[Bug 2094272] Re: [SRU] New upstream microrelease .NET 8.0.112/8.0.12
Launchpad Bug Tracker
2094272 at bugs.launchpad.net
Thu Jan 16 11:15:19 UTC 2025
This bug was fixed in the package dotnet8 -
8.0.112-8.0.12-0ubuntu1~24.10.1
---------------
dotnet8 (8.0.112-8.0.12-0ubuntu1~24.10.1) oracular; urgency=medium
* New upstream release (LP: #2094272).
* SECURITY UPDATE: remote code execution
- CVE-2025-21172: An integer overflow in msdia140.dll leads to heap-based
buffer overflow, leading to possible RCE. An attacker could exploit this
vulnerability by loading a specially crafted file in Visual Studio.
* SECURITY UPDATE: remote code execution
- CVE-2025-21176: Insufficient input data validation leads to heap-based
buffer overflow in msdia140.dll. An attacker could exploit this
vulnerability by loading a specially crafted file in Visual Studio.
* SECURITY UPDATE: elevation of privilege
- CVE-2025-21173: Insecure Temp File Usage Allows Malicious Package
Dependency Injection on Linux. An attacker could exploit this
vulnerability by writing a specially crafted file in the security
context of the local system. This only affects .NET on Linux operating
systems.
* Unified source build transition. The debian source tree for dotnet*
source packages is now built from a common source (see also:
https://github.com/canonical/dotnet-source-build/pull/13). Changes include:
- d/rules: Refactored; the same file is now used by
all dotnet* source packages. A major change is the use of substvars.
- d/control: Change hard-coded libicu* to dynamic ${libicu:Depends} substvar.
- d/eng/dotnet-pkg-info.mk: Added to provide common information and
functionality for all dotnet* source packages. Is used by d/rules.
- Removed .in file extension from the files
d/*.{install,manpages,dirs,docs,preinst,sh}.in and used substvars.
- d/eng/build-dotnet-tarball.sh: Removed.
- d/eng/source_build_artifact_path.py, d/eng/versionlib,
d/tests/regular-tests: Updated; includes bug-fixes from
other dotnet* source packages.
- d/patches: Renamed patch files to uniquely identify patches among all
dotnet* source packages.
* Removed fix-clang19-build.patch; backported upstream.
* d/aspnetcore-runtime-8.0.docs: Included src/razor/NOTICE.txt in package to
comply with Apache-2.0 paragraph 4 section (d).
* d/control:
- Alphabetically sorted Build-Depends.
- Added tree to Build-Depends for debugging purposes.
- Fixed descriptions with invalid control statements
(lines containing a space, a full stop and some more characters)
to comply with Section 5.6.13 in the Debian Policy Manual.
- Added dotnet-runtime-dbg-8.0, aspnetcore-runtime-dbg-8.0,
dotnet-sdk-dbg-8.0 to dotnet8 Suggests.
* d/copyright:
- Refresh copyright info.
- Add LGPL-2.1 license text.
* d/rules: Added override_dh_auto_clean to remove .NET and Python
binary artifacts.
* lintian overrides:
- Silenced dotnet-sdk-8.0-source-built-artifacts: package-has-long-file-name
The long file name is unavoidable.
- Silenced FO127 related lintian warning
hyphen-in-upstream-part-of-debian-changelog-version.
- Silenced manpage troff warnings. Troff complains that it is silly that the
dotnet8 manpages select a monospace font on a terminal output that only
supports monospace fonts.
-- Dominik Viererbe <dominik.viererbe at canonical.com> Wed, 15 Jan 2025 20:11:26 +0200
** Changed in: dotnet8 (Ubuntu Oracular)
Status: In Progress => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21172
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21173
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21176
** Changed in: dotnet8 (Ubuntu Noble)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dotnet8 in Ubuntu.
https://bugs.launchpad.net/bugs/2094272
Title:
[SRU] New upstream microrelease .NET 8.0.112/8.0.12
Status in dotnet8 package in Ubuntu:
In Progress
Status in dotnet8 source package in Jammy:
Fix Released
Status in dotnet8 source package in Noble:
Fix Released
Status in dotnet8 source package in Oracular:
Fix Released
Status in dotnet8 source package in Plucky:
In Progress
Bug description:
Tracking bug for the January .NET 8 release.
[Impact]
* This corresponds to an upstream microrelease (Microsoft Patch
Tuesday microrelease) released on January 14th, 2025.
* It is beneficial for our LTS users to have access to the latest
.NET stack.
* This update includes structural changes to the packaging files to allow
building all dotnet source packages from a common source. This reduces the
maintenance effort and especially the probability of copy & paste mistakes
significantly. The dotnet9 source package already uses this structure with
no issue.
[Test Case]
* The package should build successfully in -proposed (respectively).
* The packages should be installable on jammy, noble, oracular, plucky on
amd64, arm64, s390x and ppc64el architectures.
* Autopackage tests should pass.
* The usual manual tests that have been seen in the previous microreleases
(see https://github.com/canonical/dotnet-source-build/blob/main/docs/SRUTestPlan.md).
Note: The need for manual testing has been largely reduced, because the
autopkgtest improvements far exceed the coverage provided by the
mentioned manual test plans.
[Regression Potential]
* The upstream testing routine is usually satisfactory, but there is
always a risk of something breaking.
[Other]
* 8.0.12 is the version number of the .NET Runtime and 8.0.112 is the version
number of the .NET SDK. The package version only refers to the SDK version
number.
* We are only building the 8.0.1xx feature band, because this is the only
feature band that allows building from source. See explanation of feature
bands: https://learn.microsoft.com/en-us/dotnet/core/releases-and-support#feature-bands-sdk-only
* Overview of how dotnet is versioned: https://learn.microsoft.com/en-us/dotnet/core/versions/
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dotnet8/+bug/2094272/+subscriptions