
Bug#1005949: bullseye-pu: package glibc/2.31-13+deb11u3


Aurelien Jarno

Feb 17, 2022, 5:20:04 PM
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.d...@packages.debian.org
Usertags: pu

[ Reason ]
There are multiple fixes in this upload:
- 4 security bugs
- a fix to avoid preinst script failure when running on kernel x.y.z
with z > 255.
- a fix to avoid changes to /etc/nsswitch.conf to be reverted on upgrade

[ Impact ]
Installations will be left vulnerable to security issues, and upgrades
from buster will fail when running recent upstream stable kernels.

[ Tests ]
Those changes have all been in testing for some time, so they have been
tested by many users already. In addition, the security fixes come with
additional tests.

[ Risks ]
The risk can probably be considered low, as the changes have been tested
in testing/sid and upstream or on other distributions for the security
bugs.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]

Let me comment on the changelog:

* debian/patches/git-updates.diff: update from upstream stable branch:
- Fix bad conversion from ISO-2022-JP-3 with iconv (CVE-2021-43396).
Closes: #998622.

This fixes a security issue.

- Remove PIE check on amd64 to fix FTBFS with binutils 2.37.

This is actually not something that is strictly needed in bullseye, as it runs
binutils 2.35. As it comes from the upstream stable branch and it is just about
removing code for an outdated check in a configure script (the version test on
binutils already ensures that), it has no impact on the binaries shipped in
the package. Therefore I didn't judge it necessary to revert that change; it
makes my life easier when the upstream stable branch can be used.

- Fix a buffer overflow in sunrpc svcunix_create (CVE-2022-23218).
- Fix a buffer overflow in sunrpc clnt_create (CVE-2022-23219).

This fixes two similar security issues.

* debian/debhelper.in/libc-bin.postinst: stop replacing older versions from
/etc/nsswitch.conf. Closes: #998008.

This is a forgotten leftover from the move of that file from base-files in Wheezy.

* debian/debhelper.in/libc.preinst: simplify the version comparison by only
comparing the first two parts, now that kernel 2.X are not supported
anymore. Closes: #1004861.
* debian/debhelper.in/libc.preinst: drop the check for kernel release > 255
now that glibc and the preinstall script are fixed. Closes: #987266.

These two just drop the comparison for the z part in kernel version x.y.z, as z
is not relevant anymore since kernel 3.0, and the minimum supported kernel
version since buster is 3.2. This fixes cases where z > 255 as with recent
upstream stable kernels. Incidentally it also fixes the weird case where z is
not a numeric value.

* debian/patches/local-CVE-2021-33574-mq_notify-use-after-free.diff:
fix a possible use-after-free in mq_notify (CVE-2021-33574). Closes:
#989147.

This security fix does not come from the upstream stable branch, as a simple
backport would change the GLIBC_PRIVATE ABI and would cause issues with online
upgrades. Instead the corresponding code is included as a static function (see
the top of the patch for more details). Overall the code is the same as in
later glibc versions, just not ending up in the same library.
glibc.bullseye.diff
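As an added illustration of the preinst change discussed in the message above (not the Debian script's own code): a check that packs x.y.z into 8 bits per component misorders releases once z exceeds 255, whereas comparing only x.y, as the fixed preinst does, is immune to large or non-numeric z. The packing routine, the minimum "3.2" and the sample version strings are constructed here.

```shell
#!/bin/sh
# Added example, not the Debian libc.preinst script itself.

# pack_xyz X.Y.Z -> prints X*65536 + Y*256 + Z (an assumed 8-bit-per-component
# packing, illustrative only). Once Z > 255 it overflows into the Y field, so
# 4.9.300 sorts after 4.10.0.
pack_xyz() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # keep leading digits/dots
    x=${v%%.*}; r=${v#*.}; y=${r%%.*}
    if [ "$r" = "$y" ]; then z=0; else z=${r#*.}; z=${z%%.*}; fi
    case "$z" in ''|*[!0-9]*) z=0 ;; esac          # missing/non-numeric Z
    echo $(( x * 65536 + y * 256 + z ))
}

# kernel_supported VERSION MIN_X.MIN_Y
# Returns 0 when VERSION's major.minor >= the minimum, 1 otherwise.
# Z and any suffix ("-11-amd64") are ignored, so z > 255 or a
# non-numeric z cannot cause a spurious failure.
kernel_supported() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    case "$v" in *.*) ;; *) return 1 ;; esac       # need at least X.Y
    x=${v%%.*}; r=${v#*.}; y=${r%%.*}
    mx=${2%%.*}; my=${2#*.}
    case "$x$y" in ''|*[!0-9]*) return 1 ;; esac   # non-numeric X or Y
    [ "$x" -gt "$mx" ] && return 0
    [ "$x" -eq "$mx" ] && [ "$y" -ge "$my" ] && return 0
    return 1
}

# Demonstration on constructed version strings, minimum 3.2 as in buster+.
for k in 5.10.0-11-amd64 4.9.300 5.15.abc 2.6.32 3.2.0; do
    if kernel_supported "$k" 3.2; then
        echo "$k: supported (legacy packed value: $(pack_xyz "$k"))"
    else
        echo "$k: unsupported"
    fi
done
```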

Adam D. Barratt

Mar 15, 2022, 4:40:04 PM
Control: tags -1 + confirmed d-i

On Thu, 2022-02-17 at 23:15 +0100, Aurelien Jarno wrote:
> There are multiple fixes in this upload:
> - 4 security bugs
> - a fix to avoid preinst script failure when running on kernel x.y.z
> with z > 255.
> - a fix to avoid changes to /etc/nsswitch.conf to be reverted on
> upgrade
>
> [ Impact ]
> Installation will be left vulnerable to security issues and upgrade
> from buster will fail when running recent upstream stable kernels.
>

This looks OK to me, thanks.

As glibc produces a udeb, this will want a KiBi-ack; CCing and tagging
accordingly.

Regards,

Adam

Adam D. Barratt

Mar 17, 2022, 2:00:04 PM
As we're getting very close to the window for 11.3 closing, please feel
free to upload.

Regards,

Adam

Aurelien Jarno

Mar 17, 2022, 6:10:04 PM
Thanks, I have just uploaded it.

--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aure...@aurel32.net http://www.aurel32.net

Cyril Brulebois

Mar 18, 2022, 4:20:04 AM
Adam D. Barratt <ad...@adam-barratt.org.uk> (2022-03-15):
> This looks OK to me, thanks.

Looks fine to me as well, thanks.


Cheers,
--
Cyril Brulebois (ki...@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

Adam D Barratt

Mar 19, 2022, 6:00:03 AM
package release.debian.org
tags 1005949 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: glibc
Version: 2.31-13+deb11u3

Explanation: fix bad conversion from ISO-2022-JP-3 with iconv [CVE-2021-43396]; fix buffer overflow issues [CVE-2022-23218 CVE-2022-23219]; fix use-after-free issue [CVE-2021-33574]; stop replacing older versions of /etc/nsswitch.conf; simplify the check for supported kernel versions, as 2.x kernels are no longer supported; support installation on kernels with a release number greater than 255