Debian Package Tracker

general

source: glibc (main)
version: 2.29-2
maintainer: GNU Libc Maintainers (archive) (DMD)
uploaders: Samuel Thibault [DMD] – Aurelien Jarno [DMD] – Adam Conrad [DMD] – Clint Adams [DMD]
arch: all any
std-ver: 4.2.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.19-18+deb8u10
o-o-sec: 2.19-18+deb8u10
oldstable: 2.24-11+deb9u4
old-sec: 2.24-11+deb9u1
stable: 2.28-10
testing: 2.29-2
unstable: 2.29-2

versioned links

2.19-18+deb8u10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.24-11+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.24-11+deb9u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.28-10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.29-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

glibc-doc (8 bugs: 0, 2, 6, 0)
glibc-source (1 bugs: 0, 0, 1, 0)
libc-bin (23 bugs: 0, 8, 15, 0)
libc-dev-bin (2 bugs: 0, 1, 1, 0)
libc-l10n
libc0.1
libc0.1-dbg
libc0.1-dev
libc0.1-dev-i386
libc0.1-i386
libc0.1-pic
libc0.1-udeb
libc0.3
libc0.3-dbg
libc0.3-dev
libc0.3-pic
libc0.3-udeb
libc0.3-xen
libc6 (228 bugs: 0, 157, 71, 0)
libc6-amd64 (2 bugs: 0, 2, 0, 0)
libc6-dbg (1 bugs: 0, 0, 1, 0)
libc6-dev (33 bugs: 0, 19, 14, 0)
libc6-dev-amd64
libc6-dev-i386 (1 bugs: 0, 1, 0, 0)
libc6-dev-mips32
libc6-dev-mips64
libc6-dev-mipsn32
libc6-dev-powerpc
libc6-dev-ppc64
libc6-dev-s390
libc6-dev-sparc
libc6-dev-sparc64
libc6-dev-x32
libc6-i386 (2 bugs: 0, 1, 1, 0)
libc6-mips32
libc6-mips64
libc6-mipsn32
libc6-pic
libc6-powerpc
libc6-ppc64
libc6-s390
libc6-sparc
libc6-sparc64
libc6-udeb (1 bugs: 1, 0, 0, 0)
libc6-x32 (1 bugs: 0, 1, 0, 0)
libc6-xen
libc6.1
libc6.1-alphaev67
libc6.1-dbg
libc6.1-dev
libc6.1-pic
libc6.1-udeb
locales (54 bugs: 0, 31, 23, 0)
locales-all (2 bugs: 0, 2, 0, 0)
nscd (28 bugs: 0, 24, 4, 0)

action needed

Debci reports failed tests high

unstable: fail (log)
The tests ran in 1:00:49
Last run: 2019-10-13 21:00:43 UTC
Previous status: fail

testing: fail (log)
The tests ran in an unknown time
Last run: None
Previous status: None

Created: 2019-09-10 Last update: 2019-10-17 02:05

A new upstream version is available: 2.30 high

A new upstream version 2.30 is available, you should consider packaging it.

Created: 2019-02-01 Last update: 2019-10-17 00:03

lintian reports 1 error and 135 warnings high

Lintian reports 1 error and 135 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2019-10-01 Last update: 2019-10-01 04:11

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2016-10228: The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.

Please fix it.

Created: 2019-07-07 Last update: 2019-09-28 00:06

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2016-10228: The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.

Please fix it.

Created: 2017-03-01 Last update: 2019-09-28 00:06

41 bugs tagged patch in the BTS normal

The BTS contains patches fixing 41 bugs (44 if counting merged bugs), consider including or untagging them.

Created: 2019-04-01 Last update: 2019-10-17 02:31

1 ignored security issue in buster low

There is 1 open security issue in buster.

1 issue skipped by the security teams:

CVE-2016-10228: The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.

Please fix it.

Created: 2017-06-18 Last update: 2019-09-28 00:06

18 ignored security issues in jessie low

There are 18 open security issues in jessie.

18 issues skipped by the security teams:

CVE-2018-6485: An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.
CVE-2017-1000408: A memory leak in glibc 2.1.1 (released on May 24, 1999) can be reached and amplified through the LD_HWCAP_MASK environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.
CVE-2017-15671: The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak).
CVE-2017-1000409: A buffer overflow in glibc 2.5 (released on September 29, 2006) and can be triggered through the LD_LIBRARY_PATH environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.
CVE-2017-15804: The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator.
CVE-2017-12133: Use-after-free vulnerability in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) before 2.26 allows remote attackers to have unspecified impact via vectors related to error path.
CVE-2017-12132: The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.
CVE-2015-5180: res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).
CVE-2017-16997: elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the "./" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.
CVE-2018-1000001: In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
CVE-2019-9169: In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.
CVE-2009-5155: In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.
CVE-2017-15670: The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string.
CVE-2014-9761: Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6) before 2.23 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long argument to the (1) nan, (2) nanf, or (3) nanl function.
CVE-2016-10228: The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.
CVE-2018-11236: stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.
CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.
CVE-2016-10739: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.

Please fix them.

Created: 2015-07-12 Last update: 2019-09-28 00:06

8 ignored security issues in stretch low

There are 8 open security issues in stretch.

8 issues skipped by the security teams:

CVE-2018-6485: An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.
CVE-2018-6551: The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.
CVE-2017-12132: The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.
CVE-2018-1000001: In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
CVE-2019-9169: In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.
CVE-2009-5155: In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.
CVE-2016-10228: The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.
CVE-2016-10739: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.

Please fix them.

Created: 2017-03-01 Last update: 2019-09-28 00:06

Build log checks report 3 warnings low

Build log checks report 3 warnings

Created: 2017-10-26 Last update: 2018-11-29 12:27

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.4.1 instead of 4.2.1).

Created: 2018-12-23 Last update: 2019-09-29 23:40

news

[rss feed]

[2019-09-28] glibc 2.29-2 MIGRATED to testing (Debian testing watch)
[2019-09-21] Accepted glibc 2.29-2 (source) into unstable (Aurelien Jarno)
[2019-09-15] glibc 2.29-1 MIGRATED to testing (Debian testing watch)
[2019-09-08] Accepted glibc 2.29-1 (source) into unstable (Aurelien Jarno)
[2019-08-21] Accepted glibc 2.29-0experimental1 (source) into experimental (Aurelien Jarno)
[2019-08-16] Accepted glibc 2.29-0experimental0 (source) into experimental (Aurelien Jarno)
[2019-05-06] glibc 2.28-10 MIGRATED to testing (Debian testing watch)
[2019-05-01] Accepted glibc 2.28-10 (source) into unstable (Aurelien Jarno)
[2019-04-25] Accepted glibc 2.28-9 (source) into unstable (Aurelien Jarno)
[2019-03-11] glibc 2.28-8 MIGRATED to testing (Debian testing watch)
[2019-02-28] Accepted glibc 2.28-8 (source) into unstable (Samuel Thibault)
[2019-02-20] glibc 2.28-7 MIGRATED to testing (Debian testing watch)
[2019-02-20] glibc 2.28-7 MIGRATED to testing (Debian testing watch)
[2019-02-09] Accepted glibc 2.24-11+deb9u4 (source) into proposed-updates->stable-new, proposed-updates (Aurelien Jarno)
[2019-02-09] Accepted glibc 2.28-7 (source) into unstable (Samuel Thibault)
[2019-02-09] glibc 2.28-6 MIGRATED to testing (Debian testing watch)
[2019-02-05] Accepted glibc 2.28-6 (source) into unstable (Aurelien Jarno)
[2019-01-15] glibc 2.28-5 MIGRATED to testing (Debian testing watch)
[2019-01-13] glibc 2.28-4 MIGRATED to testing (Debian testing watch)
[2019-01-12] Accepted glibc 2.28-5 (source) into unstable (Aurelien Jarno)
[2018-12-29] Accepted glibc 2.28-4 (source) into unstable (Aurelien Jarno)
[2018-12-17] glibc 2.28-2 MIGRATED to testing (Debian testing watch)
[2018-12-16] Accepted glibc 2.28-3 (source) into unstable (Aurelien Jarno)
[2018-12-05] Accepted glibc 2.28-2 (source) into unstable (Aurelien Jarno)
[2018-11-29] Accepted glibc 2.28-1 (source) into unstable (Aurelien Jarno)
[2018-11-12] Accepted glibc 2.28-0experimental1 (source) into experimental (Aurelien Jarno)
[2018-11-02] glibc 2.27-8 MIGRATED to testing (Debian testing watch)
[2018-10-29] Accepted glibc 2.28-0experimental0 (source) into experimental (Aurelien Jarno)
[2018-10-29] Accepted glibc 2.27-8 (source) into unstable (Samuel Thibault)
[2018-10-28] Accepted glibc 2.27-7 (source) into unstable (Samuel Thibault)

bugs [bug history graph]

all: 447 477
RC: 2 5
I&N: 287 302
M&W: 158 170
F&P: 0
patch: 41 44

links

homepage
lintian (1, 135)
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.30-0ubuntu2
348 bugs (5 patches)
patches for 2.30-0ubuntu2