Call for testing: glibc update for buster

Hi,

I've prepared an LTS update for glibc and seek people testing it. Builds
for amd64 and armhf as well as a .debdiff are available from
http://subdivi.de/~helmut/glibc_lts.

I plan to fix no less than 14 CVEs. Those mostly fall into one of the
following categories:
 * 4 * iconv
 * 2 * unix sockets
 * setuid environment filtering
 * getcwd
 * glob
 * memcpy on armhf
 * mq_notify
 * sinl
 * wordexp
 * nscd
Please refer to debian/changelog and the respective patches for details.

If you happen to have applications covering any of these, feedback is
welcome.

Beware that this update changes two private glibc symbols for fixing
CVE-2016-10228. These symbols are used for testing the change via
iconv_prog, which happens to not be installed into a binary package.
I've not located any uses in any other glibc library. As a result, I
believe these symbol changes to be harmless even though Aurelien
Jarno cautioned about it. My judgement is partially confirmed by Red Hat
and Canonical shipping these symbol changes in their security updates.
On the flip side, I'm observing a number of unexpected references to one
symbol that did change prototype, see
https://codesearch.debian.net/search?q=__gconv_open&literal=1. Most of
these uses are broken since bullseye, so I hope that they're all dead
code. More eyeballs appreciated.

You see this is glibc, so I'd rather give it more testing than brick
user systems.

Please Cc me in replies.

Helmut
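The mail asks for more eyeballs on binaries that still reference the private symbol whose prototype changed. As an added example that is not part of the original mail or of the glibc package, the script below lists installed ELF files that import `__gconv_open` (the only changed symbol the mail names), so they can be exercised against the test build before it is rolled out. It assumes binutils' `objdump` is available; the parsing works on `objdump -T` output and is demonstrated on a constructed dynamic-symbol listing.

```shell
#!/bin/sh
# Added example: find binaries importing the private glibc symbol __gconv_open,
# whose prototype changes in the proposed buster glibc update.
# Assumption: binutils (objdump) is installed.

# The mail names __gconv_open; the second changed symbol is not named there.
GCONV_SYMBOL='__gconv_open'

# Read `objdump -T` output on stdin and print the names of undefined
# (imported) symbols equal to $GCONV_SYMBOL, one per line.
# A dynamic symbol table line looks like:
#   0000000000000000      DF *UND*  0000000000000000  GLIBC_PRIVATE __gconv_open
# Only *UND* entries are imports; a defined entry belongs to the object itself.
imported_gconv_symbols() {
    awk -v sym="$GCONV_SYMBOL" '
        $0 ~ /\*UND\*/ {
            name = $NF
            if (name == sym) print name
        }'
}

# Walk the given directories and print the path of every file whose dynamic
# symbol table imports the changed symbol. Non-ELF files make objdump fail,
# which is silenced, so they are skipped.
scan_for_gconv_refs() {
    for dir in "$@"; do
        find "$dir" -type f 2>/dev/null | while read -r f; do
            if objdump -T "$f" 2>/dev/null | imported_gconv_symbols | grep -q .; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# Typical invocation on a buster system (uncomment to run):
# scan_for_gconv_refs /usr/bin /usr/sbin /usr/lib
```

Any path printed is a candidate for a functional test (or a rebuild) against the proposed packages, since it links against a GLIBC_PRIVATE interface that the update alters.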