• Bug#1106789: nmu: multiple binNMUs against glibc (>= 2.39) for CVE-2025

    From Aurelien Jarno@21:1/5 to All on Thu May 29 22:20:01 2025
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    Tags: trixie security
    X-Debbugs-Cc: team@security.debian.org
    User: release.debian.org@packages.debian.org
    Usertags: binnmu

    Dear release team,

    An untrusted LD_LIBRARY_PATH environment variable vulnerability has been
    found in the GNU libc, affecting *static* binaries (CVE-2025-4802). It
    allows attacker-controlled loading of a dynamically shared library in
    *statically* compiled setuid binaries that call dlopen.

    The issue has been fixed in glibc 2.39, which migrated to testing on
    2024-07-23. I haven't found any static binary with setuid or setgid bit
    set in the archive, but I think we should rebuild all static binaries in
    case some users have changed the permissions of some of them. Most of
    the static binaries in trixie have been rebuilt since then, thanks to
    the regular binNMU to get rid of outdated Built-Using. That said, a few
    packages shipping glibc-based static binaries do not set Built-Using,
    and haven't been rebuilt for other reasons since then, so they need a
    binNMU:

    nmu 10 tini_0.19.0-1 . ANY . -m 'Rebuild against libc6-dev (>= 2.39)'
    nmu tsocks_1.8beta5+ds1-2 . ANY . -m 'Rebuild against libc6-dev (>= 2.39)'

    Using +b10 for tini is done on purpose, in order to keep some values
    available for bookworm and possibly bullseye, as the source version is
    the same from bullseye to sid.

    Thanks
    Aurelien

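The check the report describes (are there statically linked setuid/setgid glibc binaries, and were they built against a glibc older than 2.39?) can be run on an installed system rather than the archive. The following is an added example and is not Debian or glibc tooling: it treats a binary as static when its ELF program headers carry no PT_INTERP (which covers both classic static and static-pie), and it reads the glibc version from the banner glibc's csu/version.c embeds in static binaries. The banner regex, the restriction to 64-bit little-endian ELF, and the 2.39 threshold taken from the report are assumptions; the sample images built by make_sample_elf are constructed for offline use and are not runnable programs.

```python
"""Find static setuid/setgid ELF binaries and report the glibc they embed.
Added example, not Debian tooling; banner wording and 2.39 threshold assumed."""
import os
import re
import stat
import struct
import sys

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
PT_INTERP = 3
FIXED_GLIBC = (2, 39)  # the report states the fix landed in glibc 2.39

# glibc embeds a banner like "GNU C Library (Debian GLIBC 2.36-9) stable
# release version 2.36." in static binaries. Assumption: wording is stable.
GLIBC_BANNER = re.compile(
    rb"GNU C Library \([^)]*\) [a-z ]*release version (\d+)\.(\d+)")


def program_header_types(data):
    """p_type of each program header of an ELF64 LE image, or None if not one."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        return None
    if data[4] != 2 or data[5] != 1:  # ELFCLASS64 and ELFDATA2LSB only
        return None
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    types = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            return None
        types.append(struct.unpack_from("<I", data, off)[0])
    return types


def is_static_elf(data):
    """Static and static-pie binaries request no ld.so, so they lack PT_INTERP."""
    types = program_header_types(data)
    return types is not None and PT_INTERP not in types


def embedded_glibc_version(data):
    """(major, minor) from the glibc banner in the image, else None."""
    m = GLIBC_BANNER.search(data)
    return (int(m.group(1)), int(m.group(2))) if m else None


def needs_rebuild(data, fixed=FIXED_GLIBC):
    """True for a static glibc binary whose embedded version predates the fix."""
    if not is_static_elf(data):
        return False
    ver = embedded_glibc_version(data)
    return ver is not None and ver < fixed


def scan_setxid(root="/"):
    """Walk root without following symlinks; return (path, glibc_version,
    needs_rebuild) for every regular setuid/setgid file that is a static ELF."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if is_static_elf(data):
                hits.append((path, embedded_glibc_version(data), needs_rebuild(data)))
    return hits


def make_sample_elf(with_interp, version):
    """Constructed minimal ELF64 image (not a runnable program) with a
    glibc-style banner, so the checks above can be exercised offline."""
    ptypes = ([PT_INTERP] if with_interp else []) + [PT_LOAD]
    hdr = bytearray(64)
    hdr[:4] = ELF_MAGIC
    hdr[4], hdr[5], hdr[6] = 2, 1, 1  # 64-bit, little-endian, EV_CURRENT
    # e_type=ET_EXEC, e_machine=EM_X86_64, e_version, e_entry, e_phoff=64,
    # e_shoff, e_flags, e_ehsize, e_phentsize=56, e_phnum, e_shentsize, ...
    struct.pack_into("<HHIQQQIHHHHHH", hdr, 0x10, 2, 0x3E, 1, 0x401000, 64, 0,
                     0, 64, 56, len(ptypes), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0x1000)
                     for t in ptypes)
    banner = (b"GNU C Library (Debian GLIBC %d.%d-1) stable release version "
              b"%d.%d.\n" % (version + version))
    return bytes(hdr) + phdrs + banner


if __name__ == "__main__":
    for path, ver, bad in scan_setxid(sys.argv[1] if len(sys.argv) > 1 else "/"):
        shown = "glibc %d.%d" % ver if ver else "glibc ?"
        print(path, shown, "REBUILD" if bad else "ok")
```

Run it as root against `/` (or a chroot of the image under review) to list every static setuid/setgid binary with the glibc it embeds; a hit flagged REBUILD is a binary built against glibc older than 2.39 that is exposed in exactly the way the report describes if it calls dlopen. Binaries with a setuid bit added locally by an administrator, the case the report worries about, show up here even though they never did in the archive.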