* Aurelien Jarno:

> On 2020-08-06 06:08, Jinpu Wang wrote:
>> Hi Florian,
>>
>> On Wed, Aug 5, 2020 at 6:44 PM Florian Weimer <f...@deneb.enyo.de> wrote:
>> >
>> > * Jinpu Wang:
>> >
>> > > Dear Maintainer:
>> > >
>> > > Sorry, add some missing information below:
>> > >
>> > > After update to Buster, the systemd-sysusers are segfaulting every time.
>> > > After search around, I found following bugreport in glibc
>> > > https://sourceware.org/legacy-ml/libc-alpha/2016-06/msg01015.html
>> > >
>> > > I backported to the fix to 2.28-10, it fixed the problem.
>> > >
>> > > glibc upstream have a different fix for it in 2.32, see
>> > > https://sourceware.org/bugzilla/show_bug.cgi?id=20338
>> > >
>> > > I think it's still easier to backport the fix in msg01015.html to 2.28
>> > > version,
>> > > patch attached in the initial report.
>> >
>> > The patch from 2016 is incomplete because it does not seek back to the
>> > original file position, so the next call of fgetsgent_r skips over the
>> > entry that could not be fully parsed.
>> Thanks for quick response, can you provide a minimum bugfix, which
>> can be easily backported to old version like 2.28?
>
> I think we do not want to diverge from the upstream fix, even if it is a
> bit more work to backport. We first need to fix it in bullseye/sid and
> then we can try to get this in the next buster stable release.

I can backport it to upstream release branches, all the way to version
2.28. Would that help? I plan to add local copies of the new functions,
so that the GLIBC_PRIVATE ABI remains unchanged. But I have other
commitments, so that may not happen until September-ish.

>> as you also make the bug 20338 as a security hole.
>
> It is marked as "security-", so it is *not* considered as a security
> issue (as the content of this file is trusted).

That's right.
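
The point quoted above about seeking back to the original file position, shown on a simplified model as an added example (it is not glibc code and not part of this message). The names `read_entry` and `count_entries` are hypothetical, the gshadow-style data is constructed, and the non-restoring branch only models the stream being left past the entry that did not fit.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reader, not glibc: 0, ERANGE (buf too small) or ENOENT (EOF). */
static int read_entry(FILE *fp, char *buf, size_t len, int restore)
{
    long start = ftell(fp);
    int c;
    if (fgets(buf, (int)len, fp) == NULL)
        return ENOENT;
    if (strchr(buf, '\n') != NULL)
        return 0;                     /* the whole entry fit */
    if (restore)
        fseek(fp, start, SEEK_SET);   /* retry sees the same entry */
    else
        while ((c = getc(fp)) != '\n' && c != EOF)
            ;                         /* stream is left past the entry */
    return ERANGE;
}

/* Caller's retry loop: double the buffer on ERANGE, then call again. */
static int count_entries(int restore)
{
    static const char sample[] =      /* constructed gshadow-style data */
        "root:*::\n"
        "staff:!::alice,bob,carol,dave,erin,frank,grace,heidi\n"
        "audio:!::alice\n";
    char buf[256];
    size_t len = 16;
    int count = 0, rc;
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    fputs(sample, fp);
    rewind(fp);
    while ((rc = read_entry(fp, buf, len, restore)) != ENOENT) {
        if (rc == ERANGE && (len *= 2) > sizeof buf)
            break;                    /* give up rather than overrun buf */
        count += (rc == 0);           /* entries read in full */
    }
    fclose(fp);
    return count;
}

int main(void)
{
    printf("seek back %d, none %d\n", count_entries(1), count_entries(0));
    return 0;
}
```

With the position restored the retry loop recovers all three entries; without it the long `staff` entry is silently lost even though the caller handled ERANGE correctly.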