Bug#1106777: nmu: binNMU against glibc (>= 2.36-9+deb12u11) for CVE-2025-4802

["Adam D. Barratt" <adam@adam-barratt.org.uk>]

Control: tags -1 + confirmed

On Thu, 2025-05-29 at 18:24 +0200, Aurelien Jarno wrote:
> An untrusted LD_LIBRARY_PATH environment variable vulnerability has
> been found in the GNU libc, affecting *static* binaries (CVE-2025-
> 4802).
> It allows attacker controlled loading of dynamically shared library
> in *statically* compiled setuid binaries that call dlopen.
> 
> The issue is fixed in glibc/2.36-9+deb12u11, once accepted in
> bookworm-pu (see bug #1106761). I haven't found any static binary
> with setuid or setgid bit set in the archive, but I think we should
> rebuild all static binaries in cases some users have changed the
> permission of some of them.
> 
> This is the list of binNMU computed using Built-Using, assuming that
> d-i and dini will get an upload anyway for the point release:

Thanks for the list.

Scheduled, with added " . bookworm ", and the versions updated to
reference +deb12u12.

Regards,

Adam