CVE-2013-2207: Remove pt_chown

Related Vulnerabilities: CVE-2013-2207   CVE-2015-1781  

Debian Bug report logs - #717544
CVE-2013-2207: Remove pt_chown


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 22 Jul 2013 06:39:02 UTC

Severity: important

Tags: patch, security

Fixed in version glibc/2.21-0experimental1

Done: Aurelien Jarno <aurel32@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#717544; Package libc-bin. (Mon, 22 Jul 2013 06:39:06 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Mon, 22 Jul 2013 06:39:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2013-2207: pt_chown
Date: Mon, 22 Jul 2013 08:31:28 +0200
Package: libc-bin
Severity: important
Tags: security

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2207



Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#717544; Package libc-bin. (Fri, 23 Aug 2013 12:15:09 GMT) (full text, mbox, link).


Acknowledgement sent to Arne Wichmann <aw@anhrefn.saar.de>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Fri, 23 Aug 2013 12:15:09 GMT) (full text, mbox, link).


Message #10 received at 717544@bugs.debian.org (full text, mbox, reply):

From: Arne Wichmann <aw@anhrefn.saar.de>
To: 717544@bugs.debian.org, control@bugs.debian.org
Subject: Patch for CVE-2013-2207
Date: Fri, 23 Aug 2013 14:13:40 +0200
tags #717544 + patch

Hi.

A patch for CVE-2013-2207 is available on
http://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2013-2207

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)

Added tag(s) patch. Request was from Arne Wichmann <aw@anhrefn.saar.de> to control@bugs.debian.org. (Fri, 23 Aug 2013 12:15:12 GMT) (full text, mbox, link).


Reply sent to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility. (Sat, 01 Mar 2014 12:33:24 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 01 Mar 2014 12:33:24 GMT) (full text, mbox, link).


Message #17 received at 717544-done@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Arne Wichmann <aw@anhrefn.saar.de>
Cc: 717544-done@bugs.debian.org
Subject: Re: Patch for CVE-2013-2207
Date: Sat, 1 Mar 2014 13:21:44 +0100
Version: 2.18-1

On Fri, Aug 23, 2013 at 02:13:40PM +0200, Arne Wichmann wrote:
> tags #717544 + patch
> 
> Hi.
> 
> A patch for CVE-2013-2207 is available on
> http://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2013-2207

Fixed in sid with commit
https://sourceware.org/git/?p=glibc.git;a=commit;h=e4608715e6e1dd2adc91982fd151d5ba4f761d69



Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#717544; Package libc-bin. (Sat, 01 Mar 2014 12:45:05 GMT) (full text, mbox, link).


Acknowledgement sent to Adam Conrad <adconrad@debian.org>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Sat, 01 Mar 2014 12:45:05 GMT) (full text, mbox, link).


Message #22 received at 717544@bugs.debian.org (full text, mbox, reply):

From: Adam Conrad <adconrad@debian.org>
To: 717544@bugs.debian.org
Cc: control@bugs.debian.org
Subject: CVE-2013-2207: pt_chown
Date: Sat, 1 Mar 2014 05:43:50 -0700
reopen 717544
kthxbye

This isn't done, actually.  After breaking several systems of my own
and fellow developers turning it off in Ubuntu very briefly, I flipped
it back on.

This needs some solid thought on how we can prevent users from shooting
themselves in the foot, since the default mount options for /dev/pts
and /dev/ptmx break running systems *and* people are used to doing
things like "mount -t devpts devpts-foo chroot-foo/dev/pts", which will
update the mount options for the system devpts as well.

I think the sanest approach would be to hardcode the defaults into
mount itself (which I plan to do when I get the round tuits), and maybe
even suggest a default in the kernel as well, and then push the mount
and glibc changes together, especially if we intend to backport this
to stable releases.

... Adam



Bug reopened Request was from Adam Conrad <adconrad@debian.org> to control@bugs.debian.org. (Sat, 01 Mar 2014 12:45:08 GMT) (full text, mbox, link).


No longer marked as fixed in versions 2.18-1. Request was from Adam Conrad <adconrad@debian.org> to control@bugs.debian.org. (Sat, 01 Mar 2014 12:45:09 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#717544; Package libc-bin. (Tue, 04 Mar 2014 14:09:10 GMT) (full text, mbox, link).


Acknowledgement sent to Arne Wichmann <aw@anhrefn.saar.de>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Tue, 04 Mar 2014 14:09:10 GMT) (full text, mbox, link).


Message #31 received at 717544@bugs.debian.org (full text, mbox, reply):

From: Arne Wichmann <aw@anhrefn.saar.de>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 717544@bugs.debian.org
Subject: Re: Patch for CVE-2013-2207
Date: Tue, 4 Mar 2014 15:00:44 +0100
begin  quotation  from Moritz Muehlenhoff (in <20140301122144.GA11049@inutil.org>):
> Version: 2.18-1
> 
> On Fri, Aug 23, 2013 at 02:13:40PM +0200, Arne Wichmann wrote:
> > tags #717544 + patch
> > 
> > Hi.
> > 
> > A patch for CVE-2013-2207 is available on
> > http://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2013-2207
> 
> Fixed in sid with commit
> https://sourceware.org/git/?p=glibc.git;a=commit;h=e4608715e6e1dd2adc91982fd151d5ba4f761d69

What about stable?

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)

Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#717544; Package libc-bin. (Tue, 04 Mar 2014 16:57:18 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Tue, 04 Mar 2014 16:57:18 GMT) (full text, mbox, link).


Message #36 received at 717544@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Arne Wichmann <aw@anhrefn.saar.de>, 717544@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#717544: Patch for CVE-2013-2207
Date: Tue, 4 Mar 2014 17:54:03 +0100
Hi Arne,

On Tue, Mar 04, 2014 at 03:00:44PM +0100, Arne Wichmann wrote:
> begin  quotation  from Moritz Muehlenhoff (in <20140301122144.GA11049@inutil.org>):
> > Version: 2.18-1
> > 
> > On Fri, Aug 23, 2013 at 02:13:40PM +0200, Arne Wichmann wrote:
> > > tags #717544 + patch
> > > 
> > > Hi.
> > > 
> > > A patch for CVE-2013-2207 is available on
> > > http://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2013-2207
> > 
> > Fixed in sid with commit
> > https://sourceware.org/git/?p=glibc.git;a=commit;h=e4608715e6e1dd2adc91982fd151d5ba4f761d69
> 
> What about stable?

See https://bugs.debian.org/717544#22 for details. The patch was
reverted and the bug reopened.

HTH,

Regards,
Salvatore

Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#717544; Package libc-bin. (Mon, 16 Mar 2015 12:39:09 GMT) (full text, mbox, link).


Acknowledgement sent to Arne Wichmann <aw@anhrefn.saar.de>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Mon, 16 Mar 2015 12:39:09 GMT) (full text, mbox, link).


Message #41 received at 717544@bugs.debian.org (full text, mbox, reply):

From: Arne Wichmann <aw@anhrefn.saar.de>
To: 717544@bugs.debian.org
Subject: Workaround for CVE-2013-2207
Date: Mon, 16 Mar 2015 13:36:21 +0100
So, as this seems to be around for a bit longer I think mentioning the
workarounds would be helpful:

- Make sure user_allow_other is not set in /etc/fuse.conf
- Remove the SUID bit from /usr/lib/pt_chown

This is mostly inferred from [1]. Does this work? When does this not work?
Any comment?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2207

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)



Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#717544; Package libc-bin. (Thu, 06 Aug 2015 05:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Thu, 06 Aug 2015 05:57:03 GMT) (full text, mbox, link).


Message #46 received at 717544@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>
To: 717544@bugs.debian.org
Cc: 717544-submitter@bugs.debian.org, control@bugs.debian.org
Subject: CVE-2013-2207: Remove pt_chown
Date: Thu, 06 Aug 2015 07:15:01 +0200
retitle 717544 CVE-2013-2207: Remove pt_chown
thanks

Can we please make another attempt at removing pt_chown, either
completely or by removing the SUID bit?  The current devpts file
system is set up in such a way that this is not necessary.  Fedora and
Red Hat Enterprise Linux 7 already ship without pt_chown, apparently
without ill effects.  The Debian software I have checked sets up
/dev/pts with the gid=5 option, which means that pt_chown should be
unnecessary as well.

We also need to get this change into stable, maybe even oldstable.



Changed Bug title to 'CVE-2013-2207: Remove pt_chown' from 'CVE-2013-2207: pt_chown' Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org. (Thu, 06 Aug 2015 05:57:08 GMT) (full text, mbox, link).
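
The two workarounds from message #41 and the gid=5 condition from message #46, combined into one audit helper. This is an added example, not part of the bug log or of any Debian package; the function names, the `audit` argument and the `FINDING` output format are assumptions for illustration, and the devpts options are read from a /proc/mounts-style table.

```shell
#!/bin/sh
# Added example: audit a host for the CVE-2013-2207 workarounds in this bug log.
# Function names and output format are illustrative assumptions.

# Succeeds if FILE contains an active (uncommented) user_allow_other line.
fuse_allows_other() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*user_allow_other([[:space:]]|$)' "$1"
}

# Succeeds if FILE exists and carries the set-user-ID bit.
is_setuid() {
    [ -u "$1" ]
}

# Prints the mount options of the devpts instance mounted at MOUNTPOINT,
# reading a /proc/mounts-style table; the last matching line wins.
devpts_opts() {
    awk -v mp="$2" '$2 == mp && $3 == "devpts" { o = $4 }
                    END { if (o != "") print o }' "$1"
}

# Succeeds if the comma-separated option string $1 contains exactly $2
# (so gid=50 does not count as gid=5).
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_pt_chown HELPER FUSE_CONF MOUNTS MOUNTPOINT
# Prints one FINDING line per problem; exit status 0 means nothing to fix.
audit_pt_chown() {
    helper=$1; fuse_conf=$2; mounts=$3; mountpoint=$4
    findings=0
    opts=$(devpts_opts "$mounts" "$mountpoint")

    if is_setuid "$helper"; then
        echo "FINDING: $helper is SUID (CVE-2013-2207)"
        findings=$((findings + 1))
        if has_opt "$opts" "gid=5"; then
            echo "  devpts at $mountpoint has gid=5: the SUID bit can be removed"
        else
            echo "  devpts at $mountpoint lacks gid=5 (options: ${opts:-none}): fix the mount first"
        fi
    elif ! has_opt "$opts" "gid=5"; then
        # The situation message #22 warns about: no helper, unsuitable mount options.
        echo "FINDING: no SUID helper and devpts at $mountpoint lacks gid=5 (options: ${opts:-none})"
        findings=$((findings + 1))
    fi

    if fuse_allows_other "$fuse_conf"; then
        echo "FINDING: user_allow_other is enabled in $fuse_conf"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Run against the live system with: sh this-script.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_pt_chown "${2:-/usr/lib/pt_chown}" "${3:-/etc/fuse.conf}" \
                   "${4:-/proc/mounts}" "${5:-/dev/pts}"
fi
```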


Message sent on to Moritz Muehlenhoff <jmm@inutil.org>:
Bug#717544. (Thu, 06 Aug 2015 05:57:11 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#717544; Package libc-bin. (Thu, 06 Aug 2015 18:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Samuel Thibault <sthibault@debian.org>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Thu, 06 Aug 2015 18:27:03 GMT) (full text, mbox, link).


Message #56 received at 717544@bugs.debian.org (full text, mbox, reply):

From: Samuel Thibault <sthibault@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>, 717544@bugs.debian.org
Cc: 717544-submitter@bugs.debian.org
Subject: Re: Bug#717544: CVE-2013-2207: Remove pt_chown
Date: Thu, 6 Aug 2015 20:24:58 +0200
Hello,

Florian Weimer, le Thu 06 Aug 2015 07:15:01 +0200, a écrit :
> retitle 717544 CVE-2013-2207: Remove pt_chown
> thanks
> 
> Can we please make another attempt at removing pt_chown, either
> completely or by removing the SUID bit?

On linux ports only, please, kfreebsd and hurd still need it.  Removing
pt_chown breaks 'screen' for instance.

Samuel



Message sent on to Moritz Muehlenhoff <jmm@inutil.org>:
Bug#717544. (Thu, 06 Aug 2015 18:27:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#717544; Package libc-bin. (Sun, 23 Aug 2015 15:09:04 GMT) (full text, mbox, link).


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Sun, 23 Aug 2015 15:09:04 GMT) (full text, mbox, link).


Message #64 received at 717544@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>
To: Samuel Thibault <sthibault@debian.org>
Cc: 717544@bugs.debian.org
Subject: Re: Bug#717544: CVE-2013-2207: Remove pt_chown
Date: Sun, 23 Aug 2015 17:04:25 +0200
* Samuel Thibault:

> Hello,
>
> Florian Weimer, le Thu 06 Aug 2015 07:15:01 +0200, a écrit :
>> retitle 717544 CVE-2013-2207: Remove pt_chown
>> thanks
>> 
>> Can we please make another attempt at removing pt_chown, either
>> completely or by removing the SUID bit?
>
> On linux ports only, please, kfreebsd and hurd still need it.  Removing
> pt_chown breaks 'screen' for instance.

Noted.

I really want to make this change, though, and push it to
stable/oldstable eventually.  What needs to happen for that?



Reply sent to Aurelien Jarno <aurel32@debian.org>:
You have taken responsibility. (Sat, 29 Aug 2015 13:03:04 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 29 Aug 2015 13:03:04 GMT) (full text, mbox, link).


Message #69 received at 717544-close@bugs.debian.org (full text, mbox, reply):

From: Aurelien Jarno <aurel32@debian.org>
To: 717544-close@bugs.debian.org
Subject: Bug#717544: fixed in glibc 2.21-0experimental1
Date: Sat, 29 Aug 2015 13:00:21 +0000
Source: glibc
Source-Version: 2.21-0experimental1

We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 717544@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 29 Aug 2015 00:43:02 +0200
Source: glibc
Binary: libc-bin libc-dev-bin libc-l10n glibc-doc glibc-source locales locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-pic libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-pic libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc libc6-dev-sparc libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64 libc6-mips32 libc6-dev-mips32 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc0.1-i386 libc0.1-dev-i386 libc6-x32 libc6-dev-x32 libc6-i686 libc6-xen libc0.1-i686 libc0.3-i686 libc0.3-xen libc6.1-alphaev67 libc6-loongson2f libnss-dns-udeb libnss-files-udeb
Architecture: source all amd64
Version: 2.21-0experimental1
Distribution: experimental
Urgency: medium
Maintainer: Aurelien Jarno <aurel32@debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Description:
 glibc-doc  - GNU C Library: Documentation
 glibc-source - GNU C Library: sources
 libc-bin   - GNU C Library: Binaries
 libc-dev-bin - GNU C Library: Development binaries
 libc-l10n  - GNU C Library: localization files
 libc0.1    - GNU C Library: Shared libraries
 libc0.1-dbg - GNU C Library: detached debugging symbols
 libc0.1-dev - GNU C Library: Development Libraries and Header Files
 libc0.1-dev-i386 - GNU C Library: 32bit development libraries for AMD64
 libc0.1-i386 - GNU C Library: 32bit shared libraries for AMD64
 libc0.1-i686 - GNU C Library: Shared libraries [i686 optimized]
 libc0.1-pic - GNU C Library: PIC archive library
 libc0.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3    - GNU C Library: Shared libraries
 libc0.3-dbg - GNU C Library: detached debugging symbols
 libc0.3-dev - GNU C Library: Development Libraries and Header Files
 libc0.3-i686 - GNU C Library: Shared libraries [i686 optimized]
 libc0.3-pic - GNU C Library: PIC archive library
 libc0.3-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3-xen - GNU C Library: Shared libraries [Xen version]
 libc6      - GNU C Library: Shared libraries
 libc6-amd64 - GNU C Library: 64bit Shared libraries for AMD64
 libc6-dbg  - GNU C Library: detached debugging symbols
 libc6-dev  - GNU C Library: Development Libraries and Header Files
 libc6-dev-amd64 - GNU C Library: 64bit Development Libraries for AMD64
 libc6-dev-i386 - GNU C Library: 32-bit development libraries for AMD64
 libc6-dev-mips32 - GNU C Library: o32 Development Libraries for MIPS
 libc6-dev-mips64 - GNU C Library: 64bit Development Libraries for MIPS64
 libc6-dev-mipsn32 - GNU C Library: n32 Development Libraries for MIPS64
 libc6-dev-powerpc - GNU C Library: 32bit powerpc development libraries for ppc64
 libc6-dev-ppc64 - GNU C Library: 64bit Development Libraries for PowerPC64
 libc6-dev-s390 - GNU C Library: 32bit Development Libraries for IBM zSeries
 libc6-dev-sparc - GNU C Library: 32bit Development Libraries for SPARC
 libc6-dev-sparc64 - GNU C Library: 64bit Development Libraries for UltraSPARC
 libc6-dev-x32 - GNU C Library: X32 ABI Development Libraries for AMD64
 libc6-i386 - GNU C Library: 32-bit shared libraries for AMD64
 libc6-i686 - GNU C Library: Shared libraries [i686 optimized]
 libc6-loongson2f - GNU C Library: Shared libraries (Loongson 2F optimized)
 libc6-mips32 - GNU C Library: o32 Shared libraries for MIPS
 libc6-mips64 - GNU C Library: 64bit Shared libraries for MIPS64
 libc6-mipsn32 - GNU C Library: n32 Shared libraries for MIPS64
 libc6-pic  - GNU C Library: PIC archive library
 libc6-powerpc - GNU C Library: 32bit powerpc shared libraries for ppc64
 libc6-ppc64 - GNU C Library: 64bit Shared libraries for PowerPC64
 libc6-s390 - GNU C Library: 32bit Shared libraries for IBM zSeries
 libc6-sparc - GNU C Library: 32bit Shared libraries for SPARC
 libc6-sparc64 - GNU C Library: 64bit Shared libraries for UltraSPARC
 libc6-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc6-x32  - GNU C Library: X32 ABI Shared libraries for AMD64
 libc6-xen  - GNU C Library: Shared libraries [Xen version]
 libc6.1    - GNU C Library: Shared libraries
 libc6.1-alphaev67 - GNU C Library: Shared libraries (EV67 optimized)
 libc6.1-dbg - GNU C Library: detached debugging symbols
 libc6.1-dev - GNU C Library: Development Libraries and Header Files
 libc6.1-pic - GNU C Library: PIC archive library
 libc6.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libnss-dns-udeb - GNU C Library: NSS helper for DNS - udeb (udeb)
 libnss-files-udeb - GNU C Library: NSS helper for files - udeb (udeb)
 locales    - GNU C Library: National Language (locale) data [support]
 locales-all - GNU C Library: Precompiled locale data
 multiarch-support - Transitional package to ensure multiarch compatibility
 nscd       - GNU C Library: Name Service Cache Daemon
Closes: 717544 766877 775179 781245 782198 788352 796105
Changes:
 glibc (2.21-0experimental1) experimental; urgency=medium
 .
   [ Samuel Thibault ]
   * patches/hurd-i386/cvs-libpthread.diff: Update from upstream.
   * patches/hurd-i386/cvs-libpthread-dlopen.diff: Merged.
   * patches/hurd-i386/cvs-libpthread-libc-lockP2.diff: Merged.
   * patches/hurd-i386/cvs-bind_umask.diff: Merged.
   * patches/hurd-i386/cvs-fork_ss_hang.diff: Merged.
   * patches/hurd-i386/cvs-munmap-0.diff: Merged.
   * patches/hurd-i386/cvs-static-dlopen.diff: Merged.
   * patches/hurd-i386/cvs-tcbhead_t.diff: Merged.
   * patches/hurd-i386/cvs-libpthread_versions.diff: Rebased.
   * patches/hurd-i386/local-disable-tst-xmmymm.diff: Dropped.
   * patches/hurd-i386/local-hurdsig-global-dispositions-version.diff: Rebased.
   * patches/hurd-i386/submitted-exec_filename.diff: Rebased.
   * patches/hurd-i386/submitted-net.diff: Rebased.
   * patches/hurd-i386/tg-EIEIO-fr.diff: Rebased.
   * patches/hurd-i386/tg-af_local_strlen.diff: Rebased.
   * patches/hurd-i386/tg-chflags.diff: Rebased.
   * patches/hurd-i386/tg-tls-threadvar.diff: Update.
   * patches/hurd-i386/tg-tls.diff: Rebased.
   * patches/hurd-i386/tg-tls_thread_leak.diff: Rebased.
   * patches/hurd-i386/unsubmitted-NO_HIDDEN.diff: Rebased.
   * patches/hurd-i386/tg-no-hp-timing.diff: Update.
   * patches/series: Re-enable all hurd patches.
   * patches/hurd-i386/libpthread-versions.diff: New patch, updates to new
     version engine.
   * patches/hurd-i386/cvs-revert-gnu-gnu-cleanup.diff: New patch, reverts
     cleanup of the gnu-gnu hack.
   * patches/hurd-i386/libpthread_pthread_types.diff: New patch, fixes
     inclusion of pthread_types.h
   * patches/hurd-i386/unsubmitted-libc_alloca_cutoff.diff: New patch,
     implements alloca cutoff limit.
   * patches/hurd-i386/cvs-unwind-resume.diff: New patch, fixes unwind-resume
     build.
   * patches/hurd-i386/unsubmitted-libpthread-semaphore.h.diff: New patch,
     fixes semaphore header inclusion.
   * patches/hurd-i386/unsubmitted-timer_routines.diff: New patch, fixes
     timer_routines build.
   * patches/hurd-i386/cvs-libc-modules.h.diff: New patch, adds missing
     dependency on libc-modules.h.
   * patches/hurd-i386/cvs-warnings.diff: New patch, fixes warnings.
   * patches/hurd-i386/cvs-check-local-headers.diff: New patch, clears spurious
     local-header warnings.
   * sysdeps/hurd.mk: Disable -Werror since MIG currently generates warnings.
   * testsuite-checking/expected-results-{i586-gnu-libc,i686-gnu-
     {i386,i686,xen}}: update testsuite results
 .
   [ Adam Conrad ]
   * debian/{rules.d/debhelper.mk,sysdeps/*}: Define per-platform pldd
     variable to control installation of usr/bin/pldd in libc-bin, and
     leverage the same trick to decide to install usr/lib/pt_chown too.
   * debian/patches/kfreebsd/local-no-pldd.diff: Drop, no longer used.
   * debian/patches/alpha/submitted-PTR_MANGLE.diff: Use IS_IN macros.
   * debian/patches/powerpc/cvs-ppc-sqrt.diff: Fix sqrt() on powerpc.
   * debian/patches/powerpc/cvs-ppc-sqrtf.diff: Likewise for sqrtf().
   * debian/patches/powerpc/cvs-ppc-pow.diff: Likewise for pow().
   * debian/patches/powerpc/cvs-ppc-feraiseexcept.diff: Fix inline
     feraiseexcept and feclearexcept macro input conversion on PPC.
   * debian/patches/any/submitted-longdouble.diff: Refresh for above.
   * debian/patches/any/local-disable-test-tgmath4.diff: Likewise.
   * debian/patches/any/cvs-logbl-accuracy.diff: Fix ldbl-128ibm logbl.
   * debian/patches/powerpc/local-math-logb.diff: Refresh and move to
     debian/patches/any/local-math-logb.diff, as it's not PPC-specific.
   * debian/patches/any/cvs-localplt-new-readelf.diff: Preemptively
     fix localplt test breakage with binutils 2.26 before it lands.
   * debian/patches/any/cvs-make-typo.diff: Fix typo in elf/Makefile.
   * debian/patches/powerpc/cvs-power7-strncpy.diff: Optimize strncpy
     for POWER7 drastically (10-70%) on strings longer than 16 chars.
   * debian/patches/powerpc/cvs-ppc-tabort-le.diff: Fix TABORT encoding
     when building on toolchains without HTM support (no-op on gcc-4.9)
   * debian/patches/arm/cvs-arm-sfi_breg.diff: Fix LDR_GLOBAL macro.
   * debian/patches/arm/cvs-memcpy-memmove-always-bx.diff: Fix memcpy
     and memmove for the ARM_ALWAYS_BX class of hardware like ArmadaXP.
   * debian/{control.in/*,debhelper.in/*,rules.d/*}: Stop hardcoding our
     upstream version all over the place and use GLIBC_VERSION instead.
   * debian/debhelper.in/libc.preinst: Unconditionally wipe ld.so.cache
     on major version upgrades, which is significantly less error-prone.
 .
   [ Aurelien Jarno ]
   * debian/patches/any/local-libgcc-compat-main.diff: Fix definition of
     __floatdisf for sparc.
   * debian/patches/any/local-libgcc-compat-ports.diff: Fix definition of
     __floatdisf for mips. Remove usage of INTUSE (Closes: #782198).
   * debian/sysdeps/linux.mk, debhelper.in/libc.preinst: bump minimal Linux
     kernel version to 3.2 (ie the version in Wheezy).
   * debian/patches/localedata/locale-C.diff: fix d_fmt time format (Closes:
     #775179).
   * Create source tarball in a deterministic manner: adjust file modification
     time, user, group, permissions, and file order (addresses: #783210).
   * Update from upstream stable branch:
     - Fix a buffer overflow in getanswer_r (CVE-2015-1781)
       Closes: #796105.
   * sysdeps/linux.mk: don't build pt_chown (CVE-2013-2207). Closes: #717544.
   * Move translation to a new libc-l10n package from the locales packages.
     Add a dependency from locales and locales-all to libc-l10n, so that they
     both provide the same feature. Closes: #788352.
   * control.in/main: Bump Standards-Version to 3.9.6 (no changes).
 .
   [ Breno Leitao ]
   * Remove --without-cvs that is not used anymore as a valid configuration.
     It was removed in commit 92963737c4376bcfd65235d5c325fa7f48302f89
     (Closes: #781245).
 .
   [ Matthias Klose ]
   * Fix multilib enabled stage1 cross builds (closes: #766877).
Package-Type: udeb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 17 Oct 2015 07:31:01 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:28:17 2019; Machine Name: beach
