XPost: linux.debian.devel.release
Package: release.debian.org
The <URL:
https://tracker.debian.org/pkg/newlib > package got an open
security problem with malloc and friends in stable and oldstable, see
<URL:
https://bugs.debian.org/984446 > for the CVE issue. The package
is orphaned.
I would like to fix the bug at least in stable, and propose the
following upload. The change is already in the git repo on salsa in the debian/bookworm branch. The problem is already fixed in unstable and
testing with a new version of the upstream code. The fix to stable is
only the minimal patch to solve the issue.
I propose to use the version number 3.3.0-2, but am open to better
proposals. The version in testing is 4.4.0.20231231-2.
Complete proposed patch is below:
diff --git a/debian/changelog b/debian/changelog
index b3e3ef851..1c8ddc5cb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+newlib (3.3.0-2) bookworm; urgency=medium
+
+ * QA upload.
+ * Orphan package to reflect status in Unstable.
+ * Added mallocr-CVE-2021-3420.patch to solve incorrect overflow
+ check in malloc and friends.
+
+ -- Petter Reinholdtsen <
pere@debian.org> Sat, 16 Mar 2024 08:53:41 +0100
+
newlib (3.3.0-1.3) unstable; urgency=medium
* Non-maintainer upload.
diff --git a/debian/control b/debian/control
index ff12d0bc5..4daa4e559 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,7 @@
Source: newlib
Section: devel
Priority: optional
-Maintainer: Agustin Henze <
tin@debian.org>
+Maintainer: Debian QA Group <
packages@qa.debian.org>
Build-Depends:
debhelper (>= 9),
texinfo,
diff --git a/debian/gbp.conf b/debian/gbp.conf
index f4a0824a9..04f21b160 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,6 +1,7 @@
[DEFAULT]
pristine-tar = True
merge = True
+debian-branch = debian/bookworm