
Call for testing: glibc 2.19-18+deb8u4

Dear all,

I have recently uploaded glibc 2.19-18+deb8u4 to jessie-proposed-updates
fixing an old security bug in pt_chown, aka CVE-2013-2207 [1]. This bug
has been open for a long time, as the fix, which is simply to remove
pt_chown, has a tendency to break systems [2]. Indeed, not using pt_chown
requires mounting devpts with the correct options, and it is
relatively easy to break them by mounting the devpts filesystem a second
time, for example in a chroot.

Recently two alternatives have appeared to overcome this issue, one on
the kernel side [3] and one on the glibc side [4]. The glibc patch has
been present in stretch/sid for more than 2 months and, given we haven't
received any new bug reports, I believe it works correctly. It has
therefore been backported to jessie and is now available in jessie
proposed updates as version 2.19-18+deb8u4.

It would be nice if people could install glibc version 2.19-18+deb8u4 on
their systems and report any regression compared to 2.19-18+deb8u3
(either by mail or via a bug report). One can try to install the
corresponding packages by adding the following entry to the apt sources:

   deb http://ftp.debian.org/debian jessie-proposed-updates main

Provided there are no regressions, this package will be made available
in the next jessie point release.


[1] https://security-tracker.debian.org/tracker/CVE-2013-2207
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806882
[3] https://lkml.org/lkml/2015/12/11/760
[4] https://sourceware.org/git/?p=glibc.git;a=commit;h=77356912e83601fd0240d22fe4d960348b82b5c3

Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net

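The mail says that once pt_chown is gone, devpts has to be mounted with the correct options, and that a second devpts mount (e.g. in a chroot) easily breaks that. The following shell script is an added example, not part of Aurelien's mail or of the glibc package: it walks a file in /proc/self/mountinfo format and flags every devpts mount that lacks the options glibc relies on. It assumes the conventional Debian options gid=5 (the "tty" group) and mode=620, so that a newly opened pty slave is created root:tty 0620 by the kernel without a setuid helper; the sample mountinfo lines are constructed for the example and show exactly the chroot case the mail describes.

```shell
#!/bin/sh
# Added example, not from the glibc package or the mail above.
# Assumption: devpts must carry gid=5 and mode=620 (Debian convention)
# for grantpt()/openpty() to work without the setuid pt_chown helper.

# devpts_options_ok OPTS  ->  0 if OPTS (comma separated superblock
# options) contains both gid=5 and mode=620 (or mode=0620), else 1.
devpts_options_ok() {
    opts=",$1,"
    case "$opts" in
        *,gid=5,*) ;;
        *) return 1 ;;
    esac
    case "$opts" in
        *,mode=620,*|*,mode=0620,*) ;;
        *) return 1 ;;
    esac
    return 0
}

# check_mountinfo FILE  ->  prints "OK  <mountpoint>" or
# "BAD <mountpoint> (<options>)" for each devpts mount in FILE and
# returns 1 if any mount is BAD.  FILE uses the /proc/self/mountinfo
# layout: field 5 is the mount point; after the " - " separator come
# the fs type, the mount source and finally the superblock options.
check_mountinfo() {
    rc=0
    while read -r line; do
        case "$line" in
            *" - devpts "*) ;;
            *) continue ;;
        esac
        mnt=$(printf '%s\n' "$line" | awk '{print $5}')
        sbopts=$(printf '%s\n' "$line" | sed 's/.* - devpts [^ ]* //')
        if devpts_options_ok "$sbopts"; then
            echo "OK  $mnt"
        else
            echo "BAD $mnt ($sbopts)"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed sample: the host's correctly mounted /dev/pts, plus a
# chroot whose devpts was mounted a second time with no options at all
# (the breakage the mail warns about).  Replace the sample with
# /proc/self/mountinfo to audit a live system.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
20 19 0:5 / /dev rw,nosuid,relatime - devtmpfs udev rw,size=8k,nr_inodes=1k,mode=755
21 20 0:14 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw,gid=5,mode=620,ptmxmode=000
45 19 0:14 / /srv/chroot/jessie/dev/pts rw,nosuid,noexec,relatime - devpts devpts rw
EOF

check_mountinfo "$SAMPLE" ||
    echo "at least one devpts mount lacks gid=5,mode=620: ptys opened there will break"
rm -f "$SAMPLE"
```

On a live jessie system run `check_mountinfo /proc/self/mountinfo` (or `check_mountinfo /proc/1/mountinfo` from inside a container) before and after upgrading to 2.19-18+deb8u4; a BAD line for a chroot's devpts is the situation in which programs calling openpty()/forkpty() there used to depend on pt_chown and will now fail.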
