Package: release.debian.org
The https://tracker.debian.org/pkg/newlib package has an open security problem with malloc and friends in stable and oldstable, see
https://bugs.debian.org/984446 for the CVE issue. The package is orphaned.
I would like to fix the bug at least in stable, and propose the
following upload. The change is already in the git repo on salsa in the debian/bookworm branch. The problem is already fixed in unstable and
testing with a new version of the upstream code. The fix to stable is
only the minimal patch to solve the issue.
I propose to use the version number 3.3.0-2, but am open to better
proposals. The version in testing is 4.4.0.20231231-2.
The complete proposed patch is below:
diff --git a/debian/changelog b/debian/changelog
index b3e3ef851..1c8ddc5cb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+newlib (3.3.0-2) bookworm; urgency=medium
+
+ * QA upload.
+ * Orphan package to reflect status in Unstable.
+ * Added mallocr-CVE-2021-3420.patch to solve incorrect overflow
+ check in malloc and friends.
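Review bot: the new changelog entry has no bug closer for the CVE bug, so the upload as posted would not close #984446; add "(Closes: #984446)" to the mallocr-CVE-2021-3420.patch bullet. The hunk header `@@ -1,3 +1,12 @@` announces twelve added lines but only six are visible here, so the maintainer/date trailer and the blank line before the previous entry are cut off in what was posted. Also, the entry says a patch was added and the package orphaned, but the diff shown touches only debian/changelog: the debian/patches/series entry, the patch file itself and the debian/control change that orphaning implies are not in the posted diff, although the message calls it the complete patch.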
Usually you would choose 3.3.0-1.3+deb12u1 for this update, but given that
3.3.0-2 was never present in unstable and the version later moved on,
this is in theory possible.
I would also add the bug closer for #984446.
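An added example, not from this thread, that reimplements dpkg's version comparison in Python to check the ordering the discussion relies on: the proposed 3.3.0-2 must sort above the current stable version (assumed here to be 3.3.0-1.3, which the suggested 3.3.0-1.3+deb12u1 implies) and below the 4.4.0.20231231-2 in testing. The algorithm follows Debian Policy's version ordering (epoch, then upstream_version, then debian_revision, with `~` sorting first and letters before other characters).

```python
import re
from functools import cmp_to_key
from itertools import zip_longest


def _order(c):
    # dpkg's order(): '~' sorts before everything (even end of string,
    # which is 0), letters sort before all other characters.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_nondigit(a, b):
    for ca, cb in zip_longest(a, b):
        oa = _order(ca) if ca is not None else 0
        ob = _order(cb) if cb is not None else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a, b):
    # An upstream_version or debian_revision is compared as alternating
    # non-digit runs (lexical via _order) and digit runs (numeric).
    ta = re.findall(r"(\D*)(\d*)", a)
    tb = re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(ta, tb, fillvalue=("", "")):
        c = _cmp_nondigit(na, nb)
        if c:
            return c
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def _split(version):
    # [epoch:]upstream_version[-debian_revision]; a missing revision is "".
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    return (epoch, upstream, revision) if sep else (epoch, version, "")


def compare_versions(v1, v2):
    """Return -1, 0 or 1, like dpkg --compare-versions lt / eq / gt."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def sort_versions(versions):
    return sorted(versions, key=cmp_to_key(compare_versions))


# Versions named in the thread plus the assumed current stable 3.3.0-1.3.
NEWLIB_VERSIONS = ["4.4.0.20231231-2", "3.3.0-2", "3.3.0-1.3+deb12u1", "3.3.0-1.3"]
```

`sort_versions(NEWLIB_VERSIONS)` places 3.3.0-2 between 3.3.0-1.3+deb12u1 and 4.4.0.20231231-2, which is why the unusual number still upgrades cleanly from stable to testing.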