These two fixes used in Gentoo patchset-7
are seemingly not gonna be upstreamed
(I cannot see them in glibc-2.27 nor applied by Debian libc6-2.26)
-
0057_all_lib-punycode.c-decode_digit-Fix-integer-overflow.patch
0058_all_libidn-punycode.c-decode_digit-Really-fix-integer-ov.patch
0077_all_libidn-Fix-out-of-bounds-stack-read.-Report-and-patc.patch
--
(In reply to Ulenrich from comment #0)
> These two fixes used in Gentoo patchset-7
> are not gonna seemingly upstreamed
> (I cannot see them in glibc-2.27 nor applied by Debian libc6-2.26)
> -
> 0057_all_lib-punycode.c-decode_digit-Fix-integer-overflow.patch
> 0058_all_libidn-punycode.c-decode_digit-Really-fix-integer-ov.patch
> 0077_all_libidn-Fix-out-of-bounds-stack-read.-Report-and-patc.patch
> --

Upstream can't take them without difficulty because of a) the license change of libidn and b) libidn not requiring FSF copyright assignment.

That said, they will be gone in 2.28, as the problem is fixed in a different way.

(And yes, there is an upstream bug filed. Just search this bugzilla here to find a link.)
Many thanks for the explanation. I stumbled upon them because I investigated something else. I thought they might be hidden from you, but they are not. Thanks
Here's the relevant discussion upstream. Effectively, the code will be removed from glibc, loading libidn2 dynamically instead.