Control: tags -1 + confirmed

On Thu, 2025-05-29 at 18:24 +0200, Aurelien Jarno wrote:
> An untrusted LD_LIBRARY_PATH environment variable vulnerability has
> been found in the GNU libc, affecting *static* binaries
> (CVE-2025-4802).
> It allows attacker controlled loading of dynamically shared library
> in *statically* compiled setuid binaries that call dlopen.
>
> The issue is fixed in glibc/2.36-9+deb12u11, once accepted in
> bookworm-pu (see bug #1106761). I haven't found any static binary
> with setuid or setgid bit set in the archive, but I think we should
> rebuild all static binaries in case some users have changed the
> permission of some of them.
>
> This is the list of binNMU computed using Built-Using, assuming that
> d-i and dini will get an upload anyway for the point release:

Thanks for the list. Scheduled, with added " . bookworm ", and the
versions updated to reference +deb12u12.

Regards,

Adam
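The local-permission case mentioned in the quoted report (a static binary that a user has made setuid or setgid) can be checked on an installed system. The following is an added example, not part of this thread or of any Debian tooling: it lists setuid/setgid regular files whose ELF program headers contain no PT_INTERP segment. The function names, the `/usr` scan root and the sample ELF bytes are assumptions made for illustration, and the check does not determine whether a binary calls dlopen.

```python
import os, stat, struct

PT_INTERP = 3  # program header type naming the dynamic loader

def is_static_elf(data: bytes) -> bool:
    """Heuristic: an ELF image without a PT_INTERP segment is statically linked."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        return False
    end = "<" if data[5] == 1 else ">"
    if data[4] == 2:   # ELFCLASS64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:              # ELFCLASS32
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            return False  # program headers outside the bytes read: undecided
        if struct.unpack_from(end + "I", data, off)[0] == PT_INTERP:
            return False  # dynamically linked
    return e_phnum > 0

def find_static_setid(root: str) -> list:
    """Return regular files under root that are setuid/setgid and look static."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
                if not stat.S_ISREG(mode) or not mode & (stat.S_ISUID | stat.S_ISGID):
                    continue
                with open(path, "rb") as f:
                    head = f.read(1 << 16)
            except OSError:
                continue  # unreadable or vanished; skip
            if is_static_elf(head):
                hits.append(path)
    return sorted(hits)

def sample_elf(p_type: int) -> bytes:
    """Constructed sample: 64-bit little-endian ELF with one program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ident + hdr + struct.pack("<I", p_type) + bytes(52)

if __name__ == "__main__":
    for path in find_static_setid("/usr"):  # assumed scan root
        print(path)
```

Any path it reports is a candidate for review, either by removing the setuid/setgid bit or by confirming the binary was rebuilt against the fixed glibc.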

