Do I need to upgrade glibc-debuginfo and glibc-debugsource?

slightlyseasoned · March 25, 2024, 12:14am

sudo dnf list extras outputs:

Last metadata expiration check: 1:23:11 ago on Sun 24 Mar 2024 12:34:46 PM EDT.
Extra Packages
glibc-debuginfo.x86_64                                                                      2.38-14.fc39                                                                    @updates-debuginfo
glibc-debugsource.x86_64                                                                    2.38-14.fc39                                                                    @updates-debuginfo

Every time I’ve ran dnf updateinfo --refresh --list for the past couple months I get the following output:

Fedora 39 - x86_64      31 kB/s |  25 kB     00:00    
Fedora 39 openh264 (From Cisco) - x86_64                                                                                                                      3.5 kB/s | 989  B     00:00    
Fedora 39 - x86_64 - Updates                                                                                                                                  131 kB/s |  21 kB     00:00    
ProtonVPN Fedora Stable repository                                                                                                                            619  B/s | 659  B     00:01    
FEDORA-2024-aec80d6e8a Important/Sec. glibc-debuginfo-2.38-16.fc39.x86_64
FEDORA-2024-aec80d6e8a Important/Sec. glibc-debugsource-2.38-16.fc39.x86_64

Running sudo dnf upgrade --refresh && flatpak update says:

Fedora 39 - x86_64                                                                                                                                             60 kB/s |  25 kB     00:00    
Fedora 39 openh264 (From Cisco) - x86_64                                                                                                                      7.9 kB/s | 989  B     00:00    
Fedora 39 - x86_64 - Updates                                                                                                                                   59 kB/s |  22 kB     00:00    
ProtonVPN Fedora Stable repository                                                                                                                            1.0 kB/s | 659  B     00:00    
Dependencies resolved.
Nothing to do.
Complete!
Looking for updates…
Nothing to do.

Similarly, su -c 'dnf upgrade --advisory FEDORA-2024-aec80d6e8a' gives:

Password: 
Last metadata expiration check: 0:20:05 ago on Sun 24 Mar 2024 06:50:47 PM EDT.
Dependencies resolved.
Nothing to do.
Complete!

At Bugzilla, it says the CVEs related to these packages was fixed in version 2.39:
https://bugzilla.redhat.com/show_bug.cgi?id=2254395
https://bugzilla.redhat.com/show_bug.cgi?id=2254396
https://bugzilla.redhat.com/show_bug.cgi?id=2249053

There’s a bit of doubt in my mind that things are working as they’re supposed to. The metadata appears very outdated with some of my repositories, as witnessed with dnf updateinfo --list -v:

Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, groups-manager, needs-restarting, notify-packagekit, playground, repoclosure, repodiff, repograph, repomanage, reposync, system-upgrade
DNF version: 4.19.0
cachedir: /var/tmp/dnf-windwalkin-07ntf96u
User-Agent: constructed: 'libdnf (Fedora Linux 39; workstation; Linux.x86_64)'
repo: using cache for: fedora
fedora: using metadata from Tue 31 Oct 2023 08:12:39 PM EDT.
repo: using cache for: fedora-cisco-openh264
fedora-cisco-openh264: using metadata from Tue 12 Dec 2023 12:22:46 PM EST.
repo: using cache for: updates
updates: using metadata from Sat 23 Mar 2024 09:01:28 PM EDT.
repo: using cache for: protonvpn-fedora-stable
protonvpn-fedora-stable: using metadata from Wed 06 Mar 2024 08:17:41 AM EST.
Last metadata expiration check: 3:05:26 ago on Sun 24 Mar 2024 02:27:26 PM EDT.
FEDORA-2024-aec80d6e8a Important/Sec. glibc-debuginfo-2.38-16.fc39.x86_64   2024-01-31 20:54:16
FEDORA-2024-aec80d6e8a Important/Sec. glibc-debugsource-2.38-16.fc39.x86_64 2024-01-31 20:54:16

I found glibc-debuginfo-2.38-16.fc39.x86_64.rpm to download but as far as I know there’s no way to know when a newer version becomes available with this route at:

https://www.rpmfind.net/linux/rpm2html/search.php?query=glibc-debuginfo

After looking into this a lot, I’m beginning to think again maybe there’s nothing on my part that needs to be done. Was this security fix backported to my current versions of glibc-debuginfo-2.38-14.fc39.x86_64 and glibc-debugsource-2.38-14.fc39.x86_64? Other than perhaps refreshing the metadata with some of my repositories is there anything else that needs to be done? Can someone clarify this for me please?

chrisawi · March 25, 2024, 12:21am

Those packages were installed by you with dnf debuginfo-install. You can safely remove them.

slightlyseasoned · March 25, 2024, 12:23am

Thanks for your reply Chris. I am currently learning C and need these packages. Otherwise I would remove them.

computersavvy · March 25, 2024, 12:28am

AFAIK glibc-debuginfo and glibc-debugsource are not required to be installed. If you have them you apparently installed them yourself for some reason so they probably could be removed with no harm.
These are the only glibc packages I have installed.

$ dnf list installed glibc*
Installed Packages
glibc.x86_64                                                         2.38-16.fc39                                           @updates
glibc-all-langpacks.x86_64                                           2.38-16.fc39                                           @updates
glibc-common.x86_64                                                  2.38-16.fc39                                           @updates
glibc-devel.x86_64                                                   2.38-16.fc39                                           @updates
glibc-gconv-extra.x86_64                                             2.38-16.fc39                                           @updates
glibc-headers-x86.noarch                                             2.38-16.fc39                                           @updates
glibc-langpack-en.x86_64                                             2.38-16.fc39                                           @updates

In fact, running dnf list glibc* on my workstation does not give the glibc-debug* packages at all; so I wonder why you are even seeing them. They must have come from a different source than the fedora repos.

You can probably see what repo they may have come from with the dnf command I posted just above.

slightlyseasoned · March 25, 2024, 12:35am

Hey Jeff, they came from updates-debuginfo repository based on the output of sudo dnf list extras above.

dnf list glibc* reflects this as well.

I don’t remember exactly how I installed them but I think just through the package manager dnf. I am learning C programming and need these packages.

computersavvy · March 25, 2024, 12:45am

Sorry, I missed that since you are not posting while using the preformatted text tags to retain the on-screen formatting.

This is done using
```
text pasted here
```
or by using the </> button on the toolbar.

Posting this way retains the readability instead of scrunching everything down with single spaces between words.

Even the block quote fails to retain formatting.

slightlyseasoned · March 25, 2024, 12:49am

That is all right, Jeff. I just appreciate your help and thank you for the tip. I will reformat this.

jjames · March 25, 2024, 1:24am

If you want debuginfo packages to update automatically, edit /etc/dnf/plugins/debuginfo-install.conf and change “autoupdate=0” to “autoupdate=1”.

slightlyseasoned · March 25, 2024, 1:52am

Thank you very much Jerry! Now have the following installed:

glibc-debuginfo-2.38-16.fc39.x86_64
glibc-debugsource-2.38-16.fc39.x86_64

However, I am still a little unsure if this completely corrects the security issue. May only be fixed in 2.39 according to the Bugzilla reports I linked above.

Also it seems a bit odd that I never had the option to update this through the software center.

chrisawi · March 25, 2024, 2:09am

Those do appear to be the current versions.

The debuginfo packages are in a disabled repo that is temporarily enabled when you use the debuginfo-install command. Enabling autoupdate makes that plugin automatically enable those repos when any *-debuginfo packages are installed.

I don’t think that would help for GNOME Software (via PackageKit) though, only dnf upgrade itself.

slightlyseasoned · March 25, 2024, 2:15am

Thank you for clarifying Chris.

I will make a note of this so that when I have to reinstall eventually I won’t run into this issue again.

Topic		Replies	Views
Linux kernel debug Ask Fedora f38 , packages , kernel	5	1482	June 29, 2023
How to install `debuginfo` package requested by GDB that doesn't exist in repositories? Ask Fedora kde , kde-plasma , wayland , debuginfod , respins , f40	25	1047	October 14, 2024
Need help solving a DNF issue Ask Fedora gnome , workstation , f40	12	13720	May 3, 2024
Fedora 39 Workstation upgrade to F40 faild Ask Fedora f39 , workstation	9	4716	April 26, 2024
Gnome-software update and check problem after upgrading to fedora41 Ask Fedora gnome-software , f41	20	574	November 8, 2024

Do I need to upgrade glibc-debuginfo and glibc-debugsource?

Related topics