Debian Package Tracker

general

source: glibc (main)
version: 2.29-1
maintainer: GNU Libc Maintainers (archive) (DMD)
uploaders: Samuel Thibault [DMD] – Aurelien Jarno [DMD] – Adam Conrad [DMD] – Clint Adams [DMD]
arch: all any
std-ver: 4.2.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.19-18+deb8u10
o-o-sec: 2.19-18+deb8u10
oldstable: 2.24-11+deb9u4
old-sec: 2.24-11+deb9u1
stable: 2.28-10
testing: 2.29-1
unstable: 2.29-1

versioned links

2.19-18+deb8u10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.24-11+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.24-11+deb9u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.28-10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.29-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

glibc-doc (8 bugs: 0, 2, 6, 0)
glibc-source (1 bugs: 0, 0, 1, 0)
libc-bin (22 bugs: 0, 8, 14, 0)
libc-dev-bin (1 bugs: 0, 1, 0, 0)
libc-l10n
libc0.1
libc0.1-dbg
libc0.1-dev
libc0.1-dev-i386
libc0.1-i386
libc0.1-pic
libc0.1-udeb
libc0.3
libc0.3-dbg
libc0.3-dev
libc0.3-pic
libc0.3-udeb
libc0.3-xen
libc6 (231 bugs: 0, 157, 74, 0)
libc6-amd64 (2 bugs: 0, 2, 0, 0)
libc6-dbg (1 bugs: 0, 0, 1, 0)
libc6-dev (33 bugs: 0, 19, 14, 0)
libc6-dev-amd64
libc6-dev-i386 (1 bugs: 0, 1, 0, 0)
libc6-dev-mips32
libc6-dev-mips64
libc6-dev-mipsn32
libc6-dev-powerpc
libc6-dev-ppc64
libc6-dev-s390
libc6-dev-sparc
libc6-dev-sparc64
libc6-dev-x32
libc6-i386 (2 bugs: 0, 1, 1, 0)
libc6-mips32
libc6-mips64
libc6-mipsn32
libc6-pic
libc6-powerpc
libc6-ppc64
libc6-s390
libc6-sparc
libc6-sparc64
libc6-udeb (1 bugs: 1, 0, 0, 0)
libc6-x32 (1 bugs: 0, 1, 0, 0)
libc6-xen
libc6.1
libc6.1-alphaev67
libc6.1-dbg
libc6.1-dev
libc6.1-pic
libc6.1-udeb
locales (54 bugs: 0, 31, 23, 0)
locales-all (2 bugs: 0, 2, 0, 0)
nscd (28 bugs: 0, 24, 4, 0)

action needed

Debci reports failed tests high

unstable: fail (log)
The tests ran in 0h 59m 43s
Last run: 2019-09-15 20:51:37
Previous status: pass

testing: fail (log)
The tests ran in 1h 1m 13s
Last run: 2019-09-14 20:39:54
Previous status: fail

stable: pass (log)
The tests ran in 2h 14m 23s
Last run: 2019-08-29 18:50:19
Previous status: pass

Created: 2019-09-10 Last update: 2019-09-15 23:45

A new upstream version is available: 2.30 high

A new upstream version 2.30 is available, you should consider packaging it.

Created: 2019-02-01 Last update: 2019-09-15 19:16

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2016-10228: The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.

Please fix it.

Created: 2019-07-07 Last update: 2019-09-14 19:00

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2016-10228: The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.

Please fix it.

Created: 2017-03-01 Last update: 2019-09-14 19:00

lintian reports 1 error and 148 warnings high

Lintian reports 1 error and 148 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2019-08-23 Last update: 2019-09-10 02:41

42 bugs tagged patch in the BTS normal

The BTS contains patches fixing 42 bugs (46 if counting merged bugs), consider including or untagging them.

Created: 2019-04-01 Last update: 2019-09-16 00:01

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 2.29-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 4466b9f1b1c8aed78af31a692ef577b7daa7130f
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sat Sep 14 21:43:35 2019 +0200

    debian/patches/git-updates.diff: update from upstream stable branch:
    
    * debian/patches/git-updates.diff: update from upstream stable branch:
      - Fix getegid, geteuid and getppid on alpha with < 5.1 kernels.
        Closes: #939898.

commit 0434ca6692d525b77c6b5a4c6e347c89d6fb907a
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sat Sep 14 21:33:37 2019 +0200

    Fix a typo

commit 43c69fdb52c3287e3f7aba40e2ac679e0195e59d
Author: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date:   Tue Sep 10 21:23:57 2019 +0000

    patches/hurd-i386/submitted-anon-mmap-shared.diff: Re-disable
    
    actually makes some tests fail

commit 366c3309c1907a34a58a24dee4805e57fc60c5a9
Author: Sven Joachim <svenjoac@gmx.de>
Date:   Mon Sep 9 13:46:28 2019 +0200

    Do not restart services of different architecture than libc
    
    Only check services in packages which are of the same architecture, or
    "arch:all".  This is most easily done by replacing the rather
    convoluted way of parsing "dpkg --status" output by switching to a
    more suitable output format of dpkg-query.  As a bonus, awk is no
    longer used in the maintscripts.
    
    Note that services in architecture-independent packages like
    postgresql-common will still be restarted twice, since there is no
    obvious way to tell the architecture of the actual binaries which need
    to be re-executed.

commit 50e8ff033864d87c42dba417e74b6526811446af
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Mon Sep 9 22:36:42 2019 +0200

    debian/control.in/main: drop the <!nocheck> profle from the python3:native build-depends.  Closes: #939871.

Created: 2019-09-09 Last update: 2019-09-14 22:54

1 ignored security issue in buster low

There is 1 open security issue in buster.

1 issue skipped by the security teams:

CVE-2016-10228: The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.

Please fix it.

Created: 2017-06-18 Last update: 2019-09-14 19:00

18 ignored security issues in jessie low

There are 18 open security issues in jessie.

18 issues skipped by the security teams:

CVE-2018-6485: An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.
CVE-2017-1000408: A memory leak in glibc 2.1.1 (released on May 24, 1999) can be reached and amplified through the LD_HWCAP_MASK environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.
CVE-2017-15671: The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak).
CVE-2017-1000409: A buffer overflow in glibc 2.5 (released on September 29, 2006) and can be triggered through the LD_LIBRARY_PATH environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.
CVE-2017-15804: The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator.
CVE-2017-12133: Use-after-free vulnerability in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) before 2.26 allows remote attackers to have unspecified impact via vectors related to error path.
CVE-2017-12132: The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.
CVE-2015-5180: res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).
CVE-2017-16997: elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the "./" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.
CVE-2018-1000001: In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
CVE-2019-9169: In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.
CVE-2009-5155: In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.
CVE-2017-15670: The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string.
CVE-2014-9761: Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6) before 2.23 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long argument to the (1) nan, (2) nanf, or (3) nanl function.
CVE-2016-10228: The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.
CVE-2018-11236: stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.
CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.
CVE-2016-10739: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.

Please fix them.

Created: 2015-07-12 Last update: 2019-09-14 19:00

8 ignored security issues in stretch low

There are 8 open security issues in stretch.

8 issues skipped by the security teams:

CVE-2018-6485: An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.
CVE-2018-6551: The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.
CVE-2017-12132: The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.
CVE-2018-1000001: In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
CVE-2019-9169: In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.
CVE-2009-5155: In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.
CVE-2016-10228: The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.
CVE-2016-10739: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.

Please fix them.

Created: 2017-03-01 Last update: 2019-09-14 19:00

Build log checks report 3 warnings low

Build log checks report 3 warnings

Created: 2017-10-26 Last update: 2018-11-29 12:27

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.4.0 instead of 4.2.1).

Created: 2018-12-23 Last update: 2019-09-09 08:49

news

[rss feed]

[2019-09-15] glibc 2.29-1 MIGRATED to testing (Debian testing watch)
[2019-09-08] Accepted glibc 2.29-1 (source) into unstable (Aurelien Jarno)
[2019-08-21] Accepted glibc 2.29-0experimental1 (source) into experimental (Aurelien Jarno)
[2019-08-16] Accepted glibc 2.29-0experimental0 (source) into experimental (Aurelien Jarno)
[2019-05-06] glibc 2.28-10 MIGRATED to testing (Debian testing watch)
[2019-05-01] Accepted glibc 2.28-10 (source) into unstable (Aurelien Jarno)
[2019-04-25] Accepted glibc 2.28-9 (source) into unstable (Aurelien Jarno)
[2019-03-11] glibc 2.28-8 MIGRATED to testing (Debian testing watch)
[2019-02-28] Accepted glibc 2.28-8 (source) into unstable (Samuel Thibault)
[2019-02-20] glibc 2.28-7 MIGRATED to testing (Debian testing watch)
[2019-02-20] glibc 2.28-7 MIGRATED to testing (Debian testing watch)
[2019-02-09] Accepted glibc 2.24-11+deb9u4 (source) into proposed-updates->stable-new, proposed-updates (Aurelien Jarno)
[2019-02-09] Accepted glibc 2.28-7 (source) into unstable (Samuel Thibault)
[2019-02-09] glibc 2.28-6 MIGRATED to testing (Debian testing watch)
[2019-02-05] Accepted glibc 2.28-6 (source) into unstable (Aurelien Jarno)
[2019-01-15] glibc 2.28-5 MIGRATED to testing (Debian testing watch)
[2019-01-13] glibc 2.28-4 MIGRATED to testing (Debian testing watch)
[2019-01-12] Accepted glibc 2.28-5 (source) into unstable (Aurelien Jarno)
[2018-12-29] Accepted glibc 2.28-4 (source) into unstable (Aurelien Jarno)
[2018-12-17] glibc 2.28-2 MIGRATED to testing (Debian testing watch)
[2018-12-16] Accepted glibc 2.28-3 (source) into unstable (Aurelien Jarno)
[2018-12-05] Accepted glibc 2.28-2 (source) into unstable (Aurelien Jarno)
[2018-11-29] Accepted glibc 2.28-1 (source) into unstable (Aurelien Jarno)
[2018-11-12] Accepted glibc 2.28-0experimental1 (source) into experimental (Aurelien Jarno)
[2018-11-02] glibc 2.27-8 MIGRATED to testing (Debian testing watch)
[2018-10-29] Accepted glibc 2.28-0experimental0 (source) into experimental (Aurelien Jarno)
[2018-10-29] Accepted glibc 2.27-8 (source) into unstable (Samuel Thibault)
[2018-10-28] Accepted glibc 2.27-7 (source) into unstable (Samuel Thibault)
[2018-09-11] glibc 2.27-6 MIGRATED to testing (Debian testing watch)
[2018-09-04] Accepted glibc 2.27-6 (source) into unstable (Samuel Thibault)

bugs [bug history graph]

all: 448 478
RC: 2 5
I&N: 286 300
M&W: 158 171
F&P: 2
patch: 42 46

links

homepage
lintian (1, 148)
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.30-0ubuntu1
346 bugs (5 patches)
patches for 2.30-0ubuntu1