[Bug 1851263] Re: Ubuntu 18.04.3 LTS bump Glibc 2.27 to the latest stable

Launchpad Bug Tracker 1851263 at bugs.launchpad.net
Mon Nov 2 18:40:35 UTC 2020 

This bug was fixed in the package glibc - 2.27-3ubuntu1.3

---------------
glibc (2.27-3ubuntu1.3) bionic; urgency=medium

  [ Balint Reczey ]
  * debian/gbp.conf: Add initial configuration
  * debian/control.in/main: Add Vcs-* pointing to Ubuntu packaging repository
  * arm64: Enable searching shared libraries in atomics/ on LSE HW
  * Ship arm64 variant with LSE support in libc6-lse (LP: #1885012)
  * Run tests of libc6-lse on HW supporting LSE
  * debian/patches/git-updates.diff: update from upstream stable branch
    - pthread_cond_broadcast: Fix waiters-after-spinning case
    - Fix SSe2-based memmove corrupting memory (CVE-2017-18269)
    - Fix strstr() performance regression on Haswell processors
    - Support Japanese new era "令和 (Reiwa)"
    - io: Remove copy_file_range emulation
    (LP: #1851263, #1858203, #1838327, #1797335, #1756209, #1853193)
  * XFAIL stdlib/tst-getrandom (LP: #1891403)
  * debian/testsuite-xfail-debian.mk: XFAIL new tst-support_descriptors

  [ Thadeu Lima de Souza Cascardo ]
  * tests: Make preadwritev2 invalid flags tests unsupported (LP: #1770480)

  [ Andreas Hasenack ]
  * branch-pthread_rwlock_trywrlock-hang-23844.patch:
    nptl: Fix pthread_rwlock_try*lock stalls (Bug 23844) (LP: #1864864)

 -- Balint Reczey <rbalint at ubuntu.com>  Wed, 02 Sep 2020 11:18:37 +0200

** Changed in: glibc (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-18269

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/1851263

Title:
  Ubuntu 18.04.3 LTS bump Glibc 2.27 to the latest stable

Status in glibc package in Ubuntu:
  Confirmed
Status in glibc source package in Bionic:
  Fix Released

Bug description:
  [Impact]

  * Ubuntu 18.04 is missing various stability and performance fixes that
  have been added to upstream's 2.27 branch. The accumulated changes are
  known to fix various issues already reported to Launchpad.

  [Test Case]
  * Observe that debian/patches/git-updates-2.diff contains the missing upstream commits intended to be backported.
  * Observe the patch being applied at build time.

  * All triggered autopkgtests were run in the Bileto PPA before the SRU upload took place and no reggressions were found.
  * Several issues fixed in git-updates-2.diff were reported on Launchpad and the ones having reproducers were and will be verified separately.

  [Regression Potential]
  * Any form of regression is possible including hangs, live locks and crashes due to the broad range of fixes to be backported. In addition to the standard autopkgtests it is recommended to keep the packages in bionic-proposed longer and call for testing on additional public channels, such as on the ubuntu-devel mailing list.

  [Original Bug Text]

  Hi,

  I updated from ubuntu 14.04 to 18.04 and installed a custom (old)
  application.

  When starting the application it stop immediately with this error message:
  "glibc detected an invalid stdio handle"

  This error message was added by commit [1] "libio: Implement vtable
  verification [BZ #20191]" to fix a security issue [2].

  I tested with several Linux distribution (so different libc version)
  and the application is working fine with Fedora 30 (Glibc 2.29).

  There is an interesting patch [3] from Glibc 2.28 which was backported
  to Glibc 2.27 [4] "libio: Disable vtable validation in case of
  interposition [BZ #23313]"

  But Ubuntu 18.04 is still using an old Glibc 2.27 version (from 02-2018).
  Here is the Glibc version used in 18.04:
  $ dpkg -s libc6
  [...]
  Version: 2.27-3ubuntu1

  Looking at the changelog, ubuntu updated Glibc 2.27 the 16 Apr 2018
  but there is a lot of fix from upstream Glibc 2.27 stable branch. The
  one I'm looking for was merged the 07-2018.

  It would be great if Ubuntu 18.04 can update Glibc to the latest
  stable version.

  Best regards,
  Romain

  [1] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=db3476aff19b75c4fdefbe65fcd5f0a90588ba51
  [2] https://dhavalkapil.com/blogs/FILE-Structure-Exploitation
  [3] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=c402355dfa7807b8e0adb27c009135a7e2b9f1b0
  [4] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=3bb748257405e94e13de76573a4e9da1cfd961d0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1851263/+subscriptions

More information about the foundations-bugs mailing list