Re: Bug#1053130: bookworm-pu: package glibc/2.36-9+deb12u2

2023-09-28 Thread Aurelien Jarno
On 2023-09-28 20:58, Adam D. Barratt wrote:
> Control: tags -1 confirmed
> 
> On Wed, 2023-09-27 at 23:47 +0200, Aurelien Jarno wrote:
> > The upstream glibc stable branch got a few fixes since the latest
> > point
> > released, including two security fixes.
> > 
> 
> Please go ahead.
> 

Thanks for the fast review, I have just uploaded it.

Regards
Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://aurel32.net



Re: Bug#1053130: bookworm-pu: package glibc/2.36-9+deb12u2

2023-09-28 Thread Adam D. Barratt
Control: tags -1 confirmed

On Wed, 2023-09-27 at 23:47 +0200, Aurelien Jarno wrote:
> The upstream glibc stable branch got a few fixes since the latest
> point
> released, including two security fixes.
> 

Please go ahead.

Regards,

Adam



Bug#1053130: bookworm-pu: package glibc/2.36-9+deb12u2

2023-09-27 Thread Aurelien Jarno
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gl...@packages.debian.org, debian-gl...@lists.debian.org, 
debian-boot@lists.debian.org
Control: affects -1 + src:glibc

[ Reason ]
The upstream glibc stable branch got a few fixes since the latest point
released, including two security fixes.
 
[ Impact ]
Installations will be left vulnerable to security issues.

[ Tests ]
The upstream fixes come with additional tests, which represent a
significant part of the diff.

[ Risks ]
The risk can be considered low, as all the changes except the one for
CVE-2023-5156 have been tested in testing/sid for a few days. The one
for CVE-2023-5156 has just been uploaded to sid, but comes with a test.
In addition those fixes have been committed on a few upstream branches
and have been used by other distributions to provide security updates. 

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

All the changes come from the upstream stable branch, and are summarized
in the debian changelog. Let me comment on it:

 - Fix the value of F_GETLK/F_SETLK/F_SETLKW with __USE_FILE_OFFSET64 on
   ppc64el.  Closes: #1050592.

This fixes a regression introduced in the previous point release and
testing/sid. On ppc64el, the values of F_GETLK/F_SETLK/F_SETLKW changed
when __USE_FILE_OFFSET64 is in use. While this is handled transparently
at the glibc level, it breaks some packages which use the values
internally like perl.

 - Fix a stack read overflow in getaddrinfo in no- mode
   (CVE-2023-4527).  Closes: #1051958.

This fixes a security issue in a new feature introduced in glibc 2.36,
which has not been considered serious enough by the security team to
issue a DSA.

 - Fix use after free in getcanonname (CVE-2023-4806, CVE-2023-5156).

This fixes a security issue that might happen with some NSS modules
which implement some hooks but not some others, however there are no
known modules implemented that way. Unfortunately the initial fix
introduced a memory leak which got assigned CVE-2023-5156.

 - Update the x86 cacheinfo code to look at the per-thread L3 cache to
   determine the non-temporal threshold. This improves memory and string
   functions on modern CPUs.

This changes the way the cache sizes are interpreted, properly taking
into account the L3 cache on modern CPUs. The memory and string
functions are unchanged, only some thresholds are changed.

 - Fix _dl_find_object to return correct values even during early startup.

It has been found that _dl_find_object can wrongly return 1 during
early startup. Currently no impact has been found, but as this function
is used by some external unwinders (for instance GCC), it's better to fix
it to be future proof.

 - Always call destructors in reverse constructor order.

This fixes a regression introduced in glibc 2.36, which causes
destructors to be called in a different order than the constructors when
there are cyclic dependencies. This causes issues with some
applications.

[ Other info ]
debian-boot is in Cc: as glibc has one udeb.

diff --git a/debian/changelog b/debian/changelog
index aafd6e3a..146c85d3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+glibc (2.36-9+deb12u2) UNRELEASED; urgency=medium
+
+  * debian/patches/git-updates.diff: update from upstream stable branch:
+- Fix the value of F_GETLK/F_SETLK/F_SETLKW with __USE_FILE_OFFSET64 on
+  ppc64el.  Closes: #1050592.
+- Fix a stack read overflow in getaddrinfo in no- mode
+  (CVE-2023-4527).  Closes: #1051958.
+- Fix use after free in getcanonname (CVE-2023-4806, CVE-2023-5156).
+- Update the x86 cacheinfo code to look at the per-thread L3 cache to
+  determine the non-temporal threshold. This improves memory and string
+  functions on modern CPUs.
+- Fix _dl_find_object to return correct values even during early startup.
+- Always call destructors in reverse constructor order.
+
+ -- Aurelien Jarno   Sat, 23 Sep 2023 15:08:08 +0200
+
 glibc (2.36-9+deb12u1) bookworm; urgency=medium
 
   [ Aurelien Jarno ]
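Review bot: the new stanza on the first added line targets UNRELEASED while the 2.36-9+deb12u1 stanza below it targets bookworm; the distribution field needs to be set to bookworm before the actual upload. The CVE-2023-4527 entry also reads "no- mode", which looks truncated; spelling out the full mode name would make the changelog entry self-explanatory.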
diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index 9203223b..cdb02b1d 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -68,10 +68,10 @@ index d1e139d03c..09c0cf8357 100644
  else  # -s
  verbose   :=
 diff --git a/NEWS b/NEWS
-index f61e521fc8..9f6b48b63d 100644
+index f61e521fc8..ae55ffb53a 100644
 --- a/NEWS
 +++ b/NEWS
-@@ -5,6 +5,65 @@ See the end for copying conditions.
+@@ -5,6 +5,85 @@ See the end for copying conditions.
  Please send GNU C library bug reports via 
  using `glibc' in the "product" field.
  
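Review bot: the nested NEWS hunk header changes from `+5,65` to `+5,85`, i.e. 20 new NEWS lines, but none of that text is visible in this region; worth confirming that the added NEWS entries name the same CVE identifiers as the debian/changelog stanza so the two records stay consistent.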
@@ -91,6 +91,21 @@ index