dwarfutils: CVE-2024-2002 & mold - guidance?

To: 1065511@bugs.debian.org, 1098767@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>, Paul Gevers <elbrus@debian.org>, debian-release <debian-release@lists.debian.org>
Subject: dwarfutils: CVE-2024-2002 & mold - guidance?
From: Sylvestre Ledru <sylvestre@debian.org>
Date: Sun, 9 Mar 2025 09:52:08 +0100
Message-id: <[🔎] 8ad4aea3-dd67-4f35-a64b-a0b716d1c8b0@debian.org>

Hello folks,

Because it will cause a removal of mold, I had a look to dwarfutils:https://salsa.debian.org/pkg-llvm-team/dwarfutils/

Given that dwarfutils hasn't been updated in Debian since Sept 2021, itseems that the easier path is to upload a new upstream release in thearchive which contains the security fixes.



Now, the bad news is that a lot of symbols have been removed:
https://salsa.debian.org/pkg-llvm-team/dwarfutils/-/blob/master/debian/libdwarf1.symbols.amd64?ref_type=heads

(grep for MISSING).

I don't know if they are internal or actually used.


I didn't bump the soname yet.

I see two paths:

* we go the clean way: bump of soname, migration (which should not betoo complex given that it is a leaf lib)

* we upload the current version. it will work for dwarfdump but mightbreak other libs (esp outside of Debian)


Please let me know what you would prefer.

Thanks
Sylvstre

Reply to:

Prev by Date: NEW changes in stable-new
Next by Date: Re: Status for RT on `Rules-Requires-Root: no` transition
Previous by thread: Bug#1098725: Bug#1098397: bookworm-pu: package curl/7.88.1-10+deb12u10
Next by thread: Re: Status for RT on `Rules-Requires-Root: no` transition
Index(es):
- Date
- Thread