Package: release.debian.org
Severity: normal
Tags: bookworm security
X-Debbugs-Cc: t...@security.debian.org
User: release.debian....@packages.debian.org
Usertags: binnmu
Control: block -1 by 1106761

Dear release team,

An untrusted LD_LIBRARY_PATH environment variable vulnerability has been found in the GNU libc, affecting *static* binaries (CVE-2025-4802). It allows attacker-controlled loading of a dynamically shared library in *statically* compiled setuid binaries that call dlopen. The issue is fixed in glibc/2.36-9+deb12u11, once accepted in bookworm-pu (see bug #1106761).

I haven't found any static binary with the setuid or setgid bit set in the archive, but I think we should rebuild all static binaries in case some users have changed the permissions of some of them.

This is the list of binNMUs computed using Built-Using, assuming that d-i and dini will get an upload anyway for the point release:

nmu 9 bash_5.2.15-2 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 5 busybox_1:1.35.0-4 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 16 cdebootstrap_0.7.8 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 6 chkrootkit_0.57-2 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 5 dar_2.7.8-2 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 2 docker.io_20.10.24+dfsg1-1+deb12u1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu qemu_1:7.2+dfsg-7+deb12u13 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 23 sash_3.8-5 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 10 supermin_5.2.2-1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 13 tripwire_2.4.3.7-4 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 7 zsh_5.9-4 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'

I also found the following additional ones by scanning the archive:

nmu 5 balboa_2.0.0+ds-5 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 2 catatonit_0.1.7-1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu e2fsprogs_1.47.0-2 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu gnupg2_2.2.40-1.1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu integrit_4.1-3 . arm64 armel armhf mips64el ppc64el s390x -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)' # Some architectures use dietlibc
nmu libcap2_1:2.66-4+deb12u1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu lxc_1:5.0.2-1+deb12u3 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 6 snapd_2.57.6-1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 3 tini_0.19.0-1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 3 tsocks_1.8beta5+ds1-1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 2 ydotool_0.1.8-3 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'

In addition, the following packages will need a sourceful upload as they can't be binNMUed:

cross-toolchain-base_66
cross-toolchain-base-mipsen_24
cross-toolchain-base-ports_62

Regards,
Aurelien
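As an added example that is not part of the report above, the following Python script performs on a running system the check the report describes for the archive: it walks a tree, keeps regular files with the setuid or setgid bit, and classifies each as statically linked by the absence of a PT_INTERP program header (which also catches static-pie binaries, since those carry PT_DYNAMIC but no interpreter). The function names and the constructed ELF header used for self-testing are assumptions of this example, not anything from the page.

```python
"""Added example (not from the bug report): find statically linked ELF files
carrying the setuid/setgid bit, the population CVE-2025-4802 is about."""
import os, stat, struct, sys

PT_INTERP = 3  # program header that names the dynamic loader

def elf_is_static(data: bytes):
    """True: ELF with no PT_INTERP (static/static-pie); False: needs a loader; None: not ELF."""
    if len(data) < 0x34 or data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        return None
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian
    is64 = data[4] == 2  # EI_CLASS
    try:
        # e_phoff at 0x20 (ELF64) / 0x1C (ELF32); e_phentsize, e_phnum at 0x36 / 0x2A
        (phoff,) = struct.unpack_from(end + ("Q" if is64 else "I"), data, 0x20 if is64 else 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36 if is64 else 0x2A)
        for i in range(phnum):  # p_type is the first word of every phdr
            if struct.unpack_from(end + "I", data, phoff + i * phentsize)[0] == PT_INTERP:
                return False
    except struct.error:  # truncated program header table
        return None
    return True

def find_static_setxid(root):
    """Regular files under ROOT with u+s or g+s whose content is static ELF."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # ELF header plus program headers
            except OSError:
                continue
            if elf_is_static(head):
                hits.append(path)
    return hits

def make_elf64(ptypes):
    """Constructed sample input: minimal LE ELF64 header + empty phdrs of given types (not runnable)."""
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 0x40, 0, 0, 0x40, 56, len(ptypes), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)

if __name__ == "__main__":
    for p in find_static_setxid(sys.argv[1] if len(sys.argv) > 1 else "/usr"):
        print(p)
```

Any path it prints is a binary that the rebuilt glibc package does not fix by itself and that needs its own rebuild, as the report proposes for the archive.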