Bug#969926: glibc: Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

2021-06-04 Thread Florian Weimer 
* Aurelien Jarno:

>> > Is it possible to commit those patches to the upstream 2.28 branch? If
>> > so, I guess we can simply pull the branch in the Debian package, fixing
>> > many other security bugs at the same time.
>> 
>> I'm concerned about the GLIBC_PRIVATE internal ABI change, it causes
>> issues if the update is applied without a reboot:
>> 
>>   glibc: After upgrade, before reboot, systemd services using USER= do
>>   not start (caused by fix for bug 1871397)
>>   
>
> That issue looks problematic for Debian, we usually do not require a
> (immediate) reboot after applying a security upgrade.

I submitted a merge request that should work around it, using the
patch from CentOS 8 (and eventually Red Hat Enterprise Linux, of
course):

  

Please let me know what you think.  The new glibc seems to work okay
in general.

Bug#969926: glibc: Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

2021-06-04 Thread Aurelien Jarno 
On 2021-06-04 21:51, Florian Weimer wrote:
> * Aurelien Jarno:
> 
> > On 2021-06-04 20:34, Florian Weimer wrote:
> >> * Moritz Mühlenhoff:
> >> 
> >> > Am Wed, Sep 09, 2020 at 12:30:44PM +0200 schrieb Aurelien Jarno:
> >> >> control: forcemerge 967938 969926
> >> >> 
> >> >> Hi,
> >> >> 
> >> >> On 2020-09-09 02:58, Bernd Zeimetz wrote:
> >> >> > Source: glibc
> >> >> > Version: 2.28-10
> >> >> > Severity: serious
> >> >> > Tags: security upstream patch
> >> >> > X-Debbugs-Cc: Debian Security Team 
> >> >> > 
> >> >> > Hi,
> >> >> > 
> >> >> > we are running into the bug
> >> >> > https://sourceware.org/bugzilla/show_bug.cgi?id=20338
> >> >> > causing systemd-sysusers to segfault.
> >> >> > 
> >> >> > Patch is available in the linked bug report.
> >> >> 
> >> >> This has already been reported, Florian will work on a backport, as it
> >> >> is not straightforward to backport it to buster due to the usage of
> >> >> private symbols.
> >> >
> >> > Florian, did you manage to backport this to 2.31? It would be nice to 
> >> > get this
> >> > fixed for a Buster point release still.
> >> 
> >> Do you mean 2.28?  DJ Delorie did the backport, and Carlos O'Donell
> >> implemented the GLIBC_PRIVATE ABI compatibility fix.  I'll see if I
> >> can get the patches to apply to Debian's 2.28 tree.
> >
> > Is it possible to commit those patches to the upstream 2.28 branch? If
> > so, I guess we can simply pull the branch in the Debian package, fixing
> > many other security bugs at the same time.
> 
> I'm concerned about the GLIBC_PRIVATE internal ABI change, it causes
> issues if the update is applied without a reboot:
> 
>   glibc: After upgrade, before reboot, systemd services using USER= do
>   not start (caused by fix for bug 1871397)
>   

That issue looks problematic for Debian, we usually do not require a
(immediate) reboot after applying a security upgrade.

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net

Bug#969926: glibc: Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

2021-06-04 Thread Florian Weimer 
* Aurelien Jarno:

> On 2021-06-04 20:34, Florian Weimer wrote:
>> * Moritz Mühlenhoff:
>> 
>> > Am Wed, Sep 09, 2020 at 12:30:44PM +0200 schrieb Aurelien Jarno:
>> >> control: forcemerge 967938 969926
>> >> 
>> >> Hi,
>> >> 
>> >> On 2020-09-09 02:58, Bernd Zeimetz wrote:
>> >> > Source: glibc
>> >> > Version: 2.28-10
>> >> > Severity: serious
>> >> > Tags: security upstream patch
>> >> > X-Debbugs-Cc: Debian Security Team 
>> >> > 
>> >> > Hi,
>> >> > 
>> >> > we are running into the bug
>> >> > https://sourceware.org/bugzilla/show_bug.cgi?id=20338
>> >> > causing systemd-sysusers to segfault.
>> >> > 
>> >> > Patch is available in the linked bug report.
>> >> 
>> >> This has already been reported, Florian will work on a backport, as it
>> >> is not straightforward to backport it to buster due to the usage of
>> >> private symbols.
>> >
>> > Florian, did you manage to backport this to 2.31? It would be nice to get 
>> > this
>> > fixed for a Buster point release still.
>> 
>> Do you mean 2.28?  DJ Delorie did the backport, and Carlos O'Donell
>> implemented the GLIBC_PRIVATE ABI compatibility fix.  I'll see if I
>> can get the patches to apply to Debian's 2.28 tree.
>
> Is it possible to commit those patches to the upstream 2.28 branch? If
> so, I guess we can simply pull the branch in the Debian package, fixing
> many other security bugs at the same time.

I'm concerned about the GLIBC_PRIVATE internal ABI change, it causes
issues if the update is applied without a reboot:

  glibc: After upgrade, before reboot, systemd services using USER= do
  not start (caused by fix for bug 1871397)
  

I guess we can use Carlos' patch for upstream as well.

However, I would also have to backport it to 2.28, 2.29, 2.30, 2.31,
so that we have bug fix monotonicity.  2.31 is probably doable, which
should help bullseye.  It's mostly a psychological thing for me, I'm
very busy with getting patches into glibc 2.34 at work, and downstream
Debian work would be at least slightly different.

Bug#969926: glibc: Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

2021-06-04 Thread Aurelien Jarno 
On 2021-06-04 20:34, Florian Weimer wrote:
> * Moritz Mühlenhoff:
> 
> > Am Wed, Sep 09, 2020 at 12:30:44PM +0200 schrieb Aurelien Jarno:
> >> control: forcemerge 967938 969926
> >> 
> >> Hi,
> >> 
> >> On 2020-09-09 02:58, Bernd Zeimetz wrote:
> >> > Source: glibc
> >> > Version: 2.28-10
> >> > Severity: serious
> >> > Tags: security upstream patch
> >> > X-Debbugs-Cc: Debian Security Team 
> >> > 
> >> > Hi,
> >> > 
> >> > we are running into the bug
> >> > https://sourceware.org/bugzilla/show_bug.cgi?id=20338
> >> > causing systemd-sysusers to segfault.
> >> > 
> >> > Patch is available in the linked bug report.
> >> 
> >> This has already been reported, Florian will work on a backport, as it
> >> is not straightforward to backport it to buster due to the usage of
> >> private symbols.
> >
> > Florian, did you manage to backport this to 2.31? It would be nice to get 
> > this
> > fixed for a Buster point release still.
> 
> Do you mean 2.28?  DJ Delorie did the backport, and Carlos O'Donell
> implemented the GLIBC_PRIVATE ABI compatibility fix.  I'll see if I
> can get the patches to apply to Debian's 2.28 tree.

Is it possible to commit those patches to the upstream 2.28 branch? If
so, I guess we can simply pull the branch in the Debian package, fixing
many other security bugs at the same time.

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net

Bug#969926: glibc: Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

2021-06-04 Thread Florian Weimer 
* Moritz Mühlenhoff:

> Am Wed, Sep 09, 2020 at 12:30:44PM +0200 schrieb Aurelien Jarno:
>> control: forcemerge 967938 969926
>> 
>> Hi,
>> 
>> On 2020-09-09 02:58, Bernd Zeimetz wrote:
>> > Source: glibc
>> > Version: 2.28-10
>> > Severity: serious
>> > Tags: security upstream patch
>> > X-Debbugs-Cc: Debian Security Team 
>> > 
>> > Hi,
>> > 
>> > we are running into the bug
>> > https://sourceware.org/bugzilla/show_bug.cgi?id=20338
>> > causing systemd-sysusers to segfault.
>> > 
>> > Patch is available in the linked bug report.
>> 
>> This has already been reported, Florian will work on a backport, as it
>> is not straightforward to backport it to buster due to the usage of
>> private symbols.
>
> Florian, did you manage to backport this to 2.31? It would be nice to get this
> fixed for a Buster point release still.

Do you mean 2.28?  DJ Delorie did the backport, and Carlos O'Donell
implemented the GLIBC_PRIVATE ABI compatibility fix.  I'll see if I
can get the patches to apply to Debian's 2.28 tree.

Bug#969926: glibc: Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

2021-06-04 Thread Moritz Muehlenhoff 
On Fri, Jun 04, 2021 at 08:34:50PM +0200, Florian Weimer wrote:
> * Moritz Mühlenhoff:
> 
> > Am Wed, Sep 09, 2020 at 12:30:44PM +0200 schrieb Aurelien Jarno:
> >> control: forcemerge 967938 969926
> >> 
> >> Hi,
> >> 
> >> On 2020-09-09 02:58, Bernd Zeimetz wrote:
> >> > Source: glibc
> >> > Version: 2.28-10
> >> > Severity: serious
> >> > Tags: security upstream patch
> >> > X-Debbugs-Cc: Debian Security Team 
> >> > 
> >> > Hi,
> >> > 
> >> > we are running into the bug
> >> > https://sourceware.org/bugzilla/show_bug.cgi?id=20338
> >> > causing systemd-sysusers to segfault.
> >> > 
> >> > Patch is available in the linked bug report.
> >> 
> >> This has already been reported, Florian will work on a backport, as it
> >> is not straightforward to backport it to buster due to the usage of
> >> private symbols.
> >
> > Florian, did you manage to backport this to 2.31? It would be nice to get 
> > this
> > fixed for a Buster point release still.
> 
> Do you mean 2.28?  DJ Delorie did the backport, and Carlos O'Donell
> implemented the GLIBC_PRIVATE ABI compatibility fix.  I'll see if I
> can get the patches to apply to Debian's 2.28 tree.

Yeah, sorry for the confusion. I meant Buster's 2.28.

Cheers,
Moritz

Bug#969926: glibc: Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

2021-06-01 Thread Moritz Mühlenhoff 
Am Wed, Sep 09, 2020 at 12:30:44PM +0200 schrieb Aurelien Jarno:
> control: forcemerge 967938 969926
> 
> Hi,
> 
> On 2020-09-09 02:58, Bernd Zeimetz wrote:
> > Source: glibc
> > Version: 2.28-10
> > Severity: serious
> > Tags: security upstream patch
> > X-Debbugs-Cc: Debian Security Team 
> > 
> > Hi,
> > 
> > we are running into the bug
> > https://sourceware.org/bugzilla/show_bug.cgi?id=20338
> > causing systemd-sysusers to segfault.
> > 
> > Patch is available in the linked bug report.
> 
> This has already been reported, Florian will work on a backport, as it
> is not straightforward to backport it to buster due to the usage of
> private symbols.

Florian, did you manage to backport this to 2.31? It would be nice to get this
fixed for a Buster point release still.

Cheers,
Moritz

Bug#969926: glibc: Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

2020-09-09 Thread Bernd Zeimetz 

Hi,


This has already been reported, Florian will work on a backport, as it
is not straightforward to backport it to buster due to the usage of
private symbols.



Thanks!


As it was flagged security in the upstream bugtracker, I'm doing the
same here.


The bug is actually tagged as security- in the upstream bug tracker,
which means it has been reviewed from the security point of view, and
hasn't been considered as a security issue.


oh well, I've missed that - in the middle of the night. Sorry for the 
noise,


Bernd


--
 Bernd ZeimetzDebian GNU/Linux Developer
 http://bzed.dehttp://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F

Processed (with 1 error): Re: Bug#969926: glibc: Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

2020-09-09 Thread Debian Bug Tracking System 
Processing control commands:

> forcemerge 967938 969926
Bug #967938 [libc6] libc6: systemd-sysusers SEGV due to glibc bug in fgetgsent
Bug #967940 [libc6] libc6: systemd-sysusers SEGV due to glibc bug in fgetgsent
Unable to merge bugs because:
package of #969926 is 'src:glibc' not 'libc6'
Failed to forcibly merge 967938: Did not alter merged bugs.


-- 
967938: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967938
967940: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967940
969926: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969926
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#969926: glibc: Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

2020-09-09 Thread Aurelien Jarno 
control: forcemerge 967938 969926

Hi,

On 2020-09-09 02:58, Bernd Zeimetz wrote:
> Source: glibc
> Version: 2.28-10
> Severity: serious
> Tags: security upstream patch
> X-Debbugs-Cc: Debian Security Team 
> 
> Hi,
> 
> we are running into the bug
> https://sourceware.org/bugzilla/show_bug.cgi?id=20338
> causing systemd-sysusers to segfault.
> 
> Patch is available in the linked bug report.

This has already been reported, Florian will work on a backport, as it
is not straightforward to backport it to buster due to the usage of
private symbols.

> As it was flagged security in the upstream bugtracker, I'm doing the
> same here.

The bug is actually tagged as security- in the upstream bug tracker,
which means it has been reviewed from the security point of view, and
hasn't been considered as a security issue.

Regards,
Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net

Bug#969926: glibc: Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

2020-09-08 Thread Bernd Zeimetz 
Source: glibc
Version: 2.28-10
Severity: serious
Tags: security upstream patch
X-Debbugs-Cc: Debian Security Team 

Hi,

we are running into the bug
https://sourceware.org/bugzilla/show_bug.cgi?id=20338
causing systemd-sysusers to segfault.

Patch is available in the linked bug report.

As it was flagged security in the upstream bugtracker, I'm doing the
same here.

A fix in buster would be appreciated.

Thanks a lot,

Bernd


-- 
 Bernd ZeimetzDebian GNU/Linux Developer
 http://bzed.dehttp://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F