libc6 2.15-0ubuntu10.13 doesn't mark reboot-required

Bug #1546457 reported by Will Pearson on 2016-02-17
16
This bug affects 3 people
Affects Status Importance Assigned to Milestone
eglibc (Ubuntu)
Precise
High
Unassigned
Trusty
High
Unassigned
glibc (Ubuntu)
High
Adam Conrad
Wily
High
Unassigned

Bug Description

2.15-0ubunt10.13 on ubuntu 12.04 was installed last night as a result of http://www.ubuntu.com/usn/usn-2900-1/ and unattended-upgrades

However we are not getting a reboot-required file in /var/run/reboot-required.

We are doing reboots by hand, but we believe this should be fixed. I'll have a look at the packaging to see why this didn't happen.

Thanks for any help,

  Will Pearson

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in glibc (Ubuntu):
status: New → Confirmed
Dimitri John Ledkov (xnox) wrote :

eglibc (2.19-0ubuntu6.7) trusty-security; urgency=medium

  * SECURITY UPDATE: glibc getaddrinfo stack-based buffer overflow
    - debian/patches/any/CVE-2015-7547-pre1.diff: fix memory leak in
      resolv/nss_dns/dns-host.c.
    - debian/patches/any/CVE-2015-7547-pre2.diff: fix memory leak in
      include/resolv.h, resolv/gethnamaddr.c, resolv/nss_dns/dns-canon.c,
      resolv/nss_dns/dns-host.c, resolv/nss_dns/dns-network.c,
      resolv/res_query.c, resolv/res_send.c.
    - debian/patches/any/CVE-2015-7547.diff: fix buffer handling in
      resolv/nss_dns/dns-host.c, resolv/res_query.c, resolv/res_send.c.
    - CVE-2015-7547

Across all releases did not mark reboot required.

Changed in glibc (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in glibc (Ubuntu):
importance: Undecided → High
Changed in glibc (Ubuntu):
assignee: Marc Deslauriers (mdeslaur) → Adam Conrad (adconrad)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package glibc - 2.23-0ubuntu3

---------------
glibc (2.23-0ubuntu3) xenial; urgency=medium

  * Merge with 2.23 from experimental, bringing in upstream updates:
    - Save/restore fprs/vrs while resolving symbols (LP: #1564918)
    - Fix _nss_dns_getnetbyname_r() stack overflow (CVE-2016-3075)
    - Merge libnss-dns-udeb and libnss-files-udeb into libc6-udeb.
  * Tidy up locale-gen, thanks to Gunnar Hjalmarsson (LP: #1560577):
    - Fix thinko that broke handling of multiple locale arguments.
    - Recognize UTF-8 locales without charset suffix in SUPPORTED.
    - Fix bug that led to the unsupported message not being shown.
  * Show reboot-required notification for all updates (LP: #1546457)

 -- Adam Conrad <email address hidden> Thu, 14 Apr 2016 10:26:16 -0600

Changed in glibc (Ubuntu):
status: Confirmed → Fix Released
Changed in eglibc (Ubuntu):
importance: Undecided → High
status: New → Fix Committed
Steve Beattie (sbeattie) on 2016-05-11
Changed in eglibc (Ubuntu Wily):
status: New → Invalid
Changed in glibc (Ubuntu Precise):
status: New → Invalid
Changed in glibc (Ubuntu Trusty):
status: New → Invalid
Steve Beattie (sbeattie) wrote :

I've verified that the the eglibc and glibc packages currently in proposed (precise/2.15-0ubuntu10.14, trusty/2.19-0ubuntu6.8, and wily/2.21-0ubuntu4.2) all trigger the reboot notification when installing/upgrading.

(Note that these glibc updates are in proposed for wider testing before being moved to sucurity/updates.)

Changed in eglibc (Ubuntu):
status: Fix Committed → Invalid
tags: added: verification-done
Changed in eglibc (Ubuntu Trusty):
status: New → Fix Committed
importance: Undecided → High
no longer affects: glibc (Ubuntu Precise)
no longer affects: glibc (Ubuntu Trusty)
Changed in glibc (Ubuntu Wily):
status: New → Fix Committed
importance: Undecided → High
Changed in eglibc (Ubuntu Precise):
status: New → Fix Committed
importance: Undecided → High
no longer affects: eglibc (Ubuntu)
no longer affects: eglibc (Ubuntu Wily)
Martin Pitt (pitti) wrote :

What's the status on this, can we release them now? We suppose I should not release them to -updates, but you will handle this through -security?

Note that there are a few autopkgtest regressions, but these are not really glibc's fault. The vast majority are green, so I think this is good enough.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eglibc - 2.15-0ubuntu10.14

---------------
eglibc (2.15-0ubuntu10.14) precise-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in gethostbyname_r and related
    functions
    - debian/patches/any/CVE-2015-1781.diff: take alignment padding
      into account when computing if buffer is too small.
    - CVE-2015-1781
  * SECURITY UPDATE: glibc Name Service Switch (NSS) denial of sevice
    - debian/patches/any/CVE-2014-8121-1.diff: do not close NSS files
      database during iteration.
    - debian/patches/any/CVE-2014-8121-2.diff: Separate internal state
      between getXXent and getXXbyYY NSS calls.
    - CVE-2014-8121
  * SECURITY UPDATE: glibc unbounded stack usage in NaN strtod
    conversion
    - debian/patches/any/CVE-2014-9761-1.diff: Refactor strtod parsing
      of NaN payloads.
    - debian/patches/any/CVE-2014-9761-1.diff: Fix nan functions
      handling of payload strings
    - CVE-2014-9761
  * SECURITY UPDATE: out of range data to strftime() causes segfault
    (denial of service)
    - debian/patches/any/CVE-2015-8776.diff: add range checks to
      strftime() processing
    - CVE-2015-8776
  * SECURITY UPDATE: glibc honors LD_POINTER_GUARD env for setuid
    AT_SECURE programs (e.g. setuid), allowing disabling of pointer
    mangling
    - debian/patches/any/CVE-2015-8777.diff: Always enable pointer
      guard
    - CVE-2015-8777
  * SECURITY UPDATE: integer overflow in hcreate and hcreate_r
    - debian/patches/any/CVE-2015-8778.diff: check for large inputs
    - CVE-2015-8778
  * SECURITY UPDATE: unbounded stack allocation in catopen()
    - debian/patches/any/CVE-2015-8779.diff: stop using unbounded
      alloca()
    - CVE-2015-8779
  * SECURITY UPDATE: Stack overflow in _nss_dns_getnetbyname_r
    - debian/patches/any/CVE-2016-3075.diff: do not make unneeded
      memory copy on the stack.
    - CVE-2016-3075
  * SECURITY UPDATE: pt_chown privilege escalation
    - debian/patches/any/CVE-2016-2856-pre.diff: add option to
      enable/disable pt_chown.
    - debian/patches/any/CVE-2016-2856.diff: grantpt: trust the kernel
      about pty group and permission mode
    - debian/debhelper.in/libc-bin.install: drop installation of
      pt_chown
    - CVE-2016-2856, CVE-2013-2207
  * debian/debhelper.in/libc.postinst: add reboot notifications for
    security updates (LP: #1546457)

 -- Steve Beattie <email address hidden> Fri, 08 Apr 2016 23:59:46 -0700

Changed in eglibc (Ubuntu Precise):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for eglibc has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eglibc - 2.19-0ubuntu6.8

---------------
eglibc (2.19-0ubuntu6.8) trusty-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in gethostbyname_r and related
    functions
    - debian/patches/any/CVE-2015-1781.diff: take alignment padding
      into account when computing if buffer is too small.
    - CVE-2015-1781
  * SECURITY UPDATE: glibc Name Service Switch (NSS) denial of sevice
    - debian/patches/any/CVE-2014-8121-1.diff: do not close NSS files
      database during iteration.
    - debian/patches/any/CVE-2014-8121-2.diff: Separate internal state
      between getXXent and getXXbyYY NSS calls.
    - CVE-2014-8121
  * SECURITY UPDATE: glibc unbounded stack usage in NaN strtod
    conversion
    - debian/patches/any/CVE-2014-9761-1.diff: Refactor strtod parsing
      of NaN payloads.
    - debian/patches/any/CVE-2014-9761-1.diff: Fix nan functions
      handling of payload strings
    - CVE-2014-9761
  * SECURITY UPDATE: NSS files long line buffer overflow
    - debian/patches/any/CVE-2015-5277.diff: Don't ignore too long
      lines in nss_files
    - CVE-2015-5277
  * SECURITY UPDATE: out of range data to strftime() causes segfault
    (denial of service)
    - debian/patches/any/CVE-2015-8776.diff: add range checks to
      strftime() processing
    - CVE-2015-8776
  * SECURITY UPDATE: glibc honors LD_POINTER_GUARD env for setuid
    AT_SECURE programs (e.g. setuid), allowing disabling of pointer
    mangling
    - debian/patches/any/CVE-2015-8777.diff: Always enable pointer
      guard
    - CVE-2015-8777
  * SECURITY UPDATE: integer overflow in hcreate and hcreate_r
    - debian/patches/any/CVE-2015-8778.diff: check for large inputs
    - CVE-2015-8778
  * SECURITY UPDATE: unbounded stack allocation in catopen()
    - debian/patches/any/CVE-2015-8779.diff: stop using unbounded
      alloca()
    - CVE-2015-8779
  * SECURITY UPDATE: Stack overflow in _nss_dns_getnetbyname_r
    - debian/patches/any/CVE-2016-3075.diff: do not make unneeded
      memory copy on the stack.
    - CVE-2016-3075
  * SECURITY UPDATE: pt_chown privilege escalation
    - debian/patches/any/CVE-2016-2856.diff: grantpt: trust the kernel
      about pty group and permission mode
    - debian/sysdeps/linux.mk: don't build pt_chown
    - debian/rules.d/debhelper.mk: only install pt_chown when built.
    - CVE-2016-2856, CVE-2013-2207
  * debian/debhelper.in/libc.postinst: add reboot notifications for
    security updates (LP: #1546457)
  * debian/patches/ubuntu/submitted-no-stack-backtrace.diff: update
    patch to eliminate compiler warning.

 -- Steve Beattie <email address hidden> Fri, 08 Apr 2016 23:26:02 -0700

Changed in eglibc (Ubuntu Trusty):
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package glibc - 2.21-0ubuntu4.2

---------------
glibc (2.21-0ubuntu4.2) wily-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in gethostbyname_r and related
    functions
    - debian/patches/any/CVE-2015-1781.diff: take alignment padding
      into account when computing if buffer is too small.
    - CVE-2015-1781
  * SECURITY UPDATE: glibc Name Service Switch (NSS) denial of sevice
    - debian/patches/any/CVE-2014-8121-1.diff: do not close NSS files
      database during iteration.
    - debian/patches/any/CVE-2014-8121-2.diff: Separate internal state
      between getXXent and getXXbyYY NSS calls.
    - CVE-2014-8121
  * SECURITY UPDATE: glibc unbounded stack usage in NaN strtod
    conversion
    - debian/patches/any/CVE-2014-9761-1.diff: Refactor strtod parsing
      of NaN payloads.
    - debian/patches/any/CVE-2014-9761-1.diff: Fix nan functions
      handling of payload strings
    - CVE-2014-9761
  * SECURITY UPDATE: out of range data to strftime() causes segfault
    (denial of service)
    - debian/patches/any/CVE-2015-8776.diff: add range checks to
      strftime() processing
    - CVE-2015-8776
  * SECURITY UPDATE: glibc honors LD_POINTER_GUARD env for setuid
    AT_SECURE programs (e.g. setuid), allowing disabling of pointer
    mangling
    - debian/patches/any/CVE-2015-8777.diff: Always enable pointer
      guard
    - CVE-2015-8777
  * SECURITY UPDATE: integer overflow in hcreate and hcreate_r
    - debian/patches/any/CVE-2015-8778.diff: check for large inputs
    - CVE-2015-8778
  * SECURITY UPDATE: unbounded stack allocation in catopen()
    - debian/patches/any/CVE-2015-8779.diff: stop using unbounded
      alloca()
    - CVE-2015-8779
  * SECURITY UPDATE: Stack overflow in _nss_dns_getnetbyname_r
    - debian/patches/any/CVE-2016-3075.diff: do not make unneeded
      memory copy on the stack.
    - CVE-2016-3075
  * SECURITY UPDATE: pt_chown privilege escalation
    - debian/patches/any/CVE-2016-2856.diff: grantpt: trust the kernel
      about pty group and permission mode
    - debian/sysdeps/linux.mk: don't build pt_chown
    - debian/rules.d/debhelper.mk: only install pt_chown when built.
    - CVE-2016-2856, CVE-2013-2207
  * debian/debhelper.in/libc.postinst: add reboot notifications for
    security updates (LP: #1546457)

 -- Steve Beattie <email address hidden> Fri, 08 Apr 2016 09:44:34 -0700

Changed in glibc (Ubuntu Wily):
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers