Bug#987808: unblock: klibc/2.0.8-6

2021-05-01 Thread Ben Hutchings
On Sat, 2021-05-01 at 21:46 +0200, Paul Gevers wrote:
> Hi,
> 
> On 30-04-2021 04:24, Ben Hutchings wrote:
> > Please unblock package klibc
> 
> unblocked.
> 
> Paul
> 
> PS: 0001-klibc-signal-Note-another-reason-to-define-_KLIBC_NE.patch
> looked a bit overdone for the freeze, but alas.

Sorry about that.  This was a result of my uploading the signal fixes
to experimental originally and failing to do an unstable upload until
now.

Ben.

-- 
Ben Hutchings
Time is nature's way of making sure that
everything doesn't happen at once.


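The malloc()/calloc() request-size checks that the 2.0.8-6 changelog in the unblock request below describes (reject size > PTRDIFF_MAX; reject a calloc() multiplication that overflows), as an added C illustration rather than klibc's own code; the helper names and the 16-byte BLOCK_OVERHEAD are assumptions, and the last function shows why the bound matters.

```c
/* Added illustration, not klibc's allocator: the two request-size checks
 * described in the 2.0.8-6 changelog. Helper names and the 16-byte
 * BLOCK_OVERHEAD are assumptions made for this example. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#define BLOCK_OVERHEAD 16  /* hypothetical per-block header size */

/* malloc() check: accept only size <= PTRDIFF_MAX. Returns 1 if acceptable,
 * else 0 with errno = ENOMEM. Under this bound size + BLOCK_OVERHEAD cannot
 * wrap, and pointer differences inside the block fit in ptrdiff_t. */
int checked_malloc_size(size_t size)
{
    if (size > (size_t)PTRDIFF_MAX) {
        errno = ENOMEM;
        return 0;
    }
    return 1;
}

/* calloc() check: nmemb * size without wrap-around. Returns 1 and stores the
 * product in *total, else 0 with errno = ENOMEM when the product overflows
 * size_t or exceeds the malloc() bound above. */
int checked_calloc_size(size_t nmemb, size_t size, size_t *total)
{
    size_t product;
#if defined(__GNUC__) || defined(__clang__)
    if (__builtin_mul_overflow(nmemb, size, &product)) {
        errno = ENOMEM;
        return 0;
    }
#else
    if (nmemb != 0 && size > SIZE_MAX / nmemb) { /* portable division test */
        errno = ENOMEM;
        return 0;
    }
    product = nmemb * size;
#endif
    if (!checked_malloc_size(product))
        return 0;
    *total = product;
    return 1;
}

/* What the bound prevents: without it, a request near SIZE_MAX plus the
 * header wraps to a tiny number and the caller gets a far smaller block. */
size_t unchecked_block_size(size_t size)
{
    return size + BLOCK_OVERHEAD;
}
```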
Bug#987808: unblock: klibc/2.0.8-6

2021-04-29 Thread Ben Hutchings
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-ker...@lists.debian.org

Please unblock package klibc

[ Reason ]
Fix some possible integer overflows in the heap manager and the cpio
command.  These are probably not too serious considering how klibc is
normally used in Debian, but should still be fixed.

On s390x (plus some non-release architectures), remove the need for
programs to run with an executable stack.  This is a security
mitigation.

[ Impact ]
Close some possible security vulnerabilities.

[ Tests ]
The heap manager and signal handling are covered by automated tests
that run on every package build.

I have tested the changes to the cpio command manually.

[ Risks ]
klibc is used in the initramfs on most Debian systems that need one.
Regressions could result in boot failure.  However, I believe these
changes are adequately covered by tests.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
(Anything else the release team should know.)

unblock klibc/2.0.8-6
diff -Nru klibc-2.0.8/debian/changelog klibc-2.0.8/debian/changelog
--- klibc-2.0.8/debian/changelog	2020-08-21 02:34:13.0 +0200
+++ klibc-2.0.8/debian/changelog	2021-04-30 03:05:23.0 +0200
@@ -1,3 +1,46 @@
+klibc (2.0.8-6) unstable; urgency=medium
+
+  * Upload to unstable
+  * malloc: Set errno on failure
+  * malloc: Fail if requested size > PTRDIFF_MAX (CVE-2021-31873)
+  * calloc: Fail if multiplication overflows (CVE-2021-31870)
+  * cpio: Fix possible integer overflow on 32-bit systems (CVE-2021-31872)
+  * cpio: Fix possible crash on 64-bit systems (CVE-2021-31871)
+
+ -- Ben Hutchings   Fri, 30 Apr 2021 03:05:23 +0200
+
+klibc (2.0.8-5) experimental; urgency=medium
+
+  * alpha: Fix definitions of _NSIG and struct sigaction
+  * ia64: Fix definition of struct sigaction
+
+ -- Ben Hutchings   Fri, 28 Aug 2020 17:41:47 +0100
+
+klibc (2.0.8-4) experimental; urgency=medium
+
+  * signal: Note another reason to define _KLIBC_NEEDS_SA_RESTORER
+  * signal: Add sysconfig setting to force SA_SIGINFO on
+  * s390: Force SA_SIGINFO on and use rt_sigreturn
+  * alpha: Force SA_SIGINFO on
+  * sparc: Force SA_SIGINFO on
+
+ -- Ben Hutchings   Tue, 25 Aug 2020 01:49:14 +0100
+
+klibc (2.0.8-3) experimental; urgency=medium
+
+  * s390: Define __sigreturn() on both s390 and s390x
+  * Revert "alpha: Set sa_restorer for signals and disable executable stack"
+  * alpha: Pass restorer to rt_sigaction() and disable executable stack
+
+ -- Ben Hutchings   Sun, 23 Aug 2020 15:24:00 +0100
+
+klibc (2.0.8-2) experimental; urgency=medium
+
+  * {alpha,s390,sparc}: Set sa_restorer for signals and disable executable
+stack
+
+ -- Ben Hutchings   Sat, 22 Aug 2020 21:35:52 +0100
+
 klibc (2.0.8-1) unstable; urgency=medium
 
   [ Ben Hutchings ]
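Review bot: the continuation line `+stack` (wrapping the 2.0.8-2 entry `{alpha,s390,sparc}: Set sa_restorer for signals and disable executable`) sits at column 0, unlike every other change line in this hunk, which is indented; if that is how the uploaded changelog reads rather than a rendering artefact, indent it like the other change lines so dpkg-parsechangelog does not warn about an unrecognised line. Separately, the two cpio entries (CVE-2021-31872, CVE-2021-31871) are the only fixes in the 2.0.8-6 entry not exercised by the build-time tests according to the [ Tests ] section, which says they were tested manually; a small regression archive fed to the cpio command in the test suite would close that gap.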
diff -Nru klibc-2.0.8/debian/patches/0001-klibc-alpha-Fix-definitions-of-_NSIG-and-struct-siga.patch klibc-2.0.8/debian/patches/0001-klibc-alpha-Fix-definitions-of-_NSIG-and-struct-siga.patch
--- klibc-2.0.8/debian/patches/0001-klibc-alpha-Fix-definitions-of-_NSIG-and-struct-siga.patch	1970-01-01 01:00:00.0 +0100
+++ klibc-2.0.8/debian/patches/0001-klibc-alpha-Fix-definitions-of-_NSIG-and-struct-siga.patch	2021-04-30 02:55:10.0 +0200
@@ -0,0 +1,103 @@
+From: Ben Hutchings 
+Date: Thu, 27 Aug 2020 01:58:19 +0100
+Subject: [klibc] alpha: Fix definitions of _NSIG and struct sigaction
+Origin: 
https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=1cd11aaed1dece773c6b1ce2e99a0fe98b51321e
+
+We use the RT signals API, but include the kernel UAPI header
+that defines _NSIG and struct sigaction for the old API.
+
+Copy over all the definitions and fix those two.
+
+Signed-off-by: Ben Hutchings 
+---
+ usr/include/arch/alpha/klibc/archsignal.h | 78 ++-
+ 1 file changed, 76 insertions(+), 2 deletions(-)
+
+diff --git a/usr/include/arch/alpha/klibc/archsignal.h 
b/usr/include/arch/alpha/klibc/archsignal.h
+index 2193a352..78be832a 100644
+--- a/usr/include/arch/alpha/klibc/archsignal.h
 b/usr/include/arch/alpha/klibc/archsignal.h
+@@ -8,7 +8,81 @@
+ #ifndef _KLIBC_ARCHSIGNAL_H
+ #define _KLIBC_ARCHSIGNAL_H
+ 
+-#include 
+-/* No special stuff for this architecture */
++/*
++ * This is identical to , *except* for _NSIG and struct
++ * sigaction, where it has the old definition and we need the new (RT)
++ * definition.
++ */
++
++struct siginfo;
++
++#define NSIG  64
++
++typedef unsigned long sigset_t;
++
++#define SIGHUP 1
++#define SIGINT 2
++#define SIGQUIT3
++#define SIGILL 4
++#define SIGTRAP5
++#define SIGABRT6
++#define SIGEMT 7
++#define SIGFPE 8
++#define SIGKILL9
++#define
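Review bot: the header comment added at `+ * This is identical to , *except* for _NSIG and struct` does not record which kernel UAPI header version the definitions were copied from, so later drift between the kernel header and this private copy cannot be spotted; add the kernel version, or at least point at the upstream commit already cited in the `Origin:` line, in that comment. The visible part of the copy defines `NSIG 64` while the subject line speaks of fixing `_NSIG`; worth confirming that the remainder of the hunk (cut off here after `+#define`) also supplies the `_NSIG` definition the RT signal API needs.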