[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Call for testing: glibc update for buster

Hi Sylvain,

On Wed, Oct 12, 2022 at 03:45:11PM +0200, Sylvain Beucler wrote:
> I'll give it some testing on my buster system.

Thank you. I take the absense of a further reponse as "nothing broke".

> A couple things I noticed right now:
> - dist in debian/changelog should be 'buster-security' (not 'buster')

Thank you. Updated.

> - debdiff|diffstat shows spurious '.pc' work files from quilt
> (plus a change in a patches/README which maybe adds more noise than it helps
> in a security upload, but that's a matter of taste)

Yeah, I noticed them as well after performing all the builds (including
armhf) and left them in as a canary to see whether anyone even opens the
.debdiff. ;)

Thank you for the review!

> - a methodology point: if there's some uncertainty on CVE-2016-10228 (note:
> which is a 2020 fix really), that neither secteam nor the maintainers
> decided to fix in other Debian dists, maybe it's not worth the risk to fix
> it in LTS.
> I read your note that other distros (ubuntu, redhat) did so though,
> contacting the maintainers could help evaluate the risk better.

Yeah. I'm fixing quite a number of issues that were not previously
considered. Even though these were non-trivial to fix, I believe that we
should fix them. Leaving them as is would mean that character conversion
involving untrusted inputs is not supported at all. Seems like a hard
sell, right?

My understanding now is that the only user of these private symbols is
iconv itself. So you'd have to run the new iconv (i.e. libc-bin
unpacked) with the old libc6 or vice versa. A relatively unlikely race
condition to win. It shouldn't affect long-running processes as the
dynamically loaded conversion modules themselves don't use the affected
private symbols.

Given my own tests on this, I will go ahead and upload the butser lts.

Other changes:
 * Fixed iconv test to work with old transliteration.
 * Understood iconv test failure: It's actually testing the wrong thing.
   Building it twice (with the previous build installed) makes the test
   succeed. Documented rather than fixed.
 * Fixed conformance tests. -lrt should not require symbols from
   -lpthread. Vendored the affected function.
 * Fixed setting of error code in clnt_create. Fault in backporting by


Reply to: