#1109803 glibc: CVE-2025-8058

Package:
src:glibc
Source:
src:glibc
Submitter:
Salvatore Bonaccorso
Date:
2025-08-27 19:33:06 UTC
Severity:
normal
Tags:
#1109803#5
Date:
2025-07-24 05:09:01 UTC
From:
To:
Source: glibc
Version: 2.41-10
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.36-9+deb12u7
Control: found -1 2.36-9+deb12u10
Control: found -1 2.36-9
Control: forwarded -1 https://sourceware.org/bugzilla/show_bug.cgi?id=33185

Hi,

The following vulnerability was published for glibc.

CVE-2025-8058[0]:
| The regcomp function in the GNU C library version from 2.4 to 2.41
| is subject to a double free if some previous allocation fails. It
| can be accomplished either by a malloc failure or by using an
| interposed malloc that injects random malloc failures. The double
| free can allow buffer manipulation depending on how the regex is
| constructed. This issue affects all architectures and ABIs
| supported by the GNU C library.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-8058
https://www.cve.org/CVERecord?id=CVE-2025-8058
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=33185
[2] https://sourceware.org/git/?p=glibc.git;a=commit;h=7ea06e994093fa0bcca0d0ee2c1db271d8d7885d
[3] https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2025-0005

Regards,
Salvatore

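The advisory text quoted above says the double free is reached only when an earlier allocation fails, and that an interposed malloc injecting failures is one way to get there. The following is an added example, not glibc's regcomp code and not part of this bug report: a small C toy that mirrors that bug class with a wrapped allocator (a stand-in for an interposed malloc), a tracking free that counts a second release of the same block instead of corrupting the heap, and the error-path pattern that fixes it, namely that whatever the failing helper frees it also nulls, so a later generic cleanup cannot free it again. The struct, the function names and the sample pattern string are invented for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fault-injecting allocator, standing in for an interposed malloc: call
 * number fail_at (0-based) returns NULL; fail_at = -1 means never fail. */
static int fail_at = -1;
static int alloc_count = 0;

static void *fi_malloc(size_t n)
{
    if (alloc_count++ == fail_at)
        return NULL;                 /* injected allocation failure */
    return malloc(n);
}

/* Tracking free: remembers every pointer it released and, instead of
 * passing a block to free() twice, counts the second attempt. */
#define MAX_FREES 64
static void *freed[MAX_FREES];
static int freed_n = 0;
static int double_frees = 0;

static void tracked_free(void *p)
{
    if (p == NULL)
        return;
    for (int i = 0; i < freed_n; i++) {
        if (freed[i] == p) {         /* same block released a second time */
            double_frees++;
            return;
        }
    }
    if (freed_n < MAX_FREES)
        freed[freed_n++] = p;
    free(p);
}

static void reset_trackers(int fail_index)
{
    fail_at = fail_index;
    alloc_count = 0;
    freed_n = 0;
    double_frees = 0;
}

/* Two-part object, like a compiled pattern owning its source text and a
 * separately allocated token buffer (invented for the illustration). */
struct pattern {
    char *src;
    int *tokens;
};

/* Buggy error path: when the second allocation fails the helper frees
 * p->src but leaves the dangling pointer behind, so the caller's generic
 * cleanup releases the same block again. */
static int compile_buggy(struct pattern *p, const char *re)
{
    p->src = fi_malloc(strlen(re) + 1);
    if (p->src == NULL)
        return -1;
    strcpy(p->src, re);
    p->tokens = fi_malloc(strlen(re) * sizeof(int));
    if (p->tokens == NULL) {
        tracked_free(p->src);        /* BUG: p->src still points at the freed block */
        return -1;
    }
    return 0;
}

/* Fixed error path: whatever this function frees it also nulls, so the
 * generic cleanup sees NULL and the block is released exactly once. */
static int compile_fixed(struct pattern *p, const char *re)
{
    p->src = fi_malloc(strlen(re) + 1);
    if (p->src == NULL)
        return -1;
    strcpy(p->src, re);
    p->tokens = fi_malloc(strlen(re) * sizeof(int));
    if (p->tokens == NULL) {
        tracked_free(p->src);
        p->src = NULL;
        return -1;
    }
    return 0;
}

/* Generic cleanup a caller runs whether or not compile succeeded. */
static void pattern_free(struct pattern *p)
{
    tracked_free(p->tokens);
    tracked_free(p->src);
    p->tokens = NULL;
    p->src = NULL;
}

/* Compile one constructed pattern with allocation number fail_index failing
 * and return how many double frees the tracking free observed. */
int run_case(int (*compile)(struct pattern *, const char *), int fail_index)
{
    struct pattern p = { NULL, NULL };
    reset_trackers(fail_index);
    compile(&p, "a(b|c)*d");         /* constructed sample pattern */
    pattern_free(&p);
    return double_frees;
}

int main(void)
{
    for (int i = -1; i < 2; i++)
        printf("fail alloc %2d: buggy=%d double free(s), fixed=%d\n",
               i, run_case(compile_buggy, i), run_case(compile_fixed, i));
    return 0;
}
```

Only the case where the second allocation fails (fail index 1) produces a double free in the buggy variant; the first allocation failing leaves nothing to free twice, and a run with no injected failure is clean in both variants. That is why this class of bug survives ordinary testing and why fault injection on the allocator, as the advisory describes, is what surfaces it.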
#1109803#16
Date:
2025-07-26 18:40:29 UTC
From:
To:
Hello,

Bug #1109803 in glibc reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/glibc-team/glibc/-/commit/053da3eb6349f1b107ecb30deba5da7300e53721
------------------------------------------------------------------------
debian/patches/git-updates.diff: update from upstream stable branch:

* debian/patches/git-updates.diff: update from upstream stable branch:
  - Fix iconv to not create executable files with -o.
  - Fix double-free after allocation failure in regcomp (GLIBC-SA-2025-0005
    / CVE-2025-8058).  Closes: #1109803.
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1109803

#1109803#23
Date:
2025-07-26 18:50:50 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1109803@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 26 Jul 2025 20:29:12 +0200
Source: glibc
Architecture: source
Version: 2.41-11
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Closes: 1109803
Changes:
 glibc (2.41-11) unstable; urgency=medium
 .
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - Fix iconv to not create executable files with -o.
     - Fix double-free after allocation failure in regcomp (GLIBC-SA-2025-0005
       / CVE-2025-8058).  Closes: #1109803.
Checksums-Sha1:
 2931b622d180aad0ebc32521a656aebc1406c806 7544 glibc_2.41-11.dsc
 a9aaca1300e658612a7e7d60030ee47a4fa79edf 437792 glibc_2.41-11.debian.tar.xz
 6540f115b4e71ac1d6410712284b68aa7e542df7 9356 glibc_2.41-11_source.buildinfo
Checksums-Sha256:
 07b4bbd9b93343a90e89e64ae1227286884ca6e04b8a40553edc5a1aba158ed0 7544 glibc_2.41-11.dsc
 8931fe5a287262e8d0adcbdde28d08cefbe955edf7abf4c32540a5ad7f0e470d 437792 glibc_2.41-11.debian.tar.xz
 2d31497f1e2c7ad79b7f143deb0389a4ff8a191711795481324677c670046cf5 9356 glibc_2.41-11_source.buildinfo
Files:
 abadf10b156698691b691a436d8fa044 7544 libs required glibc_2.41-11.dsc
 fdb42bc1b6f7a918079d34ef4688543d 437792 libs required glibc_2.41-11.debian.tar.xz
 a9def08992760ce18ba034d936c8ec7e 9356 libs required glibc_2.41-11_source.buildinfo
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUryGlb40+QrX1Ay4E4jA+JnoM2sFAmiFIXMACgkQE4jA+Jno
M2vRyg/+LYErFmMycGFHP3L0GjvZ35X9Kijy1znu+cWF/DbYioKPlE8wsJvRrq+s
3FiYDG/6coOwn0ijhcp6AZVAQV6X250sM6oKb8Z1oGWcmV8ko5KbIv5bM1KP3Z75
HTTileiTTHrImQytZN72gkJ7k+vmpJrhxleu+cAdVOGsaIr8PT3SHvp/Zduv+SxT
XxtWpR+wXZ+YMrLiRfUDgnu/Sjld9iEUIo7gqmRu6CTXhnnMwp20RxiMoqPT1PNp
Q5DKEpmUPzu7ibzPFIDpJaTiGSDzEPFDnr/Pe6/otqH2O7mBXKma7bbjnJVB7yr2
xOcP98x5sqvEmMLxj2hB6+sunQ3Gta7FGhGXRnS7ZPOE8BOfUBHkbrNlPL4BqQ8J
b3W3DNxSqVlyAB1+gt5CGn9h9CeFL/Qlv5c/X0Asap+YtPbBeB6m9q4XUCz9XKfB
f2tDtX1Fn4W2XUBJ7+hmiQUG/8A3BUzk0NbZA3UY8VP/skurje414/0waLZA9AtE
M1cBcnEtKqBvrVfxXHPDOisHiq0LavEwgFArQaZC1OgFMfn3t/BMSWuB9dHA0Ekj
WxnQFxN4qFe3KwHnKSWltrjpx+2hpLEYfwSZIi8jtj8ZXuMAjsg8RxxbpvOKp4xs
P8Rfqe05LceU1k38hIreJXb79WP5JrRJsi9xSmOWs198z3BheHQ=
=qdj5
-----END PGP SIGNATURE-----

#1109803#28
Date:
2025-08-27 19:32:27 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1109803@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 25 Aug 2025 21:11:05 +0200
Source: glibc
Architecture: source
Version: 2.36-9+deb12u13
Distribution: bookworm
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Closes: 1109803
Changes:
 glibc (2.36-9+deb12u13) bookworm; urgency=medium
 .
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - Fix error reporting (false negatives) in SGID tests
     - Fix double-free after allocation failure in regcomp (GLIBC-SA-2025-0005
       / CVE-2025-8058).  Closes: #1109803.
Checksums-Sha1:
 1ade2f71d7b4c255f107219258b7473e2a553c29 9765 glibc_2.36-9+deb12u13.dsc
 685316ee360f4b31963e317d383cbc82d910c5c0 908524 glibc_2.36-9+deb12u13.debian.tar.xz
 f971ee69e0189ad6a5950cbd67443e6b8189d00c 10258 glibc_2.36-9+deb12u13_source.buildinfo
Checksums-Sha256:
 c034e180a28197c8a9d2b378bcf621d87766a49b3d1bb2d82cc25068ba398cac 9765 glibc_2.36-9+deb12u13.dsc
 728086077548b13c37a348a99f74b9c7a437d6a8aed4aab5e2ed86b3a5ff6df6 908524 glibc_2.36-9+deb12u13.debian.tar.xz
 b611b6a4833f15e8f012b7fee69cf307274215ada725fcfb8410b341fc00e1f0 10258 glibc_2.36-9+deb12u13_source.buildinfo
Files:
 5459c588efa4e02c59784b8d07580d3e 9765 libs required glibc_2.36-9+deb12u13.dsc
 25861cd110c61ea32a2e52ffa4e65ff2 908524 libs required glibc_2.36-9+deb12u13.debian.tar.xz
 6d79d46d485fbf7d4357d5369ece09ca 10258 libs required glibc_2.36-9+deb12u13_source.buildinfo
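
To act on the two close notices in this report (2.41-11 for unstable, 2.36-9+deb12u13 for bookworm), a scanner has to compare Debian package versions the way dpkg does; plain string comparison would rank 2.36-9+deb12u7 above 2.36-9+deb12u13. The following is an added example, not part of the bug report and not dpkg's own code: it reimplements the Debian version-comparison algorithm in C and checks an installed libc6 version string (for instance the output of dpkg-query -W -f '${Version}' libc6) against the fix versions named on this page. The function names and the sample inputs are the example's own, and suites not mentioned in this report are reported as unknown rather than guessed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Character weight used by the Debian algorithm: '~' sorts before anything,
 * including end of string; letters before non-letters; digits are compared
 * numerically elsewhere; end of string weighs 0. */
static int order(int c)
{
    if (isdigit(c)) return 0;
    if (isalpha(c)) return c;
    if (c == '~') return -1;
    if (c) return c + 256;
    return 0;
}

/* Compare one component (upstream version or Debian revision) as alternating
 * runs of non-digits (by weight) and digits (numerically). */
static int verrevcmp(const char *a, const char *b)
{
    while (*a || *b) {
        int first_diff = 0;
        while ((*a && !isdigit((unsigned char)*a)) ||
               (*b && !isdigit((unsigned char)*b))) {
            int ac = order((unsigned char)*a), bc = order((unsigned char)*b);
            if (ac != bc)
                return ac < bc ? -1 : 1;
            a++;
            b++;
        }
        while (*a == '0') a++;       /* leading zeros do not count */
        while (*b == '0') b++;
        while (isdigit((unsigned char)*a) && isdigit((unsigned char)*b)) {
            if (!first_diff)
                first_diff = *a - *b;
            a++;
            b++;
        }
        if (isdigit((unsigned char)*a)) return 1;   /* longer number wins */
        if (isdigit((unsigned char)*b)) return -1;
        if (first_diff)
            return first_diff < 0 ? -1 : 1;
    }
    return 0;
}

/* Split "[epoch:]upstream[-revision]" in place inside buf. */
static void split_version(const char *v, char *buf, size_t n, long *epoch,
                          const char **upstream, const char **revision)
{
    snprintf(buf, n, "%s", v);
    char *p = buf, *colon = strchr(p, ':'), *dash;
    *epoch = 0;
    if (colon) {
        *colon = '\0';
        *epoch = strtol(p, NULL, 10);
        p = colon + 1;
    }
    dash = strrchr(p, '-');
    *revision = "";
    if (dash) {
        *dash = '\0';
        *revision = dash + 1;
    }
    *upstream = p;
}

/* Full Debian version comparison: epoch, then upstream, then revision.
 * Returns -1, 0 or 1 like dpkg --compare-versions would decide. */
int debversion_cmp(const char *va, const char *vb)
{
    char ba[128], bb[128];
    long ea, eb;
    const char *ua, *ra, *ub, *rb;
    split_version(va, ba, sizeof ba, &ea, &ua, &ra);
    split_version(vb, bb, sizeof bb, &eb, &ub, &rb);
    if (ea != eb) return ea < eb ? -1 : 1;
    int c = verrevcmp(ua, ub);
    return c ? c : verrevcmp(ra, rb);
}

/* Fixed versions taken from this bug's close notices; nothing else is assumed. */
static const struct { const char *suite, *version; } fixes[] = {
    { "unstable", "2.41-11" },
    { "bookworm", "2.36-9+deb12u13" },
};

/* 1 = installed libc6 predates the fix, 0 = fixed, -1 = suite not known here. */
int cve_2025_8058_affected(const char *suite, const char *installed)
{
    for (size_t i = 0; i < sizeof fixes / sizeof fixes[0]; i++)
        if (strcmp(fixes[i].suite, suite) == 0)
            return debversion_cmp(installed, fixes[i].version) < 0;
    return -1;
}

int main(void)
{
    /* Constructed sample inputs, as dpkg-query -W -f '${Version}' libc6 would print. */
    const char *samples[][2] = {
        { "bookworm", "2.36-9+deb12u7" }, { "bookworm", "2.36-9+deb12u13" },
        { "unstable", "2.41-10" },        { "unstable", "2.41-11" },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s libc6 %-16s affected=%d\n", samples[i][0], samples[i][1],
               cve_2025_8058_affected(samples[i][0], samples[i][1]));
    return 0;
}
```

The three versions the report marks as found (2.36-9, 2.36-9+deb12u7 and 2.36-9+deb12u10) all compare below 2.36-9+deb12u13, and 2.36-9 sorts lowest because a revision that ends where the other continues with "+deb12u13" is the smaller one under this algorithm.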