glibc CVE-2016-20013

Asked by Keith Wilhelm

Currently, Ubuntu's page for this CVE (https://ubuntu.com/security/CVE-2016-20013) shows that glibc for Ubuntu 24.04 and later is vulnerable. However, this code was removed from glibc as of version 2.39 and now resides in libxcrypt.

From https://lists.gnu.org/archive/html/info-gnu/2024-01/msg00017.html:

  "libcrypt has been removed from the GNU C Library. The configure
  options "--enable-crypt" and "--enable-nss-crypt" are no longer
  available. <crypt.h>, libcrypt.a, and libcrypt.so.1 will not be
  installed. For now <unistd.h> continues to declare the crypt
  function by default, to avoid introducing vulnerabilities into
  existing applications due to a missing prototype. This declaration
  is deprecated and may be removed in a future glibc release.

  The replacement for libcrypt is libxcrypt, maintained separately from
  GNU libc, but available under compatible licensing terms, and providing
  binary backward compatibility with the former libcrypt. It is currently
  distributed from <https://github.com/besser82/libxcrypt/>."

Could the Ubuntu CVE tracker be updated to show glibc is not vulnerable in 24.04 and later, and reassign the CVE to libxcrypt?
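The practical check behind this request, added here as an example and not code from the question, from Ubuntu's CVE tracker, from glibc or from libxcrypt: load the libcrypt.so.1 that the dynamic loader actually picks up and decide from its exported symbols whether it is glibc's old libcrypt (crypt() and crypt_r() only) or libxcrypt (which additionally exports crypt_rn(), crypt_ra() and crypt_gensalt()). It assumes a Linux host with a libcrypt.so.1 on the loader path; the /proc/self/maps lookup is Linux-only and the dpkg -S lookup is Debian/Ubuntu-specific and is skipped when dpkg is not present.

```python
"""Report which library provides crypt(3) on this host: glibc's libcrypt or libxcrypt.

Added example, not code from the question, from glibc, from libxcrypt or from
Ubuntu's CVE tracker. Assumes a Linux host with libcrypt.so.1 on the loader path.
"""
import ctypes
import os
import shutil
import subprocess

# Exported by both glibc's pre-2.39 libcrypt and by libxcrypt.
BASE_SYMBOLS = ("crypt", "crypt_r")
# Exported only by libxcrypt; glibc's libcrypt ABI never had these.
LIBXCRYPT_SYMBOLS = ("crypt_rn", "crypt_ra", "crypt_gensalt")


def exported_symbols(lib, names=BASE_SYMBOLS + LIBXCRYPT_SYMBOLS):
    """Return the subset of `names` that the loaded shared object exports."""
    # ctypes raises AttributeError for a missing symbol, so hasattr() is the probe.
    return frozenset(n for n in names if hasattr(lib, n))


def classify(symbols):
    """Pure decision logic, kept separate so it can be checked without a real library."""
    symbols = frozenset(symbols)
    if not symbols & frozenset(BASE_SYMBOLS):
        return "unknown"  # does not even look like a libcrypt
    if frozenset(LIBXCRYPT_SYMBOLS) <= symbols:
        return "libxcrypt"
    return "glibc-libcrypt"  # crypt()/crypt_r() only: the pre-2.39 glibc library


def loaded_path(soname_prefix="libcrypt.so"):
    """Resolve the on-disk file of the loaded libcrypt from /proc/self/maps (Linux only)."""
    try:
        with open("/proc/self/maps") as maps:
            for line in maps:
                parts = line.split()
                if len(parts) >= 6 and os.path.basename(parts[5]).startswith(soname_prefix):
                    return parts[5]
    except OSError:
        pass
    return None


def owning_package(path):
    """Ask dpkg which package ships `path`; None when dpkg is absent or cannot tell."""
    if path is None or shutil.which("dpkg") is None:
        return None
    try:
        out = subprocess.run(["dpkg", "-S", path], capture_output=True,
                             text=True, check=True).stdout
    except subprocess.CalledProcessError:
        return None  # e.g. merged-/usr path aliasing that dpkg cannot map back
    # dpkg -S prints "pkg:arch: /path"; keep only the package name.
    return out.split(":", 1)[0].strip() or None


def identify_libcrypt(soname="libcrypt.so.1"):
    """Load the system libcrypt and report who provides it."""
    report = {"soname": soname, "loaded": False, "provider": "unknown",
              "symbols": frozenset(), "path": None, "package": None}
    try:
        lib = ctypes.CDLL(soname)
    except OSError:
        return report  # no such library on this host
    report["loaded"] = True
    report["symbols"] = exported_symbols(lib)
    report["provider"] = classify(report["symbols"])
    report["path"] = loaded_path()
    report["package"] = owning_package(report["path"])
    return report


if __name__ == "__main__":
    r = identify_libcrypt()
    print(f"{r['soname']}: loaded={r['loaded']} provider={r['provider']}")
    print(f"  path={r['path']} package={r['package']}")
    print(f"  symbols={sorted(r['symbols'])}")
```

On an Ubuntu 24.04 host the expected outcome is provider=libxcrypt with the file owned by a libxcrypt-derived package rather than by libc6, which is the distinction the tracker entry should reflect; a glibc-libcrypt result would only be expected on a release whose glibc predates 2.39 and was built with --enable-crypt.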

Question information

Language: English
Status: Expired
For: Ubuntu
Assignee: No assignee
Launchpad Janitor (janitor) said:
#1

This question was expired because it remained in the 'Open' state without activity for the last 15 days.