- Package: release.debian.org
- Source: release.debian.org
- Submitter: Aurelien Jarno
- Date: 2025-06-17 17:25:02 UTC
- Severity: normal
- Tags:
Dear release team,

An untrusted LD_LIBRARY_PATH environment variable vulnerability has been found in the GNU libc, affecting *static* binaries (CVE-2025-4802). It allows attacker controlled loading of dynamically shared library in *statically* compiled setuid binaries that call dlopen.

The issue is fixed in glibc/2.36-9+deb12u11, once accepted in bookworm-pu (see bug #1106761). I haven't found any static binary with setuid or setgid bit set in the archive, but I think we should rebuild all static binaries in case some users have changed the permission of some of them.

This is the list of binNMU computed using Built-Using, assuming that d-i and dini will get an upload anyway for the point release:

nmu 9 bash_5.2.15-2 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 5 busybox_1:1.35.0-4 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 16 cdebootstrap_0.7.8 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 6 chkrootkit_0.57-2 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 5 dar_2.7.8-2 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 2 docker.io_20.10.24+dfsg1-1+deb12u1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu qemu_1:7.2+dfsg-7+deb12u13 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 23 sash_3.8-5 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 10 supermin_5.2.2-1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 13 tripwire_2.4.3.7-4 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 7 zsh_5.9-4 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'

I also found the additional following ones by scanning the archive:

nmu 5 balboa_2.0.0+ds-5 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 2 catatonit_0.1.7-1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu e2fsprogs_1.47.0-2 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu gnupg2_2.2.40-1.1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu integrit_4.1-3 . arm64 armel armhf mips64el ppc64el s390x -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)' # Some architectures use dietlibc
nmu libcap2_1:2.66-4+deb12u1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu lxc_1:5.0.2-1+deb12u3 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 6 snapd_2.57.6-1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 3 tini_0.19.0-1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 3 tsocks_1.8beta5+ds1-1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 2 ydotool_0.1.8-3 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'

In addition, the following packages will need a sourceful upload as they can't be binNMUed:

cross-toolchain-base_66
cross-toolchain-base-mipsen_24
cross-toolchain-base-ports_62

Regards
Aurelien
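A local triage check for the case the report above worries about (a static binary that an administrator has made setuid or setgid), as an added example that is not part of the original report or of any Debian tooling. It treats "static" as "ELF executable with no PT_INTERP segment"; it cannot tell whether the binary calls dlopen or which glibc it was linked against. The function names and the default `/usr` root are assumptions, and `make_elf64` only builds constructed sample headers.

```python
import os
import stat
import struct
import sys

PT_INTERP = 3            # program header type naming the dynamic loader
ET_EXEC, ET_DYN = 2, 3   # ET_DYN covers static-pie executables


def has_setid(mode: int) -> bool:
    """True if the setuid or setgid bit is set in a st_mode value."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def is_static_elf(data: bytes) -> bool:
    """True if data starts an ELF executable that has no PT_INTERP segment."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return False
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return False
    end = "<" if ei_data == 1 else ">"
    if struct.unpack_from(end + "H", data, 16)[0] not in (ET_EXEC, ET_DYN):
        return False
    try:
        if ei_class == 2:   # ELF64 header layout
            e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
            e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        else:               # ELF32 header layout
            e_phoff = struct.unpack_from(end + "I", data, 28)[0]
            e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        for i in range(e_phnum):
            off = e_phoff + i * e_phentsize
            if struct.unpack_from(end + "I", data, off)[0] == PT_INTERP:
                return False
    except struct.error:    # headers lie outside the bytes we were given
        return False
    return True


def scan(root: str) -> list:
    """Paths under root that are setuid/setgid regular files and static ELF."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if stat.S_ISREG(st.st_mode) and has_setid(st.st_mode):
                    with open(path, "rb") as fh:
                        if is_static_elf(fh.read(65536)):
                            hits.append(path)
            except OSError:
                continue
    return hits


def make_elf64(p_types, e_type=ET_EXEC) -> bytes:
    """Constructed sample: minimal little-endian ELF64 header + program headers."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                        64, 56, len(p_types), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<II", t, 0) + bytes(48) for t in p_types)


if __name__ == "__main__":
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else "/usr"):
        print(hit)
```

Any path it prints is a candidate to rebuild or replace with the package version built against the fixed glibc, or to strip of its setuid/setgid bit.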
Control: tags -1 + confirmed

Thanks for the list.

Scheduled, with added " . bookworm ", and the versions updated to reference +deb12u12.

Regards,
Adam

I've had to reschedule a few builds, as the binNMU versions had been used before for builds in unstable.

nmu 9 balboa_2.0.0+ds-5 . ANY . bookworm . -m 'Rebuild against glibc 2.36-9+deb12u12' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u12)'
nmu 2 e2fsprogs_1.47.0-2 . ANY . bookworm . -m 'Rebuild against glibc 2.36-9+deb12u12' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u12)'
nmu 4 gnupg2_2.2.40-1.1 . ANY . bookworm . -m 'Rebuild against glibc 2.36-9+deb12u12' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u12)'
nmu 26 sash_3.8-5 . ANY . bookworm . -m 'Rebuild against glibc 2.36-9+deb12u12' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u12)'

Regards,
Adam

cdebootstrap has the same source version in bookworm and sid (and bullseye), and sid is already at +b30. :-(

I've scheduled +b35 in sid and +b31 in bookworm.

Regards,
Adam
package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============
Package: bash
Version: 5.2.15-2+b9
Explanation: rebuild against glibc 2.36-9+deb12u12

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============
Package: balboa
Version: 2.0.0+ds-5+b9
Explanation: rebuild against glibc 2.36-9+deb12u12

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============
Package: busybox
Version: 1.35.0-4+b5
Explanation: rebuild against glibc 2.36-9+deb12u12

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============
Package: catatonit
Version: 0.1.7-1+b2
Explanation: rebuild against glibc 2.36-9+deb12u12

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============
Package: cdebootstrap
Version: 0.7.8+b31
Explanation: rebuild against glibc 2.36-9+deb12u12

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============
Package: chkrootkit
Version: 0.57-2+b6
Explanation: rebuild against glibc 2.36-9+deb12u12

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============
Package: dar
Version: 2.7.8-2+b5
Explanation: rebuild against glibc 2.36-9+deb12u12

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============
Package: docker.io
Version: 20.10.24+dfsg1-1+deb12u1+b2
Explanation: rebuild against glibc 2.36-9+deb12u12
package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============
Package: e2fsprogs
Version: 1.47.0-2+b2
Explanation: rebuild against glibc 2.36-9+deb12u12

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============
Package: gnupg2
Version: 2.2.40-1.1+b4
Explanation: rebuild against glibc 2.36-9+deb12u12

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============
Package: integrit
Version: 4.1-3+b1
Explanation: rebuild against glibc 2.36-9+deb12u12

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============
Package: libcap2
Version: 2.66-4+deb12u1+b1
Explanation: rebuild against glibc 2.36-9+deb12u12

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============
Package: lxc
Version: 5.0.2-1+deb12u3+b1
Explanation: rebuild against glibc 2.36-9+deb12u12

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============
Package: qemu
Version: 7.2+dfsg-7+deb12u13+b1
Explanation: rebuild against glibc 2.36-9+deb12u12

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============
Package: sash
Version: 3.8-5+b26
Explanation: rebuild against glibc 2.36-9+deb12u12
package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============
Package: supermin
Version: 5.2.2-1+b10
Explanation: rebuild against glibc 2.36-9+deb12u12

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============
Package: tini
Version: 0.19.0-1+b3
Explanation: rebuild against glibc 2.36-9+deb12u12

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============
Package: tripwire
Version: 2.4.3.7-4+b13
Explanation: rebuild against glibc 2.36-9+deb12u12

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============
Package: tsocks
Version: 1.8beta5+ds1-1+b3
Explanation: rebuild against glibc 2.36-9+deb12u12

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============
Package: ydotool
Version: 0.1.8-3+b2
Explanation: rebuild against glibc 2.36-9+deb12u12

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============
Package: zsh
Version: 5.9-4+b7
Explanation: rebuild against glibc 2.36-9+deb12u12
snapd FTBFS on mips*el, although I assume unrelated to any glibc changes:

make[1]: Entering directory '/build/reproducible-path/snapd-2.57.6'
ldd: _build/bin/snap-exec: No such file or directory
ldd: _build/bin/snap-update-ns: No such file or directory
ldd: _build/bin/snapctl: No such file or directory
# usually done via `go generate` but that is not supported on powerpc
GO_GENERATE_BUILDDIR=_build/src/github.com/snapcore/snapd GO111MODULE=off GOPATH=$(pwd)/_build ./mkversion.sh
*** Setting version to '2.57.6-1+b6' from changelog.
# github.com/snapcore/snapd/osutil/sys
osutil/sys/syscall.go:46:22: undefined: _SYS_GETUID
osutil/sys/syscall.go:50:22: undefined: _SYS_GETEUID
osutil/sys/syscall.go:54:23: undefined: _SYS_GETGID
osutil/sys/syscall.go:58:23: undefined: _SYS_GETEGID
make[1]: *** [debian/rules:134: override_dh_auto_build] Error 2
make[1]: Leaving directory '/build/reproducible-path/snapd-2.57.6'
make: *** [debian/rules:109: build-arch] Error 2

Regards,
Adam

Hi,

It appears that snapd never built on mips*el and therefore is not shipped in bookworm. I think we should just ignore this failure.

Regards
Aurelien

Oops, that's my bad for expanding ANY the same for all of the packages when generating comment files, and not double checking.

Thanks for the cluebat.

Regards,
Adam
package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============
Package: snapd
Version: 2.57.6-1+b6
Explanation: rebuild against glibc 2.36-9+deb12u12
On Fri, 06 Jun 2025 19:32:32 +0000 Adam D Barratt <adam@adam-barratt.org.uk> wrote:
> Upload details
> ==============
>
> Package: gnupg2
> Version: 2.2.40-1.1+b4
>
> Explanation: rebuild against glibc 2.36-9+deb12u12
It seems like gnupg2 isn't binNMU-safe in bookworm.
A few of the binary packages have Recommends: gnupg (= ${binary:Version})
even though gnupg is arch:all.
It's only Recommends but apt upgrade refuses to upgrade them:
MarkInstall gpg:amd64 < 2.2.40-1.1 -> 2.2.40-1.1+b4 @ii umU IPb > FU=0
gpg:amd64 Recommends on gnupg:amd64 < 2.2.40-1.1 @ii mK > (=
2.2.40-1.1+b4) can't be satisfied! (dep)
[...]
MarkKeep gpg:amd64 < 2.2.40-1.1 -> 2.2.40-1.1+b4 @ii umU IPb > FU=0
[...]
apt full-upgrade will upgrade it though.
Still I think gnupg2 needs a source upload.
Cheers,
Felix
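A check for the binNMU hazard described in the message above, as an added example that is not part of the original thread or of Debian's tooling: it flags arch-specific packages whose relationship fields pin an `Architecture: all` package with `(= ${binary:Version})`. The control text is a constructed sample (not gnupg2's real debian/control) and the function names are hypothetical; the `${source:Version}` form mentioned in the comments is the usual packaging convention, not necessarily the change made for #1060366.

```python
import re

REL_FIELDS = ("Pre-Depends", "Depends", "Recommends", "Suggests",
              "Breaks", "Conflicts", "Replaces", "Enhances")

# name, optional :arch qualifier, then an exact pin on ${binary:Version}
STRICT_PIN = re.compile(
    r"([a-z0-9][a-z0-9+.-]*)\s*(?::\w+)?\s*\(\s*=\s*\$\{binary:Version\}\s*\)")

# Constructed sample debian/control.
SAMPLE_CONTROL = """\
Source: example

Package: example-tools
Architecture: any
Depends: ${shlibs:Depends}, libexample1 (= ${binary:Version})
Recommends: example (= ${binary:Version})

Package: libexample1
Architecture: any

Package: example
Architecture: all
Depends: example-tools (>= ${source:Version})
"""


def parse_control(text):
    """Split a debian/control file into a list of {field: value} paragraphs."""
    paras = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            if line[:1] in (" ", "\t") and key:      # continuation line
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        paras.append(fields)
    return paras


def binnmu_unsafe(text):
    """Return (package, field, target) for each pin that a binNMU breaks.

    A binNMU appends +bN to ${binary:Version} of the rebuilt arch-specific
    packages only; Architecture: all packages are not rebuilt and keep the
    source version, so the exact pin can no longer be satisfied. Pinning
    with ${source:Version} avoids this.
    """
    paras = [p for p in parse_control(text) if "Package" in p]
    arch = {p["Package"]: p.get("Architecture", "") for p in paras}
    findings = []
    for p in paras:
        if arch[p["Package"]] == "all":
            continue
        for field in REL_FIELDS:
            for m in STRICT_PIN.finditer(p.get(field, "")):
                if arch.get(m.group(1)) == "all":
                    findings.append((p["Package"], field, m.group(1)))
    return findings


if __name__ == "__main__":
    for pkg, field, target in binnmu_unsafe(SAMPLE_CONTROL):
        print(f"{pkg}: {field} pins arch:all package {target} to binary:Version")
```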
Hi,

On Mon, Jun 09, 2025 at 07:49:57PM +0200, Felix Geyer wrote:

Well, that’s pretty unfortunate (and maybe a first for a point release). That will break a lot of upgrade workflows (it already did for me on a few boxes with p-u enabled).

Agreed.

Regards,
taffit

[CCing gnupg2 maintainers, and full quoting / top-posting for their benefit]

Hi gnupg2 maintainers,

gnupg2 recently got binNMUed in bookworm, which uncovered the fact that the resulting packages have some broken recommendations. It looks like this is already fixed in unstable and trixie via #1060366.

Could you please either prepare and submit a p-u update to make a similar change for bookworm, or ACK that you'd be happy for someone else to do so?

Regards,
Adam

[....]

Hello Adam,

I can/will take care of this. (Already fixed in GIT)

Afaict this is not too urgent, since the next point release timeline has not yet been announced.

cu Andreas

[...]

Thanks!

Yeah, we're not entirely sure when 12.12 will be. Our normal schedule would put it in mid-July, but that would be during (or just after) Debconf.

Regards,
Adam