Bug#600667: eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid library search path

* Aurelien Jarno: I have just committed the fix, I am planning to do an upload soon to unstable. Do you think we should also fix it in stable? via a security release? FYI, I have uploaded eglibc 2.11.2-6+squeeze1 to testing-security. -- To UNSUBSCRIBE, email to

Bug#600667: eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid library search path

On Thu, Oct 21, 2010 at 03:43:59PM -0400, Michael Gilbert wrote: On Thu, 21 Oct 2010 19:36:04 +0200, Aurelien Jarno wrote: On Mon, Oct 18, 2010 at 06:58:45PM -0400, Michael Gilbert wrote: package: eglibc version: 2.11.2-6 severity: grave tag: patch an issue has been disclosed

Processing of glibc_2.7-18lenny6_amd64.changes

glibc_2.7-18lenny6_amd64.changes uploaded successfully to localhost along with the files: glibc-doc_2.7-18lenny6_all.deb glibc-source_2.7-18lenny6_all.deb locales_2.7-18lenny6_all.deb libc6_2.7-18lenny6_amd64.deb libc6-dev_2.7-18lenny6_amd64.deb libc6-prof_2.7-18lenny6_amd64.deb

Processing of glibc_2.7-18lenny6_source.changes

glibc_2.7-18lenny6_source.changes uploaded successfully to localhost along with the files: glibc_2.7-18lenny6.dsc glibc_2.7-18lenny6.diff.gz Greetings, Your Debian queue daemon (running on host franck.debian.org) -- To UNSUBSCRIBE, email to debian-glibc-requ...@lists.debian.org

glibc_2.7-18lenny6_source.changes REJECTED

Reject Reasons: source only uploads are not supported. Notes: Mapping stable-security to proposed-updates. === Please feel free to respond to this email if you don't understand why your files were rejected, or if you upload new files which address our concerns. -- To UNSUBSCRIBE, email

glibc_2.7-18lenny6_amd64.changes REJECTED

Reject Reasons: no source found for glibc 2.7-18lenny6 (libc6-prof_2.7-18lenny6_amd64.deb). no source found for glibc 2.7-18lenny6 (locales_2.7-18lenny6_all.deb). no source found for glibc 2.7-18lenny6 (libc6_2.7-18lenny6_amd64.deb). no source found for glibc 2.7-18lenny6

Processing of eglibc_2.11.2-6+squeeze1_amd64.changes

eglibc_2.11.2-6+squeeze1_amd64.changes uploaded successfully to localhost along with the files: eglibc_2.11.2-6+squeeze1.dsc eglibc_2.11.2.orig.tar.gz eglibc_2.11.2-6+squeeze1.diff.gz glibc-doc_2.11.2-6+squeeze1_all.deb eglibc-source_2.11.2-6+squeeze1_all.deb

Re: glibc_2.7-18lenny6_source.changes REJECTED

* Debian FTP Masters: Reject Reasons: source only uploads are not supported. Notes: Mapping stable-security to proposed-updates. Ahem. Should I upload a newer version to stable-proposed-updates, or is this a spurious error message? -- To UNSUBSCRIBE, email to

eglibc_2.11.2-6+squeeze1_amd64.changes ACCEPTED into testing-proposed-updates

Warnings: Propogating upload to unstable Propogating upload to unstable Propogating upload to unstable Propogating upload to unstable Propogating upload to unstable Propogating upload to unstable Propogating upload to unstable Propogating upload to unstable Propogating upload to unstable

eglibc override disparity

There are disparities between your recently accepted upload and the override file for the following file(s): libc6-i386_2.11.2-6+squeeze1_amd64.deb: package says priority is optional, override says standard. locales-all_2.11.2-6+squeeze1_amd64.deb: package says section is localization, override