Do I need to upgrade glibc-debuginfo and glibc-debugsource?

sudo dnf list extras outputs:

```
Last metadata expiration check: 1:23:11 ago on Sun 24 Mar 2024 12:34:46 PM EDT.
Extra Packages
glibc-debuginfo.x86_64                                                                      2.38-14.fc39                                                                    @updates-debuginfo
glibc-debugsource.x86_64                                                                    2.38-14.fc39                                                                    @updates-debuginfo
```

Every time I’ve run dnf updateinfo --refresh --list for the past couple months I get the following output:

```
Fedora 39 - x86_64      31 kB/s |  25 kB     00:00
Fedora 39 openh264 (From Cisco) - x86_64                                                                                                                      3.5 kB/s | 989  B     00:00
Fedora 39 - x86_64 - Updates                                                                                                                                  131 kB/s |  21 kB     00:00
ProtonVPN Fedora Stable repository                                                                                                                            619  B/s | 659  B     00:01
FEDORA-2024-aec80d6e8a Important/Sec. glibc-debuginfo-2.38-16.fc39.x86_64
FEDORA-2024-aec80d6e8a Important/Sec. glibc-debugsource-2.38-16.fc39.x86_64
```

Running sudo dnf upgrade --refresh && flatpak update says:

```
Fedora 39 - x86_64                                                                                                                                             60 kB/s |  25 kB     00:00
Fedora 39 openh264 (From Cisco) - x86_64                                                                                                                      7.9 kB/s | 989  B     00:00
Fedora 39 - x86_64 - Updates                                                                                                                                   59 kB/s |  22 kB     00:00
ProtonVPN Fedora Stable repository                                                                                                                            1.0 kB/s | 659  B     00:00
Dependencies resolved.
Nothing to do.
Complete!
Looking for updates…
Nothing to do.
```

Similarly, su -c 'dnf upgrade --advisory FEDORA-2024-aec80d6e8a' gives:

```
Password: 
Last metadata expiration check: 0:20:05 ago on Sun 24 Mar 2024 06:50:47 PM EDT.
Dependencies resolved.
Nothing to do.
Complete!
```

At Bugzilla, it says the CVEs related to these packages were fixed in version 2.39:
https://bugzilla.redhat.com/show_bug.cgi?id=2254395
https://bugzilla.redhat.com/show_bug.cgi?id=2254396
https://bugzilla.redhat.com/show_bug.cgi?id=2249053

There’s a bit of doubt in my mind that things are working as they’re supposed to. The metadata appears very outdated with some of my repositories, as witnessed with dnf updateinfo --list -v:

```
Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, groups-manager, needs-restarting, notify-packagekit, playground, repoclosure, repodiff, repograph, repomanage, reposync, system-upgrade
DNF version: 4.19.0
cachedir: /var/tmp/dnf-windwalkin-07ntf96u
User-Agent: constructed: 'libdnf (Fedora Linux 39; workstation; Linux.x86_64)'
repo: using cache for: fedora
fedora: using metadata from Tue 31 Oct 2023 08:12:39 PM EDT.
repo: using cache for: fedora-cisco-openh264
fedora-cisco-openh264: using metadata from Tue 12 Dec 2023 12:22:46 PM EST.
repo: using cache for: updates
updates: using metadata from Sat 23 Mar 2024 09:01:28 PM EDT.
repo: using cache for: protonvpn-fedora-stable
protonvpn-fedora-stable: using metadata from Wed 06 Mar 2024 08:17:41 AM EST.
Last metadata expiration check: 3:05:26 ago on Sun 24 Mar 2024 02:27:26 PM EDT.
FEDORA-2024-aec80d6e8a Important/Sec. glibc-debuginfo-2.38-16.fc39.x86_64   2024-01-31 20:54:16
FEDORA-2024-aec80d6e8a Important/Sec. glibc-debugsource-2.38-16.fc39.x86_64 2024-01-31 20:54:16
```

I found glibc-debuginfo-2.38-16.fc39.x86_64.rpm to download but as far as I know there’s no way to know when a newer version becomes available with this route at:

https://www.rpmfind.net/linux/rpm2html/search.php?query=glibc-debuginfo

After looking into this a lot, I’m beginning to think again maybe there’s nothing on my part that needs to be done. Was this security fix backported to my current versions of glibc-debuginfo-2.38-14.fc39.x86_64 and glibc-debugsource-2.38-14.fc39.x86_64? Other than perhaps refreshing the metadata with some of my repositories is there anything else that needs to be done? Can someone clarify this for me please?

Those packages were installed by you with dnf debuginfo-install. You can safely remove them.

Thanks for your reply Chris. I am currently learning C and need these packages. Otherwise I would remove them.

AFAIK glibc-debuginfo and glibc-debugsource are not required to be installed. If you have them you apparently installed them yourself for some reason so they probably could be removed with no harm.
These are the only glibc packages I have installed.

```
$ dnf list installed glibc*
Installed Packages
glibc.x86_64                                                         2.38-16.fc39                                           @updates
glibc-all-langpacks.x86_64                                           2.38-16.fc39                                           @updates
glibc-common.x86_64                                                  2.38-16.fc39                                           @updates
glibc-devel.x86_64                                                   2.38-16.fc39                                           @updates
glibc-gconv-extra.x86_64                                             2.38-16.fc39                                           @updates
glibc-headers-x86.noarch                                             2.38-16.fc39                                           @updates
glibc-langpack-en.x86_64                                             2.38-16.fc39                                           @updates
```

In fact, running dnf list glibc* on my workstation does not give the glibc-debug* packages at all; so I wonder why you are even seeing them. They must have come from a different source than the fedora repos.

You can probably see what repo they may have come from with the dnf command I posted just above.

Hey Jeff, they came from updates-debuginfo repository based on the output of sudo dnf list extras above.

dnf list glibc* reflects this as well.

I don’t remember exactly how I installed them but I think just through the package manager dnf. I am learning C programming and need these packages.

Sorry, I missed that since you are not posting while using the preformatted text tags to retain the on-screen formatting.

This is done using
```
text pasted here
```
or by using the </> button on the toolbar.

Posting this way retains the readability instead of scrunching everything down with single spaces between words.

Even the block quote fails to retain formatting.

That is all right, Jeff. I just appreciate your help and thank you for the tip. I will reformat this.

If you want debuginfo packages to update automatically, edit /etc/dnf/plugins/debuginfo-install.conf and change “autoupdate=0” to “autoupdate=1”.

3 Likes

Thank you very much Jerry! Now have the following installed:

glibc-debuginfo-2.38-16.fc39.x86_64
glibc-debugsource-2.38-16.fc39.x86_64

However, I am still a little unsure if this completely corrects the security issue. May only be fixed in 2.39 according to the Bugzilla reports I linked above.

Also it seems a bit odd that I never had the option to update this through the software center.

Those do appear to be the current versions.

The debuginfo packages are in a disabled repo that is temporarily enabled when you use the debuginfo-install command. Enabling autoupdate makes that plugin automatically enable those repos when any *-debuginfo packages are installed.

I don’t think that would help for GNOME Software (via PackageKit) though, only dnf upgrade itself.

1 Like
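
As an added example (not part of any post in this thread, and not Fedora's own tooling): a shell check for the situation discussed above, where installed `-debuginfo`/`-debugsource` packages lag behind their base package because their repo is normally disabled, plus a reader for the `autoupdate` value in the plugin config. The function names are hypothetical, the sample package list is constructed from the versions quoted in the thread, and the key=value layout of the config file is an assumption.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Constructed sample in "NAME VERSION-RELEASE" form, using versions from the thread.
SAMPLE_PKGS='glibc 2.38-16.fc39
glibc-common 2.38-16.fc39
glibc-debuginfo 2.38-14.fc39
glibc-debugsource 2.38-14.fc39'

# Reads "NAME VERSION-RELEASE" lines on stdin and prints every -debuginfo or
# -debugsource package whose version differs from its installed base package.
stale_debug_pkgs() {
    awk '
        { ver[$1] = $2 }
        END {
            for (name in ver) {
                base = name
                # Only look at debug packages; skip everything else.
                if (sub(/-debug(info|source)$/, "", base) == 0) continue
                # Base package not installed: nothing to compare against.
                if (!(base in ver)) continue
                if (ver[name] != ver[base])
                    printf "%s %s (base %s is %s)\n", name, ver[name], base, ver[base]
            }
        }' | sort
}

# Prints the autoupdate value (0 or 1) from a debuginfo-install.conf style
# file, or "unset" when the key is absent.
autoupdate_setting() {
    value=$(sed -n 's/^[[:space:]]*autoupdate[[:space:]]*=[[:space:]]*\([01]\).*$/\1/p' "$1" | tail -n 1)
    echo "${value:-unset}"
}

# Demo on the constructed sample. On a real system, feed it with:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | stale_debug_pkgs
printf '%s\n' "$SAMPLE_PKGS" | stale_debug_pkgs
```

An empty result from `stale_debug_pkgs` means every installed debug package matches its base package; `autoupdate_setting /etc/dnf/plugins/debuginfo-install.conf` shows whether the setting mentioned above is in effect.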

Thank you for clarifying Chris.

I will make a note of this so that when I have to reinstall eventually I won’t run into this issue again.