Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 494444

Summary: sys-libs/glibc-2.17 - multiple vulnerabilities?
Product: Gentoo Security Reporter: Ulenrich <eulenreich>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: normal CC: axiator, toolchain
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments:
Description Flags
glibc-2.17-CVE-Debian-2013-autumn.patch none

Description Ulenrich 2013-12-16 13:16:37 UTC
Reading the Changelogs when updating my Debian-sid, 
I found these eglibc patches 
which are applicable to Gentoo glibc-2.17 just fine:

CVE-2013-4332-memalign.diff.patch
CVE-2013-4332-pvalloc.diff.patch
CVE-2013-4332-valloc.diff.patch
CVE-2013-4237.diff.patch
CVE-2013-4788-static-ptrguard.diff.patch
CVE-2013-4788-static-ptrguard-arm.diff.patch
CVE-2013-4237-alignment.diff.patch
NonCVE-findlocale-div-by-zero.diff.patch

Runs well my Gentoo~unstable having these patches.
Is it Gentoo policy to only security support the stable glibc-2.16 ?


Reproducible: Always
Comment 1 Ulenrich 2013-12-16 13:17:46 UTC
Created attachment 365468 [details, diff]
glibc-2.17-CVE-Debian-2013-autumn.patch
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2013-12-16 13:21:18 UTC

*** This bug has been marked as a duplicate of bug 484646 ***
Comment 3 Agostino Sarubbo gentoo-dev 2013-12-16 14:00:46 UTC
All CVEs you listed are filed separately as bug.
Comment 4 Ulenrich 2013-12-16 14:40:14 UTC
@Agostino 
Is the portage GLSA checker able to automaticly examine what upstream git commit to use as an epatch_user patch applicable to my special glibc-2.17 version? The Gentoo CVE bugs you mention do not specify any glibc version. Howto get these bugs information out of the bugtracker into my portage tree?