
Re: Call for testing: glibc update for buster

Hi,

I'll give it some testing on my buster system.

A couple things I noticed right now:

- dist in debian/changelog should be 'buster-security' (not 'buster')

- debdiff|diffstat shows spurious '.pc' work files from quilt
(plus a change in a patches/README which maybe adds more noise than it helps in a security upload, but that's a matter of taste)

- a methodology point: if there's some uncertainty on CVE-2016-10228 (note: which is a 2020 fix really), which neither secteam nor the maintainers decided to fix in other Debian dists, maybe it's not worth the risk to fix it in LTS. I read your note that other distros (Ubuntu, Red Hat) did so, though; contacting the maintainers could help evaluate the risk better.

Cheers!
Sylvain

On 11/10/2022 15:25, Helmut Grohne wrote:
I've prepared an LTS update for glibc and seek people testing it. Builds
for amd64 and armhf as well as a .debdiff are available from
http://subdivi.de/~helmut/glibc_lts.

I plan to fix no less than 14 CVEs. Those mostly fall into one of the
following categories:
  * 4 * iconv
  * 2 * unix sockets
  * setuid environment filtering
  * getcwd
  * glob
  * memcpy on armhf
  * mq_notify
  * sinl
  * wordexp
  * nscd
Please refer to debian/changelog and the respective patches for details.

If you happen to have applications covering any of these, feedback is
welcome.

Beware that this update changes two private glibc symbols for fixing
CVE-2016-10228. These symbols are used for testing the change via
iconv_prog, which happens to not be installed into a binary package.
I've not located any uses in any other glibc library. As a result, I
believe these symbol changes to be harmless even though Aurelien
Jarno cautioned about it. My judgement is partially confirmed by RedHat
and Canonical shipping these symbol changes in their security updates.
On the flip side, I'm observing a number of unexpected references to one
symbol that did change prototype, see
https://codesearch.debian.net/search?q=__gconv_open&literal=1. Most of
these uses are broken since bullseye, so I hope that they're all dead
code. More eyeballs appreciated.

You see this is glibc, so I'd rather give it more testing than brick
user systems.

Please Cc me in replies.
