Bug#1066965: bookworm-pu: package newlib/3.3.0-2
Hi

[disclaimer, not an authoritative answer as not part of the stable
release managers]

On Sat, Mar 16, 2024 at 09:09:05AM +0100, Petter Reinholdtsen wrote:
> 
> Package: release.debian.org
> 
> The <URL: https://tracker.debian.org/pkg/newlib > package got an open
> security problem with malloc and friends in stable and oldstable, see
> <URL: https://bugs.debian.org/984446 > for the CVE issue.  The package
> is orphaned.
> 
> I would like to fix the bug at least in stable, and propose the
> following upload.  The change is already in the git repo on salsa in the
> debian/bookworm branch.  The problem is already fixed in unstable and
> testing with a new version of the upstream code.  The fix to stable is
> only the minimal patch to solve the issue.
> 
> I propose to use the version number 3.3.0-2, but am open to better
> proposals.  The version in testing is 4.4.0.20231231-2.

Usually you would choose for this update 3.3.0-1.3+deb12u1, but given
3.3.0-2 was never present in unstable and the version later moved on,
this is in theory possible.

> 
> Complete proposed patch is below:
> 
> diff --git a/debian/changelog b/debian/changelog
> index b3e3ef851..1c8ddc5cb 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,12 @@
> +newlib (3.3.0-2) bookworm; urgency=medium
> +
> +  * QA upload.
> +  * Orphan package to reflect status in Unstable.
> +  * Added mallocr-CVE-2021-3420.patch to solve incorrect overflow
> +    check in malloc and friends.
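Review bot: the changelog entry starting at `+newlib (3.3.0-2) bookworm; urgency=medium` does not reference the bug report that tracks this CVE, so the upload will not mark #984446 as fixed in bookworm; appending `(Closes: #984446)` to the line `+    check in malloc and friends.` lets the BTS and the version tracking pick the fix up automatically.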

I would add as well the bug closer for #984446.

Regards,
Salvatore
