
Re: Call for testing: glibc update for buster



Hi Sylvain,

On Wed, Oct 12, 2022 at 03:45:11PM +0200, Sylvain Beucler wrote:
> I'll give it some testing on my buster system.

Thank you. I take the absence of a further response as "nothing broke".

> A couple things I noticed right now:
> 
> - dist in debian/changelog should be 'buster-security' (not 'buster')

Thank you. Updated.

> - debdiff|diffstat shows spurious '.pc' work files from quilt
> (plus a change in a patches/README which maybe adds more noise than it helps
> in a security upload, but that's a matter of taste)

Yeah, I noticed them as well after performing all the builds (including
armhf) and left them in as a canary to see whether anyone even opens the
.debdiff. ;)

Thank you for the review!

> - a methodology point: if there's some uncertainty on CVE-2016-10228 (note:
> which is a 2020 fix really), that neither secteam nor the maintainers
> decided to fix in other Debian dists, maybe it's not worth the risk to fix
> it in LTS.
> I read your note that other distros (ubuntu, redhat) did so though,
> contacting the maintainers could help evaluate the risk better.

Yeah. I'm fixing quite a number of issues that were not previously
considered. Even though these were non-trivial to fix, I believe that we
should fix them. Leaving them as is would mean that character conversion
involving untrusted inputs is not supported at all. Seems like a hard
sell, right?

My understanding now is that the only user of these private symbols is
iconv itself. So you'd have to run the new iconv (i.e. libc-bin
unpacked) with the old libc6 or vice versa. A relatively unlikely race
condition to win. It shouldn't affect long-running processes as the
dynamically loaded conversion modules themselves don't use the affected
private symbols.

Given my own tests on this, I will go ahead and upload the buster lts.

Other changes:
 * Fixed iconv test to work with old transliteration.
 * Understood iconv test failure: It's actually testing the wrong thing.
   Building it twice (with the previous build installed) makes the test
   succeed. Documented rather than fixed.
 * Fixed conformance tests. -lrt should not require symbols from
   -lpthread. Vendored the affected function.
 * Fixed setting of error code in clnt_create. Fault in backporting by
   me.

Helmut
