Debian Bug report logs - #884615: src:glibc: CVE-2017-16997: incorrect RPATH/RUNPATH handling for SUID binaries
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>: Bug#884615; Package src:glibc. (Sun, 17 Dec 2017 17:36:04 GMT)
Acknowledgement sent to Aurelien Jarno <aurel32@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Sun, 17 Dec 2017 17:36:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: src:glibc
Version: 2.19-1
Severity: important
Tags: upstream security patch
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=22625
The following vulnerability was published for glibc:
| CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
| for AT_SECURE or SUID binaries could be used to load libraries from the
| current directory.
See https://sourceware.org/bugzilla/show_bug.cgi?id=22625 for more details.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
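A defender-side audit for the configuration class this CVE concerns, added here as an example that is not part of the bug report or of glibc: it parses `readelf -d` output for setuid/setgid binaries (which the kernel runs with AT_SECURE set) and flags any RPATH/RUNPATH element that references $ORIGIN or is empty, since those are the elements the loader must not resolve relative to an attacker-controlled current directory. The sample readelf output, file modes and paths are constructed; `collect_record` is a helper for real files and needs binutils installed.

```python
import os
import re
import stat
import subprocess

# Matches the RPATH/RUNPATH lines printed by `readelf -d`, e.g.
#  0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib]
_DYN_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s+\[(.*)\]")
_ORIGIN_RE = re.compile(r"\$ORIGIN\b|\$\{ORIGIN\}")


def parse_readelf_dynamic(text):
    """Return {'RPATH': [entries], 'RUNPATH': [entries]} parsed from readelf -d output."""
    found = {}
    for m in _DYN_RE.finditer(text):
        # Elements are colon-separated; an empty element means the current directory.
        found[m.group(1)] = m.group(2).split(":")
    return found


def is_privileged(mode):
    """Setuid or setgid files run under AT_SECURE, where $ORIGIN cannot be trusted."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def audit(records):
    """Flag privileged binaries whose RPATH/RUNPATH uses $ORIGIN or has an empty element.

    records: iterable of (path, st_mode, readelf_text); returns [(path, tag, element)].
    """
    findings = []
    for path, mode, readelf_text in records:
        if not is_privileged(mode):
            continue
        for tag, elements in parse_readelf_dynamic(readelf_text).items():
            for element in elements:
                if element == "" or _ORIGIN_RE.search(element):
                    findings.append((path, tag, element))
    return findings


def collect_record(path):
    """Build an audit record from a real file by running readelf (needs binutils)."""
    out = subprocess.run(["readelf", "-d", path], capture_output=True, text=True).stdout
    return (path, os.stat(path).st_mode, out)


# Constructed sample records: a setuid binary with a $ORIGIN runpath and an unprivileged one.
SAMPLE_RECORDS = [
    ("/usr/local/bin/helper", 0o104755,
     " 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib:/usr/lib]\n"),
    ("/usr/local/bin/tool", 0o100755,
     " 0x000000000000000f (RPATH)              Library rpath: [$ORIGIN/lib]\n"),
]

if __name__ == "__main__":
    for path, tag, element in audit(SAMPLE_RECORDS):
        print(f"{path}: {tag} element {element!r} references $ORIGIN or is empty")
```

To run it against a live system, feed `audit` the records produced by `collect_record` for each setuid/setgid file found with `find / -perm /6000 -type f`.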
Added tag(s) pending. Request was from Aurelien Jarno <aurelien@aurel32.net> to control@bugs.debian.org. (Sun, 31 Dec 2017 12:03:05 GMT)
Message sent on to Aurelien Jarno <aurel32@debian.org>: Bug#884615. (Sun, 31 Dec 2017 12:03:07 GMT)
Message #10 received at 884615-submitter@bugs.debian.org:
tag 884615 pending
thanks
Hello,
Bug #884615 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?id=f2a51d8
---
commit f2a51d8c5a2e4a05320cf99e9ed7a8e58c23c412
Author: Aurelien Jarno <aurelien@aurel32.net>
Date: Sun Dec 31 13:01:32 2017 +0100
debian/patches/git-updates.diff: update from upstream stable branch:
* debian/patches/git-updates.diff: update from upstream stable branch:
- Fixes incorrect RPATH/RUNPATH handling for SUID binaries
(CVE-2017-16997). Closes: #884615.
diff --git a/debian/changelog b/debian/changelog
index 2b53951..b63b805 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ glibc (2.25-6) UNRELEASED; urgency=medium
[ Aurelien Jarno ]
* debian/control.in/main: add mips r6 architectures to Build-Depends:
g++-6-multilib. Closes: #884774.
+ * debian/patches/git-updates.diff: update from upstream stable branch:
+ - Fixes incorrect RPATH/RUNPATH handling for SUID binaries
+ (CVE-2017-16997). Closes: #884615.
-- Aurelien Jarno <aurel32@debian.org> Wed, 20 Dec 2017 22:29:01 +0100
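Review bot: the three added changelog lines name the CVE and the Debian bug but not the upstream sourceware bug (BZ #22625, the Forwarded URL in the report) or the upstream commit that git-updates.diff now carries; adding that reference would let the exact upstream fix be traced from the changelog alone. The unchanged trailer still shows the 20 Dec date of the earlier UNRELEASED entry, which is expected as long as it is refreshed at upload time.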
Reply sent to Aurelien Jarno <aurel32@debian.org>: You have taken responsibility. (Sun, 31 Dec 2017 18:09:04 GMT)
Notification sent to Aurelien Jarno <aurel32@debian.org>: Bug acknowledged by developer. (Sun, 31 Dec 2017 18:09:04 GMT)
Message #15 received at 884615-close@bugs.debian.org:
Source: glibc
Source-Version: 2.25-6
We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 884615@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 31 Dec 2017 18:50:30 +0100
Source: glibc
Binary: libc-bin libc-dev-bin libc-l10n glibc-doc glibc-source locales locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-pic libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-pic libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc libc6-dev-sparc libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64 libc6-mips32 libc6-dev-mips32 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc0.1-i386 libc0.1-dev-i386 libc6-x32 libc6-dev-x32 libc6-xen libc0.3-xen libc6.1-alphaev67
Architecture: source
Version: 2.25-6
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Description:
glibc-doc - GNU C Library: Documentation
glibc-source - GNU C Library: sources
libc-bin - GNU C Library: Binaries
libc-dev-bin - GNU C Library: Development binaries
libc-l10n - GNU C Library: localization files
libc0.1 - GNU C Library: Shared libraries
libc0.1-dbg - GNU C Library: detached debugging symbols
libc0.1-dev - GNU C Library: Development Libraries and Header Files
libc0.1-dev-i386 - GNU C Library: 32bit development libraries for AMD64
libc0.1-i386 - GNU C Library: 32bit shared libraries for AMD64
libc0.1-pic - GNU C Library: PIC archive library
libc0.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
libc0.3 - GNU C Library: Shared libraries
libc0.3-dbg - GNU C Library: detached debugging symbols
libc0.3-dev - GNU C Library: Development Libraries and Header Files
libc0.3-pic - GNU C Library: PIC archive library
libc0.3-udeb - GNU C Library: Shared libraries - udeb (udeb)
libc0.3-xen - GNU C Library: Shared libraries [Xen version]
libc6 - GNU C Library: Shared libraries
libc6-amd64 - GNU C Library: 64bit Shared libraries for AMD64
libc6-dbg - GNU C Library: detached debugging symbols
libc6-dev - GNU C Library: Development Libraries and Header Files
libc6-dev-amd64 - GNU C Library: 64bit Development Libraries for AMD64
libc6-dev-i386 - GNU C Library: 32-bit development libraries for AMD64
libc6-dev-mips32 - GNU C Library: o32 Development Libraries for MIPS
libc6-dev-mips64 - GNU C Library: 64bit Development Libraries for MIPS64
libc6-dev-mipsn32 - GNU C Library: n32 Development Libraries for MIPS64
libc6-dev-powerpc - GNU C Library: 32bit powerpc development libraries for ppc64
libc6-dev-ppc64 - GNU C Library: 64bit Development Libraries for PowerPC64
libc6-dev-s390 - GNU C Library: 32bit Development Libraries for IBM zSeries
libc6-dev-sparc - GNU C Library: 32bit Development Libraries for SPARC
libc6-dev-sparc64 - GNU C Library: 64bit Development Libraries for UltraSPARC
libc6-dev-x32 - GNU C Library: X32 ABI Development Libraries for AMD64
libc6-i386 - GNU C Library: 32-bit shared libraries for AMD64
libc6-mips32 - GNU C Library: o32 Shared libraries for MIPS
libc6-mips64 - GNU C Library: 64bit Shared libraries for MIPS64
libc6-mipsn32 - GNU C Library: n32 Shared libraries for MIPS64
libc6-pic - GNU C Library: PIC archive library
libc6-powerpc - GNU C Library: 32bit powerpc shared libraries for ppc64
libc6-ppc64 - GNU C Library: 64bit Shared libraries for PowerPC64
libc6-s390 - GNU C Library: 32bit Shared libraries for IBM zSeries
libc6-sparc - GNU C Library: 32bit Shared libraries for SPARC
libc6-sparc64 - GNU C Library: 64bit Shared libraries for UltraSPARC
libc6-udeb - GNU C Library: Shared libraries - udeb (udeb)
libc6-x32 - GNU C Library: X32 ABI Shared libraries for AMD64
libc6-xen - GNU C Library: Shared libraries [Xen version]
libc6.1 - GNU C Library: Shared libraries
libc6.1-alphaev67 - GNU C Library: Shared libraries (EV67 optimized)
libc6.1-dbg - GNU C Library: detached debugging symbols
libc6.1-dev - GNU C Library: Development Libraries and Header Files
libc6.1-pic - GNU C Library: PIC archive library
libc6.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
locales - GNU C Library: National Language (locale) data [support]
locales-all - GNU C Library: Precompiled locale data
multiarch-support - Transitional package to ensure multiarch compatibility
nscd - GNU C Library: Name Service Cache Daemon
Closes: 884615 884774
Changes:
glibc (2.25-6) unstable; urgency=medium
.
[ Aurelien Jarno ]
* debian/control.in/main: add mips r6 architectures to Build-Depends:
g++-6-multilib. Closes: #884774.
* debian/patches/git-updates.diff: update from upstream stable branch:
- Fixes incorrect RPATH/RUNPATH handling for SUID binaries
(CVE-2017-16997). Closes: #884615.
* debian/control.in/main, debian/copyright, rules.d/tarball.mk: prefer
https for upstream links.
* debian/control.in/main: bump Standards-Version to 4.1.3.
* debian/patches/alpha/submitted-rlimit.diff: new patch to fix getrlimit
and setrlimit with RLIM_INFINITY on alpha.
* debian/patches/alpha/submitted-fminmax.diff: new patch to fix fmin and
fmax on alpha.
* debian/testsuite-xfail-debian.mk: mark test-fexcept, test-ldouble and
test-ldouble-finite as XFAIL as the failures are due to new tests, and
thus not a regression.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 25 Mar 2018 07:27:47 GMT)
Last modified: Sun Apr 28 15:17:51 2024