Debian Bug report logs -
#870648
glibc: CVE-2017-12133: Use-after-free in error path in clntudp_call
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#870648; Package src:glibc.
(Thu, 03 Aug 2017 19:45:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>.
(Thu, 03 Aug 2017 19:45:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: glibc
Version: 2.22-10
Severity: important
Tags: upstream security patch fixed-upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=21115
Control: found -1 2.19-18+deb8u5
Hi,
the following vulnerability was published for glibc.
CVE-2017-12133[0]:
Use-after-free in error path in clntudp_call
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-12133
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12133
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=21115
Regards,
Salvatore
Marked as found in versions glibc/2.19-18+deb8u5.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Thu, 03 Aug 2017 19:45:04 GMT) (full text, mbox, link).
Added tag(s) pending.
Request was from Aurelien Jarno <aurelien@aurel32.net>
to control@bugs.debian.org.
(Sun, 13 Aug 2017 18:03:04 GMT) (full text, mbox, link).
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>:
Bug#870648.
(Sun, 13 Aug 2017 18:03:30 GMT) (full text, mbox, link).
Message #12 received at 870648-submitter@bugs.debian.org (full text, mbox, reply):
tag 870648 pending
thanks
Hello,
Bug #870648 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?id=b07991b
---
commit b07991b329a1352457ca14d94fde9ff81c6e5e12
Author: Aurelien Jarno <aurelien@aurel32.net>
Date: Sun Aug 13 19:58:44 2017 +0200
debian/patches/git-updates.diff: update from upstream stable branch:
* debian/patches/git-updates.diff: update from upstream stable branch:
- Avoid use-after-free read access in clntudp_call (CVE-2017-12133).
Closes: #870648.
diff --git a/debian/changelog b/debian/changelog
index 206c453..f11bd24 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
glibc (2.24-15) UNRELEASED; urgency=medium
[ Aurelien Jarno ]
+ * debian/patches/git-updates.diff: update from upstream stable branch:
+ - Avoid use-after-free read access in clntudp_call (CVE-2017-12133).
+ Closes: #870648.
* debian/control.in/*: Change back gcc-multilib to a Recommends for
biarch packages. It provides the /usr/include/linux/asm symlink.
* debian/control.in/x32: Add a gcc-multilib Recommends for libc6-dev-x32.
Reply sent
to Aurelien Jarno <aurel32@debian.org>:
You have taken responsibility.
(Sun, 20 Aug 2017 13:39:09 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sun, 20 Aug 2017 13:39:09 GMT) (full text, mbox, link).
Message #17 received at 870648-close@bugs.debian.org (full text, mbox, reply):
Source: glibc
Source-Version: 2.24-15
We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 870648@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 20 Aug 2017 15:12:10 +0200
Source: glibc
Binary: libc-bin libc-dev-bin libc-l10n glibc-doc glibc-source locales locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-pic libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-pic libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc libc6-dev-sparc libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64 libc6-mips32 libc6-dev-mips32 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc0.1-i386 libc0.1-dev-i386 libc6-x32 libc6-dev-x32 libc6-xen libc0.3-xen libc6.1-alphaev67
Architecture: source
Version: 2.24-15
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Description:
glibc-doc - GNU C Library: Documentation
glibc-source - GNU C Library: sources
libc-bin - GNU C Library: Binaries
libc-dev-bin - GNU C Library: Development binaries
libc-l10n - GNU C Library: localization files
libc0.1 - GNU C Library: Shared libraries
libc0.1-dbg - GNU C Library: detached debugging symbols
libc0.1-dev - GNU C Library: Development Libraries and Header Files
libc0.1-dev-i386 - GNU C Library: 32bit development libraries for AMD64
libc0.1-i386 - GNU C Library: 32bit shared libraries for AMD64
libc0.1-pic - GNU C Library: PIC archive library
libc0.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
libc0.3 - GNU C Library: Shared libraries
libc0.3-dbg - GNU C Library: detached debugging symbols
libc0.3-dev - GNU C Library: Development Libraries and Header Files
libc0.3-pic - GNU C Library: PIC archive library
libc0.3-udeb - GNU C Library: Shared libraries - udeb (udeb)
libc0.3-xen - GNU C Library: Shared libraries [Xen version]
libc6 - GNU C Library: Shared libraries
libc6-amd64 - GNU C Library: 64bit Shared libraries for AMD64
libc6-dbg - GNU C Library: detached debugging symbols
libc6-dev - GNU C Library: Development Libraries and Header Files
libc6-dev-amd64 - GNU C Library: 64bit Development Libraries for AMD64
libc6-dev-i386 - GNU C Library: 32-bit development libraries for AMD64
libc6-dev-mips32 - GNU C Library: o32 Development Libraries for MIPS
libc6-dev-mips64 - GNU C Library: 64bit Development Libraries for MIPS64
libc6-dev-mipsn32 - GNU C Library: n32 Development Libraries for MIPS64
libc6-dev-powerpc - GNU C Library: 32bit powerpc development libraries for ppc64
libc6-dev-ppc64 - GNU C Library: 64bit Development Libraries for PowerPC64
libc6-dev-s390 - GNU C Library: 32bit Development Libraries for IBM zSeries
libc6-dev-sparc - GNU C Library: 32bit Development Libraries for SPARC
libc6-dev-sparc64 - GNU C Library: 64bit Development Libraries for UltraSPARC
libc6-dev-x32 - GNU C Library: X32 ABI Development Libraries for AMD64
libc6-i386 - GNU C Library: 32-bit shared libraries for AMD64
libc6-mips32 - GNU C Library: o32 Shared libraries for MIPS
libc6-mips64 - GNU C Library: 64bit Shared libraries for MIPS64
libc6-mipsn32 - GNU C Library: n32 Shared libraries for MIPS64
libc6-pic - GNU C Library: PIC archive library
libc6-powerpc - GNU C Library: 32bit powerpc shared libraries for ppc64
libc6-ppc64 - GNU C Library: 64bit Shared libraries for PowerPC64
libc6-s390 - GNU C Library: 32bit Shared libraries for IBM zSeries
libc6-sparc - GNU C Library: 32bit Shared libraries for SPARC
libc6-sparc64 - GNU C Library: 64bit Shared libraries for UltraSPARC
libc6-udeb - GNU C Library: Shared libraries - udeb (udeb)
libc6-x32 - GNU C Library: X32 ABI Shared libraries for AMD64
libc6-xen - GNU C Library: Shared libraries [Xen version]
libc6.1 - GNU C Library: Shared libraries
libc6.1-alphaev67 - GNU C Library: Shared libraries (EV67 optimized)
libc6.1-dbg - GNU C Library: detached debugging symbols
libc6.1-dev - GNU C Library: Development Libraries and Header Files
libc6.1-pic - GNU C Library: PIC archive library
libc6.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
locales - GNU C Library: National Language (locale) data [support]
locales-all - GNU C Library: Precompiled locale data
multiarch-support - Transitional package to ensure multiarch compatibility
nscd - GNU C Library: Name Service Cache Daemon
Closes: 870648 872025
Changes:
glibc (2.24-15) unstable; urgency=medium
.
[ Aurelien Jarno ]
* debian/patches/git-updates.diff: update from upstream stable branch:
- Avoid use-after-free read access in clntudp_call (CVE-2017-12133).
Closes: #870648.
* debian/control.in/*: Change back gcc-multilib to a Recommends for
biarch packages. It provides the /usr/include/linux/asm symlink.
* debian/control.in/x32: Add a gcc-multilib Recommends for libc6-dev-x32.
* Update French debconf translation, by Alban Vidal. Closes: #872025.
* debian/control.in/main: Change gcc-multiarch to priority optional and
section oldlibs.
* debian/control.in/opt: Remove transitional packages libc0.1-i686,
libc0.3-i686, libc6-i686.
* debian/control.in/libc, debian/control.in/main, debian/control.in/opt:
change the priority of libc0.1-dbg, libc0.1-udeb, libc0.3-dbg,
libc0.3-udeb, libc0.3-xen, libc6.1-alphaev67, libc6.1-dbg, libc6.1-udeb,
libc6-dbg, libc6-udeb, libc6-xen and locales-all to optional.
Checksums-Sha1:
44d308658fcc46d3adc93665d7c301c25aee594b 8226 glibc_2.24-15.dsc
341406f3accb87d7a4853618de11c0c7febce01c 1035256 glibc_2.24-15.debian.tar.xz
46e9fef079ea3cc0d17c07d85f971963125c7dbd 6981 glibc_2.24-15_source.buildinfo
Checksums-Sha256:
77d8da7203c7c368ce898f4e0bd734f96fc3b404e4449d3e927f4902177f52f9 8226 glibc_2.24-15.dsc
c7038438b9d8043102bb8ab347ed1ea0274a36a2cf4753d1139d1b342d7119f3 1035256 glibc_2.24-15.debian.tar.xz
627cb2e0b2e61e050e23096a9113a99af3357935c4dfe5ed145f23346680b45f 6981 glibc_2.24-15_source.buildinfo
Files:
70f42cb31452e92f262496a3984e9ebb 8226 libs required glibc_2.24-15.dsc
27e29083de275c8298d99a44d1425b42 1035256 libs required glibc_2.24-15.debian.tar.xz
a2a0b019235d3cdc95ace5ec31284087 6981 libs required glibc_2.24-15_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEd0YmQqnvlP0Pdxltupx4Bh4djJsFAlmZjIQACgkQupx4Bh4d
jJstBRAAo/MxU8ms+2/P6/xrKo+ox9nA2lhSvk/CQtEmv1JOnbm57hw1WIRZYdyF
Xcqj7MvUZiySJqxFMh0SFjeOdZU24e0nM/A61oDc7wTj0D9VQHw9YXpdba5Z820K
s/mKlqyMyosyKCB6418HjNmdrs1RUst1i2FWJSlHg90oFCFKAbCb6USMx5+WUYbO
Q3vIkMcwl1WxIEr0lhYEAw8Ak+Ly1qPOeBSYXOJlzdcdpfS+nszmWvOqguiUWabm
rV2pq5IRBM6rgi3Ta/2K/cCT6oAi0lTgXTD6ipAMcceAmLvFP8LP0d90bQvA7GHs
p01w6/6tjKEsrS/vLzfDuaLRBPhjWCh4ixZyl1xaCqNqWJLOhSqEPiM4E98bmWD3
B5uPAaX/wAYUTHaJHKoYk+zdwInPiGhQ37q2DyCoFjQ5CoggmubUDzFtWxzcxr3O
R30xaS/TARnYAiLgt8ADrpUhqps9fsnAQiGm7e3AVZQZHvs6hI6BxlyBfG4Kb6f4
v3f2R0rVcTpdwnJWB/P0LyyGHtZlaXqP3/dzbYpTG10oVv/y1iGB1JemgXFoQlwP
MNzVulI3Lu808mJA3eVJmWDlt2GVzQW6RlVigpJadGU1ZSAX0sCzbStp1I0TuMBf
IiLhKU4OCxjXtR19rSQP5THozIb3MDerCzS2EkLGgeZlBsQHzRQ=
=6uHw
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 Sep 2017 07:28:04 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 19:11:43 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon