Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/hardy-security/glibc
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Ubuntu branches

Recent revisions

95. By Marc Deslauriers

debian/patches/any/strtod_overflow_bug7066.patch: Fix array
overflow in floating point parser triggered by applying patch for
CVE-2012-3480 (LP: #1090740)

94. By Steve Beattie

* SECURITY UPDATE: buffer overflow in vfprintf handling
  - debian/patches/any/CVE-2012-3404.patch: Fix allocation when
    handling positional parameters in printf.
  - CVE-2012-3404
* SECURITY UPDATE: buffer overflow in vfprintf handling
  - debian/patches/any/CVE-2012-3405.patch: fix extension of array
  - CVE-2012-3405
* SECURITY UPDATE: stack buffer overflow in vfprintf handling
  (LP: #1031301)
  - debian/patches/any/CVE-2012-3406.patch: switch to malloc when
    array grows too large to handle via alloca extension
  - CVE-2012-3406
* SECURITY UPDATE: stdlib strtod integer/buffer overflows
  - debian/patches/any/CVE-2012-3480.patch: rearrange calculations
    and modify types to void integer overflows
  - CVE-2012-3480
* debian/expected_test_summary: update expected results to prevent FTBFS

93. By Steve Beattie

* SECURITY UPDATE: timezone header parsing integer overflow (LP: #906961)
  - debian/patches/any/glibc-CVE-2009-5029.patch: Check values from
    TZ file header
  - CVE-2009-5029
  - debian/patches/any/submitted-nis-shadow.diff remove encrypted
    passwords from passwd entries, and add them in shadow entries and
    fix incorrect password overwriting
  - CVE-2010-0015
* SECURITY UPDATE: memory consumption denial of service in fnmatch
  - debian/patches/any/glibc-CVE-2011-1071.patch: avoid too much
    stack use in fnmatch.
  - CVE-2011-1071
* SECURITY UPDATE: /etc/mtab corruption denial of service
  - debian/patches/any/glibc-CVE-2011-1089.patch: Report write
    error in addmnt even for cached streams
  - CVE-2011-1089
* SECURITY UPDATE: insufficient locale environment sanitization
  - debian/patches/any/glibc-CVE-2011-1095.patch: escape contents of
    LANG environment variable.
  - CVE-2011-1095
* SECURITY UPDATE: ld.so insecure handling of privileged programs'
  - debian/patches/any/glibc-CVE-2011-1658.patch: improve handling of
  - CVE-2011-1658
* SECURITY UPDATE: fnmatch integer overflow
  - debian/patches/any/glibc-CVE-2011-1659.patch: check size of
    pattern in wide character representation
  - CVE-2011-1659
* SECURITY UPDATE: signedness bug in memcpy_ssse3
  - debian/patches/any/glibc-CVE-2011-2702.patch: use unsigned
    comparison instructions
  - CVE-2011-2702
* SECURITY UPDATE: DoS in RPC implementation (LP: #901716)
  - debian/patches/any/glibc-CVE-2011-4609.patch: nanosleep when too
    many open fds is detected
  - CVE-2011-4609
* SECURITY UPDATE: vfprintf nargs overflow leading to FORTIFY
  check bypass
  - debian/patches/any/glibc-CVE-2012-0864.patch: check for integer
  - CVE-2012-0864

92. By Kees Cook

* SECURITY UPDATE: setuid iconv users could load arbitrary libraries.
  - debian/patches/any/dst-expansion-fix.diff: refresh with new
    proposed solution, avoiding iconv issues.
  - any/cvs-check-setuid-on-audit.diff: upstream fix for CVE-2010-3856,
    which was already had a work-around in 2.7-10ubuntu7.

91. By Kees Cook

* SECURITY UPDATE: root escalation via LD_AUDIT DST expansion.
  - debian/patches/any/dst-expansion-fix.diff: upstream fixes.
  - CVE-2010-3847
  - debian/patches/any/disable-ld_audit.diff: turn off LD_AUDIT
    for setuid binaries.

90. By Kees Cook

* SECURITY UPDATE: integer overflow in strfmon() might lead to arbitrary
  code execution.
  - debian/patches/any/git-strfmon-overflow.diff: backport from upstream.
  - CVE-2008-1391
* SECURITY UPDATE: newlines not escaped in /etc/mtab.
  - debian/patches/any/git-mntent-newline-escape.diff: upstream fixes.
  - CVE-2010-0296
* SECURITY UPDATE: arbitrary code execution from ELF headers (LP: #542197).
  - debian/patches/any/git-fix-dtag-cast.diff: upstream fixes.
  - CVE-2010-0830
* debian/patches/any/git-readdir-padding.diff: fix readdir padding when
  processing getdents64() in a 32-bit execution environment (LP: #392501).

89. By Matthias Klose

* Probably built on the good buildds last time; pessimize expected
  test results on ia64, i386.
* debian/expected_test_summary: Fix typos in expected sparc results.

88. By Matthias Klose

* Adjust debian/expected_test_summary:
  - Fix typo for i386 xen.
  - crypt/sha512c fails on i386 (log-test-i486-linux-gnu-libc), but not on
    the PPA build.
  - Add current results for ia64, powerpc, sparc.

87. By Matthias Klose

* Merge remaining changes from 2.7-10 (r2869:2892).
* If RELEASE_UPGRADE_MODE is set to `desktop', make the glibc/restart-services,
  glibc/restart-failed and glibc/upgrade questions of medium priority (and
  restarting the services automatically). LP: #174002.
  Works as well around the upgrade errors mentioned in LP #205079 in a KDE
  environment, when the upgrade is done using the update-manager.
* debian/rules: Always use the package settings for *FLAGS, not the settings
  from the environment.
* Fail the build if regressions are found running the testsuite compared to
  expected results from debian/expected_test_summary. Take initial values
  from a PPA build predating this upload.
* Merge from Debian trunk:
  - local/manpages/ld.so.8: fix libraries search order. Closes: #473458.
  - Update Finish debconf translation, by Esko Araj√§rvi. Closes: #473802.
  - Add any/cvs-strerror_r.diff to make strerror_r actually thread safe.
    Closes: #456531.
* debian/rules.d/build.mk: Call `sync' before building the tarball of
  supported locales. Our buildds trigger http://lkml.org/lkml/2007/8/1/337
  on every build.

86. By Steve Langasek

Clear out LDFLAGS when building; glibc isn't happy building with
-Wl,-Bsymbolic-functions. LP: #201673

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
This branch contains Public information 
Everyone can see this information.