glibc: CVE-2017-1000408

Related Vulnerabilities: CVE-2017-1000408   CVE-2017-1000409  

Debian Bug report logs - #884132
glibc: CVE-2017-1000408


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 11 Dec 2017 19:39:01 UTC

Severity: important

Tags: security, upstream

Found in version glibc/2.19-18

Fixed in version glibc/2.25-5

Done: Aurelien Jarno <aurel32@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#884132; Package src:glibc. (Mon, 11 Dec 2017 19:39:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Mon, 11 Dec 2017 19:39:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: glibc: CVE-2017-1000408
Date: Mon, 11 Dec 2017 20:35:28 +0100
Source: glibc
Version: 2.19-18
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for glibc, this is just to
track the issue. A DSA is not warranted for this issue only and can be
addressed in a point release. The issues are already not-exploitable
as described in [1].

CVE-2017-1000408[0]:
memory leak

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000408
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000408
[1] http://www.openwall.com/lists/oss-security/2017/12/11/4

Regards,
Salvatore



Added tag(s) pending. Request was from Aurelien Jarno <aurelien@aurel32.net> to control@bugs.debian.org. (Sat, 16 Dec 2017 14:39:07 GMT) (full text, mbox, link).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#884132. (Sat, 16 Dec 2017 14:39:09 GMT) (full text, mbox, link).


Message #10 received at 884132-submitter@bugs.debian.org (full text, mbox, reply):

From: Aurelien Jarno <aurelien@aurel32.net>
To: 884132-submitter@bugs.debian.org
Subject: Bug#884132 marked as pending
Date: Sat, 16 Dec 2017 14:37:42 +0000
tag 884132 pending
thanks

Hello,

Bug #884132 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?id=5d5bd4b

---
commit 5d5bd4b533c43d6887101493e7ffaca89ac501a1
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sat Dec 16 15:37:33 2017 +0100

    debian/patches/git-updates.diff: update from upstream stable branch:
    
    * debian/patches/git-updates.diff: update from upstream stable branch:
      - Fix memory leak in ld.so (CVE-2017-1000408).  Closes: #884132.
      - Fix buffer overflow in ld.so (CVE-2017-1000409).  Closes: #884133.

diff --git a/debian/changelog b/debian/changelog
index f23313e..340239a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,9 @@ glibc (2.25-5) UNRELEASED; urgency=medium
   [ Aurelien Jarno ]
   * debian/rules.d/debhelper.mk: strip all *crt*.o files, unless
     DEB_BUILD_OPTIONS contains nostrip.  Closes: #884524.
+  * debian/patches/git-updates.diff: update from upstream stable branch:
+    - Fix memory leak in ld.so (CVE-2017-1000408).  Closes: #884132.
+    - Fix buffer overflow in ld.so (CVE-2017-1000409).  Closes: #884133.
 
  -- Aurelien Jarno <aurel32@debian.org>  Tue, 12 Dec 2017 23:52:07 +0100
 
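Review bot: the commit message says debian/patches/git-updates.diff was refreshed from the upstream stable branch, but the only hunk shown here touches debian/changelog; please confirm the git-updates.diff refresh is part of the same commit (the cgit link above) so the changelog does not claim fixes for CVE-2017-1000408 and CVE-2017-1000409 that the packaged source does not carry. Also, since the entry stays UNRELEASED with the earlier "Tue, 12 Dec 2017" trailer, the trailer should be refreshed at upload time so the changelog date matches the 2.25-5 release.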



Reply sent to Aurelien Jarno <aurel32@debian.org>:
You have taken responsibility. (Sat, 16 Dec 2017 16:06:10 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 16 Dec 2017 16:06:10 GMT) (full text, mbox, link).


Message #15 received at 884132-close@bugs.debian.org (full text, mbox, reply):

From: Aurelien Jarno <aurel32@debian.org>
To: 884132-close@bugs.debian.org
Subject: Bug#884132: fixed in glibc 2.25-5
Date: Sat, 16 Dec 2017 16:04:29 +0000
Source: glibc
Source-Version: 2.25-5

We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 884132@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 16 Dec 2017 15:37:43 +0100
Source: glibc
Binary: libc-bin libc-dev-bin libc-l10n glibc-doc glibc-source locales locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-pic libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-pic libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc libc6-dev-sparc libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64 libc6-mips32 libc6-dev-mips32 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc0.1-i386 libc0.1-dev-i386 libc6-x32 libc6-dev-x32 libc6-xen libc0.3-xen libc6.1-alphaev67
Architecture: source
Version: 2.25-5
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Description:
 glibc-doc  - GNU C Library: Documentation
 glibc-source - GNU C Library: sources
 libc-bin   - GNU C Library: Binaries
 libc-dev-bin - GNU C Library: Development binaries
 libc-l10n  - GNU C Library: localization files
 libc0.1    - GNU C Library: Shared libraries
 libc0.1-dbg - GNU C Library: detached debugging symbols
 libc0.1-dev - GNU C Library: Development Libraries and Header Files
 libc0.1-dev-i386 - GNU C Library: 32bit development libraries for AMD64
 libc0.1-i386 - GNU C Library: 32bit shared libraries for AMD64
 libc0.1-pic - GNU C Library: PIC archive library
 libc0.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3    - GNU C Library: Shared libraries
 libc0.3-dbg - GNU C Library: detached debugging symbols
 libc0.3-dev - GNU C Library: Development Libraries and Header Files
 libc0.3-pic - GNU C Library: PIC archive library
 libc0.3-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3-xen - GNU C Library: Shared libraries [Xen version]
 libc6      - GNU C Library: Shared libraries
 libc6-amd64 - GNU C Library: 64bit Shared libraries for AMD64
 libc6-dbg  - GNU C Library: detached debugging symbols
 libc6-dev  - GNU C Library: Development Libraries and Header Files
 libc6-dev-amd64 - GNU C Library: 64bit Development Libraries for AMD64
 libc6-dev-i386 - GNU C Library: 32-bit development libraries for AMD64
 libc6-dev-mips32 - GNU C Library: o32 Development Libraries for MIPS
 libc6-dev-mips64 - GNU C Library: 64bit Development Libraries for MIPS64
 libc6-dev-mipsn32 - GNU C Library: n32 Development Libraries for MIPS64
 libc6-dev-powerpc - GNU C Library: 32bit powerpc development libraries for ppc64
 libc6-dev-ppc64 - GNU C Library: 64bit Development Libraries for PowerPC64
 libc6-dev-s390 - GNU C Library: 32bit Development Libraries for IBM zSeries
 libc6-dev-sparc - GNU C Library: 32bit Development Libraries for SPARC
 libc6-dev-sparc64 - GNU C Library: 64bit Development Libraries for UltraSPARC
 libc6-dev-x32 - GNU C Library: X32 ABI Development Libraries for AMD64
 libc6-i386 - GNU C Library: 32-bit shared libraries for AMD64
 libc6-mips32 - GNU C Library: o32 Shared libraries for MIPS
 libc6-mips64 - GNU C Library: 64bit Shared libraries for MIPS64
 libc6-mipsn32 - GNU C Library: n32 Shared libraries for MIPS64
 libc6-pic  - GNU C Library: PIC archive library
 libc6-powerpc - GNU C Library: 32bit powerpc shared libraries for ppc64
 libc6-ppc64 - GNU C Library: 64bit Shared libraries for PowerPC64
 libc6-s390 - GNU C Library: 32bit Shared libraries for IBM zSeries
 libc6-sparc - GNU C Library: 32bit Shared libraries for SPARC
 libc6-sparc64 - GNU C Library: 64bit Shared libraries for UltraSPARC
 libc6-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc6-x32  - GNU C Library: X32 ABI Shared libraries for AMD64
 libc6-xen  - GNU C Library: Shared libraries [Xen version]
 libc6.1    - GNU C Library: Shared libraries
 libc6.1-alphaev67 - GNU C Library: Shared libraries (EV67 optimized)
 libc6.1-dbg - GNU C Library: detached debugging symbols
 libc6.1-dev - GNU C Library: Development Libraries and Header Files
 libc6.1-pic - GNU C Library: PIC archive library
 libc6.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 locales    - GNU C Library: National Language (locale) data [support]
 locales-all - GNU C Library: Precompiled locale data
 multiarch-support - Transitional package to ensure multiarch compatibility
 nscd       - GNU C Library: Name Service Cache Daemon
Closes: 884132 884133 884524
Changes:
 glibc (2.25-5) unstable; urgency=medium
 .
   [ Samuel Thibault ]
   * hurd-i386/git-rtld-access.diff: Fix spurious errno update.
 .
   [ Aurelien Jarno ]
   * debian/rules.d/debhelper.mk: strip all *crt*.o files, unless
     DEB_BUILD_OPTIONS contains nostrip.  Closes: #884524.
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - Fix memory leak in ld.so (CVE-2017-1000408).  Closes: #884132.
     - Fix buffer overflow in ld.so (CVE-2017-1000409).  Closes: #884133.
Checksums-Sha1:
 9d600997bfcaaa9ada861ca313bf7d72992643b8 8792 glibc_2.25-5.dsc
 11939f3bab2febdf21a2e1662a9b90628c3ff07f 1040564 glibc_2.25-5.debian.tar.xz
 64c32a36dc7e1d0dcace9332e3c6235ddea1a98c 7568 glibc_2.25-5_source.buildinfo
Checksums-Sha256:
 a738d2987ed3ba53305141d7bcc969f062e8575958be69d9adc8601e8a011946 8792 glibc_2.25-5.dsc
 44d12cadc6810901e2ea3f9830c5b4a3bae9b6973fa036bce5199fcead99e5e3 1040564 glibc_2.25-5.debian.tar.xz
 49f7c74adfc067d2ba2566b759a1a498dd592b3c0260e4f8cfe61928de95f508 7568 glibc_2.25-5_source.buildinfo
Files:
 f0949daa70de46e96736556f49bc47a6 8792 libs required glibc_2.25-5.dsc
 4e6270a810751dc8b608800c017ef061 1040564 libs required glibc_2.25-5.debian.tar.xz
 168198c478982d5bac3a67690db73bad 7568 libs required glibc_2.25-5_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEd0YmQqnvlP0Pdxltupx4Bh4djJsFAlo1MEYACgkQupx4Bh4d
jJtxnQ//Q7ZBkEL/5fvteY5e6blnmN4DkkzjSfjkDFSit9R9z3qgB2Z2E2HOXVbv
KAib2VigveNh45opwgVKqbTWei/YIsPgfJOuiqeTKkV5nn2fpXdl7KXDasv2Dcdg
3ZC/DXtXMAimIaVskAFeizJsFgxXeNaBx8VdX+5LBoayW+ZVJjbICnECvX0FUax4
zHYL/jDdXK2oxWDBsKwTftwrBARVfz6UbFqCWawM9GSUHqmozViirv7+Y9nlb6eb
oGxpbUBGIGdb0Kx3Q0Dk0mEH9UlbN5xEbdamPBZI/3OcDehJvu7oEYq+EJVpPbzo
+zLN7cxssKOi+Wp3A3J0k4aX6oW8lLKInaDgzjjmzfNfRG9NSqMwk04jOzEpJdNo
CmbnR02FSL+0ZNConim305tAyCVRJXTVHqPknawB+N6mOpKq2Zc2p9grwI1AnZki
oyqIJ+4rpQmLZoXSg7gLINwALK6aDtUOr9a2t5SZe3UftxLtzUVDFUu8ktrjrtc+
UCwv5SdJYe7rfN1CRQuaCK/4IqCYfcnW8Zqu51yi4dS/QLv6WYUPS6c3OlzeVcf+
ACPE+4VVvpTH2P7rinZcZggb8e5WM+3Vw3li7y8CE1evklzNVH08hY+HA5IIJQhp
GQoU/3+7R41S1kiBYYdf+7lBZQHU5jDGsKA1iD5HE+doRVEfxh0=
=lCk5
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 25 Mar 2018 07:29:30 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:44:16 2019; Machine Name: beach
