Skip to content

Update and sync to current version 2.36.1-8+deb11u1 in Debian stable

After the clarify about the branch layout for the byzantium archive I've prepared finally the update for util-linux. This MR is updating the package based on the latest version in Debian stable which got a security update due a CVE vulnerable.

The following diff isn't a full diff, I've dropped the patches that were added for a better overview.

The version number looks a bit long and not that good readable but is following the current rules for naming the PureOS version.

$ git diff pureos/2.36.1-8pureos3 debian/
diff --git a/debian/changelog b/debian/changelog
index 15e0114d6..ce77aca55 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+util-linux (2.36.1-8+deb11u1pureos1) byzantium; urgency=medium
+
+  * Merge in 2.36.1-8+deb11u1 from Debian stable, remaining change:
+    - Add sulogin-lockedpwd.patch: Permit root rescue login on PureOS
+
+ -- Carsten Schoenert <carsten.schoenert@puri.sm>  Sat, 09 Apr 2022 08:31:34 +0200
+
+util-linux (2.36.1-8+deb11u1) bullseye-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * include/strutils: Add ul_strtou64() function
+  * libmount: fix UID check for FUSE umount [CVE-2021-3995]
+  * libmount: fix (deleted) suffix issue [CVE-2021-3996]
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 20 Jan 2022 21:10:35 +0100
+
 util-linux (2.36.1-8pureos3) byzantium; urgency=medium
 
   * d/gbp.conf: Enforsing tagging schema to 'pureos/...'
...
diff --git a/debian/patches/series b/debian/patches/series
index 4edac8985..b30b0fbc4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,4 +7,7 @@ debian/verbose-tests.patch
 upstream/libmount-do-not-canonicalize-ZFS-source-dataset.patch
 upstream/libmount-allow-read-only-for-not-root-users.patch
 upstream/CVE-2021-37600-sys-utils-ipcutils-be-careful-when-call-calloc.patch
+debian/backport-ul_strtou64-function.patch
+upstream/libmount-fix-UID-check-for-FUSE-umount-CVE-2021-3995.patch
+upstream/libmount-fix-deleted-suffix-issue-CVE-2021-3996.patch
 pureos/sulogin-lockedpwd.patch

@matthias.klumpp @jeremiah.foster @guido.gunther

Edited by Carsten Schoenert

Merge request reports