glibc - Debian Package Tracker

general

source: glibc (main)
version: 2.31-12
maintainer: GNU Libc Maintainers (archive) (DMD)
uploaders: Samuel Thibault [DMD] – Aurelien Jarno [DMD] – Adam Conrad [DMD] – Clint Adams [DMD]
arch: all any
std-ver: 4.2.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 2.24-11+deb9u4
old-sec: 2.24-11+deb9u1
stable: 2.28-10
testing: 2.31-12
unstable: 2.31-12

versioned links

2.24-11+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.24-11+deb9u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.28-10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.31-12: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

glibc-doc (8 bugs: 0, 2, 6, 0)
glibc-source (1 bugs: 0, 0, 1, 0)
libc-bin (26 bugs: 0, 10, 16, 0)
libc-dev-bin (2 bugs: 0, 1, 1, 0)
libc-devtools
libc-l10n
libc0.1
libc0.1-dbg
libc0.1-dev
libc0.1-dev-i386
libc0.1-i386
libc0.1-udeb
libc0.3
libc0.3-dbg
libc0.3-dev
libc0.3-udeb
libc0.3-xen
libc6 (231 bugs: 0, 162, 69, 0)
libc6-amd64 (2 bugs: 0, 2, 0, 0)
libc6-dbg (1 bugs: 0, 0, 1, 0)
libc6-dev (39 bugs: 0, 24, 15, 0)
libc6-dev-amd64
libc6-dev-i386
libc6-dev-mips32
libc6-dev-mips64
libc6-dev-mipsn32
libc6-dev-powerpc
libc6-dev-ppc64
libc6-dev-s390
libc6-dev-sparc
libc6-dev-sparc64
libc6-dev-x32
libc6-i386 (2 bugs: 0, 1, 1, 0)
libc6-mips32
libc6-mips64
libc6-mipsn32
libc6-powerpc
libc6-ppc64
libc6-s390
libc6-sparc
libc6-sparc64
libc6-udeb
libc6-x32 (1 bugs: 0, 1, 0, 0)
libc6-xen
libc6.1
libc6.1-alphaev67
libc6.1-dbg
libc6.1-dev
libc6.1-udeb
locales (55 bugs: 0, 34, 21, 0)
locales-all (2 bugs: 0, 2, 0, 0)
nscd (28 bugs: 0, 25, 3, 0)

action needed

A new upstream version is available: 2.33 high

A new upstream version 2.33 is available, you should consider packaging it.

Created: 2020-08-08 Last update: 2021-06-24 11:40

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2021-33574: The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.

Created: 2021-05-26 Last update: 2021-06-05 07:31

lintian reports 141 errors and 117 warnings high

Lintian reports 141 errors and 117 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-05-27 Last update: 2021-05-27 22:04

44 bugs tagged patch in the BTS normal

The BTS contains patches fixing 44 bugs (51 if counting merged bugs), consider including or untagging them.

Created: 2020-10-19 Last update: 2021-06-24 16:01

11 low-priority security issues in buster low

There are 11 open security issues in buster.

11 issues left for the package maintainer to handle:

CVE-2016-10228: (needs triaging) The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.
CVE-2019-19126: (needs triaging) On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.
CVE-2019-25013: (needs triaging) The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.
CVE-2020-10029: (needs triaging) The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.
CVE-2020-1751: (needs triaging) An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.
CVE-2020-1752: (needs triaging) A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.
CVE-2020-27618: (needs triaging) The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228.
CVE-2020-6096: (needs triaging) An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.
CVE-2021-27645: (needs triaging) The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.
CVE-2021-3326: (needs triaging) The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.
CVE-2021-33574: (needs triaging) The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2021-06-05 07:31

Build log checks report 3 warnings low

Build log checks report 3 warnings

Created: 2020-05-11 Last update: 2021-05-04 01:04

Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2020-02-26 Last update: 2020-10-12 03:33

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.1 instead of 4.2.1).

Created: 2018-12-23 Last update: 2021-05-02 07:04

news

[rss feed]

[2021-05-20] glibc 2.31-12 MIGRATED to testing (Debian testing watch)
[2021-05-01] Accepted glibc 2.31-12 (source) into unstable (Aurelien Jarno)
[2021-04-04] glibc 2.31-11 MIGRATED to testing (Debian testing watch)
[2021-03-31] Accepted glibc 2.31-11 (source) into unstable (Aurelien Jarno)
[2021-03-26] glibc 2.31-10 MIGRATED to testing (Debian testing watch)
[2021-03-21] Accepted glibc 2.31-10 (source) into unstable (Aurelien Jarno)
[2021-01-10] glibc 2.31-9 MIGRATED to testing (Debian testing watch)
[2021-01-10] glibc 2.31-9 MIGRATED to testing (Debian testing watch)
[2021-01-05] Accepted glibc 2.31-9 (source) into unstable (Aurelien Jarno)
[2021-01-04] Accepted glibc 2.31-8 (source amd64) into experimental, experimental (Debian FTP Masters) (signed by: Aurelien Jarno)
[2021-01-03] Accepted glibc 2.31-7 (source) into unstable (Aurelien Jarno)
[2020-12-29] glibc 2.31-6 MIGRATED to testing (Debian testing watch)
[2020-12-16] Accepted glibc 2.31-6 (source) into unstable (Samuel Thibault)
[2020-12-06] glibc 2.31-5 MIGRATED to testing (Debian testing watch)
[2020-12-01] Accepted glibc 2.31-5 (source) into unstable (Aurelien Jarno)
[2020-10-18] glibc 2.31-4 MIGRATED to testing (Debian testing watch)
[2020-10-10] Accepted glibc 2.31-4 (source) into unstable (Aurelien Jarno)
[2020-08-12] glibc 2.31-3 MIGRATED to testing (Debian testing watch)
[2020-08-04] Accepted glibc 2.31-3 (source) into unstable (Aurelien Jarno)
[2020-07-29] glibc 2.31-2 MIGRATED to testing (Debian testing watch)
[2020-07-22] Accepted glibc 2.31-2 (source) into unstable (Aurelien Jarno)
[2020-07-21] glibc 2.31-1 MIGRATED to testing (Debian testing watch)
[2020-07-13] Accepted glibc 2.31-1 (source) into unstable (Aurelien Jarno)
[2020-05-18] Accepted glibc 2.31-0experimental2 (source) into experimental (Aurelien Jarno)
[2020-05-16] glibc 2.30-8 MIGRATED to testing (Debian testing watch)
[2020-05-12] Accepted glibc 2.31-0experimental1 (source) into experimental (Aurelien Jarno)
[2020-05-11] Accepted glibc 2.30-8 (source) into unstable (Samuel Thibault)
[2020-05-11] glibc 2.30-7 MIGRATED to testing (Debian testing watch)
[2020-05-05] Accepted glibc 2.30-7 (source) into unstable (Aurelien Jarno)
[2020-05-05] Accepted glibc 2.30-6 (source) into unstable (Aurelien Jarno)

bugs [bug history graph]

all: 460 489
RC: 1 4
I&N: 299 319
M&W: 158 164
F&P: 2
patch: 44 51

links

homepage
lintian (141, 117)
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
l10n (80, 97)
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.33-0ubuntu7
371 bugs (6 patches)
patches for 2.33-0ubuntu7