Bug#1066965: bookworm-pu: package newlib/3.3.0-2
Hi
[disclaimer, not an authoritative answer as not part of the stable
release managers]
On Sat, Mar 16, 2024 at 09:09:05AM +0100, Petter Reinholdtsen wrote:
>
> Package: release.debian.org
>
> The <URL: https://tracker.debian.org/pkg/newlib > package got an open
> security problem with malloc and friends in stable and oldstable, see
> <URL: https://bugs.debian.org/984446 > for the CVE issue. The package
> is orphaned.
>
> I would like to fix the bug at least in stable, and propose the
> following upload. The change is already in the git repo on salsa in the
> debian/bookworm branch. The problem is already fixed in unstable and
> testing with a new version of the upstream code. The fix to stable is
> only the minimal patch to solve the issue.
>
> I propose to use the version number 3.3.0-2, but am open to better
> proposals. The version in testing is 4.4.0.20231231-2.
Usually you would choose for this update 3.3.0-1.3+deb12u1, but given
3.3.0-2 was never present in unstable and the version later moved on,
this is in theory possible.
>
> Complete proposed patch is below:
>
> diff --git a/debian/changelog b/debian/changelog
> index b3e3ef851..1c8ddc5cb 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,12 @@
> +newlib (3.3.0-2) bookworm; urgency=medium
> +
> + * QA upload.
> + * Orphan package to reflect status in Unstable.
> + * Added mallocr-CVE-2021-3420.patch to solve incorrect overflow
> + check in malloc and friends.
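Review bot: the changelog entry in this hunk never references the bug it fixes, so the upload will not close #984446 on its own; the third bullet should end with `(Closes: #984446)`, e.g. `* Added mallocr-CVE-2021-3420.patch to solve incorrect overflow check in malloc and friends (Closes: #984446)`. Also, the hunk header `@@ -1,3 +1,12 @@` announces nine added lines but only six `+` lines are visible, so the remainder of the entry (including its trailer line) is not shown here and cannot be reviewed from this mail.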
I would add as well the bug closer for #984446.
Regards,
Salvatore
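The version-ordering point Salvatore raises (a stable update is normally numbered 3.3.0-1.3+deb12u1 so that it sorts above what bookworm ships but below 3.3.0-2 and anything in testing or unstable) is what `dpkg --compare-versions` checks. As an added example, not part of this thread or of the newlib package, here is a Python port of dpkg's verrevcmp() algorithm (Debian Policy 5.6.12) run over the version strings from the mail; the bookworm version 3.3.0-1.3 is inferred from Salvatore's suggestion, and the `~rc1` entry in the sample list is constructed to show tilde ordering.

```python
"""Debian version comparison, ported from dpkg's verrevcmp() (Debian Policy 5.6.12).

Added example, not part of the bug thread: it shows why a stable update is
normally versioned 3.3.0-1.3+deb12u1, i.e. above the version in bookworm but
below 3.3.0-2 and below the 4.4.0.20231231-2 in testing.
"""
from functools import cmp_to_key


def _order(c: str) -> int:
    """Weight of one character as dpkg defines it: '~' sorts before even the
    end of the string, letters sort before all other characters, and digits
    or end-of-string weigh 0 (they are handled by the numeric branch)."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _at(s: str, i: int) -> str:
    """Character at index i, or '' past the end (mirrors reading the C NUL)."""
    return s[i] if i < len(s) else ""


def verrevcmp(a: str, b: str) -> int:
    """Compare one upstream-version or debian-revision fragment.
    Returns <0 if a sorts before b, 0 if equal, >0 if a sorts after b."""
    i = j = 0
    while _at(a, i) or _at(b, j):
        first_diff = 0
        # Non-digit run: compare character by character using _order weights.
        while (_at(a, i) and not _at(a, i).isdigit()) or (_at(b, j) and not _at(b, j).isdigit()):
            ac, bc = _order(_at(a, i)), _order(_at(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins; equal
        # lengths are decided by the first differing digit.
        while _at(a, i) == "0":
            i += 1
        while _at(b, j) == "0":
            j += 1
        while _at(a, i).isdigit() and _at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _at(a, i).isdigit():
            return 1
        if _at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:  # no '-' at all: native package, empty debian revision
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Full comparison: epoch numerically, then upstream, then revision."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return ea - eb
    r = verrevcmp(ua, ub)
    if r:
        return r
    return verrevcmp(ra, rb)


def stable_update_fits(in_stable: str, proposed: str, in_higher_suite: str) -> bool:
    """True when the proposed stable-update version sorts strictly above the
    version currently in stable and strictly below the next suite's version,
    so that upgrades to the next release still see a newer version."""
    return compare_versions(in_stable, proposed) < 0 and compare_versions(proposed, in_higher_suite) < 0


if __name__ == "__main__":
    # Constructed sample: the versions named in the thread plus a ~rc1 entry.
    versions = ["3.3.0-2", "3.3.0-1.3+deb12u1", "4.4.0.20231231-2", "3.3.0-1.3", "3.3.0~rc1-1"]
    for v in sorted(versions, key=cmp_to_key(compare_versions)):
        print(v)
    print("3.3.0-1.3+deb12u1 fits:", stable_update_fits("3.3.0-1.3", "3.3.0-1.3+deb12u1", "4.4.0.20231231-2"))
```

The `+deb12u1` suffix works because `+` weighs more than end-of-string, so the update sorts after `1.3` itself, while the revision still starts with `1` and therefore stays below `2`; a `~` suffix would do the opposite and sort below the current stable version.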