Bug#969926: glibc: Parsing of /etc/gshadow can return bad pointers causing segfaults in applications
On 2021-06-04 21:51, Florian Weimer wrote:
> * Aurelien Jarno:
>
> > On 2021-06-04 20:34, Florian Weimer wrote:
> >> * Moritz Mühlenhoff:
> >>
> >> > Am Wed, Sep 09, 2020 at 12:30:44PM +0200 schrieb Aurelien Jarno:
> >> >> control: forcemerge 967938 969926
> >> >>
> >> >> Hi,
> >> >>
> >> >> On 2020-09-09 02:58, Bernd Zeimetz wrote:
> >> >> > Source: glibc
> >> >> > Version: 2.28-10
> >> >> > Severity: serious
> >> >> > Tags: security upstream patch
> >> >> > X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
> >> >> >
> >> >> > Hi,
> >> >> >
> >> >> > we are running into the bug
> >> >> > https://sourceware.org/bugzilla/show_bug.cgi?id=20338
> >> >> > causing systemd-sysusers to segfault.
> >> >> >
> >> >> > Patch is available in the linked bug report.
> >> >>
> >> >> This has already been reported, Florian will work on a backport, as it
> >> >> is not straightforward to backport it to buster due to the usage of
> >> >> private symbols.
> >> >
> >> > Florian, did you manage to backport this to 2.31? It would be nice to get this
> >> > fixed for a Buster point release still.
> >>
> >> Do you mean 2.28? DJ Delorie did the backport, and Carlos O'Donell
> >> implemented the GLIBC_PRIVATE ABI compatibility fix. I'll see if I
> >> can get the patches to apply to Debian's 2.28 tree.
> >
> > Is it possible to commit those patches to the upstream 2.28 branch? If
> > so, I guess we can simply pull the branch in the Debian package, fixing
> > many other security bugs at the same time.
>
> I'm concerned about the GLIBC_PRIVATE internal ABI change, it causes
> issues if the update is applied without a reboot:
>
> glibc: After upgrade, before reboot, systemd services using USER= do
> not start (caused by fix for bug 1871397)
> <https://bugzilla.redhat.com/show_bug.cgi?id=1927040>
That issue looks problematic for Debian, we usually do not require a
(immediate) reboot after applying a security upgrade.
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurelien@aurel32.net http://www.aurel32.net
Reply to: