Your message dated Sat, 10 Feb 2024 13:02:59 +0000
with message-id <e1ryn0v-002xts...@coccia.debian.org>
and subject line Released with 11.9
has caused the Debian Bug report #1062006,
regarding bullseye-pu: package glibc/2.31-13+deb11u8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1062006: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1062006
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gl...@packages.debian.org
Control: affects -1 + src:glibc

[ Reason ]
A memory corruption was discovered in glibc's qsort()
function, due to a missing bounds check, when called by a program
with a non-transitive comparison function and a large number of
attacker-controlled elements. As the use of qsort() with a
non-transitive comparison function is undefined according to the POSIX and
ISO C standards, this is not considered a vulnerability in glibc
itself (hence no CVE number has been assigned).

However, as misbehaving callers seem to be relatively common, it is
still a security issue and the qsort() function needs to be hardened
against them.

[ Impact ]
Installations will be left vulnerable to the qsort() security issue.

[ Tests ]
There is no specific test added for that change, however there are a few
upstream tests checking qsort().

[ Risks ]
The code change is very simple, and has been reviewed as part of
DSA-561-11. In addition a similar change went upstream a few weeks ago:
https://sourceware.org/git/?p=glibc.git;a=commit;h=e4d8117b82065dc72e8df80097360e7c05a349b9
https://sourceware.org/git/?p=glibc.git;a=commit;h=b9390ba93676c4b1e87e218af5e7e4bb596312ac

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The change basically just adds a bounds check to a test. This is what got
uploaded in 2.36-9+deb12u4 for bookworm-security and 2.37-15 for
unstable.

[ Other info ]
Given the limited changes, I have already uploaded the package to the
archive. Thanks for considering. 
diff -Nru glibc-2.31/debian/changelog glibc-2.31/debian/changelog
--- glibc-2.31/debian/changelog 2023-10-02 22:22:57.000000000 +0200
+++ glibc-2.31/debian/changelog 2024-01-28 23:58:14.000000000 +0100
@@ -1,3 +1,10 @@
+glibc (2.31-13+deb11u8) bullseye; urgency=medium
+
+  * debian/patches/any/local-qsort-memory-corruption.patch: Fix a memory
+    corruption in qsort() when using nontransitive comparison functions.
+
+ -- Aurelien Jarno <aure...@debian.org>  Sun, 28 Jan 2024 23:58:14 +0100
+
 glibc (2.31-13+deb11u7) bullseye-security; urgency=medium
 
   * debian/patches/any/local-CVE-2023-4911.patch: Fix a buffer overflow in the
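Review bot: the new changelog entry starting at `+  * debian/patches/any/local-qsort-memory-corruption.patch: Fix a memory` gives no reference that a later reader can follow: there is no CVE for this issue (as the [ Reason ] section says), and the entry names neither the upstream commits listed under [ Risks ] nor this bug number. Since the usual CVE cross-reference is missing, consider adding the upstream commit ids or `Closes: #1062006` to the entry so the security history of the package stays traceable.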
diff -Nru glibc-2.31/debian/patches/any/local-qsort-memory-corruption.patch 
glibc-2.31/debian/patches/any/local-qsort-memory-corruption.patch
--- glibc-2.31/debian/patches/any/local-qsort-memory-corruption.patch   
1970-01-01 01:00:00.000000000 +0100
+++ glibc-2.31/debian/patches/any/local-qsort-memory-corruption.patch   
2024-01-28 23:58:14.000000000 +0100
@@ -0,0 +1,13 @@
+diff -rup a/stdlib/qsort.c b/stdlib/qsort.c
+--- a/stdlib/qsort.c   2023-07-31 10:54:16.000000000 -0700
++++ b/stdlib/qsort.c   2024-01-15 09:08:25.596167959 -0800
+@@ -224,7 +224,8 @@ _quicksort (void *const pbase, size_t to
+     while ((run_ptr += size) <= end_ptr)
+       {
+       tmp_ptr = run_ptr - size;
+-      while ((*cmp) ((void *) run_ptr, (void *) tmp_ptr, arg) < 0)
++      while (tmp_ptr != base_ptr
++             && (*cmp) ((void *) run_ptr, (void *) tmp_ptr, arg) < 0)
+         tmp_ptr -= size;
+ 
+       tmp_ptr += size;
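Review bot: the new patch file begins directly with `+diff -rup a/stdlib/qsort.c b/stdlib/qsort.c` and carries no DEP-3 header (Description, Origin, Bug), so nothing in the file records that it corresponds to the two upstream commits cited under [ Risks ]; a short header pointing at those commits would make the next rebase and any later audit easier. On the change itself, the placement is right: `tmp_ptr != base_ptr` is the left operand of the `&&`, so it is evaluated before `(*cmp)` and the comparison function is never invoked with a pointer that has stepped below `base_ptr`. Without it, the inner `while` terminates only when some earlier element compares not-less than `*run_ptr`, which a non-transitive comparison function cannot guarantee.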
diff -Nru glibc-2.31/debian/patches/series glibc-2.31/debian/patches/series
--- glibc-2.31/debian/patches/series    2023-10-02 22:18:17.000000000 +0200
+++ glibc-2.31/debian/patches/series    2024-01-28 23:58:14.000000000 +0100
@@ -170,3 +170,4 @@
 any/git-ld.so-cache-endianness-markup.diff
 any/local-CVE-2021-33574-mq_notify-use-after-free.diff
 any/local-CVE-2023-4911.patch
+any/local-qsort-memory-corruption.patch

--- End Message ---
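The bounds check described under [ Reason ] and [ Changes ] above, worked through as an added example that is not glibc's code and not part of the bug report: a stand-alone model of the insertion-sort pass whose inner loop the patch guards, run against a constructed comparator of the non-transitive kind the report describes. The function, its returned counter and both comparators are hypothetical; only the pointer names follow the hunk, and the `arg` parameter is dropped.

```c
#include <stddef.h>
typedef int (*cmp_fn)(const void *, const void *);

static void swap_elem(char *a, char *b, size_t size) {
    for (size_t i = 0; i < size; i++) { char c = a[i]; a[i] = b[i]; b[i] = c; }
}

/* Hypothetical model of glibc's insertion-sort pass with the patched inner loop
   (pointer names follow the hunk; the 'arg' parameter is dropped). Sorts n
   elements of 'size' bytes in place and returns how many times the unguarded
   loop would have stepped tmp_ptr below base_ptr, i.e. the out-of-bounds reads
   that the added 'tmp_ptr != base_ptr' check prevents. */
size_t insertion_sort_guarded(void *pbase, size_t n, size_t size, cmp_fn cmp) {
    char *base_ptr = pbase, *run_ptr, *tmp_ptr = base_ptr, *end_ptr;
    size_t prevented = 0;
    if (n < 2) return 0;
    end_ptr = base_ptr + size * (n - 1);
    /* Put the smallest element first: with a consistent comparator it is a
       sentinel the inner loop can never pass, so the old loop had no check. */
    for (run_ptr = base_ptr + size; run_ptr <= end_ptr; run_ptr += size)
        if (cmp(run_ptr, tmp_ptr) < 0)
            tmp_ptr = run_ptr;
    if (tmp_ptr != base_ptr) swap_elem(tmp_ptr, base_ptr, size);
    run_ptr = base_ptr + size;
    while ((run_ptr += size) <= end_ptr) {
        tmp_ptr = run_ptr - size;
        /* Patched form: the bounds check is evaluated before the comparator. */
        while (tmp_ptr != base_ptr && cmp(run_ptr, tmp_ptr) < 0)
            tmp_ptr -= size;
        /* A non-transitive comparator can still claim run_ptr < sentinel; the
           unguarded loop would then have read memory before base_ptr. */
        if (tmp_ptr == base_ptr && cmp(run_ptr, base_ptr) < 0)
            prevented++;
        tmp_ptr += size;
        /* Bubble run_ptr's element down into its slot at tmp_ptr. */
        for (char *p = run_ptr; p != tmp_ptr; p -= size)
            swap_elem(p, p - size, size);
    }
    return prevented;
}

/* Constructed comparators: a correct one, and a common buggy "descending" one
   that never returns 0, so two equal elements each compare less than the other. */
int int_cmp(const void *a, const void *b) {
    int x = *(const int *)a, y = *(const int *)b;
    return (x > y) - (x < y);
}
int bad_desc_cmp(const void *a, const void *b) {
    return *(const int *)a < *(const int *)b ? 1 : -1;
}
```

With `int_cmp` the counter stays at 0 for any input; with `bad_desc_cmp` on an array containing a duplicate of its largest value the counter is non-zero, which is exactly the input class for which the unguarded loop read before the array.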
--- Begin Message ---
Version: 11.9

The upload requested in this bug has been released as part of 11.9.

--- End Message ---
