Debian Bug report logs -
#799966
glibc: CVE-2015-5277: data corruption while reading the NSS files database
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#799966; Package src:glibc.
(Thu, 24 Sep 2015 18:54:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>.
(Thu, 24 Sep 2015 18:54:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: glibc
Severity: important
Tags: security
This was assigned CVE-2015-5277:
https://sourceware.org/bugzilla/show_bug.cgi?id=17079
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ac60763eac3d43b7234dd21286ad3ec3f17957fc
Cheers,
Moritz
Marked as found in versions glibc/2.19-18.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 27 Sep 2015 05:57:04 GMT) (full text, mbox, link).
Changed Bug title to 'glibc: CVE-2015-5277: data corruption while reading the NSS files database' from 'CVE-2015-5277'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 27 Sep 2015 05:57:05 GMT) (full text, mbox, link).
Added tag(s) upstream and fixed-upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 27 Sep 2015 05:57:07 GMT) (full text, mbox, link).
Added tag(s) patch.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 27 Sep 2015 06:30:04 GMT) (full text, mbox, link).
Marked as fixed in versions glibc/2.21-0experimental0.
Request was from Aurelien Jarno <aurel32@debian.org>
to control@bugs.debian.org.
(Sun, 18 Oct 2015 20:57:04 GMT) (full text, mbox, link).
Reply sent
to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility.
(Tue, 01 Dec 2015 10:51:14 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.
(Tue, 01 Dec 2015 10:51:15 GMT) (full text, mbox, link).
Message #22 received at 799966-done@bugs.debian.org (full text, mbox, reply):
Version: 2.21-1
> This was assigned CVE-2015-5277:
> https://sourceware.org/bugzilla/show_bug.cgi?id=17079
> https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ac60763eac3d43b7234dd21286ad3ec3f17957fc
Fixed upstream in 2.20 and thus in 2.21-1 in unstable.
Cheers,
Moritz
Reply sent
to Aurelien Jarno <aurel32@debian.org>:
You have taken responsibility.
(Fri, 01 Jan 2016 15:51:29 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.
(Fri, 01 Jan 2016 15:51:29 GMT) (full text, mbox, link).
Message #27 received at 799966-close@bugs.debian.org (full text, mbox, reply):
Source: glibc
Source-Version: 2.19-18+deb8u2
We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 799966@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 28 Dec 2015 21:39:40 +0100
Source: glibc
Binary: libc-bin libc-dev-bin glibc-doc glibc-source locales locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-pic libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-pic libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc libc6-dev-sparc libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64 libc6-mips32 libc6-dev-mips32 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc0.1-i386 libc0.1-dev-i386 libc6-x32 libc6-dev-x32 libc6-i686 libc6-xen libc0.1-i686 libc0.3-i686 libc0.3-xen libc6.1-alphaev67 libc6-loongson2f libnss-dns-udeb libnss-files-udeb
Architecture: source all
Version: 2.19-18+deb8u2
Distribution: stable
Urgency: medium
Maintainer: Aurelien Jarno <aurel32@debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Description:
glibc-doc - GNU C Library: Documentation
glibc-source - GNU C Library: sources
libc-bin - GNU C Library: Binaries
libc-dev-bin - GNU C Library: Development binaries
libc0.1 - GNU C Library: Shared libraries
libc0.1-dbg - GNU C Library: detached debugging symbols
libc0.1-dev - GNU C Library: Development Libraries and Header Files
libc0.1-dev-i386 - GNU C Library: 32bit development libraries for AMD64
libc0.1-i386 - GNU C Library: 32bit shared libraries for AMD64
libc0.1-i686 - GNU C Library: Shared libraries [i686 optimized]
libc0.1-pic - GNU C Library: PIC archive library
libc0.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
libc0.3 - GNU C Library: Shared libraries
libc0.3-dbg - GNU C Library: detached debugging symbols
libc0.3-dev - GNU C Library: Development Libraries and Header Files
libc0.3-i686 - GNU C Library: Shared libraries [i686 optimized]
libc0.3-pic - GNU C Library: PIC archive library
libc0.3-udeb - GNU C Library: Shared libraries - udeb (udeb)
libc0.3-xen - GNU C Library: Shared libraries [Xen version]
libc6 - GNU C Library: Shared libraries
libc6-amd64 - GNU C Library: 64bit Shared libraries for AMD64
libc6-dbg - GNU C Library: detached debugging symbols
libc6-dev - GNU C Library: Development Libraries and Header Files
libc6-dev-amd64 - GNU C Library: 64bit Development Libraries for AMD64
libc6-dev-i386 - GNU C Library: 32-bit development libraries for AMD64
libc6-dev-mips32 - GNU C Library: o32 Development Libraries for MIPS
libc6-dev-mips64 - GNU C Library: 64bit Development Libraries for MIPS64
libc6-dev-mipsn32 - GNU C Library: n32 Development Libraries for MIPS64
libc6-dev-powerpc - GNU C Library: 32bit powerpc development libraries for ppc64
libc6-dev-ppc64 - GNU C Library: 64bit Development Libraries for PowerPC64
libc6-dev-s390 - GNU C Library: 32bit Development Libraries for IBM zSeries
libc6-dev-sparc - GNU C Library: 32bit Development Libraries for SPARC
libc6-dev-sparc64 - GNU C Library: 64bit Development Libraries for UltraSPARC
libc6-dev-x32 - GNU C Library: X32 ABI Development Libraries for AMD64
libc6-i386 - GNU C Library: 32-bit shared libraries for AMD64
libc6-i686 - GNU C Library: Shared libraries [i686 optimized]
libc6-loongson2f - GNU C Library: Shared libraries (Loongson 2F optimized)
libc6-mips32 - GNU C Library: o32 Shared libraries for MIPS
libc6-mips64 - GNU C Library: 64bit Shared libraries for MIPS64
libc6-mipsn32 - GNU C Library: n32 Shared libraries for MIPS64
libc6-pic - GNU C Library: PIC archive library
libc6-powerpc - GNU C Library: 32bit powerpc shared libraries for ppc64
libc6-ppc64 - GNU C Library: 64bit Shared libraries for PowerPC64
libc6-s390 - GNU C Library: 32bit Shared libraries for IBM zSeries
libc6-sparc - GNU C Library: 32bit Shared libraries for SPARC
libc6-sparc64 - GNU C Library: 64bit Shared libraries for UltraSPARC
libc6-udeb - GNU C Library: Shared libraries - udeb (udeb)
libc6-x32 - GNU C Library: X32 ABI Shared libraries for AMD64
libc6-xen - GNU C Library: Shared libraries [Xen version]
libc6.1 - GNU C Library: Shared libraries
libc6.1-alphaev67 - GNU C Library: Shared libraries (EV67 optimized)
libc6.1-dbg - GNU C Library: detached debugging symbols
libc6.1-dev - GNU C Library: Development Libraries and Header Files
libc6.1-pic - GNU C Library: PIC archive library
libc6.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
libnss-dns-udeb - GNU C Library: NSS helper for DNS - udeb (udeb)
libnss-files-udeb - GNU C Library: NSS helper for files - udeb (udeb)
locales - GNU C Library: National Language (locale) data [support]
locales-all - GNU C Library: Precompiled locale data
multiarch-support - Transitional package to ensure multiarch compatibility
nscd - GNU C Library: Name Service Cache Daemon
Closes: 779587 798316 798515 799966 800523 800574 801691 802256 803927
Changes:
glibc (2.19-18+deb8u2) stable; urgency=medium
.
[ Aurelien Jarno ]
* Update from upstream stable branch:
- Fix getaddrinfo sometimes returning uninitialized data with nscd.
Closes: #798515.
- Fix data corruption while reading the NSS files database
(CVE-2015-5277). Closes: #799966.
- Fix buffer overflow (read past end of buffer) in internal_fnmatch.
- Fix _IO_wstr_overflow integer overflow.
- Fix unexpected closing of nss_files databases after lookups,
causing denial of service (CVE-2014-8121). Closes: #779587.
- Fix NSCD netgroup cache. Closes: #800523.
* patches/any/cvs-ld_pointer_guard.diff: new patch from upstream to
unconditionally disable LD_POINTER_GUARD. Closes: #798316, #801691.
* patches/any/cvs-mangle-tls_dtor_list.diff: new patch from upstream to
mangle function pointers in tls_dtor_list. Closes: #802256.
* patches/any/cvs-strxfrm-buffer-overflows.diff: new patch from upstream
to fix memory allocations issues that can lead to buffer overflows on
the stack. Closes: #803927.
.
[ Henrique de Moraes Holschuh ]
* Replace patches/amd64/local-blacklist-on-TSX-Haswell.diff by
local-blacklist-for-Intel-TSX.diff also blacklisting some Broadwell
models. Closes: #800574.
Checksums-Sha1:
e4386b9b316fb3366323a25c5626df580b3dd100 8236 glibc_2.19-18+deb8u2.dsc
9a766804327f12ab4424afab959c97d930421f1a 1040948 glibc_2.19-18+deb8u2.debian.tar.xz
bbf48a19e71e8c9367d8514ff2e1131d34f0134e 2267136 glibc-doc_2.19-18+deb8u2_all.deb
35528d07531cc05b48fe0a3405de48e2ab91491b 13976542 glibc-source_2.19-18+deb8u2_all.deb
0b0f9e53d313deb1965e7994c386b5384be66bc2 3954372 locales_2.19-18+deb8u2_all.deb
Checksums-Sha256:
f87e7448c2e460aac9b1a420469b7848b057a5d4e9f716b26d0277446eabac13 8236 glibc_2.19-18+deb8u2.dsc
0e407d1610ba95adfe641d7030ddac13105682f638cf8ff1286dfd1c44d24aa3 1040948 glibc_2.19-18+deb8u2.debian.tar.xz
24366700536fe92feb1570b5ce733d09fac4d1956a5904e330ad7bb642a2a167 2267136 glibc-doc_2.19-18+deb8u2_all.deb
b940f7c54a40513b5915ff6534b89d5f6b2154c2e78980bfe37b08264f55f90d 13976542 glibc-source_2.19-18+deb8u2_all.deb
e7694d8bfafffbf78b3ebb79f9e3218d699f0e13b761e1f4c7848705eebc9fe2 3954372 locales_2.19-18+deb8u2_all.deb
Files:
645a3775c11f5c216a25683b37db0f80 8236 libs required glibc_2.19-18+deb8u2.dsc
f7c75b3bdf661a84abf51420f15b6933 1040948 libs required glibc_2.19-18+deb8u2.debian.tar.xz
80e5c2d6537a71b13c549f628e2fdf71 2267136 doc optional glibc-doc_2.19-18+deb8u2_all.deb
fa2a8d49a5d97782a4f17aaea6edb642 13976542 devel optional glibc-source_2.19-18+deb8u2_all.deb
f3090452ea4d882d1891f265b90a5979 3954372 localization standard locales_2.19-18+deb8u2_all.deb
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJWgb0OAAoJELqceAYd3Yyb8FcP/3FJ4wWofgVMLI/u8Po9Iq2e
s3YRCwQNyCR7yGPiQS4Ow5OX3z/McXAG9MptMrWJUPetlFYttMqJJ7oW6Sgx5gZq
oZqbU2bI3pvH3qzy/VJfhJSD9r9qYoDRg+5N1LJtpF8D42CbEnKZDNT0KEAFo2qB
5lQcesVhfOGJt8GywiI8W+E10qSaAioWE/qD+D5QSpzoO25suB+9b8spGRZKIT/9
5B36o0DZFfcooPWjjkzab245TKu4SSSmC721whR2HcS4u3mcx9ZdqTEpsEk0DNWm
Hq25r0UJ8nvBffrgBY23odYRWgWeSNQcVml07RFY0dkNyz6FaX1x0917wnBzLvgX
0QAM+gSNs07e6QQV1AnrGzpXRUXsD3KTVklMrkKrKlZ0qmVZjKwzIm3COrIdEXUD
2FU/nSO49zLAvH+kUGMSeDQRDg4pgG2A/uhIq+ty8oBzkDiQvOpZNO8XZ8x2f43O
g1l/RcUF46yzu3WJjKOGoyukKvLMnhywppTHkD4S7fVL+p1mtpBr6p+lNQ9wZuHk
lxYJH4VcmcN1r2mEG6NcR8vdnSWueFIANaFRb/gSiz+oFo0inGLVFgC82a7moD05
yKXLR5BQo5fBNu0upLIrPHK1td9+bAaCyl2O5KlER2YzLtEqVJWcj2J5W/8itYaV
3XIC0DPL18g5+v9LXDpC
=+T4w
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 26 Sep 2016 07:34:50 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:04:25 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon