Bug#884524: libc6-dev: *crt*.o files are not stripped anymore

2017-12-16 Thread Aurelien Jarno
Package: libc6-dev
Version: 2.25-4
Severity: serious

glibc version 2.25-4 reorganized the way the files are put in the
libc6-dbg or the -dbgsym packages. Unfortunately this caused the
*crt*.o from libc6-dev to not be stripped anymore. This in turn
causes at least the lintian testsuite to fail.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386



Processed: affects 884524

2017-12-16 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> affects 884524 lintian
Bug #884524 [libc6-dev] libc6-dev: *crt*.o files are not stripped anymore
Added indication that 884524 affects lintian
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
884524: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884524
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



[glibc] 01/01: debian/rules.d/debhelper.mk: strip all *crt*.o files, unless DEB_BUILD_OPTIONS contains nostrip. Closes: #884524.

2017-12-16 Thread Aurelien Jarno
This is an automated email from the git hooks/post-receive script.

aurel32 pushed a commit to branch sid
in repository glibc.

commit 6c6484d2c22b1a60d3dec8af8fae2236530f18b0
Author: Aurelien Jarno 
Date:   Sat Dec 16 12:20:29 2017 +0100

debian/rules.d/debhelper.mk: strip all *crt*.o files, unless 
DEB_BUILD_OPTIONS contains nostrip.  Closes: #884524.
---
 debian/changelog|  4 
 debian/rules.d/debhelper.mk | 10 +-
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 1a30046..f23313e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,10 @@ glibc (2.25-5) UNRELEASED; urgency=medium
   [ Samuel Thibault ]
   * hurd-i386/git-rtld-access.diff: Fix spurious errno update.
 
+  [ Aurelien Jarno ]
+  * debian/rules.d/debhelper.mk: strip all *crt*.o files, unless
+DEB_BUILD_OPTIONS contains nostrip.  Closes: #884524.
+
  -- Aurelien Jarno   Tue, 12 Dec 2017 23:52:07 +0100
 
 glibc (2.25-4) unstable; urgency=medium
diff --git a/debian/rules.d/debhelper.mk b/debian/rules.d/debhelper.mk
index 840e059..61972e9 100644
--- a/debian/rules.d/debhelper.mk
+++ b/debian/rules.d/debhelper.mk
@@ -55,13 +55,13 @@ ifeq ($(filter nostrip,$(DEB_BUILD_OPTIONS)),)
  $(DEB_HOST_GNU_TYPE)-strip --strip-debug 
--remove-section=.comment\
 --remove-section=.note $$f ;   
\
done ;  
\
-   for f in $$(find debian/$(curpass) -name \*crt\*.o) ; do
\
- $(DEB_HOST_GNU_TYPE)-strip --strip-debug 
--remove-section=.comment\
---remove-section=.note $$f ;   
\
-   done ;  
\
  else  
\
dh_strip -p$(curpass) -Xlibpthread; 
\
- fi
\
+ fi ;  
\
+ for f in $$(find debian/$(curpass) -name \*crt\*.o) ; do  
\
+   $(DEB_HOST_GNU_TYPE)-strip --strip-debug --remove-section=.comment  
\
+  --remove-section=.note $$f ; 
\
+ done ;
\
fi
 endif
 
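Review bot: the relocated "for f in $$(find debian/$(curpass) -name \*crt\*.o)" loop at the end of the hunk only carries the exit status of the last strip call, so a failure on any earlier crt file is silently ignored unless the recipe shell runs with -e, and the find output is word-split. Running strip straight from find, e.g. "find debian/$(curpass) -name '*crt*.o' -exec $(DEB_HOST_GNU_TYPE)-strip --strip-debug --remove-section=.comment --remove-section=.note {} +", would propagate errors and cope with any path. A one-line comment saying why the loop now sits outside the inner if/else, so that it also runs after the dh_strip branch, would help keep it from being folded back in later.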

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-glibc/glibc.git



Processed: Bug#884524 marked as pending

2017-12-16 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tag 884524 pending
Bug #884524 [libc6-dev] libc6-dev: *crt*.o files are not stripped anymore
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
884524: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884524
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



[glibc] branch sid updated (26312ce -> 6c6484d)

2017-12-16 Thread Aurelien Jarno
This is an automated email from the git hooks/post-receive script.

aurel32 pushed a change to branch sid
in repository glibc.

  from  26312ce   hurd-i386/git-rtld-access.diff: Fix spurious errno update.
   new  6c6484d   debian/rules.d/debhelper.mk: strip all *crt*.o files, 
unless DEB_BUILD_OPTIONS contains nostrip.  Closes: #884524.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.


Summary of changes:
 debian/changelog|  4 
 debian/rules.d/debhelper.mk | 10 +-
 2 files changed, 9 insertions(+), 5 deletions(-)

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-glibc/glibc.git



[glibc] 01/01: debian/patches/git-updates.diff: update from upstream stable branch:

2017-12-16 Thread Aurelien Jarno
This is an automated email from the git hooks/post-receive script.

aurel32 pushed a commit to branch sid
in repository glibc.

commit 5d5bd4b533c43d6887101493e7ffaca89ac501a1
Author: Aurelien Jarno 
Date:   Sat Dec 16 15:37:33 2017 +0100

debian/patches/git-updates.diff: update from upstream stable branch:

* debian/patches/git-updates.diff: update from upstream stable branch:
  - Fix memory leak in ld.so (CVE-2017-1000408).  Closes: #884132.
  - Fix buffer overflow in ld.so (CVE-2017-1000409).  Closes: #884133.
---
 debian/changelog|   3 +
 debian/patches/git-updates.diff | 165 +---
 2 files changed, 157 insertions(+), 11 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index f23313e..340239a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,9 @@ glibc (2.25-5) UNRELEASED; urgency=medium
   [ Aurelien Jarno ]
   * debian/rules.d/debhelper.mk: strip all *crt*.o files, unless
 DEB_BUILD_OPTIONS contains nostrip.  Closes: #884524.
+  * debian/patches/git-updates.diff: update from upstream stable branch:
+- Fix memory leak in ld.so (CVE-2017-1000408).  Closes: #884132.
+- Fix buffer overflow in ld.so (CVE-2017-1000409).  Closes: #884133.
 
  -- Aurelien Jarno   Tue, 12 Dec 2017 23:52:07 +0100
 
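Review bot: the added entry "Fix memory leak in ld.so (CVE-2017-1000408)" does not match the upstream NEWS text imported by this same commit, which describes CVE-2017-1000408 as an incorrect array size computation in _dl_init_paths that allocates too much memory. Wording the changelog the same way, and naming _dl_init_paths in both CVE entries, would let someone triaging from the changelog alone find the affected code.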
diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index 234ce99..793c02f 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -1,10 +1,30 @@
 GIT update of git://sourceware.org/git/glibc.git/release/2.25/master from 
glibc-2.25
 
 diff --git a/ChangeLog b/ChangeLog
-index f140ee67de..574ea60130 100644
+index f140ee67de..1868c7a7be 100644
 --- a/ChangeLog
 +++ b/ChangeLog
-@@ -1,3 +1,714 @@
+@@ -1,3 +1,734 @@
++2017-12-14  Florian Weimer  
++
++  [BZ #22607]
++  CVE-2017-1000409
++  * elf/dl-load.c (_dl_init_paths): Compute number of components in
++  the expanded path string.
++
++2017-12-14  Florian Weimer  
++
++  [BZ #22606]
++  CVE-2017-1000408
++  * elf/dl-load.c (system_dirs): Update comment.
++  (nsystem_dirs_len): Use array_length.
++  (_dl_init_paths): Use nsystem_dirs_len to compute the array size.
++
++2017-11-02  Florian Weimer  
++
++  Add array_length and array_end macros.
++  * include/array_length.h: New file.
++
 +2017-12-12  James Clarke 
 +
 +  * sysdeps/unix/sysv/linux/ia64/ipc_priv.h: New file defining
@@ -823,10 +843,10 @@ index e9194e54cf..43343f03ee 100644
| sed -n -f $< > $@.new
test -s $@.new
 diff --git a/NEWS b/NEWS
-index ec15dde761..0a8f20e371 100644
+index ec15dde761..2c4c9d63aa 100644
 --- a/NEWS
 +++ b/NEWS
-@@ -5,6 +5,47 @@ See the end for copying conditions.
+@@ -5,6 +5,55 @@ See the end for copying conditions.
  Please send GNU C library bug reports via 
  using `glibc' in the "product" field.
  
@@ -837,6 +857,10 @@ index ec15dde761..0a8f20e371 100644
 +* The DNS stub resolver limits the advertised UDP buffer size to 1200 bytes,
 +  to avoid fragmentation-based spoofing attacks.
 +
++  CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered
++  from a one-byte overflow during ~ operator processing (either on the stack
++  or the heap, depending on the length of the user name).
++
 +  CVE-2017-15671: The glob function, when invoked with GLOB_TILDE,
 +  would sometimes fail to free memory allocated during ~ operator
 +  processing, leading to a memory leak and, potentially, to a denial
@@ -846,6 +870,17 @@ index ec15dde761..0a8f20e371 100644
 +  without GLOB_NOESCAPE, could write past the end of a buffer while
 +  unescaping user names.  Reported by Tim Rühsen.
 +
++  CVE-2017-1000408: Incorrect array size computation in _dl_init_paths leads
++  to the allocation of too much memory.  (This is not a security bug per se,
++  it is mentioned here only because of the CVE assignment.)  Reported by
++  Qualys.
++
++  CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation
++  of the number of search path components.  (This is not a security
++  vulnerability per se because no trust boundary is crossed if the fix for
++  CVE-2017-1000366 has been applied, but it is mentioned here only because
++  of the CVE assignment.)  Reported by Qualys.
++
 +The following bugs are resolved with this release:
 +
 +  [20257] sunrpc: clntudp_call does not enforce timeout when receiving data
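Review bot: the CVE-2017-1000409 entry in this hunk rests its "not a security vulnerability per se" assessment on the fix for CVE-2017-1000366 having been applied, and nothing in this commit shows that fix is present in the packaged tree. Worth confirming that before upload and saying so in debian/changelog next to the "Fix buffer overflow in ld.so (CVE-2017-1000409)" line, so the reduced severity can be checked from the package itself.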
@@ -863,13 +898,6 @@ index ec15dde761..0a8f20e371 100644
 +  [21778] Robust mutex may deadlock
 +  [21972] assert macro requires operator== (int) for its argument type
 +  [22322] libc: [mips64] wrong bits/long-double.h installed
-+
-+Security related changes:
-+
-+  CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered
-+  from a one-byte overflow during ~ operator processing (either on the stack
-+  or the heap, depending on the length of the user name).
-+
 +
  Version 2.25
  
@@ -1128,6 +1156,

Processed: Bug#884133 marked as pending

2017-12-16 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tag 884133 pending
Bug #884133 [src:glibc] glibc: CVE-2017-1000409
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
884133: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884133
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Bug#884132 marked as pending

2017-12-16 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tag 884132 pending
Bug #884132 [src:glibc] glibc: CVE-2017-1000408
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
884132: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884132
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



[glibc] branch sid updated (6c6484d -> 5d5bd4b)

2017-12-16 Thread Aurelien Jarno
This is an automated email from the git hooks/post-receive script.

aurel32 pushed a change to branch sid
in repository glibc.

  from  6c6484d   debian/rules.d/debhelper.mk: strip all *crt*.o files, 
unless DEB_BUILD_OPTIONS contains nostrip.  Closes: #884524.
   new  5d5bd4b   debian/patches/git-updates.diff: update from upstream 
stable branch:

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.


Summary of changes:
 debian/changelog|   3 +
 debian/patches/git-updates.diff | 165 +---
 2 files changed, 157 insertions(+), 11 deletions(-)

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-glibc/glibc.git



[glibc] 01/01: releasing package glibc version 2.25-5

2017-12-16 Thread Aurelien Jarno
This is an automated email from the git hooks/post-receive script.

aurel32 pushed a commit to branch sid
in repository glibc.

commit 6315687c70132992be79869e6b0325feddcff348
Author: Aurelien Jarno 
Date:   Sat Dec 16 15:37:50 2017 +0100

releasing package glibc version 2.25-5
---
 debian/changelog | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 340239a..c4da8fd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-glibc (2.25-5) UNRELEASED; urgency=medium
+glibc (2.25-5) unstable; urgency=medium
 
   [ Samuel Thibault ]
   * hurd-i386/git-rtld-access.diff: Fix spurious errno update.
@@ -10,7 +10,7 @@ glibc (2.25-5) UNRELEASED; urgency=medium
 - Fix memory leak in ld.so (CVE-2017-1000408).  Closes: #884132.
 - Fix buffer overflow in ld.so (CVE-2017-1000409).  Closes: #884133.
 
- -- Aurelien Jarno   Tue, 12 Dec 2017 23:52:07 +0100
+ -- Aurelien Jarno   Sat, 16 Dec 2017 15:37:43 +0100
 
 glibc (2.25-4) unstable; urgency=medium
 

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-glibc/glibc.git



[glibc] branch sid updated (5d5bd4b -> 6315687)

2017-12-16 Thread Aurelien Jarno
This is an automated email from the git hooks/post-receive script.

aurel32 pushed a change to branch sid
in repository glibc.

  from  5d5bd4b   debian/patches/git-updates.diff: update from upstream 
stable branch:
   new  6315687   releasing package glibc version 2.25-5

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.


Summary of changes:
 debian/changelog | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-glibc/glibc.git



[glibc] annotated tag debian/2.25-5 created (now 1e053aa)

2017-12-16 Thread Aurelien Jarno
This is an automated email from the git hooks/post-receive script.

aurel32 pushed a change to annotated tag debian/2.25-5
in repository glibc.

at  1e053aa   (tag)
   tagging  6315687c70132992be79869e6b0325feddcff348 (commit)
  replaces  debian/2.25-4
 tagged by  Aurelien Jarno
on  Sat Dec 16 15:37:50 2017 +0100

- Log -
tagging package glibc version debian/2.25-5

Aurelien Jarno (4):
  New changelog entry
  debian/rules.d/debhelper.mk: strip all *crt*.o files, unless 
DEB_BUILD_OPTIONS contains nostrip.  Closes: #884524.
  debian/patches/git-updates.diff: update from upstream stable branch:
  releasing package glibc version 2.25-5

Samuel Thibault (1):
  hurd-i386/git-rtld-access.diff: Fix spurious errno update.

---

This annotated tag includes the following new commits:

   new  6315687   releasing package glibc version 2.25-5

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.


-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-glibc/glibc.git



Bug#884132: marked as done (glibc: CVE-2017-1000408)

2017-12-16 Thread Debian Bug Tracking System
Your message dated Sat, 16 Dec 2017 16:04:29 +
with message-id 
and subject line Bug#884132: fixed in glibc 2.25-5
has caused the Debian Bug report #884132,
regarding glibc: CVE-2017-1000408
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
884132: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884132
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: glibc
Version: 2.19-18
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for glibc, this is just to
track the issue. A DSA is not warranted for this issue only and can be
addressed in a point release. The issues are already not-exploitable
as described in [1].

CVE-2017-1000408[0]:
memory leak

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000408
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000408
[1] http://www.openwall.com/lists/oss-security/2017/12/11/4

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: glibc
Source-Version: 2.25-5

We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 884...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno  (supplier of updated glibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 16 Dec 2017 15:37:43 +0100
Source: glibc
Binary: libc-bin libc-dev-bin libc-l10n glibc-doc glibc-source locales 
locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-pic 
libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-pic libc6.1-udeb libc0.3 
libc0.3-dev libc0.3-dbg libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev 
libc0.1-dbg libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc 
libc6-dev-sparc libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 
libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 
libc6-dev-ppc64 libc6-mips32 libc6-dev-mips32 libc6-mipsn32 libc6-dev-mipsn32 
libc6-mips64 libc6-dev-mips64 libc0.1-i386 libc0.1-dev-i386 libc6-x32 
libc6-dev-x32 libc6-xen libc0.3-xen libc6.1-alphaev67
Architecture: source
Version: 2.25-5
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers 
Changed-By: Aurelien Jarno 
Description:
 glibc-doc  - GNU C Library: Documentation
 glibc-source - GNU C Library: sources
 libc-bin   - GNU C Library: Binaries
 libc-dev-bin - GNU C Library: Development binaries
 libc-l10n  - GNU C Library: localization files
 libc0.1- GNU C Library: Shared libraries
 libc0.1-dbg - GNU C Library: detached debugging symbols
 libc0.1-dev - GNU C Library: Development Libraries and Header Files
 libc0.1-dev-i386 - GNU C Library: 32bit development libraries for AMD64
 libc0.1-i386 - GNU C Library: 32bit shared libraries for AMD64
 libc0.1-pic - GNU C Library: PIC archive library
 libc0.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3- GNU C Library: Shared libraries
 libc0.3-dbg - GNU C Library: detached debugging symbols
 libc0.3-dev - GNU C Library: Development Libraries and Header Files
 libc0.3-pic - GNU C Library: PIC archive library
 libc0.3-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3-xen - GNU C Library: Shared libraries [Xen version]
 libc6  - GNU C Library: Shared libraries
 libc6-amd64 - GNU C Library: 64bit Shared libraries for AMD64
 libc6-dbg  - GNU C Library: detached debugging symbols
 libc6-dev  - GNU C Library: Development Libraries and Header Files
 libc6-dev-amd64 - GNU C Library: 64bit Development Libraries for AMD64
 libc6-dev-i386 - GNU C Library: 32-bit development libraries for AMD64
 libc6-dev-mips32 - GNU C Library: o32 Development Libraries for MIPS
 libc6-dev-mips64 - GNU C Library: 64bit Development Libraries for MIPS64
 libc6-dev-mipsn32 - GNU C Library: n32 Development Libraries for MIPS64
 libc6-dev-powerpc - GNU C Library: 32bit powerpc development libraries for 
ppc64
 libc6-dev-ppc64 - GNU C Library: 64bit Development Libr

Bug#884133: marked as done (glibc: CVE-2017-1000409)

2017-12-16 Thread Debian Bug Tracking System
Your message dated Sat, 16 Dec 2017 16:04:29 +
with message-id 
and subject line Bug#884133: fixed in glibc 2.25-5
has caused the Debian Bug report #884133,
regarding glibc: CVE-2017-1000409
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
884133: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884133
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: glibc
Version: 2.19-18
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for glibc, this is just to
track the issue. A DSA is not warranted for this issue only and can be
addressed in a point release. The issues are already not-exploitable
as described in [1].

CVE-2017-1000409[0]:
buffer overflow

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000409
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000409
[1] http://www.openwall.com/lists/oss-security/2017/12/11/4

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: glibc
Source-Version: 2.25-5

We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 884...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno  (supplier of updated glibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 16 Dec 2017 15:37:43 +0100
Source: glibc
Binary: libc-bin libc-dev-bin libc-l10n glibc-doc glibc-source locales 
locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-pic 
libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-pic libc6.1-udeb libc0.3 
libc0.3-dev libc0.3-dbg libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev 
libc0.1-dbg libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc 
libc6-dev-sparc libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 
libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 
libc6-dev-ppc64 libc6-mips32 libc6-dev-mips32 libc6-mipsn32 libc6-dev-mipsn32 
libc6-mips64 libc6-dev-mips64 libc0.1-i386 libc0.1-dev-i386 libc6-x32 
libc6-dev-x32 libc6-xen libc0.3-xen libc6.1-alphaev67
Architecture: source
Version: 2.25-5
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers 
Changed-By: Aurelien Jarno 
Description:
 glibc-doc  - GNU C Library: Documentation
 glibc-source - GNU C Library: sources
 libc-bin   - GNU C Library: Binaries
 libc-dev-bin - GNU C Library: Development binaries
 libc-l10n  - GNU C Library: localization files
 libc0.1- GNU C Library: Shared libraries
 libc0.1-dbg - GNU C Library: detached debugging symbols
 libc0.1-dev - GNU C Library: Development Libraries and Header Files
 libc0.1-dev-i386 - GNU C Library: 32bit development libraries for AMD64
 libc0.1-i386 - GNU C Library: 32bit shared libraries for AMD64
 libc0.1-pic - GNU C Library: PIC archive library
 libc0.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3- GNU C Library: Shared libraries
 libc0.3-dbg - GNU C Library: detached debugging symbols
 libc0.3-dev - GNU C Library: Development Libraries and Header Files
 libc0.3-pic - GNU C Library: PIC archive library
 libc0.3-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3-xen - GNU C Library: Shared libraries [Xen version]
 libc6  - GNU C Library: Shared libraries
 libc6-amd64 - GNU C Library: 64bit Shared libraries for AMD64
 libc6-dbg  - GNU C Library: detached debugging symbols
 libc6-dev  - GNU C Library: Development Libraries and Header Files
 libc6-dev-amd64 - GNU C Library: 64bit Development Libraries for AMD64
 libc6-dev-i386 - GNU C Library: 32-bit development libraries for AMD64
 libc6-dev-mips32 - GNU C Library: o32 Development Libraries for MIPS
 libc6-dev-mips64 - GNU C Library: 64bit Development Libraries for MIPS64
 libc6-dev-mipsn32 - GNU C Library: n32 Development Libraries for MIPS64
 libc6-dev-powerpc - GNU C Library: 32bit powerpc development libraries for 
ppc64
 libc6-dev-ppc64 - GNU C Library: 64bit Development 

Bug#884524: marked as done (libc6-dev: *crt*.o files are not stripped anymore)

2017-12-16 Thread Debian Bug Tracking System
Your message dated Sat, 16 Dec 2017 16:04:29 +
with message-id 
and subject line Bug#884524: fixed in glibc 2.25-5
has caused the Debian Bug report #884524,
regarding libc6-dev: *crt*.o files are not stripped anymore
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
884524: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884524
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libc6-dev
Version: 2.25-4
Severity: serious

glibc version 2.25-4 reorganized the way the files are put in the
libc6-dbg or the -dbgsym packages. Unfortunately this caused the
*crt*.o from libc6-dev to not be stripped anymore. This in turn
causes at least the lintian testsuite to fail.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
--- End Message ---
--- Begin Message ---
Source: glibc
Source-Version: 2.25-5

We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 884...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno  (supplier of updated glibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 16 Dec 2017 15:37:43 +0100
Source: glibc
Binary: libc-bin libc-dev-bin libc-l10n glibc-doc glibc-source locales 
locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-pic 
libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-pic libc6.1-udeb libc0.3 
libc0.3-dev libc0.3-dbg libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev 
libc0.1-dbg libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc 
libc6-dev-sparc libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 
libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 
libc6-dev-ppc64 libc6-mips32 libc6-dev-mips32 libc6-mipsn32 libc6-dev-mipsn32 
libc6-mips64 libc6-dev-mips64 libc0.1-i386 libc0.1-dev-i386 libc6-x32 
libc6-dev-x32 libc6-xen libc0.3-xen libc6.1-alphaev67
Architecture: source
Version: 2.25-5
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers 
Changed-By: Aurelien Jarno 
Description:
 glibc-doc  - GNU C Library: Documentation
 glibc-source - GNU C Library: sources
 libc-bin   - GNU C Library: Binaries
 libc-dev-bin - GNU C Library: Development binaries
 libc-l10n  - GNU C Library: localization files
 libc0.1- GNU C Library: Shared libraries
 libc0.1-dbg - GNU C Library: detached debugging symbols
 libc0.1-dev - GNU C Library: Development Libraries and Header Files
 libc0.1-dev-i386 - GNU C Library: 32bit development libraries for AMD64
 libc0.1-i386 - GNU C Library: 32bit shared libraries for AMD64
 libc0.1-pic - GNU C Library: PIC archive library
 libc0.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3- GNU C Library: Shared libraries
 libc0.3-dbg - GNU C Library: detached debugging symbols
 libc0.3-dev - GNU C Library: Development Libraries and Header Files
 libc0.3-pic - GNU C Library: PIC archive library
 libc0.3-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3-xen - GNU C Library: Shared libraries [Xen version]
 libc6  - GNU C Library: Shared libraries
 libc6-amd64 - GNU C Library: 64bit Shared libraries for AMD64
 libc6-dbg  - GNU C Library: detached debugging symbols
 libc6-dev  - GNU C Library: Development Libraries and Header Files
 libc6-dev-amd64 - GNU C Library: 64bit Development Libraries for AMD64
 libc6-dev-i386 - GNU C Library: 32-bit development libraries for AMD64
 libc6-dev-mips32 - GNU C Library: o32 Development Libraries for MIPS
 libc6-dev-mips64 - GNU C Library: 64bit Development Libraries for MIPS64
 libc6-dev-mipsn32 - GNU C Library: n32 Development Libraries for MIPS64
 libc6-dev-powerpc - GNU C Library: 32bit powerpc development libraries for 
ppc64
 libc6-dev-ppc64 - GNU C Library: 64bit Development Libraries for PowerPC64
 libc6-dev-s390 - GNU C Library: 32bit Development Libraries for IBM zSeries
 libc6-dev-sparc - GNU C Library: 32bit Development Libraries for SPARC
 libc6-dev-sparc64 - GNU C Lib

Processing of glibc_2.25-5_source.changes

2017-12-16 Thread Debian FTP Masters
glibc_2.25-5_source.changes uploaded successfully to localhost
along with the files:
  glibc_2.25-5.dsc
  glibc_2.25-5.debian.tar.xz
  glibc_2.25-5_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



glibc_2.25-5_source.changes ACCEPTED into unstable

2017-12-16 Thread Debian FTP Masters


Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 16 Dec 2017 15:37:43 +0100
Source: glibc
Binary: libc-bin libc-dev-bin libc-l10n glibc-doc glibc-source locales 
locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-pic 
libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-pic libc6.1-udeb libc0.3 
libc0.3-dev libc0.3-dbg libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev 
libc0.1-dbg libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc 
libc6-dev-sparc libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 
libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 
libc6-dev-ppc64 libc6-mips32 libc6-dev-mips32 libc6-mipsn32 libc6-dev-mipsn32 
libc6-mips64 libc6-dev-mips64 libc0.1-i386 libc0.1-dev-i386 libc6-x32 
libc6-dev-x32 libc6-xen libc0.3-xen libc6.1-alphaev67
Architecture: source
Version: 2.25-5
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers 
Changed-By: Aurelien Jarno 
Description:
 glibc-doc  - GNU C Library: Documentation
 glibc-source - GNU C Library: sources
 libc-bin   - GNU C Library: Binaries
 libc-dev-bin - GNU C Library: Development binaries
 libc-l10n  - GNU C Library: localization files
 libc0.1- GNU C Library: Shared libraries
 libc0.1-dbg - GNU C Library: detached debugging symbols
 libc0.1-dev - GNU C Library: Development Libraries and Header Files
 libc0.1-dev-i386 - GNU C Library: 32bit development libraries for AMD64
 libc0.1-i386 - GNU C Library: 32bit shared libraries for AMD64
 libc0.1-pic - GNU C Library: PIC archive library
 libc0.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3- GNU C Library: Shared libraries
 libc0.3-dbg - GNU C Library: detached debugging symbols
 libc0.3-dev - GNU C Library: Development Libraries and Header Files
 libc0.3-pic - GNU C Library: PIC archive library
 libc0.3-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3-xen - GNU C Library: Shared libraries [Xen version]
 libc6  - GNU C Library: Shared libraries
 libc6-amd64 - GNU C Library: 64bit Shared libraries for AMD64
 libc6-dbg  - GNU C Library: detached debugging symbols
 libc6-dev  - GNU C Library: Development Libraries and Header Files
 libc6-dev-amd64 - GNU C Library: 64bit Development Libraries for AMD64
 libc6-dev-i386 - GNU C Library: 32-bit development libraries for AMD64
 libc6-dev-mips32 - GNU C Library: o32 Development Libraries for MIPS
 libc6-dev-mips64 - GNU C Library: 64bit Development Libraries for MIPS64
 libc6-dev-mipsn32 - GNU C Library: n32 Development Libraries for MIPS64
 libc6-dev-powerpc - GNU C Library: 32bit powerpc development libraries for ppc64
 libc6-dev-ppc64 - GNU C Library: 64bit Development Libraries for PowerPC64
 libc6-dev-s390 - GNU C Library: 32bit Development Libraries for IBM zSeries
 libc6-dev-sparc - GNU C Library: 32bit Development Libraries for SPARC
 libc6-dev-sparc64 - GNU C Library: 64bit Development Libraries for UltraSPARC
 libc6-dev-x32 - GNU C Library: X32 ABI Development Libraries for AMD64
 libc6-i386 - GNU C Library: 32-bit shared libraries for AMD64
 libc6-mips32 - GNU C Library: o32 Shared libraries for MIPS
 libc6-mips64 - GNU C Library: 64bit Shared libraries for MIPS64
 libc6-mipsn32 - GNU C Library: n32 Shared libraries for MIPS64
 libc6-pic  - GNU C Library: PIC archive library
 libc6-powerpc - GNU C Library: 32bit powerpc shared libraries for ppc64
 libc6-ppc64 - GNU C Library: 64bit Shared libraries for PowerPC64
 libc6-s390 - GNU C Library: 32bit Shared libraries for IBM zSeries
 libc6-sparc - GNU C Library: 32bit Shared libraries for SPARC
 libc6-sparc64 - GNU C Library: 64bit Shared libraries for UltraSPARC
 libc6-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc6-x32  - GNU C Library: X32 ABI Shared libraries for AMD64
 libc6-xen  - GNU C Library: Shared libraries [Xen version]
 libc6.1 - GNU C Library: Shared libraries
 libc6.1-alphaev67 - GNU C Library: Shared libraries (EV67 optimized)
 libc6.1-dbg - GNU C Library: detached debugging symbols
 libc6.1-dev - GNU C Library: Development Libraries and Header Files
 libc6.1-pic - GNU C Library: PIC archive library
 libc6.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 locales - GNU C Library: National Language (locale) data [support]
 locales-all - GNU C Library: Precompiled locale data
 multiarch-support - Transitional package to ensure multiarch compatibility
 nscd   - GNU C Library: Name Service Cache Daemon
Closes: 884132 884133 884524
Changes:
 glibc (2.25-5) unstable; urgency=medium
 .
   [ Samuel Thibault ]
   * hurd-i386/git-rtld-access.diff: Fix spurious errno update.
 .
   [ Aurelien Jarno ]
   * debian/rules.d/debhelper.mk: strip all *crt*.o files, unless
 DEB_BUILD_OPTIONS contains nostrip.  Closes: #884524.
   * debian/patches/git-updates.diff: update from upstream stable branch:
 - Fix memory leak in ld.so (CVE-2017-1000408).  Closes: #884132.
 - Fix buffer overflow in ld.so (CVE-2017-1000409).  Closes:

[glibc] 01/01: Merge branch 'sid' into glibc-2.26

2017-12-16 Thread Aurelien Jarno
This is an automated email from the git hooks/post-receive script.

aurel32 pushed a commit to branch glibc-2.26
in repository glibc.

commit ec4e849086156fbc121a82b610d20207ae080a7b
Merge: 10c432c 6315687
Author: Aurelien Jarno 
Date:   Sat Dec 16 19:13:18 2017 +0100

Merge branch 'sid' into glibc-2.26

 debian/changelog  | 14 ++
 debian/patches/hurd-i386/git-rtld-access.diff |  3 +--
 debian/rules.d/debhelper.mk   | 10 +-
 3 files changed, 20 insertions(+), 7 deletions(-)

diff --cc debian/changelog
index 88c5e5a,c4da8fd..aa616cd
--- a/debian/changelog
+++ b/debian/changelog
@@@ -1,164 -1,17 +1,178 @@@
 +glibc (2.26-0experimental2) UNRELEASED; urgency=medium
 +
 +  [ Aurelien Jarno ]
 +  * debian/testsuite-xfail-debian.mk: move double-lround XFAILs from mips64el
 +to mipsel.
 +  * debian/patches/git-updates.diff: update from upstream stable branch:
 +- Fix malloc returning pointer from tcache_get when it should returns
 +  NULL (CVE-2017-17426).  Closes: #883729.
 +- Drop debian/patches/ia64/git-ia64-crash-thread-exit.diff (merged
 +  upstream).
 +  * debian/control.in/libc: add a Breaks: libperl5.26 (<< 5.26.1-3) to
 +@libc@-dev to handle the xlocale.h removal.  Closes: #883392.
 +  * debian/control.in/main: point the Vcs-Git field to the glibc-2.26 branch
 +to shut up tracker.debian.org about missing commits.
 +  * debian/testsuite-xfail-debian.mk: x32: remove a bunch of conform issues,
 +add tst-platform-1, as this test has x86-64 specific expectations.
 +  * debian/sysdeps/sparc64.mk: don't force -mcpu=ultrasparc as that
 +miscompiles at least pthread_barrier_wait.c. Mark tst-realloc as XFAIL, as
 +there are way to trigger the issue on older libc and/or other
 +architectures.
 +
 + -- Aurelien Jarno   Wed, 22 Nov 2017 17:50:44 +0100
 +
 +glibc (2.26-0experimental1) experimental; urgency=medium
 +
 +  [ Samuel Thibault ]
 +  * debian/testsuite-xfail-debian.mk: Update hurd-i386 xfail with new test.
 +
 +  [ Aurelien Jarno ]
 +  * Bump build-dependency on binutils to >= 2.25, as required by glibc 2.26.
 +  * debian/testsuite-xfail-debian.mk: re-add double-lround XFAILs for
 +mips64el.
 +  * debian/patches/git-updates.diff: update from upstream stable branch.
 +
 + -- Aurelien Jarno   Wed, 22 Nov 2017 17:46:32 +0100
 +
 +glibc (2.26-0experimental0) experimental; urgency=medium
 +
 +  [ Adam Conrad ]
 +  * New upstream release (LP: #1703368), with git updates to 2017-10-10:
 +- debian/{symbols.wildcards,control}: Update and regen for 2.26.
 +- debian/patches/alpha/submitted-termios_h.diff: upstreamed.
 +- debian/patches/arm/submitted-strip-bit-0.diff: upstreamed.
 +- debian/patches/hurd-i386/git-__inet6_scopeid_pton.diff: upstreamed.
 +- debian/patches/any/submitted-string2-strcmp.diff: obsolete.
 +- debian/patches/any/local-tst-writev.diff: fixed upstream.
 +- debian/patches/any/local-dynamic-resolvconf.diff: fixed upstream.
 +- debian/patches/any/submitted-unicode-9.0.0.diff: obsolete.
 +- debian/patches/any/cvs-malloc-hardening.diff: upstreamed.
 +- debian/patches/any/local-bits-sigstack.diff: fixed upstream.
 +- debian/patches/powerpc/submitted-tst-tlsopt-powerpc.diff: upstreamed.
 +- debian/patches/i386/local-cmov.diff: dropped, no longer useful.
 +- debian/patches/all/local-ldd.diff: rebased.
 +- debian/patches/any/local-ldso-disable-hwcap.diff: rebased.
 +- debian/patches/any/local-tcsetaddr.diff: rebased.
 +- debian/patches/any/submitted-resolv-unaligned.diff: rebased.
 +- debian/patches/arm/local-arm-futex.diff: rebased.
 +- debian/patches/hurd-i386/local-ED.diff: rebased.
 +- debian/patches/hurd-i386/tg-EGREGIOUS-fr.diff: rebased.
 +- debian/patches/hurd-i386/tg-EIEIO-fr.diff: rebased.
 +- debian/patches/kfreebsd/submitted-auxv.diff: rebased.
 +- debian/patches/kfreebsd/submitted-waitid.diff: rebased.
 +- debian/patches/localedata/locales-fr.diff: rebased.
 +- debian/patches/sparc/submitted-sparc64-socketcall.diff: rebased.
 +- debian/patches/localedata/local-hu_HU-sort.diff: Make testsuite
 +  agree with the sorting we see in Debian, may need another look.
 +- debian/patches/any/local-cudacc-float128.diff: Local patch to prevent
 +  defining __HAVE_FLOAT128 on NVIDIA's CUDA compilers (LP: #1717257)
 +- debian/patches/arm/git-arm64-memcmp.diff: Backport optimized memcmp
 +  for AArch64, improving performance from 25% to 500% (LP: #1720832)
 +- debian/control.in/libc: Drop ancient Breaks satisfied in oldoldstable.
 +- debian/{debhelper.in/libc.preinst,sysdeps/amd64.mk,sysdeps/i386.mk}:
 +  Bump MIN_KERNEL_SUPPORTED to 3.2 on x86, following upstream's change.
 +- debian/sysdeps/{powerpc.mk,ppc64.mk,s390x.mk}: Disable lock-elision on
 +  powerpc and s390, following IBM's recommendation.
 +- debian/testsuite-xfail-debian.mk: Re-enable xfailed r
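Review bot: The 2.26-0experimental2 entry at the top of this hunk marks tst-realloc as XFAIL in debian/sysdeps/sparc64.mk with only "there are way to trigger the issue on older libc and/or other architectures" as justification, and no bug reference. An XFAIL on an allocator test can hide a real regression, so the entry should cite the bug it tracks so that the XFAIL can be dropped once that is resolved. In the same entry, "when it should returns NULL" should read "when it should return NULL".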

[glibc] 01/01: debian/patches/git-updates.diff: update from upstream stable branch.

2017-12-16 Thread Aurelien Jarno
This is an automated email from the git hooks/post-receive script.

aurel32 pushed a commit to branch glibc-2.26
in repository glibc.

commit 807ce52ae4106c3dc2a6a98a88b4558a7f31d381
Author: Aurelien Jarno 
Date:   Sat Dec 16 19:20:07 2017 +0100

debian/patches/git-updates.diff: update from upstream stable branch.
---
 debian/patches/git-updates.diff | 200 +++-
 1 file changed, 196 insertions(+), 4 deletions(-)

diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index 61dbf17..e112efc 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -1,10 +1,35 @@
 GIT update of git://sourceware.org/git/glibc.git/release/2.26/master from 
glibc-2.26
 
 diff --git a/ChangeLog b/ChangeLog
-index 8dbfc7eaff..b90e7eb827 100644
+index 8dbfc7eaff..55a17414ab 100644
 --- a/ChangeLog
 +++ b/ChangeLog
-@@ -1,3 +1,1032 @@
+@@ -1,3 +1,1057 @@
++2017-12-14  Florian Weimer  
++
++  [BZ #22607]
++  CVE-2017-1000409
++  * elf/dl-load.c (_dl_init_paths): Compute number of components in
++  the expanded path string.
++
++2017-12-14  Florian Weimer  
++
++  [BZ #22606]
++  CVE-2017-1000408
++  * elf/dl-load.c (system_dirs): Update comment.
++  (nsystem_dirs_len): Use array_length.
++  (_dl_init_paths): Use nsystem_dirs_len to compute the array size.
++
++2017-11-02  Florian Weimer  
++
++  Add array_length and array_end macros.
++  * include/array_length.h: New file.
++
++2017-10-27  H.J. Lu  
++
++  * sysdeps/i386/fpu/libm-test-ulps: Regenerated for GCC 7 with
++  "-O2 -march=i586".
++
 +2017-12-13  Adhemerval Zanella  
 +
 +  * sysdeps/ia64/fpu/libm-test-ulps: Update.
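Review bot: The ChangeLog lines added at the top of this hunk pull in the upstream fixes tagged CVE-2017-1000408 and CVE-2017-1000409, but the diffstat for this commit lists only debian/patches/git-updates.diff and the commit message says just "update from upstream stable branch." Please add a debian/changelog line for this branch that names both CVEs (and the bugs they close), so that anyone checking this version for the fixes finds them in the package changelog rather than only inside the patch.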
@@ -1061,10 +1086,10 @@ index 9bb707c168..828a445f24 100644
  # Don't try to use -lc when making libc.so itself.
  # Also omits crti.o and crtn.o, which we do not want
 diff --git a/NEWS b/NEWS
-index 8295f20c0a..8810b57cd9 100644
+index 8295f20c0a..2c49212cb5 100644
 --- a/NEWS
 +++ b/NEWS
-@@ -5,6 +5,81 @@ See the end for copying conditions.
+@@ -5,6 +5,92 @@ See the end for copying conditions.
  Please send GNU C library bug reports via 
  using `glibc' in the "product" field.
  
@@ -1107,6 +1132,17 @@ index 8295f20c0a..8810b57cd9 100644
 +  instead of NULL.  This was a regression introduced with the new malloc
 +  thread cache in glibc 2.26.  Reported by Iain Buclaw.
 +
++  CVE-2017-1000408: Incorrect array size computation in _dl_init_paths leads
++  to the allocation of too much memory.  (This is not a security bug per se,
++  it is mentioned here only because of the CVE assignment.)  Reported by
++  Qualys.
++
++  CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation
++  of the number of search path components.  (This is not a security
++  vulnerability per se because no trust boundary is crossed if the fix for
++  CVE-2017-1000366 has been applied, but it is mentioned here only because
++  of the CVE assignment.)  Reported by Qualys.
++
 +The following bugs are resolved with this release:
 +
 +  [16750] ldd: Never run file directly.
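Review bot: The CVE-2017-1000409 paragraph added here calls the buffer overflow "not a security vulnerability per se" only "if the fix for CVE-2017-1000366 has been applied", which is a condition on the tree being built rather than on the bug itself. The packaging should say where this branch carries that fix (in the upstream base or as a debian/patches entry) so that the downgraded severity is verifiable and not inferred.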
@@ -1377,6 +1413,79 @@ index 0280fba8a7..8bbbf2a121 100644
  LDLIBS-crypt.so = -lfreebl3
  else
  libcrypt-routines += md5 sha256 sha512
+diff --git a/elf/dl-load.c b/elf/dl-load.c
+index c1b6d4ba0f..621403c05f 100644
+--- a/elf/dl-load.c
 b/elf/dl-load.c
+@@ -37,6 +37,7 @@
+ #include 
+ #include 
+ #include 
++#include 
+ 
+ #include 
+ #include 
+@@ -103,7 +104,9 @@ static size_t ncapstr attribute_relro;
+ static size_t max_capstrlen attribute_relro;
+ 
+ 
+-/* Get the generated information about the trusted directories.  */
++/* Get the generated information about the trusted directories.  Use
++   an array of concatenated strings to avoid relocations.  See
++   gen-trusted-dirs.awk.  */
+ #include "trusted-dirs.h"
+ 
+ static const char system_dirs[] = SYSTEM_DIRS;
+@@ -111,9 +114,7 @@ static const size_t system_dirs_len[] =
+ {
+   SYSTEM_DIRS_LEN
+ };
+-#define nsystem_dirs_len \
+-  (sizeof (system_dirs_len) / sizeof (system_dirs_len[0]))
+-
++#define nsystem_dirs_len array_length (system_dirs_len)
+ 
+ static bool
+ is_trusted_path (const char *path, size_t len)
+@@ -688,9 +689,8 @@ _dl_init_paths (const char *llp)
++ ncapstr * sizeof (enum r_dir_status))
+   / sizeof (struct r_search_path_elem));
+ 
+-  rtld_search_dirs.dirs[0] = (struct r_search_path_elem *)
+-malloc ((sizeof (system_dirs) / sizeof (system_dirs[0]))
+-  * round_size * sizeof (struct r_search_path_elem));
++  rtld_search_dirs.dirs[0] = malloc (nsystem_dirs_len * round_size
++   * sizeof (*rtld_search_dirs.dirs[0]));
+   if (rtld_search_dirs.dirs[0] == NULL)
+ {
+   errstring = N_("cannot create cache for search path");
+@@ -776,8 +776,6 @@ _dl_init_paths (const char *llp)
+ 
+   if (llp != NULL && *llp != '\0')
+ {
+-  size_t nllp;
+-  const char *cp = llp;
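Review bot: In the elf/dl-load.c part of this hunk, the rewritten comment above system_dirs explains why the directories are stored as concatenated strings ("to avoid relocations") but not the consequence that the removed malloc line got wrong: "sizeof (system_dirs) / sizeof (system_dirs[0])" is a byte count of the string, not the number of directories. Consider adding one sentence to that comment saying that the directory count must be taken from nsystem_dirs_len, since the two arrays sit next to each other and the wrong one is easy to reach for. The final sub-hunk in _dl_init_paths is cut off after the removal of nllp and cp, so the replacement component count for the CVE-2017-1000409 fix cannot be checked from what is shown here.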

[glibc] branch glibc-2.26 updated (10c432c -> ec4e849)

2017-12-16 Thread Aurelien Jarno
This is an automated email from the git hooks/post-receive script.

aurel32 pushed a change to branch glibc-2.26
in repository glibc.

  from  10c432c   debian/sysdeps/sparc64.mk: don't force -mcpu=ultrasparc 
as that miscompiles at least pthread_barrier_wait.c. Mark tst-realloc as XFAIL, 
as there are way to trigger the issue on older libc and/or other architectures.
  adds  b247d39   New changelog entry
  adds  26312ce   hurd-i386/git-rtld-access.diff: Fix spurious errno update.
  adds  6c6484d   debian/rules.d/debhelper.mk: strip all *crt*.o files, 
unless DEB_BUILD_OPTIONS contains nostrip.  Closes: #884524.
  adds  5d5bd4b   debian/patches/git-updates.diff: update from upstream 
stable branch:
  adds  6315687   releasing package glibc version 2.25-5
   new  ec4e849   Merge branch 'sid' into glibc-2.26

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.


Summary of changes:
 debian/changelog  | 14 ++
 debian/patches/hurd-i386/git-rtld-access.diff |  3 +--
 debian/rules.d/debhelper.mk   | 10 +-
 3 files changed, 20 insertions(+), 7 deletions(-)

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-glibc/glibc.git



[glibc] branch glibc-2.26 updated (ec4e849 -> 807ce52)

2017-12-16 Thread Aurelien Jarno
This is an automated email from the git hooks/post-receive script.

aurel32 pushed a change to branch glibc-2.26
in repository glibc.

  from  ec4e849   Merge branch 'sid' into glibc-2.26
   new  807ce52   debian/patches/git-updates.diff: update from upstream 
stable branch.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.


Summary of changes:
 debian/patches/git-updates.diff | 200 +++-
 1 file changed, 196 insertions(+), 4 deletions(-)

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-glibc/glibc.git