Bug#1021977: marked as done (Tzdata timezone files corruption after clean debian 11 installation)
Your message dated Tue, 18 Oct 2022 23:40:53 +0200 with message-id and subject line Re: Bug#1021977: Fwd: Tzdata timezone files corruption after clean debian 11 installation has caused the Debian Bug report #1021977, regarding Tzdata timezone files corruption after clean debian 11 installation to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1021977: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021977 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: tzdata Version: 2021a-1+deb11u7 Dear Debian, I wanted to change my timezone from europe/amsterdam to utc. when i viewed the europe/amsterdam timezone file. I got corruption or malware as I included in this email. All zone files as I can see contain either corruption or malware. This is on a fresh install of debian 11. I am going to reinstall the tzdata package if possible; but it is quite a breach. Yours truly, Satish Binda The Netherlands (ultra violence / agent 1 / kick some dust) --- End Message --- --- Begin Message --- Ok, thanks for your answer, closing the bug On 2022-10-18 22:56, Satish Binda wrote: > Thank you for the clarification. > > On Tue, Oct 18, 2022, 22:24 Aurelien Jarno wrote: > > > Dear Satish, > > > > On 2022-10-18 22:17, Satish Binda wrote: > > > because normally it is just one line ascii or ansi or utf-8, perhaps > > utf-16 > > > but not an easy to digest binary file, at length, that no one knows about > > > > That is not correct. The file format is described by RFC8536 [1] and is > > a binary format. > > > > Regards > > Aurelien > > > > [1] https://datatracker.ietf.org/doc/html/rfc8536 > > > > -- > > Aurelien Jarno GPG: 4096R/1DDD8C9B > > aurel...@aurel32.net http://www.aurel32.net > > -- Aurelien Jarno GPG: 4096R/1DDD8C9B aurel...@aurel32.net http://www.aurel32.net--- End Message ---
Bug#1021977: Fwd: Tzdata timezone files corruption after clean debian 11 installation
Thank you for the clarification. On Tue, Oct 18, 2022, 22:24 Aurelien Jarno wrote: > Dear Satish, > > On 2022-10-18 22:17, Satish Binda wrote: > > because normally it is just one line ascii or ansi or utf-8, perhaps > utf-16 > > but not an easy to digest binary file, at length, that no one knows about > > That is not correct. The file format is described by RFC8536 [1] and is > a binary format. > > Regards > Aurelien > > [1] https://datatracker.ietf.org/doc/html/rfc8536 > > -- > Aurelien Jarno GPG: 4096R/1DDD8C9B > aurel...@aurel32.net http://www.aurel32.net >
Bug#1021977: Fwd: Tzdata timezone files corruption after clean debian 11 installation
Dear Satish, On 2022-10-18 22:17, Satish Binda wrote: > because normally it is just one line ascii or ansi or utf-8, perhaps utf-16 > but not an easy to digest binary file, at length, that no one knows about That is not correct. The file format is described by RFC8536 [1] and is a binary format. Regards Aurelien [1] https://datatracker.ietf.org/doc/html/rfc8536 -- Aurelien Jarno GPG: 4096R/1DDD8C9B aurel...@aurel32.net http://www.aurel32.net
Processed: tagging 1016886
Processing commands for cont...@bugs.debian.org:
> tags 1016886 + security
Bug #1016886 {Done: Aurelien Jarno } [libc6] CVE-2020-1752:
'glob' use-after-free bug
Added tag(s) security.
> thanks
Stopping processing here.
Please contact me if you need assistance.
--
1016886: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016886
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1021977: Fwd: Tzdata timezone files corruption after clean debian 11 installation
Dear Satish, Thanks for the attachement. It indeed matches the file provided in the tzdata package in version 2021a-1+deb11u7. Can you please tell me why do you believe it is corrupted or affected by a malware? Regards Aurelien On 2022-10-18 20:44, Satish Binda wrote: > Dear Aurel, > > I included the attachment this time. > > Yours truly, > > Satish > -- Forwarded message - > From: Satish Binda > Date: Tue, Oct 18, 2022 at 10:04 AM > Subject: Tzdata timezone files corruption after clean debian 11 installation > To: > Cc: > > > Package: tzdata > Version: 2021a-1+deb11u7 > > Dear Debian, > > I wanted to change my timezone from europe/amsterdam to utc. > when i viewed the europe/amsterdam timezone file. I got corruption or > malware > as I included in this email. > > All zone files as I can see contain either corruption or malware. > > This is on a fresh install of debian 11. > > I am going to reinstall the tzdata package if possible; but it is quite a > breach. > > Yours truly, > > Satish Binda > The Netherlands > (ultra violence / agent 1 / kick some dust) -- Aurelien Jarno GPG: 4096R/1DDD8C9B aurel...@aurel32.net http://www.aurel32.net
Bug#1016886: marked as done (CVE-2020-1752: 'glob' use-after-free bug)
Your message dated Tue, 18 Oct 2022 20:38:24 +0200
with message-id
and subject line Re: CVE-2020-1752: 'glob' use-after-free bug
has caused the Debian Bug report #1016886,
regarding CVE-2020-1752: 'glob' use-after-free bug
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1016886: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016886
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libc6
Version: 2.28-10+deb10u1
Severity: normal
Tags: patch
The CVE-2020-1752 was reported to glibc bugzilla[1].
CVE-2020-1752 description from NVD.
A use-after-free vulnerability introduced in glibc upstream version 2.14 was
found in the way the tilde expansion was carried out. Directory paths
containing an initial tilde followed by a valid username were affected by this
issue. A local attacker could exploit this flaw by creating a specially crafted
path that, when processed by the glob function, would potentially lead to
arbitrary code execution. This was fixed in version 2.32.
This CVE has been fixed in release/2.28/master branch[2] about two years ago
but there is no new upstream release for 2.28 series yet.
I ported upstream patch to 2.28-10+deb10u1.
1. https://sourceware.org/bugzilla/show_bug.cgi?id=25414
2.
https://sourceware.org/git/?p=glibc.git;a=patch;h=21344a3d62a29406fddeec069ee4eb3c341369f9
*** submitted-Fix-use-after-free-in-glob-when-expanding-user-bug.diff
Index: glibc-2.28/NEWS
===
--- glibc-2.28.orig/NEWS
+++ glibc-2.28/NEWS
@@ -69,6 +69,7 @@ The following bugs are resolved with thi
[24228] old x86 applications that use legacy libio crash on exit
[24476] dlfcn: Guard __dlerror_main_freeres with __libc_once_get (once)
[24744] io: Remove the copy_file_range emulation.
+ [25414] 'glob' use-after-free bug (CVE-2020-1752)
Security related changes:
@@ -97,6 +98,10 @@ Security related changes:
CVE-2019-9169: Attempted case-insensitive regular-expression match
via proceed_next_node in posix/regexec.c leads to heap-based buffer
over-read. Reported by Hongxu Chen.
+
+ CVE-2020-1752: A use-after-free vulnerability in the glob function when
+ expanding ~user has been fixed.
+
Version 2.28
Index: glibc-2.28/posix/glob.c
===
--- glibc-2.28.orig/posix/glob.c
+++ glibc-2.28/posix/glob.c
@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags,
{
size_t home_len = strlen (p->pw_dir);
size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
- char *d;
+ char *d, *newp;
+ bool use_alloca = glob_use_alloca (alloca_used,
+ home_len + rest_len + 1);
- if (__glibc_unlikely (malloc_dirname))
- free (dirname);
- malloc_dirname = 0;
-
- if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
- dirname = alloca_account (home_len + rest_len + 1,
- alloca_used);
+ if (use_alloca)
+ newp = alloca_account (home_len + rest_len + 1, alloca_used);
else
{
- dirname = malloc (home_len + rest_len + 1);
- if (dirname == NULL)
+ newp = malloc (home_len + rest_len + 1);
+ if (newp == NULL)
{
scratch_buffer_free ();
retval = GLOB_NOSPACE;
goto out;
}
- malloc_dirname = 1;
}
- d = mempcpy (dirname, p->pw_dir, home_len);
+ d = mempcpy (newp, p->pw_dir, home_len);
if (end_name != NULL)
d = mempcpy (d, end_name, rest_len);
*d = '\0';
+ if (__glibc_unlikely (malloc_dirname))
+ free (dirname);
+ dirname = newp;
+ malloc_dirname = !use_alloca;
+
dirlen = home_len + rest_len;
dirname_modified = 1;
}
-- System Information:
Debian Release: 10.12
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-21-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh
Bug#1021977: Tzdata timezone files corruption after clean debian 11 installation
Hi, On 2022-10-18 10:04, Satish Binda wrote: > Package: tzdata > Version: 2021a-1+deb11u7 > > Dear Debian, > > I wanted to change my timezone from europe/amsterdam to utc. > when i viewed the europe/amsterdam timezone file. I got corruption or Can you please give some details about what you tried to do, for instance which command did you try to "view" the timezone file? > malware > as I included in this email. I do not find anything included in the email, can you please give some more details? Regards Aurelien -- Aurelien Jarno GPG: 4096R/1DDD8C9B aurel...@aurel32.net http://www.aurel32.net
Processed: Re: Bug#1021973: iconv: undefined symbol after upgrade
Processing control commands: > tags -1 + confirmed Bug #1021973 [libc-bin] iconv: undefined symbol after upgrade Added tag(s) confirmed. -- 1021973: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021973 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1021973: iconv: undefined symbol after upgrade
Control: tags -1 + confirmed On Tue, Oct 18, 2022 at 09:13:05AM +0200, Guillaume Lefranc wrote: > after upgrading libc-bin from 2.28-10+deb10u1 to 2.28-10+deb10u2, the > following error appeared after running iconv the following way: > > iconv -cs -f 'UTF-8' -t 'UTF-8' /tmp/510754/import/import.1 > > iconv: relocation error: iconv: symbol __gconv_create_spec version > GLIBC_PRIVATE not defined in file libc.so.6 with link time reference I'm sorry for having missed this. The fix for this issue is quite obvious. libc-bin needs a tighter version constraint on libc6. Also libc6 needs to break old libc-bin. I don't think this is worth an update on its own though, because partial upgrades are an unusual thing to do. Indeed apt in unstable will make this even more difficult to perform. If there happens to be a regression update for other reasons, this should be fixed as well. Helmut
Bug#1021973: iconv: undefined symbol after upgrade
I think it was when a libc6 update broke NSS sometime in 2017, though I can
find only a reference to it in the Ubuntu bug tracker.
https://launchpad.net/ubuntu/+source/glibc/2.23-0ubuntu6
We could certainly unblacklist libc6 or blacklist both. I personally think
libc-bin should depend on an equivalent libc6 version but if you don't want
to make the change it's understandable as well
Regards
Guillaume
On Tue, 18 Oct 2022 at 12:11, Emilio Pozuelo Monfort
wrote:
> On 18/10/2022 11:59, Guillaume Lefranc wrote:
> > Yes.
> > The upgrade was automatically done by unattended-upgrades, but we have
> > libc6 blacklisted due to issues we encountered previously
>
> What kind of issues? Are they still relevant? Is there a bug report we
> could
> look at?
>
> In this case, I suggest you also block/pin libc-bin to the same version as
> libc6.
>
> Helmut, libc-bin could have a depends on libcX (>= ${binary:Version}),
> although
> this is such a corner case that I don't think an update is necessary just
> for this.
>
> Cheers,
> Emilio
>
> >
> > Unattended-Upgrade::Origins-Pattern {
> >
> "origin=Debian,codename=${distro_codename},label=Debian-Security";
> > };
> >
> > Unattended-Upgrade::Package-Blacklist {
> >"libc6";
> > };
> >
> > On Tue, 18 Oct 2022 at 09:23, Emilio Pozuelo Monfort
> > wrote:
> >
> >> On 18/10/2022 09:13, Guillaume Lefranc wrote:
> >>> Package: libc-bin
> >>> Version: 2.28-10+deb10u2
> >>> Severity: normal
> >>>
> >>> Dear Maintainer,
> >>>
> >>> after upgrading libc-bin from 2.28-10+deb10u1 to 2.28-10+deb10u2, the
> >> following error appeared after running iconv the following way:
> >>>
> >>> iconv -cs -f 'UTF-8' -t 'UTF-8' /tmp/510754/import/import.1
> >>>
> >>> iconv: relocation error: iconv: symbol __gconv_create_spec version
> >> GLIBC_PRIVATE not defined in file libc.so.6 with link time reference
> >>
> >> Any particular reason you upgraded libc-bin but not libc6?
> >>
> >> Cheers,
> >> Emilio
> >>
> >
> >
>
>
Processed: notfound 1021973 in glibc/2.31-13
Processing commands for cont...@bugs.debian.org: > notfound 1021973 glibc/2.31-13 Bug #1021973 [libc-bin] iconv: undefined symbol after upgrade Ignoring request to alter found versions of bug #1021973 to the same values previously set > thanks Stopping processing here. Please contact me if you need assistance. -- 1021973: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021973 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: found 1021973 in glibc/2.28-10+deb10u1
Processing commands for cont...@bugs.debian.org: > found 1021973 glibc/2.28-10+deb10u1 Bug #1021973 [libc-bin] iconv: undefined symbol after upgrade Marked as found in versions glibc/2.28-10+deb10u1. > thanks Stopping processing here. Please contact me if you need assistance. -- 1021973: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021973 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1021973: iconv: undefined symbol after upgrade
On 18/10/2022 11:59, Guillaume Lefranc wrote:
Yes.
The upgrade was automatically done by unattended-upgrades, but we have
libc6 blacklisted due to issues we encountered previously
What kind of issues? Are they still relevant? Is there a bug report we could
look at?
In this case, I suggest you also block/pin libc-bin to the same version as
libc6.
Helmut, libc-bin could have a depends on libcX (>= ${binary:Version}), although
this is such a corner case that I don't think an update is necessary just for this.
Cheers,
Emilio
Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
Unattended-Upgrade::Package-Blacklist {
"libc6";
};
On Tue, 18 Oct 2022 at 09:23, Emilio Pozuelo Monfort
wrote:
On 18/10/2022 09:13, Guillaume Lefranc wrote:
Package: libc-bin
Version: 2.28-10+deb10u2
Severity: normal
Dear Maintainer,
after upgrading libc-bin from 2.28-10+deb10u1 to 2.28-10+deb10u2, the
following error appeared after running iconv the following way:
iconv -cs -f 'UTF-8' -t 'UTF-8' /tmp/510754/import/import.1
iconv: relocation error: iconv: symbol __gconv_create_spec version
GLIBC_PRIVATE not defined in file libc.so.6 with link time reference
Any particular reason you upgraded libc-bin but not libc6?
Cheers,
Emilio
Bug#1021973: iconv: undefined symbol after upgrade
Yes.
The upgrade was automatically done by unattended-upgrades, but we have
libc6 blacklisted due to issues we encountered previously
Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
Unattended-Upgrade::Package-Blacklist {
"libc6";
};
On Tue, 18 Oct 2022 at 09:23, Emilio Pozuelo Monfort
wrote:
> On 18/10/2022 09:13, Guillaume Lefranc wrote:
> > Package: libc-bin
> > Version: 2.28-10+deb10u2
> > Severity: normal
> >
> > Dear Maintainer,
> >
> > after upgrading libc-bin from 2.28-10+deb10u1 to 2.28-10+deb10u2, the
> following error appeared after running iconv the following way:
> >
> > iconv -cs -f 'UTF-8' -t 'UTF-8' /tmp/510754/import/import.1
> >
> > iconv: relocation error: iconv: symbol __gconv_create_spec version
> GLIBC_PRIVATE not defined in file libc.so.6 with link time reference
>
> Any particular reason you upgraded libc-bin but not libc6?
>
> Cheers,
> Emilio
>
--
*Guillaume Lefranc* | Director of Engineering - Technical Operations
g...@productsup.com | +33 6 82 42 58 93 <+4930609858366>
www.productsup.com
*Products Up GmbH*
A globally operative company - *office locations*
HQ: Alex-Wedding-Str. 5, 10178 Berlin, Germany
HRB 214376 B Berlin Charlottenburg; VAT ID DE270578435; Tax No. 30/479/35480
Bug#1021977: Tzdata timezone files corruption after clean debian 11 installation
Package: tzdata Version: 2021a-1+deb11u7 Dear Debian, I wanted to change my timezone from europe/amsterdam to utc. when i viewed the europe/amsterdam timezone file. I got corruption or malware as I included in this email. All zone files as I can see contain either corruption or malware. This is on a fresh install of debian 11. I am going to reinstall the tzdata package if possible; but it is quite a breach. Yours truly, Satish Binda The Netherlands (ultra violence / agent 1 / kick some dust)
Bug#1021973: iconv: undefined symbol after upgrade
On 18/10/2022 09:13, Guillaume Lefranc wrote: Package: libc-bin Version: 2.28-10+deb10u2 Severity: normal Dear Maintainer, after upgrading libc-bin from 2.28-10+deb10u1 to 2.28-10+deb10u2, the following error appeared after running iconv the following way: iconv -cs -f 'UTF-8' -t 'UTF-8' /tmp/510754/import/import.1 iconv: relocation error: iconv: symbol __gconv_create_spec version GLIBC_PRIVATE not defined in file libc.so.6 with link time reference Any particular reason you upgraded libc-bin but not libc6? Cheers, Emilio
Bug#1021973: iconv: undefined symbol after upgrade
Package: libc-bin Version: 2.28-10+deb10u2 Severity: normal Dear Maintainer, after upgrading libc-bin from 2.28-10+deb10u1 to 2.28-10+deb10u2, the following error appeared after running iconv the following way: iconv -cs -f 'UTF-8' -t 'UTF-8' /tmp/510754/import/import.1 iconv: relocation error: iconv: symbol __gconv_create_spec version GLIBC_PRIVATE not defined in file libc.so.6 with link time reference -- System Information: Debian Release: 10.2 APT prefers oldstable-updates APT policy: (500, 'oldstable-updates'), (500, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-6-amd64 (SMP w/12 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages libc-bin depends on: ii libc6 2.28-10 Versions of packages libc-bin recommends: ii manpages 4.16-2 libc-bin suggests no packages. -- no debconf information
