CVE-2017-15671

Related Vulnerabilities: CVE-2017-15671   CVE-2017-15670   CVE-2017-15804  

Debian Bug report logs - #879500
CVE-2017-15671

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sun, 22 Oct 2017 10:45:06 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version glibc/2.24-17

Fixed in versions glibc/2.26-0experimental0, glibc/2.25-3

Done: Aurelien Jarno <aurel32@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceware.org/bugzilla/show_bug.cgi?id=22325


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#879500; Package libc6. (Sun, 22 Oct 2017 10:45:08 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Sun, 22 Oct 2017 10:45:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2017-15671
Date: Sun, 22 Oct 2017 12:44:47 +0200

Package: libc6
Version: 2.24-17
Severity: important
Tags: security

Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671:
The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27,
when invoked with GLOB_TILDE, could skip freeing allocated memory when processing
the ~ operator with a long user name, potentially leading to a denial of
service (memory leak).

Upstream bug is https://sourceware.org/bugzilla/show_bug.cgi?id=22325

Fix is here: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c66c908230169c1bab1f83b071eb585baa214b9f

Cheers,
        Moritz
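
A caller-side guard for programs that pass untrusted patterns to glob() with GLOB_TILDE, relevant to the "long user name" condition in the CVE text above; this is an added example, not code from the bug report, from glibc or from the upstream fix. The names tilde_user_len and guarded_glob_tilde, the GUARD_REFUSED value and the 32-byte limit are assumptions of this example, and the sample patterns are constructed.

```c
#define _DEFAULT_SOURCE          /* GLOB_TILDE is a GNU extension */
#include <glob.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption of this example: no legitimate account name is longer than
   this. Pick the limit your own systems enforce. */
#define MAX_TILDE_USER_LEN 32

/* Hypothetical return value meaning "pattern refused, glob() not called".
   glibc's own GLOB_* error codes are positive, so -1 does not collide. */
#define GUARD_REFUSED (-1)

/* Length of the user name in a leading "~user" prefix.
   Returns 0 for a bare "~", for "~/...", and for patterns without a
   leading tilde. */
size_t tilde_user_len(const char *pattern)
{
    if (pattern == NULL || pattern[0] != '~')
        return 0;
    return strcspn(pattern + 1, "/");
}

/* Calls glob(pattern, GLOB_TILDE, ...) only when the "~user" prefix is
   within MAX_TILDE_USER_LEN. On success (return 0) the caller owns the
   result and must call globfree(out). On any failure the partial result
   is released here, so error paths in the caller cannot leak it. */
int guarded_glob_tilde(const char *pattern, glob_t *out)
{
    int rc;

    if (pattern == NULL || out == NULL)
        return GUARD_REFUSED;
    if (tilde_user_len(pattern) > MAX_TILDE_USER_LEN)
        return GUARD_REFUSED;

    memset(out, 0, sizeof *out);
    rc = glob(pattern, GLOB_TILDE, NULL, out);
    if (rc != 0) {
        globfree(out);
        memset(out, 0, sizeof *out);
    }
    return rc;
}

int main(void)
{
    /* Constructed sample input: "~" followed by 5000 'a' characters. */
    char long_user[5002];
    const char *samples[3];
    size_t i;

    memset(long_user, 'a', sizeof long_user - 1);
    long_user[0] = '~';
    long_user[sizeof long_user - 1] = '\0';

    samples[0] = ".";            /* no tilde prefix */
    samples[1] = "~root";        /* short user name, passed through */
    samples[2] = long_user;      /* over-long user name, refused */

    for (i = 0; i < 3; i++) {
        glob_t g;
        int rc = guarded_glob_tilde(samples[i], &g);

        printf("user name length %zu: ", tilde_user_len(samples[i]));
        if (rc == GUARD_REFUSED) {
            printf("refused before glob()\n");
        } else if (rc == 0) {
            printf("%zu match(es)\n", g.gl_pathc);
            globfree(&g);
        } else {
            printf("glob() returned %d\n", rc);
        }
    }
    return 0;
}
```

The guard only keeps over-long `~user` prefixes away from glob(); installing a glibc package that carries the fix remains the actual remedy.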



Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 27 Oct 2017 15:33:07 GMT)


Set Bug forwarded-to-address to 'https://sourceware.org/bugzilla/show_bug.cgi?id=22325'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 27 Oct 2017 16:09:08 GMT)


Added tag(s) pending. Request was from Aurelien Jarno <aurelien@aurel32.net> to control@bugs.debian.org. (Sat, 18 Nov 2017 13:18:05 GMT)


Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#879500. (Sat, 18 Nov 2017 13:18:09 GMT)


Message #14 received at 879500-submitter@bugs.debian.org:

From: Aurelien Jarno <aurelien@aurel32.net>
To: 879500-submitter@bugs.debian.org
Subject: Bug#879500 marked as pending
Date: Sat, 18 Nov 2017 13:15:10 +0000

tag 879500 pending
thanks

Hello,

Bug #879500 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?id=80f1bf4

---
commit 80f1bf4829f404bedc2286c2906071ab228a03b9
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sat Nov 18 14:06:22 2017 +0100

    debian/patches/git-updates.diff: update from upstream stable branch:
    
    * debian/patches/git-updates.diff: update from upstream stable branch:
      - Fix buffer overflow in glob with GLOB_TILDE (CVE-2017-15670).  Closes:
        #879501.
      - Fix memory leak in glob with GLOB_TILDE (CVE-2017-15671).  Closes:
        #879500.

diff --git a/debian/changelog b/debian/changelog
index 9ed3c70..5a87a5b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -32,8 +32,6 @@ glibc (2.26-0experimental0) UNRELEASED; urgency=medium
       defining __HAVE_FLOAT128 on NVIDIA's CUDA compilers (LP: #1717257)
     - debian/patches/arm/git-arm64-memcmp.diff: Backport optimized memcmp
       for AArch64, improving performance from 25% to 500% (LP: #1720832)
-    - debian/patches/amd64/git-x86_64-search.diff: Backport upstream commit
-      to put x86_64 back in the search path, like in 2.25 (LP: #1718928)
     - debian/control.in/libc: Drop ancient Breaks satisfied in oldoldstable.
     - debian/{debhelper.in/libc.preinst,sysdeps/amd64.mk,sysdeps/i386.mk}:
       Bump MIN_KERNEL_SUPPORTED to 3.2 on x86, following upstream's change.
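Review bot: The removal of the debian/patches/amd64/git-x86_64-search.diff item (LP: #1718928) is not explained anywhere: the commit message only describes the git-updates.diff update for CVE-2017-15670 and CVE-2017-15671. If the backport is dropped because the upstream stable branch update now carries that change, say so in the commit message or in the new changelog item; otherwise keep the line, or move the removal into its own commit so the LP reference does not disappear silently.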
@@ -104,6 +102,13 @@ glibc (2.26-0experimental0) UNRELEASED; urgency=medium
     - testsuite-xfail-debian.mk: Update.
     - testsuite-xfail-debian.mk: Remove now-removed XPG3 entries.
 
+  [ Aurelien Jarno ]
+  * debian/patches/git-updates.diff: update from upstream stable branch:
+    - Fix buffer overflow in glob with GLOB_TILDE (CVE-2017-15670).  Closes:
+      #879501.
+    - Fix memory leak in glob with GLOB_TILDE (CVE-2017-15671).  Closes:
+      #879500.
+
  -- Adam Conrad <adconrad@0c3.net>  Sat, 02 Sep 2017 12:15:10 -0600
 
 glibc (2.25-1) unstable; urgency=medium
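Review bot: The new "[ Aurelien Jarno ]" section is added above a trailer that still reads "-- Adam Conrad <adconrad@0c3.net>  Sat, 02 Sep 2017 12:15:10 -0600", so the trailer needs refreshing before this stanza leaves UNRELEASED. For the two CVE items, consider citing the upstream bug next to the Debian bug number, so that a reader of the changelog can reach the upstream fix without going through the BTS.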



Reply sent to Aurelien Jarno <aurel32@debian.org>:
You have taken responsibility. (Sun, 19 Nov 2017 12:24:03 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 19 Nov 2017 12:24:03 GMT)


Message #19 received at 879500-close@bugs.debian.org:

From: Aurelien Jarno <aurel32@debian.org>
To: 879500-close@bugs.debian.org
Subject: Bug#879500: fixed in glibc 2.26-0experimental0
Date: Sun, 19 Nov 2017 12:21:43 +0000

Source: glibc
Source-Version: 2.26-0experimental0

We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879500@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 19 Nov 2017 12:49:13 +0100
Source: glibc
Binary: libc-bin libc-dev-bin libc-l10n glibc-doc glibc-source locales locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-pic libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-pic libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc libc6-dev-sparc libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64 libc6-mips32 libc6-dev-mips32 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc0.1-i386 libc0.1-dev-i386 libc6-x32 libc6-dev-x32 libc6-xen libc0.3-xen libc6.1-alphaev67
Architecture: source
Version: 2.26-0experimental0
Distribution: experimental
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Description:
 glibc-doc  - GNU C Library: Documentation
 glibc-source - GNU C Library: sources
 libc-bin   - GNU C Library: Binaries
 libc-dev-bin - GNU C Library: Development binaries
 libc-l10n  - GNU C Library: localization files
 libc0.1    - GNU C Library: Shared libraries
 libc0.1-dbg - GNU C Library: detached debugging symbols
 libc0.1-dev - GNU C Library: Development Libraries and Header Files
 libc0.1-dev-i386 - GNU C Library: 32bit development libraries for AMD64
 libc0.1-i386 - GNU C Library: 32bit shared libraries for AMD64
 libc0.1-pic - GNU C Library: PIC archive library
 libc0.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3    - GNU C Library: Shared libraries
 libc0.3-dbg - GNU C Library: detached debugging symbols
 libc0.3-dev - GNU C Library: Development Libraries and Header Files
 libc0.3-pic - GNU C Library: PIC archive library
 libc0.3-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3-xen - GNU C Library: Shared libraries [Xen version]
 libc6      - GNU C Library: Shared libraries
 libc6-amd64 - GNU C Library: 64bit Shared libraries for AMD64
 libc6-dbg  - GNU C Library: detached debugging symbols
 libc6-dev  - GNU C Library: Development Libraries and Header Files
 libc6-dev-amd64 - GNU C Library: 64bit Development Libraries for AMD64
 libc6-dev-i386 - GNU C Library: 32-bit development libraries for AMD64
 libc6-dev-mips32 - GNU C Library: o32 Development Libraries for MIPS
 libc6-dev-mips64 - GNU C Library: 64bit Development Libraries for MIPS64
 libc6-dev-mipsn32 - GNU C Library: n32 Development Libraries for MIPS64
 libc6-dev-powerpc - GNU C Library: 32bit powerpc development libraries for ppc64
 libc6-dev-ppc64 - GNU C Library: 64bit Development Libraries for PowerPC64
 libc6-dev-s390 - GNU C Library: 32bit Development Libraries for IBM zSeries
 libc6-dev-sparc - GNU C Library: 32bit Development Libraries for SPARC
 libc6-dev-sparc64 - GNU C Library: 64bit Development Libraries for UltraSPARC
 libc6-dev-x32 - GNU C Library: X32 ABI Development Libraries for AMD64
 libc6-i386 - GNU C Library: 32-bit shared libraries for AMD64
 libc6-mips32 - GNU C Library: o32 Shared libraries for MIPS
 libc6-mips64 - GNU C Library: 64bit Shared libraries for MIPS64
 libc6-mipsn32 - GNU C Library: n32 Shared libraries for MIPS64
 libc6-pic  - GNU C Library: PIC archive library
 libc6-powerpc - GNU C Library: 32bit powerpc shared libraries for ppc64
 libc6-ppc64 - GNU C Library: 64bit Shared libraries for PowerPC64
 libc6-s390 - GNU C Library: 32bit Shared libraries for IBM zSeries
 libc6-sparc - GNU C Library: 32bit Shared libraries for SPARC
 libc6-sparc64 - GNU C Library: 64bit Shared libraries for UltraSPARC
 libc6-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc6-x32  - GNU C Library: X32 ABI Shared libraries for AMD64
 libc6-xen  - GNU C Library: Shared libraries [Xen version]
 libc6.1    - GNU C Library: Shared libraries
 libc6.1-alphaev67 - GNU C Library: Shared libraries (EV67 optimized)
 libc6.1-dbg - GNU C Library: detached debugging symbols
 libc6.1-dev - GNU C Library: Development Libraries and Header Files
 libc6.1-pic - GNU C Library: PIC archive library
 libc6.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 locales    - GNU C Library: National Language (locale) data [support]
 locales-all - GNU C Library: Precompiled locale data
 multiarch-support - Transitional package to ensure multiarch compatibility
 nscd       - GNU C Library: Name Service Cache Daemon
Closes: 879500 879501
Changes:
 glibc (2.26-0experimental0) experimental; urgency=medium
 .
   [ Adam Conrad ]
   * New upstream release (LP: #1703368), with git updates to 2017-10-10:
     - debian/{symbols.wildcards,control}: Update and regen for 2.26.
     - debian/patches/alpha/submitted-termios_h.diff: upstreamed.
     - debian/patches/arm/submitted-strip-bit-0.diff: upstreamed.
     - debian/patches/hurd-i386/git-__inet6_scopeid_pton.diff: upstreamed.
     - debian/patches/any/submitted-string2-strcmp.diff: obsolete.
     - debian/patches/any/local-tst-writev.diff: fixed upstream.
     - debian/patches/any/local-dynamic-resolvconf.diff: fixed upstream.
     - debian/patches/any/submitted-unicode-9.0.0.diff: obsolete.
     - debian/patches/any/cvs-malloc-hardening.diff: upstreamed.
     - debian/patches/any/local-bits-sigstack.diff: fixed upstream.
     - debian/patches/powerpc/submitted-tst-tlsopt-powerpc.diff: upstreamed.
     - debian/patches/i386/local-cmov.diff: dropped, no longer useful.
     - debian/patches/all/local-ldd.diff: rebased.
     - debian/patches/any/local-ldso-disable-hwcap.diff: rebased.
     - debian/patches/any/local-tcsetaddr.diff: rebased.
     - debian/patches/any/submitted-resolv-unaligned.diff: rebased.
     - debian/patches/arm/local-arm-futex.diff: rebased.
     - debian/patches/hurd-i386/local-ED.diff: rebased.
     - debian/patches/hurd-i386/tg-EGREGIOUS-fr.diff: rebased.
     - debian/patches/hurd-i386/tg-EIEIO-fr.diff: rebased.
     - debian/patches/kfreebsd/submitted-auxv.diff: rebased.
     - debian/patches/kfreebsd/submitted-waitid.diff: rebased.
     - debian/patches/localedata/locales-fr.diff: rebased.
     - debian/patches/sparc/submitted-sparc64-socketcall.diff: rebased.
     - debian/patches/localedata/local-hu_HU-sort.diff: Make testsuite
       agree with the sorting we see in Debian, may need another look.
     - debian/patches/any/local-cudacc-float128.diff: Local patch to prevent
       defining __HAVE_FLOAT128 on NVIDIA's CUDA compilers (LP: #1717257)
     - debian/patches/arm/git-arm64-memcmp.diff: Backport optimized memcmp
       for AArch64, improving performance from 25% to 500% (LP: #1720832)
     - debian/control.in/libc: Drop ancient Breaks satisfied in oldoldstable.
     - debian/{debhelper.in/libc.preinst,sysdeps/amd64.mk,sysdeps/i386.mk}:
       Bump MIN_KERNEL_SUPPORTED to 3.2 on x86, following upstream's change.
     - debian/sysdeps/{powerpc.mk,ppc64.mk,s390x.mk}: Disable lock-elision on
       powerpc and s390, following IBM's recommendation.
     - debian/testsuite-xfail-debian.mk: Re-enable xfailed resolv tests.
     - debian/testsuite-xfail-debian.mk: Allow tst-create-detached to fail on
       all platforms; the design of this test is such that the outcome relies
       on cache sizes and noisiness of the build system, which is unreliable.
     - debian/rules.d/build.mk: Configure with --enable-obsolete-nsl until we
       sort out a reasonable nsswitch migration strategy from compat to files.
 .
   [ Samuel Thibault ]
   * Adjust hurd-i386 patches to restore build and functionality with 2.26:
     - patches/hurd-i386/tg-gsync-libc.diff: rebased.
     - patches/hurd-i386/tg-hurdsig-global-dispositions.diff: rebased.
     - patches/hurd-i386/tg-pipe2.diff: rebased.
     - patches/hurd-i386/tg-socket_flags.diff: rebased.
     - patches/hurd-i386/tg2.25-tls.diff: rebased.
     - patches/hurd-i386/tg2.26-sched_param.diff: New patch.
     - patches/hurd-i386/git-sigsetops.h.diff: New patch.
     - patches/hurd-i386/git-sigsetops-2.h.diff: New patch.
     - patches/hurd-i386/git-sigsetops-3.h.diff: New patch.
     - patches/hurd-i386/tg2.26-sigsetops.h.diff: New patch.
     - patches/hurd-i386/git-bits_socket.h.diff: New patch.
     - patches/hurd-i386/git-preadwritev2.diff: New patch.
     - patches/hurd-i386/git-preadwritev2-2.diff: New patch.
     - patches/hurd-i386/git-preadwritev2-3.diff: New patch.
     - patches/hurd-i386/git-rtld-access.diff: New patch.
     - patches/hurd-i386/git-rtld-sbrk.diff: New patch.
     - patches/hurd-i386/git-rtld-sbrk-2.diff: New patch.
     - patches/hurd-i386/git-divdi.diff: New patch.
     - patches/hurd-i386/git-feraiseexcept.diff: New patch.
     - patches/hurd-i386/cvs-libpthread.diff: Update.
     - patches/hurd-i386/git-libpthread-2.26.diff: New patch.
     - patches/hurd-i386/git-i386-implies-x86.diff: New patch.
     - patches/hurd-i386/git-x86-tunables.diff: New patch.
     - patches/hurd-i386/git-rtld-strtoul_internal.diff: New patch.
     - patches/hurd-i386/git-clone.diff: New patch.
     - patches/hurd-i386/git-gethostname.diff: New patch.
     - patches/hurd-i386/cvs-libpthread-sigstate.diff: Remove unused merged
     patch.
     - patches/hurd-i386/cvs-send-recv-posix.diff: Remove unused merged patch.
     - patches/hurd-i386/cvs-truncate64.diff: Remove unused merged patch.
     - patches/hurd-i386/git-tst-udp-timeout.diff: New patch.
     - patches/hurd-i386/git-tst-udp-nonblocking.diff: New patch.
     - patches/hurd-i386/unsubmitted-exp-hidden-jump.diff: New patch.
     - patches/hurd-i386/git-hidden-def.diff: New patch.
     - patches/hurd-i386/git-hidden-def.diff-2: New patch.
     - patches/hurd-i386/git-dl-sysdep-check.diff: New patch.
     - patches/hurd-i386/git-socket-limit.diff: New patch.
     - patches/hurd-i386/tg-thread-linkspace.diff: New patch.
     - patches/hurd-i386/git-clock_gettime_gettimeofday.diff: New patch.
     - patches/hurd-i386/tg-gsync-libc.diff: Update.
     - patches/hurd-i386/tg-libpthread-gsync-mutex.diff: Update.
     - patches/hurd-i386/tg-sendmsg-SCM_CREDS.diff: Update.
     - patches/hurd-i386/git-sigsuspend_not_cancel.diff: New patch.
     - patches/hurd-i386/tg-sysvshm.diff: Update.
     - patches/hurd-i386/tg-ifaddrs_v6.diff: Update.
     - patches/hurd-i386/git-dirfd-linknamespace.diff: New patch.
     - patches/hurd-i386/git-revoke-linknamespace.diff: New patch.
     - patches/hurd-i386/git-seekdir-linknamespace.diff: New patch.
     - patches/hurd-i386/git-ifaddrs-linknamespace.diff: New patch.
     - patches/hurd-i386/git-NO_HIDDEN.diff: New patch.
     - patches/hurd-i386/unsubmitted-NO_HIDDEN.diff: Remove patch.
     - patches/hurd-i386/unsubmitted-exp-hidden-jump.diff: Remove patch.
     - testsuite-xfail-debian.mk: Update.
     - testsuite-xfail-debian.mk: Remove now-removed XPG3 entries.
 .
   [ Aurelien Jarno ]
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - Fix buffer overflow in glob with GLOB_TILDE (CVE-2017-15670).  Closes:
       #879501.
     - Fix memory leak in glob with GLOB_TILDE (CVE-2017-15671).  Closes:
       #879500.
   * debian/rules, debian/control.in/main: build with GCC 7.
   * debian/testsuite-xfail-debian.mk: remove a few XFAIL on s390x that were
     due to GCC 6 issues.
   * debian/testsuite-xfail-debian.mk: drop support for s390.
   * debian/testsuite-xfail-debian.mk: Use granular fma XFAIL on mips*.
   * debian/testsuite-xfail-debian.mk: mark misc/tst-set_ppr as XFAIL on
     powerpc as it requires a recent CPU or a recent kernel for CPU feature
     detection.
   * debian/patches/any/local-libgcc-compat-{abilists,main,ports}.diff: drop
     workaround for binaries built with some broken versions of GCC 3.2 more
     than 10 years ago.
   * debian/testsuite-xfail-debian.mk: remove many XFAIL from mips, mipsel and
     mips64el.




Added tag(s) pending. Request was from Aurelien Jarno <aurelien@aurel32.net> to control@bugs.debian.org. (Sat, 02 Dec 2017 10:09:02 GMT)


Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#879500. (Sat, 02 Dec 2017 10:09:09 GMT)


Message #24 received at 879500-submitter@bugs.debian.org:

From: Aurelien Jarno <aurelien@aurel32.net>
To: 879500-submitter@bugs.debian.org
Subject: Bug#879500 marked as pending
Date: Sat, 02 Dec 2017 10:07:05 +0000

tag 879500 pending
thanks

Hello,

Bug #879500 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?id=edb4b06

---
commit edb4b06a022b194efbf1b7b3a72e2de1cb302035
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sat Dec 2 11:05:46 2017 +0100

    debian/patches/git-updates.diff: update from upstream stable branch:
    
    * debian/patches/git-updates.diff: update from upstream stable branch:
      - Fix buffer overflow in glob with GLOB_TILDE (CVE-2017-15670).  Closes:
        #879501.
      - Fix memory leak in glob with GLOB_TILDE (CVE-2017-15671).  Closes:
        #879500.
      - Fix a buffer overflow in glob with GLOB_TILDE in unescaping
        (CVE-2017-15804).  Closes: #879955.

diff --git a/debian/changelog b/debian/changelog
index d133153..e072fe9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,12 @@ glibc (2.25-3) UNRELEASED; urgency=medium
     - Fix assertion failure in posix_spawn().  Closes: #882794.
     - Fix missing posix_fadvise64 from static mips64el build. Closes:
       #883186.
+    - Fix buffer overflow in glob with GLOB_TILDE (CVE-2017-15670).  Closes:
+      #879501.
+    - Fix memory leak in glob with GLOB_TILDE (CVE-2017-15671).  Closes:
+      #879500.
+    - Fix a buffer overflow in glob with GLOB_TILDE in unescaping
+      (CVE-2017-15804).  Closes: #879955.
   * debian/patches/any/local-dlfptr.diff: remove, it's not used anymore by
     HPPA and causes issues on IA64.  Closes: #882874.
   * debian/patches/submitted-ldconfig-c-collation.diff: New patch to process
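Review bot: The items for CVE-2017-15670 and CVE-2017-15804 are worded almost identically ("Fix buffer overflow in glob with GLOB_TILDE" and "Fix a buffer overflow in glob with GLOB_TILDE in unescaping"), which makes them easy to read as one fix listed twice. Use the same article style in both and state what distinguishes the first overflow, the way the third item does with "in unescaping".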



Reply sent to Aurelien Jarno <aurel32@debian.org>:
You have taken responsibility. (Sat, 02 Dec 2017 11:51:09 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 02 Dec 2017 11:51:09 GMT)


Message #29 received at 879500-close@bugs.debian.org:

From: Aurelien Jarno <aurel32@debian.org>
To: 879500-close@bugs.debian.org
Subject: Bug#879500: fixed in glibc 2.25-3
Date: Sat, 02 Dec 2017 11:49:15 +0000

Source: glibc
Source-Version: 2.25-3

We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879500@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 02 Dec 2017 11:07:17 +0100
Source: glibc
Binary: libc-bin libc-dev-bin libc-l10n glibc-doc glibc-source locales locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-pic libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-pic libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc libc6-dev-sparc libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64 libc6-mips32 libc6-dev-mips32 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc0.1-i386 libc0.1-dev-i386 libc6-x32 libc6-dev-x32 libc6-xen libc0.3-xen libc6.1-alphaev67
Architecture: source
Version: 2.25-3
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Description:
 glibc-doc  - GNU C Library: Documentation
 glibc-source - GNU C Library: sources
 libc-bin   - GNU C Library: Binaries
 libc-dev-bin - GNU C Library: Development binaries
 libc-l10n  - GNU C Library: localization files
 libc0.1    - GNU C Library: Shared libraries
 libc0.1-dbg - GNU C Library: detached debugging symbols
 libc0.1-dev - GNU C Library: Development Libraries and Header Files
 libc0.1-dev-i386 - GNU C Library: 32bit development libraries for AMD64
 libc0.1-i386 - GNU C Library: 32bit shared libraries for AMD64
 libc0.1-pic - GNU C Library: PIC archive library
 libc0.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3    - GNU C Library: Shared libraries
 libc0.3-dbg - GNU C Library: detached debugging symbols
 libc0.3-dev - GNU C Library: Development Libraries and Header Files
 libc0.3-pic - GNU C Library: PIC archive library
 libc0.3-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3-xen - GNU C Library: Shared libraries [Xen version]
 libc6      - GNU C Library: Shared libraries
 libc6-amd64 - GNU C Library: 64bit Shared libraries for AMD64
 libc6-dbg  - GNU C Library: detached debugging symbols
 libc6-dev  - GNU C Library: Development Libraries and Header Files
 libc6-dev-amd64 - GNU C Library: 64bit Development Libraries for AMD64
 libc6-dev-i386 - GNU C Library: 32-bit development libraries for AMD64
 libc6-dev-mips32 - GNU C Library: o32 Development Libraries for MIPS
 libc6-dev-mips64 - GNU C Library: 64bit Development Libraries for MIPS64
 libc6-dev-mipsn32 - GNU C Library: n32 Development Libraries for MIPS64
 libc6-dev-powerpc - GNU C Library: 32bit powerpc development libraries for ppc64
 libc6-dev-ppc64 - GNU C Library: 64bit Development Libraries for PowerPC64
 libc6-dev-s390 - GNU C Library: 32bit Development Libraries for IBM zSeries
 libc6-dev-sparc - GNU C Library: 32bit Development Libraries for SPARC
 libc6-dev-sparc64 - GNU C Library: 64bit Development Libraries for UltraSPARC
 libc6-dev-x32 - GNU C Library: X32 ABI Development Libraries for AMD64
 libc6-i386 - GNU C Library: 32-bit shared libraries for AMD64
 libc6-mips32 - GNU C Library: o32 Shared libraries for MIPS
 libc6-mips64 - GNU C Library: 64bit Shared libraries for MIPS64
 libc6-mipsn32 - GNU C Library: n32 Shared libraries for MIPS64
 libc6-pic  - GNU C Library: PIC archive library
 libc6-powerpc - GNU C Library: 32bit powerpc shared libraries for ppc64
 libc6-ppc64 - GNU C Library: 64bit Shared libraries for PowerPC64
 libc6-s390 - GNU C Library: 32bit Shared libraries for IBM zSeries
 libc6-sparc - GNU C Library: 32bit Shared libraries for SPARC
 libc6-sparc64 - GNU C Library: 64bit Shared libraries for UltraSPARC
 libc6-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc6-x32  - GNU C Library: X32 ABI Shared libraries for AMD64
 libc6-xen  - GNU C Library: Shared libraries [Xen version]
 libc6.1    - GNU C Library: Shared libraries
 libc6.1-alphaev67 - GNU C Library: Shared libraries (EV67 optimized)
 libc6.1-dbg - GNU C Library: detached debugging symbols
 libc6.1-dev - GNU C Library: Development Libraries and Header Files
 libc6.1-pic - GNU C Library: PIC archive library
 libc6.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 locales    - GNU C Library: National Language (locale) data [support]
 locales-all - GNU C Library: Precompiled locale data
 multiarch-support - Transitional package to ensure multiarch compatibility
 nscd       - GNU C Library: Name Service Cache Daemon
Closes: 879500 879501 879955 882255 882794 882874 883012 883186 883285
Changes:
 glibc (2.25-3) unstable; urgency=medium
 .
   [ Aurelien Jarno ]
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - Fix assertion failure in posix_spawn().  Closes: #882794.
     - Fix missing posix_fadvise64 from static mips64el build. Closes:
       #883186.
     - Fix buffer overflow in glob with GLOB_TILDE (CVE-2017-15670).  Closes:
       #879501.
     - Fix memory leak in glob with GLOB_TILDE (CVE-2017-15671).  Closes:
       #879500.
     - Fix a buffer overflow in glob with GLOB_TILDE in unescaping
       (CVE-2017-15804).  Closes: #879955.
   * debian/patches/any/local-dlfptr.diff: remove, it's not used anymore by
     HPPA and causes issues on IA64.  Closes: #882874.
   * debian/patches/submitted-ldconfig-c-collation.diff: New patch to process
     include directives in ldconfig using the C/POSIX collation.
   * debian/patches/ia64/git-ia64-crash-thread-exit.diff: Fix crash on thread
     exit on IA64.  Closes: #883285.
   * debian/sysdeps/x32.mk: set the minimum kernel version to 2.6.32 for the
     libc6-amd64:x32 and libc6-i386:x32 flavours, to match libc6:amd64 and
     libc6:i386.  Closes: #882255.
   * debian/sysdeps/linux.mk: note that all builds for a given gnu triplet
     have the same minimum kernel version.
 .
   [ Samuel Thibault ]
   * libc0.3.symbols.hurd-i386: Update against newer hurd definitions.
   * control: Bump dependency accordingly.
 .
   [ Jason Duerstock ]
   * debian/control.in/libc, debian/control.in/main, debian/rules.d/control.mk:
     Add support for IA64.  Closes: #883012.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 05 Jan 2018 07:24:56 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:25:09 2019; Machine Name: beach