vcswatch reports that
this package has been uploaded into the archive but the debian/changelog in the
VCS is still UNRELEASED. You should consider pushing the missing commits
or updating the VCS.
CVE-2020-28928: In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).
CVE-2020-28928: In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).
Please fix it.
Depends on packages which need a new maintainer
normal
The packages that musl depends on which need a new maintainer are:
CVE-2017-15650: musl libc before 1.1.17 has a buffer overflow via crafted DNS replies because dns_parse_callback in network/lookup_name.c does not restrict the number of addresses, and thus an attacker can provide an unexpected number by sending A records in a reply to an AAAA query.
CVE-2019-14697: musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.
CVE-2019-14697: musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.
CVE-2020-28928: In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).
Please fix them.
Standards version of the package is outdated.
wishlist
The package should be updated to follow the last version of Debian Policy
(Standards-Version 4.5.1 instead of
4.5.0).
![[bug history graph]](https://qa.debian.org/data/bts/graphs/m/musl.png){kind=link}