debcrafters-packages team mailing list archive
Message #00980
[Bug 2112018] [NEW] Merge klibc from Debian Unstable for questing
Public bug reported:

Scheduled-For: ubuntu-25.06
Ubuntu: 2.0.13-4ubuntu1
Debian Unstable: 2.0.14-1

A new release of klibc is available for merging from Debian Unstable.

If it turns out this needs a sync rather than a merge, please change the
tag 'dcr-merge' to 'dcr-sync', and (optionally) update the title as
desired.

If this merge pulls in a new upstream version, also consider adding an
entry to the questing Release Notes:
https://discourse.ubuntu.com/t/questing-quokka-release-notes/

### New Debian Changes ###

klibc (2.0.14-1) unstable; urgency=medium

  * New upstream version:
    - parisc: Fix build with Linux 6.10+ (Closes: #1075820)

 -- Ben Hutchings <benh@xxxxxxxxxx>  Tue, 04 Mar 2025 04:37:02 +0100

### Old Ubuntu Delta ###

klibc (2.0.13-4ubuntu1) oracular; urgency=medium

  * SECURITY UPDATE: improper pointer arithmetic
    - debian/patches/CVE-2016-9840.patch: remove offset pointer optimization
      in usr/klibc/zlib/inftrees.c.
    - CVE-2016-9840
  * SECURITY UPDATE: improper pointer arithmetic
    - debian/patches/CVE-2016-9841.patch: remove offset pointer optimization
      in usr/klibc/zlib/inffast.c.
    - CVE-2016-9841
  * SECURITY UPDATE: memory corruption during compression
    - debian/patches/CVE-2018-25032.patch: addresses a bug that can crash
      deflate on rare inputs when using Z_FIXED.
    - CVE-2018-25032
  * SECURITY UPDATE: heap-based buffer over-read
    - debian/patches/CVE-2022-37434-1.patch: adds an extra condition to check
      if state->head->extra_max is greater than len before copying, and moves
      the len assignment to be placed before the check in
      usr/klibc/zlib/inflate.c.
    - debian/patches/CVE-2022-37434-2.patch: in the previous patch, the
      placement of the len assignment was causing issues so it was moved
      within the conditional check.
    - CVE-2022-37434

 -- Ian Constantin <ian.constantin@xxxxxxxxxxxxx>  Tue, 21 May 2024 11:39:40 +0300

** Affects: klibc (Ubuntu)
Importance: Undecided
Status: New
** Tags: dcr-merge
** Changed in: klibc (Ubuntu)
Milestone: None => ubuntu-25.06
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to klibc in Ubuntu.
https://bugs.launchpad.net/bugs/2112018
Title:
Merge klibc from Debian Unstable for questing
Status in klibc package in Ubuntu:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/klibc/+bug/2112018/+subscriptions