Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gl...@packages.debian.org, debian-boot@lists.debian.org
Control: affects -1 + src:glibc
[ Reason ]
The upstream stable branch got a few fixes during the bookworm freeze
period, and this update pulls them into the debian package. In short:
- Fix a buffer overflow and memory corruption in the gmon
functionality.
- Fix a deadlock in getaddrinfo() and system() functions
- Fix y2038 support in strftime on 32-bit architectures.
- Fix possible segmentation fault in applications using sgetsgent()
when /etc/gshadow contains very long lines
- Fix support for old C90 compilers.
In addition this include a Slovak translation update fixing typos, that
also arrived during the bookworm freeze.
[ Impact ]
In case the update isn't approved, systems will be left with the above
issues which are not critical but can affect some applications.
[ Tests ]
The upstream fixes come with additional tests, which represent a
significant part of the diff.
[ Risks ]
The changes to do not affect critical part of the library, and come with
additional tests. The upstream changes have been in some distribution
for a few months and in experimental for more than a month, and the
translation changes in experimental for more than 3 weeks. All of them
are in sid for more than ten days.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Please find below the changelog with additional explanations:
* debian/patches/git-updates.diff: update from upstream stable branch:
- Affecting bookworm release architectures:
- Improve mcount overflow handling in gmon.
- Fix a buffer overflow in gmon (CVE-2023-0687).
- Fix a memory corruption when incorrectly calling gmon functions
repeatedly on in wrong order.
=> Those are three security issues affecting the gmon feature of
glibc, one of them has a CVE entry, but it is disputed. The binaries
we ship in packages are not gmon enabled, but users might do that
and use them in production, so it's better to fix them. More
details can be found on the upstream BTS:
https://sourceware.org/bugzilla/show_bug.cgi?id=27576
https://sourceware.org/bugzilla/show_bug.cgi?id=29444
https://sourceware.org/bugzilla/show_bug.cgi?id=30101
- Fix a deadlock in getaddrinfo (__check_pf) with deferred cancellation.
=> This fixes a deadlock that can happen in some rare cases
involving thread cancellation. It is known to affect zookeeper,
however it is not clear if it can be reproduced with the Debian
package. More details can be found on the upstream BTS:
https://sourceware.org/bugzilla/show_bug.cgi?id=20975
- Fix y2038 support in strftime on 32-bit architectures.
=> This fixes the %s format specification of strftime to return the
correct string after y2038 instead of failing and returning -1 on
32-bit architectures when compiling with -D_TIME_BITS=64. There are
very few packages building that way yet, but coreutils is one of
them and is likely affected. More details can be found on the
upstream BTS:
https://sourceware.org/bugzilla/show_bug.cgi?id=30053
- Fix corner case parsing of /etc/gshadow which can return bad pointers
causing segfaults in applications.
=> This fixes the parsing of /etc/gshadow when it contains very long
lines, and causes sgetsgent() to not return any data while still
indicating success. This can cause a segmentation fault in
applications using this function. More details can be found on the
upstream BTS: https://sourceware.org/bugzilla/show_bug.cgi?id=30151
- Fix a deadlock in system() when called concurrently from multiple
threads.
=> This fix an issue when system() is called from multiple threads.
While the upstream BTS contains a reproducer, it is not clear if it
is affect more than custom code or if Debian packages are affected.
More details can be found on the upstream BTS:
https://sourceware.org/bugzilla/show_bug.cgi?id=30163
- cdefs: limit definition of fortification macros to __FORTIFY_LEVEL > 0
to support old C90 compilers.
=> This fixes the glibc headers to correctly support for old C90
compilers that user might use on their system. It's not clear if we
ship such a compiler as a Debian package though.
- Not affecting bookworm release architectures:
- Fix LFS POSIX lock constants for powerpc64.
- Fix GL(dl_phdr) and GL(dl_phnum) for static builds. Closes: #1028200.
- Not affecting debian architectures:
- Fix LFS POSIX lock constants on 32 bit arch with 64 bit default
time_t.
=> The above fixes are fixing upstream which do not concern bookworm
release
