glibc - Debian Package Tracker

general

source: glibc (main)
version: 2.31-9
maintainer: GNU Libc Maintainers (archive) (DMD)
uploaders: Adam Conrad [DMD] – Aurelien Jarno [DMD] – Clint Adams [DMD] – Samuel Thibault [DMD]
arch: all any
std-ver: 4.2.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.19-18+deb8u10
o-o-sec: 2.19-18+deb8u10
oldstable: 2.24-11+deb9u4
old-sec: 2.24-11+deb9u1
stable: 2.28-10
testing: 2.31-9
unstable: 2.31-9

versioned links

2.19-18+deb8u10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.24-11+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.24-11+deb9u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.28-10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.31-9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

glibc-doc (8 bugs: 0, 2, 6, 0)
glibc-source (1 bugs: 0, 0, 1, 0)
libc-bin (25 bugs: 0, 9, 16, 0)
libc-dev-bin (2 bugs: 0, 1, 1, 0)
libc-devtools
libc-l10n
libc0.1
libc0.1-dbg
libc0.1-dev
libc0.1-dev-i386
libc0.1-i386
libc0.1-udeb
libc0.3
libc0.3-dbg
libc0.3-dev
libc0.3-udeb
libc0.3-xen
libc6 (229 bugs: 0, 160, 69, 0)
libc6-amd64 (2 bugs: 0, 2, 0, 0)
libc6-dbg (1 bugs: 0, 0, 1, 0)
libc6-dev (38 bugs: 0, 23, 15, 0)
libc6-dev-amd64
libc6-dev-i386
libc6-dev-mips32
libc6-dev-mips64
libc6-dev-mipsn32
libc6-dev-powerpc
libc6-dev-ppc64
libc6-dev-s390
libc6-dev-sparc
libc6-dev-sparc64
libc6-dev-x32
libc6-i386 (3 bugs: 0, 2, 1, 0)
libc6-mips32
libc6-mips64
libc6-mipsn32
libc6-powerpc
libc6-ppc64
libc6-s390
libc6-sparc
libc6-sparc64
libc6-udeb
libc6-x32 (1 bugs: 0, 1, 0, 0)
libc6-xen
libc6.1
libc6.1-alphaev67
libc6.1-dbg
libc6.1-dev
libc6.1-udeb
locales (60 bugs: 0, 34, 26, 0)
locales-all (2 bugs: 0, 2, 0, 0)
nscd (28 bugs: 0, 25, 3, 0)

action needed

A new upstream version is available: 2.33 high

A new upstream version 2.33 is available, you should consider packaging it.

Created: 2020-08-08 Last update: 2021-03-01 05:04

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2021-27645: The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.
CVE-2021-3326: The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.

Created: 2021-02-19 Last update: 2021-02-28 06:25

2 security issues in bullseye high

There are 2 open security issues in bullseye.

2 important issues:

CVE-2021-27645: The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.
CVE-2021-3326: The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.

Created: 2021-02-19 Last update: 2021-02-28 06:25

lintian reports 49 warnings high

Lintian reports 49 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2020-09-21 Last update: 2021-01-27 03:02

44 bugs tagged patch in the BTS normal

The BTS contains patches fixing 44 bugs (50 if counting merged bugs), consider including or untagging them.

Created: 2020-10-19 Last update: 2021-03-01 09:31

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 2.31-10, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 6926d1cb8b242d7ddc48255dad08c8e1f1d5013c
Author: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date:   Sat Feb 6 13:16:25 2021 +0100

    libc-udeb.install.hurd-i386: Add missing libmachuser/libhurduser

commit c5c15326c8e0ae8b890142e385227a76cb009a29
Author: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date:   Mon Feb 1 20:01:57 2021 +0100

    hurd tiocflush: Fix fix.

commit 06c6918f61fa71ae3fa73f7d243e46e5cd4243e8
Author: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date:   Mon Feb 1 18:42:47 2021 +0000

    hurd: Cope with BSD 4.1-ish ioctl(..., TIOCFLUSH, NULL)
    
    debian/patches/hurd-i386/git-tiocflush.diff

Created: 2021-02-01 Last update: 2021-02-21 17:34

17 low-priority security issues in stretch low

There are 17 open security issues in stretch.

17 issues left for the package maintainer to handle:

CVE-2009-5155: (needs triaging) In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.
CVE-2016-10228: (needs triaging) The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.
CVE-2016-10739: (needs triaging) In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.
CVE-2017-12132: (needs triaging) The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.
CVE-2018-1000001: (postponed; to be fixed through a stable update) In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
CVE-2018-6485: (needs triaging) An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.
CVE-2018-6551: (needs triaging) The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.
CVE-2019-19126: (needs triaging) On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.
CVE-2019-25013: (postponed; to be fixed through a stable update) The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.
CVE-2019-9169: (needs triaging) In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.
CVE-2020-10029: (needs triaging) The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.
CVE-2020-1751: (needs triaging) An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.
CVE-2020-1752: (needs triaging) A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.
CVE-2020-27618: (needs triaging) The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228.
CVE-2020-6096: (needs triaging) An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.
CVE-2021-27645: (needs triaging) The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.
CVE-2021-3326: (needs triaging) The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2021-02-28 06:25

10 low-priority security issues in buster low

There are 10 open security issues in buster.

10 issues left for the package maintainer to handle:

CVE-2016-10228: (needs triaging) The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.
CVE-2019-19126: (needs triaging) On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.
CVE-2019-25013: (needs triaging) The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.
CVE-2020-10029: (needs triaging) The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.
CVE-2020-1751: (needs triaging) An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.
CVE-2020-1752: (needs triaging) A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.
CVE-2020-27618: (needs triaging) The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228.
CVE-2020-6096: (needs triaging) An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.
CVE-2021-27645: (needs triaging) The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.
CVE-2021-3326: (needs triaging) The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2021-02-28 06:25

Build log checks report 3 warnings low

Build log checks report 3 warnings

Created: 2020-05-11 Last update: 2021-01-06 13:05

Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2020-02-26 Last update: 2020-10-12 03:33

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.1 instead of 4.2.1).

Created: 2018-12-23 Last update: 2021-01-05 13:06

news

[rss feed]

[2021-01-10] glibc 2.31-9 MIGRATED to testing (Debian testing watch)
[2021-01-10] glibc 2.31-9 MIGRATED to testing (Debian testing watch)
[2021-01-05] Accepted glibc 2.31-9 (source) into unstable (Aurelien Jarno)
[2021-01-04] Accepted glibc 2.31-8 (source amd64) into experimental, experimental (Debian FTP Masters) (signed by: Aurelien Jarno)
[2021-01-03] Accepted glibc 2.31-7 (source) into unstable (Aurelien Jarno)
[2020-12-29] glibc 2.31-6 MIGRATED to testing (Debian testing watch)
[2020-12-16] Accepted glibc 2.31-6 (source) into unstable (Samuel Thibault)
[2020-12-06] glibc 2.31-5 MIGRATED to testing (Debian testing watch)
[2020-12-01] Accepted glibc 2.31-5 (source) into unstable (Aurelien Jarno)
[2020-10-18] glibc 2.31-4 MIGRATED to testing (Debian testing watch)
[2020-10-10] Accepted glibc 2.31-4 (source) into unstable (Aurelien Jarno)
[2020-08-12] glibc 2.31-3 MIGRATED to testing (Debian testing watch)
[2020-08-04] Accepted glibc 2.31-3 (source) into unstable (Aurelien Jarno)
[2020-07-29] glibc 2.31-2 MIGRATED to testing (Debian testing watch)
[2020-07-22] Accepted glibc 2.31-2 (source) into unstable (Aurelien Jarno)
[2020-07-21] glibc 2.31-1 MIGRATED to testing (Debian testing watch)
[2020-07-13] Accepted glibc 2.31-1 (source) into unstable (Aurelien Jarno)
[2020-05-18] Accepted glibc 2.31-0experimental2 (source) into experimental (Aurelien Jarno)
[2020-05-16] glibc 2.30-8 MIGRATED to testing (Debian testing watch)
[2020-05-12] Accepted glibc 2.31-0experimental1 (source) into experimental (Aurelien Jarno)
[2020-05-11] Accepted glibc 2.30-8 (source) into unstable (Samuel Thibault)
[2020-05-11] glibc 2.30-7 MIGRATED to testing (Debian testing watch)
[2020-05-05] Accepted glibc 2.30-7 (source) into unstable (Aurelien Jarno)
[2020-05-05] Accepted glibc 2.30-6 (source) into unstable (Aurelien Jarno)
[2020-05-04] Accepted glibc 2.30-5 (source) into unstable (Aurelien Jarno)
[2020-04-03] glibc 2.30-4 MIGRATED to testing (Debian testing watch)
[2020-03-25] Accepted glibc 2.30-4 (source) into unstable (Aurelien Jarno)
[2020-03-24] Accepted glibc 2.30-3 (source) into unstable (Aurelien Jarno)
[2020-03-18] glibc 2.30-2 MIGRATED to testing (Debian testing watch)
[2020-03-12] Accepted glibc 2.30-2 (source) into unstable (Aurelien Jarno)

bugs [bug history graph]

all: 458 490
RC: 1 4
I&N: 297 316
M&W: 158 168
F&P: 2
patch: 44 50

links

homepage
lintian (0, 49)
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
l10n (80, 97)
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.33-0ubuntu2
364 bugs (5 patches)
patches for 2.33-0ubuntu2