Package: release.debian.org
Severity: normal
Tags: trixie security
X-Debbugs-Cc: t...@security.debian.org
User: release.debian....@packages.debian.org
Usertags: binnmu
Dear release team,

An untrusted LD_LIBRARY_PATH environment variable vulnerability has been found in the GNU libc, affecting *static* binaries (CVE-2025-4802). It allows attacker-controlled loading of dynamic shared libraries in *statically* compiled setuid binaries that call dlopen. The issue has been fixed in glibc 2.39, which migrated to testing on 2024-07-23.

I haven't found any static binary with the setuid or setgid bit set in the archive, but I think we should rebuild all static binaries in case some users have changed the permissions of some of them. Most of the static binaries in trixie have been rebuilt since then, thanks to the regular binNMUs to get rid of outdated Built-Using. That said, a few packages shipping glibc-based static binaries do not set Built-Using and haven't been rebuilt for other reasons since then, so they need a binNMU:

  nmu 10 tini_0.19.0-1 . ANY . -m 'Rebuild against libc6-dev (>= 2.39)'
  nmu tsocks_1.8beta5+ds1-2 . ANY . -m 'Rebuild against libc6-dev (>= 2.39)'

Using +b10 for tini is done on purpose, in order to keep some values available for bookworm and possibly bullseye, as the source version is the same from bullseye to sid.

Thanks,
Aurelien
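The report's premise is that the exposure needs both properties at once: a *statically* linked binary that also carries a setuid or setgid bit. As an added example (not part of this report or of Debian's tooling), the following Python script enumerates exactly that combination on a local system by reading ELF program headers directly, with no dependency on `file` or `readelf`: an executable image with no PT_INTERP entry is statically linked. The fixture images and the names `static-suid`, `dynamic-suid` and `static-plain` are constructed here for the self-check.

```python
import os, stat, struct, tempfile

ELF_MAGIC, PT_INTERP = b"\x7fELF", 3   # PT_INTERP is the program header that names ld.so

def is_static_elf(path):
    """True for an ELF image with no PT_INTERP entry, i.e. statically linked (static-PIE too)."""
    try:
        with open(path, "rb") as f:
            ident = f.read(16)
            if ident[:4] != ELF_MAGIC or ident[4] not in (1, 2):   # EI_CLASS: 1 = ELF32, 2 = ELF64
                return False
            end = "<" if ident[5] == 1 else ">"                    # EI_DATA: little or big endian
            fmt = end + ("HHIQQQIHHHHHH" if ident[4] == 2 else "HHIIIIIHHHHHH")
            hdr = struct.unpack(fmt, f.read(struct.calcsize(fmt)))  # [4] e_phoff [8] e_phentsize [9] e_phnum
            for i in range(hdr[9]):
                f.seek(hdr[4] + i * hdr[8])                        # p_type is the first field
                if struct.unpack(end + "I", f.read(4))[0] == PT_INTERP:
                    return False
            return True
    except (OSError, struct.error, IndexError):                    # unreadable or truncated file
        return False

def find_static_setid(roots):
    """Yield regular files under `roots` that are setuid or setgid AND static ELF images."""
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for path in (os.path.join(dirpath, n) for n in names):
                mode = os.lstat(path).st_mode if os.path.lexists(path) else 0
                if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID) and is_static_elf(path):
                    yield path

def _write_fake_elf64(path, with_interp, mode):
    """Constructed fixture: a minimal, non-runnable ELF64 image with PT_LOAD plus optional PT_INTERP."""
    img = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)                 # e_ident: ELF64, little-endian, v1
    img += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 2 if with_interp else 1, 0, 0, 0)
    img += struct.pack("<IIQQQQQQ", 1, 5, 0, 0, 0, 0, 0, 0x1000)      # PT_LOAD, flags R+X
    if with_interp:
        img += struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1)
    with open(path, "wb") as f:
        f.write(img)
    os.chmod(path, mode)

def self_check():
    """Scan a temp dir holding three fixtures; only the static setuid one should be reported."""
    with tempfile.TemporaryDirectory() as d:
        _write_fake_elf64(os.path.join(d, "static-suid"), False, 0o4755)   # the combination at issue
        _write_fake_elf64(os.path.join(d, "dynamic-suid"), True, 0o4755)   # ld.so applies its secure-mode rules
        _write_fake_elf64(os.path.join(d, "static-plain"), False, 0o755)   # no set-id bit
        return sorted(os.path.basename(p) for p in find_static_setid([d]))
```

On a real host, `list(find_static_setid(["/usr/bin", "/usr/sbin"]))` lists the candidates to rebuild or to strip of their set-id bits; the source package of each hit then tells whether it was built against libc6-dev (>= 2.39).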