Bug#1064588: bookworm-pu: package glibc/2.36-9+deb12u5

2024-03-24 Thread Aurelien Jarno
On 2024-03-14 04:40, Cyril Brulebois wrote:
> Hi,
> 
> Aurelien Jarno  (2024-03-13):
> > The date of the next point release is slowly approaching, could you
> > please have a look at this?
> 
> Sorry, lost track of that one. Feel free to upload.
> 

Thanks, I have just done that.

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://aurel32.net




Bug#1064588: bookworm-pu: package glibc/2.36-9+deb12u5

2024-03-13 Thread Cyril Brulebois
Hi,

Aurelien Jarno  (2024-03-13):
> The date of the next point release is slowly approaching, could you
> please have a look at this?

Sorry, lost track of that one. Feel free to upload.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#1064588: bookworm-pu: package glibc/2.36-9+deb12u5

2024-03-13 Thread Aurelien Jarno
Hi Cyril,

On 2024-02-25 13:45, Jonathan Wiltshire wrote:
> Control: tag -1 d-i
> 
> Hi,
> 
> On Sat, Feb 24, 2024 at 04:59:10PM +0100, Aurelien Jarno wrote:
> > [ Reason ]
> > The upstream stable branch got a few fixes in the last months, and this
> > update pulls them into the debian package.
> > 
> > [ Impact ]
> > In case the update isn't approved, systems will be left with a few
> > issues, and the differences with upstream will increase, which might
> > make next fixes more difficult to review.
> 
> I'm happy with it from SRM point of view, but as you say d-i ack needed.

The date of the next point release is slowly approaching, could you
please have a look at this?

Thanks
Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://aurel32.net



Bug#1064588: bookworm-pu: package glibc/2.36-9+deb12u5

2024-02-25 Thread Jonathan Wiltshire
Control: tag -1 d-i

Hi,

On Sat, Feb 24, 2024 at 04:59:10PM +0100, Aurelien Jarno wrote:
> [ Reason ]
> The upstream stable branch got a few fixes in the last months, and this
> update pulls them into the debian package.
> 
> [ Impact ]
> In case the update isn't approved, systems will be left with a few
> issues, and the differences with upstream will increase, which might
> make next fixes more difficult to review.

I'm happy with it from SRM point of view, but as you say d-i ack needed.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1064588: bookworm-pu: package glibc/2.36-9+deb12u5

2024-02-24 Thread Aurelien Jarno
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gl...@packages.debian.org, debian-b...@lists.debian.org
Control: affects -1 + src:glibc

[ Reason ]
The upstream stable branch got a few fixes in the last months, and this
update pulls them into the debian package.

[ Impact ]
In case the update isn't approved, systems will be left with a few
issues, and the differences with upstream will increase, which might
make next fixes more difficult to review.

[ Tests ]
The upstream fixes come with additional tests, which represent a
significant part of the diff.

[ Risks ]
The changes do not affect critical parts of the library, and come with
additional tests. The upstream changes have been in testing/sid for
about 3 weeks.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Please find below the changelog with additional explanations:

* debian/patches/git-updates.diff: update from upstream stable branch:
  - any/local-CVE-2023-4911.patch: upstreamed.
  - any/local-CVE-2023-6246.patch: upstreamed.
  - any/local-CVE-2023-6779.patch: upstreamed.
  - any/local-CVE-2023-6780.patch: upstreamed.

=> Those patches went upstream, with some additional tests.

  - Revert fix to always call destructors in reverse constructor order due
    to unforeseen application compatibility issues.

=> This fix introduced some regressions, even if none have been reported to
   Debian, so it has been reverted to come back to the previous situation.

  - Fix a DTV corruption due to a reuse of a TLS module ID following dlclose
    with unused TLS.

=> This issue affects the Mesa crocus driver that is shipped in bookworm, even
   if we haven't got any report on the Debian side. The fix is a very simple
   one-liner. More details can be found on the upstream BTS:
   https://sourceware.org/bugzilla/show_bug.cgi?id=29039

  - Fix the DTV field load on x32.

=> The testcase added for the above issue uncovered an issue on x32. For
   stable architectures, this only affects the libc6-x32 package. More details
   can be found on the upstream BTS:
   https://sourceware.org/bugzilla/show_bug.cgi?id=31184

  - Fix the TCB field load on x32.

=> Debugging the above x32 issue uncovered a similar bug. For
   stable architectures, this only affects the libc6-x32 package. More details
   can be found on the upstream BTS:
   https://sourceware.org/bugzilla/show_bug.cgi?id=31185

[ Other info ]
debian-boot is in Cc: as glibc has one udeb.
diff --git a/debian/changelog b/debian/changelog
index 8e1ee881..b708d99d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+glibc (2.36-9+deb12u5) bookworm; urgency=medium
+
+  * debian/patches/git-updates.diff: update from upstream stable branch:
+- any/local-CVE-2023-4911.patch: upstreamed.
+- any/local-CVE-2023-6246.patch: upstreamed.
+- any/local-CVE-2023-6779.patch: upstreamed.
+- any/local-CVE-2023-6780.patch: upstreamed.
+- Revert fix to always call destructors in reverse constructor order due
+  to unforeseen application compatibility issues.
+- Fix a DTV corruption due to a reuse of a TLS module ID following dlclose
+  with unused TLS.
+- Fix the DTV field load on x32.
+- Fix the TCB field load on x32.
+
+ -- Aurelien Jarno   Sat, 24 Feb 2024 16:49:22 +0100
+
 glibc (2.36-9+deb12u4) bookworm-security; urgency=medium
 
   * debian/patches/any/local-CVE-2023-6246.patch: Fix a heap buffer overflow
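Review bot: the new `glibc (2.36-9+deb12u5) bookworm` stanza lists the DTV and TCB fixes without the upstream bug references that the cover text gives (sourceware bugs 29039, 31184 and 31185); adding them to the bullets, e.g. `- Fix a DTV corruption due to a reuse of a TLS module ID following dlclose with unused TLS (upstream bug 29039).`, keeps the changelog self-contained for anyone auditing the stable update from `apt changelog` alone. It would also help to record which upstream stable-branch commit `git-updates.diff` was synchronised to, since the four `local-CVE-*.patch: upstreamed.` entries rely on that snapshot carrying the same fixes.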
diff --git a/debian/patches/any/local-CVE-2023-4911.patch 
b/debian/patches/any/local-CVE-2023-4911.patch
deleted file mode 100644
index 4c4c2094..
--- a/debian/patches/any/local-CVE-2023-4911.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From d2b77337f734fcacdfc8e0ddec14cf31a746c7be Mon Sep 17 00:00:00 2001
-From: Siddhesh Poyarekar 
-Date: Mon, 11 Sep 2023 18:53:15 -0400
-Subject: [PATCH v2] tunables: Terminate immediately if end of input is reached
-
-The string parsing routine may end up writing beyond bounds of tunestr
-if the input tunable string is malformed, of the form name=name=val.
-This gets processed twice, first as name=name=val and next as name=val,
-resulting in tunestr being name=name=val:name=val, thus overflowing
-tunestr.
-
-Terminate the parsing loop at the first instance itself so that tunestr
-does not overflow.

-Changes from v1:
-
-- Also null-terminate tunestr before exiting.
-
- elf/dl-tunables.c | 17 ++---
- 1 file changed, 10 insertions(+), 7 deletions(-)
-
-diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
-index 8e7ee9df10..76cf8b9da3 100644
 a/elf/dl-tunables.c
-+++ b/elf/dl-tunables.c
-@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring)
-   /* If we reach the end of the string before getting a valid name-value
-pair,
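Review bot: deleting `debian/patches/any/local-CVE-2023-4911.patch` is only safe if the updated `debian/patches/git-updates.diff` really contains the upstream equivalent of this commit (`tunables: Terminate immediately if end of input is reached`, d2b77337f734fcacdfc8e0ddec14cf31a746c7be); the changelog says "upstreamed", but the `git-updates.diff` hunk is not visible in this excerpt, so the reviewer should confirm the `parse_tunables` change in `elf/dl-tunables.c` is present there before acking, otherwise the CVE-2023-4911 fix would be dropped from bookworm. The same check applies to the removal of the other three `local-CVE-2023-*.patch` files.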