glibc: CVE-2016-10739: getaddrinfo should reject IP addresses with trailing characters

Related Vulnerabilities: CVE-2016-10739, CVE-2019-6488, CVE-2019-7309

Debian Bug report logs - #920047

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 21 Jan 2019 20:54:04 UTC

Severity: normal

Tags: fixed-upstream, patch, security, upstream

Found in versions glibc/2.28-5, glibc/2.24-11+deb9u3, glibc/2.24-11

Fixed in version glibc/2.28-6

Done: Aurelien Jarno <aurel32@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceware.org/bugzilla/show_bug.cgi?id=20018


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#920047; Package glibc. (Mon, 21 Jan 2019 20:54:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Mon, 21 Jan 2019 20:54:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: glibc: CVE-2016-10739: getaddrinfo should reject IP addresses with trailing characters
Date: Mon, 21 Jan 2019 21:52:05 +0100
Package: glibc
Version: 2.28-5--src
Severity: normal
Tags: patch security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=20018
Control: found -1 2.24-11+deb9u3
Control: found -1 2.24-11

Hi,

The following vulnerability was published for glibc.

CVE-2016-10739[0]:
| In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo
| function would successfully parse a string that contained an IPv4
| address followed by whitespace and arbitrary characters, which could
| lead applications to incorrectly assume that it had parsed a valid
| string, without the possibility of embedded HTTP headers or other
| potentially dangerous substrings.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10739
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=20018

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
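
An added example (not code from glibc or from this bug report) of the application-side check the CVE description implies: validate the literal with `inet_pton()`, which rejects trailing bytes, before trusting what `getaddrinfo()` accepted. The function names and sample strings are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* expose getaddrinfo() and inet_pton() */
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Return 1 only if s is exactly a dotted-quad IPv4 literal.
   inet_pton() rejects whitespace and any bytes after the address. */
int is_strict_ipv4_literal(const char *s)
{
    struct in_addr addr;
    return s != NULL && inet_pton(AF_INET, s, &addr) == 1;
}

/* Return 1 if the local getaddrinfo() accepts s as a numeric IPv4 host.
   AI_NUMERICHOST keeps the call offline: no DNS lookup is attempted. */
int resolver_accepts(const char *s)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;
    if (getaddrinfo(s, NULL, &hints, &res) != 0)
        return 0;
    freeaddrinfo(res);
    return 1;
}

/* Return 1 if the resolver accepts input that the strict check rejects,
   i.e. the libc in use still shows the behaviour described in the CVE. */
int resolver_is_lenient(const char *s)
{
    return !is_strict_ipv4_literal(s) && resolver_accepts(s);
}

int main(void)
{
    /* Constructed samples; 192.0.2.0/24 is reserved for documentation. */
    const char *samples[] = { "192.0.2.1", "192.0.2.1 trailing",
                              "192.0.2.1\r\nX-Constructed: 1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("strict=%d resolver=%d lenient=%d\n", is_strict_ipv4_literal(samples[i]),
               resolver_accepts(samples[i]), resolver_is_lenient(samples[i]));
    return 0;
}
```

Per the CVE description, an affected glibc would report `lenient=1` for the samples that carry whitespace after the address; a library with the fix reports `lenient=0` for all of them.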



Marked as found in versions 2.24-11+deb9u3. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 21 Jan 2019 20:54:07 GMT)


Marked as found in versions 2.24-11. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 21 Jan 2019 20:54:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#920047; Package glibc. (Mon, 21 Jan 2019 21:27:05 GMT)


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Mon, 21 Jan 2019 21:27:05 GMT)


Message #14 received at 920047@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 920047@bugs.debian.org
Subject: Re: Bug#920047: glibc: CVE-2016-10739: getaddrinfo should reject IP addresses with trailing characters
Date: Mon, 21 Jan 2019 22:17:51 +0100

* Salvatore Bonaccorso:

> CVE-2016-10739[0]:
> | In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo
> | function would successfully parse a string that contained an IPv4
> | address followed by whitespace and arbitrary characters, which could
> | lead applications to incorrectly assume that it had parsed a valid
> | string, without the possibility of embedded HTTP headers or other
> | potentially dangerous substrings.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-10739
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739
> [1] https://sourceware.org/bugzilla/show_bug.cgi?id=20018
>
> Please adjust the affected versions in the BTS as needed.

Would it help if I put a backport on the 2.24 upstream branch?



Bug reassigned from package 'glibc' to 'src:glibc'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 22 Jan 2019 20:12:05 GMT)


No longer marked as found in versions 2.24-11, 2.28-5--src, and 2.24-11+deb9u3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 22 Jan 2019 20:12:05 GMT)


Marked as found in versions glibc/2.28-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 22 Jan 2019 20:12:06 GMT)


Marked as found in versions glibc/2.24-11+deb9u3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 22 Jan 2019 20:12:07 GMT)


Marked as found in versions glibc/2.24-11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 22 Jan 2019 20:12:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#920047; Package src:glibc. (Thu, 24 Jan 2019 11:30:05 GMT)


Acknowledgement sent to Aurelien Jarno <aurelien@aurel32.net>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Thu, 24 Jan 2019 11:30:05 GMT)


Message #29 received at 920047@bugs.debian.org:

From: Aurelien Jarno <aurelien@aurel32.net>
To: Florian Weimer <fw@deneb.enyo.de>, 920047@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#920047: glibc: CVE-2016-10739: getaddrinfo should reject IP addresses with trailing characters
Date: Thu, 24 Jan 2019 12:26:07 +0100

On 2019-01-21 22:17, Florian Weimer wrote:
> * Salvatore Bonaccorso:
> 
> > CVE-2016-10739[0]:
> > | In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo
> > | function would successfully parse a string that contained an IPv4
> > | address followed by whitespace and arbitrary characters, which could
> > | lead applications to incorrectly assume that it had parsed a valid
> > | string, without the possibility of embedded HTTP headers or other
> > | potentially dangerous substrings.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2016-10739
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739
> > [1] https://sourceware.org/bugzilla/show_bug.cgi?id=20018
> >
> > Please adjust the affected versions in the BTS as needed.
> 
> Would it help if I put a backport on the 2.24 upstream branch?
> 

That would indeed help, then we can just pull that branch for the
stretch package. Note that there is already an upload in the pipeline
(bug #917620), I guess we should get that one into stretch first.

Thanks,
Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Tue, 29 Jan 2019 06:21:13 GMT)


Reply sent to Aurelien Jarno <aurel32@debian.org>:
You have taken responsibility. (Tue, 05 Feb 2019 19:39:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 05 Feb 2019 19:39:07 GMT)


Message #36 received at 920047-close@bugs.debian.org:

From: Aurelien Jarno <aurel32@debian.org>
To: 920047-close@bugs.debian.org
Subject: Bug#920047: fixed in glibc 2.28-6
Date: Tue, 05 Feb 2019 19:37:58 +0000

Source: glibc
Source-Version: 2.28-6

We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 920047@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 05 Feb 2019 19:55:42 +0100
Source: glibc
Architecture: source
Version: 2.28-6
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Closes: 761300 908928 920047 921165
Changes:
 glibc (2.28-6) unstable; urgency=medium
 .
   [ Samuel Thibault ]
   * debian/patches/hurd-i386/git-AT_EMPTY_PATH.diff: New patch, fixes qt's
     file size query.
   * debian/patches/hurd-i386/git-altstack.diff: New patch, fixes altstack
     initial state.
 .
   [ Aurelien Jarno ]
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - Fix a buffer overflow in string/memory functions on x32 (CVE-2019-6488).
     - Reject IP addresses with trailing characters (CVE-2016-10739).  Closes:
       #920047.
     - Fix wrong return value for memcmp on amd64 and x32 due to mishandling
       of most significant bit (CVE-2019-7309).
   * Update Russian debconf translation, by Lev Lamberov.  Closes:
     #921165.
   * debian/patches/any/local-ldso-disable-hwcap.diff: only check for
     /etc/ld.so.nohwcap on alpha, hurd-i386 and i386. Based on a patch from
     Josh Triplett.  Closes: #908928.
   * debian/patches/any/git-libio-stdout-putc.diff: fix puts and putchar output
     with changed stdout pointer.  Closes: #761300.
   * debhelper.in/locales.bug-presubj: drop obsolete file, the dependency
     mechanism for locales has been changed a long time ago.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 26 Apr 2019 07:26:28 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:58:24 2019; Machine Name: buxtehude