Dear all, I have recently uploaded glibc 2.19-18+deb8u4 to jessie-proposed-updates fixing an old security bug in pt_chown, aka CVE-2013-2207 [1]. This bug has been opened for a lot of time, as the fix which is simply to remove pt_chown has a tendency to break systems [2]. Indeed not using pt_chown requires to mount the devpts with the correct options, and it is relatively easy to break them by mounting the devpts filesystem a second time, for example in a chroot. Recently two alternatives have appeared to overcome this issue, one on the kernel side [3] and on the other side [4]. The glibc patch is present in stretch/sid for more than 2 months and given we haven't received any new bug report, I believe it works correctly. It has therefore been backported to jessie and is now available in jessie proposed updates as version 2.19-18+deb8u4. It would be nice if people can install glibc version 2.19-18+deb8u4 on their system and report any regression compared to 2.19-18+deb8u3 (either by mail or via a bug report). One can try to install the corresponding packages by adding the following entry in apt sources.list: deb http://ftp.debian.org/debian jessie-proposed-updates main Provided there are no regressions, this package will be made available in the next jessie point release. Thanks, Aurelien [1] https://security-tracker.debian.org/tracker/CVE-2013-2207 [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806882 [3] https://lkml.org/lkml/2015/12/11/760 [4] https://sourceware.org/git/?p=glibc.git;a=commit;h=77356912e83601fd0240d22fe4d960348b82b5c3 -- Aurelien Jarno GPG: 4096R/1DDD8C9B aurelien@aurel32.net http://www.aurel32.net
Attachment:
signature.asc
Description: PGP signature