Re: Call for testing: glibc update for buster
Hi Sylvain,
On Wed, Oct 12, 2022 at 03:45:11PM +0200, Sylvain Beucler wrote:
> I'll give it some testing on my buster system.
Thank you. I take the absence of a further response as "nothing broke".
> A couple things I noticed right now:
>
> - dist in debian/changelog should be 'buster-security' (not 'buster')
Thank you. Updated.
> - debdiff|diffstat shows spurious '.pc' work files from quilt
> (plus a change in a patches/README which maybe adds more noise than it helps
> in a security upload, but that's a matter of taste)
Yeah, I noticed them as well after performing all the builds (including
armhf) and left them in as a canary to see whether anyone even opens the
.debdiff. ;)
Thank you for the review!
> - a methodology point: if there's some uncertainty on CVE-2016-10228 (note:
> which is a 2020 fix really), that neither secteam nor the maintainers
> decided to fix in other Debian dists, maybe it's not worth the risk to fix
> it in LTS.
> I read your note that other distros (ubuntu, redhat) did so though,
> contacting the maintainers could help evaluate the risk better.
Yeah. I'm fixing quite a number of issues that were not previously
considered. Even though these were non-trivial to fix, I believe that we
should fix them. Leaving them as is would mean that character conversion
involving untrusted inputs is not supported at all. Seems like a hard
sell, right?
My understanding now is that the only user of these private symbols is
iconv itself. So you'd have to run the new iconv (i.e. libc-bin
unpacked) with the old libc6 or vice versa. A relatively unlikely race
condition to win. It shouldn't affect long-running processes as the
dynamically loaded conversion modules themselves don't use the affected
private symbols.
Given my own tests on this, I will go ahead and upload the buster LTS.
Other changes:
* Fixed iconv test to work with old transliteration.
* Understood iconv test failure: It's actually testing the wrong thing.
Building it twice (with the previous build installed) makes the test
succeed. Documented rather than fixed.
* Fixed conformance tests. -lrt should not require symbols from
-lpthread. Vendored the affected function.
* Fixed setting of error code in clnt_create. Fault in backporting by
me.
Helmut