CVE-2019-25013 (https://sourceware.org/bugzilla/show_bug.cgi?id=24973):
The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.
Patch: https://sourceware.org/git/?p=glibc.git;a=commit;h=ee7a3144c9922808181009b7b3e50e852fb4999b
Not in any release.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0e486a3e2bcba51de8672b544186e147079cdff0
commit 0e486a3e2bcba51de8672b544186e147079cdff0
Author: Andreas K. Huettel <dilfridge@gentoo.org>
AuthorDate: 2021-01-07 11:24:02 +0000
Commit: Andreas K. Huettel <dilfridge@gentoo.org>
CommitDate: 2021-01-07 11:24:27 +0000
    sys-libs/glibc: Patchlevel bump
    Bug: https://bugs.gentoo.org/764176
    Bug: https://bugs.gentoo.org/763618
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Andreas K. Huettel <dilfridge@gentoo.org>
 sys-libs/glibc/Manifest             |    1 +
 sys-libs/glibc/glibc-2.32-r7.ebuild | 1513 +++++++++++++++++++++++++++++++++++
 2 files changed, 1514 insertions(+)
Ready to stable? In tree since 7th Jan.
(In reply to Sam James from comment #2)
> Ready to stable? In tree since 7th Jan.
Why not.
hppa/sparc stable
amd64 done
x86 done
arm64 done
arm done
s390 stable
@ppc, ppc64: ping
Some tests still fail, but I checked and it seems due to a kernel bug. Debian disables those:
FAIL: signal/tst-minsigstksz-1
FAIL: signal/tst-minsigstksz-2
FAIL: signal/tst-minsigstksz-3
FAIL: signal/tst-minsigstksz-3a
FAIL: signal/tst-minsigstksz-4
ppc and ppc64 done.
Unable to check for sanity:
> no match for package: sys-libs/glibc-2.32-r7
Nothing to do for toolchain here anymore
New request filed
This issue was resolved and addressed in GLSA 202107-07 at https://security.gentoo.org/glsa/202107-07 by GLSA coordinator John Helmert III (ajak).