Raspberry Pi OS • CVE-2023-6246: buffer overflow in glibc

The above mentioned CVE was made public today. It affects glibc 2.37 and newer, as well as any distribution which backported the patch with the affected code. Unfortunately, that includes Debian bookworm's libc6 2.36 package, any version prior to 2.36-9+deb12u4 of which is affected.

See https://security-tracker.debian.org/tra ... -2023-6246 for more information.

Unfortunately, it appears that updating a Pi 4 running Raspberry Pi OS is a nonstarter, given that rpios is using a custom build of glibc (note the u3 at the end of the package version, indicating that this version is affected by the CVE):

Code:

||/ Name           Version             Architecture Description
+++-==============-===================-============-=================================
ii  libc6:arm64    2.36-9+rpt2+deb12u3 arm64        GNU C Library: Shared libraries

Indeed, this package appears above the fixed package in apt's version list, due to the addition of +rpt2+ to the version string.

While 2.36-9+deb12u4 is an option on the Pi, attempting to install it forces removal of necessary packages:

Code:

$ sudo apt install libc6=2.36-9+deb12u4
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libc-dev-bin libc-devtools libcrypt-dev libjs-sphinxdoc libjs-underscore libnsl-dev libtirpc-dev linux-libc-dev rpcsvc-proto
Use 'sudo apt autoremove' to remove them.
Suggested packages:
  glibc-doc libnss-nis libnss-nisplus
The following packages will be REMOVED:
  build-essential g++ g++-12 libc6-dbg libc6-dev libexpat1-dev libpython3-dev libpython3.11-dev libstdc++-12-dev python3-dev python3.11-dev zlib1g-dev
The following packages will be DOWNGRADED:
  libc6
0 upgraded, 0 newly installed, 1 downgraded, 12 to remove and 46 not upgraded.
Need to get 2,322 kB of archives.
After this operation, 99.7 MB disk space will be freed.
Do you want to continue? [Y/n]

Given that this is a pretty serious (local, as of now) root vulnerability, when can we expect a proper rpi build of a fixed package?

Statistics: Posted by PinkFreud — Thu Feb 01, 2024 4:01 am


