Bug#1064624: Hard to short-stroke an encrypted drive

[Matthew Wilcox]

Package: debian-installer

The partitioner "guided partitioning" offers me:

 - use the largest continuous free space
 - use entire disk
 - use entire disk and set up LVM
 - use entire disk and set up encrypted LVM

I want "use largest contiguous space and set up encrypted LVM".
That would let me reserve 200GB of my SSD as unencrypted free space,
which will improve the write endurance of my SSD.


Also once I start partitioning, eg, "and set up LVM", I can't delete the
partitions again.  Well, I can, but I have to switch to a terminal,
run dmsetup remove_all.  Which sometimes confuses the partitioner and it
gets stuck printing "??? ???"  If that happens, I can neither "go back",
nor "continue".

Bug#1064617: Passwords should not be changed frequently

[Matthew Wilcox]

Package: debian-installer

I just did an installation with the 2024-02-24
debian-testing-amd64-netinst.iso image.  I forget the exact wording
used, but when setting up a user, d-i printed advice that user passwords
should be changed frequently.  This is no longer current good advice
(since 2017):

 "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily
 (e.g., periodically).  However, verifiers SHALL force a change if there
 is evidence of compromise of the authenticator."

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf

I happen to like their suggestion of providing a password-strength meter,
but that would be a separate bug.  This bug is simply a request to remove
this outdated suggestion text from d-i.

Bug#1064588: bookworm-pu: package glibc/2.36-9+deb12u5

[Aurelien Jarno]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gl...@packages.debian.org, debian-boot@lists.debian.org
Control: affects -1 + src:glibc

[ Reason ]
The upstream stable branch got a few fixes in the last months, and this
update pulls them into the debian package.

[ Impact ]
In case the update isn't approved, systems will be left with a few
issues, and the differences with upstream will increase, which might
make next fixes more difficult to review.

[ Tests ]
The upstream fixes come with additional tests, which represent a
significant part of the diff.

[ Risks ]
The changes to do not affect critical part of the library, and come with
additional tests. The upstream changes have been in testing/sid for
about 3 weeks.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Please find below the changelog with additional explanations:

* debian/patches/git-updates.diff: update from upstream stable branch:
  - any/local-CVE-2023-4911.patch: upstreamed.
  - any/local-CVE-2023-6246.patch: upstreamed.
  - any/local-CVE-2023-6779.patch: upstreamed.
  - any/local-CVE-2023-6780.patch: upstreamed.

=> Those patches went upstream, with some additional tests.

  - Revert fix to always call destructors in reverse constructor order due
to unforeseen application compatibility issues.

=> This fix introduced some regression, even if none have been reported to
   Debian, so they have been reverted to come back to the previous situation.

  - Fix a DTV corruption due to a reuse of a TLS module ID following dlclose
with unused TLS.

=> This issue affect the Mesa crocus driver that is shipped in bookworm, even
   if we haven't got any report on the Debian side. The fix is a very simple
   one liner. More details can be found on the upstream BTS:
   https://sourceware.org/bugzilla/show_bug.cgi?id=29039

  - Fix the DTV field load on x32.

=> The testcase added for the above issue, uncovered an issue on x32. For
   stable architectures, this only affects the libc6-x32 package. More details
   can be found on the upstream BTS:
   https://sourceware.org/bugzilla/show_bug.cgi?id=31184

  - Fix the TCB field load on x32.

=> Debugging the above x32 issue, uncovered a similar bug. For
   stable architectures, this only affects the libc6-x32 package. More details
   can be found on the upstream BTS:
   https://sourceware.org/bugzilla/show_bug.cgi?id=31185

[ Other info ]
debian-boot is in Cc: as glibc has one udeb.
diff --git a/debian/changelog b/debian/changelog
index 8e1ee881..b708d99d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+glibc (2.36-9+deb12u5) bookworm; urgency=medium
+
+  * debian/patches/git-updates.diff: update from upstream stable branch:
+- any/local-CVE-2023-4911.patch: upstreamed.
+- any/local-CVE-2023-6246.patch: upstreamed.
+- any/local-CVE-2023-6779.patch: upstreamed.
+- any/local-CVE-2023-6780.patch: upstreamed.
+- Revert fix to always call destructors in reverse constructor order due
+  to unforeseen application compatibility issues.
+- Fix a DTV corruption due to a reuse of a TLS module ID following dlclose
+  with unused TLS.
+- Fix the DTV field load on x32.
+- Fix the TCB field load on x32.
+
+ -- Aurelien Jarno   Sat, 24 Feb 2024 16:49:22 +0100
+
 glibc (2.36-9+deb12u4) bookworm-security; urgency=medium
 
   * debian/patches/any/local-CVE-2023-6246.patch: Fix a heap buffer overflow
diff --git a/debian/patches/any/local-CVE-2023-4911.patch 
b/debian/patches/any/local-CVE-2023-4911.patch
deleted file mode 100644
index 4c4c2094..
--- a/debian/patches/any/local-CVE-2023-4911.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From d2b77337f734fcacdfc8e0ddec14cf31a746c7be Mon Sep 17 00:00:00 2001
-From: Siddhesh Poyarekar 
-Date: Mon, 11 Sep 2023 18:53:15 -0400
-Subject: [PATCH v2] tunables: Terminate immediately if end of input is reached
-
-The string parsing routine may end up writing beyond bounds of tunestr
-if the input tunable string is malformed, of the form name=name=val.
-This gets processed twice, first as name=name=val and next as name=val,
-resulting in tunestr being name=name=val:name=val, thus overflowing
-tunestr.
-
-Terminate the parsing loop at the first instance itself so that tunestr
-does not overflow.

-Changes from v1:
-
-- Also null-terminate tunestr before exiting.
-
- elf/dl-tunables.c | 17 ++---
- 1 file changed, 10 insertions(+), 7 deletions(-)
-
-diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
-index 8e7ee9df10..76cf8b9da3 100644
 a/elf/dl-tunables.c
-+++ b/elf/dl-tunables.c
-@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring)
-   /* If we reach the end of the string before getting a valid name-value
-pair,