Bug#991372: unblock: glibc/2.31-13

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#991372: unblock: glibc/2.31-13
From: Aurelien Jarno <aurel32@debian.org>
Date: Wed, 21 Jul 2021 22:31:36 +0200
Message-id: <[🔎] 162689949608.624533.8405038658085931233.reportbug@ohm.local>
Reply-to: Aurelien Jarno <aurel32@debian.org>, 991372@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-boot@lists.debian.org

Please unblock package glibc

[ Reason ]
This new version fixes one serious bug (#990069) in the maintainer
scripts preventing the sshd daemon following a glibc upgrade on systems
where the ssh meta-package is not installed. 

It also fixes a security issue in the wordexp() function
(CVE-2021-35942, #990542) by pulling the upstream stable branch.

[ Impact ]
On systems where the ssh meta-package is not installed, following the
upgrade from buster to bullseye, incoming SSH connections are not
accepted until the sshd daemon is restarted manually or the system is
rebooted. This can be an issue for systems upgraded remotely.

[ Tests ]
The change to the maintainer scripts are not covered by automatic tests
(except maybe by piuparts). They have  however been manually tested by
multiple persons.

The change to the wordexp() function is covered by the upstream
testsuite. A new test has actually been added to catch the security
issue.

[ Risks ]
The change to the maintainer scripts is relatively simple and just
follow what is already done for other daemons where the package name is
not the same than the daemon name. The package has been in sid for 2
weeks, and no regression have been reported. The risk is therefore very
low.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
d-i team is Cc:ed.

unblock glibc/2.31-13



diff --git a/debian/changelog b/debian/changelog
index 7197d373..138f350a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+glibc (2.31-13) unstable; urgency=medium
+
+  [ Colin Watson ]
+  * debian/debhelper.in/libc.postinst, script.in/nsscheck.sh: Look for
+    openssh-server package rather than ssh.  Closes: #990069
+
+  [ Aurelien Jarno ]
+  * debian/patches/git-updates.diff: update from upstream stable branch:
+    - Fix an arbitrary read in wordexp() (CVE-2021-35942).  Closes:
+      #990542.
+
+ -- Aurelien Jarno <aurel32@debian.org>  Tue, 06 Jul 2021 21:16:59 +0200
+
 glibc (2.31-12) unstable; urgency=medium
 
   * debian/po/de.po: fix encoding declaration.  Closes: #986450.
diff --git a/debian/debhelper.in/libc.postinst b/debian/debhelper.in/libc.postinst
index 0b312dfa..f52a1430 100644
--- a/debian/debhelper.in/libc.postinst
+++ b/debian/debhelper.in/libc.postinst
@@ -33,9 +33,10 @@ then
 	    check="$check boa cucipop courier-authdaemon cron cups exim"
 	    check="$check exim4-base dovecot-common cucipop incron lprng lpr"
 	    check="$check lpr-ppd mysql-server nis openbsd-inetd"
-	    check="$check openldapd postgresql-common proftpd postfix postfix-tls"
-	    check="$check rsync samba sasl2-bin slapd smail sendmail snmpd ssh"
-	    check="$check spamassassin vsftpd wu-ftpd wu-ftpd-academ wwwoffle"
+	    check="$check openldapd openssh-server postgresql-common proftpd"
+	    check="$check postfix postfix-tls rsync samba sasl2-bin slapd"
+	    check="$check smail sendmail snmpd spamassassin vsftpd"
+	    check="$check wu-ftpd wu-ftpd-academ wwwoffle"
 	    check="$check webmin dropbear gdm"
 	    # NSS services check: 
 	    __NSS_CHECK__
diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index 0e5aefae..e1cac4a1 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -3647,6 +3647,31 @@ index cba9cd1819..4580cefb9f 100644
  		dirlen = home_len + rest_len;
  		dirname_modified = 1;
  	      }
+diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
+index ed1b22308e..cb3f989cba 100644
+--- a/posix/wordexp-test.c
++++ b/posix/wordexp-test.c
+@@ -183,6 +183,7 @@ struct test_case_struct
+     { 0, NULL, "$var", 0, 0, { NULL, }, IFS },
+     { 0, NULL, "\"\\n\"", 0, 1, { "\\n", }, IFS },
+     { 0, NULL, "", 0, 0, { NULL, }, IFS },
++    { 0, NULL, "${1234567890123456789012}", 0, 0, { NULL, }, IFS },
+ 
+     /* Flags not already covered (testit() has special handling for these) */
+     { 0, NULL, "one two", WRDE_DOOFFS, 2, { "one", "two", }, IFS },
+diff --git a/posix/wordexp.c b/posix/wordexp.c
+index e082d94895..56289503a1 100644
+--- a/posix/wordexp.c
++++ b/posix/wordexp.c
+@@ -1399,7 +1399,7 @@ envsubst:
+   /* Is it a numeric parameter? */
+   else if (isdigit (env[0]))
+     {
+-      int n = atoi (env);
++      unsigned long n = strtoul (env, NULL, 10);
+ 
+       if (n >= __libc_argc)
+ 	/* Substitute NULL. */
 diff --git a/stdlib/Makefile b/stdlib/Makefile
 index 45214b59e4..4615f6dfe7 100644
 --- a/stdlib/Makefile
diff --git a/debian/script.in/nsscheck.sh b/debian/script.in/nsscheck.sh
index 623278c0..8406a543 100644
--- a/debian/script.in/nsscheck.sh
+++ b/debian/script.in/nsscheck.sh
@@ -12,6 +12,7 @@
 			-e's/\blpr\b/lpd/g' \
 			-e's/\blpr-ppd\b/lpd-ppd/g' \
 			-e's/\bmysql-server\b/mysql/g' \
+			-e's/\bopenssh-server\b/ssh/g' \
 			-e's/\bsasl2-bin\b/saslauthd/g' \
 			-e's/\bsamba\b/smbd/g' \
 			-e's/\bpostgresql-common\b/postgresql/g' \

Reply to:

Follow-Ups:
- Re: Bug#991372: unblock: glibc/2.31-13
  - From: Cyril Brulebois <kibi@debian.org>

Prev by Date: Re: DebianInstaller Help Request
Next by Date: Bug#991403: mtools: mcopy fails on arm*, breaks d-i builds
Previous by thread: Re: DebianInstaller Help Request
Next by thread: Re: Bug#991372: unblock: glibc/2.31-13
Index(es):
- Date
- Thread