Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5

2016-07-16 Thread Adam D. Barratt
Control: tags -1 + pending

On Wed, 2016-07-13 at 00:45 +0200, Aurelien Jarno wrote:
> On 2016-07-12 21:33, Adam D. Barratt wrote:
> > On Wed, 2016-06-08 at 00:28 +0200, Aurelien Jarno wrote:
> > > On 2016-05-29 17:19, Adam D. Barratt wrote:
> > > > Control: tags -1 -moreinfo +confirmed
> > > > 
> > > > On Sun, 2016-05-29 at 17:53 +0200, Aurelien Jarno wrote:
> > > > 
> > > > > Can we get this into jessie-proposed-updates just after the 8.5 release,
> > > > > so that it doesn't happen again for 8.6? Most of these changes were
> > > > > ready in our git repository for over a month, it's just I didn't get time
> > > > > this week to finish preparing the final upload.
> > > > 
> > > > That sounds like a good plan.
> > > 
> > > Now that the 8.5 release is out, I would like to upload glibc version
> > > 2.19-18+deb8u5 to jessie-proposed-updates. You will find the diff below,
> > > it only differs to the previous one by the addition of the CVE-2016-4429
> > > fix.
> > 
> > Please go ahead; apologies for the delay.
> 
> Thanks, I have just uploaded it.

Flagged for acceptance; thanks.

Regards,

Adam



Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5

2016-07-12 Thread Aurelien Jarno
On 2016-07-12 21:33, Adam D. Barratt wrote:
> On Wed, 2016-06-08 at 00:28 +0200, Aurelien Jarno wrote:
> > On 2016-05-29 17:19, Adam D. Barratt wrote:
> > > Control: tags -1 -moreinfo +confirmed
> > > 
> > > On Sun, 2016-05-29 at 17:53 +0200, Aurelien Jarno wrote:
> > > 
> > > > Can we get this into jessie-proposed-updates just after the 8.5 release,
> > > > so that it doesn't happen again for 8.6? Most of these changes were
> > > > ready in our git repository for over a month, it's just I didn't get time
> > > > this week to finish preparing the final upload.
> > > 
> > > That sounds like a good plan.
> > 
> > Now that the 8.5 release is out, I would like to upload glibc version
> > 2.19-18+deb8u5 to jessie-proposed-updates. You will find the diff below,
> > it only differs to the previous one by the addition of the CVE-2016-4429
> > fix.
> 
> Please go ahead; apologies for the delay.

Thanks, I have just uploaded it.

Regards,
Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net



Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5

2016-07-12 Thread Adam D. Barratt
On Wed, 2016-06-08 at 00:28 +0200, Aurelien Jarno wrote:
> On 2016-05-29 17:19, Adam D. Barratt wrote:
> > Control: tags -1 -moreinfo +confirmed
> > 
> > On Sun, 2016-05-29 at 17:53 +0200, Aurelien Jarno wrote:
> > 
> > > Can we get this into jessie-proposed-updates just after the 8.5 release,
> > > so that it doesn't happen again for 8.6? Most of these changes were
> > > ready in our git repository for over a month, it's just I didn't get time
> > > this week to finish preparing the final upload.
> > 
> > That sounds like a good plan.
> 
> Now that the 8.5 release is out, I would like to upload glibc version
> 2.19-18+deb8u5 to jessie-proposed-updates. You will find the diff below,
> it only differs to the previous one by the addition of the CVE-2016-4429
> fix.

Please go ahead; apologies for the delay.

Regards,

Adam



Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5

2016-07-09 Thread Aurelien Jarno
On 2016-06-08 00:28, Aurelien Jarno wrote:
> On 2016-05-29 17:19, Adam D. Barratt wrote:
> > Control: tags -1 -moreinfo +confirmed
> > 
> > On Sun, 2016-05-29 at 17:53 +0200, Aurelien Jarno wrote:
> > 
> > > Can we get this into jessie-proposed-updates just after the 8.5 release,
> > > so that it doesn't happen again for 8.6? Most of these changes were
> > > ready in our git repository for over a month, it's just I didn't get time
> > > this week to finish preparing the final upload.
> > 
> > That sounds like a good plan.
> 
> Now that the 8.5 release is out, I would like to upload glibc version
> 2.19-18+deb8u5 to jessie-proposed-updates. You will find the diff below,
> it only differs to the previous one by the addition of the CVE-2016-4429
> fix.

Ping.

Thanks,
Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net



Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5

2016-06-07 Thread Aurelien Jarno
On 2016-05-29 17:19, Adam D. Barratt wrote:
> Control: tags -1 -moreinfo +confirmed
> 
> On Sun, 2016-05-29 at 17:53 +0200, Aurelien Jarno wrote:
> 
> > Can we get this into jessie-proposed-updates just after the 8.5 release,
> > so that it doesn't happen again for 8.6? Most of these changes were
> > ready in our git repository for over a month, it's just I didn't get time
> > this week to finish preparing the final upload.
> 
> That sounds like a good plan.

Now that the 8.5 release is out, I would like to upload glibc version
2.19-18+deb8u5 to jessie-proposed-updates. You will find the diff below,
it only differs to the previous one by the addition of the CVE-2016-4429
fix.

Regards,
Aurelien


diff --git a/debian/changelog b/debian/changelog
index db98ce0..b619b11 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+glibc (2.19-18+deb8u5) UNRELEASED; urgency=medium
+
+  [ Aurelien Jarno ]
+  * Update from upstream stable branch:
+- Drop debian/patches/any/local-CVE-2015-7547.diff.
+- Refresh debian/patches/any/cvs-resolv-first-query-failure.diff.
+- Fix assertion failure with unconnectable name server addresses.
+  (regression introduced by CVE-2015-7547).  Closes: #816669.
+- Fix *context functions on s390x.
+- Fix a buffer overflow in the glob function (CVE-2016-1234).
+- Fix a stack overflow in nss_dns_getnetbyname_r (CVE-2016-3075).
+- Fix a stack overflow in getaddrinfo function (CVE-2016-3706).
+- Fix a stack overflow in Sun RPC clntudp_call() (CVE-2016-4429).
+
+ -- Aurelien Jarno   Sun, 01 May 2016 16:38:48 +0200
+
 glibc (2.19-18+deb8u4) stable; urgency=medium
 
   [ Aurelien Jarno ]
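Review bot: The trailer on the new entry was not refreshed when the CVE-2016-4429 item was added; it still reads "Sun, 01 May 2016 16:38:48 +0200", the same timestamp as in the earlier revision of this diff. Update it at upload time, and change the distribution from "UNRELEASED" to the target suite, as the 2.19-18+deb8u4 entry below does with "stable".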
diff --git a/debian/patches/any/cvs-resolv-first-query-failure.diff 
b/debian/patches/any/cvs-resolv-first-query-failure.diff
index d99e636..856d850 100644
--- a/debian/patches/any/cvs-resolv-first-query-failure.diff
+++ b/debian/patches/any/cvs-resolv-first-query-failure.diff
@@ -44,11 +44,11 @@ diff --git a/resolv/res_send.c b/resolv/res_send.c
if (recvresp1 || (buf2 != NULL && recvresp2)) {
  *resplen2 = 0;
  return resplen;
-@@ -1368,7 +1369,6 @@ send_dg(res_state statp,
+@@ -1527,7 +1528,6 @@  send_dg(res_state statp,
goto wait;
  }
  
 -  next_ns:
-   __res_iclose(statp, false);
/* don't retry if called from dig */
if (!statp->pfcode)
+ return close_and_return_error (statp, resplen2);
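Review bot: The refreshed inner hunk for send_dg still removes the "next_ns:" label, while its context no longer contains "__res_iclose(statp, false);" and now ends in "return close_and_return_error (statp, resplen2);". Please confirm that no "goto next_ns" is left in send_dg after the upstream update, otherwise the refreshed patch will apply but break the build.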
diff --git a/debian/patches/any/local-CVE-2015-7547.diff 
b/debian/patches/any/local-CVE-2015-7547.diff
deleted file mode 100644
index 0a93cd5..000
--- a/debian/patches/any/local-CVE-2015-7547.diff
+++ /dev/null
@@ -1,541 +0,0 @@
 a/resolv/nss_dns/dns-host.c
-+++ b/resolv/nss_dns/dns-host.c
-@@ -1052,7 +1052,10 @@
-   int h_namelen = 0;
- 
-   if (ancount == 0)
--return NSS_STATUS_NOTFOUND;
-+{
-+  *h_errnop = HOST_NOT_FOUND;
-+  return NSS_STATUS_NOTFOUND;
-+}
- 
-   while (ancount-- > 0 && cp < end_of_message && had_error == 0)
- {
-@@ -1229,7 +1232,14 @@
-   /* Special case here: if the resolver sent a result but it only
-  contains a CNAME while we are looking for a T_A or T_ record,
-  we fail with NOTFOUND instead of TRYAGAIN.  */
--  return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
-+  if (canon != NULL)
-+{
-+  *h_errnop = HOST_NOT_FOUND;
-+  return NSS_STATUS_NOTFOUND;
-+}
-+
-+  *h_errnop = NETDB_INTERNAL;
-+  return NSS_STATUS_TRYAGAIN;
- }
- 
- 
-@@ -1243,11 +1253,101 @@
- 
-   enum nss_status status = NSS_STATUS_NOTFOUND;
- 
-+  /* Combining the NSS status of two distinct queries requires some
-+ compromise and attention to symmetry (A or  queries can be
-+ returned in any order).  What follows is a breakdown of how this
-+ code is expected to work and why. We discuss only SUCCESS,
-+ TRYAGAIN, NOTFOUND and UNAVAIL, since they are the only returns
-+ that apply (though RETURN and MERGE exist).  We make a distinction
-+ between TRYAGAIN (recoverable) and TRYAGAIN' (not-recoverable).
-+ A recoverable TRYAGAIN is almost always due to buffer size issues
-+ and returns ERANGE in errno and the caller is expected to retry
-+ with a larger buffer.
-+
-+ Lastly, you may be tempted to make significant changes to the
-+ conditions in this code to bring about symmetry between responses.
-+ Please don't change anything without due consideration for
-+ expected application behaviour.  Some of the synthesized responses
-+ aren't very well thought out and sometimes appear to imply that
-+ IPv4 responses are always answer 1, and IPv6 responses are always
-+ answer 2, but that's not true (see the implemetnation of send_dg
-+ and send_vc to see response can arrive in any order, particlarly

Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5

2016-05-29 Thread Adam D. Barratt
Control: tags -1 -moreinfo +confirmed

On Sun, 2016-05-29 at 17:53 +0200, Aurelien Jarno wrote:
> On 2016-05-29 16:07, Adam D. Barratt wrote:
> > On Sun, 2016-05-29 at 14:48 +0200, Aurelien Jarno wrote:
> > > On 2016-05-29 12:03, Adam D. Barratt wrote:
> > > > Control: tags -1 + moreinfo
> > > > 
> > > > On Sat, 2016-05-28 at 23:43 +0200, Aurelien Jarno wrote:
> > > > > I would like to upload a new glibc package for the next jessie release.
> > > > > It's basically a pull from the upstream stable branch. It mostly fixes
> > > > > security issues which do not warrant a separate DSA, a regression
> > > > > introduced by CVE-2015-7547, and issues with *context functions on s390x
> > > > > preventing docker from working.
> > > > [...]
> > > > > I am really sorry for sending that so late with regards to the deadline,
> > > > > I really hope it can be included in the 8.5 release.
> > > > 
> > > > It is rather late, yes, particularly for such a key package. :-(
> > > > 
> > > > What's the urgency with getting this in for 8.5?
> > > > 
> > > 
> > > The idea is mostly to avoid having known security issues opened for too
> > > long, but I understand it is quite late.
> > 
> > Are any of them a particular issue in practical terms? Whilst I
> > appreciate the desire to not have known issues unfixed, and your work on
> > the package, I fear we're too late for 8.5 now.
> 
> Not as far as I know, but with the libc it depends how these functions
> are used in the programs. Anyway I understand it is too late for 8.5.

Understood, thanks.

> Can we get this into jessie-proposed-updates just after the 8.5 release,
> so that it doesn't happen again for 8.6? Most of these changes were
> ready in our git repository for over a month, it's just I didn't get time
> this week to finish preparing the final upload.

That sounds like a good plan.

Regards,

Adam



Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5

2016-05-29 Thread Aurelien Jarno
On 2016-05-29 16:07, Adam D. Barratt wrote:
> On Sun, 2016-05-29 at 14:48 +0200, Aurelien Jarno wrote:
> > On 2016-05-29 12:03, Adam D. Barratt wrote:
> > > Control: tags -1 + moreinfo
> > > 
> > > On Sat, 2016-05-28 at 23:43 +0200, Aurelien Jarno wrote:
> > > > I would like to upload a new glibc package for the next jessie release.
> > > > It's basically a pull from the upstream stable branch. It mostly fixes
> > > > security issues which do not warrant a separate DSA, a regression
> > > > introduced by CVE-2015-7547, and issues with *context functions on s390x
> > > > preventing docker from working.
> > > [...]
> > > > I am really sorry for sending that so late with regards to the deadline,
> > > > I really hope it can be included in the 8.5 release.
> > > 
> > > It is rather late, yes, particularly for such a key package. :-(
> > > 
> > > What's the urgency with getting this in for 8.5?
> > > 
> > 
> > The idea is mostly to avoid having known security issues opened for too
> > long, but I understand it is quite late.
> 
> Are any of them a particular issue in practical terms? Whilst I
> appreciate the desire to not have known issues unfixed, and your work on
> the package, I fear we're too late for 8.5 now.

Not as far as I know, but with the libc it depends how these functions
are used in the programs. Anyway I understand it is too late for 8.5.

Can we get this into jessie-proposed-updates just after the 8.5 release,
so that it doesn't happen again for 8.6? Most of these changes were
ready in our git repository for over a month, it's just I didn't get time
this week to finish preparing the final upload.

Regards,
Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net



Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5

2016-05-29 Thread Adam D. Barratt
On Sun, 2016-05-29 at 14:48 +0200, Aurelien Jarno wrote:
> On 2016-05-29 12:03, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> > 
> > On Sat, 2016-05-28 at 23:43 +0200, Aurelien Jarno wrote:
> > > I would like to upload a new glibc package for the next jessie release.
> > > It's basically a pull from the upstream stable branch. It mostly fixes
> > > security issues which do not warrant a separate DSA, a regression
> > > introduced by CVE-2015-7547, and issues with *context functions on s390x
> > > preventing docker from working.
> > [...]
> > > I am really sorry for sending that so late with regards to the deadline,
> > > I really hope it can be included in the 8.5 release.
> > 
> > It is rather late, yes, particularly for such a key package. :-(
> > 
> > What's the urgency with getting this in for 8.5?
> > 
> 
> The idea is mostly to avoid having known security issues opened for too
> long, but I understand it is quite late.

Are any of them a particular issue in practical terms? Whilst I
appreciate the desire to not have known issues unfixed, and your work on
the package, I fear we're too late for 8.5 now.

Regards,

Adam



Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5

2016-05-29 Thread Aurelien Jarno
On 2016-05-29 12:03, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On Sat, 2016-05-28 at 23:43 +0200, Aurelien Jarno wrote:
> > I would like to upload a new glibc package for the next jessie release.
> > It's basically a pull from the upstream stable branch. It mostly fixes
> > security issues which do not warrant a separate DSA, a regression
> > introduced by CVE-2015-7547, and issues with *context functions on s390x
> > preventing docker from working.
> [...]
> > I am really sorry for sending that so late with regards to the deadline,
> > I really hope it can be included in the 8.5 release.
> 
> It is rather late, yes, particularly for such a key package. :-(
> 
> What's the urgency with getting this in for 8.5?
> 

The idea is mostly to avoid having known security issues opened for too
long, but I understand it is quite late.

Regards,
Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net



Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5

2016-05-29 Thread Adam D. Barratt
Control: tags -1 + moreinfo

On Sat, 2016-05-28 at 23:43 +0200, Aurelien Jarno wrote:
> I would like to upload a new glibc package for the next jessie release.
> It's basically a pull from the upstream stable branch. It mostly fixes
> security issues which do not warrant a separate DSA, a regression
> introduced by CVE-2015-7547, and issues with *context functions on s390x
> preventing docker from working.
[...]
> I am really sorry for sending that so late with regards to the deadline,
> I really hope it can be included in the 8.5 release.

It is rather late, yes, particularly for such a key package. :-(

What's the urgency with getting this in for 8.5?

Regards,

Adam



Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5

2016-05-28 Thread Aurelien Jarno
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear stable release managers,

I would like to upload a new glibc package for the next jessie release.
It's basically a pull from the upstream stable branch. It mostly fixes
security issues which do not warrant a separate DSA, a regression
introduced by CVE-2015-7547, and issues with *context functions on s390x
preventing docker from working.

All those changes are already in testing/unstable/experimental for a few
weeks. You will find the diff below. It is a bit big given the patch we
were using for CVE-2015-7547 has been merged upstream, so it actually
appears twice in the diff.

I am really sorry for sending that so late with regards to the deadline,
I really hope it can be included in the 8.5 release.

Thanks,
Aurelien


diff --git a/debian/changelog b/debian/changelog
index db98ce0..c96e478 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+glibc (2.19-18+deb8u5) UNRELEASED; urgency=medium
+
+  [ Aurelien Jarno ]
+  * Update from upstream stable branch:
+- Drop debian/patches/any/local-CVE-2015-7547.diff.
+- Refresh debian/patches/any/cvs-resolv-first-query-failure.diff.
+- Fix assertion failure with unconnectable name server addresses.
+  (regression introduced by CVE-2015-7547).  Closes: #816669.
+- Fix *context functions on s390x.
+- Fix a buffer overflow in the glob function (CVE-2016-1234).
+- Fix a stack overflow in nss_dns_getnetbyname_r (CVE-2016-3075).
+- Fix a stack overflow in getaddrinfo function (CVE-2016-3706).
+
+ -- Aurelien Jarno   Sun, 01 May 2016 16:38:48 +0200
+
 glibc (2.19-18+deb8u4) stable; urgency=medium
 
   [ Aurelien Jarno ]
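Review bot: In the "Fix assertion failure with unconnectable name server addresses." item, the parenthetical "(regression introduced by CVE-2015-7547)" reads as if the CVE itself caused the regression; "introduced by the fix for CVE-2015-7547" would be clearer. The full stop also belongs after the closing parenthesis rather than before the opening one.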
diff --git a/debian/patches/any/cvs-resolv-first-query-failure.diff 
b/debian/patches/any/cvs-resolv-first-query-failure.diff
index d99e636..856d850 100644
--- a/debian/patches/any/cvs-resolv-first-query-failure.diff
+++ b/debian/patches/any/cvs-resolv-first-query-failure.diff
@@ -44,11 +44,11 @@ diff --git a/resolv/res_send.c b/resolv/res_send.c
if (recvresp1 || (buf2 != NULL && recvresp2)) {
  *resplen2 = 0;
  return resplen;
-@@ -1368,7 +1369,6 @@ send_dg(res_state statp,
+@@ -1527,7 +1528,6 @@  send_dg(res_state statp,
goto wait;
  }
  
 -  next_ns:
-   __res_iclose(statp, false);
/* don't retry if called from dig */
if (!statp->pfcode)
+ return close_and_return_error (statp, resplen2);
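Review bot: The inner hunk header moves from "-1368,7 +1369,6" to "-1527,7 +1528,6", a shift of 159 lines, so the code this patch sits on in resolv/res_send.c changed considerably with the upstream update. Please confirm the refresh was done against the updated tree and applies without fuzz; the new header also carries two spaces after the second "@@" where the old one had one.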
diff --git a/debian/patches/any/local-CVE-2015-7547.diff 
b/debian/patches/any/local-CVE-2015-7547.diff
deleted file mode 100644
index 0a93cd5..000
--- a/debian/patches/any/local-CVE-2015-7547.diff
+++ /dev/null
@@ -1,541 +0,0 @@
 a/resolv/nss_dns/dns-host.c
-+++ b/resolv/nss_dns/dns-host.c
-@@ -1052,7 +1052,10 @@
-   int h_namelen = 0;
- 
-   if (ancount == 0)
--return NSS_STATUS_NOTFOUND;
-+{
-+  *h_errnop = HOST_NOT_FOUND;
-+  return NSS_STATUS_NOTFOUND;
-+}
- 
-   while (ancount-- > 0 && cp < end_of_message && had_error == 0)
- {
-@@ -1229,7 +1232,14 @@
-   /* Special case here: if the resolver sent a result but it only
-  contains a CNAME while we are looking for a T_A or T_ record,
-  we fail with NOTFOUND instead of TRYAGAIN.  */
--  return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
-+  if (canon != NULL)
-+{
-+  *h_errnop = HOST_NOT_FOUND;
-+  return NSS_STATUS_NOTFOUND;
-+}
-+
-+  *h_errnop = NETDB_INTERNAL;
-+  return NSS_STATUS_TRYAGAIN;
- }
- 
- 
-@@ -1243,11 +1253,101 @@
- 
-   enum nss_status status = NSS_STATUS_NOTFOUND;
- 
-+  /* Combining the NSS status of two distinct queries requires some
-+ compromise and attention to symmetry (A or  queries can be
-+ returned in any order).  What follows is a breakdown of how this
-+ code is expected to work and why. We discuss only SUCCESS,
-+ TRYAGAIN, NOTFOUND and UNAVAIL, since they are the only returns
-+ that apply (though RETURN and MERGE exist).  We make a distinction
-+ between TRYAGAIN (recoverable) and TRYAGAIN' (not-recoverable).
-+ A recoverable TRYAGAIN is almost always due to buffer size issues
-+ and returns ERANGE in errno and the caller is expected to retry
-+ with a larger buffer.
-+
-+ Lastly, you may be tempted to make significant changes to the
-+ conditions in this code to bring about symmetry between responses.
-+ Please don't change anything without due consideration for
-+ expected application behaviour.  Some of the synthesized responses
-+ aren't very well thought out and sometimes appear to imply that
-+ IPv4 responses are always answer 1, and IPv6 responses are always
-+ answer 2, but that's not true (see the implemetnation of send_dg
-+
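Review bot: The covering mail says the CVE-2015-7547 patch "actually appears twice in the diff" because it was merged upstream, and this hunk is the deletion of the 541-line local copy. For a resolver patch of that size, state whether the upstream version is identical to the dropped one or list the differences, since the changelog also records a regression (#816669) against that fix.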