Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5
Control: tags -1 + pending

On Wed, 2016-07-13 at 00:45 +0200, Aurelien Jarno wrote:
> On 2016-07-12 21:33, Adam D. Barratt wrote:
> > On Wed, 2016-06-08 at 00:28 +0200, Aurelien Jarno wrote:
> > > On 2016-05-29 17:19, Adam D. Barratt wrote:
> > > > Control: tags -1 -moreinfo +confirmed
> > > >
> > > > On Sun, 2016-05-29 at 17:53 +0200, Aurelien Jarno wrote:
> > > >
> > > > > Can we get this into jessie-proposed-updates just after the 8.5 release,
> > > > > so that it doesn't happen again for 8.6? Most of these changes were
> > > > > ready in our git repository for over a month, it's just I didn't get time
> > > > > this week to finish preparing the final upload.
> > > >
> > > > That sounds like a good plan.
> > >
> > > Now that the 8.5 release is out, I would like to upload glibc version
> > > 2.19-18+deb8u5 to jessie-proposed-updates. You will find the diff below,
> > > it only differs to the previous one by the addition of the CVE-2016-4429
> > > fix.
> >
> > Please go ahead; apologies for the delay.
>
> Thanks, I have just uploaded it.

Flagged for acceptance; thanks.

Regards,

Adam
Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5
On 2016-07-12 21:33, Adam D. Barratt wrote:
> On Wed, 2016-06-08 at 00:28 +0200, Aurelien Jarno wrote:
> > On 2016-05-29 17:19, Adam D. Barratt wrote:
> > > Control: tags -1 -moreinfo +confirmed
> > >
> > > On Sun, 2016-05-29 at 17:53 +0200, Aurelien Jarno wrote:
> > >
> > > > Can we get this into jessie-proposed-updates just after the 8.5 release,
> > > > so that it doesn't happen again for 8.6? Most of these changes were
> > > > ready in our git repository for over a month, it's just I didn't get time
> > > > this week to finish preparing the final upload.
> > >
> > > That sounds like a good plan.
> >
> > Now that the 8.5 release is out, I would like to upload glibc version
> > 2.19-18+deb8u5 to jessie-proposed-updates. You will find the diff below,
> > it only differs to the previous one by the addition of the CVE-2016-4429
> > fix.
>
> Please go ahead; apologies for the delay.

Thanks, I have just uploaded it.

Regards,
Aurelien

--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net
Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5
On Wed, 2016-06-08 at 00:28 +0200, Aurelien Jarno wrote:
> On 2016-05-29 17:19, Adam D. Barratt wrote:
> > Control: tags -1 -moreinfo +confirmed
> >
> > On Sun, 2016-05-29 at 17:53 +0200, Aurelien Jarno wrote:
> >
> > > Can we get this into jessie-proposed-updates just after the 8.5 release,
> > > so that it doesn't happen again for 8.6? Most of these changes were
> > > ready in our git repository for over a month, it's just I didn't get time
> > > this week to finish preparing the final upload.
> >
> > That sounds like a good plan.
>
> Now that the 8.5 release is out, I would like to upload glibc version
> 2.19-18+deb8u5 to jessie-proposed-updates. You will find the diff below,
> it only differs to the previous one by the addition of the CVE-2016-4429
> fix.

Please go ahead; apologies for the delay.

Regards,

Adam
Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5
On 2016-06-08 00:28, Aurelien Jarno wrote:
> On 2016-05-29 17:19, Adam D. Barratt wrote:
> > Control: tags -1 -moreinfo +confirmed
> >
> > On Sun, 2016-05-29 at 17:53 +0200, Aurelien Jarno wrote:
> >
> > > Can we get this into jessie-proposed-updates just after the 8.5 release,
> > > so that it doesn't happen again for 8.6? Most of these changes were
> > > ready in our git repository for over a month, it's just I didn't get time
> > > this week to finish preparing the final upload.
> >
> > That sounds like a good plan.
>
> Now that the 8.5 release is out, I would like to upload glibc version
> 2.19-18+deb8u5 to jessie-proposed-updates. You will find the diff below,
> it only differs to the previous one by the addition of the CVE-2016-4429
> fix.

Ping.

Thanks,
Aurelien

--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net
Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5
On 2016-05-29 17:19, Adam D. Barratt wrote:
> Control: tags -1 -moreinfo +confirmed
>
> On Sun, 2016-05-29 at 17:53 +0200, Aurelien Jarno wrote:
>
> > Can we get this into jessie-proposed-updates just after the 8.5 release,
> > so that it doesn't happen again for 8.6? Most of these changes were
> > ready in our git repository for over a month, it's just I didn't get time
> > this week to finish preparing the final upload.
>
> That sounds like a good plan.

Now that the 8.5 release is out, I would like to upload glibc version
2.19-18+deb8u5 to jessie-proposed-updates. You will find the diff below,
it only differs to the previous one by the addition of the CVE-2016-4429
fix.

Regards,
Aurelien

diff --git a/debian/changelog b/debian/changelog index db98ce0..b619b11 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,19 @@ +glibc (2.19-18+deb8u5) UNRELEASED; urgency=medium + + [ Aurelien Jarno ] + * Update from upstream stable branch: +- Drop debian/patches/any/local-CVE-2015-7547.diff. +- Refresh debian/patches/any/cvs-resolv-first-query-failure.diff. +- Fix assertion failure with unconnectable name server addresses. + (regression introduced by CVE-2015-7547). Closes: #816669. +- Fix *context functions on s390x. +- Fix a buffer overflow in the glob function (CVE-2016-1234). +- Fix a stack overflow in nss_dns_getnetbyname_r (CVE-2016-3075). +- Fix a stack overflow in getaddrinfo function (CVE-2016-3706). +- Fix a stack overflow in Sun RPC clntudp_call() (CVE-2016-4429). + + -- Aurelien JarnoSun, 01 May 2016 16:38:48 +0200 + glibc (2.19-18+deb8u4) stable; urgency=medium [ Aurelien Jarno ] diff --git a/debian/patches/any/cvs-resolv-first-query-failure.diff b/debian/patches/any/cvs-resolv-first-query-failure.diff index d99e636..856d850 100644 --- a/debian/patches/any/cvs-resolv-first-query-failure.diff +++ b/debian/patches/any/cvs-resolv-first-query-failure.diff @@ -44,11 +44,11 @@ 
diff --git a/resolv/res_send.c b/resolv/res_send.c if (recvresp1 || (buf2 != NULL && recvresp2)) { *resplen2 = 0; return resplen; -@@ -1368,7 +1369,6 @@ send_dg(res_state statp, +@@ -1527,7 +1528,6 @@ send_dg(res_state statp, goto wait; } - next_ns: - __res_iclose(statp, false); /* don't retry if called from dig */ if (!statp->pfcode) + return close_and_return_error (statp, resplen2); diff --git a/debian/patches/any/local-CVE-2015-7547.diff b/debian/patches/any/local-CVE-2015-7547.diff deleted file mode 100644 index 0a93cd5..000 --- a/debian/patches/any/local-CVE-2015-7547.diff +++ /dev/null 
@@ -1,541 +0,0 @@ a/resolv/nss_dns/dns-host.c -+++ b/resolv/nss_dns/dns-host.c -@@ -1052,7 +1052,10 @@ - int h_namelen = 0; - - if (ancount == 0) --return NSS_STATUS_NOTFOUND; -+{ -+ *h_errnop = HOST_NOT_FOUND; -+ return NSS_STATUS_NOTFOUND; -+} - - while (ancount-- > 0 && cp < end_of_message && had_error == 0) - { -@@ -1229,7 +1232,14 @@ - /* Special case here: if the resolver sent a result but it only - contains a CNAME while we are looking for a T_A or T_ record, - we fail with NOTFOUND instead of TRYAGAIN. */ -- return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND; -+ if (canon != NULL) -+{ -+ *h_errnop = HOST_NOT_FOUND; -+ return NSS_STATUS_NOTFOUND; -+} -+ -+ *h_errnop = NETDB_INTERNAL; -+ return NSS_STATUS_TRYAGAIN; - } - - -@@ -1243,11 +1253,101 @@ - - enum nss_status status = NSS_STATUS_NOTFOUND; - -+ /* Combining the NSS status of two distinct queries requires some -+ compromise and attention to symmetry (A or queries can be -+ returned in any order). What follows is a breakdown of how this -+ code is expected to work and why. We discuss only SUCCESS, -+ TRYAGAIN, NOTFOUND and UNAVAIL, since they are the only returns -+ that apply (though RETURN and MERGE exist). We make a distinction -+ between TRYAGAIN (recoverable) and TRYAGAIN' (not-recoverable). -+ A recoverable TRYAGAIN is almost always due to buffer size issues -+ and returns ERANGE in errno and the caller is expected to retry -+ with a larger buffer. -+ -+ Lastly, you may be tempted to make significant changes to the -+ conditions in this code to bring about symmetry between responses. -+ Please don't change anything without due consideration for -+ expected application behaviour. Some of the synthesized responses -+ aren't very well thought out and sometimes appear to imply that -+ IPv4 responses are always answer 1, and IPv6 responses are always -+ answer 2, but that's not true (see the implemetnation of send_dg -+ and send_vc to see response can arrive in any order, particlarly
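Review bot: In the debian/changelog hunk, the trailer line still carries `Sun, 01 May 2016 16:38:48 +0200` and the distribution is still `UNRELEASED`, even though this revision adds the CVE-2016-4429 entry and is intended for jessie-proposed-updates. Before upload, set the distribution as the preceding entry does (`glibc (2.19-18+deb8u4) stable`) and refresh the timestamp so the changelog reflects when the final set of fixes was assembled.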
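Review bot: In the refreshed debian/patches/any/cvs-resolv-first-query-failure.diff, the inner send_dg hunk moves from `-1368,7 +1369,6` to `-1527,7 +1528,6` and its context now ends in `return close_and_return_error (statp, resplen2);`, but nothing visible records what the patch was refreshed against. Because the hunk touches the `__res_iclose(statp, false)` call next to a return that now goes through close_and_return_error, the patch header should name the upstream stable-branch state it was rebased onto and state that it applies without fuzz.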
Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5
Control: tags -1 -moreinfo +confirmed

On Sun, 2016-05-29 at 17:53 +0200, Aurelien Jarno wrote:
> On 2016-05-29 16:07, Adam D. Barratt wrote:
> > On Sun, 2016-05-29 at 14:48 +0200, Aurelien Jarno wrote:
> > > On 2016-05-29 12:03, Adam D. Barratt wrote:
> > > > Control: tags -1 + moreinfo
> > > >
> > > > On Sat, 2016-05-28 at 23:43 +0200, Aurelien Jarno wrote:
> > > > > I would like to upload a new glibc package for the next jessie release.
> > > > > It's basically a pull from the upstream stable branch. It mostly fixes
> > > > > security issues which do not warrant a separate DSA, a regression
> > > > > introduced by CVE-2015-7547, and issues with *context functions on s390x
> > > > > preventing docker from working.
> > > > [...]
> > > > > I am really sorry for sending that so late with regards to the deadline,
> > > > > I really hope it can be included in the 8.5 release.
> > > >
> > > > It is rather late, yes, particularly for such a key package. :-(
> > > >
> > > > What's the urgency with getting this in for 8.5?
> > > >
> > >
> > > The idea is mostly to avoid having known security issues opened for too
> > > long, but I understand it is quite late.
> >
> > Are any of them a particular issue in practical terms? Whilst I
> > appreciate the desire to not have known issues unfixed, and your work on
> > the package, I fear we're too late for 8.5 now.
>
> Not as far as I know, but with the libc it depends how these functions
> are used in the programs. Anyway I understand it is too late for 8.5.

Understood, thanks.

> Can we get this into jessie-proposed-updates just after the 8.5 release,
> so that it doesn't happen again for 8.6? Most of these changes were
> ready in our git repository for over a month, it's just I didn't get time
> this week to finish preparing the final upload.

That sounds like a good plan.

Regards,

Adam
Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5
On 2016-05-29 16:07, Adam D. Barratt wrote:
> On Sun, 2016-05-29 at 14:48 +0200, Aurelien Jarno wrote:
> > On 2016-05-29 12:03, Adam D. Barratt wrote:
> > > Control: tags -1 + moreinfo
> > >
> > > On Sat, 2016-05-28 at 23:43 +0200, Aurelien Jarno wrote:
> > > > I would like to upload a new glibc package for the next jessie release.
> > > > It's basically a pull from the upstream stable branch. It mostly fixes
> > > > security issues which do not warrant a separate DSA, a regression
> > > > introduced by CVE-2015-7547, and issues with *context functions on s390x
> > > > preventing docker from working.
> > > [...]
> > > > I am really sorry for sending that so late with regards to the deadline,
> > > > I really hope it can be included in the 8.5 release.
> > >
> > > It is rather late, yes, particularly for such a key package. :-(
> > >
> > > What's the urgency with getting this in for 8.5?
> > >
> >
> > The idea is mostly to avoid having known security issues opened for too
> > long, but I understand it is quite late.
>
> Are any of them a particular issue in practical terms? Whilst I
> appreciate the desire to not have known issues unfixed, and your work on
> the package, I fear we're too late for 8.5 now.

Not as far as I know, but with the libc it depends how these functions
are used in the programs. Anyway I understand it is too late for 8.5.

Can we get this into jessie-proposed-updates just after the 8.5 release,
so that it doesn't happen again for 8.6? Most of these changes were
ready in our git repository for over a month, it's just I didn't get time
this week to finish preparing the final upload.

Regards,
Aurelien

--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net
Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5
On Sun, 2016-05-29 at 14:48 +0200, Aurelien Jarno wrote:
> On 2016-05-29 12:03, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> >
> > On Sat, 2016-05-28 at 23:43 +0200, Aurelien Jarno wrote:
> > > I would like to upload a new glibc package for the next jessie release.
> > > It's basically a pull from the upstream stable branch. It mostly fixes
> > > security issues which do not warrant a separate DSA, a regression
> > > introduced by CVE-2015-7547, and issues with *context functions on s390x
> > > preventing docker from working.
> > [...]
> > > I am really sorry for sending that so late with regards to the deadline,
> > > I really hope it can be included in the 8.5 release.
> >
> > It is rather late, yes, particularly for such a key package. :-(
> >
> > What's the urgency with getting this in for 8.5?
> >
>
> The idea is mostly to avoid having known security issues opened for too
> long, but I understand it is quite late.

Are any of them a particular issue in practical terms? Whilst I
appreciate the desire to not have known issues unfixed, and your work on
the package, I fear we're too late for 8.5 now.

Regards,

Adam
Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5
On 2016-05-29 12:03, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Sat, 2016-05-28 at 23:43 +0200, Aurelien Jarno wrote:
> > I would like to upload a new glibc package for the next jessie release.
> > It's basically a pull from the upstream stable branch. It mostly fixes
> > security issues which do not warrant a separate DSA, a regression
> > introduced by CVE-2015-7547, and issues with *context functions on s390x
> > preventing docker from working.
> [...]
> > I am really sorry for sending that so late with regards to the deadline,
> > I really hope it can be included in the 8.5 release.
>
> It is rather late, yes, particularly for such a key package. :-(
>
> What's the urgency with getting this in for 8.5?
>

The idea is mostly to avoid having known security issues opened for too
long, but I understand it is quite late.

Regards,
Aurelien

--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net
Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5
Control: tags -1 + moreinfo

On Sat, 2016-05-28 at 23:43 +0200, Aurelien Jarno wrote:
> I would like to upload a new glibc package for the next jessie release.
> It's basically a pull from the upstream stable branch. It mostly fixes
> security issues which do not warrant a separate DSA, a regression
> introduced by CVE-2015-7547, and issues with *context functions on s390x
> preventing docker from working.
[...]
> I am really sorry for sending that so late with regards to the deadline,
> I really hope it can be included in the 8.5 release.

It is rather late, yes, particularly for such a key package. :-(

What's the urgency with getting this in for 8.5?

Regards,

Adam
Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear stable release managers,

I would like to upload a new glibc package for the next jessie release.
It's basically a pull from the upstream stable branch. It mostly fixes
security issues which do not warrant a separate DSA, a regression
introduced by CVE-2015-7547, and issues with *context functions on s390x
preventing docker from working.

All those changes are already in testing/unstable/experimental for a few
weeks.

You will find the diff below. It is a bit big given the patch we were
using for CVE-2015-7547 has been merged upstream, so it actually appears
twice in the diff.

I am really sorry for sending that so late with regards to the deadline,
I really hope it can be included in the 8.5 release.

Thanks,
Aurelien

diff --git a/debian/changelog b/debian/changelog index db98ce0..c96e478 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,18 @@ +glibc (2.19-18+deb8u5) UNRELEASED; urgency=medium + + [ Aurelien Jarno ] + * Update from upstream stable branch: +- Drop debian/patches/any/local-CVE-2015-7547.diff. +- Refresh debian/patches/any/cvs-resolv-first-query-failure.diff. +- Fix assertion failure with unconnectable name server addresses. + (regression introduced by CVE-2015-7547). Closes: #816669. +- Fix *context functions on s390x. +- Fix a buffer overflow in the glob function (CVE-2016-1234). +- Fix a stack overflow in nss_dns_getnetbyname_r (CVE-2016-3075). +- Fix a stack overflow in getaddrinfo function (CVE-2016-3706). + + -- Aurelien JarnoSun, 01 May 2016 16:38:48 +0200 + glibc (2.19-18+deb8u4) stable; urgency=medium [ Aurelien Jarno ] diff --git a/debian/patches/any/cvs-resolv-first-query-failure.diff b/debian/patches/any/cvs-resolv-first-query-failure.diff index d99e636..856d850 100644 --- a/debian/patches/any/cvs-resolv-first-query-failure.diff +++ b/debian/patches/any/cvs-resolv-first-query-failure.diff @@ -44,11 +44,11 @@ 
diff --git a/resolv/res_send.c b/resolv/res_send.c if (recvresp1 || (buf2 != NULL && recvresp2)) { *resplen2 = 0; return resplen; -@@ -1368,7 +1369,6 @@ send_dg(res_state statp, +@@ -1527,7 +1528,6 @@ send_dg(res_state statp, goto wait; } - next_ns: - __res_iclose(statp, false); /* don't retry if called from dig */ if (!statp->pfcode) + return close_and_return_error (statp, resplen2); diff --git a/debian/patches/any/local-CVE-2015-7547.diff b/debian/patches/any/local-CVE-2015-7547.diff deleted file mode 100644 index 0a93cd5..000 --- a/debian/patches/any/local-CVE-2015-7547.diff +++ /dev/null 
@@ -1,541 +0,0 @@ a/resolv/nss_dns/dns-host.c -+++ b/resolv/nss_dns/dns-host.c -@@ -1052,7 +1052,10 @@ - int h_namelen = 0; - - if (ancount == 0) --return NSS_STATUS_NOTFOUND; -+{ -+ *h_errnop = HOST_NOT_FOUND; -+ return NSS_STATUS_NOTFOUND; -+} - - while (ancount-- > 0 && cp < end_of_message && had_error == 0) - { -@@ -1229,7 +1232,14 @@ - /* Special case here: if the resolver sent a result but it only - contains a CNAME while we are looking for a T_A or T_ record, - we fail with NOTFOUND instead of TRYAGAIN. */ -- return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND; -+ if (canon != NULL) -+{ -+ *h_errnop = HOST_NOT_FOUND; -+ return NSS_STATUS_NOTFOUND; -+} -+ -+ *h_errnop = NETDB_INTERNAL; -+ return NSS_STATUS_TRYAGAIN; - } - - -@@ -1243,11 +1253,101 @@ - - enum nss_status status = NSS_STATUS_NOTFOUND; - -+ /* Combining the NSS status of two distinct queries requires some -+ compromise and attention to symmetry (A or queries can be -+ returned in any order). What follows is a breakdown of how this -+ code is expected to work and why. We discuss only SUCCESS, -+ TRYAGAIN, NOTFOUND and UNAVAIL, since they are the only returns -+ that apply (though RETURN and MERGE exist). We make a distinction -+ between TRYAGAIN (recoverable) and TRYAGAIN' (not-recoverable). -+ A recoverable TRYAGAIN is almost always due to buffer size issues -+ and returns ERANGE in errno and the caller is expected to retry -+ with a larger buffer. -+ -+ Lastly, you may be tempted to make significant changes to the -+ conditions in this code to bring about symmetry between responses. -+ Please don't change anything without due consideration for -+ expected application behaviour. Some of the synthesized responses -+ aren't very well thought out and sometimes appear to imply that -+ IPv4 responses are always answer 1, and IPv6 responses are always -+ answer 2, but that's not true (see the implemetnation of send_dg -+
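Review bot: In the debian/changelog hunk, the entry `(regression introduced by CVE-2015-7547). Closes: #816669.` blames the CVE itself rather than its fix, and the line before it already ends with a full stop ahead of the parenthesis. Suggest `Fix assertion failure with unconnectable name server addresses (regression introduced by the CVE-2015-7547 fix). Closes: #816669.` so that anyone reading the changelog for security history is not misled about where the regression came from.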
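Review bot: The removal of debian/patches/any/local-CVE-2015-7547.diff (`deleted file mode 100644`, `@@ -1,541 +0,0 @@`) should come with the removal of its entry from the patch series file, and no such hunk appears in the part of the diff shown here. Worth confirming before upload, since a series entry pointing at a deleted patch breaks the build, and worth checking that the upstream version carries everything the local patch did, such as the `*h_errnop = HOST_NOT_FOUND` assignments visible in the deleted dns-host.c hunks.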