Your message dated Tue, 3 Oct 2023 21:29:47 +0200
with message-id <27aaed3b-cecd-4cd2-8b3c-d98f095831f4@debian.org>
and subject line Re: Bug#1053419: unblock: glibc/2.37-12
has caused the Debian Bug report #1053419,
regarding unblock: glibc/2.37-12
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1053419: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053419
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: glibc/2.37-12
- From: Aurelien Jarno <aurel32@debian.org>
- Date: Tue, 03 Oct 2023 21:14:36 +0200
- Message-id: <169636047649.4023676.6968626972106100794.reportbug@ohm.local>
Package: release.debian.org
Severity: normal
Tags: security
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: glibc@packages.debian.org
Control: affects -1 + src:glibc

[ Reason ]
glibc/2.37-12 fixes a local root vulnerability, I believe the package should migrate as soon as possible in testing, bypassing the debci tests.

[ Impact ]
Users of testing will be left with a local root vulnerability.

[ Tests ]
The testsuite has been updated to check for the security issue. In addition manual testing has been done to confirm the security vulnerability has been fixed.

[ Risks ]
The diff between glibc/2.37-11 and glibc/2.37-12 is minimal, with the exception of XFAILing a test on hurd-i386, and slightly adjusting the allowed accuracy in the test of the y0_towardzero function.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
Without packages with flaky autopkgtests, glibc/2.37-11 should have been in testing for a few days already, so I have considered that version as a basis for filing this unblock.

diff --git a/debian/changelog b/debian/changelog index deca040f..c3f116c3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,16 @@ +glibc (2.37-12) unstable; urgency=critical + + [ Samuel Thibault ] + * debian/testsuite-xfail-debian.mk: Update xfails for hurd-i386. + + [ Aurelien Jarno ] + * debian/patches/git-updates.diff: update from upstream stable branch: + - Fix a buffer overflow in the dynamic loader's processing of the + GLIBC_TUNABLES environment variable (CVE-2023-4911). + * Set urgency to critical given the security issue. + + -- Aurelien Jarno <aurel32@debian.org> Tue, 03 Oct 2023 19:14:06 +0200 + glibc (2.37-11) unstable; urgency=medium [ Samuel Thibault ] diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff index d8549680..ecaf3162 100644 --- a/debian/patches/git-updates.diff 
+++ b/debian/patches/git-updates.diff @@ -1,10 +1,10 @@ GIT update of https://sourceware.org/git/glibc.git/release/2.37/master from glibc-2.37 diff --git a/NEWS b/NEWS -index ad5196a5f1..3725cc4820 100644 +index ad5196a5f1..b351537a78 100644 --- a/NEWS +++ b/NEWS -@@ -5,6 +5,50 @@ See the end for copying conditions. +@@ -5,6 +5,55 @@ See the end for copying conditions. Please send GNU C library bug reports via <https://sourceware.org/bugzilla/> using `glibc' in the "product" field. @@ -34,6 +34,11 @@ index ad5196a5f1..3725cc4820 100644 + an application calls getaddrinfo for AF_INET6 with AI_CANONNAME, + AI_ALL and AI_V4MAPPED flags set. + ++ CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the ++ environment of a setuid program and NAME is valid, it may result in a ++ buffer overflow, which could be exploited to achieve escalated ++ privileges. This flaw was introduced in glibc 2.34. ++ +The following bugs are resolved with this release: + + [20975] Deferred cancellation triggers in __check_pf and looses lock leading to deadlock @@ -55,7 +60,7 @@ index ad5196a5f1..3725cc4820 100644 Version 2.37 Major new features: -@@ -105,6 +149,8 @@ The following bugs are resolved with this release: +@@ -105,6 +154,8 @@ The following bugs are resolved with this release: coincides with offset change [30039] stdio: __vsprintf_internal does not handle unspecified buffer length in fortify mode 
@@ -638,6 +643,42 @@ index d35a725415..32a8bfcf74 100644 #endif /* Store the result for later runs. */ +diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c +index 327b9eb52f..985b69c180 100644 +--- a/elf/dl-tunables.c ++++ b/elf/dl-tunables.c +@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring) + /* If we reach the end of the string before getting a valid name-value + pair, bail out. */ + if (p[len] == '\0') +- { +- if (__libc_enable_secure) +- tunestr[off] = '\0'; +- return; +- } ++ break; + + /* We did not find a valid name-value pair before encountering the + colon. */ +@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *valstring) + } + } + +- if (p[len] != '\0') +- p += len + 1; ++ /* We reached the end while processing the tunable string. */ ++ if (p[len] == '\0') ++ break; ++ ++ p += len + 1; + } ++ ++ /* Terminate tunestr before we leave. */ ++ if (__libc_enable_secure) ++ tunestr[off] = '\0'; + } + #endif + diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list index a685f5cdbc..695ba7192e 100644 --- a/elf/dl-tunables.list 
@@ -999,6 +1040,97 @@ index f6ab991398..f6dfbbe202 100644 /* Verify that dlmopen creates a new namespace. */ void *dlmopen_handle = xdlmopen (LM_ID_NEWLM, LIBC_SO, RTLD_NOW); TEST_VERIFY (dlmopen_handle != handle); +diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c +index 807b426012..1f5e7f4f06 100644 +--- a/elf/tst-env-setuid-tunables.c ++++ b/elf/tst-env-setuid-tunables.c +@@ -52,6 +52,8 @@ const char *teststrings[] = + "glibc.malloc.perturb=0x800:not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096", + "glibc.not_valid.check=2:glibc.malloc.mmap_threshold=4096", + "not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096", ++ "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096", ++ "glibc.malloc.check=2", + "glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096:glibc.malloc.check=2", + "glibc.malloc.check=4:glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096", + ":glibc.malloc.garbage=2:glibc.malloc.check=1", +@@ -70,6 +72,8 @@ const char *resultstrings[] = + "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096", + "glibc.malloc.mmap_threshold=4096", + "glibc.malloc.mmap_threshold=4096", ++ "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096", ++ "", + "", + "", + "", +@@ -84,11 +88,18 @@ test_child (int off) + const char *val = getenv ("GLIBC_TUNABLES"); + + #if HAVE_TUNABLES ++ printf (" [%d] GLIBC_TUNABLES is %s\n", off, val); ++ fflush (stdout); + if (val != NULL && strcmp (val, resultstrings[off]) == 0) + return 0; + + if (val != NULL) +- printf ("[%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val); ++ printf (" [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n", ++ off, val, resultstrings[off]); ++ else ++ printf (" [%d] GLIBC_TUNABLES environment variable absent\n", off); ++ ++ fflush (stdout); + + return 1; + #else +@@ -117,21 +128,26 @@ do_test (int argc, char **argv) + if (ret != 0) + exit (1); + +- exit (EXIT_SUCCESS); ++ /* Special return code to make sure that the child executed all 
the way ++ through. */ ++ exit (42); + } + else + { +- int ret = 0; +- + /* Spawn tests. */ + for (int i = 0; i < array_length (teststrings); i++) + { + char buf[INT_BUFSIZE_BOUND (int)]; + +- printf ("Spawned test for %s (%d)\n", teststrings[i], i); ++ printf ("[%d] Spawned test for %s\n", i, teststrings[i]); + snprintf (buf, sizeof (buf), "%d\n", i); ++ fflush (stdout); + if (setenv ("GLIBC_TUNABLES", teststrings[i], 1) != 0) +- exit (1); ++ { ++ printf (" [%d] Failed to set GLIBC_TUNABLES: %m", i); ++ support_record_failure (); ++ continue; ++ } + + int status = support_capture_subprogram_self_sgid (buf); + +@@ -139,9 +155,14 @@ do_test (int argc, char **argv) + if (WEXITSTATUS (status) == EXIT_UNSUPPORTED) + return EXIT_UNSUPPORTED; + +- ret |= status; ++ if (WEXITSTATUS (status) != 42) ++ { ++ printf (" [%d] child failed with status %d\n", i, ++ WEXITSTATUS (status)); ++ support_record_failure (); ++ } + } +- return ret; ++ return 0; + } + } + diff --git a/elf/tst-ldconfig-p.sh b/elf/tst-ldconfig-p.sh new file mode 100644 index 0000000000..ec937bf4ec @@ -2982,6 +3114,19 @@ index 66b3ff9763..28daf3f89b 100644 -#define DL_FIXUP_BINDNOW_RELOC(value, new_value, st_value) \ +#define DL_FIXUP_BINDNOW_RELOC(l, reloc, value, new_value, st_value, lazy) \ *(value) = *(DL_FIXUP_VALUE_TYPE *) ((uintptr_t) (new_value) & ~2) +diff --git a/sysdeps/i386/i686/fpu/multiarch/libm-test-ulps b/sysdeps/i386/i686/fpu/multiarch/libm-test-ulps +index 8705a7822c..6f50cec761 100644 +--- a/sysdeps/i386/i686/fpu/multiarch/libm-test-ulps ++++ b/sysdeps/i386/i686/fpu/multiarch/libm-test-ulps +@@ -1617,7 +1617,7 @@ ldouble: 5 + + Function: "y0_towardzero": + double: 4 +-float: 8 ++float: 9 + float128: 3 + ldouble: 8 + diff --git a/sysdeps/ia64/dl-lookupcfg.h b/sysdeps/ia64/dl-lookupcfg.h index 0e47e529fe..64218fa7bb 100644 --- a/sysdeps/ia64/dl-lookupcfg.h diff --git a/debian/testsuite-xfail-debian.mk b/debian/testsuite-xfail-debian.mk index 51217bc6..718daa30 100644 
--- a/debian/testsuite-xfail-debian.mk +++ b/debian/testsuite-xfail-debian.mk @@ -375,6 +375,7 @@ test-xfail-tst-nss-gai-actions = yes # new in 2.37 test-xfail-tst-fcntl-lock = yes test-xfail-tst-fcntl-lock-lfs = yes +test-xfail-tst-nss-gai-hv2-canonname = yes # missing RLIMIT_AS support test-xfail-tst-vfprintf-width-prec-mem = yes
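Review bot: In the second parse_tunables hunk of elf/dl-tunables.c (@@ -251,9 +247,16 @@), the new trailing `tunestr[off] = '\0'` depends on `off` never running past the buffer behind tunestr, and nothing in the visible lines states or checks that bound. The old code left `p` unadvanced when `p[len] == '\0'` and fell to the bottom of the loop body, which is the path the added `break` closes, so the bound on `off` is exactly what this fix is about. A short comment beside the final write naming the invariant would make that auditable; "Terminate tunestr before we leave." only says what the line does.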
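Review bot: In the teststrings and resultstrings hunks of elf/tst-env-setuid-tunables.c (@@ -52,6 +52,8 @@ and @@ -70,6 +72,8 @@), the new NAME=NAME=VAL input and its expected output are tied together only by their position in two parallel arrays, so an entry added to one array in the wrong slot silently shifts every later expectation. Add a comment on the new entry naming CVE-2023-4911, and either check that array_length (teststrings) equals array_length (resultstrings) or fold the two arrays into one array of input/expected pairs.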
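Review bot: In the test_child hunk (@@ -84,11 +88,18 @@), the added `printf (" [%d] GLIBC_TUNABLES is %s\n", off, val);` runs before the `val != NULL` test, so a NULL `val` reaches %s, which is undefined behaviour in ISO C, even though the same hunk adds an explicit "environment variable absent" branch for that case. Move the print below the NULL check, or print a placeholder when `val` is NULL.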
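Review bot: In the do_test hunks (@@ -117,21 +128,26 @@ and @@ -139,9 +155,14 @@), the message `" [%d] Failed to set GLIBC_TUNABLES: %m"` lacks the trailing newline that the other added messages carry, and the child sentinel is written as the literal 42 in both `exit (42)` and `WEXITSTATUS (status) != 42`. Add the "\n", and give the sentinel a named constant so the child and parent sides cannot drift apart.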
--- End Message ---
--- Begin Message ---
- To: Aurelien Jarno <aurel32@debian.org>, 1053419-done@bugs.debian.org
- Subject: Re: Bug#1053419: unblock: glibc/2.37-12
- From: Paul Gevers <elbrus@debian.org>
- Date: Tue, 3 Oct 2023 21:29:47 +0200
- Message-id: <27aaed3b-cecd-4cd2-8b3c-d98f095831f4@debian.org>
- In-reply-to: <169636047649.4023676.6968626972106100794.reportbug@ohm.local>
- References: <169636047649.4023676.6968626972106100794.reportbug@ohm.local>
Hi Aurelien,

On 03-10-2023 21:14, Aurelien Jarno wrote:
> glibc/2.37-12 fixes a local root vulnerability, I believe the package should
> migrate as soon as possible in testing, bypassing the debci tests.

hint added.

Paul
--- End Message ---