Your message dated Sat, 11 Jul 2026 08:25:39 +0100
with message-id
<9797a79d169c319a4419eb95231d064e0c7e72a1.ca...@adam-barratt.org.uk>
and subject line Re: Bug#1106777: nmu: binNMU against glibc (>=
2.36-9+deb12u11) for CVE-2025-4802
has caused the Debian Bug report #1106777,
regarding nmu: binNMU against glibc (>= 2.36-9+deb12u11) for CVE-2025-4802
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1106777: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106777
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm security
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: binnmu
Control: block -1 by 1106761
Dear release team,
An untrusted LD_LIBRARY_PATH environment variable vulnerability has been
found in the GNU libc, affecting *static* binaries (CVE-2025-4802). It
allows attacker controlled loading of dynamically shared library in
*statically* compiled setuid binaries that call dlopen.
The issue is fixed in glibc/2.36-9+deb12u11, once accepted in
bookworm-pu (see bug #1106761). I haven't found any static binary with
setuid or setgid bit set in the archive, but I think we should rebuild
all static binaries in cases some users have changed the permission of
some of them.
This is the list of binNMU computed using Built-Using, assuming that d-i
and dini will get an upload anyway for the point release:
nmu 9 bash_5.2.15-2 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11'
--extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 5 busybox_1:1.35.0-4 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11'
--extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 16 cdebootstrap_0.7.8 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11'
--extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 6 chkrootkit_0.57-2 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11'
--extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 5 dar_2.7.8-2 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11'
--extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 2 docker.io_20.10.24+dfsg1-1+deb12u1 . ANY . -m 'Rebuild against glibc
2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu qemu_1:7.2+dfsg-7+deb12u13 . ANY . -m 'Rebuild against glibc
2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 23 sash_3.8-5 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11'
--extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 10 supermin_5.2.2-1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11'
--extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 13 tripwire_2.4.3.7-4 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11'
--extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 7 zsh_5.9-4 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11'
--extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
I also found the additional following ones by scanning the archive:
nmu 5 balboa_2.0.0+ds-5 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11'
--extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 2 catatonit_0.1.7-1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11'
--extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu e2fsprogs_1.47.0-2 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11'
--extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu gnupg2_2.2.40-1.1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11'
--extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu integrit_4.1-3 . arm64 armel armhf mips64el ppc64el s390x -m 'Rebuild
against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>=
2.36-9+deb12u11)' # Some architectures use dietlibc
nmu libcap2_1:2.66-4+deb12u1 . ANY . -m 'Rebuild against glibc
2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu lxc_1:5.0.2-1+deb12u3 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11'
--extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 6 snapd_2.57.6-1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11'
--extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 3 tini_0.19.0-1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11'
--extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 3 tsocks_1.8beta5+ds1-1 . ANY . -m 'Rebuild against glibc
2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 2 ydotool_0.1.8-3 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11'
--extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
In addition, the following packages will need a sourceful upload as they
can't be binNMUed:
cross-toolchain-base_66
cross-toolchain-base-mipsen_24
cross-toolchain-base-ports_62
Regards
Aurelien
--- End Message ---
--- Begin Message ---
On Thu, 2025-05-29 at 18:24 +0200, Aurelien Jarno wrote:
> An untrusted LD_LIBRARY_PATH environment variable vulnerability has
> been found in the GNU libc, affecting *static* binaries (CVE-2025-
> 4802). It allows attacker controlled loading of dynamically shared
> library in *statically* compiled setuid binaries that call dlopen.
>
> The issue is fixed in glibc/2.36-9+deb12u11, once accepted in
> bookworm-pu (see bug #1106761). I haven't found any static binary
> with setuid or setgid bit set in the archive, but I think we should
> rebuild all static binaries in cases some users have changed the
> permission of some of them.
I think this was all done a while ago.
Regards,
Adam
--- End Message ---