Bug#989147: glibc: CVE-2021-33574: mq_notify does not handle separately allocated thread attributes
Hi Aurelien, 
On Wednesday, 8 September 2021 21:56:51 CEST you wrote:
> On 2021-09-08 13:25, Jonas Andradas wrote:
> > Hi,
> > 
> > On Sat, 21 Aug 2021 20:14:52 +0200 Aurelien Jarno <aurelien@aurel32.net> wrote:
> > > Version: 2.32-0experimental0
> > > 
> > > On 2021-05-26 21:57, Salvatore Bonaccorso wrote:
> > > > Source: glibc
> > > > Version: 2.31-12
> > > > Severity: important
> > > > Tags: security upstream
> > > > Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=27896
> > > > X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> > 
> > [...snip...]
> > 
> > > This bug has been fixed in the glibc 2.32-0experimental0 upload to
> > > experimental, but wasn't closed due to a typo in the changelog. Closing
> > > the bug manually.
> > 
> > Is there an estimated timeline for when the experimental, fixed package
> > would transition to sid (and possibly testing/bookworm)?  Is there an
> > estimate for
> The fix has already been in sid for a few days. Transition to testing/bookworm
> depends on many factors that are out of control of the glibc
> maintainers.
> 
I did not see this in the tracker [1] (or I interpreted it wrong), so I 
assumed it was not there yet.  Thanks for clarifying!
[1] https://security-tracker.debian.org/tracker/CVE-2021-33574
> > when the fix will be backported to bullseye?
> 
> Unfortunately the fixes are not trivial to get backported, as they
> depend on new symbols exported through GLIBC_PRIVATE. This is something
> in progress, but I have no ETA so far.
> 
Also thank you for the insight here, as it helps knowing when backporting the 
fix is not trivial, to plan and manage the expectations of addressing the issue 
in production accordingly.
> Best regards,
> Aurelien
Best Regards,
Jonas.