CVE-2012-3406: glibc formatted printing vulnerabilities

Debian Bug report logs - #681888


Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Fri, 13 Jul 2012 13:42:15 UTC

Severity: important

Tags: security

Fixed in versions glibc/2.19-14, eglibc/2.13-38+deb7u8

Done: Aurelien Jarno <aurel32@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceware.org/bugzilla/show_bug.cgi?id=16617




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#681473; Package eglibc. (Fri, 13 Jul 2012 13:42:19 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Fri, 13 Jul 2012 13:42:21 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-3404 CVE-2012-3405 CVE-2012-3406
Date: Fri, 13 Jul 2012 15:41:23 +0200
Package: eglibc
Severity: important
Tags: security

Hi,
please see http://www.openwall.com/lists/oss-security/2012/07/11/17 for details
and references to upstream patches.

The security impact is rather low IMO; if the format strings are under control
of an attacker, this opens a whole can of worms anyway.

Still, it would be nice to get these fixed for Wheezy and for Squeeze in a point
update.

Cheers,
        Moritz




Bug 681473 cloned as bug 681888 Request was from Aurelien Jarno <aurelien@aurel32.net> to control@bugs.debian.org. (Tue, 17 Jul 2012 14:03:03 GMT) (full text, mbox, link).


Changed Bug title to 'CVE-2012-3406' from 'CVE-2012-3404 CVE-2012-3405 CVE-2012-3406' Request was from Aurelien Jarno <aurelien@aurel32.net> to control@bugs.debian.org. (Tue, 17 Jul 2012 14:03:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#681888; Package eglibc. (Fri, 21 Sep 2012 16:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to Arne Wichmann <aw@anhrefn.saar.de>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Fri, 21 Sep 2012 16:36:03 GMT) (full text, mbox, link).


Message #14 received at 681888@bugs.debian.org (full text, mbox, reply):

From: Arne Wichmann <aw@anhrefn.saar.de>
To: 681888@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Patch for CVE-2012-3406
Date: Fri, 21 Sep 2012 18:27:38 +0200
tag 681888 + patch
thanks

There is a fix for CVE-2012-3406 in
https://bugzilla.redhat.com/attachment.cgi?id=594722

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. No one can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)

Added tag(s) patch. Request was from Arne Wichmann <aw@anhrefn.saar.de> to control@bugs.debian.org. (Fri, 21 Sep 2012 16:36:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#681888; Package eglibc. (Sat, 22 Sep 2012 14:12:07 GMT) (full text, mbox, link).


Acknowledgement sent to Aurelien Jarno <aurelien@aurel32.net>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Sat, 22 Sep 2012 14:12:08 GMT) (full text, mbox, link).


Message #21 received at 681888@bugs.debian.org (full text, mbox, reply):

From: Aurelien Jarno <aurelien@aurel32.net>
To: Arne Wichmann <aw@anhrefn.saar.de>, 681888@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#681888: Patch for CVE-2012-3406
Date: Sat, 22 Sep 2012 16:07:43 +0200
tag 681888 - patch
thanks

On Fri, Sep 21, 2012 at 06:27:38PM +0200, Arne Wichmann wrote:
> tag 681888 + patch
> thanks
> 
> There is a fix for CVE-2012-3406 in
> https://bugzilla.redhat.com/attachment.cgi?id=594722
> 

As already explained earlier before this bug was cloned, I don't think
we should use this patch:

| I'll add the patches for CVE-2012-3404 and CVE-2012-3405 as they come
| from upstream and look correct. For CVE-2012-3406 RedHat, as usual, 
| hasn't submitted the patch upstream and thus it hasn't been reviewed. I
| have looked at it quickly and I have to say I don't really like it. 
| Replacing a call to alloca() by a call to malloc() without checking the
| return value is only a small improvement when the attacker can control
| the allocation size. Also it means the attacker can DoS the system or 
| crash the program. To finish malloc() + memmove() + free() is not the 
| best way to reallocate big chunks of memory when realloc() exists.
|
| I am therefore not planning to apply this patch in the current state,
| and thus I am cloning this bug to keep this CVE entry separated from the
| others.

-- 
Aurelien Jarno	                        GPG: 1024D/F1BCDB73
aurelien@aurel32.net                 http://www.aurel32.net
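
The objection above (an unchecked malloc() with an attacker-controlled size, and malloc()+memmove()+free() where realloc() would do) is the pattern the following added example hardens. It is an illustration written for this page, not glibc's vfprintf code or the patch under discussion; the spec_list type, its element limit and the spec-scanning helper are hypothetical, and the format strings are constructed inputs.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* One recorded conversion spec: offset of its '%' and its conversion char.
 * A hypothetical shape for this example, not glibc's representation. */
struct spec {
    size_t pos;
    char conv;
};

/* Growable array with a hard element limit: an attacker-chosen number of
 * specs becomes a reported error instead of an unbounded allocation. */
struct spec_list {
    struct spec *items;
    size_t count;
    size_t cap;
    size_t limit;
};

int spec_list_init(struct spec_list *l, size_t initial_cap, size_t limit)
{
    if (initial_cap == 0 || initial_cap > limit) {
        errno = EINVAL;
        return -1;
    }
    l->items = malloc(initial_cap * sizeof *l->items);
    if (l->items == NULL)
        return -1;                  /* malloc() has set errno to ENOMEM */
    l->count = 0; l->cap = initial_cap; l->limit = limit;
    return 0;
}

/* Append one spec, growing with realloc() when full.  Returns 0, or -1 with
 * errno set; on failure the old buffer is untouched and still owned. */
int spec_list_push(struct spec_list *l, struct spec s)
{
    if (l->count == l->cap) {
        size_t new_cap = (l->cap <= l->limit / 2) ? l->cap * 2 : l->limit;
        struct spec *p;
        if (l->cap >= l->limit || new_cap > SIZE_MAX / sizeof *p) {
            errno = EOVERFLOW;      /* policy limit hit or byte count would wrap */
            return -1;
        }
        p = realloc(l->items, new_cap * sizeof *p);
        if (p == NULL)
            return -1;              /* realloc() has set errno to ENOMEM */
        l->items = p;
        l->cap = new_cap;
    }
    l->items[l->count++] = s;
    return 0;
}

void spec_list_free(struct spec_list *l)
{
    free(l->items);
    l->items = NULL; l->count = l->cap = 0;
}

/* Record every conversion spec in fmt ("%%" is a literal percent).  Returns
 * the number recorded, or -1 with errno set if the list refused to grow. */
long count_format_specs(const char *fmt, struct spec_list *l)
{
    const char *p = fmt;
    while ((p = strchr(p, '%')) != NULL) {
        struct spec s;
        s.pos = (size_t)(p - fmt);
        p++;                                    /* step past '%' */
        if (*p == '%') { p++; continue; }       /* "%%" is not a spec */
        /* Skip flags, width, precision and length modifiers. */
        while (*p != '\0' && strchr("-+ #0123456789.*hlLqjzt", *p) != NULL)
            p++;
        if (*p == '\0')
            break;                              /* truncated spec; ignore */
        s.conv = *p++;
        if (spec_list_push(l, s) != 0)
            return -1;
    }
    return (long)l->count;
}

/* Driver for constructed inputs: parse fmt with a 2-slot list bounded by
 * limit.  Returns the spec count, or the negated errno when refused. */
long demo(const char *fmt, size_t limit)
{
    struct spec_list l;
    long n;
    if (spec_list_init(&l, 2, limit) != 0)
        return -errno;
    n = count_format_specs(fmt, &l);
    if (n < 0)
        n = -errno;
    spec_list_free(&l);
    return n;
}
```

With limit 4, "%d items from %s at %08lx%%" yields 3 specs after one realloc() growth step, while a five-spec format is refused with EOVERFLOW and the caller's existing data stays intact.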



Removed tag(s) patch. Request was from Aurelien Jarno <aurelien@aurel32.net> to control@bugs.debian.org. (Sat, 22 Sep 2012 14:12:09 GMT) (full text, mbox, link).


Changed Bug title to 'CVE-2012-3406: glibc formatted printing vulnerabilities' from 'CVE-2012-3406' Request was from Simon Heimberg <simohe@besonet.ch> to control@bugs.debian.org. (Mon, 29 Oct 2012 19:27:09 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#681888; Package eglibc. (Tue, 05 Feb 2013 17:09:04 GMT) (full text, mbox, link).


Acknowledgement sent to Arne Wichmann <aw@anhrefn.saar.de>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Tue, 05 Feb 2013 17:09:04 GMT) (full text, mbox, link).


Message #30 received at 681888@bugs.debian.org (full text, mbox, reply):

From: Arne Wichmann <aw@anhrefn.saar.de>
To: 681888@bugs.debian.org
Subject: CVE-2012-3406: exploits in the wild, upstream report?
Date: Tue, 5 Feb 2013 17:56:15 +0100
Hi, just for information: [1] suggests that exploits for one of 340[456]
may be out in the wild.

Moreover I did not find an upstream glibc-bug about this yet. Is there one?

[1] https://bugs.launchpad.net/ubuntu/%2Bsource/eglibc/%2Bbug/1031301

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. No one can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)

Bug reassigned from package 'eglibc' to 'src:glibc'. Request was from Aurelien Jarno <aurelien@aurel32.net> to control@bugs.debian.org. (Thu, 26 Jun 2014 14:57:30 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#681888; Package src:glibc. (Sat, 17 Jan 2015 14:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Sat, 17 Jan 2015 14:45:04 GMT) (full text, mbox, link).


Message #37 received at 681888@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 681888@bugs.debian.org
Subject: Re: CVE-2012-3406: exploits in the wild, upstream report?
Date: Sat, 17 Jan 2015 15:44:16 +0100
On Tue, Feb 05, 2013 at 05:56:15PM +0100, Arne Wichmann wrote:
> Hi, just for information: [1] suggests that exploits for one of 340[456]
> may be out in the wild.
> 
> Moreover I did not find an upstream glibc-bug about this yet. Is there one?
> 
> [1] https://bugs.launchpad.net/ubuntu/%2Bsource/eglibc/%2Bbug/1031301

This has now been fixed upstream, can you please merge this into jessie?
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5985c6ea868db23380977a35a2167549f9a3653b

Cheers,
        Moritz



Reply sent to Aurelien Jarno <aurel32@debian.org>:
You have taken responsibility. (Sun, 01 Feb 2015 10:09:05 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Sun, 01 Feb 2015 10:09:05 GMT) (full text, mbox, link).


Message #42 received at 681888-close@bugs.debian.org (full text, mbox, reply):

From: Aurelien Jarno <aurel32@debian.org>
To: 681888-close@bugs.debian.org
Subject: Bug#681888: fixed in glibc 2.19-14
Date: Sun, 01 Feb 2015 10:04:29 +0000
Source: glibc
Source-Version: 2.19-14

We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 681888@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 01 Feb 2015 00:32:31 +0100
Source: glibc
Binary: libc-bin libc-dev-bin glibc-doc glibc-source locales locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-pic libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-pic libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc libc6-dev-sparc libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64 libc6-mips32 libc6-dev-mips32 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc0.1-i386 libc0.1-dev-i386 libc6-x32 libc6-dev-x32 libc6-i686 libc6-xen libc0.1-i686 libc0.3-i686 libc0.3-xen libc6.1-alphaev67 libc6-loongson2f libnss-dns-udeb libnss-files-udeb
Architecture: source all amd64
Version: 2.19-14
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Description:
 glibc-doc  - GNU C Library: Documentation
 glibc-source - GNU C Library: sources
 libc-bin   - GNU C Library: Binaries
 libc-dev-bin - GNU C Library: Development binaries
 libc0.1    - GNU C Library: Shared libraries
 libc0.1-dbg - GNU C Library: detached debugging symbols
 libc0.1-dev - GNU C Library: Development Libraries and Header Files
 libc0.1-dev-i386 - GNU C Library: 32bit development libraries for AMD64
 libc0.1-i386 - GNU C Library: 32bit shared libraries for AMD64
 libc0.1-i686 - GNU C Library: Shared libraries [i686 optimized]
 libc0.1-pic - GNU C Library: PIC archive library
 libc0.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3    - GNU C Library: Shared libraries
 libc0.3-dbg - GNU C Library: detached debugging symbols
 libc0.3-dev - GNU C Library: Development Libraries and Header Files
 libc0.3-i686 - GNU C Library: Shared libraries [i686 optimized]
 libc0.3-pic - GNU C Library: PIC archive library
 libc0.3-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3-xen - GNU C Library: Shared libraries [Xen version]
 libc6      - GNU C Library: Shared libraries
 libc6-amd64 - GNU C Library: 64bit Shared libraries for AMD64
 libc6-dbg  - GNU C Library: detached debugging symbols
 libc6-dev  - GNU C Library: Development Libraries and Header Files
 libc6-dev-amd64 - GNU C Library: 64bit Development Libraries for AMD64
 libc6-dev-i386 - GNU C Library: 32-bit development libraries for AMD64
 libc6-dev-mips32 - GNU C Library: o32 Development Libraries for MIPS
 libc6-dev-mips64 - GNU C Library: 64bit Development Libraries for MIPS64
 libc6-dev-mipsn32 - GNU C Library: n32 Development Libraries for MIPS64
 libc6-dev-powerpc - GNU C Library: 32bit powerpc development libraries for ppc64
 libc6-dev-ppc64 - GNU C Library: 64bit Development Libraries for PowerPC64
 libc6-dev-s390 - GNU C Library: 32bit Development Libraries for IBM zSeries
 libc6-dev-sparc - GNU C Library: 32bit Development Libraries for SPARC
 libc6-dev-sparc64 - GNU C Library: 64bit Development Libraries for UltraSPARC
 libc6-dev-x32 - GNU C Library: X32 ABI Development Libraries for AMD64
 libc6-i386 - GNU C Library: 32-bit shared libraries for AMD64
 libc6-i686 - GNU C Library: Shared libraries [i686 optimized]
 libc6-loongson2f - GNU C Library: Shared libraries (Loongson 2F optimized)
 libc6-mips32 - GNU C Library: o32 Shared libraries for MIPS
 libc6-mips64 - GNU C Library: 64bit Shared libraries for MIPS64
 libc6-mipsn32 - GNU C Library: n32 Shared libraries for MIPS64
 libc6-pic  - GNU C Library: PIC archive library
 libc6-powerpc - GNU C Library: 32bit powerpc shared libraries for ppc64
 libc6-ppc64 - GNU C Library: 64bit Shared libraries for PowerPC64
 libc6-s390 - GNU C Library: 32bit Shared libraries for IBM zSeries
 libc6-sparc - GNU C Library: 32bit Shared libraries for SPARC
 libc6-sparc64 - GNU C Library: 64bit Shared libraries for UltraSPARC
 libc6-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc6-x32  - GNU C Library: X32 ABI Shared libraries for AMD64
 libc6-xen  - GNU C Library: Shared libraries [Xen version]
 libc6.1    - GNU C Library: Shared libraries
 libc6.1-alphaev67 - GNU C Library: Shared libraries (EV67 optimized)
 libc6.1-dbg - GNU C Library: detached debugging symbols
 libc6.1-dev - GNU C Library: Development Libraries and Header Files
 libc6.1-pic - GNU C Library: PIC archive library
 libc6.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libnss-dns-udeb - GNU C Library: NSS helper for DNS - udeb (udeb)
 libnss-files-udeb - GNU C Library: NSS helper for files - udeb (udeb)
 locales    - GNU C Library: National Language (locale) data [support]
 locales-all - GNU C Library: Precompiled locale data
 multiarch-support - Transitional package to ensure multiarch compatibility
 nscd       - GNU C Library: Name Service Cache Daemon
Closes: 681888 763705 775572
Changes:
 glibc (2.19-14) unstable; urgency=medium
 .
   [ Samuel Thibault ]
   * patches/hurd-i386/libpthread_spin-lock.diff: New patch to fix spin-lock.h
     inclusion order.
   * patches/hurd-i386/tg-WRLCK-upgrade.diff: New patch to fix atomicity of
     changing between rd locks and wr locks.
   * patches/hurd-i386/cvs-static-dlopen.diff: New patch to fix dlopen from
     static binaries, busybox notably.
   * control.in/main: Bump mig dependency to get _routines@ symbols, bump
     gnumach-dev dependency to get protected payload symbols.
   * libc0.3.symbols.hurd-i386: Update symbols.
   * patches/hurd-i386/submitted-startup-pid2.diff: Remove, replaced by...
   * patches/hurd-i386/tg-reboot-startup.diff: ... new patch to make reboot
     lookup startup through /servers/startup instead of guessing its pid and
     using its message port.
 .
   [ Adam Conrad ]
   * debian/rules.d/tarball.mk: Fix update-from-upstream manual/* filter rule.
 .
   [ Petr Salinger ]
   * kfreebsd/local-sysdeps.diff: update to revision 5688 (from glibc-bsd).
     Do not return EINTR from sigwait. Closes: #763705.
 .
   [ Aurelien Jarno ]
   * debian/patches/any/cvs-wordexp.diff: new patch from upstream to fix a
     command execution in wordexp() with WRDE_NOCMD specified (CVE-2014-7817).
   * debian/patches/any/cvs-getnetbyname.diff: new patch from upstream to fix
     an infinite loop in getnetbyname (CVE-2014-9402). Closes: #775572.
   * debian/patches/any/cvs-vfprintf.diff: new patch from upstream to fix a
     stack overflow in vfprintf (CVE-2012-3406). Closes: #681888.
   * debian/patches/git-updates.diff: update to the latest commit of the 2.19
     branch to fix a few buffer overflows, unbounded stack allocations or memory
     leaks that have not been (yet?) tagged as security issues. This branch
     includes a few patches already applied manually:
     - drop patches/localedata/unsubmitted-tst-setlocale3-ENV.diff (merged
       upstream).
     - drop patches/s390/cvs-s390-abi-reversal.diff (merged upstream).
     - update patches/any/cvs-resolv-first-query-failure.diff
     - drop patches/any/cvs-resolv-reuse-fd.diff (merged upstream).
     - drop patches/any/cvs-posix_spawn_file_actions_addopen.diff (merged
       upstream).
     - drop patches/any/cvs-setlocale-alloca.diff (merged upstream).
     - drop patches/any/cvs-CVE-2014-0475.diff (merged upstream).
     - drop patches/any/cvs-CVE-2014-5119.diff (merged upstream).
     - drop patches/any/cvs-CVE-2014-6040.diff (merged upstream).
Package-Type: udeb





Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#681888; Package src:glibc. (Sun, 01 Feb 2015 12:51:05 GMT) (full text, mbox, link).


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Sun, 01 Feb 2015 12:51:05 GMT) (full text, mbox, link).


Message #47 received at 681888@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>
To: 681888@bugs.debian.org
Subject: Re: CVE-2012-3406: glibc formatted printing vulnerabilities
Date: Sun, 01 Feb 2015 12:15:02 -0000
Package: src:glibc

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.8) - use target "oldstable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/681888/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Set Bug forwarded-to-address to 'https://sourceware.org/bugzilla/show_bug.cgi?id=16617'. Request was from Samuel Bronson <naesten@gmail.com> to control@bugs.debian.org. (Fri, 27 Feb 2015 17:21:14 GMT) (full text, mbox, link).


Reply sent to Aurelien Jarno <aurel32@debian.org>:
You have taken responsibility. (Sat, 28 Feb 2015 18:06:13 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Sat, 28 Feb 2015 18:06:13 GMT) (full text, mbox, link).


Message #54 received at 681888-close@bugs.debian.org (full text, mbox, reply):

From: Aurelien Jarno <aurel32@debian.org>
To: 681888-close@bugs.debian.org
Subject: Bug#681888: fixed in eglibc 2.13-38+deb7u8
Date: Sat, 28 Feb 2015 18:02:32 +0000
Source: eglibc
Source-Version: 2.13-38+deb7u8

We believe that the bug you reported is fixed in the latest version of
eglibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 681888@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated eglibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 22 Feb 2015 09:49:50 +0100
Source: eglibc
Binary: libc-bin libc-dev-bin glibc-doc eglibc-source locales locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-prof libc6-pic libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-prof libc6.1-pic libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-prof libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-prof libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 libc6-s390x libc6-dev-s390x libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc0.1-i386 libc0.1-dev-i386 libc6-i686 libc6-xen libc0.1-i686 libc0.3-i686 libc0.3-xen libc6.1-alphaev67 libc6-loongson2f libnss-dns-udeb libnss-files-udeb
Architecture: source all
Version: 2.13-38+deb7u8
Distribution: wheezy-security
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Description: 
 eglibc-source - Embedded GNU C Library: sources
 glibc-doc  - Embedded GNU C Library: Documentation
 libc-bin   - Embedded GNU C Library: Binaries
 libc-dev-bin - Embedded GNU C Library: Development binaries
 libc0.1    - Embedded GNU C Library: Shared libraries
 libc0.1-dbg - Embedded GNU C Library: detached debugging symbols
 libc0.1-dev - Embedded GNU C Library: Development Libraries and Header Files
 libc0.1-dev-i386 - Embedded GNU C Library: 32bit development libraries for AMD64
 libc0.1-i386 - Embedded GNU C Library: 32bit shared libraries for AMD64
 libc0.1-i686 - Embedded GNU C Library: Shared libraries [i686 optimized]
 libc0.1-pic - Embedded GNU C Library: PIC archive library
 libc0.1-prof - Embedded GNU C Library: Profiling Libraries
 libc0.1-udeb - Embedded GNU C Library: Shared libraries - udeb (udeb)
 libc0.3    - Embedded GNU C Library: Shared libraries
 libc0.3-dbg - Embedded GNU C Library: detached debugging symbols
 libc0.3-dev - Embedded GNU C Library: Development Libraries and Header Files
 libc0.3-i686 - Embedded GNU C Library: Shared libraries [i686 optimized]
 libc0.3-pic - Embedded GNU C Library: PIC archive library
 libc0.3-prof - Embedded GNU C Library: Profiling Libraries
 libc0.3-udeb - Embedded GNU C Library: Shared libraries - udeb (udeb)
 libc0.3-xen - Embedded GNU C Library: Shared libraries [Xen version]
 libc6      - Embedded GNU C Library: Shared libraries
 libc6-amd64 - Embedded GNU C Library: 64bit Shared libraries for AMD64
 libc6-dbg  - Embedded GNU C Library: detached debugging symbols
 libc6-dev  - Embedded GNU C Library: Development Libraries and Header Files
 libc6-dev-amd64 - Embedded GNU C Library: 64bit Development Libraries for AMD64
 libc6-dev-i386 - Embedded GNU C Library: 32-bit development libraries for AMD64
 libc6-dev-mips64 - Embedded GNU C Library: 64bit Development Libraries for MIPS64
 libc6-dev-mipsn32 - Embedded GNU C Library: n32 Development Libraries for MIPS64
 libc6-dev-powerpc - Embedded GNU C Library: 32bit powerpc development libraries for p
 libc6-dev-ppc64 - Embedded GNU C Library: 64bit Development Libraries for PowerPC64
 libc6-dev-s390 - Embedded GNU C Library: 32bit Development Libraries for IBM zSeri
 libc6-dev-s390x - Embedded GNU C Library: 64bit Development Libraries for IBM zSeri
 libc6-dev-sparc64 - Embedded GNU C Library: 64bit Development Libraries for UltraSPAR
 libc6-i386 - Embedded GNU C Library: 32-bit shared libraries for AMD64
 libc6-i686 - Embedded GNU C Library: Shared libraries [i686 optimized]
 libc6-loongson2f - Embedded GNU C Library: Shared libraries (Loongson 2F optimized)
 libc6-mips64 - Embedded GNU C Library: 64bit Shared libraries for MIPS64
 libc6-mipsn32 - Embedded GNU C Library: n32 Shared libraries for MIPS64
 libc6-pic  - Embedded GNU C Library: PIC archive library
 libc6-powerpc - Embedded GNU C Library: 32bit powerpc shared libraries for ppc64
 libc6-ppc64 - Embedded GNU C Library: 64bit Shared libraries for PowerPC64
 libc6-prof - Embedded GNU C Library: Profiling Libraries
 libc6-s390 - Embedded GNU C Library: 32bit Shared libraries for IBM zSeries
 libc6-s390x - Embedded GNU C Library: 64bit Shared libraries for IBM zSeries
 libc6-sparc64 - Embedded GNU C Library: 64bit Shared libraries for UltraSPARC
 libc6-udeb - Embedded GNU C Library: Shared libraries - udeb (udeb)
 libc6-xen  - Embedded GNU C Library: Shared libraries [Xen version]
 libc6.1    - Embedded GNU C Library: Shared libraries
 libc6.1-alphaev67 - Embedded GNU C Library: Shared libraries (EV67 optimized)
 libc6.1-dbg - Embedded GNU C Library: detached debugging symbols
 libc6.1-dev - Embedded GNU C Library: Development Libraries and Header Files
 libc6.1-pic - Embedded GNU C Library: PIC archive library
 libc6.1-prof - Embedded GNU C Library: Profiling Libraries
 libc6.1-udeb - Embedded GNU C Library: Shared libraries - udeb (udeb)
 libnss-dns-udeb - Embedded GNU C Library: NSS helper for DNS - udeb (udeb)
 libnss-files-udeb - Embedded GNU C Library: NSS helper for files - udeb (udeb)
 locales    - Embedded GNU C Library: National Language (locale) data [support]
 locales-all - Embedded GNU C Library: Precompiled locale data
 multiarch-support - Transitional package to ensure multiarch compatibility
 nscd       - Embedded GNU C Library: Name Service Cache Daemon
Closes: 681888 751774 775572 777197
Changes: 
 eglibc (2.13-38+deb7u8) wheezy-security; urgency=medium
 .
   * debian/patches/any/cvs-wscanf.diff: new patch from upstream to fix a
     heap buffer overflow in wscanf (CVE-2015-1472, CVE-2015-1473). Closes:
     #777197.
   * debian/patches/any/cvs-vfprintf.diff: new patch from upstream to fix a
     stack overflow in vfprintf (CVE-2012-3406). Closes: #681888.
   * debian/patches/any/cvs-posix_spawn_file_actions_addopen.diff: new patch
     from upstream to fix a vulnerability in posix_spawn_file_actions_addopen
     (CVE-2014-4043). Closes: #751774.
   * debian/patches/any/cvs-getnetbyname.diff: new patch from upstream to fix
     an infinite loop in getnetbyname (CVE-2014-9402). Closes: #775572.
   * debian/patches/any/cvs-getaddrinfo-idn.diff: new patch from upstream to
     fix an invalid free when using getaddrinfo with IDN (CVE-2013-7424).
Package-Type: udeb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 29 Mar 2015 07:29:38 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:02:08 2019; Machine Name: beach
