newlib - Debian Package Tracker

general

source: newlib (main)
version: 3.3.0-1
maintainer: Agustin Henze (DMD) (LowNMU)
arch: all
std-ver: 4.2.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 2.4.0.20160527-2
stable: 3.1.0.20181231-1
testing: 3.3.0-1
unstable: 3.3.0-1

versioned links

2.4.0.20160527-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.1.0.20181231-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.3.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libnewlib-arm-none-eabi (1 bugs: 0, 1, 0, 0)
libnewlib-dev
libnewlib-doc

action needed

A new upstream version is available: 4.1.0 high

A new upstream version 4.1.0 is available, you should consider packaging it.

Created: 2020-11-19 Last update: 2021-04-11 22:01

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2021-3420: A flaw was found in newlib in versions prior to 4.0.0. Improper overflow validation in the memory allocation functions mEMALIGn, pvALLOc, nano_memalign, nano_valloc, nano_pvalloc could case an integer overflow, leading to an allocation of a small buffer and then to a heap-based buffer overflow.

Created: 2021-03-03 Last update: 2021-03-22 20:02

3 bugs tagged patch in the BTS normal

The BTS contains patches fixing 3 bugs, consider including or untagging them.

Created: 2020-10-19 Last update: 2021-04-11 21:32

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2018-12-30 Last update: 2021-04-11 19:32

10 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit be78293e292f1806db33abaf981eda6ce7e2414c
Merge: 9b08bc21 388e84a2
Author: Joaquin de Andres <me@xcancerberox.com.ar>
Date:   Sat Feb 29 14:42:15 2020 +0000

    Merge branch 'upstream_new_release' into 'master'
    
    New upstream release 3.3.0
    
    See merge request debian/newlib!19

commit 388e84a293864f11b9d20da326ca9ca4e9628458
Author: Joaquin de Andres <me@xcancerberox.com.ar>
Date:   Sat Feb 29 14:36:04 2020 +0100

    Update changelog for 3.3.0-1 release

commit 1ae944b2828d3043f2d1777e019db527404493d4
Author: Joaquin de Andres <me@xcancerberox.com.ar>
Date:   Sat Feb 29 12:11:06 2020 +0100

    Update changelog

commit 3b7f8a4c5e3b0f7401317d9f93e4d62f98d6539f
Author: Joaquin de Andres <me@xcancerberox.com.ar>
Date:   Sat Feb 29 11:42:34 2020 +0100

    New upstream version 3.3.0

commit 4bfb40bf2f606d449af75c3f2f6d3b805fc25c25
Author: Joaquin de Andres <me@xcancerberox.com.ar>
Date:   Sat Feb 29 11:40:18 2020 +0100

    Gbp config for pristintar, auto dch and auto merge

commit 9b08bc2150bad70491871d2094d67e5d31f4bf7a
Merge: 2821d5a8 7d721503
Author: Joaquin de Andres <me@xcancerberox.com.ar>
Date:   Fri Feb 28 10:06:51 2020 +0000

    Merge branch 'salsa-ci-update' into 'master'
    
    Salsa ci update
    
    See merge request debian/newlib!18

commit 7d7215034453a45a52fd61ca50c8f4c0bf8c984e
Author: Joaquin de Andres <me@xcancerberox.com.ar>
Date:   Thu Feb 27 14:28:23 2020 +0100

    Salsa ci yml actualization

commit 73ce3ce445690fc939b70d325172c6ff76ea9d57
Author: Joaquin de Andres <me@xcancerberox.com.ar>
Date:   Thu Feb 27 14:26:29 2020 +0100

    Move ci yml to standard name

commit 2821d5a8daa349dc03d7025b4fd08a3e0e577b9f
Merge: 71cb347c 7864f23e
Author: Agustin Henze <tin@debian.org>
Date:   Sat Mar 2 15:25:04 2019 +0000

    Merge branch 'use-http-instead-of-ftp' into 'master'
    
    [watch] Use http because ftp is not supported for salsa runners
    
    See merge request debian/newlib!17

commit 7864f23e692fe3b5196587a57dca820afa35ee50
Author: Agustin Henze <tin@debian.org>
Date:   Sat Mar 2 11:33:11 2019 -0300

    [watch] Use http because ftp is not supported for salsa runners

Created: 2019-03-02 Last update: 2021-04-05 13:37

lintian reports 4 warnings normal

Lintian reports 4 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2020-07-29 Last update: 2020-07-29 12:33

Multiarch hinter reports 1 issue(s) low

There are issues with the multiarch metadata for this package.

libnewlib-doc could be marked Multi-Arch: foreign

Created: 2016-09-14 Last update: 2021-04-11 21:03

9 low-priority security issues in buster low

There are 9 open security issues in buster.

9 issues left for the package maintainer to handle:

CVE-2019-14871: (needs triaging) The REENT_CHECK macro (see newlib/libc/include/sys/reent.h) as used by REENT_CHECK_TM, REENT_CHECK_MISC, REENT_CHECK_MP and other newlib macros in versions prior to 3.3.0, does not check for memory allocation problems when the DEBUG flag is unset (as is the case in production firmware builds).
CVE-2019-14872: (needs triaging) The _dtoa_r function of the newlib libc library, prior to version 3.3.0, performs multiple memory allocations without checking their return value. This could result in NULL pointer dereference.
CVE-2019-14873: (needs triaging) In the __multadd function of the newlib libc library, prior to versions 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate a big integer, however no check is performed to verify if the allocation succeeded or not. This will trigger a null pointer dereference bug in case of a memory allocation failure.
CVE-2019-14874: (needs triaging) In the __i2b function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate a big integer, however no check is performed to verify if the allocation succeeded or not. The access of _ x[0] will trigger a null pointer dereference bug in case of a memory allocation failure.
CVE-2019-14875: (needs triaging) In the __multiply function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate a big integer, however no check is performed to verify if the allocation succeeded or not. The access of _x[0] will trigger a null pointer dereference bug in case of a memory allocation failure.
CVE-2019-14876: (needs triaging) In the __lshift function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate a big integer, however no check is performed to verify if the allocation succeeded or not. The access to b1 will trigger a null pointer dereference bug in case of a memory allocation failure.
CVE-2019-14877: (needs triaging) In the __mdiff function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate big integers, however no check is performed to verify if the allocation succeeded or not. The access to _wds and _sign will trigger a null pointer dereference bug in case of a memory allocation failure.
CVE-2019-14878: (needs triaging) In the __d2b function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate a big integer, however no check is performed to verify if the allocation succeeded or not. Accessing _x will trigger a null pointer dereference bug in case of a memory allocation failure.
CVE-2021-3420: (needs triaging) A flaw was found in newlib in versions prior to 4.0.0. Improper overflow validation in the memory allocation functions mEMALIGn, pvALLOc, nano_memalign, nano_valloc, nano_pvalloc could case an integer overflow, leading to an allocation of a small buffer and then to a heap-based buffer overflow.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2021-03-22 20:02

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.1 instead of 4.2.0).

Created: 2018-08-26 Last update: 2020-11-17 05:41

news

[rss feed]

[2020-03-07] newlib 3.3.0-1 MIGRATED to testing (Debian testing watch)
[2020-03-05] Accepted newlib 3.3.0-1 (source) into unstable (Joaquin de Andres) (signed by: Agustin Henze)
[2019-02-21] newlib 3.1.0.20181231-1 MIGRATED to testing (Debian testing watch)
[2019-02-11] Accepted newlib 3.1.0.20181231-1 (source all) into unstable (Agustin Henze)
[2018-12-04] newlib 3.0.0.20180831-1 MIGRATED to testing (Debian testing watch)
[2018-12-01] Accepted newlib 3.0.0.20180831-1 (source all) into unstable (Agustin Henze)
[2018-08-14] newlib 3.0.0.20180802-2 MIGRATED to testing (Debian testing watch)
[2018-08-12] Accepted newlib 3.0.0.20180802-2 (source all) into unstable (Agustin Henze)
[2018-08-12] Accepted newlib 3.0.0.20180802-1 (source all) into unstable (Agustin Henze)
[2018-04-12] newlib 2.4.0.20160527-4 MIGRATED to testing (Debian testing watch)
[2018-04-06] Accepted newlib 2.4.0.20160527-4 (source all) into unstable (Agustin Henze)
[2017-09-26] newlib 2.4.0.20160527-3 MIGRATED to testing (Debian testing watch)
[2017-09-20] Accepted newlib 2.4.0.20160527-3 (source all) into unstable (Agustin Henze)
[2017-01-10] newlib 2.4.0.20160527-2 MIGRATED to testing (Debian testing watch)
[2016-12-30] Accepted newlib 2.4.0.20160527-2 (source all) into unstable (Agustin Henze)
[2016-12-20] newlib 2.4.0.20160527-1 MIGRATED to testing (Debian testing watch)
[2016-12-09] Accepted newlib 2.4.0.20160527-1 (source all) into unstable (Agustin Henze)
[2016-09-28] newlib 2.2.0+git20150830.5a3d536-1 MIGRATED to testing (Debian testing watch)
[2016-09-27] newlib REMOVED from testing (Debian testing watch)
[2015-09-07] newlib 2.2.0+git20150830.5a3d536-1 MIGRATED to testing (Britney)
[2015-08-31] Accepted newlib 2.2.0+git20150830.5a3d536-1 (source all) into unstable (Agustin Henze)
[2015-08-20] newlib 2.1.0+git20141201.db59ff3-2 MIGRATED to testing (Britney)
[2015-08-19] newlib REMOVED from testing (Britney)
[2015-05-27] newlib 2.1.0+git20141201.db59ff3-2 MIGRATED to testing (Britney)
[2015-05-21] Accepted newlib 2.1.0+git20141201.db59ff3-2 (source all) into unstable (Agustin Henze)
[2014-12-01] Accepted newlib 2.1.0+git20141201.db59ff3-1 (source all) into experimental (Agustin Henze)
[2014-09-10] newlib 2.1.0+git20140818.1a8323b-2 MIGRATED to testing (Britney)
[2014-09-05] newlib 2.1.0+git20140818.1a8323b-1 MIGRATED to testing (Britney)
[2014-09-04] Accepted newlib 2.1.0+git20140818.1a8323b-2 (source all) into unstable (Agustin Henze)
[2014-08-30] Accepted newlib 2.1.0+git20140818.1a8323b-1 (source all) into unstable (Thomas Preud'homme) (signed by: Agustin Henze)

bugs [bug history graph]

all: 7
RC: 0
I&N: 7
M&W: 0
F&P: 0
patch: 3

links

homepage
lintian (0, 4)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.3.0-1
1 bug