• Bug#1109945: bookworm-pu: package glibc/2.36-9+deb12u13

    From Aurelien Jarno@21:1/5 to All on Sun Jul 27 00:00:01 2025
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    Tags: bookworm
    X-Debbugs-Cc: [email protected]
    Control: affects -1 + src:glibc
    User: [email protected]
    Usertags: pu

    [ Reason ]
    The reason that triggered this upload is a security issue in regcomp (CVE-2025-8058) that got fixed in the upstream stable branch. It also
    includes some improvements to the testsuite with regards to SGID tests.

    [ Impact ]
    If the unblock isn't granted, systems will be vulnerable to
    CVE-2025-8058.

    [ Tests ]
    A new test has been added for the regcomp change.

    [ Risks ]
    Risks are quite low; besides the new test and testsuite improvement, the changes are only a few lines and thus easily reviewable.

    [ Checklist ]
    [x] *all* changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in (old)stable
    [x] the issue is verified as fixed in unstable

    [ Changes ]
    There are two changes in the upstream stable branch, and no debian
    specific change.

    The double-free after allocation failure in regcomp could happen if some previous allocation fails. This might allow buffer manipulation by using
    an interposed malloc that injects random malloc failures and specially constructing the regex.

    The SGID test improvements fix false negatives in SGID tests. This
    is done by improving the test framework and replacing open-coded parts
    with calls to the framework. This only improves the testsuite and does
    not change the binaries shipped in the packages.

    diff --git a/debian/changelog b/debian/changelog
    index c5550316..d3e7c05b 100644
    --- a/debian/changelog
    +++ b/debian/changelog
    @@ -1,3 +1,12 @@
    +glibc (2.36-9+deb12u13) bookworm; urgency=medium
    +
    + * debian/patches/git-updates.diff: update from upstream stable branch:
    + - Fix error reporting (false negatives) in SGID tests
    + - Fix double-free after allocation failure in regcomp (GLIBC-SA-2025-0005 + / CVE-2025-8058). Closes: #1109803.
    +
    + -- Aurelien Jarno <[email protected]> Sat, 26 Jul 2025 23:37:52 +0200
    +
    glibc (2.36-9+deb12u12) bookworm; urgency=medium

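    Review bot: the changelog entry names the two upstream changes but does not say that the SGID test fix is testsuite-only; adding "(testsuite only, no change to shipped binaries)" to the "Fix error reporting (false negatives) in SGID tests" line would let a stable reviewer reading the changelog alone see that the only runtime behaviour change in this upload is the regcomp double-free fix, as the [ Changes ] section above states.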
    * d/p/local-revert-aarch64-use-prefer_sve_ifuncs-for-sve-memset.diff: revert diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff index 57d9065b..361d0520 100644
    --- a/debian/patches/git-updates.diff
    +++ b/debian/patches/git-updates.diff
    @@ -85,10 +85,10 @@ index d1e139d03c..09c0cf8357 100644
    else # -s
    verbose :=
    diff --git a/NEWS b/NEWS
    -index f61e521fc8..5efe374819 100644
    +index f61e521fc8..60ac79f4e6 100644
    --- a/NEWS
    +++ b/NEWS
    -@@ -5,6 +5,116 @
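    Review bot: this hunk only shows the NEWS blob index moving from 5efe374819 to 60ac79f4e6 and is cut off at "-@@ -5,6 +5,116 @", so neither the NEWS text nor the regcomp and SGID-test changes themselves are visible in this debdiff excerpt; the regcomp change should be reviewed in the full debdiff, checking that the allocation-failure path releases each buffer exactly once, since a double-free after a failed allocation is the defect the cover text describes.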
  • From Jonathan Wiltshire@21:1/5 to All on Mon Jul 28 23:30:01 2025
    XPost: linux.debian.maint.boot, linux.debian.devel.release

    Control: tag -1 d-i moreinfo

    I'm OK with this, but d-i ack needed for the udebs.

    Thanks,

    --
    Jonathan Wiltshire [email protected]
    Debian Developer http://people.debian.org/~jmw

    4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
