Your message dated Thu, 18 Jun 2026 20:42:54 +0000
with message-id <[email protected]>
and subject line Bug#1134544: fixed in glibc 2.42-17
has caused the Debian Bug report #1134544,
regarding glibc: CVE-2026-5928
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1134544: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134544
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: glibc
Version: 2.42-15
Severity: important
Tags: security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=33998
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for glibc.
CVE-2026-5928[0]:
| Calling the ungetwc function on a FILE stream with wide characters
| encoded in a character set that has overlaps between its single byte
| and multi-byte character encodings, in the GNU C Library version
| 2.43 or earlier, may result in an attempt to read bytes before an
| allocated buffer, potentially resulting in unintentional disclosure
| of neighboring data in the heap, or a program crash. A bug in the
| wide character pushback implementation (_IO_wdefault_pbackfail in
| libio/wgenops.c) causes ungetwc() to operate on the regular
| character buffer (fp->_IO_read_ptr) instead of the actual wide-
| stream read pointer (fp->_wide_data->_IO_read_ptr). The program
| crash may happen in cases where fp->_IO_read_ptr is not initialized
| and hence points to NULL. The buffer under-read requires a special
| situation where the input character encoding is such that there are
| overlaps between single byte representations and multibyte
| representations in that encoding, resulting in spurious matches. The
| spurious match case is not possible in the standard Unicode
| character sets.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-5928
https://www.cve.org/CVERecord?id=CVE-2026-5928
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=33998
[2] https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0010
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
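The pointer mix-up described in the advisory text above, as an added C model that is not glibc's code and not part of the original report: it contrasts a pushback fast path that works through the byte read pointer with one that uses the wide read pointer. `struct model_stream`, `enum pb` and both function names are hypothetical, the guard on the wide pointer is an assumption, and unsafe accesses are reported as result codes instead of being performed.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Hypothetical model, not glibc's FILE layout: two buffers, two read pointers. */
struct model_stream {
    const unsigned char *byte_base, *byte_ptr; /* models fp->_IO_read_ptr */
    const wchar_t *wide_base, *wide_ptr;       /* models fp->_wide_data->_IO_read_ptr */
};

enum pb { PB_REWOUND_WIDE, PB_REWOUND_BYTE, PB_BACKUP_AREA, PB_NULL_DEREF, PB_UNDER_READ };

/* Flawed fast path: compares and rewinds through the byte pointer.
   Unsafe accesses are reported as a result code, never performed. */
enum pb model_pbackfail_flawed(struct model_stream *s, wint_t c)
{
    if (s->wide_ptr > s->wide_base) {       /* assumed guard on wide data */
        if (s->byte_ptr == NULL)
            return PB_NULL_DEREF;           /* the crash case */
        if (s->byte_ptr <= s->byte_base)
            return PB_UNDER_READ;           /* byte_ptr[-1] is before the buffer */
        if ((wint_t)s->byte_ptr[-1] == c) { /* spurious match on a raw byte */
            --s->byte_ptr;                  /* wrong buffer rewound */
            return PB_REWOUND_BYTE;
        }
    }
    return PB_BACKUP_AREA;                  /* slow path, modelled as a code only */
}

/* Corrected fast path: compares against and rewinds the wide read pointer. */
enum pb model_pbackfail_fixed(struct model_stream *s, wint_t c)
{
    if (s->wide_ptr > s->wide_base && (wint_t)s->wide_ptr[-1] == c) {
        --s->wide_ptr;
        return PB_REWOUND_WIDE;
    }
    return PB_BACKUP_AREA;
}

int main(void)
{
    /* Constructed sample: one wide char consumed, one raw byte consumed. */
    static const unsigned char bytes[] = { 0x82, 0xA0 };
    static const wchar_t wides[] = { 0x3042 };
    struct model_stream s = { bytes, bytes + 1, wides, wides + 1 };
    printf("flawed, 1st call: %d\n", model_pbackfail_flawed(&s, 0x82));
    printf("flawed, 2nd call: %d\n", model_pbackfail_flawed(&s, 0x82));
    return 0;
}
```

In the model, a first spurious byte match rewinds the byte pointer to its base, so the next call would compare against a byte before the buffer; the corrected path never touches the byte pointer.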
--- Begin Message ---
Source: glibc
Source-Version: 2.42-17
Done: Aurelien Jarno <[email protected]>
We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aurelien Jarno <[email protected]> (supplier of updated glibc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 18 Jun 2026 21:48:16 +0200
Source: glibc
Architecture: source
Version: 2.42-17
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers <[email protected]>
Changed-By: Aurelien Jarno <[email protected]>
Closes: 1133139 1134543 1134544
Changes:
glibc (2.42-17) unstable; urgency=medium
.
[ Aurelien Jarno ]
* debian/patches/git-updates.diff: update from upstream stable branch:
- Fix buffer overflow in scanf %mc (CVE-2026-5450). Closes: #1134543.
- Fix ungetwc operating on byte stream (CVE-2026-5928). Closes: #1134544.
- Save/restore VFP registers in PLT trampolines on arm. Closes: #1133139.
- Suppress iconv intermediate errors with //TRANSLIT.
- debian/patches/hurd-i386/git-run-iconv-test.sh.diff: rebased.
* debian/rules.d/build.mk: append extra_cflags to CFLAGS and ASFLAGS.
* debian/control.in/libc: stop suggesting libnss-nisplus.
* debian/debhelper.in/libc-bin.lintian-overrides: add a
statically-linked-binary override for the ldconfig binary.
* debian/control.in/main: build-depends on libselinux-dev instead of
libselinux1-dev.
.
[ Miao Wang ]
* debian/libc6.symbols.loong64: add.
.
[ Samuel Thibault ]
* debian/patches/hurd-i386/git-SO_TIMESTAMP.diff: Add SO_TIMESTAMP macro.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---