Bug#1109941: unblock: glibc/2.41-11 (pre-approval)

2025-07-28 Thread Aurelien Jarno
control: tag -1 - moreinfo

Hi,

On 2025-07-26 18:36, Ivo De Decker wrote:
> Control: tags -1 confirmed moreinfo
> 
> Hi,
> 
> On Sat, Jul 26, 2025 at 08:32:17PM +0200, Aurelien Jarno wrote:
> > Please unblock package glibc
> 
> Please go ahead with the upload and remove the moreinfo tag from this unblock
> request once the new upload has been in unstable for a few days, and you think
> it's ready to migrate.

I think that glibc is now ready to migrate: piuparts, reproducibility
and autopkgtests are fine, and no issues have been reported.

Regards
Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
[email protected] http://aurel32.net



Bug#1109941: unblock: glibc/2.41-11 (pre-approval)

2025-07-26 Thread Ivo De Decker
Control: tags -1 confirmed moreinfo

Hi,

On Sat, Jul 26, 2025 at 08:32:17PM +0200, Aurelien Jarno wrote:
> Please unblock package glibc

Please go ahead with the upload and remove the moreinfo tag from this unblock
request once the new upload has been in unstable for a few days, and you think
it's ready to migrate.

Note that the upload would have to happen very soon to have any chance to
migrate to trixie.

Thanks,

Ivo



Bug#1109941: unblock: glibc/2.41-11 (pre-approval)

2025-07-26 Thread Aurelien Jarno
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:glibc
User: [email protected]
Usertags: unblock

Please unblock package glibc

[ Reason ]
The reason that triggered this upload is a security issue in regcomp
(CVE-2025-8058) that got fixed in the upstream stable branch. It also
includes a fix for iconv creating files with the wrong permissions.

[ Impact ]
If the unblock isn't granted, systems will be vulnerable to
CVE-2025-8058.

[ Tests ]
Tests have been added for both changes, and actually represent the
largest part of the debdiff.

[ Risks ]
Risks are quite low: besides the new tests, changes are small, easily
reviewable and covered by additional tests.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
If it comes too late for the initial Trixie release, this
could go in the first point release.

unblock glibc/2.41-11

diff --git a/debian/changelog b/debian/changelog
index 4ee8be6e..85356f8e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+glibc (2.41-11) unstable; urgency=medium
+
+  * debian/patches/git-updates.diff: update from upstream stable branch:
+- Fix iconv to not create executable files with -o.
+- Fix double-free after allocation failure in regcomp (GLIBC-SA-2025-0005
+  / CVE-2025-8058).  Closes: #1109803.
+
+ -- Aurelien Jarno   Sat, 26 Jul 2025 20:29:12 +0200
+
 glibc (2.41-10) unstable; urgency=medium
 
   [ Samuel Thibault ]
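Review bot: the regcomp entry carries the advisory, CVE and Debian bug (`GLIBC-SA-2025-0005 / CVE-2025-8058).  Closes: #1109803.`), but the iconv entry `- Fix iconv to not create executable files with -o.` names no reference at all; the NEWS hunk later in this same debdiff lists it as upstream bug `[33164] iconv -o should not create executable files`, so adding `(BZ #33164)` to that line would make the two fixes equally traceable. Also, as rendered here the two sub-items sit flush with the `-` rather than indented under the `git-updates.diff` bullet; check that the indentation survived in the uploaded changelog.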
diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index f8df40b4..ac1e1c31 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -22,10 +22,10 @@ index d0108d2caa..aa547a443f 100644
  $(common-objdir):$(subst $(empty) ,:,$(patsubst 
../$(subdir),.,$(rpath-dirs:%=$(common-objpfx)%)))
  else  # build-static
 diff --git a/NEWS b/NEWS
-index b11422b060..90d090ea77 100644
+index b11422b060..89d0935beb 100644
 --- a/NEWS
 +++ b/NEWS
-@@ -5,6 +5,34 @@ See the end for copying conditions.
+@@ -5,6 +5,36 @@ See the end for copying conditions.
  Please send GNU C library bug reports via 
  using `glibc' in the "product" field.
  
@@ -56,6 +56,8 @@ index b11422b060..90d090ea77 100644
 +  [32981] ports: elf/tst-execstack-prog-static-tunable fails on
 +sparc64-linux-gnu
 +  [32987] elf: Fix subprocess status handling for tst-dlopen-sgid
++  [33164] iconv -o should not create executable files
++  [33185] Fix double-free after allocation failure in regcomp
 +
  Version 2.41
  
@@ -1589,6 +1591,43 @@ index 9f5990f340..8df6f5906e 100644
 +glibc.rtld.execstack: 1 (min: 0, max: 2)
  glibc.rtld.nns: 0x4 (min: 0x1, max: 0x10)
  glibc.rtld.optional_static_tls: 0x200 (min: 0x0, max: 0x[f]+)
+diff --git a/iconv/iconv_prog.c b/iconv/iconv_prog.c
+index 7dba5d8dff..558cfb11a3 100644
+--- a/iconv/iconv_prog.c
 b/iconv/iconv_prog.c
+@@ -436,7 +436,7 @@ input_error (const char *path)
+ static void
+ open_output_direct (void)
+ {
+-  output_fd = open64 (output_file, O_WRONLY | O_CREAT | O_TRUNC, 0777);
++  output_fd = open64 (output_file, O_WRONLY | O_CREAT | O_TRUNC, 0666);
+   if (output_fd < 0)
+ output_error ();
+ }
+@@ -457,7 +457,7 @@ prepare_output_file (char **argv)
+   else
+ {
+   /* If iconv creates the output file, no overlap is possible.  */
+-  output_fd = open64 (output_file, O_WRONLY | O_CREAT | O_EXCL, 0777);
++  output_fd = open64 (output_file, O_WRONLY | O_CREAT | O_EXCL, 0666);
+   if (output_fd >= 0)
+   output_buffer_size = copy_buffer_size;
+   else
+diff --git a/iconv/tst-iconv_prog-buffer.sh b/iconv/tst-iconv_prog-buffer.sh
+index 1c499d590d..40340c38fa 100644
+--- a/iconv/tst-iconv_prog-buffer.sh
 b/iconv/tst-iconv_prog-buffer.sh
+@@ -75,6 +75,10 @@ run_iconv () {
+ }
+ 
+ check_out_expected () {
++if test -x "$tmp/out" ; then
++  echo "error: iconv output file is executable"
++  failure=true
++fi
+ if ! cmp -s "$tmp/out" "$tmp/expected" ; then
+ echo "error: iconv output difference" >&$logfd
+ echo "*** expected ***" >&$logfd
 diff --git a/math/auto-libm-test-in b/math/auto-libm-test-in
 index 01ba689aa8..4f194da19d 100644
 --- a/math/auto-libm-test-in
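Review bot: in the added test check, `echo "error: iconv output file is executable"` is not redirected to `>&$logfd` the way the neighbouring `echo "error: iconv output difference" >&$logfd` is, so the message lands on the script's stdout instead of the test log; add the redirection for consistency with the surrounding check. The fix itself looks right: both `open64` calls, the `O_TRUNC` one in `open_output_direct` and the `O_EXCL` one in `prepare_output_file`, move from mode 0777 to 0666, and since the mode is still subject to the process umask a typical 022 umask now yields 0644, with no execute bit on either creation path.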
@@ -1797,6 +1836,18 @@ index e98e2df152..43dd16d59c 100644
iattr->stacksize = to - (size_t) iattr->stackaddr;
  #endif
  /* We succeed and no need to look further.  */
+diff --git a/posix/Makefile b/posix/Makefile
+index a650abf598..0e209a7ed0 100644
+--- a/posix/Makefile
 b/posix/Makefile
+@@ -303,6 +303,7 @@ tests := \
+   tst-posix_spawn-setsid \
+   tst-preadwrite \
+   tst-preadwrite64 \
++  tst-regcomp-bracket-free \
+   tst-regcomp-truncated \
+   tst-regex \
+   tst-regex2 \
 diff --git a/posix/environ.c b/posix/environ.c
 index a0ed0d80ea..924effe3c
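Review bot: this hunk only registers `tst-regcomp-bracket-free` in the posix test list (correctly placed before `tst-regcomp-truncated` in the sorted list); neither the test's source file nor the regcomp change that fixes the double-free is visible in this part of the debdiff, which is cut off after the `posix/environ.c` file header, so verify that the complete debdiff attached to the bug includes the test source and the regcomp hunk before approving.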