glibc - Debian Package Tracker

general

source: glibc (main)
version: 2.33-2
maintainer: GNU Libc Maintainers (archive) (DMD)
uploaders: Aurelien Jarno [DMD] – Clint Adams [DMD] – Samuel Thibault [DMD]
arch: all any
std-ver: 4.2.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.24-11+deb9u4
o-o-sec: 2.24-11+deb9u1
oldstable: 2.28-10
stable: 2.31-13+deb11u2
testing: 2.33-2
unstable: 2.33-2
exp: 2.34-0experimental2

versioned links

2.24-11+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.24-11+deb9u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.28-10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.31-13+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.33-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.34-0experimental2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

glibc-doc (8 bugs: 0, 2, 6, 0)
glibc-source (1 bugs: 0, 0, 1, 0)
libc-bin (26 bugs: 0, 11, 15, 0)
libc-dev-bin (2 bugs: 0, 1, 1, 0)
libc-devtools
libc-l10n
libc0.1
libc0.1-dbg
libc0.1-dev
libc0.1-dev-i386
libc0.1-i386
libc0.1-udeb
libc0.3
libc0.3-dbg
libc0.3-dev
libc0.3-udeb
libc6 (227 bugs: 2, 157, 68, 0)
libc6-amd64 (2 bugs: 0, 2, 0, 0)
libc6-dbg (1 bugs: 0, 0, 1, 0)
libc6-dev (33 bugs: 0, 19, 14, 0)
libc6-dev-amd64
libc6-dev-i386
libc6-dev-mips32
libc6-dev-mips64
libc6-dev-mipsn32
libc6-dev-powerpc
libc6-dev-ppc64
libc6-dev-s390
libc6-dev-sparc
libc6-dev-sparc64
libc6-dev-x32
libc6-i386 (2 bugs: 0, 1, 1, 0)
libc6-mips32
libc6-mips64
libc6-mipsn32
libc6-powerpc
libc6-ppc64
libc6-s390
libc6-sparc
libc6-sparc64
libc6-udeb
libc6-x32 (1 bugs: 0, 1, 0, 0)
libc6.1
libc6.1-alphaev67
libc6.1-dbg
libc6.1-dev
libc6.1-udeb
locales (49 bugs: 0, 29, 20, 0)
locales-all (3 bugs: 0, 2, 1, 0)
nscd (29 bugs: 0, 26, 3, 0)

action needed

A new upstream version is available: 2.34 high

A new upstream version 2.34 is available, you should consider packaging it.

Created: 2021-08-24 Last update: 2022-01-18 08:07

23 security issues in stretch high

There are 23 open security issues in stretch.

4 important issues:

CVE-2021-3998:
CVE-2021-3999:
CVE-2022-23218: The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
CVE-2022-23219: The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

19 issues postponed or untriaged:

CVE-2009-5155: (needs triaging) In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.
CVE-2018-6485: (needs triaging) An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.
CVE-2018-6551: (needs triaging) The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.
CVE-2019-9169: (needs triaging) In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.
CVE-2020-1751: (needs triaging) An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.
CVE-2020-1752: (needs triaging) A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.
CVE-2020-6096: (needs triaging) An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.
CVE-2021-3326: (needs triaging) The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.
CVE-2016-10228: (needs triaging) The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.
CVE-2016-10739: (needs triaging) In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.
CVE-2017-12132: (needs triaging) The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.
CVE-2019-19126: (needs triaging) On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.
CVE-2019-25013: (postponed; to be fixed through a stable update) The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.
CVE-2020-10029: (needs triaging) The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.
CVE-2020-27618: (needs triaging) The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228.
CVE-2021-27645: (needs triaging) The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.
CVE-2021-33574: (needs triaging) The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.
CVE-2021-35942: (needs triaging) The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.
CVE-2018-1000001: (postponed; to be fixed through a stable update) In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.

Created: 2022-01-14 Last update: 2022-01-17 20:31

4 security issues in sid high

There are 4 open security issues in sid.

4 important issues:

CVE-2021-3998:
CVE-2021-3999:
CVE-2022-23218: The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
CVE-2022-23219: The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

Created: 2022-01-14 Last update: 2022-01-17 20:31

4 security issues in bookworm high

There are 4 open security issues in bookworm.

4 important issues:

CVE-2021-3998:
CVE-2021-3999:
CVE-2022-23218: The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
CVE-2022-23219: The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

Created: 2022-01-14 Last update: 2022-01-17 20:31

The VCS repository is not up to date, push the missing commits. high

vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS are out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (remote HEAD branch), which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate what branch is used for the Debian packaging.

Created: 2021-12-13 Last update: 2022-01-16 22:42

lintian reports 28 errors and 91 warnings high

Lintian reports 28 errors and 91 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-05-27 Last update: 2022-01-01 04:32

38 bugs tagged patch in the BTS normal

The BTS contains patches fixing 38 bugs (45 if counting merged bugs), consider including or untagging them.

Created: 2021-08-14 Last update: 2022-01-18 11:01

Fails to build during reproducibility testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2021-09-23 Last update: 2022-01-18 10:36

16 low-priority security issues in buster low

There are 16 open security issues in buster.

16 issues left for the package maintainer to handle:

CVE-2020-1751: (needs triaging) An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.
CVE-2020-1752: (needs triaging) A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.
CVE-2020-6096: (needs triaging) An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.
CVE-2021-3326: (needs triaging) The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.
CVE-2021-3998: (needs triaging)
CVE-2021-3999: (needs triaging)
CVE-2016-10228: (needs triaging) The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.
CVE-2019-19126: (needs triaging) On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.
CVE-2019-25013: (needs triaging) The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.
CVE-2020-10029: (needs triaging) The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.
CVE-2020-27618: (needs triaging) The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228.
CVE-2021-27645: (needs triaging) The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.
CVE-2021-33574: (needs triaging) The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.
CVE-2021-35942: (needs triaging) The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.
CVE-2022-23218: (needs triaging) The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
CVE-2022-23219: (needs triaging) The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2022-01-17 20:31

5 low-priority security issues in bullseye low

There are 5 open security issues in bullseye.

5 issues left for the package maintainer to handle:

CVE-2021-3998: (needs triaging)
CVE-2021-3999: (needs triaging)
CVE-2021-33574: (needs triaging) The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.
CVE-2022-23218: (needs triaging) The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
CVE-2022-23219: (needs triaging) The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-08-14 Last update: 2022-01-17 20:31

Build log checks report 3 warnings low

Build log checks report 3 warnings

Created: 2021-09-20 Last update: 2022-01-07 16:27

Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2020-02-26 Last update: 2020-10-12 03:33

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.0 instead of 4.2.1).

Created: 2018-12-23 Last update: 2022-01-07 07:37

news

[rss feed]

[2022-01-13] glibc 2.33-2 MIGRATED to testing (Debian testing watch)
[2022-01-06] Accepted glibc 2.33-2 (source) into unstable (Aurelien Jarno)
[2021-12-19] Accepted glibc 2.34-0experimental2 (source) into experimental (Aurelien Jarno)
[2021-12-17] Accepted glibc 2.34-0experimental1 (source) into experimental (Aurelien Jarno)
[2021-12-17] glibc 2.33-1 MIGRATED to testing (Debian testing watch)
[2021-12-12] Accepted glibc 2.34-0experimental0 (source) into experimental (Aurelien Jarno)
[2021-12-12] Accepted glibc 2.33-1 (source) into unstable (Aurelien Jarno)
[2021-12-08] glibc 2.32-5 MIGRATED to testing (Debian testing watch)
[2021-12-05] Accepted glibc 2.33-0experimental3 (source) into experimental (Aurelien Jarno)
[2021-12-05] Accepted glibc 2.32-5 (source) into unstable (Aurelien Jarno)
[2021-10-02] Accepted glibc 2.31-13+deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Aurelien Jarno)
[2021-10-01] Accepted glibc 2.31-13+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Aurelien Jarno)
[2021-09-22] Accepted glibc 2.33-0experimental2 (source) into experimental (Aurelien Jarno)
[2021-09-22] glibc 2.32-4 MIGRATED to testing (Debian testing watch)
[2021-09-19] Accepted glibc 2.32-4 (source) into unstable (Aurelien Jarno)
[2021-09-15] Accepted glibc 2.33-0experimental1 (source) into experimental (Aurelien Jarno)
[2021-09-14] Accepted glibc 2.32-3 (source) into unstable (Aurelien Jarno)
[2021-09-07] Accepted glibc 2.32-2 (source) into unstable (Aurelien Jarno)
[2021-09-06] Accepted glibc 2.33-0experimental0 (source) into experimental (Aurelien Jarno)
[2021-09-05] Accepted glibc 2.32-1 (source) into unstable (Aurelien Jarno)
[2021-08-28] glibc 2.31-17 MIGRATED to testing (Debian testing watch)
[2021-08-24] Accepted glibc 2.32-0experimental1 (source) into experimental (Aurelien Jarno)
[2021-08-23] Accepted glibc 2.31-17 (source) into unstable (Aurelien Jarno)
[2021-08-21] Accepted glibc 2.32-0experimental0 (source) into experimental (Aurelien Jarno)
[2021-08-18] Accepted glibc 2.31-16 (source) into unstable (Aurelien Jarno)
[2021-08-17] Accepted glibc 2.31-15 (source) into unstable (Aurelien Jarno)
[2021-08-17] Accepted glibc 2.31-14 (source) into unstable (Aurelien Jarno)
[2021-07-25] glibc 2.31-13 MIGRATED to testing (Debian testing watch)
[2021-07-06] Accepted glibc 2.31-13 (source) into unstable (Aurelien Jarno)
[2021-05-20] glibc 2.31-12 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 442 469
RC: 3 4
I&N: 282 302
M&W: 154 160
F&P: 3
patch: 38 45

links

homepage
lintian (28, 91)
buildd: logs, exp, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
l10n (80, 97)
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.34-0ubuntu3
391 bugs (5 patches)
patches for 2.34-0ubuntu3