libc6 2.15-0ubuntu10.13 doesn't mark reboot-required

Bug #1546457 reported by Will Pearson
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
eglibc (Ubuntu) |  |  |  |
  Precise | Fix Released | High | Unassigned |
  Trusty | Fix Released | High | Unassigned |
glibc (Ubuntu) | Fix Released | High | Adam Conrad |
  Wily | Fix Released | High | Unassigned |

Bug Description

2.15-0ubuntu10.13 on Ubuntu 12.04 was installed last night as a result of http://www.ubuntu.com/usn/usn-2900-1/ and unattended-upgrades.

However we are not getting a reboot-required file in /var/run/reboot-required.

We are doing reboots by hand, but we believe this should be fixed. I'll have a look at the packaging to see why this didn't happen.

Thanks for any help,

  Will Pearson
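
An added example, not part of the original report: when the flag file at /var/run/reboot-required is missing after a libc upgrade, processes still running on the replaced library can be found from their memory maps, where the old file appears as "(deleted)". The function names, their parameters and the sample maps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect processes still mapping a libc that was replaced on disk.

# Print PIDs whose maps file lists a libc mapping marked "(deleted)".
# $1 = proc root (hypothetical parameter, defaults to /proc).
stale_libc_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # Matches both libc-2.15.so and libc.so.6 style file names.
        if grep -Eq '/libc(-[0-9.]+\.so|\.so\.[0-9]+) \(deleted\)$' "$maps" 2>/dev/null; then
            pid="${maps%/maps}"
            printf '%s\n' "${pid##*/}"
        fi
    done
}

# Exit 0 when a reboot (or service restart) is still pending: either the flag
# file named in the report exists, or some process maps a deleted libc.
# $1 = flag file, $2 = proc root (both hypothetical parameters).
reboot_pending() {
    flag="${1:-/var/run/reboot-required}"
    [ -e "$flag" ] && return 0
    [ -n "$(stale_libc_pids "${2:-/proc}")" ]
}

# Constructed sample: a fake proc tree with one stale and one fresh process.
sample="$(mktemp -d)"
mkdir -p "$sample/101" "$sample/202"
cat > "$sample/101/maps" <<'EOF'
7f3a1c000000-7f3a1c1b5000 r-xp 00000000 08:01 393228 /lib/x86_64-linux-gnu/libc-2.15.so (deleted)
7f3a1c5d0000-7f3a1c5f2000 r-xp 00000000 08:01 393216 /lib/x86_64-linux-gnu/ld-2.15.so (deleted)
EOF
cat > "$sample/202/maps" <<'EOF'
7f9b40000000-7f9b401b5000 r-xp 00000000 08:01 400112 /lib/x86_64-linux-gnu/libc-2.15.so
EOF

if reboot_pending "$sample/reboot-required" "$sample"; then
    echo "stale libc in PIDs: $(stale_libc_pids "$sample" | tr '\n' ' ')"
fi
```

Against the real /proc this needs root to read other users' maps files. Restarting the listed processes clears the condition for them without a full reboot.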

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in glibc (Ubuntu):
status: New → Confirmed
Dimitri John Ledkov (xnox) wrote :

eglibc (2.19-0ubuntu6.7) trusty-security; urgency=medium

  * SECURITY UPDATE: glibc getaddrinfo stack-based buffer overflow
    - debian/patches/any/CVE-2015-7547-pre1.diff: fix memory leak in
      resolv/nss_dns/dns-host.c.
    - debian/patches/any/CVE-2015-7547-pre2.diff: fix memory leak in
      include/resolv.h, resolv/gethnamaddr.c, resolv/nss_dns/dns-canon.c,
      resolv/nss_dns/dns-host.c, resolv/nss_dns/dns-network.c,
      resolv/res_query.c, resolv/res_send.c.
    - debian/patches/any/CVE-2015-7547.diff: fix buffer handling in
      resolv/nss_dns/dns-host.c, resolv/res_query.c, resolv/res_send.c.
    - CVE-2015-7547

Across all releases did not mark reboot required.

Changed in glibc (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in glibc (Ubuntu):
importance: Undecided → High
Changed in glibc (Ubuntu):
assignee: Marc Deslauriers (mdeslaur) → Adam Conrad (adconrad)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package glibc - 2.23-0ubuntu3

---------------
glibc (2.23-0ubuntu3) xenial; urgency=medium

  * Merge with 2.23 from experimental, bringing in upstream updates:
    - Save/restore fprs/vrs while resolving symbols (LP: #1564918)
    - Fix _nss_dns_getnetbyname_r() stack overflow (CVE-2016-3075)
    - Merge libnss-dns-udeb and libnss-files-udeb into libc6-udeb.
  * Tidy up locale-gen, thanks to Gunnar Hjalmarsson (LP: #1560577):
    - Fix thinko that broke handling of multiple locale arguments.
    - Recognize UTF-8 locales without charset suffix in SUPPORTED.
    - Fix bug that led to the unsupported message not being shown.
  * Show reboot-required notification for all updates (LP: #1546457)

 -- Adam Conrad <email address hidden> Thu, 14 Apr 2016 10:26:16 -0600

Changed in glibc (Ubuntu):
status: Confirmed → Fix Released
Mathew Hodson (mhodson)
Changed in eglibc (Ubuntu):
importance: Undecided → High
status: New → Fix Committed
Steve Beattie (sbeattie)
Changed in eglibc (Ubuntu Wily):
status: New → Invalid
Changed in glibc (Ubuntu Precise):
status: New → Invalid
Changed in glibc (Ubuntu Trusty):
status: New → Invalid
Steve Beattie (sbeattie) wrote :

I've verified that the eglibc and glibc packages currently in proposed (precise/2.15-0ubuntu10.14, trusty/2.19-0ubuntu6.8, and wily/2.21-0ubuntu4.2) all trigger the reboot notification when installing/upgrading.

(Note that these glibc updates are in proposed for wider testing before being moved to security/updates.)

Changed in eglibc (Ubuntu):
status: Fix Committed → Invalid
tags: added: verification-done
Mathew Hodson (mhodson)
Changed in eglibc (Ubuntu Trusty):
status: New → Fix Committed
importance: Undecided → High
no longer affects: glibc (Ubuntu Precise)
no longer affects: glibc (Ubuntu Trusty)
Changed in glibc (Ubuntu Wily):
status: New → Fix Committed
importance: Undecided → High
Changed in eglibc (Ubuntu Precise):
status: New → Fix Committed
importance: Undecided → High
no longer affects: eglibc (Ubuntu)
no longer affects: eglibc (Ubuntu Wily)
Martin Pitt (pitti) wrote :

What's the status on this, can we release them now? We suppose I should not release them to -updates, but you will handle this through -security?

Note that there are a few autopkgtest regressions, but these are not really glibc's fault. The vast majority are green, so I think this is good enough.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eglibc - 2.15-0ubuntu10.14

---------------
eglibc (2.15-0ubuntu10.14) precise-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in gethostbyname_r and related
    functions
    - debian/patches/any/CVE-2015-1781.diff: take alignment padding
      into account when computing if buffer is too small.
    - CVE-2015-1781
  * SECURITY UPDATE: glibc Name Service Switch (NSS) denial of service
    - debian/patches/any/CVE-2014-8121-1.diff: do not close NSS files
      database during iteration.
    - debian/patches/any/CVE-2014-8121-2.diff: Separate internal state
      between getXXent and getXXbyYY NSS calls.
    - CVE-2014-8121
  * SECURITY UPDATE: glibc unbounded stack usage in NaN strtod
    conversion
    - debian/patches/any/CVE-2014-9761-1.diff: Refactor strtod parsing
      of NaN payloads.
    - debian/patches/any/CVE-2014-9761-1.diff: Fix nan functions
      handling of payload strings
    - CVE-2014-9761
  * SECURITY UPDATE: out of range data to strftime() causes segfault
    (denial of service)
    - debian/patches/any/CVE-2015-8776.diff: add range checks to
      strftime() processing
    - CVE-2015-8776
  * SECURITY UPDATE: glibc honors LD_POINTER_GUARD env for setuid
    AT_SECURE programs (e.g. setuid), allowing disabling of pointer
    mangling
    - debian/patches/any/CVE-2015-8777.diff: Always enable pointer
      guard
    - CVE-2015-8777
  * SECURITY UPDATE: integer overflow in hcreate and hcreate_r
    - debian/patches/any/CVE-2015-8778.diff: check for large inputs
    - CVE-2015-8778
  * SECURITY UPDATE: unbounded stack allocation in catopen()
    - debian/patches/any/CVE-2015-8779.diff: stop using unbounded
      alloca()
    - CVE-2015-8779
  * SECURITY UPDATE: Stack overflow in _nss_dns_getnetbyname_r
    - debian/patches/any/CVE-2016-3075.diff: do not make unneeded
      memory copy on the stack.
    - CVE-2016-3075
  * SECURITY UPDATE: pt_chown privilege escalation
    - debian/patches/any/CVE-2016-2856-pre.diff: add option to
      enable/disable pt_chown.
    - debian/patches/any/CVE-2016-2856.diff: grantpt: trust the kernel
      about pty group and permission mode
    - debian/debhelper.in/libc-bin.install: drop installation of
      pt_chown
    - CVE-2016-2856, CVE-2013-2207
  * debian/debhelper.in/libc.postinst: add reboot notifications for
    security updates (LP: #1546457)

 -- Steve Beattie <email address hidden> Fri, 08 Apr 2016 23:59:46 -0700

Changed in eglibc (Ubuntu Precise):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote : Update Released

The verification of the Stable Release Update for eglibc has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eglibc - 2.19-0ubuntu6.8

---------------
eglibc (2.19-0ubuntu6.8) trusty-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in gethostbyname_r and related
    functions
    - debian/patches/any/CVE-2015-1781.diff: take alignment padding
      into account when computing if buffer is too small.
    - CVE-2015-1781
  * SECURITY UPDATE: glibc Name Service Switch (NSS) denial of service
    - debian/patches/any/CVE-2014-8121-1.diff: do not close NSS files
      database during iteration.
    - debian/patches/any/CVE-2014-8121-2.diff: Separate internal state
      between getXXent and getXXbyYY NSS calls.
    - CVE-2014-8121
  * SECURITY UPDATE: glibc unbounded stack usage in NaN strtod
    conversion
    - debian/patches/any/CVE-2014-9761-1.diff: Refactor strtod parsing
      of NaN payloads.
    - debian/patches/any/CVE-2014-9761-1.diff: Fix nan functions
      handling of payload strings
    - CVE-2014-9761
  * SECURITY UPDATE: NSS files long line buffer overflow
    - debian/patches/any/CVE-2015-5277.diff: Don't ignore too long
      lines in nss_files
    - CVE-2015-5277
  * SECURITY UPDATE: out of range data to strftime() causes segfault
    (denial of service)
    - debian/patches/any/CVE-2015-8776.diff: add range checks to
      strftime() processing
    - CVE-2015-8776
  * SECURITY UPDATE: glibc honors LD_POINTER_GUARD env for setuid
    AT_SECURE programs (e.g. setuid), allowing disabling of pointer
    mangling
    - debian/patches/any/CVE-2015-8777.diff: Always enable pointer
      guard
    - CVE-2015-8777
  * SECURITY UPDATE: integer overflow in hcreate and hcreate_r
    - debian/patches/any/CVE-2015-8778.diff: check for large inputs
    - CVE-2015-8778
  * SECURITY UPDATE: unbounded stack allocation in catopen()
    - debian/patches/any/CVE-2015-8779.diff: stop using unbounded
      alloca()
    - CVE-2015-8779
  * SECURITY UPDATE: Stack overflow in _nss_dns_getnetbyname_r
    - debian/patches/any/CVE-2016-3075.diff: do not make unneeded
      memory copy on the stack.
    - CVE-2016-3075
  * SECURITY UPDATE: pt_chown privilege escalation
    - debian/patches/any/CVE-2016-2856.diff: grantpt: trust the kernel
      about pty group and permission mode
    - debian/sysdeps/linux.mk: don't build pt_chown
    - debian/rules.d/debhelper.mk: only install pt_chown when built.
    - CVE-2016-2856, CVE-2013-2207
  * debian/debhelper.in/libc.postinst: add reboot notifications for
    security updates (LP: #1546457)
  * debian/patches/ubuntu/submitted-no-stack-backtrace.diff: update
    patch to eliminate compiler warning.

 -- Steve Beattie <email address hidden> Fri, 08 Apr 2016 23:26:02 -0700

Changed in eglibc (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package glibc - 2.21-0ubuntu4.2

---------------
glibc (2.21-0ubuntu4.2) wily-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in gethostbyname_r and related
    functions
    - debian/patches/any/CVE-2015-1781.diff: take alignment padding
      into account when computing if buffer is too small.
    - CVE-2015-1781
  * SECURITY UPDATE: glibc Name Service Switch (NSS) denial of service
    - debian/patches/any/CVE-2014-8121-1.diff: do not close NSS files
      database during iteration.
    - debian/patches/any/CVE-2014-8121-2.diff: Separate internal state
      between getXXent and getXXbyYY NSS calls.
    - CVE-2014-8121
  * SECURITY UPDATE: glibc unbounded stack usage in NaN strtod
    conversion
    - debian/patches/any/CVE-2014-9761-1.diff: Refactor strtod parsing
      of NaN payloads.
    - debian/patches/any/CVE-2014-9761-1.diff: Fix nan functions
      handling of payload strings
    - CVE-2014-9761
  * SECURITY UPDATE: out of range data to strftime() causes segfault
    (denial of service)
    - debian/patches/any/CVE-2015-8776.diff: add range checks to
      strftime() processing
    - CVE-2015-8776
  * SECURITY UPDATE: glibc honors LD_POINTER_GUARD env for setuid
    AT_SECURE programs (e.g. setuid), allowing disabling of pointer
    mangling
    - debian/patches/any/CVE-2015-8777.diff: Always enable pointer
      guard
    - CVE-2015-8777
  * SECURITY UPDATE: integer overflow in hcreate and hcreate_r
    - debian/patches/any/CVE-2015-8778.diff: check for large inputs
    - CVE-2015-8778
  * SECURITY UPDATE: unbounded stack allocation in catopen()
    - debian/patches/any/CVE-2015-8779.diff: stop using unbounded
      alloca()
    - CVE-2015-8779
  * SECURITY UPDATE: Stack overflow in _nss_dns_getnetbyname_r
    - debian/patches/any/CVE-2016-3075.diff: do not make unneeded
      memory copy on the stack.
    - CVE-2016-3075
  * SECURITY UPDATE: pt_chown privilege escalation
    - debian/patches/any/CVE-2016-2856.diff: grantpt: trust the kernel
      about pty group and permission mode
    - debian/sysdeps/linux.mk: don't build pt_chown
    - debian/rules.d/debhelper.mk: only install pt_chown when built.
    - CVE-2016-2856, CVE-2013-2207
  * debian/debhelper.in/libc.postinst: add reboot notifications for
    security updates (LP: #1546457)

 -- Steve Beattie <email address hidden> Fri, 08 Apr 2016 09:44:34 -0700

Changed in glibc (Ubuntu Wily):
status: Fix Committed → Fix Released