Require GHOST [CVE-2015-0235] patch for glibc-2.7 version

2015-01-30 Thread Jithin Balakrishnan
Hi All,

Can anyone provide an official patch or the fix for the mentioned security bug?

Thanks in Advance.

Regards,
Jithin


Bug#776659: libc6: missing newline after "cannot allocate TLS data structures for initial thread"

2015-01-30 Thread Jakub Wilk

Package: libc6
Version: 2.19-13
Severity: minor

$ ulimit -v 3524; bash -c '' || echo '<-- missing newline here'
cannot allocate TLS data structures for initial thread<-- missing newline here


-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libc6:i386 depends on:
ii  libgcc1  1:4.9.2-10

Versions of packages libc6:i386 recommends:
ii  libc6-i686  2.19-13

Versions of packages libc6:i386 suggests:
ii  debconf [debconf-2.0]  1.5.55
ii  glibc-doc  2.19-13
ii  locales  2.19-13

--
Jakub Wilk


--
To UNSUBSCRIBE, email to debian-glibc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150130175146.ga6...@jwilk.net



Bug#776671: glibc: integer overflow in bsearch(3)

2015-01-30 Thread Jakub Wilk

Source: glibc
Version: 2.19-13
Tags: patch

The way bsearch() computes indices is subject to integer overflow. This 
should be only a problem on 32-bit systems, where it's possible to 
allocate more than SIZE_MAX/2 bytes of memory.


The attached patch should fix this bug, but it was only lightly tested.

I also attached a test case, which currently loops forever on 32-bit 
systems. (Beware that it allocates 3GB of memory. Don't run it on a 
system that is short of RAM!)


--
Jakub Wilk
diff --git a/bits/stdlib-bsearch.h b/bits/stdlib-bsearch.h
--- a/bits/stdlib-bsearch.h
+++ b/bits/stdlib-bsearch.h
@@ -28,7 +28,7 @@
   __u = __nmemb;
   while (__l < __u)
 {
-  __idx = (__l + __u) / 2;
+  __idx = __l + (__u - __l) / 2;
   __p = (void *) (((const char *) __base) + (__idx * __size));
   __comparison = (*__compar) (__key, __p);
   if (__comparison < 0)
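Review bot: on the changed line, `__u - __l` cannot underflow only because of the `while (__l < __u)` guard just above it, and nothing in the code says why the midpoint is written this way; a short comment on that line noting that `__l + __u` can overflow would keep it from being simplified back to the old form. The message calls the patch lightly tested, so it would be worth adding the attached reproducer, or a variant that does not need 3GB of memory, to the test suite in the same change.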
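#include <assert.h>
#include <stdlib.h>

/* Compare two single-byte elements. */
int cmp(const void *this, const void *other)
{
	return
		*((const char *)this) -
		*((const char *)other);
}

int main(int argc, char **argv)
{
	char key = 42;
	/* 3 GiB: more than SIZE_MAX/2 on a 32-bit system. */
	size_t size = 3UL << 30;
	char* base = calloc(1, size);
	if (base == NULL)
		return EXIT_FAILURE;	/* allocation failed; nothing to test */
	/* The zero-filled array is sorted; put the key and one larger value at the end. */
	base[size - 1] = key + 1;
	base[size - 2] = key;
	void *found = bsearch(&key, base, size, 1, cmp);
	assert(found == base + size - 2);
	return 0;
}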
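
The overflow reported in the message above can be reproduced without a 32-bit system or 3GB of RAM. The following is an added example, not part of the original message or of glibc: it runs the same search loop with `uint32_t` indices over a virtual array, and the names `search32`, `element`, `N` and `MAX_STEPS` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the 3 GiB array in the test case: 42 at index
   N-2, 43 at index N-1 and 0 everywhere else, so it is already sorted. */
#define N ((uint32_t)3 << 30)
#define MAX_STEPS 64u   /* a correct search over 2^32 items needs <= 32 steps */

static int element(uint32_t i)
{
    return i == N - 1 ? 43 : i == N - 2 ? 42 : 0;
}

/* Binary search with 32-bit indices, as size_t is on i386.
   fixed == 0: idx = (l + u) / 2       (the sum wraps modulo 2^32)
   fixed != 0: idx = l + (u - l) / 2   (stays within [l, u))
   Returns the number of steps taken, or -1 if MAX_STEPS was reached.
   *found receives the matching index when the search succeeds. */
static int search32(int key, int fixed, uint32_t *found)
{
    uint32_t l = 0, u = N;
    for (unsigned steps = 1; l < u && steps <= MAX_STEPS; steps++) {
        uint32_t idx = fixed ? l + (u - l) / 2 : (l + u) / 2;
        int c = key - element(idx);
        if (c < 0)
            u = idx;
        else if (c > 0)
            l = idx + 1;
        else {
            *found = idx;
            return (int)steps;
        }
    }
    return -1;
}

int main(void)
{
    uint32_t at = 0;
    int old_steps = search32(42, 0, &at);
    int new_steps = search32(42, 1, &at);
    printf("(l + u) / 2     : %d\n", old_steps);
    printf("l + (u - l) / 2 : %d steps, index %#x\n", new_steps, (unsigned)at);
    return 0;
}
```

With the old midpoint the lower bound keeps jumping between a low and a high index and never reaches the end of the array, which is the endless loop the report describes.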


r6342 - tzdata/trunk/debian

2015-01-30 Thread Clint Adams
Author: clint
Date: 2015-01-31 03:22:42 + (Sat, 31 Jan 2015)
New Revision: 6342

Modified:
   tzdata/trunk/debian/changelog
Log:
2015a

Modified: tzdata/trunk/debian/changelog
===
--- tzdata/trunk/debian/changelog   2015-01-27 16:10:06 UTC (rev 6341)
+++ tzdata/trunk/debian/changelog   2015-01-31 03:22:42 UTC (rev 6342)
@@ -1,3 +1,9 @@
+tzdata (2015a-1) unstable; urgency=medium
+
+  * New upstream release.
+
+ -- Clint Adams   Fri, 30 Jan 2015 21:53:01 -0500
+
 tzdata (2014j-1) unstable; urgency=high
 
   * New upstream release, with an ammendment for a change that was
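Review bot: the new 2015a-1 entry at the top of this hunk is the only functional change, yet the remaining hunks of this commit strip trailing whitespace from old entries and the log message "2015a" does not mention that; splitting the cleanup into its own commit would keep the release commit easy to audit. The unchanged 2014j-1 line at the end of this hunk also still reads "ammendment".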
@@ -15,7 +21,7 @@
 
   [ Debconf translations ]
   * Dutch (Frans Spiesscha).  Closes: #763458
-  
+
   [ Aurelien Jarno ]
   * debian/control: Update Standards-Version to 3.9.6, no changes.
 
@@ -23,7 +29,7 @@
 
 tzdata (2014h-1) unstable; urgency=medium
 
-  * New upstream release. 
+  * New upstream release.
 
  -- Aurelien Jarno   Sun, 28 Sep 2014 20:29:16 +0200
 
@@ -248,7 +254,7 @@
 
 tzdata (2011n-1) unstable; urgency=critical
 
-  * New upstream veersion, fixing DST for: 
+  * New upstream veersion, fixing DST for:
 - Cuba.
 - Fidji.
 - Pridnestrovian Moldavian Republic.
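Review bot: the rewritten line still reads "veersion"; since it is already being touched to drop the trailing space, correct it to "version" in the same change.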
@@ -324,7 +330,7 @@
 the old and the new path, to avoid adding a versioned dependency on
 openjdk-6-jre-headless that would prevent migration to testing.  Closes:
 #640276.
-  * Set urgency to medium to avoid delaying too much migration to testing 
+  * Set urgency to medium to avoid delaying too much migration to testing
 with this upload.
 
   [ Debconf translations ]
@@ -340,9 +346,9 @@
 
 tzdata (2011h-4) unstable; urgency=low
 
-  * Add build-arch and build-indep targets. 
+  * Add build-arch and build-indep targets.
   * Remove hardlinks to comply with the policy, by replacing identical
-files with symlinks. It also reduces the package size by 38% and 
+files with symlinks. It also reduces the package size by 38% and
 the installed size by 35%.
   * Change the source compression format to "xz", .po files in plenty of
 different languages compress very well.
@@ -351,14 +357,14 @@
 
 tzdata (2011h-3) unstable; urgency=low
 
-  * Correctly handle empty debconf values (how is that possible for a 
+  * Correctly handle empty debconf values (how is that possible for a
 select entry?).  Closes: #545146, #631878.
 
  -- Aurelien Jarno   Mon, 04 Jul 2011 19:53:21 +0200
 
 tzdata (2011h-2) unstable; urgency=low
 
-  * Ignore debconf errors, return default values in that case. 
+  * Ignore debconf errors, return default values in that case.
 Closes: #631878.
 
  -- Aurelien Jarno   Tue, 28 Jun 2011 07:23:04 +0200





Processing of tzdata_2015a-1_amd64.changes

2015-01-30 Thread Debian FTP Masters
tzdata_2015a-1_amd64.changes uploaded successfully to localhost
along with the files:
  tzdata_2015a-1.dsc
  tzdata_2015a.orig.tar.gz
  tzdata_2015a-1.debian.tar.xz
  tzdata_2015a-1_all.deb
  tzdata-java_2015a-1_all.deb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)





r6343 - tzdata/tags

2015-01-30 Thread Clint Adams
Author: clint
Date: 2015-01-31 03:24:09 + (Sat, 31 Jan 2015)
New Revision: 6343

Added:
   tzdata/tags/2015a-1/
Log:
Create tag 2015a-1





tzdata_2015a-1_amd64.changes ACCEPTED into unstable

2015-01-30 Thread Debian FTP Masters


Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 30 Jan 2015 21:53:01 -0500
Source: tzdata
Binary: tzdata tzdata-java
Architecture: source all
Version: 2015a-1
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers 
Changed-By: Clint Adams 
Description:
 tzdata - time zone and daylight-saving time data
 tzdata-java - time zone and daylight-saving time data for use by java runtimes
Changes:
 tzdata (2015a-1) unstable; urgency=medium
 .
   * New upstream release.


Thank you for your contribution to Debian.

