glibc - Debian Package Tracker

general

source: glibc (main)
version: 2.32-4
maintainer: GNU Libc Maintainers (archive) (DMD)
uploaders: Aurelien Jarno [DMD] – Clint Adams [DMD] – Samuel Thibault [DMD]
arch: all any
std-ver: 4.2.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.24-11+deb9u4
o-o-sec: 2.24-11+deb9u1
oldstable: 2.28-10
stable: 2.31-13+deb11u2
testing: 2.32-4
unstable: 2.32-4
exp: 2.33-0experimental2

versioned links

2.24-11+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.24-11+deb9u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.28-10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.31-13+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.32-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.33-0experimental2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

glibc-doc (8 bugs: 0, 2, 6, 0)
glibc-source (1 bugs: 0, 0, 1, 0)
libc-bin (26 bugs: 0, 11, 15, 0)
libc-dev-bin (2 bugs: 0, 1, 1, 0)
libc-devtools
libc-l10n
libc0.1
libc0.1-dbg
libc0.1-dev
libc0.1-dev-i386
libc0.1-i386
libc0.1-udeb
libc0.3
libc0.3-dbg
libc0.3-dev
libc0.3-udeb
libc6 (224 bugs: 0, 157, 67, 0)
libc6-amd64 (2 bugs: 0, 2, 0, 0)
libc6-dbg (1 bugs: 0, 0, 1, 0)
libc6-dev (33 bugs: 0, 19, 14, 0)
libc6-dev-amd64
libc6-dev-i386
libc6-dev-mips32
libc6-dev-mips64
libc6-dev-mipsn32
libc6-dev-powerpc
libc6-dev-ppc64
libc6-dev-s390
libc6-dev-sparc
libc6-dev-sparc64
libc6-dev-x32
libc6-i386 (2 bugs: 0, 1, 1, 0)
libc6-mips32
libc6-mips64
libc6-mipsn32
libc6-powerpc
libc6-ppc64
libc6-s390
libc6-sparc
libc6-sparc64
libc6-udeb
libc6-x32 (1 bugs: 0, 1, 0, 0)
libc6.1
libc6.1-alphaev67
libc6.1-dbg
libc6.1-dev
libc6.1-udeb
locales (51 bugs: 0, 31, 20, 0)
locales-all (2 bugs: 0, 2, 0, 0)
nscd (28 bugs: 0, 25, 3, 0)

action needed

A new upstream version is available: 2.34 high

A new upstream version 2.34 is available, you should consider packaging it.

Created: 2021-08-24 Last update: 2021-10-28 08:34

The VCS repository is not up to date, push the missing commits. high

vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS are out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (remote HEAD branch), which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate what branch is used for the Debian packaging.

Created: 2021-09-06 Last update: 2021-10-26 23:41

lintian reports 14 errors and 40 warnings high

Lintian reports 14 errors and 40 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-05-27 Last update: 2021-10-13 21:31

38 bugs tagged patch in the BTS normal

The BTS contains patches fixing 38 bugs (44 if counting merged bugs), consider including or untagging them.

Created: 2021-08-14 Last update: 2021-10-28 11:31

Fails to build during reproducibility testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2021-09-23 Last update: 2021-10-28 09:00

12 low-priority security issues in buster low

There are 12 open security issues in buster.

12 issues left for the package maintainer to handle:

CVE-2020-1751: (needs triaging) An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.
CVE-2020-1752: (needs triaging) A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.
CVE-2020-6096: (needs triaging) An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.
CVE-2021-3326: (needs triaging) The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.
CVE-2016-10228: (needs triaging) The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.
CVE-2019-19126: (needs triaging) On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.
CVE-2019-25013: (needs triaging) The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.
CVE-2020-10029: (needs triaging) The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.
CVE-2020-27618: (needs triaging) The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228.
CVE-2021-27645: (needs triaging) The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.
CVE-2021-33574: (needs triaging) The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.
CVE-2021-35942: (needs triaging) The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2021-10-09 14:05

1 low-priority security issue in bullseye low

There is 1 open security issue in bullseye.

1 issue left for the package maintainer to handle:

CVE-2021-33574: (needs triaging) The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.

You can find information about how to handle this issue in the security team's documentation.

Created: 2021-08-14 Last update: 2021-10-09 14:05

Build log checks report 3 warnings low

Build log checks report 3 warnings

Created: 2021-09-20 Last update: 2021-09-21 08:00

Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2020-02-26 Last update: 2020-10-12 03:33

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.0 instead of 4.2.1).

Created: 2018-12-23 Last update: 2021-09-20 01:06

testing migrations

This package will soon be part of the glibc-2.33 transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2021-10-02] Accepted glibc 2.31-13+deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Aurelien Jarno)
[2021-10-01] Accepted glibc 2.31-13+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Aurelien Jarno)
[2021-09-22] Accepted glibc 2.33-0experimental2 (source) into experimental (Aurelien Jarno)
[2021-09-22] glibc 2.32-4 MIGRATED to testing (Debian testing watch)
[2021-09-19] Accepted glibc 2.32-4 (source) into unstable (Aurelien Jarno)
[2021-09-15] Accepted glibc 2.33-0experimental1 (source) into experimental (Aurelien Jarno)
[2021-09-14] Accepted glibc 2.32-3 (source) into unstable (Aurelien Jarno)
[2021-09-07] Accepted glibc 2.32-2 (source) into unstable (Aurelien Jarno)
[2021-09-06] Accepted glibc 2.33-0experimental0 (source) into experimental (Aurelien Jarno)
[2021-09-05] Accepted glibc 2.32-1 (source) into unstable (Aurelien Jarno)
[2021-08-28] glibc 2.31-17 MIGRATED to testing (Debian testing watch)
[2021-08-24] Accepted glibc 2.32-0experimental1 (source) into experimental (Aurelien Jarno)
[2021-08-23] Accepted glibc 2.31-17 (source) into unstable (Aurelien Jarno)
[2021-08-21] Accepted glibc 2.32-0experimental0 (source) into experimental (Aurelien Jarno)
[2021-08-18] Accepted glibc 2.31-16 (source) into unstable (Aurelien Jarno)
[2021-08-17] Accepted glibc 2.31-15 (source) into unstable (Aurelien Jarno)
[2021-08-17] Accepted glibc 2.31-14 (source) into unstable (Aurelien Jarno)
[2021-07-25] glibc 2.31-13 MIGRATED to testing (Debian testing watch)
[2021-07-06] Accepted glibc 2.31-13 (source) into unstable (Aurelien Jarno)
[2021-05-20] glibc 2.31-12 MIGRATED to testing (Debian testing watch)
[2021-05-01] Accepted glibc 2.31-12 (source) into unstable (Aurelien Jarno)
[2021-04-04] glibc 2.31-11 MIGRATED to testing (Debian testing watch)
[2021-03-31] Accepted glibc 2.31-11 (source) into unstable (Aurelien Jarno)
[2021-03-26] glibc 2.31-10 MIGRATED to testing (Debian testing watch)
[2021-03-21] Accepted glibc 2.31-10 (source) into unstable (Aurelien Jarno)
[2021-01-10] glibc 2.31-9 MIGRATED to testing (Debian testing watch)
[2021-01-10] glibc 2.31-9 MIGRATED to testing (Debian testing watch)
[2021-01-05] Accepted glibc 2.31-9 (source) into unstable (Aurelien Jarno)
[2021-01-04] Accepted glibc 2.31-8 (source amd64) into experimental, experimental (Debian FTP Masters) (signed by: Aurelien Jarno)
[2021-01-03] Accepted glibc 2.31-7 (source) into unstable (Aurelien Jarno)

bugs [bug history graph]

all: 441 469
RC: 1 4
I&N: 284 303
M&W: 152 158
F&P: 4
patch: 38 44

links

homepage
lintian (14, 40)
buildd: logs, exp, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
l10n (80, 97)
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.34-0ubuntu3
385 bugs (5 patches)