Your message dated Wed, 27 Aug 2025 19:32:27 +0000 with message-id <E1urLsh-00BHeC-08@fasolo.debian.org> and subject line Bug#1109803: fixed in glibc 2.36-9+deb12u13 has caused the Debian Bug report #1109803, regarding glibc: CVE-2025-8058 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1109803: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109803
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: glibc: CVE-2025-8058
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Thu, 24 Jul 2025 07:09:01 +0200
- Message-id: <175333374125.2244987.14279747949167794915.reportbug@eldamar.lan>
Source: glibc
Version: 2.41-10
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.36-9+deb12u7
Control: found -1 2.36-9+deb12u10
Control: found -1 2.36-9
Control: forwarded -1 https://sourceware.org/bugzilla/show_bug.cgi?id=33185

Hi,

The following vulnerability was published for glibc.

CVE-2025-8058[0]:
| The regcomp function in the GNU C library version from 2.4 to 2.41
| is subject to a double free if some previous allocation fails. It
| can be accomplished either by a malloc failure or by using an
| interposed malloc that injects random malloc failures. The double
| free can allow buffer manipulation depending of how the regex is
| constructed. This issue affects all architectures and ABIs
| supported by the GNU C library.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-8058
    https://www.cve.org/CVERecord?id=CVE-2025-8058
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=33185
[2] https://sourceware.org/git/?p=glibc.git;a=commit;h=7ea06e994093fa0bcca0d0ee2c1db271d8d7885d
[3] https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2025-0005

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
- To: 1109803-close@bugs.debian.org
- Subject: Bug#1109803: fixed in glibc 2.36-9+deb12u13
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Wed, 27 Aug 2025 19:32:27 +0000
- Message-id: <E1urLsh-00BHeC-08@fasolo.debian.org>
- Reply-to: Aurelien Jarno <aurel32@debian.org>
Source: glibc
Source-Version: 2.36-9+deb12u13
Done: Aurelien Jarno <aurel32@debian.org>

We believe that the bug you reported is fixed in the latest version of glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1109803@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 25 Aug 2025 21:11:05 +0200
Source: glibc
Architecture: source
Version: 2.36-9+deb12u13
Distribution: bookworm
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Closes: 1109803
Changes:
 glibc (2.36-9+deb12u13) bookworm; urgency=medium
 .
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - Fix error reporting (false negatives) in SGID tests
     - Fix double-free after allocation failure in regcomp
       (GLIBC-SA-2025-0005 / CVE-2025-8058). Closes: #1109803.
--- End Message ---