Your message dated Fri, 23 Jul 2021 22:40:15 +0200
with message-id <26ad9deb-7d88-8801-86be-26c63c1b8...@debian.org>
and subject line Re: Bug#991372: unblock: glibc/2.31-13
has caused the Debian Bug report #991372,
regarding unblock: glibc/2.31-13
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
991372: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991372
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-b...@lists.debian.org

Please unblock package glibc

[ Reason ]
This new version fixes one serious bug (#990069) in the maintainer
scripts preventing the sshd daemon following a glibc upgrade on systems
where the ssh meta-package is not installed. 

It also fixes a security issue in the wordexp() function
(CVE-2021-35942, #990542) by pulling the upstream stable branch.

[ Impact ]
On systems where the ssh meta-package is not installed, following the
upgrade from buster to bullseye, incoming SSH connections are not
accepted until the sshd daemon is restarted manually or the system is
rebooted. This can be an issue for systems upgraded remotely.

[ Tests ]
The change to the maintainer scripts is not covered by automatic tests
(except maybe by piuparts). They have, however, been manually tested by
multiple persons.

The change to the wordexp() function is covered by the upstream
testsuite. A new test has actually been added to catch the security
issue.

[ Risks ]
The change to the maintainer scripts is relatively simple and just
follows what is already done for other daemons where the package name is
not the same as the daemon name. The package has been in sid for 2
weeks, and no regressions have been reported. The risk is therefore very
low.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
d-i team is Cc:ed.

unblock glibc/2.31-13



diff --git a/debian/changelog b/debian/changelog
index 7197d373..138f350a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+glibc (2.31-13) unstable; urgency=medium
+
+  [ Colin Watson ]
+  * debian/debhelper.in/libc.postinst, script.in/nsscheck.sh: Look for
+    openssh-server package rather than ssh.  Closes: #990069
+
+  [ Aurelien Jarno ]
+  * debian/patches/git-updates.diff: update from upstream stable branch:
+    - Fix an arbitrary read in wordexp() (CVE-2021-35942).  Closes:
+      #990542.
+
+ -- Aurelien Jarno <aure...@debian.org>  Tue, 06 Jul 2021 21:16:59 +0200
+
 glibc (2.31-12) unstable; urgency=medium
 
   * debian/po/de.po: fix encoding declaration.  Closes: #986450.
diff --git a/debian/debhelper.in/libc.postinst 
b/debian/debhelper.in/libc.postinst
index 0b312dfa..f52a1430 100644
--- a/debian/debhelper.in/libc.postinst
+++ b/debian/debhelper.in/libc.postinst
@@ -33,9 +33,10 @@ then
            check="$check boa cucipop courier-authdaemon cron cups exim"
            check="$check exim4-base dovecot-common cucipop incron lprng lpr"
            check="$check lpr-ppd mysql-server nis openbsd-inetd"
-           check="$check openldapd postgresql-common proftpd postfix 
postfix-tls"
-           check="$check rsync samba sasl2-bin slapd smail sendmail snmpd ssh"
-           check="$check spamassassin vsftpd wu-ftpd wu-ftpd-academ wwwoffle"
+           check="$check openldapd openssh-server postgresql-common proftpd"
+           check="$check postfix postfix-tls rsync samba sasl2-bin slapd"
+           check="$check smail sendmail snmpd spamassassin vsftpd"
+           check="$check wu-ftpd wu-ftpd-academ wwwoffle"
            check="$check webmin dropbear gdm"
            # NSS services check: 
            __NSS_CHECK__
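Review bot: the replacement drops `ssh` from the `check` list instead of adding `openssh-server` next to it; that is only correct because the `ssh` metapackage depends on openssh-server, so the daemon package is always present whenever the metapackage is, and the changelog should say so. Reflowing the unrelated entries (postgresql-common, proftpd, postfix ... wwwoffle) across four rewritten lines hides the one-token functional change; for a freeze unblock a minimal diff that swaps `ssh` for `openssh-server` in place would be easier to review.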
diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index 0e5aefae..e1cac4a1 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -3647,6 +3647,31 @@ index cba9cd1819..4580cefb9f 100644
                dirlen = home_len + rest_len;
                dirname_modified = 1;
              }
+diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
+index ed1b22308e..cb3f989cba 100644
+--- a/posix/wordexp-test.c
++++ b/posix/wordexp-test.c
+@@ -183,6 +183,7 @@ struct test_case_struct
+     { 0, NULL, "$var", 0, 0, { NULL, }, IFS },
+     { 0, NULL, "\"\\n\"", 0, 1, { "\\n", }, IFS },
+     { 0, NULL, "", 0, 0, { NULL, }, IFS },
++    { 0, NULL, "${1234567890123456789012}", 0, 0, { NULL, }, IFS },
+ 
+     /* Flags not already covered (testit() has special handling for these) */
+     { 0, NULL, "one two", WRDE_DOOFFS, 2, { "one", "two", }, IFS },
+diff --git a/posix/wordexp.c b/posix/wordexp.c
+index e082d94895..56289503a1 100644
+--- a/posix/wordexp.c
++++ b/posix/wordexp.c
+@@ -1399,7 +1399,7 @@ envsubst:
+   /* Is it a numeric parameter? */
+   else if (isdigit (env[0]))
+     {
+-      int n = atoi (env);
++      unsigned long n = strtoul (env, NULL, 10);
+ 
+       if (n >= __libc_argc)
+       /* Substitute NULL. */
 diff --git a/stdlib/Makefile b/stdlib/Makefile
 index 45214b59e4..4615f6dfe7 100644
 --- a/stdlib/Makefile
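Review bot: `unsigned long n = strtoul (env, NULL, 10);` followed by `if (n >= __libc_argc)` is a mixed-signedness comparison (`__libc_argc` is an int); it is safe because argc is never negative and is promoted to unsigned long, but a one-line comment at the comparison would stop a later cleanup from "fixing" it back to a signed type. The change closes the hole because atoi() (an (int) cast of strtol()) on an over-long digit string could produce a negative int that passed `n >= __libc_argc` and indexed argv before its start, whereas strtoul() saturates at ULONG_MAX and is rejected. The added `${1234567890123456789012}` case exercises that path; a second case with a value just above INT_MAX would also be worth adding.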
diff --git a/debian/script.in/nsscheck.sh b/debian/script.in/nsscheck.sh
index 623278c0..8406a543 100644
--- a/debian/script.in/nsscheck.sh
+++ b/debian/script.in/nsscheck.sh
@@ -12,6 +12,7 @@
                        -e's/\blpr\b/lpd/g' \
                        -e's/\blpr-ppd\b/lpd-ppd/g' \
                        -e's/\bmysql-server\b/mysql/g' \
+                       -e's/\bopenssh-server\b/ssh/g' \
                        -e's/\bsasl2-bin\b/saslauthd/g' \
                        -e's/\bsamba\b/smbd/g' \
                        -e's/\bpostgresql-common\b/postgresql/g' \
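Review bot: the new expression maps the `openssh-server` package name onto the `ssh` service name and is the counterpart of the postinst change, so the two lists must be kept in step; the old `ssh` entry needed no mapping because package and init script shared the name. Since `\b` treats `-` as a boundary, `\bopenssh-server\b` cannot match `openssh-client` or `openssh-sftp-server`, which is the property this list relies on. A comment above the sed call stating that package names are translated to init-script names here would help the next person who adds a daemon.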

--- End Message ---
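The wordexp() issue the request pulls in, as an added illustration that is not part of the message or of glibc's own code: the pre-fix atoi() bounds check beside the strtoul() form from the patch, run over a constructed three-element argv (demo_argv, demo_argc and the sentinel string are assumptions of this example).

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the argv vector that wordexp() consults for
   positional parameters such as ${2}; not glibc's real data. */
static const char *const demo_argv[] = { "prog", "alpha", "beta" };
static const int demo_argc = 3;

/* Pre-fix logic (glibc's atoi() is (int) strtol()): on LP64 a 22-digit
   string saturates strtol() at LONG_MAX and the cast to int truncates that
   to -1. A negative n passes the `n >= argc` test and would index argv
   before its start; the out-of-bounds read is replaced by a sentinel here. */
const char *param_before_fix(const char *env, int argc, const char *const argv[])
{
    int n = (int) strtol(env, NULL, 10);
    if (n >= argc)
        return NULL;              /* the only bounds check in the old code */
    if (n < 0)
        return "<out-of-bounds read>";
    return argv[n];
}

/* Post-fix logic from the patch: strtoul() saturates at ULONG_MAX on
   overflow, so any oversized number fails the bounds check. argc is
   promoted to unsigned long, which is fine because it is never negative. */
const char *param_after_fix(const char *env, int argc, const char *const argv[])
{
    unsigned long n = strtoul(env, NULL, 10);
    if (n >= (unsigned long) argc)
        return NULL;              /* "Substitute NULL", as in the patch */
    return argv[n];
}

/* Convenience wrappers over the constructed argv. */
const char *before_fix(const char *env) { return param_before_fix(env, demo_argc, demo_argv); }
const char *after_fix(const char *env)  { return param_after_fix(env, demo_argc, demo_argv); }

int main(void)
{
    const char *probe = "1234567890123456789012";  /* the test case added upstream */
    const char *old = before_fix(probe), *fixed = after_fix(probe);
    printf("before fix: %s\nafter fix: %s\n",
           old ? old : "(null)", fixed ? fixed : "(null)");
    return 0;
}
```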
--- Begin Message ---
Hi,

On 21-07-2021 22:36, Paul Gevers wrote:
> Control: tags -1 confirmed d-i
> 
> Hi Aurelien,
> 
> On 21-07-2021 22:31, Aurelien Jarno wrote:
>> Please unblock package glibc
> 
> Thanks, waiting for the ACK from kibi.

This should be good to go next britney run.

Paul



--- End Message ---
