The security fixes for usr/klibc/zlib/ are not included in the upstream release 2.0.14.
--
You received this bug notification because you are a member of Debcrafters packages, which is subscribed to klibc in Ubuntu.
https://bugs.launchpad.net/bugs/2112018

Title:
  Merge klibc from Debian Unstable for questing

Status in klibc package in Ubuntu:
  New

Bug description:
  Scheduled-For: ubuntu-25.06
  Ubuntu: 2.0.13-4ubuntu1
  Debian Unstable: 2.0.14-1

  A new release of klibc is available for merging from Debian Unstable.

  If it turns out this needs a sync rather than a merge, please change
  the tag 'dcr-merge' to 'dcr-sync', and (optionally) update the title
  as desired.

  If this merge pulls in a new upstream version, also consider adding an
  entry to the questing Release Notes:
  https://discourse.ubuntu.com/t/questing-quokka-release-notes/

  ### New Debian Changes ###

  klibc (2.0.14-1) unstable; urgency=medium

    * New upstream version:
      - parisc: Fix build with Linux 6.10+ (Closes: #1075820)

   -- Ben Hutchings <[email protected]>  Tue, 04 Mar 2025 04:37:02 +0100

  ### Old Ubuntu Delta ###

  klibc (2.0.13-4ubuntu1) oracular; urgency=medium

    * SECURITY UPDATE: improper pointer arithmetic
      - debian/patches/CVE-2016-9840.patch: remove offset pointer
        optimization in usr/klibc/zlib/inftrees.c.
      - CVE-2016-9840
    * SECURITY UPDATE: improper pointer arithmetic
      - debian/patches/CVE-2016-9841.patch: remove offset pointer
        optimization in usr/klibc/zlib/inffast.c.
      - CVE-2016-9841
    * SECURITY UPDATE: memory corruption during compression
      - debian/patches/CVE-2018-25032.patch: addresses a bug that can
        crash deflate on rare inputs when using Z_FIXED.
      - CVE-2018-25032
    * SECURITY UPDATE: heap-based buffer over-read
      - debian/patches/CVE-2022-37434-1.patch: adds an extra condition
        to check if state->head->extra_max is greater than len before
        copying, and moves the len assignment to be placed before the
        check in usr/klibc/zlib/inflate.c.
      - debian/patches/CVE-2022-37434-2.patch: in the previous patch,
        the placement of the len assignment was causing issues so it
        was moved within the conditional check.
      - CVE-2022-37434

   -- Ian Constantin <[email protected]>  Tue, 21 May 2024 11:39:40 +0300

