ubuntu/+source/glibc:ubuntu/xenial-security

Last commit made on 2018-01-17
Get this branch:
git clone -b ubuntu/xenial-security https://git.launchpad.net/ubuntu/+source/glibc

Branch information

Name:
ubuntu/xenial-security
Repository:
lp:ubuntu/+source/glibc

Recent commits

5a1b372... by Chris Coulson on 2018-01-14

Import patches-unapplied version 2.23-0ubuntu10 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 1637ca09cd62a70b9884c1ae71686b4082c7ae27

New changelog entries:
  * SECURITY UPDATE: Memory leak in dynamic loader (ld.so)
    - debian/patches/any/cvs-compute-correct-array-size-in-_dl_init_paths.diff:
      Compute correct array size in _dl_init_paths
    - CVE-2017-1000408
  * SECURITY UPDATE: Buffer overflow in dynamic loader (ld.so)
    - debian/patches/any/cvs-count-components-of-expanded-path-in-_dl_init_paths.diff:
      Count components of the expanded path in _dl_init_path
    - CVE-2017-1000409
  * SECURITY UPDATE: One-byte overflow in glob
    - debian/patches/any/cvs-fix-one-byte-glob-overflow.diff: Fix one-byte
      overflow in glob
    - CVE-2017-15670
  * SECURITY UPDATE: Buffer overflow in glob
    - debian/patches/any/cvs-fix-glob-buffer-overflow.diff: Fix buffer overflow
      during GLOB_TILDE unescaping
    - CVE-2017-15804
  * SECURITY UPDATE: Local privilege escalation via mishandled RPATH / RUNPATH
    - debian/patches/any/cvs-elf-check-for-empty-tokens.diff: elf: Check for
      empty tokens before dynamic string token expansion
    - CVE-2017-16997
  * SECURITY UPDATE: Buffer underflow in realpath()
    - debian/patches/any/cvs-make-getcwd-fail-if-path-is-no-absolute.diff:
      Make getcwd(3) fail if it cannot obtain an absolute path
    - CVE-2018-1000001

1637ca0... by Steve Beattie on 2017-06-16

Import patches-unapplied version 2.23-0ubuntu9 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: cddea9d7b4b8650392d96a6b2bfe02698bf17289

New changelog entries:
  * SECURITY UPDATE: LD_LIBRARY_PATH stack corruption
    - debian/patches/any/CVE-2017-1000366.patch: Completely ignore
      LD_LIBRARY_PATH for AT_SECURE=1 programs
    - CVE-2017-1000366
  * SECURITY UPDATE: LD_PRELOAD stack corruption
    - debian/patches/any/upstream-harden-rtld-Reject-overly-long-LD_PRELOAD.patch:
      Reject overly long names or names containing directories in
      LD_PRELOAD for AT_SECURE=1 programs.
  * debian/patches/any/cvs-harden-glibc-malloc-metadata.patch: add
    additional consistency check for 1-byte overflows
  * debian/patches/any/cvs-harden-ignore-LD_HWCAP_MASK.patch: ignore
    LD_HWCAP_MASK for AT_SECURE=1 programs

cddea9d... by Steve Beattie on 2017-03-21

Import patches-unapplied version 2.23-0ubuntu7 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 1a71d7accbacdadfcc11892308131ea93eb6eb6f

New changelog entries:
  * REGRESSION UPDATE: Previous update introduced ABI breakage in
    internal glibc query ABI
    - Revert patches/any/CVE-2015-5180-regression.diff
      (LP: #1674532)

1a71d7a... by Steve Beattie on 2017-03-07

Import patches-unapplied version 2.23-0ubuntu6 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 6952a6bce06863ba887b3d158b44f0645d9c0946

New changelog entries:
  * SECURITY UPDATE: DNS resolver NULL pointer dereference with
    crafted record type
    - patches/any/CVE-2015-5180.diff: use out of band signaling for
      internal queries
    - CVE-2015-5180
  * Rebuild to get the following fixes into the xenial-security pocket:
    - SECURITY UPDATE: stack-based buffer overflow in the glob
      implementation
      + patches/git-updates.diff: Simplify the interface for the
        GLOB_ALTDIRFUNC callback gl_readdir
      + CVE-2016-1234
    - SECURITY UPDATE: getaddrinfo: stack overflow in hostent
      conversion
      + patches/git-updates.diff: Use a heap allocation instead
      + CVE-2016-3706
    - SECURITY UPDATE: stack exhaustion in clntudp_call
      + patches/git-updates.diff: Use malloc/free for the error
        payload.
      + CVE-2016-4429
    - SECURITY UPDATE: memory exhaustion DoS in libresolv
      + patches/git-updates.diff: Simplify handling of nameserver
        configuration in resolver
      + CVE-2016-5417
    - SECURITY UPDATE: ARM32 backtrace infinite loop (DoS)
      + patches/git-updates.diff: mark __startcontext as .cantunwind
      + CVE-2016-6323

6952a6b... by Adam Conrad on 2016-11-16

Import patches-unapplied version 2.23-0ubuntu5 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: 653af6348f487c9e2ef23f377a2f742babc05d23

New changelog entries:
  * Disable lock-elision on all targets to avoid regressions (LP: #1642390)

653af63... by Adam Conrad on 2016-10-14

Import patches-unapplied version 2.23-0ubuntu4 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: ff38964b4308fabc3d160ccaa265c63c7765e666

New changelog entries:
  * debian/rules.d/tarball.mk: Apply --no-renames to make the diff readable.
  * debian/patches/git-updates.diff: Update from release/2.23/master branch:
    - Include fix for potential makecontext() hang on ARMv7 (CVE-2016-6323)
    - Include fix for SEGV in sock_eq with nss_hesiod module (LP: #1571456)
    - Include malloc fixes, addressing multithread deadlocks (LP: #1630302)
    - debian/patches/hurd-i386/cvs-libpthread.so.diff: Dropped, upstreamed.
    - debian/patches/any/submitted-argp-attribute.diff: Dropped, upstreamed.
    - debian/patches/hurd-i386/tg-hurdsig-fixes-2.diff: Rebased to upstream.
  * debian/patches/ubuntu/local-altlocaledir.diff: Updated to latest version
    from Martin that limits scope to LC_MESSAGES, fixing segv (LP: #1577460)
  * debian/patches/any/cvs-cos-precision.diff: Fix cos() bugs (LP: #1614966)
  * debian/testsuite-xfail-debian.mk: Allow nptl/tst-signal6 to fail on ARM.

ff38964... by Adam Conrad on 2016-04-14

Import patches-unapplied version 2.23-0ubuntu3 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: 1649eb0632f8e0da8cf11c7392b2ebc2b819becb

New changelog entries:
  * Merge with 2.23 from experimental, bringing in upstream updates:
    - Save/restore fprs/vrs while resolving symbols (LP: #1564918)
    - Fix _nss_dns_getnetbyname_r() stack overflow (CVE-2016-3075)
    - Merge libnss-dns-udeb and libnss-files-udeb into libc6-udeb.
  * Tidy up locale-gen, thanks to Gunnar Hjalmarsson (LP: #1560577):
    - Fix thinko that broke handling of multiple locale arguments.
    - Recognize UTF-8 locales without charset suffix in SUPPORTED.
    - Fix bug that led to the unsupported message not being shown.
  * Show reboot-required notification for all updates (LP: #1546457)

1649eb0... by Aurelien Jarno on 2016-04-14

Import patches-unapplied version 2.23-0experimental2 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: 11618116edeb6f48b5ec42f2d97dfe997e7b4751

New changelog entries:
  [ Aurelien Jarno ]
  * debian/patches/git-updates.diff: update from upstream stable branch.
  * patches/kfreebsd/local-fbtl.diff: update to revision 5973 (from
    glibc-bsd).
  * debian/rules, debian/rules.d/build.mk: rename localedir into complocaledir
    following upstream change.
  * debian/patches/local-allocalim-header.diff: drop, obsolete.
  * debian/patches/any/local-no-pagesize.diff: drop, obsolete.
  [ Adam Conrad ]
  * debian/testsuite-xfail-debian.mk: Also allow tst-malloc-thread-fail to
    fail where we've already done so for test-xfail-tst-malloc-thread-exit.

1161811... by Aurelien Jarno on 2016-03-23

Import patches-unapplied version 2.23-0experimental1 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: e7b872e1c5993f4a914425728f673029c5ff2f9a

New changelog entries:
  [ Aurelien Jarno ]
  * debian/patches/git-updates.diff: update from upstream stable branch.
  * debian/testsuite-xfail-debian.mk (powerpc) really mark
    tst-malloc-thread-exit as xfail.
  * debian/testsuite-xfail-debian.mk (ppc64) mark tst-malloc-thread-exit
    test as xfail, it is a known issue and not a regression.
  * patches/kfreebsd/local-fbtl.diff: update to revision 5969 (from
    glibc-bsd).
  * debian/patches/kfreebsd/local-tst-malloc-fbtl.diff: drop, obsoleted by
    hurd-i386/cvs-libpthread.so.diff.
  * debian/patches/kfreebsd/local-tst-unique.diff: disable tst-unique* on
    GNU/kFreeBSD, as they are not supported by the FreeBSD ELF OSABI.
  * debian/patches/alpha/submitted-fts64.diff: new patch to fix the new fts64
    function on alpha.
  [ Samuel Thibault ]
  * hurd-i386/cvs-libpthread.diff: More updates to glibc-2.23.
  * hurd-i386/cvs-openat.diff: Fix __openat prototype.
  * hurd-i386/cvs-gai_sigqueue.diff: Fix gai_sigqueue prototype.
  * hurd-i386/cvs-aio_sigqueue.diff: Fix aio_sigqueue prototype.
  * hurd-i386/cvs-libpthread.diff: Separate 2.23 changes to...
  * hurd-i386/cvs-libpthread-2.23.diff: ... separate patch.
  * hurd-i386/cvs-libpthread.so.diff: Fix building malloc tests.
  * testsuite-xfail-debian.mk: Skip test which just overflows memory.
  * hurd-i386/cvs-pt-kill.diff: Fix pthread_kill locking.
  * hurd-i386/cvs-open.diff: Fix __open in ld.so, thus fixing dlopen().
  * hurd-i386/cvs-c++-types.diff: Add expected c++-types.data.
  * hurd-i386/local-ihash-use.diff: Note that libpthread uses ihash.h.
  * testsuite-xfail-debian.mk: Add failing new tests. Disable the problematic
    test-lfs test.
  * hurd-i386/local-versions.diff: New patch to fix symbol version.
  [ Adam Conrad ]
  * debian/patches/any/cvs-tst-malloc-thread-exit.diff: Backport fix from
    upstream to make tst-malloc-thread-exit use fewer system resources.
  * debian/debhelper.in/locales.config: Make default_environment_locale
    get preseeded correctly both with and without /etc/default/locale.
  * debian/control.in/i386: Remove list of Breaks that predate oldstable.
  * debian/control.in/*: Drop long obsolete file overlap Breaks/Replaces.

e7b872e... by Aurelien Jarno on 2016-03-13

Import patches-unapplied version 2.23-0experimental0 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: 6d870771cb0b2bcf80dc640d2a3e7300df949415

New changelog entries:
  [ Aurelien Jarno ]
  * New upstream release: version 2.23, with git updates up to 2016-03-12:
    - Fix German translation of "Alarm clock". Closes: #291293.
    - Fix strtol in Turkish locales. Closes: #458611.
    - Add LFS support for fts functions. Closes: #534521.
    - Fix build with GCC 6. Closes: #811574.
    - Fix unbounded stack allocation in nan* functions (CVE-2014-9761).
      Closes: #813187.
    - debian/patches/localedata/locale-ku_TR.diff: rebased.
    - debian/patches/localedata/fix-lang.diff: upstreamed.
    - debian/patches/localedata/first_weekday.diff: rebased.
    - debian/patches/localedata/locale-nb_NO.diff: upstreamed.
    - debian/patches/localedata/cvs-bg_BG-t_fmt.diff: upstreamed.
    - debian/patches/alpha/local-string-functions.diff: rebased.
    - debian/patches/amd64/local-blacklist-for-Intel-TSX.diff: rebased.
    - debian/patches/arm/local-ioperm.diff: dropped.
    - debian/patches/hppa/cvs-allocatestack-stacktop.diff: upstreamed.
    - debian/patches/hppa/local-pthread_spin_unlock.diff: upstreamed.
    - debian/patches/hppa/submitted-mathdef.diff: upstreamed.
    - debian/patches/hppa/cvs-update-mman.h.diff: upstreamed.
    - debian/patches/hppa/submitted-dladdr.diff: upstreamed.
    - debian/patches/hurd-i386/local-enable-ldconfig.diff: rebased.
    - debian/patches/hurd-i386/tg-tls.diff: rebased.
    - debian/patches/hurd-i386/tg-tls-threadvar.diff: rebased.
    - debian/patches/hurd-i386/tg-hurdsig-fixes.diff: rebased.
    - debian/patches/hurd-i386/tg-hurdsig-global-dispositions.diff: rebased.
    - debian/patches/hurd-i386/cvs-libpthread.diff: updated.
    - debian/patches/hurd-i386/unsubmitted-gnumach.defs.diff: rebased.
    - debian/patches/hurd-i386/submitted-fork_port_leak.diff: upstreamed.
    - debian/patches/hurd-i386/tg-libc_getspecific.diff: rebased.
    - debian/patches/hurd-i386/cvs-libpthread-libc-lockP.diff: upstreamed.
    - debian/patches/hurd-i386/tg-mmap32th_bit.diff: upstreamed.
    - debian/patches/hurd-i386/tg-sysheaders.diff: upstreamed.
    - debian/patches/hurd-i386/cvs-bootstrap.diff: upstreamed.
    - debian/patches/hurd-i386/cvs-cache-mach_host_self.diff: upstreamed.
    - debian/patches/hurd-i386/cvs-csu_crt0.diff: upstreamed.
    - debian/patches/hurd-i386/cvs-s_scalbn.diff: upstreamed.
    - debian/patches/hurd-i386/local-mach_print.diff: rebased.
    - debian/patches/hurd-i386/cvs-hidden.diff: rebased.
    - debian/patches/hurd-i386/cvs-O_DIRECTORY.diff: upstreamed.
    - debian/patches/hurd-i386/cvs-raise-longjump.diff: upstreamed.
    - debian/patches/i386/local-i386-ulps.diff: dropped.
    - debian/patches/kfreebsd/local-scripts.diff: rebased.
    - debian/patches/m68k/submitted-gcc34-seccomment.diff: rebased.
    - debian/patches/mips/cvs-testsuite-o32-fp.diff: upstreamed.
    - debian/patches/powerpc/local-powerpc8xx-dcbz.diff: rebased.
    - debian/patches/sh4/local-fpscr_values.diff: rebased.
    - debian/patches/any/local-bindresvport_blacklist.diff: rebased.
    - debian/patches/any/local-libgcc-compat-main.diff: rebased.
    - debian/patches/any/local-libgcc-compat-abilists.diff: rebased.
    - debian/patches/any/local-mktemp.diff: upstreamed.
    - debian/patches/any/cvs-stdio-lock.diff: upstreamed.
    - debian/patches/any/local-tcsetaddr.diff: rebased.
    - debian/patches/any/local-tst-mktime2.diff: rebased.
    - debian/patches/any/submitted-nis-netgrp.diff: upstreamed.
    - debian/patches/any/submitted-longdouble.diff: rebased.
    - debian/patches/any/local-dynamic-resolvconf.diff: rebased.
    - debian/patches/any/local-static-dlopen-search-path.diff: upstreamed.
    - debian/patches/any/local-math-logb.diff: upstreamed.
    - debian/patches/any/cvs-gawk-gensub.diff: upstreamed.
    - debian/patches/any/cvs-grantpt-namespace.diff: upstreamed.
    - debian/patches/any/cvs-grantpt-pty-owner.diff: upstreamed.
    - debian/patches/any/cvs-bits-libc-stdio-lock.diff: upstreamed.
    - debian/patches/any/submitted-hle-checking-mutex.diff: upstreamed.
    - debian/{control,symbols.wildcards,copyright}: Updated strings for 2.23.
    - debian/patches/kfreebsd/local-undef-glibc.diff: rebased.
    - debian/patches/kfreebsd/local-tst-malloc-backtrace.diff: rebased,
      renamed into local-tst-malloc-fbtl.diff.
    - debian/patches/hurd-i386/submitted-net.diff: rebased.
    - debian/patches/hurd-i386/tg-bits_atomic.h_multiple_threads.diff:
      rebased.
    - debian/patches/hurd-i386/submitted-handle-eprototype.diff: dropped.
  * debian/testsuite-xfail-debian.mk (powerpc) mark tst-malloc-thread-fail
    test as xfail, it is a known issue and not a regression.
  * debian/testsuite-xfail-debian.mk (mipsel): mark a few math tests as
    failing, due to a bug in the Loongson 3 FPU.
  * patches/kfreebsd/local-fbtl.diff: update to revision 5940 (from
    glibc-bsd).