Your message dated Sat, 31 May 2025 18:53:42 +0200
with message-id <ads0frtbol403...@aurel32.net>
and subject line Re: Bug#1106789: nmu: multiple binNMUs against glibc (>= 2.39) 
for CVE-2025-4802
has caused the Debian Bug report #1106789,
regarding nmu: multiple binNMUs against glibc (>= 2.39) for CVE-2025-4802
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1106789: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106789
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie security
X-Debbugs-Cc: t...@security.debian.org
User: release.debian....@packages.debian.org
Usertags: binnmu

Dear release team,

An untrusted LD_LIBRARY_PATH environment variable vulnerability has been
found in the GNU libc, affecting *static* binaries (CVE-2025-4802). It
allows attacker-controlled loading of a dynamically shared library in
*statically* compiled setuid binaries that call dlopen.

The issue has been fixed in glibc 2.39, which migrated to testing on
2024-07-23. I haven't found any static binary with setuid or setgid bit
set in the archive, but I think we should rebuild all static binaries in
case some users have changed the permissions of some of them. Most of
the static binaries in trixie have been rebuilt since then, thanks to
the regular binNMUs to get rid of outdated Built-Using. That said, a few
packages shipping glibc-based static binaries do not set Built-Using,
and haven't been rebuilt for other reasons since then, so they need a
binNMU:

  nmu 10 tini_0.19.0-1 . ANY . -m 'Rebuild against libc6-dev (>= 2.39)'
  nmu tsocks_1.8beta5+ds1-2 . ANY . -m 'Rebuild against libc6-dev (>= 2.39)'

Using +b10 for tini is done on purpose, in order to keep some values
available for bookworm and possibly bullseye, as the source version is
the same from bullseye to sid.

Thanks
Aurelien

--- End Message ---
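As an added check, not part of the bug report or of Debian's tooling: a Python audit for the situation described above, statically linked ELF executables on a host that have had the setuid or setgid bit set. "Static" is decided by the absence of PT_INTERP and PT_DYNAMIC program headers; the make_elf64 helper and the two sample files in run_demo are constructed for the demonstration and are not real binaries.

```python
import os, stat, struct, tempfile
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3

def elf_is_static(data: bytes):
    """True: ELF with no PT_INTERP/PT_DYNAMIC (static). False: dynamic. None: not ELF."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    end = "<" if data[5] == 1 else ">"                  # EI_DATA: 1 = little-endian
    if data[4] == 2:                                     # EI_CLASS: 2 = ELF64, else ELF32
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(e_phnum):                             # p_type is the first phdr field
        off = e_phoff + i * e_phentsize                  # skip phdrs beyond a truncated read
        if off + 4 <= len(data) and struct.unpack_from(end + "I", data, off)[0] in (PT_INTERP, PT_DYNAMIC):
            return False
    return True

def find_static_setuid(root: str) -> list:
    """Regular files under root with setuid or setgid set whose content is a static ELF."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in files):
            try:
                mode = os.lstat(path).st_mode
                if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                    with open(path, "rb") as f:          # header + program headers sit near the start
                        if elf_is_static(f.read(1 << 20)):
                            hits.append(path)
            except OSError:
                continue
    return sorted(hits)

def make_elf64(phdr_types: list) -> bytes:
    """Constructed minimal little-endian ELF64 image (header + program headers) for the demo."""
    hdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdr_types), 0, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in phdr_types)

def run_demo() -> list:
    """Write one static and one dynamic constructed setuid ELF; only the static one is reported."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, types in (("static-suid", [PT_LOAD]), ("dynamic-suid", [PT_INTERP, PT_LOAD, PT_DYNAMIC])):
            path = os.path.join(tmp, name)
            with open(path, "wb") as f:
                f.write(make_elf64(types))
            os.chmod(path, 0o4755)                       # setuid bit, as a user might set on a copy
        return [os.path.basename(p) for p in find_static_setuid(tmp)]
```

Running find_static_setuid('/') on a host lists candidates only; whether a hit actually calls dlopen, and whether it was built against glibc >= 2.39, still has to be checked per binary.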
--- Begin Message ---
Hi,

On 2025-05-29 22:09, Aurelien Jarno wrote:
> Package: release.debian.org
> Severity: normal
> Tags: trixie security
> X-Debbugs-Cc: t...@security.debian.org
> User: release.debian....@packages.debian.org
> Usertags: binnmu
> 
> Dear release team,
> 
> An untrusted LD_LIBRARY_PATH environment variable vulnerability has been
> found in the GNU libc, affecting *static* binaries (CVE-2025-4802). It
> allows attacker-controlled loading of a dynamically shared library in
> *statically* compiled setuid binaries that call dlopen.
> 
> The issue has been fixed in glibc 2.39, which migrated to testing on
> 2024-07-23. I haven't found any static binary with setuid or setgid bit
> set in the archive, but I think we should rebuild all static binaries in
> case some users have changed the permissions of some of them. Most of
> the static binaries in trixie have been rebuilt since then, thanks to
> the regular binNMUs to get rid of outdated Built-Using. That said, a few
> packages shipping glibc-based static binaries do not set Built-Using,
> and haven't been rebuilt for other reasons since then, so they need a
> binNMU:
> 
>   nmu 10 tini_0.19.0-1 . ANY . -m 'Rebuild against libc6-dev (>= 2.39)'
>   nmu tsocks_1.8beta5+ds1-2 . ANY . -m 'Rebuild against libc6-dev (>= 2.39)'

Both packages have been uploaded to fix the built-using issue, so an 
unblock will be required instead. I am therefore closing this bug.

Regards
Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurel...@aurel32.net                     http://aurel32.net

--- End Message ---