Package: libc6; Maintainer for libc6 is GNU Libc Maintainers <debian-glibc@lists.debian.org>; Source for libc6 is src:glibc.
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Sun, 22 Oct 2017 10:45:06 UTC
Severity: important
Tags: fixed-upstream, security, upstream
Found in version glibc/2.24-17
Fixed in versions glibc/2.26-0experimental0, glibc/2.25-3
Done: Aurelien Jarno <aurel32@debian.org>
Bug is archived. No further changes may be made.
Forwarded to https://sourceware.org/bugzilla/show_bug.cgi?id=22325
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>: Bug#879500; Package libc6. (Sun, 22 Oct 2017 10:45:08 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Sun, 22 Oct 2017 10:45:08 GMT)
Message #5 received at submit@bugs.debian.org:
Package: libc6
Version: 2.24-17
Severity: important
Tags: security

Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671:

The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak).

Upstream bug is https://sourceware.org/bugzilla/show_bug.cgi?id=22325

Fix is here:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c66c908230169c1bab1f83b071eb585baa214b9f

Cheers,
Moritz
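The report above names the affected input class (a `~user` pattern with a long user name, processed under GLOB_TILDE) and the upstream range (glibc before 2.27). The following C program is an added example, not part of the bug report and not glibc's own code: it gates on the running glibc version and wraps glob(3) so that patterns arriving from untrusted input never reach the tilde-expansion path at all. `glob`, `globfree`, `GLOB_TILDE`, `GLOB_TILDE_CHECK` and `gnu_get_libc_version` are real glibc interfaces; `libc_version_before`, `running_libc_affected`, `pattern_uses_tilde`, `sanitize_glob_flags`, `safe_glob`, the `untrusted` argument and the constructed sample pattern are this example's own.

```c
/* Added example (not from the bug report or from glibc): a defensive
 * wrapper around glob(3) for code that globs user-supplied patterns, plus
 * a version gate for the upstream range named in the CVE text (< 2.27).
 * All function names and the "untrusted" flag are this example's own. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <glob.h>
#include <stdio.h>
#include <string.h>
#ifdef __GLIBC__
#include <gnu/libc-version.h>   /* gnu_get_libc_version() */
#endif

/* Parse a "MAJOR.MINOR[...]" version string and report whether it is older
 * than major.minor.  Unparsable input is treated as affected (fail closed). */
int libc_version_before(const char *ver, int major, int minor)
{
    int vmaj = 0, vmin = 0;
    if (ver == NULL || sscanf(ver, "%d.%d", &vmaj, &vmin) != 2)
        return 1;
    if (vmaj != major)
        return vmaj < major;
    return vmin < minor;
}

/* Is the running C library inside the upstream range the advisory names?
 * Distributions that backport fixes (the Debian 2.24/2.25 packages in this
 * bug log) need the package version checked as well; this only looks at
 * the upstream number, so it over-reports on such systems. */
int running_libc_affected(void)
{
#ifdef __GLIBC__
    return libc_version_before(gnu_get_libc_version(), 2, 27);
#else
    return 0;   /* not glibc: this glibc-specific bug does not apply */
#endif
}

/* GLOB_TILDE only acts on patterns whose first character is '~'. */
int pattern_uses_tilde(const char *pattern)
{
    return pattern != NULL && pattern[0] == '~';
}

/* For a pattern from an untrusted source, drop the tilde-expansion flags so
 * the ~user lookup path (where the leak lives) is never entered with an
 * attacker-chosen user name; the '~' is then matched literally.  Trusted
 * patterns keep their flags unchanged. */
int sanitize_glob_flags(const char *pattern, int flags, int untrusted)
{
    if (untrusted && pattern_uses_tilde(pattern))
        flags &= ~(GLOB_TILDE | GLOB_TILDE_CHECK);
    return flags;
}

/* glob(3) with sanitised flags; the return value is glob's own. */
int safe_glob(const char *pattern, int flags, int untrusted, glob_t *pg)
{
    return glob(pattern, sanitize_glob_flags(pattern, flags, untrusted), NULL, pg);
}

int main(void)
{
    /* Constructed input: a "~user" pattern whose user name is far longer
     * than any real account name. */
    char pattern[2048];
    memset(pattern, 'x', sizeof pattern - 1);
    pattern[0] = '~';
    pattern[sizeof pattern - 1] = '\0';

    glob_t g;
    memset(&g, 0, sizeof g);
    int rc = safe_glob(pattern, GLOB_TILDE, /* untrusted = */ 1, &g);
    printf("running C library in affected upstream range: %s\n",
           running_libc_affected() ? "yes" : "no");
    printf("safe_glob on untrusted ~<long name> pattern -> %d (%s)\n", rc,
           rc == GLOB_NOMATCH ? "GLOB_NOMATCH, '~' matched literally" : "other");
    globfree(&g);
    return 0;
}
```

The wrapper changes semantics for untrusted callers: a leading `~` is no longer expanded, which is the intended outcome when the pattern comes from a request or a config file an outside party can write. Callers that genuinely need home-directory expansion should resolve the user themselves (with a bounded name length) and hand glob(3) an absolute path instead.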
Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 27 Oct 2017 15:33:07 GMT)
Set Bug forwarded-to-address to 'https://sourceware.org/bugzilla/show_bug.cgi?id=22325'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 27 Oct 2017 16:09:08 GMT)
Added tag(s) pending. Request was from Aurelien Jarno <aurelien@aurel32.net> to control@bugs.debian.org. (Sat, 18 Nov 2017 13:18:05 GMT)
Message sent on to Moritz Muehlenhoff <jmm@debian.org>: Bug#879500. (Sat, 18 Nov 2017 13:18:09 GMT)
Message #14 received at 879500-submitter@bugs.debian.org:
tag 879500 pending
thanks

Hello,

Bug #879500 reported by you has been fixed in the Git repository. You can see the changelog below, and you can check the diff of the fix at:

https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?id=80f1bf4

---
commit 80f1bf4829f404bedc2286c2906071ab228a03b9
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sat Nov 18 14:06:22 2017 +0100

    debian/patches/git-updates.diff: update from upstream stable branch:

    * debian/patches/git-updates.diff: update from upstream stable branch:
      - Fix buffer overflow in glob with GLOB_TILDE (CVE-2017-15670). Closes: #879501.
      - Fix memory leak in glob with GLOB_TILDE (CVE-2017-15671). Closes: #879500.

diff --git a/debian/changelog b/debian/changelog index 9ed3c70..5a87a5b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -32,8 +32,6 @@ glibc (2.26-0experimental0) UNRELEASED; urgency=medium defining __HAVE_FLOAT128 on NVIDIA's CUDA compilers (LP: #1717257) - debian/patches/arm/git-arm64-memcmp.diff: Backport optimized memcmp for AArch64, improving performance from 25% to 500% (LP: #1720832) - - debian/patches/amd64/git-x86_64-search.diff: Backport upstream commit - to put x86_64 back in the search path, like in 2.25 (LP: #1718928) - debian/control.in/libc: Drop ancient Breaks satisfied in oldoldstable. - debian/{debhelper.in/libc.preinst,sysdeps/amd64.mk,sysdeps/i386.mk}: Bump MIN_KERNEL_SUPPORTED to 3.2 on x86, following upstream's change. @@ -104,6 +102,13 @@ glibc (2.26-0experimental0) UNRELEASED; urgency=medium - testsuite-xfail-debian.mk: Update. - testsuite-xfail-debian.mk: Remove now-removed XPG3 entries. + [ Aurelien Jarno ] + * debian/patches/git-updates.diff: update from upstream stable branch: + - Fix buffer overflow in glob with GLOB_TILDE (CVE-2017-15670). Closes: + #879501. + - Fix memory leak in glob with GLOB_TILDE (CVE-2017-15671). Closes: + #879500. + -- Adam Conrad <adconrad@0c3.net> Sat, 02 Sep 2017 12:15:10 -0600 glibc (2.25-1) unstable; urgency=medium
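Review bot: the first changelog hunk (`@@ -32,8 +32,6 @@`) deletes an entry the commit message never mentions, `- debian/patches/amd64/git-x86_64-search.diff: Backport upstream commit` / `to put x86_64 back in the search path, like in 2.25 (LP: #1718928)`; either keep that entry or state in the commit message why it goes away (for instance, if the refreshed git-updates.diff now carries that upstream commit and the separate backport was dropped), so the changelog history stays reviewable.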
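Review bot: the second hunk (`@@ -104,6 +102,13 @@`) records the CVE-2017-15670 and CVE-2017-15671 fixes in debian/changelog only; the refreshed debian/patches/git-updates.diff that actually carries the upstream glob.c changes is not in this excerpt, so the fix itself has to be checked at the linked commit (https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?id=80f1bf4), in particular that the update includes upstream commit c66c908230169c1bab1f83b071eb585baa214b9f named in the bug report.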
Reply sent to Aurelien Jarno <aurel32@debian.org>: You have taken responsibility. (Sun, 19 Nov 2017 12:24:03 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Sun, 19 Nov 2017 12:24:03 GMT)
Message #19 received at 879500-close@bugs.debian.org:
Source: glibc
Source-Version: 2.26-0experimental0

We believe that the bug you reported is fixed in the latest version of glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 879500@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 19 Nov 2017 12:49:13 +0100
Source: glibc
Binary: libc-bin libc-dev-bin libc-l10n glibc-doc glibc-source locales locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-pic libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-pic libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc libc6-dev-sparc libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64 libc6-mips32 libc6-dev-mips32 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc0.1-i386 libc0.1-dev-i386 libc6-x32 libc6-dev-x32 libc6-xen libc0.3-xen libc6.1-alphaev67
Architecture: source
Version: 2.26-0experimental0
Distribution: experimental
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Description:
 glibc-doc - GNU C Library: Documentation
 glibc-source - GNU C Library: sources
 libc-bin - GNU C Library: Binaries
 libc-dev-bin - GNU C Library: Development binaries
 libc-l10n - GNU C Library: localization files
 libc0.1 - GNU C Library: Shared libraries
 libc0.1-dbg - GNU C Library: detached debugging symbols
 libc0.1-dev - GNU C Library: Development Libraries and Header Files
 libc0.1-dev-i386 - GNU C Library: 32bit development libraries for AMD64
 libc0.1-i386 - GNU C Library: 32bit shared libraries for AMD64
 libc0.1-pic - GNU C Library: PIC archive library
 libc0.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3 - GNU C Library: Shared libraries
 libc0.3-dbg - GNU C Library: detached debugging symbols
 libc0.3-dev - GNU C Library: Development Libraries and Header Files
 libc0.3-pic - GNU C Library: PIC archive library
 libc0.3-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3-xen - GNU C Library: Shared libraries [Xen version]
 libc6 - GNU C Library: Shared libraries
 libc6-amd64 - GNU C Library: 64bit Shared libraries for AMD64
 libc6-dbg - GNU C Library: detached debugging symbols
 libc6-dev - GNU C Library: Development Libraries and Header Files
 libc6-dev-amd64 - GNU C Library: 64bit Development Libraries for AMD64
 libc6-dev-i386 - GNU C Library: 32-bit development libraries for AMD64
 libc6-dev-mips32 - GNU C Library: o32 Development Libraries for MIPS
 libc6-dev-mips64 - GNU C Library: 64bit Development Libraries for MIPS64
 libc6-dev-mipsn32 - GNU C Library: n32 Development Libraries for MIPS64
 libc6-dev-powerpc - GNU C Library: 32bit powerpc development libraries for ppc64
 libc6-dev-ppc64 - GNU C Library: 64bit Development Libraries for PowerPC64
 libc6-dev-s390 - GNU C Library: 32bit Development Libraries for IBM zSeries
 libc6-dev-sparc - GNU C Library: 32bit Development Libraries for SPARC
 libc6-dev-sparc64 - GNU C Library: 64bit Development Libraries for UltraSPARC
 libc6-dev-x32 - GNU C Library: X32 ABI Development Libraries for AMD64
 libc6-i386 - GNU C Library: 32-bit shared libraries for AMD64
 libc6-mips32 - GNU C Library: o32 Shared libraries for MIPS
 libc6-mips64 - GNU C Library: 64bit Shared libraries for MIPS64
 libc6-mipsn32 - GNU C Library: n32 Shared libraries for MIPS64
 libc6-pic - GNU C Library: PIC archive library
 libc6-powerpc - GNU C Library: 32bit powerpc shared libraries for ppc64
 libc6-ppc64 - GNU C Library: 64bit Shared libraries for PowerPC64
 libc6-s390 - GNU C Library: 32bit Shared libraries for IBM zSeries
 libc6-sparc - GNU C Library: 32bit Shared libraries for SPARC
 libc6-sparc64 - GNU C Library: 64bit Shared libraries for UltraSPARC
 libc6-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc6-x32 - GNU C Library: X32 ABI Shared libraries for AMD64
 libc6-xen - GNU C Library: Shared libraries [Xen version]
 libc6.1 - GNU C Library: Shared libraries
 libc6.1-alphaev67 - GNU C Library: Shared libraries (EV67 optimized)
 libc6.1-dbg - GNU C Library: detached debugging symbols
 libc6.1-dev - GNU C Library: Development Libraries and Header Files
 libc6.1-pic - GNU C Library: PIC archive library
 libc6.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 locales - GNU C Library: National Language (locale) data [support]
 locales-all - GNU C Library: Precompiled locale data
 multiarch-support - Transitional package to ensure multiarch compatibility
 nscd - GNU C Library: Name Service Cache Daemon
Closes: 879500 879501
Changes:
 glibc (2.26-0experimental0) experimental; urgency=medium
 .
   [ Adam Conrad ]
   * New upstream release (LP: #1703368), with git updates to 2017-10-10:
     - debian/{symbols.wildcards,control}: Update and regen for 2.26.
     - debian/patches/alpha/submitted-termios_h.diff: upstreamed.
     - debian/patches/arm/submitted-strip-bit-0.diff: upstreamed.
     - debian/patches/hurd-i386/git-__inet6_scopeid_pton.diff: upstreamed.
     - debian/patches/any/submitted-string2-strcmp.diff: obsolete.
     - debian/patches/any/local-tst-writev.diff: fixed upstream.
     - debian/patches/any/local-dynamic-resolvconf.diff: fixed upstream.
     - debian/patches/any/submitted-unicode-9.0.0.diff: obsolete.
     - debian/patches/any/cvs-malloc-hardening.diff: upstreamed.
     - debian/patches/any/local-bits-sigstack.diff: fixed upstream.
     - debian/patches/powerpc/submitted-tst-tlsopt-powerpc.diff: upstreamed.
     - debian/patches/i386/local-cmov.diff: dropped, no longer useful.
     - debian/patches/all/local-ldd.diff: rebased.
     - debian/patches/any/local-ldso-disable-hwcap.diff: rebased.
     - debian/patches/any/local-tcsetaddr.diff: rebased.
     - debian/patches/any/submitted-resolv-unaligned.diff: rebased.
     - debian/patches/arm/local-arm-futex.diff: rebased.
     - debian/patches/hurd-i386/local-ED.diff: rebased.
     - debian/patches/hurd-i386/tg-EGREGIOUS-fr.diff: rebased.
     - debian/patches/hurd-i386/tg-EIEIO-fr.diff: rebased.
     - debian/patches/kfreebsd/submitted-auxv.diff: rebased.
     - debian/patches/kfreebsd/submitted-waitid.diff: rebased.
     - debian/patches/localedata/locales-fr.diff: rebased.
     - debian/patches/sparc/submitted-sparc64-socketcall.diff: rebased.
     - debian/patches/localedata/local-hu_HU-sort.diff: Make testsuite agree with the sorting we see in Debian, may need another look.
     - debian/patches/any/local-cudacc-float128.diff: Local patch to prevent defining __HAVE_FLOAT128 on NVIDIA's CUDA compilers (LP: #1717257)
     - debian/patches/arm/git-arm64-memcmp.diff: Backport optimized memcmp for AArch64, improving performance from 25% to 500% (LP: #1720832)
     - debian/control.in/libc: Drop ancient Breaks satisfied in oldoldstable.
     - debian/{debhelper.in/libc.preinst,sysdeps/amd64.mk,sysdeps/i386.mk}: Bump MIN_KERNEL_SUPPORTED to 3.2 on x86, following upstream's change.
     - debian/sysdeps/{powerpc.mk,ppc64.mk,s390x.mk}: Disable lock-elision on powerpc and s390, following IBM's recommendation.
     - debian/testsuite-xfail-debian.mk: Re-enable xfailed resolv tests.
     - debian/testsuite-xfail-debian.mk: Allow tst-create-detached to fail on all platforms; the design of this test is such that the outcome relies on cache sizes and noisiness of the build system, which is unreliable.
     - debian/rules.d/build.mk: Configure with --enable-obsolete-nsl until we sort out a reasonable nsswitch migration strategy from compat to files.
 .
   [ Samuel Thibault ]
   * Adjust hurd-i386 patches to restore build and functionality with 2.26:
     - patches/hurd-i386/tg-gsync-libc.diff: rebased.
     - patches/hurd-i386/tg-hurdsig-global-dispositions.diff: rebased.
     - patches/hurd-i386/tg-pipe2.diff: rebased.
     - patches/hurd-i386/tg-socket_flags.diff: rebased.
     - patches/hurd-i386/tg2.25-tls.diff: rebased.
     - patches/hurd-i386/tg2.26-sched_param.diff: New patch.
     - patches/hurd-i386/git-sigsetops.h.diff: New patch.
     - patches/hurd-i386/git-sigsetops-2.h.diff: New patch.
     - patches/hurd-i386/git-sigsetops-3.h.diff: New patch.
     - patches/hurd-i386/tg2.26-sigsetops.h.diff: New patch.
     - patches/hurd-i386/git-bits_socket.h.diff: New patch.
     - patches/hurd-i386/git-preadwritev2.diff: New patch.
     - patches/hurd-i386/git-preadwritev2-2.diff: New patch.
     - patches/hurd-i386/git-preadwritev2-3.diff: New patch.
     - patches/hurd-i386/git-rtld-access.diff: New patch.
     - patches/hurd-i386/git-rtld-sbrk.diff: New patch.
     - patches/hurd-i386/git-rtld-sbrk-2.diff: New patch.
     - patches/hurd-i386/git-divdi.diff: New patch.
     - patches/hurd-i386/git-feraiseexcept.diff: New patch.
     - patches/hurd-i386/cvs-libpthread.diff: Update.
     - patches/hurd-i386/git-libpthread-2.26.diff: New patch.
     - patches/hurd-i386/git-i386-implies-x86.diff: New patch.
     - patches/hurd-i386/git-x86-tunables.diff: New patch.
     - patches/hurd-i386/git-rtld-strtoul_internal.diff: New patch.
     - patches/hurd-i386/git-clone.diff: New patch.
     - patches/hurd-i386/git-gethostname.diff: New patch.
     - patches/hurd-i386/cvs-libpthread-sigstate.diff: Remove unused merged patch.
     - patches/hurd-i386/cvs-send-recv-posix.diff: Remove unused merged patch.
     - patches/hurd-i386/cvs-truncate64.diff: Remove unused merged patch.
     - patches/hurd-i386/git-tst-udp-timeout.diff: New patch.
     - patches/hurd-i386/git-tst-udp-nonblocking.diff: New patch.
     - patches/hurd-i386/unsubmitted-exp-hidden-jump.diff: New patch.
     - patches/hurd-i386/git-hidden-def.diff: New patch.
     - patches/hurd-i386/git-hidden-def.diff-2: New patch.
     - patches/hurd-i386/git-dl-sysdep-check.diff: New patch.
     - patches/hurd-i386/git-socket-limit.diff: New patch.
     - patches/hurd-i386/tg-thread-linkspace.diff: New patch.
     - patches/hurd-i386/git-clock_gettime_gettimeofday.diff: New patch.
     - patches/hurd-i386/tg-gsync-libc.diff: Update.
     - patches/hurd-i386/tg-libpthread-gsync-mutex.diff: Update.
     - patches/hurd-i386/tg-sendmsg-SCM_CREDS.diff: Update.
     - patches/hurd-i386/git-sigsuspend_not_cancel.diff: New patch.
     - patches/hurd-i386/tg-sysvshm.diff: Update.
     - patches/hurd-i386/tg-ifaddrs_v6.diff: Update.
     - patches/hurd-i386/git-dirfd-linknamespace.diff: New patch.
     - patches/hurd-i386/git-revoke-linknamespace.diff: New patch.
     - patches/hurd-i386/git-seekdir-linknamespace.diff: New patch.
     - patches/hurd-i386/git-ifaddrs-linknamespace.diff: New patch.
     - patches/hurd-i386/git-NO_HIDDEN.diff: New patch.
     - patches/hurd-i386/unsubmitted-NO_HIDDEN.diff: Remove patch.
     - patches/hurd-i386/unsubmitted-exp-hidden-jump.diff: Remove patch.
     - testsuite-xfail-debian.mk: Update.
     - testsuite-xfail-debian.mk: Remove now-removed XPG3 entries.
 .
   [ Aurelien Jarno ]
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - Fix buffer overflow in glob with GLOB_TILDE (CVE-2017-15670). Closes: #879501.
     - Fix memory leak in glob with GLOB_TILDE (CVE-2017-15671). Closes: #879500.
   * debian/rules, debian/control.in/main: build with GCC 7.
   * debian/testsuite-xfail-debian.mk: remove a few XFAIL on s390x that were due to GCC 6 issues.
   * debian/testsuite-xfail-debian.mk: drop support for s390.
   * debian/testsuite-xfail-debian.mk: Use granular fma XFAIL on mips*.
   * debian/testsuite-xfail-debian.mk: mark misc/tst-set_ppr as XFAIL on powerpc as it requires a recent CPU or a recent kernel for CPU feature detection.
   * debian/patches/any/local-libgcc-compat-{abilists,main,ports}.diff: drop workaround for binaries built with some broken versions of GCC 3.2 more than 10 years ago.
   * debian/testsuite-xfail-debian.mk: remove many XFAIL from mips, mipsel and mips64el.
Checksums-Sha1:
 1e18de8b86b6ecc4791b62ac11e225a79da1ec31 8241 glibc_2.26-0experimental0.dsc
 3e7cab60063b32c1eb15e71065e3380e81d29222 15270760 glibc_2.26.orig.tar.xz
 5027e213fa408bdb8f82e536e5d31a45bc47614a 1053392 glibc_2.26-0experimental0.debian.tar.xz
 a198dffb282480a700f9a7bb81c1d8256ec70c47 7507 glibc_2.26-0experimental0_source.buildinfo
Checksums-Sha256:
 ccdca9afc387175c29f379f577de334c694a4624340c14d6f4142063a1be246d 8241 glibc_2.26-0experimental0.dsc
 38afc835050aa0850fbe15b10a7b18b7c1c70dc5a2fdf980762f3ad49e771870 15270760 glibc_2.26.orig.tar.xz
 5c0b0fd2909d3b96728ec2f2c2dfd8b82803bcf55a4727ac1869a6feca21eed0 1053392 glibc_2.26-0experimental0.debian.tar.xz
 feb0d6e6dcaea6fe2305346de77dd8f2867dde9e3c1c882a56b3420532e0b113 7507 glibc_2.26-0experimental0_source.buildinfo
Files:
 24984ce7e27a948453e34e59446aab40 8241 libs required glibc_2.26-0experimental0.dsc
 666ae66c12aeedd26a3a4c550ee79eaf 15270760 libs required glibc_2.26.orig.tar.xz
 9173ae85f2d5af45d0dbe020007c9507 1053392 libs required glibc_2.26-0experimental0.debian.tar.xz
 1ac44d995509e0e76dd006e8a6d7a5f2 7507 libs required glibc_2.26-0experimental0_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEd0YmQqnvlP0Pdxltupx4Bh4djJsFAloRcL0ACgkQupx4Bh4d
jJsDORAAuGa3frswNKfHZIkSLgTnNrhE4NZ6+Y2gg5WIhVHNFmQwf+ub4zLQzwFD
EJmpzZDnVerTw9+74EPXzTxJgaIW/0YiP93tPGAMLR19v/5FkQUvCYmlCX/T/aTc
clb0UkBLbVfQrdslimp+fKoBJ+ulInbjBhKkz2TiPWqQcfNFAIyH1+awydmZ6G+t
jANNH75SrTSYwNmP8zz5PiFLRSx9Aau0M18oqG7Y/tbv9PiJ0TXzvLICHdOZAZDV
7e36ep+/J0c7RDhwQhHDs2Govy4EdSyG6oah6XFbqq/MkPn4tLAC7LtzzR3IbwQG
8Q2Z6zvGIcJS6cNLZd+s2O404O5Mprah93mP07+ZvzKcDujpiM5HERDUeQ+jV5pJ
BNE7Da5TL8DheyrSpzomhjrcnY66sWBq7LSmYbdIkURnHpHB1+jthqzlB2N6FnfC
X7r/G44FCVWKJeBwJux4Gjs5jaJ3qp2cAT5haaflWVYxGLgKb5fEMNbmn19hLteS
BBmyA0lNl7l6mJPVkSPhZ7w0VOyLUU2/KhXuakVvBOId5pepafj2WRmu+HGuxx31
e79y7yNCmHz2Iw2BJSU3eHy/VW3IpPkOl9Jk6mmvuHjVysSIwOVhl5eSGPW+uYoK
jLkRCNQUoSiEOmLd1gxMQJ4FH4WoGe5g8x3cBeU9yriVV32kr8s=
=/i8d
-----END PGP SIGNATURE-----
Added tag(s) pending. Request was from Aurelien Jarno <aurelien@aurel32.net> to control@bugs.debian.org. (Sat, 02 Dec 2017 10:09:02 GMT)
Message sent on to Moritz Muehlenhoff <jmm@debian.org>: Bug#879500. (Sat, 02 Dec 2017 10:09:09 GMT)
Message #24 received at 879500-submitter@bugs.debian.org:
tag 879500 pending
thanks

Hello,

Bug #879500 reported by you has been fixed in the Git repository. You can see the changelog below, and you can check the diff of the fix at:

https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?id=edb4b06

---
commit edb4b06a022b194efbf1b7b3a72e2de1cb302035
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sat Dec 2 11:05:46 2017 +0100

    debian/patches/git-updates.diff: update from upstream stable branch:

    * debian/patches/git-updates.diff: update from upstream stable branch:
      - Fix buffer overflow in glob with GLOB_TILDE (CVE-2017-15670). Closes: #879501.
      - Fix memory leak in glob with GLOB_TILDE (CVE-2017-15671). Closes: #879500.
      - Fix a buffer overflow in glob with GLOB_TILDE in unescaping (CVE-2017-15804). Closes: #879955.

diff --git a/debian/changelog b/debian/changelog index d133153..e072fe9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,12 @@ glibc (2.25-3) UNRELEASED; urgency=medium - Fix assertion failure in posix_spawn(). Closes: #882794. - Fix missing posix_fadvise64 from static mips64el build. Closes: #883186. + - Fix buffer overflow in glob with GLOB_TILDE (CVE-2017-15670). Closes: + #879501. + - Fix memory leak in glob with GLOB_TILDE (CVE-2017-15671). Closes: + #879500. + - Fix a buffer overflow in glob with GLOB_TILDE in unescaping + (CVE-2017-15804). Closes: #879955. * debian/patches/any/local-dlfptr.diff: remove, it's not used anymore by HPPA and causes issues on IA64. Closes: #882874. * debian/patches/submitted-ldconfig-c-collation.diff: New patch to process
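Review bot: this hunk (`@@ -5,6 +5,12 @@`) records a third glob fix, `+ - Fix a buffer overflow in glob with GLOB_TILDE in unescaping` / `+ (CVE-2017-15804). Closes: #879955.`, that the 2.26-0experimental0 commit in message #14 did not carry (it listed only CVE-2017-15670 and CVE-2017-15671); confirm the experimental branch's git-updates.diff is refreshed to include that unescaping fix too, or note in its changelog why it does not apply there. As with the earlier commit, only debian/changelog is in the excerpt, so the glob.c changes themselves have to be verified at the linked commit.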
Reply sent to Aurelien Jarno <aurel32@debian.org>: You have taken responsibility. (Sat, 02 Dec 2017 11:51:09 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Sat, 02 Dec 2017 11:51:09 GMT)
Message #29 received at 879500-close@bugs.debian.org:
Source: glibc
Source-Version: 2.25-3

We believe that the bug you reported is fixed in the latest version of glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 879500@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 02 Dec 2017 11:07:17 +0100
Source: glibc
Binary: libc-bin libc-dev-bin libc-l10n glibc-doc glibc-source locales locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-pic libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-pic libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc libc6-dev-sparc libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64 libc6-mips32 libc6-dev-mips32 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc0.1-i386 libc0.1-dev-i386 libc6-x32 libc6-dev-x32 libc6-xen libc0.3-xen libc6.1-alphaev67
Architecture: source
Version: 2.25-3
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Description:
 glibc-doc - GNU C Library: Documentation
 glibc-source - GNU C Library: sources
 libc-bin - GNU C Library: Binaries
 libc-dev-bin - GNU C Library: Development binaries
 libc-l10n - GNU C Library: localization files
 libc0.1 - GNU C Library: Shared libraries
 libc0.1-dbg - GNU C Library: detached debugging symbols
 libc0.1-dev - GNU C Library: Development Libraries and Header Files
 libc0.1-dev-i386 - GNU C Library: 32bit development libraries for AMD64
 libc0.1-i386 - GNU C Library: 32bit shared libraries for AMD64
 libc0.1-pic - GNU C Library: PIC archive library
 libc0.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3 - GNU C Library: Shared libraries
 libc0.3-dbg - GNU C Library: detached debugging symbols
 libc0.3-dev - GNU C Library: Development Libraries and Header Files
 libc0.3-pic - GNU C Library: PIC archive library
 libc0.3-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3-xen - GNU C Library: Shared libraries [Xen version]
 libc6 - GNU C Library: Shared libraries
 libc6-amd64 - GNU C Library: 64bit Shared libraries for AMD64
 libc6-dbg - GNU C Library: detached debugging symbols
 libc6-dev - GNU C Library: Development Libraries and Header Files
 libc6-dev-amd64 - GNU C Library: 64bit Development Libraries for AMD64
 libc6-dev-i386 - GNU C Library: 32-bit development libraries for AMD64
 libc6-dev-mips32 - GNU C Library: o32 Development Libraries for MIPS
 libc6-dev-mips64 - GNU C Library: 64bit Development Libraries for MIPS64
 libc6-dev-mipsn32 - GNU C Library: n32 Development Libraries for MIPS64
 libc6-dev-powerpc - GNU C Library: 32bit powerpc development libraries for ppc64
 libc6-dev-ppc64 - GNU C Library: 64bit Development Libraries for PowerPC64
 libc6-dev-s390 - GNU C Library: 32bit Development Libraries for IBM zSeries
 libc6-dev-sparc - GNU C Library: 32bit Development Libraries for SPARC
 libc6-dev-sparc64 - GNU C Library: 64bit Development Libraries for UltraSPARC
 libc6-dev-x32 - GNU C Library: X32 ABI Development Libraries for AMD64
 libc6-i386 - GNU C Library: 32-bit shared libraries for AMD64
 libc6-mips32 - GNU C Library: o32 Shared libraries for MIPS
 libc6-mips64 - GNU C Library: 64bit Shared libraries for MIPS64
 libc6-mipsn32 - GNU C Library: n32 Shared libraries for MIPS64
 libc6-pic - GNU C Library: PIC archive library
 libc6-powerpc - GNU C Library: 32bit powerpc shared libraries for ppc64
 libc6-ppc64 - GNU C Library: 64bit Shared libraries for PowerPC64
 libc6-s390 - GNU C Library: 32bit Shared libraries for IBM zSeries
 libc6-sparc - GNU C Library: 32bit Shared libraries for SPARC
 libc6-sparc64 - GNU C Library: 64bit Shared libraries for UltraSPARC
 libc6-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc6-x32 - GNU C Library: X32 ABI Shared libraries for AMD64
 libc6-xen - GNU C Library: Shared libraries [Xen version]
 libc6.1 - GNU C Library: Shared libraries
 libc6.1-alphaev67 - GNU C Library: Shared libraries (EV67 optimized)
 libc6.1-dbg - GNU C Library: detached debugging symbols
 libc6.1-dev - GNU C Library: Development Libraries and Header Files
 libc6.1-pic - GNU C Library: PIC archive library
 libc6.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 locales - GNU C Library: National Language (locale) data [support]
 locales-all - GNU C Library: Precompiled locale data
 multiarch-support - Transitional package to ensure multiarch compatibility
 nscd - GNU C Library: Name Service Cache Daemon
Closes: 879500 879501 879955 882255 882794 882874 883012 883186 883285
Changes:
 glibc (2.25-3) unstable; urgency=medium
 .
   [ Aurelien Jarno ]
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - Fix assertion failure in posix_spawn(). Closes: #882794.
     - Fix missing posix_fadvise64 from static mips64el build. Closes: #883186.
     - Fix buffer overflow in glob with GLOB_TILDE (CVE-2017-15670). Closes: #879501.
     - Fix memory leak in glob with GLOB_TILDE (CVE-2017-15671). Closes: #879500.
     - Fix a buffer overflow in glob with GLOB_TILDE in unescaping (CVE-2017-15804). Closes: #879955.
   * debian/patches/any/local-dlfptr.diff: remove, it's not used anymore by HPPA and causes issues on IA64. Closes: #882874.
   * debian/patches/submitted-ldconfig-c-collation.diff: New patch to process include directives in ldconfig using the C/POSIX collation.
   * debian/patches/ia64/git-ia64-crash-thread-exit.diff: Fix crash on thread exit on IA64. Closes: #883285.
   * debian/sysdeps/x32.mk: set the minimum kernel version to 2.6.32 for the libc6-amd64:x32 and libc6-i386:x32 flavours, to match libc6:amd64 and libc6:i386. Closes: #882255.
   * debian/sysdeps/linux.mk: note that all builds for a given gnu triplet have the same minimum kernel version.
 .
   [ Samuel Thibault ]
   * libc0.3.symbols.hurd-i386: Update against newer hurd definitions.
   * control: Bump dependency accordingly.
 .
   [ Jason Duerstock ]
   * debian/control.in/libc, debian/control.in/main, debian/rules.d/control.mk: Add support for IA64. Closes: #883012.
Checksums-Sha1:
 6975a163c1c5515b3dfc70033c4b82de375fd2fe 8788 glibc_2.25-3.dsc
 86dc90eb5a3cb068ec07038d3da0eaea67a3354a 1038528 glibc_2.25-3.debian.tar.xz
 4591850d2b15bd352d2666e9ecc3eb1a250f8089 7498 glibc_2.25-3_source.buildinfo
Checksums-Sha256:
 2e201c23c968b7fad1e431c789bf0bb80675f7a2f2ea6032edb29c3ceadd114f 8788 glibc_2.25-3.dsc
 307057c235aef50baaa464a8ef4fab71158434fa88bbeaed38581aee69f58bad 1038528 glibc_2.25-3.debian.tar.xz
 efa91ce059300d692edf54ff01fb4f0830b9f090e97b668e86285d5b6a754d48 7498 glibc_2.25-3_source.buildinfo
Files:
 3b3f24fb097fab7fb76f330f52c55d28 8788 libs required glibc_2.25-3.dsc
 87916b29d45ad65fb206d95656a2dccd 1038528 libs required glibc_2.25-3.debian.tar.xz
 4ddc5c5e7eb78c2c522a8a3d96df74bb 7498 libs required glibc_2.25-3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEd0YmQqnvlP0Pdxltupx4Bh4djJsFAloij2sACgkQupx4Bh4d
jJt0TA//VCquE18kjKcF682x52rcqtF4/Ud4NdBVv9hJC/w0EusnH042DgPLVg3T
hKNJx1GAApgdcALXlMCbFibMURQlPfsPUSEsROwBHIy3dpuLsaeW5UUVYPEcbVLE
5dzaI8vMnJxuOoncsX6EqcHOL5juh4XgGHJsbycH9pb8s71pG0hoNmpub+tuxQEE
CrapFVoRJ13ZLTIPpT7lyVIkga9tMNrBFmDFIeFnbCdQegkztLi4XkrrpM3j+dX3
08BfkMw2gdbBYcscAF/y3nJYUaVKN6A+RXtwhhEvM2S8lj20gPe4szbkdA0LmOJR
QVGd6NTueYt+1ltioy+v7r7pcjoeDtINHMYhfFQOToa8f5hmGgVRvRE13wf2eG6b
el17hu1Z0yfM+Goa++GtaU/NkPJ515ps1bYMHiKe/3MyOv3Wfy3GcfjDR7d6kGdg
OsG05TnWUoa8S1crGdUCuxf7BwQlqgGJZQYvPv7VORZHCQXihFN8yDP83vUQfKJs
8p+VQR0SIT0SHEBWsTi+/Iya//Mt2fMQN2kCFkh46Wd7NyXuXa1B4DtlCyCfYrTr
EwTKMpSr5P15c9sQL93XcceUxEZI7drvilT+IfCsru/yku3O91KpLo2uYxuMooNW
zm7LF06SgJe3pt3GKaxfbPpZkrrRH3+5rLhnR9pnHPr3zVQ3JyQ=
=s4yi
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 05 Jan 2018 07:24:56 GMT)