[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#860276: jessie-pu: package glibc/2.19-18+deb8u8

On 2017-04-23 21:18, Adam D. Barratt wrote:
> On Thu, 2017-04-13 at 23:19 +0200, Aurelien Jarno wrote:
> > I would like to upload a new glibc package for the next jessie release.
> > Here is the changelog with some additional comment:
> > 
> >   * Update from upstream stable branch:
> >     - Fix PowerPC sqrt inaccuracy.  Closes: #855606.
> > 
> > This fixes a regression introduced in glibc 2.19-18+deb8u7, which
> > slightly lower the precision of the sqrt function on PowerPC. This
> > notably causes failures in the postgresql testsuite. This code is
> > already present in stretch/sid.
> > 
> >   * patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a
> >     NULL pointer dereference in libresolv when receiving a T_UNSPEC internal
> >     QTYPE (CVE-2015-5180).  Closes: #796106.
> > 
> > This is a long standing security issue that has been fixed recently.
> > It basically change the value of a constant so that it can't only be
> > generated internally. The patch is already present in stretch/sid.
> While I doubt that either of the above should have any noticeable effect
> on the installer, I'd appreciate a d-i ack in any case; CCing.

As said on IRC, I have been pointed that the second patch actually
breaks the breaks libnss/libnss-dns ABI. This means that the resolver
might not work correctly if all the binaries using libnss are restarted.
The same way there might be an issue on the d-i side if the libc in d-i
and libnss-dns-udeb are out of sync.

Therefore I'll do a new upload without the patch fixing CVE-2015-5180,
leaving only the PowerPC fix. That should be either today or tomorrow.

Sorry about this complication.


Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net

Attachment: signature.asc
Description: PGP signature

Reply to: