka glibc or libc6) through | 2.32, when processing invalid multi-byte input sequences in the EUC-KR | encoding, may have a buffer over-read. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-25013 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25013 [1] https://sourceware.org/bugzilla/show_bug.cgi?id=24973 [2] https://sourceware.org/git/?p=glibc.git;a=commit;h=ee7a3144c9922808181009b7b3e50e852fb4999b Regards, Salvatore
Bug#981198: glibc: Assertion failure in ISO-2022-JP-3 gconv module related to combining characters
Source: glibc Version: 2.31-9 Severity: important Tags: security upstream Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=27256 X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 2.28-10 Hi Filing for tracking the upstream issue BZ#27256: > Tavis Ormandy reported that when converting from ISO-2022-JP-3 to > UTF-8, the gconv module could trigger an assertion failure in > iconv/skeleton.c if the second wide character in a two-wide-character > sequence cannot be written to the output buffer during character set > conversion. > > If glibc is built with assertions, this assertion failure can > typically be triggered by applications (such as mail clients) which > use the glibc iconv subsystem for MIME character set processing. Regards, Salvatore
Bug#983479: glibc: CVE-2021-27645: double-free in nscd
Source: glibc Version: 2.31-9 Severity: important Tags: security upstream Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=27462 X-Debbugs-Cc: car...@debian.org, Debian Security Team ,f...@debian.org Control: found -1 2.28-10 Control: found -1 2.28-1 Hi, The following vulnerability was published for glibc. CVE-2021-27645[0]: | The nameserver caching daemon (nscd) in the GNU C Library (aka glibc | or libc6) 2.29 through 2.33, when processing a request for netgroup | lookup, may crash due to a double-free, potentially resulting in | degraded service or Denial of Service on the local system. This is | related to netgroupcache.c. Upstream this has been introduced in 2.29 but AFAICS we have the problematic change since 2.28-1 in Debian itself due to [2]. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-27645 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27645 [1] https://sourceware.org/bugzilla/show_bug.cgi?id=27462 [2] https://salsa.debian.org/glibc-team/glibc/-/commit/aea56157b456d4d9bef337d0149e952a41a7d919 Regards, Salvatore
Bug#1109803: glibc: CVE-2025-8058
Source: glibc Version: 2.41-10 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 2.36-9+deb12u7 Control: found -1 2.36-9+deb12u10 Control: found -1 2.36-9 Control: forwarded -1 https://sourceware.org/bugzilla/show_bug.cgi?id=33185 Hi, The following vulnerability was published for glibc. CVE-2025-8058[0]: | The regcomp function in the GNU C library version from 2.4 to 2.41 | is subject to a double free if some previous allocation fails. It | can be accomplished either by a malloc failure or by using an | interposed malloc that injects random malloc failures. The double | free can allow buffer manipulation depending on how the regex is | constructed. This issue affects all architectures and ABIs | supported by the GNU C library. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-8058 https://www.cve.org/CVERecord?id=CVE-2025-8058 [1] https://sourceware.org/bugzilla/show_bug.cgi?id=33185 [2] https://sourceware.org/git/?p=glibc.git;a=commit;h=7ea06e994093fa0bcca0d0ee2c1db271d8d7885d [3] https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2025-0005 Regards, Salvatore