
Bug#1053130: bookworm-pu: package glibc/2.36-9+deb12u2


Aurelien Jarno

Sep 27, 2023, 6:00:05 PM
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.d...@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gl...@packages.debian.org, debian...@lists.debian.org, debia...@lists.debian.org
Control: affects -1 + src:glibc

[ Reason ]
The upstream glibc stable branch got a few fixes since the latest point
release, including two security fixes.

[ Impact ]
Installations will be left vulnerable to security issues.

[ Tests ]
The upstream fixes come with additional tests, which represent a
significant part of the diff.

[ Risks ]
The risk can be considered low, as all the changes except the one for
CVE-2023-5156 have been tested in testing/sid for a few days. The one
for CVE-2023-5156 has just been uploaded to sid, but comes with a test.
In addition those fixes have been committed on a few upstream branches
and have been used by other distributions to provide security updates.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]

All the changes come from the upstream stable branch, and are summarized
in the Debian changelog. Let me comment on it:

- Fix the value of F_GETLK/F_SETLK/F_SETLKW with __USE_FILE_OFFSET64 on
ppc64el. Closes: #1050592.

This fixes a regression introduced in the previous point release and
testing/sid. On ppc64el, the values of F_GETLK/F_SETLK/F_SETLKW changed
when __USE_FILE_OFFSET64 is in use. While this is handled transparently
at the glibc level, it breaks some packages which use the values
internally like perl.

- Fix a stack read overflow in getaddrinfo in no-aaaa mode
(CVE-2023-4527). Closes: #1051958.

This fixes a security issue in a new feature introduced in glibc 2.36,
which has not been considered serious enough by the security team to
issue a DSA.

- Fix use after free in getcanonname (CVE-2023-4806, CVE-2023-5156).

This fixes a security issue that might happen with some NSS modules
which implement some hooks but not some others, however there are no
known modules implemented that way. Unfortunately the initial fix
introduced a memory leak which got assigned CVE-2023-5156.

- Update the x86 cacheinfo code to look at the per-thread L3 cache to
determine the non-temporal threshold. This improves memory and string
functions on modern CPUs.

This changes the way the cache sizes are interpreted, properly taking
into account the L3 cache on modern CPUs. The memory and string
functions are unchanged, only some thresholds are changed.

- Fix _dl_find_object to return correct values even during early startup.

It has been found that _dl_find_object can wrongly return 1 during
early startup. Currently no impact has been found, but as this function
is used by some external unwinders (for instance GCC), it's better to fix
it to be future proof.

- Always call destructors in reverse constructor order.

This fixes a regression introduced in glibc 2.36, which causes
destructors to be called in a different order than the constructors when
there are cyclic dependencies. This causes issues with some
applications.

[ Other info ]
debian-boot is in Cc: as glibc has one udeb.
glibc-2.36-9+deb12u2.diff

Adam D. Barratt

Sep 28, 2023, 4:10:05 PM
Control: tags -1 confirmed

On Wed, 2023-09-27 at 23:47 +0200, Aurelien Jarno wrote:
> The upstream glibc stable branch got a few fixes since the latest point
> release, including two security fixes.
>

Please go ahead.

Regards,

Adam

Aurelien Jarno

Sep 28, 2023, 5:10:05 PM
Thanks for the fast review, I have just uploaded it.

Regards
Aurelien

--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aure...@aurel32.net http://aurel32.net

Adam D Barratt

Sep 29, 2023, 4:40:05 PM
package release.debian.org
tags 1053130 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: glibc
Version: 2.36-9+deb12u2

Explanation: fix the value of F_GETLK/F_SETLK/F_SETLKW with __USE_FILE_OFFSET64 on ppc64el; fix a stack read overflow in getaddrinfo in no-aaaa mode [CVE-2023-4527]; fix use after free in getcanonname [CVE-2023-4806 CVE-2023-5156]; fix _dl_find_object to return correct values even during early startup
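
An added example, not part of this thread or of Debian's tooling: a Python triage helper that checks whether a bookworm glibc package version predates 2.36-9+deb12u2 and whether a resolv.conf enables the no-aaaa option that CVE-2023-4527 depends on. The function names and the sample input are constructed for illustration; the comparison follows dpkg's version ordering rules.

```python
FIXED = "2.36-9+deb12u2"  # fixed bookworm version named in the thread

def _order(c):
    # dpkg weights: '~' sorts before end of string, letters before other symbols
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run: compare character by character (end of string weighs 0)
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) and not a[i].isdigit() else 0
            bc = _order(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # digit run: compare numerically (an empty run counts as 0)
        si, sj = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        if int(a[si:i] or 0) != int(b[sj:j] or 0):
            return int(a[si:i] or 0) - int(b[sj:j] or 0)
    return 0

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev

def compare(a, b):
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def no_aaaa_enabled(resolv_conf):
    # True if any "options" line carries no-aaaa (commented lines do not match)
    return any(t[:1] == ["options"] and "no-aaaa" in t[1:]
               for t in (line.split() for line in resolv_conf.splitlines()))

def triage(pkg_version, resolv_conf):
    if compare(pkg_version, FIXED) >= 0:
        return "update applied"
    if no_aaaa_enabled(resolv_conf):
        return "update pending, no-aaaa enabled"
    return "update pending, no-aaaa not set"

SAMPLE = "nameserver 192.0.2.53\noptions edns0 no-aaaa\n"  # constructed input
if __name__ == "__main__":
    print(triage("2.36-9+deb12u1", SAMPLE))
```

On a real host the version string can be taken from `dpkg-query -W -f='${Version}' libc6` and the second argument from the contents of /etc/resolv.conf. A result of "update pending" still leaves the getcanonname fixes unapplied whether or not no-aaaa is set.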