[Bug 1851263] Re: Ubuntu 18.04.3 LTS bump Glibc 2.27 to the latest stable

Romain Naour 1851263 at bugs.launchpad.net
Wed Nov 6 19:34:07 UTC 2019


Hi Loïc,

You're welcome.

Yes, I understand that glibc is a critical piece and we need to do the
upgrade carefully.

With my customer, we tested with several Ubuntu versions:
Ubuntu 14.04: glibc 2.19: OK
Ubuntu 16.04: glibc 2.23: OK
Ubuntu 18.04: glibc 2.27: KO
Ubuntu 18.10: glibc 2.28: OK

Only the LTS 18.04 is affected.

The patch I'm looking for has been backported [1] by the Glibc upstream
project (for good reason) and they are certainly more competent than me
to complete the SRU process.

Maybe other patches related to libio can be necessary [2], and there are
some patches related to CVEs.
I only tested up to the last Debian glibc 2.27 version packaged [3].

[1] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=3bb748257405e94e13de76573a4e9da1cfd961d0
[2] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=0262507918cfad7223bf81b8f162b7adc7a2af01
[3] https://salsa.debian.org/glibc-team/glibc/commit/0c8d271ac59dc2e4ee6bd509d59049080bd87f76

Best regards,
Romain

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/1851263

Title:
  Ubuntu 18.04.3 LTS bump Glibc 2.27 to the latest stable

Status in glibc package in Ubuntu:
  New

Bug description:
  Hi,

  I updated from Ubuntu 14.04 to 18.04 and installed a custom (old)
  application.

  When starting the application, it stops immediately with this error message:
  "glibc detected an invalid stdio handle"

  This error message was added by commit [1] "libio: Implement vtable
  verification [BZ #20191]" to fix a security issue [2].

  I tested with several Linux distributions (so different libc versions)
  and the application is working fine with Fedora 30 (Glibc 2.29).

  There is an interesting patch [3] from Glibc 2.28 which was backported
  to Glibc 2.27 [4] "libio: Disable vtable validation in case of
  interposition [BZ #23313]"

  But Ubuntu 18.04 is still using an old Glibc 2.27 version (from 02-2018).
  Here is the Glibc version used in 18.04:
  $ dpkg -s libc6
  [...]
  Version: 2.27-3ubuntu1

  Looking at the changelog, Ubuntu updated Glibc 2.27 on 16 Apr 2018,
  but there are a lot of fixes from the upstream Glibc 2.27 stable branch.
  The one I'm looking for was merged in 07-2018.

  It would be great if Ubuntu 18.04 can update Glibc to the latest
  stable version.

  Best regards,
  Romain

  [1] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=db3476aff19b75c4fdefbe65fcd5f0a90588ba51
  [2] https://dhavalkapil.com/blogs/FILE-Structure-Exploitation
  [3] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=c402355dfa7807b8e0adb27c009135a7e2b9f1b0
  [4] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=3bb748257405e94e13de76573a4e9da1cfd961d0
