Bug#764540: wheezy-pu: package glibc/2.13-38+deb7u5
On 2014-10-16 16:35, Aurelien Jarno wrote: On Thu, Oct 16, 2014 at 03:08:31PM +0100, Adam D. Barratt wrote: On 2014-10-16 15:04, Aurelien Jarno wrote: >As discussed on IRC, this update introduced a serious regression when >using nscd (see bugs #765506, #765526, #765562), due to the patch >cvs-CVE-2013-4357.diff. Sorry about that. > >The upstream commit is broken and a later commit that I missed is >fixing >that. I have included it in the new version 2.13-38+deb7u6. I also >updated >the changelog entry for 2.13-38+deb7u5 as discussed in the bug report. > >You will find the debdiff against 2.13-38+deb7u5 below. Is it fine to >upload it? Please go ahead; thanks. Thanks, I have just uploaded it. Flagged for acceptance; thanks. Regards, Adam -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#764540: wheezy-pu: package glibc/2.13-38+deb7u5
On Thu, Oct 16, 2014 at 03:08:31PM +0100, Adam D. Barratt wrote: > On 2014-10-16 15:04, Aurelien Jarno wrote: > >As discussed on IRC, this update introduced a serious regression when > >using nscd (see bugs #765506, #765526, #765562), due to the patch > >cvs-CVE-2013-4357.diff. Sorry about that. > > > >The upstream commit is broken and a later commit that I missed is > >fixing > >that. I have included it in the new version 2.13-38+deb7u6. I also > >updated > >the changelog entry for 2.13-38+deb7u5 as discussed in the bug report. > > > >You will find the debdiff against 2.13-38+deb7u5 below. Is it fine to > >upload it? > > Please go ahead; thanks. Thanks, I have just uploaded it. Regards, Aurelien -- Aurelien Jarno GPG: 4096R/1DDD8C9B aurel...@aurel32.net http://www.aurel32.net -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#764540: wheezy-pu: package glibc/2.13-38+deb7u5
On 2014-10-16 15:04, Aurelien Jarno wrote: As discussed on IRC, this update introduced a serious regression when using nscd (see bugs #765506, #765526, #765562), due to the patch cvs-CVE-2013-4357.diff. Sorry about that. The upstream commit is broken and a later commit that I missed is fixing that. I have included it in the new version 2.13-38+deb7u6. I also updated the changelog entry for 2.13-38+deb7u5 as discussed in the bug report. You will find the debdiff against 2.13-38+deb7u5 below. Is it fine to upload it? Please go ahead; thanks. Regards, Adam -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#764540: wheezy-pu: package glibc/2.13-38+deb7u5
On Fri, Oct 10, 2014 at 08:37:15AM +0100, Adam D. Barratt wrote:
> Control: tags -1 + pending
>
> On 2014-10-09 0:16, Aurelien Jarno wrote:
> >On Wed, Oct 08, 2014 at 11:27:30PM +0100, Adam D. Barratt wrote:
> >>Control: tags -1 + confirmed
> >>
> >>On Wed, 2014-10-08 at 23:49 +0200, Aurelien Jarno wrote:
> >>> I would like to do an update of eglibc in wheezy, with the patches we
> >>> have accumulated in the SVN over the last months. I understand that
> >>> it's a bit late with the stable release schedule, that said all this
> >>> patches have been upstream and in jessie/sid for months.
> >>[...]
> >>> +eglibc (2.13-38+deb7u5) wheezy; urgency=medium
> >>> +
> >>> + * debian/patches/any/cvs-resolv-reuse-fd.diff: new patch from upstream
> >>> +to fix invalid file descriptor reuse while sending DNS query.
> >>> Closes:
> >>> +#722075, #756343.
> >>> + * debian/patches/any/cvs-CVE-2013-4357.diff: new patch from upstream to
> >>> +fix stack overflow issues. Closes: #742925.
> >>> + * debian/patches/any/submitted-CVE-2014-0475.diff: update from upstream
> >>> +to fix a localplt regression introduced in version 2.13-38+deb7u3.
> >>> + * patches/any/cvs-dlopen-tls-memleak.patch: new patch from upstream to
> >>> +fix a memory leak with dlopen() and thread-local storage variables.
> >>> +Closes: #763559.
> >>
> >>Please go ahead; thanks.
> >>
> >
> >Thanks! I have just uploaded it.
>
> Flagged for acceptance; thanks.
>
As discussed on IRC, this update introduced a serious regression when
using nscd (see bugs #765506, #765526, #765562), due to the patch
cvs-CVE-2013-4357.diff. Sorry about that.
The upstream commit is broken and a later commit that I missed is fixing
that. I have included it in the new version 2.13-38+deb7u6. I also updated
the changelog entry for 2.13-38+deb7u5 as discussed in the bug report.
You will find the debdiff against 2.13-38+deb7u5 below. Is it fine to
upload it?
Regards,
Aurelien
diff -u eglibc-2.13/debian/changelog eglibc-2.13/debian/changelog
--- eglibc-2.13/debian/changelog
+++ eglibc-2.13/debian/changelog
@@ -1,3 +1,13 @@
+eglibc (2.13-38+deb7u6) wheezy; urgency=medium
+
+ * Update 2.13-38+deb7u5 changelog to mention that some lost glibc-doc
+files have been re-added in this version.
+ * debian/patches/any/cvs-CVE-2013-4357.diff: update patch with upstream
+commit c8fc0c91 to fix segmentation faults when nscd is in use.
+Closes: #765506, #765526, #765562.
+
+ -- Aurelien Jarno Thu, 16 Oct 2014 15:29:00 +0200
+
eglibc (2.13-38+deb7u5) wheezy; urgency=medium
* debian/patches/any/cvs-resolv-reuse-fd.diff: new patch from upstream
@@ -10,6 +20,9 @@
* patches/any/cvs-dlopen-tls-memleak.patch: new patch from upstream to
fix a memory leak with dlopen() and thread-local storage variables.
Closes: #763559.
+ * debian/TODO, debian/debhelper.in/glibc-doc.{install,links,manpage}:
+re-add files lost in the deb7u3 and deb7u4 security upgrades, causing
+the glibc-doc package to be almost empty.
-- Aurelien Jarno Wed, 08 Oct 2014 22:50:01 +0200
diff -u eglibc-2.13/debian/patches/any/cvs-CVE-2013-4357.diff
eglibc-2.13/debian/patches/any/cvs-CVE-2013-4357.diff
--- eglibc-2.13/debian/patches/any/cvs-CVE-2013-4357.diff
+++ eglibc-2.13/debian/patches/any/cvs-CVE-2013-4357.diff
@@ -1,3 +1,8 @@
+2011-05-31 Andreas Schwab
+
+ * nscd/nscd_getserv_r.c (nscd_getserv_r): Don't free non-malloced
+ memory. Use alloca_account. Fix memory leak when retrying.
+
2011-05-22 Ulrich Drepper
[BZ #12671]
@@ -134,7 +139,15 @@
const uint32_t *aliases_len = NULL;
const char *aliases_list = NULL;
int retval = -1;
-@@ -136,8 +148,22 @@ nscd_getserv_r (const char *crit, size_t critlen, const
char *proto,
+@@ -112,6 +124,7 @@ nscd_getserv_r (const char *crit, size_t critlen, const
char *proto,
+ s_name = (char *) (&found->data[0].servdata + 1);
+ serv_resp = found->data[0].servdata;
+ s_proto = s_name + serv_resp.s_name_len;
++alloca_aliases_len = 1;
+ aliases_len = (uint32_t *) (s_proto + serv_resp.s_proto_len);
+ aliases_list = ((char *) aliases_len
+ + serv_resp.s_aliases_cnt * sizeof (uint32_t));
+@@ -136,8 +149,24 @@ nscd_getserv_r (const char *crit, size_t critlen, const
char *proto,
if (((uintptr_t) aliases_len & (__alignof__ (*aliases_len) - 1))
!= 0)
{
@@ -146,7 +159,9 @@
+ + (serv_resp.s_aliases_cnt
+ * sizeof (uint32_t)));
+if (alloca_aliases_len)
-+ tmp = __alloca (serv_resp.s_aliases_cnt * sizeof (uint32_t));
++ tmp = alloca_account (serv_resp.s_aliases_cnt
++* sizeof (uint32_t),
++alloca_used);
+else
+ {
+tmp = malloc (serv_resp.s_aliases_cnt * sizeof
Bug#764540: wheezy-pu: package glibc/2.13-38+deb7u5
Control: tags -1 + pending On 2014-10-09 0:16, Aurelien Jarno wrote: On Wed, Oct 08, 2014 at 11:27:30PM +0100, Adam D. Barratt wrote: Control: tags -1 + confirmed On Wed, 2014-10-08 at 23:49 +0200, Aurelien Jarno wrote: > I would like to do an update of eglibc in wheezy, with the patches we > have accumulated in the SVN over the last months. I understand that > it's a bit late with the stable release schedule, that said all this > patches have been upstream and in jessie/sid for months. [...] > +eglibc (2.13-38+deb7u5) wheezy; urgency=medium > + > + * debian/patches/any/cvs-resolv-reuse-fd.diff: new patch from upstream > +to fix invalid file descriptor reuse while sending DNS query. Closes: > +#722075, #756343. > + * debian/patches/any/cvs-CVE-2013-4357.diff: new patch from upstream to > +fix stack overflow issues. Closes: #742925. > + * debian/patches/any/submitted-CVE-2014-0475.diff: update from upstream > +to fix a localplt regression introduced in version 2.13-38+deb7u3. > + * patches/any/cvs-dlopen-tls-memleak.patch: new patch from upstream to > +fix a memory leak with dlopen() and thread-local storage variables. > +Closes: #763559. Please go ahead; thanks. Thanks! I have just uploaded it. Flagged for acceptance; thanks. Regards, Adam -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#764540: wheezy-pu: package glibc/2.13-38+deb7u5
On 2014-10-10 6:06, Aurelien Jarno wrote: On Thu, Oct 09, 2014 at 10:29:25PM +0100, Adam D. Barratt wrote: A few other changes appear to have been included: debian/TODO | 33 debian/debhelper.in/glibc-doc.install |4 debian/debhelper.in/glibc-doc.links | 17 debian/debhelper.in/glibc-doc.manpages |8 were those intentional? Oh I prepared my diff using the SVN and didn't notice that. It wasn't intentional to add them, but on the other hand they have been removed by mistake in the security team uploads deb7u3 and deb7u4. This means the current glibc-doc is missing most of the documentation compared to deb7u2, strange that we haven't got any bug report for that. Ah, I see. Thanks for the explanation. So we should keep these files to restore the documentation as it was before. Should I do another upload mentioning in the changelog these files have been added back? I don't think that's necessary at his point. It might not hurt to add a retrospective note so that it's included in +deb7u6 though. Regards, Adam -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#764540: wheezy-pu: package glibc/2.13-38+deb7u5
On Thu, Oct 09, 2014 at 10:29:25PM +0100, Adam D. Barratt wrote: > On Thu, 2014-10-09 at 01:16 +0200, Aurelien Jarno wrote: > > On Wed, Oct 08, 2014 at 11:27:30PM +0100, Adam D. Barratt wrote: > > > Control: tags -1 + confirmed > > > > > > On Wed, 2014-10-08 at 23:49 +0200, Aurelien Jarno wrote: > > > > I would like to do an update of eglibc in wheezy, with the patches we > > > > have accumulated in the SVN over the last months. I understand that > > > > it's a bit late with the stable release schedule, that said all this > > > > patches have been upstream and in jessie/sid for months. > [...] > > > Please go ahead; thanks. > > > > > > > Thanks! I have just uploaded it. > > A few other changes appear to have been included: > > debian/TODO | 33 > debian/debhelper.in/glibc-doc.install |4 > debian/debhelper.in/glibc-doc.links | 17 > debian/debhelper.in/glibc-doc.manpages |8 > > were those intentional? Oh I prepared my diff using the SVN and didn't notice that. It wasn't intentional to add them, but on the other hand they have been removed by mistake in the security team uploads deb7u3 and deb7u4. This means the current glibc-doc is missing most of the documentation compared to deb7u2, strange that we haven't got any bug report for that. So we should keep these files to restore the documentation as it was before. Should I do another upload mentioning in the changelog these files have been added back? Regards, Aurelien -- Aurelien Jarno GPG: 4096R/1DDD8C9B aurel...@aurel32.net http://www.aurel32.net -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#764540: wheezy-pu: package glibc/2.13-38+deb7u5
On Thu, 2014-10-09 at 01:16 +0200, Aurelien Jarno wrote: > On Wed, Oct 08, 2014 at 11:27:30PM +0100, Adam D. Barratt wrote: > > Control: tags -1 + confirmed > > > > On Wed, 2014-10-08 at 23:49 +0200, Aurelien Jarno wrote: > > > I would like to do an update of eglibc in wheezy, with the patches we > > > have accumulated in the SVN over the last months. I understand that > > > it's a bit late with the stable release schedule, that said all this > > > patches have been upstream and in jessie/sid for months. [...] > > Please go ahead; thanks. > > > > Thanks! I have just uploaded it. A few other changes appear to have been included: debian/TODO | 33 debian/debhelper.in/glibc-doc.install |4 debian/debhelper.in/glibc-doc.links | 17 debian/debhelper.in/glibc-doc.manpages |8 were those intentional? Regards, Adam -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#764540: wheezy-pu: package glibc/2.13-38+deb7u5
On Wed, Oct 08, 2014 at 11:27:30PM +0100, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Wed, 2014-10-08 at 23:49 +0200, Aurelien Jarno wrote: > > I would like to do an update of eglibc in wheezy, with the patches we > > have accumulated in the SVN over the last months. I understand that > > it's a bit late with the stable release schedule, that said all this > > patches have been upstream and in jessie/sid for months. > [...] > > +eglibc (2.13-38+deb7u5) wheezy; urgency=medium > > + > > + * debian/patches/any/cvs-resolv-reuse-fd.diff: new patch from upstream > > +to fix invalid file descriptor reuse while sending DNS query. Closes: > > +#722075, #756343. > > + * debian/patches/any/cvs-CVE-2013-4357.diff: new patch from upstream to > > +fix stack overflow issues. Closes: #742925. > > + * debian/patches/any/submitted-CVE-2014-0475.diff: update from upstream > > +to fix a localplt regression introduced in version 2.13-38+deb7u3. > > + * patches/any/cvs-dlopen-tls-memleak.patch: new patch from upstream to > > +fix a memory leak with dlopen() and thread-local storage variables. > > +Closes: #763559. > > Please go ahead; thanks. > Thanks! I have just uploaded it. Regards, Aurelien -- Aurelien Jarno GPG: 4096R/1DDD8C9B aurel...@aurel32.net http://www.aurel32.net -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#764540: wheezy-pu: package glibc/2.13-38+deb7u5
Control: tags -1 + confirmed On Wed, 2014-10-08 at 23:49 +0200, Aurelien Jarno wrote: > I would like to do an update of eglibc in wheezy, with the patches we > have accumulated in the SVN over the last months. I understand that > it's a bit late with the stable release schedule, that said all this > patches have been upstream and in jessie/sid for months. [...] > +eglibc (2.13-38+deb7u5) wheezy; urgency=medium > + > + * debian/patches/any/cvs-resolv-reuse-fd.diff: new patch from upstream > +to fix invalid file descriptor reuse while sending DNS query. Closes: > +#722075, #756343. > + * debian/patches/any/cvs-CVE-2013-4357.diff: new patch from upstream to > +fix stack overflow issues. Closes: #742925. > + * debian/patches/any/submitted-CVE-2014-0475.diff: update from upstream > +to fix a localplt regression introduced in version 2.13-38+deb7u3. > + * patches/any/cvs-dlopen-tls-memleak.patch: new patch from upstream to > +fix a memory leak with dlopen() and thread-local storage variables. > +Closes: #763559. Please go ahead; thanks. Regards, Adam -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#764540: wheezy-pu: package glibc/2.13-38+deb7u5
Package: release.debian.org Severity: normal Tags: wheezy User: release.debian@packages.debian.org Usertags: pu Dear release managers, I would like to do an update of eglibc in wheezy, with the patches we have accumulated in the SVN over the last months. I understand that it's a bit late with the stable release schedule, that said all this patches have been upstream and in jessie/sid for months. This version fixes a regression introduced by the recent security uploads, a stack overflow that the security team hasn't consider it serious enough to warrant a DSA, and two annoying issues already fixed in jessie/sid for which users asked for a backport. Here is the corresponding changelog: | eglibc (2.13-38+deb7u5) wheezy; urgency=medium | | * debian/patches/any/cvs-resolv-reuse-fd.diff: new patch from upstream | to fix invalid file descriptor reuse while sending DNS query. Closes: | #722075, #756343. This is a single line fix to reload a variable instead of keeping it initialized to the previous value. This bug got more attention now that more people use golang. | * debian/patches/any/cvs-CVE-2013-4357.diff: new patch from upstream to | fix stack overflow issues. Closes: #742925. This is yet another fix for stack overflow issues in the GNU libc, that have been missed in the previous CVEs. The idea is to not use alloca on bug amount of memory and either to fail or to use malloc instead. | * debian/patches/any/submitted-CVE-2014-0475.diff: update from upstream | to fix a localplt regression introduced in version 2.13-38+deb7u3. This is a very small patch to not access memmem through PLT for internal usage. See https://sourceware.org/glibc/wiki/Testing/Check-localplt | * patches/any/cvs-dlopen-tls-memleak.patch: new patch from upstream to | fix a memory leak with dlopen() and thread-local storage variables. | Closes: #763559. This patch fixes a memory leak happening mostly when loading a C++ library with dlopen(). | -- Aurelien Jarno Wed, 08 Oct 2014 22:50:01 +0200 You will find the full debdiff from the latest security update below. Thanks for considering. Aurelien diff -u eglibc-2.13/debian/changelog eglibc-2.13/debian/changelog --- eglibc-2.13/debian/changelog +++ eglibc-2.13/debian/changelog @@ -1,3 +1,18 @@ +eglibc (2.13-38+deb7u5) wheezy; urgency=medium + + * debian/patches/any/cvs-resolv-reuse-fd.diff: new patch from upstream +to fix invalid file descriptor reuse while sending DNS query. Closes: +#722075, #756343. + * debian/patches/any/cvs-CVE-2013-4357.diff: new patch from upstream to +fix stack overflow issues. Closes: #742925. + * debian/patches/any/submitted-CVE-2014-0475.diff: update from upstream +to fix a localplt regression introduced in version 2.13-38+deb7u3. + * patches/any/cvs-dlopen-tls-memleak.patch: new patch from upstream to +fix a memory leak with dlopen() and thread-local storage variables. +Closes: #763559. + + -- Aurelien Jarno Wed, 08 Oct 2014 22:50:01 +0200 + eglibc (2.13-38+deb7u4) wheezy-security; urgency=high * Apply upstream patch to fix buffer overflow in __gconv_translit_find. diff -u eglibc-2.13/debian/patches/series eglibc-2.13/debian/patches/series --- eglibc-2.13/debian/patches/series +++ eglibc-2.13/debian/patches/series @@ -393,0 +394,3 @@ +any/cvs-resolv-reuse-fd.diff +any/cvs-CVE-2013-4357.diff +any/cvs-dlopen-tls-memleak.patch diff -u eglibc-2.13/debian/patches/any/submitted-CVE-2014-0475.diff eglibc-2.13/debian/patches/any/submitted-CVE-2014-0475.diff --- eglibc-2.13/debian/patches/any/submitted-CVE-2014-0475.diff +++ eglibc-2.13/debian/patches/any/submitted-CVE-2014-0475.diff @@ -123,0 +124,20 @@ +--- a/include/string.h b/include/string.h +@@ -86,6 +86,7 @@ libc_hidden_proto (__strtok_r) + extern char *__strsep_g (char **__stringp, __const char *__delim); + libc_hidden_proto (__strsep_g) + libc_hidden_proto (strnlen) ++libc_hidden_proto (memmem) + + libc_hidden_builtin_proto (memchr) + libc_hidden_builtin_proto (memcpy) +--- a/string/memmem.c b/string/memmem.c +@@ -74,5 +74,6 @@ memmem (const void *haystack_start, size_t haystack_len, + else + return two_way_long_needle (haystack, haystack_len, needle, needle_len); + } ++libc_hidden_def (memmem) + + #undef LONG_NEEDLE_THRESHOLD + --- eglibc-2.13.orig/debian/patches/any/cvs-dlopen-tls-memleak.patch +++ eglibc-2.13/debian/patches/any/cvs-dlopen-tls-memleak.patch @@ -0,0 +1,142 @@ +2011-04-10 Ulrich Drepper + + [BZ #12650] + * sysdeps/i386/dl-tls.h: Define TLS_DTV_UNALLOCATED. + * sysdeps/ia64/dl-tls.h: Likewise. + * sysdeps/powerpc/dl-tls.h: Likewise. + * sysdeps/s390/dl-tls.h: Likewise. + * sysdeps/sh/dl-tls.h: Likewise. + * sysdeps/sparc/dl-tls.h: Likewise. + * sysdeps/x86_64/dl-tls.h: Likewise. + * elf/dl-tls.c: Don't define TLS_DTV_UNALLOCATED here. + +nptl/ +2011-04-10 Ulrich Drepper + + [BZ #12650] + * allocatestack.c (get_cached
