Bug#1106777: nmu: binNMU against glibc (>= 2.36-9+deb12u11) for CVE-2025-4802
Control: tags -1 + confirmed
On Thu, 2025-05-29 at 18:24 +0200, Aurelien Jarno wrote:
> An untrusted LD_LIBRARY_PATH environment variable vulnerability has
> been found in the GNU libc, affecting *static* binaries (CVE-2025-4802).
> It allows attacker-controlled loading of a dynamically shared library
> in *statically* compiled setuid binaries that call dlopen.
>
> The issue is fixed in glibc/2.36-9+deb12u11, once accepted in
> bookworm-pu (see bug #1106761). I haven't found any static binary
> with the setuid or setgid bit set in the archive, but I think we should
> rebuild all static binaries in case some users have changed the
> permissions of some of them.
>
> This is the list of binNMUs computed using Built-Using, assuming that
> d-i and dini will get an upload anyway for the point release:
Thanks for the list.
Scheduled, with added " . bookworm ", and the versions updated to
reference +deb12u12.
Regards,
Adam
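The check Aurelien describes doing against the archive (looking for statically linked binaries that carry the setuid or setgid bit) is also the one an administrator would want to run on a bookworm system before and after the rebuilt packages land, since a locally added setuid bit on a static binary is exactly the case the binNMUs are meant to cover. The script below is an added example, not part of the bug report or of Debian's own tooling: it walks the given directories, keeps only regular files with S_ISUID or S_ISGID set, and treats an ELF file as statically linked when its program headers contain no PT_INTERP segment (the field the dynamic loader is named in; static and static-pie executables have none). The ELF parsing follows the standard ELF32/ELF64 header layout; the `build_minimal_elf64` helper only constructs test fixtures and is not a real executable.

```python
"""Find setuid/setgid executables that are statically linked (no PT_INTERP).

Added example for the CVE-2025-4802 discussion; not code from the bug report.
A statically linked ELF executable has no PT_INTERP program header, so the
ELF header and program headers are parsed directly instead of shelling out
to file(1) or readelf(1).
"""
import os
import stat
import struct
import sys
from typing import Iterable, List, Optional

ELF_MAGIC = b"\x7fELF"
PT_INTERP = 3
SETID_BITS = stat.S_ISUID | stat.S_ISGID


def elf_is_static(data: bytes) -> Optional[bool]:
    """True if the ELF image has no PT_INTERP segment, False if it has one,
    None if the bytes are not a parseable ELF file (script, data, truncated)."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:  # ELF32: e_phoff at 28, e_phentsize/e_phnum at 42/44
        e_phoff = struct.unpack_from(endian + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
    elif ei_class == 2:  # ELF64: e_phoff at 32, e_phentsize/e_phnum at 54/56
        e_phoff = struct.unpack_from(endian + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    else:
        return None
    # p_type is the first 4-byte field of every program header in both classes.
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            return None
        if struct.unpack_from(endian + "I", data, off)[0] == PT_INTERP:
            return False
    return True


def is_setid(mode: int) -> bool:
    """True if the st_mode carries the setuid or setgid bit."""
    return bool(mode & SETID_BITS)


def scan(roots: Iterable[str]) -> List[str]:
    """Return paths of regular files under roots that are setuid/setgid AND
    statically linked ELF executables. Symlinks are not followed."""
    findings = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode) or not is_setid(st.st_mode):
                    continue
                try:
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue
                if elf_is_static(data):
                    findings.append(path)
    return findings


def build_minimal_elf64(segment_types: List[int], little_endian: bool = True) -> bytes:
    """Constructed test fixture: an ELF64 header followed by one 56-byte program
    header per entry in segment_types. Only the fields elf_is_static() reads are
    meaningful; the result is not a loadable executable."""
    endian = "<" if little_endian else ">"
    ehdr = ELF_MAGIC + bytes([2, 1 if little_endian else 2, 1, 0]) + b"\x00" * 8
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr += struct.pack(endian + "HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0,
                        64, 56, len(segment_types), 0, 0, 0)
    phdrs = b"".join(struct.pack(endian + "IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0)
                     for t in segment_types)
    return ehdr + phdrs


if __name__ == "__main__":
    # Typical invocation on a Debian system: sudo python3 find_static_setid.py /usr /bin /sbin
    roots = sys.argv[1:] or ["/usr/bin", "/usr/sbin", "/usr/lib"]
    for hit in scan(roots):
        print("static setuid/setgid binary:", hit)
```

Files that are setuid but not ELF (scripts, for instance) are reported as neither static nor dynamic and skipped; a static binary that does not call dlopen is still listed, because the program headers alone cannot tell whether it does, so every hit needs to be checked against the rebuilt package list rather than treated as confirmed exposure.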