Your message dated Sat, 21 Aug 2021 20:14:52 +0200
with message-id <[email protected]>
and subject line Bug#989147: glibc: CVE-2021-33574: mq_notify does not handle
separately allocated thread attributes
has caused the Debian Bug report #989147,
regarding glibc: CVE-2021-33574: mq_notify does not handle separately allocated
thread attributes
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
--
989147: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989147
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: glibc
Version: 2.31-12
Severity: important
Tags: security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=27896
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for glibc, basically purely
to track the upstream issue and fix once coming downstream.

CVE-2021-33574[0]:
| The mq_notify function in the GNU C Library (aka glibc) through 2.33
| has a use-after-free. It may use the notification thread attributes
| object (passed through its struct sigevent parameter) after it has
| been freed by the caller, leading to a denial of service (application
| crash) or possibly unspecified other impact.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-33574
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33574
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=27896

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Version: 2.32-0experimental0
On 2021-05-26 21:57, Salvatore Bonaccorso wrote:
> Source: glibc
> Version: 2.31-12
> Severity: important
> Tags: security upstream
> Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=27896
> X-Debbugs-Cc: [email protected], Debian Security Team
> <[email protected]>
>
> Hi,
>
> The following vulnerability was published for glibc, basically purely
> to track the upstream issue and fix once coming downstream.
>
> CVE-2021-33574[0]:
> | The mq_notify function in the GNU C Library (aka glibc) through 2.33
> | has a use-after-free. It may use the notification thread attributes
> | object (passed through its struct sigevent parameter) after it has
> | been freed by the caller, leading to a denial of service (application
> | crash) or possibly unspecified other impact.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2021-33574
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33574
> [1] https://sourceware.org/bugzilla/show_bug.cgi?id=27896
>
> Please adjust the affected versions in the BTS as needed.
This bug has been fixed in the glibc 2.32-0experimental0 upload to
experimental, but wasn't closed due to a typo in the changelog. Closing
the bug manually.
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
[email protected] http://www.aurel32.net
--- End Message ---
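
The lifetime problem named in the CVE text above, as a simplified model added here (not glibc code and not part of the bug report). `struct attr_model` and the `attr_*` functions are hypothetical stand-ins for a thread-attributes object with one separately allocated member; the model assumes the library keeps a byte-wise copy of the caller's object, and contrasts that with a deep copy that survives the caller destroying the original.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a thread-attributes object: most fields are
   inline, one member (e.g. an affinity mask) is a separate heap block. */
struct attr_model {
    int detached;
    size_t set_len;
    unsigned char *set;               /* separately allocated, owned here */
};

int attr_init(struct attr_model *a, const unsigned char *set, size_t len) {
    a->detached = 0;
    a->set_len = len;
    a->set = malloc(len ? len : 1);
    if (a->set == NULL) return -1;
    memcpy(a->set, set, len);
    return 0;
}

/* The caller may do this as soon as the registration call has returned. */
void attr_destroy(struct attr_model *a) {
    free(a->set);
    a->set = NULL;
    a->set_len = 0;
}

/* Flawed: a byte-wise copy duplicates the pointer, not the allocation. */
void attr_copy_shallow(struct attr_model *dst, const struct attr_model *src) {
    memcpy(dst, src, sizeof *dst);
}

/* Corrected: the copy owns its own block and outlives the source. */
int attr_copy_deep(struct attr_model *dst, const struct attr_model *src) {
    *dst = *src;
    dst->set = malloc(src->set_len ? src->set_len : 1);
    if (dst->set == NULL) return -1;
    memcpy(dst->set, src->set, src->set_len);
    return 0;
}

/* 1 if the copy shares the source's block, i.e. it would dangle once the
   source is destroyed. Call this before attr_destroy(src). */
int attr_aliases(const struct attr_model *copy, const struct attr_model *src) {
    return copy->set != NULL && copy->set == src->set;
}
```

Building a harness around these functions with `-fsanitize=address` reports any later read through the shallow copy's `set` pointer as a heap-use-after-free.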