import glibc-2.28-164.el8_5.3

SOURCES/glibc-rh2032280-1.patch

@@ -0,0 +1,64 @@
+commit a7e9dbb7742954814643a8562dcad09abb0b0e5d
+Author: Alexandra Hájková <ahajkova@redhat.com>
+Date:   Sat Dec 26 18:45:13 2020 +0100
+
+    Add xchdir to libsupport.
+
+diff --git a/support/Makefile b/support/Makefile
+index dcf3c4baa2a31070..fb95a69ed9158e78 100644
+--- a/support/Makefile
++++ b/support/Makefile
+@@ -82,6 +82,7 @@ libsupport-routines = \
+   xasprintf \
+   xbind \
+   xcalloc \
++  xchdir \
+   xchroot \
+   xclose \
+   xconnect \
+diff --git a/support/xchdir.c b/support/xchdir.c
+new file mode 100644
+index 0000000000000000..beb4feff72832065
+--- /dev/null
++++ b/support/xchdir.c
+@@ -0,0 +1,28 @@
++/* chdir with error checking.
++   Copyright (C) 2020 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#include <support/check.h>
++#include <support/xunistd.h>
++#include <unistd.h>
++
++void
++xchdir (const char *path)
++{
++  if (chdir (path) != 0)
++    FAIL_EXIT1 ("chdir (\"%s\"): %m", path);
++}
+diff --git a/support/xunistd.h b/support/xunistd.h
+index f99f362cb4763c5b..74fd2771d12c36fe 100644
+--- a/support/xunistd.h
++++ b/support/xunistd.h
+@@ -44,6 +44,7 @@ long xsysconf (int name);
+ long long xlseek (int fd, long long offset, int whence);
+ void xftruncate (int fd, long long length);
+ void xsymlink (const char *target, const char *linkpath);
++void xchdir (const char *path);
+ 
+ /* Equivalent of "mkdir -p".  */
+ void xmkdirp (const char *, mode_t);

SOURCES/glibc-rh2032280-2.patch

@@ -0,0 +1,72 @@
+commit 60854f40ea2d420867ed2f0f052ee7fca661dbff
+Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
+Date:   Thu Oct 15 15:14:22 2020 -0300
+
+    support: Add create_temp_file_in_dir
+    
+    It allows created a temporary file in a specified directory.
+
+diff --git a/support/support.h b/support/support.h
+index f50f8cc1496d657d..96833bd4e992e6d3 100644
+--- a/support/support.h
++++ b/support/support.h
+@@ -23,6 +23,7 @@
+ #ifndef SUPPORT_H
+ #define SUPPORT_H
+ 
++#include <stdbool.h>
+ #include <stddef.h>
+ #include <sys/cdefs.h>
+ /* For mode_t.  */
+diff --git a/support/temp_file.c b/support/temp_file.c
+index 0bbc7f997264f758..5a2728c94a9c32ae 100644
+--- a/support/temp_file.c
++++ b/support/temp_file.c
+@@ -60,14 +60,12 @@ add_temp_file (const char *name)
+ }
+ 
+ int
+-create_temp_file (const char *base, char **filename)
++create_temp_file_in_dir (const char *base, const char *dir, char **filename)
+ {
+   char *fname;
+   int fd;
+ 
+-  fname = (char *) xmalloc (strlen (test_dir) + 1 + strlen (base)
+-			    + sizeof ("XXXXXX"));
+-  strcpy (stpcpy (stpcpy (stpcpy (fname, test_dir), "/"), base), "XXXXXX");
++  fname = xasprintf ("%s/%sXXXXXX", dir, base);
+ 
+   fd = mkstemp (fname);
+   if (fd == -1)
+@@ -86,6 +84,12 @@ create_temp_file (const char *base, char **filename)
+   return fd;
+ }
+ 
++int
++create_temp_file (const char *base, char **filename)
++{
++  return create_temp_file_in_dir (base, test_dir, filename);
++}
++
+ char *
+ support_create_temp_directory (const char *base)
+ {
+diff --git a/support/temp_file.h b/support/temp_file.h
+index c7795cc577ca22a9..d64563f41f1f50cd 100644
+--- a/support/temp_file.h
++++ b/support/temp_file.h
+@@ -32,6 +32,13 @@ void add_temp_file (const char *name);
+    *FILENAME.  */
+ int create_temp_file (const char *base, char **filename);
+ 
++/* Create a temporary file in directory DIR.  Return the opened file
++   descriptor on success, or -1 on failure.  Write the file name to
++   *FILENAME if FILENAME is not NULL.  In this case, the caller is
++   expected to free *FILENAME.  */
++int create_temp_file_in_dir (const char *base, const char *dir,
++			     char **filename);
++
+ /* Create a temporary directory and schedule it for deletion.  BASE is
+    used as a prefix for the unique directory name, which the function
+    returns.  The caller should free this string.  */

SOURCES/glibc-rh2032280-3.patch

@@ -0,0 +1,278 @@
+commit fb7bff12e81c677a6622f724edd4d4987dd9d971
+Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date:   Tue Jan 18 13:29:36 2022 +0530
+
+    support: Add helpers to create paths longer than PATH_MAX
+    
+    Add new helpers support_create_and_chdir_toolong_temp_directory and
+    support_chdir_toolong_temp_directory to create and descend into
+    directory trees longer than PATH_MAX.
+    
+    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+# Conflicts:
+#	support/temp_file.c
+
+diff --git a/support/temp_file.c b/support/temp_file.c
+index 5a2728c94a9c32ae..661c86bad5c0121f 100644
+--- a/support/temp_file.c
++++ b/support/temp_file.c
+@@ -1,5 +1,6 @@
+ /* Temporary file handling for tests.
+-   Copyright (C) 1998-2018 Free Software Foundation, Inc.
++   Copyright (C) 1998-2022 Free Software Foundation, Inc.
++   Copyright The GNU Tools Authors.
+    This file is part of the GNU C Library.
+ 
+    The GNU C Library is free software; you can redistribute it and/or
+@@ -20,15 +21,17 @@
+    some 32-bit platforms. */
+ #define _FILE_OFFSET_BITS 64
+ 
++#include <support/check.h>
+ #include <support/temp_file.h>
+ #include <support/temp_file-internal.h>
+ #include <support/support.h>
+ 
++#include <errno.h>
+ #include <paths.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+-#include <unistd.h>
++#include <xunistd.h>
+ 
+ /* List of temporary files.  */
+ static struct temp_name_list
+@@ -36,14 +39,20 @@ static struct temp_name_list
+   struct temp_name_list *next;
+   char *name;
+   pid_t owner;
++  bool toolong;
+ } *temp_name_list;
+ 
+ /* Location of the temporary files.  Set by the test skeleton via
+    support_set_test_dir.  The string is not be freed.  */
+ static const char *test_dir = _PATH_TMP;
+ 
+-void
+-add_temp_file (const char *name)
++/* Name of subdirectories in a too long temporary directory tree.  */
++static char toolong_subdir[NAME_MAX + 1];
++static bool toolong_initialized;
++static size_t toolong_path_max;
++
++static void
++add_temp_file_internal (const char *name, bool toolong)
+ {
+   struct temp_name_list *newp
+     = (struct temp_name_list *) xcalloc (sizeof (*newp), 1);
+@@ -53,12 +62,19 @@ add_temp_file (const char *name)
+       newp->name = newname;
+       newp->next = temp_name_list;
+       newp->owner = getpid ();
++      newp->toolong = toolong;
+       temp_name_list = newp;
+     }
+   else
+     free (newp);
+ }
+ 
++void
++add_temp_file (const char *name)
++{
++  add_temp_file_internal (name, false);
++}
++
+ int
+ create_temp_file_in_dir (const char *base, const char *dir, char **filename)
+ {
+@@ -90,8 +106,8 @@ create_temp_file (const char *base, char **filename)
+   return create_temp_file_in_dir (base, test_dir, filename);
+ }
+ 
+-char *
+-support_create_temp_directory (const char *base)
++static char *
++create_temp_directory_internal (const char *base, bool toolong)
+ {
+   char *path = xasprintf ("%s/%sXXXXXX", test_dir, base);
+   if (mkdtemp (path) == NULL)
+@@ -99,16 +115,132 @@ support_create_temp_directory (const char *base)
+       printf ("error: mkdtemp (\"%s\"): %m", path);
+       exit (1);
+     }
+-  add_temp_file (path);
++  add_temp_file_internal (path, toolong);
+   return path;
+ }
+ 
+-/* Helper functions called by the test skeleton follow.  */
++char *
++support_create_temp_directory (const char *base)
++{
++  return create_temp_directory_internal (base, false);
++}
++
++static void
++ensure_toolong_initialized (void)
++{
++  if (!toolong_initialized)
++    FAIL_EXIT1 ("uninitialized toolong directory tree\n");
++}
++
++static void
++initialize_toolong (const char *base)
++{
++  long name_max = pathconf (base, _PC_NAME_MAX);
++  name_max = (name_max < 0 ? 64
++	      : (name_max < sizeof (toolong_subdir) ? name_max
++		 : sizeof (toolong_subdir) - 1));
++
++  long path_max = pathconf (base, _PC_PATH_MAX);
++  path_max = (path_max < 0 ? 1024
++	      : path_max <= PTRDIFF_MAX ? path_max : PTRDIFF_MAX);
++
++  /* Sanity check to ensure that the test does not create temporary directories
++     in different filesystems because this API doesn't support it.  */
++  if (toolong_initialized)
++    {
++      if (name_max != strlen (toolong_subdir))
++	FAIL_UNSUPPORTED ("name_max: Temporary directories in different"
++			  " filesystems not supported yet\n");
++      if (path_max != toolong_path_max)
++	FAIL_UNSUPPORTED ("path_max: Temporary directories in different"
++			  " filesystems not supported yet\n");
++      return;
++    }
++
++  toolong_path_max = path_max;
++
++  size_t len = name_max;
++  memset (toolong_subdir, 'X', len);
++  toolong_initialized = true;
++}
++
++char *
++support_create_and_chdir_toolong_temp_directory (const char *basename)
++{
++  char *base = create_temp_directory_internal (basename, true);
++  xchdir (base);
++
++  initialize_toolong (base);
++
++  size_t sz = strlen (toolong_subdir);
++
++  /* Create directories and descend into them so that the final path is larger
++     than PATH_MAX.  */
++  for (size_t i = 0; i <= toolong_path_max / sz; i++)
++    {
++      int ret = mkdir (toolong_subdir, S_IRWXU);
++      if (ret != 0 && errno == ENAMETOOLONG)
++	FAIL_UNSUPPORTED ("Filesystem does not support creating too long "
++			  "directory trees\n");
++      else if (ret != 0)
++	FAIL_EXIT1 ("Failed to create directory tree: %m\n");
++      xchdir (toolong_subdir);
++    }
++  return base;
++}
+ 
+ void
+-support_set_test_dir (const char *path)
++support_chdir_toolong_temp_directory (const char *base)
+ {
+-  test_dir = path;
++  ensure_toolong_initialized ();
++
++  xchdir (base);
++
++  size_t sz = strlen (toolong_subdir);
++  for (size_t i = 0; i <= toolong_path_max / sz; i++)
++    xchdir (toolong_subdir);
++}
++
++/* Helper functions called by the test skeleton follow.  */
++
++static void
++remove_toolong_subdirs (const char *base)
++{
++  ensure_toolong_initialized ();
++
++  if (chdir (base) != 0)
++    {
++      printf ("warning: toolong cleanup base failed: chdir (\"%s\"): %m\n",
++	      base);
++      return;
++    }
++
++  /* Descend.  */
++  int levels = 0;
++  size_t sz = strlen (toolong_subdir);
++  for (levels = 0; levels <= toolong_path_max / sz; levels++)
++    if (chdir (toolong_subdir) != 0)
++      {
++	printf ("warning: toolong cleanup failed: chdir (\"%s\"): %m\n",
++		toolong_subdir);
++	break;
++      }
++
++  /* Ascend and remove.  */
++  while (--levels >= 0)
++    {
++      if (chdir ("..") != 0)
++	{
++	  printf ("warning: toolong cleanup failed: chdir (\"..\"): %m\n");
++	  return;
++	}
++      if (remove (toolong_subdir) != 0)
++	{
++	  printf ("warning: could not remove subdirectory: %s: %m\n",
++		  toolong_subdir);
++	  return;
++	}
++    }
+ }
+ 
+ void
+@@ -123,6 +255,9 @@ support_delete_temp_files (void)
+ 	 around, to prevent PID reuse.)  */
+       if (temp_name_list->owner == pid)
+ 	{
++	  if (temp_name_list->toolong)
++	    remove_toolong_subdirs (temp_name_list->name);
++
+ 	  if (remove (temp_name_list->name) != 0)
+ 	    printf ("warning: could not remove temporary file: %s: %m\n",
+ 		    temp_name_list->name);
+@@ -147,3 +282,9 @@ support_print_temp_files (FILE *f)
+       fprintf (f, ")\n");
+     }
+ }
++
++void
++support_set_test_dir (const char *path)
++{
++  test_dir = path;
++}
+diff --git a/support/temp_file.h b/support/temp_file.h
+index d64563f41f1f50cd..055e31dcfb843ba6 100644
+--- a/support/temp_file.h
++++ b/support/temp_file.h
+@@ -44,6 +44,15 @@ int create_temp_file_in_dir (const char *base, const char *dir,
+    returns.  The caller should free this string.  */
+ char *support_create_temp_directory (const char *base);
+ 
++/* Create a temporary directory tree that is longer than PATH_MAX and schedule
++   it for deletion.  BASENAME is used as a prefix for the unique directory
++   name, which the function returns.  The caller should free this string.  */
++char *support_create_and_chdir_toolong_temp_directory (const char *basename);
++
++/* Change into the innermost directory of the directory tree BASE, which was
++   created using support_create_and_chdir_toolong_temp_directory.  */
++void support_chdir_toolong_temp_directory (const char *base);
++
+ __END_DECLS
+ 
+ #endif /* SUPPORT_TEMP_FILE_H */

SOURCES/glibc-rh2032280-4.patch

@@ -0,0 +1,331 @@
+commit 23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e
+Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date:   Fri Jan 21 23:32:56 2022 +0530
+
+    getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999)
+    
+    No valid path returned by getcwd would fit into 1 byte, so reject the
+    size early and return NULL with errno set to ERANGE.  This change is
+    prompted by CVE-2021-3999, which describes a single byte buffer
+    underflow and overflow when all of the following conditions are met:
+    
+    - The buffer size (i.e. the second argument of getcwd) is 1 byte
+    - The current working directory is too long
+    - '/' is also mounted on the current working directory
+    
+    Sequence of events:
+    
+    - In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG
+      because the linux kernel checks for name length before it checks
+      buffer size
+    
+    - The code falls back to the generic getcwd in sysdeps/posix
+    
+    - In the generic func, the buf[0] is set to '\0' on line 250
+    
+    - this while loop on line 262 is bypassed:
+    
+        while (!(thisdev == rootdev && thisino == rootino))
+    
+      since the rootfs (/) is bind mounted onto the directory and the flow
+      goes on to line 449, where it puts a '/' in the byte before the
+      buffer.
+    
+    - Finally on line 458, it moves 2 bytes (the underflowed byte and the
+      '\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow.
+    
+    - buf is returned on line 469 and errno is not set.
+    
+    This resolves BZ #28769.
+    
+    Reviewed-by: Andreas Schwab <schwab@linux-m68k.org>
+    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+    Signed-off-by: Qualys Security Advisory <qsa@qualys.com>
+    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+# Conflicts:
+#	sysdeps/posix/getcwd.c
+#	sysdeps/unix/sysv/linux/Makefile
+
+diff --git a/sysdeps/posix/getcwd.c b/sysdeps/posix/getcwd.c
+index b53433a2dc77fafa..fcd7aaea79c6477b 100644
+--- a/sysdeps/posix/getcwd.c
++++ b/sysdeps/posix/getcwd.c
+@@ -238,6 +238,13 @@ __getcwd (char *buf, size_t size)
+   bool fd_needs_closing = false;
+   int fd = AT_FDCWD;
+ 
++  /* A size of 1 byte is never useful.  */
++  if (size == 1)
++    {
++      __set_errno (ERANGE);
++      return NULL;
++    }
++
+   char *path;
+ #ifndef NO_ALLOCATION
+   size_t allocated = size;
+diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile
+index 688cf9fa9dea23a6..bb055f9d6b841ff5 100644
+--- a/sysdeps/unix/sysv/linux/Makefile
++++ b/sysdeps/unix/sysv/linux/Makefile
+@@ -180,7 +180,11 @@ sysdep_routines += xstatconv internal_statvfs internal_statvfs64 \
+ 
+ sysdep_headers += bits/fcntl-linux.h
+ 
+-tests += tst-fallocate tst-fallocate64
++tests += \
++  tst-fallocate \
++  tst-fallocate64 \
++  tst-getcwd-smallbuff \
++# tests
+ endif
+ 
+ ifeq ($(subdir),elf)
+diff --git a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
+new file mode 100644
+index 0000000000000000..d460d6e7662dc5e4
+--- /dev/null
++++ b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
+@@ -0,0 +1,241 @@
++/* Verify that getcwd returns ERANGE for size 1 byte and does not underflow
++   buffer when the CWD is too long and is also a mount target of /.  See bug
++   #28769 or CVE-2021-3999 for more context.
++   Copyright The GNU Toolchain Authors.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#include <errno.h>
++#include <fcntl.h>
++#include <intprops.h>
++#include <limits.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <sys/mount.h>
++#include <sys/stat.h>
++#include <sys/types.h>
++#include <sys/wait.h>
++
++#include <sys/socket.h>
++#include <sys/un.h>
++#include <support/check.h>
++#include <support/temp_file.h>
++#include <support/xsched.h>
++#include <support/xunistd.h>
++
++static char *base;
++#define BASENAME "tst-getcwd-smallbuff"
++#define MOUNT_NAME "mpoint"
++static int sockfd[2];
++
++static void
++do_cleanup (void)
++{
++  support_chdir_toolong_temp_directory (base);
++  TEST_VERIFY_EXIT (rmdir (MOUNT_NAME) == 0);
++  free (base);
++}
++
++static void
++send_fd (const int sock, const int fd)
++{
++  struct msghdr msg = {0};
++  union
++    {
++      struct cmsghdr hdr;
++      char buf[CMSG_SPACE (sizeof (int))];
++    } cmsgbuf = {0};
++  struct cmsghdr *cmsg;
++  struct iovec vec;
++  char ch = 'A';
++  ssize_t n;
++
++  msg.msg_control = &cmsgbuf.buf;
++  msg.msg_controllen = sizeof (cmsgbuf.buf);
++
++  cmsg = CMSG_FIRSTHDR (&msg);
++  cmsg->cmsg_len = CMSG_LEN (sizeof (int));
++  cmsg->cmsg_level = SOL_SOCKET;
++  cmsg->cmsg_type = SCM_RIGHTS;
++  memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd));
++
++  vec.iov_base = &ch;
++  vec.iov_len = 1;
++  msg.msg_iov = &vec;
++  msg.msg_iovlen = 1;
++
++  while ((n = sendmsg (sock, &msg, 0)) == -1 && errno == EINTR);
++
++  TEST_VERIFY_EXIT (n == 1);
++}
++
++static int
++recv_fd (const int sock)
++{
++  struct msghdr msg = {0};
++  union
++    {
++      struct cmsghdr hdr;
++      char buf[CMSG_SPACE(sizeof(int))];
++    } cmsgbuf = {0};
++  struct cmsghdr *cmsg;
++  struct iovec vec;
++  ssize_t n;
++  char ch = '\0';
++  int fd = -1;
++
++  vec.iov_base = &ch;
++  vec.iov_len = 1;
++  msg.msg_iov = &vec;
++  msg.msg_iovlen = 1;
++
++  msg.msg_control = &cmsgbuf.buf;
++  msg.msg_controllen = sizeof (cmsgbuf.buf);
++
++  while ((n = recvmsg (sock, &msg, 0)) == -1 && errno == EINTR);
++  if (n != 1 || ch != 'A')
++    return -1;
++
++  cmsg = CMSG_FIRSTHDR (&msg);
++  if (cmsg == NULL)
++    return -1;
++  if (cmsg->cmsg_type != SCM_RIGHTS)
++    return -1;
++  memcpy (&fd, CMSG_DATA (cmsg), sizeof (fd));
++  if (fd < 0)
++    return -1;
++  return fd;
++}
++
++static int
++child_func (void * const arg)
++{
++  xclose (sockfd[0]);
++  const int sock = sockfd[1];
++  char ch;
++
++  TEST_VERIFY_EXIT (read (sock, &ch, 1) == 1);
++  TEST_VERIFY_EXIT (ch == '1');
++
++  if (mount ("/", MOUNT_NAME, NULL, MS_BIND | MS_REC, NULL))
++    FAIL_EXIT1 ("mount failed: %m\n");
++  const int fd = xopen ("mpoint",
++			O_RDONLY | O_PATH | O_DIRECTORY | O_NOFOLLOW, 0);
++
++  send_fd (sock, fd);
++  xclose (fd);
++
++  TEST_VERIFY_EXIT (read (sock, &ch, 1) == 1);
++  TEST_VERIFY_EXIT (ch == 'a');
++
++  xclose (sock);
++  return 0;
++}
++
++static void
++update_map (char * const mapping, const char * const map_file)
++{
++  const size_t map_len = strlen (mapping);
++
++  const int fd = xopen (map_file, O_WRONLY, 0);
++  xwrite (fd, mapping, map_len);
++  xclose (fd);
++}
++
++static void
++proc_setgroups_write (const long child_pid, const char * const str)
++{
++  const size_t str_len = strlen(str);
++
++  char setgroups_path[sizeof ("/proc//setgroups") + INT_STRLEN_BOUND (long)];
++
++  snprintf (setgroups_path, sizeof (setgroups_path),
++	    "/proc/%ld/setgroups", child_pid);
++
++  const int fd = open (setgroups_path, O_WRONLY);
++
++  if (fd < 0)
++    {
++      TEST_VERIFY_EXIT (errno == ENOENT);
++      FAIL_UNSUPPORTED ("/proc/%ld/setgroups not found\n", child_pid);
++    }
++
++  xwrite (fd, str, str_len);
++  xclose(fd);
++}
++
++static char child_stack[1024 * 1024];
++
++int
++do_test (void)
++{
++  base = support_create_and_chdir_toolong_temp_directory (BASENAME);
++
++  xmkdir (MOUNT_NAME, S_IRWXU);
++  atexit (do_cleanup);
++
++  TEST_VERIFY_EXIT (socketpair (AF_UNIX, SOCK_STREAM, 0, sockfd) == 0);
++  pid_t child_pid = xclone (child_func, NULL, child_stack,
++			    sizeof (child_stack),
++			    CLONE_NEWUSER | CLONE_NEWNS | SIGCHLD);
++
++  xclose (sockfd[1]);
++  const int sock = sockfd[0];
++
++  char map_path[sizeof ("/proc//uid_map") + INT_STRLEN_BOUND (long)];
++  char map_buf[sizeof ("0  1") + INT_STRLEN_BOUND (long)];
++
++  snprintf (map_path, sizeof (map_path), "/proc/%ld/uid_map",
++	    (long) child_pid);
++  snprintf (map_buf, sizeof (map_buf), "0 %ld 1", (long) getuid());
++  update_map (map_buf, map_path);
++
++  proc_setgroups_write ((long) child_pid, "deny");
++  snprintf (map_path, sizeof (map_path), "/proc/%ld/gid_map",
++	    (long) child_pid);
++  snprintf (map_buf, sizeof (map_buf), "0 %ld 1", (long) getgid());
++  update_map (map_buf, map_path);
++
++  TEST_VERIFY_EXIT (send (sock, "1", 1, MSG_NOSIGNAL) == 1);
++  const int fd = recv_fd (sock);
++  TEST_VERIFY_EXIT (fd >= 0);
++  TEST_VERIFY_EXIT (fchdir (fd) == 0);
++
++  static char buf[2 * 10 + 1];
++  memset (buf, 'A', sizeof (buf));
++
++  /* Finally, call getcwd and check if it resulted in a buffer underflow.  */
++  char * cwd = getcwd (buf + sizeof (buf) / 2, 1);
++  TEST_VERIFY (cwd == NULL);
++  TEST_VERIFY (errno == ERANGE);
++
++  for (int i = 0; i < sizeof (buf); i++)
++    if (buf[i] != 'A')
++      {
++	printf ("buf[%d] = %02x\n", i, (unsigned int) buf[i]);
++	support_record_failure ();
++      }
++
++  TEST_VERIFY_EXIT (send (sock, "a", 1, MSG_NOSIGNAL) == 1);
++  xclose (sock);
++  TEST_VERIFY_EXIT (xwaitpid (child_pid, NULL, 0) == child_pid);
++
++  return 0;
++}
++
++#define CLEANUP_HANDLER do_cleanup
++#include <support/test-driver.c>

SOURCES/glibc-rh2032280-5.patch

@@ -0,0 +1,121 @@
+commit de8995a2a04163617c1a233b4b81356ef9f9741f
+Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
+Date:   Wed Mar 10 12:26:30 2021 -0300
+
+    support: Add xclone
+    
+    It is a wrapper for Linux clone syscall, to simplify the call to the
+    use only the most common arguments and remove architecture specific
+    handling (such as ia64 different name and signature).
+
+# Conflicts:
+#	support/Makefile
+
+diff --git a/support/Makefile b/support/Makefile
+index fb95a69ed9158e78..d2b95539403e416c 100644
+--- a/support/Makefile
++++ b/support/Makefile
+@@ -84,6 +84,7 @@ libsupport-routines = \
+   xcalloc \
+   xchdir \
+   xchroot \
++  xclone \
+   xclose \
+   xconnect \
+   xcopy_file_range \
+diff --git a/support/xclone.c b/support/xclone.c
+new file mode 100644
+index 0000000000000000..924d2b875402a819
+--- /dev/null
++++ b/support/xclone.c
+@@ -0,0 +1,50 @@
++/* Auxiliary functions to issue the clone syscall.
++   Copyright (C) 2021 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#ifdef __linux__
++# include <support/check.h>
++# include <stackinfo.h>  /* For _STACK_GROWS_{UP,DOWN}.  */
++# include <xsched.h>
++
++pid_t
++xclone (int (*fn) (void *arg), void *arg, void *stack, size_t stack_size,
++	int flags)
++{
++  pid_t r = -1;
++
++# ifdef __ia64__
++  extern int __clone2 (int (*fn) (void *arg), void *stack, size_t stack_size,
++		       int flags, void *arg, ...);
++  r = __clone2 (f, stack, stack_size, flags, arg, /* ptid */ NULL,
++		/* tls */ NULL, /* ctid  */ ctid);
++# else
++#  if _STACK_GROWS_DOWN
++  r = clone (fn, stack + stack_size, flags, arg, /* ptid */ NULL,
++	     /* tls */ NULL, /* ctid */  NULL);
++#  elif _STACK_GROWS_UP
++  r = clone (fn, stack, flags, arg, /* ptid */ NULL, /* tls */ NULL,
++	     &ctid);
++#  endif
++# endif
++
++  if (r < 0)
++    FAIL_EXIT1 ("clone: %m");
++
++  return r;
++}
++#endif
+diff --git a/support/xsched.h b/support/xsched.h
+new file mode 100644
+index 0000000000000000..eefd731940187b39
+--- /dev/null
++++ b/support/xsched.h
+@@ -0,0 +1,34 @@
++/* Wrapper for sched.h functions.
++   Copyright (C) 2021 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#ifndef SUPPORT_XSCHED_H
++#define SUPPORT_XSCHED_H
++
++__BEGIN_DECLS
++
++#include <sched.h>
++#include <sys/types.h>
++
++#ifdef __linux__
++pid_t xclone (int (*fn) (void *arg), void *arg, void *stack,
++	      size_t stack_size, int flags);
++#endif
++
++__END_DECLS
++
++#endif

SOURCES/glibc-rh2032280-6.patch

@@ -0,0 +1,46 @@
+commit 5b8e7980c5dabd9aaefeba4f0208baa8cf7653ee
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Mon Jan 24 18:14:24 2022 +0100
+
+    Linux: Detect user namespace support in io/tst-getcwd-smallbuff
+    
+    Otherwise the test fails with certain container runtimes.
+    
+    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+diff --git a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
+index d460d6e7662dc5e4..55362f6060a2b3be 100644
+--- a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
++++ b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
+@@ -34,6 +34,7 @@
+ #include <sys/un.h>
+ #include <support/check.h>
+ #include <support/temp_file.h>
++#include <support/test-driver.h>
+ #include <support/xsched.h>
+ #include <support/xunistd.h>
+ 
+@@ -188,6 +189,23 @@ do_test (void)
+   xmkdir (MOUNT_NAME, S_IRWXU);
+   atexit (do_cleanup);
+ 
++  /* Check whether user namespaces are supported.  */
++  {
++    pid_t pid = xfork ();
++    if (pid == 0)
++      {
++	if (unshare (CLONE_NEWUSER | CLONE_NEWNS) != 0)
++	  _exit (EXIT_UNSUPPORTED);
++	else
++	  _exit (0);
++      }
++    int status;
++    xwaitpid (pid, &status, 0);
++    TEST_VERIFY_EXIT (WIFEXITED (status));
++    if (WEXITSTATUS (status) != 0)
++      return WEXITSTATUS (status);
++  }
++
+   TEST_VERIFY_EXIT (socketpair (AF_UNIX, SOCK_STREAM, 0, sockfd) == 0);
+   pid_t child_pid = xclone (child_func, NULL, child_stack,
+ 			    sizeof (child_stack),

SOURCES/glibc-rh2032280-7.patch

@@ -0,0 +1,24 @@
+commit 3842ba494963b1d76ad5f68b8d1e5c2279160e31
+Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
+Date:   Tue Jun 1 09:23:40 2021 +0100
+
+    aarch64: align stack in clone [BZ #27939]
+    
+    The AArch64 PCS requires 16 byte aligned stack.  Previously if the
+    caller passed an unaligned stack to clone then the child crashed.
+    
+    Fixes bug 27939.
+
+diff --git a/sysdeps/unix/sysv/linux/aarch64/clone.S b/sysdeps/unix/sysv/linux/aarch64/clone.S
+index e0653048259dd9a3..4a1a999447ee5cf1 100644
+--- a/sysdeps/unix/sysv/linux/aarch64/clone.S
++++ b/sysdeps/unix/sysv/linux/aarch64/clone.S
+@@ -48,6 +48,8 @@ ENTRY(__clone)
+ 	/* Sanity check args.  */
+ 	mov	x0, #-EINVAL
+ 	cbz	x10, .Lsyscall_error
++	/* Align sp.  */
++	and	x1, x1, -16
+ 	cbz	x1, .Lsyscall_error
+ 
+ 	/* Do the system call.  */

SOURCES/glibc-rh2045062-1.patch

@@ -0,0 +1,164 @@
+commit e368b12f6c16b6888dda99ba641e999b9c9643c8
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Mon Jan 17 10:21:34 2022 +0100
+
+    socket: Add the __sockaddr_un_set function
+    
+    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+# Conflicts:
+#	socket/Makefile
+
+diff --git a/include/sys/un.h b/include/sys/un.h
+index bdbee999806930f4..152afd9fc7426d8b 100644
+--- a/include/sys/un.h
++++ b/include/sys/un.h
+@@ -1 +1,13 @@
+ #include <socket/sys/un.h>
++
++#ifndef _ISOMAC
++
++/* Set ADDR->sun_family to AF_UNIX and ADDR->sun_path to PATHNAME.
++   Return 0 on success or -1 on failure (due to overlong PATHNAME).
++   The caller should always use sizeof (struct sockaddr_un) as the
++   socket address length, disregaring the length of PATHNAME.
++   Only concrete (non-abstract) pathnames are supported.  */
++int __sockaddr_un_set (struct sockaddr_un *addr, const char *pathname)
++  attribute_hidden;
++
++#endif /* _ISOMAC */
+diff --git a/socket/Makefile b/socket/Makefile
+index b41eb071507a6271..8975a65c2aabbfbc 100644
+--- a/socket/Makefile
++++ b/socket/Makefile
+@@ -29,10 +29,14 @@ headers	:= sys/socket.h sys/un.h bits/sockaddr.h bits/socket.h \
+ routines := accept bind connect getpeername getsockname getsockopt	\
+ 	    listen recv recvfrom recvmsg send sendmsg sendto		\
+ 	    setsockopt shutdown socket socketpair isfdtype opensock	\
+-	    sockatmark accept4 recvmmsg sendmmsg
++	    sockatmark accept4 recvmmsg sendmmsg sockaddr_un_set
+ 
+ tests := tst-accept4
+ 
++tests-internal := \
++  tst-sockaddr_un_set \
++  # tests-internal
++
+ aux	 := sa_len
+ 
+ include ../Rules
+diff --git a/socket/sockaddr_un_set.c b/socket/sockaddr_un_set.c
+new file mode 100644
+index 0000000000000000..0bd40dc34e3d7efc
+--- /dev/null
++++ b/socket/sockaddr_un_set.c
+@@ -0,0 +1,41 @@
++/* Set the sun_path member of struct sockaddr_un.
++   Copyright (C) 2022 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#include <errno.h>
++#include <string.h>
++#include <sys/socket.h>
++#include <sys/un.h>
++
++int
++__sockaddr_un_set (struct sockaddr_un *addr, const char *pathname)
++{
++  size_t name_length = strlen (pathname);
++
++  /* The kernel supports names of exactly sizeof (addr->sun_path)
++     bytes, without a null terminator, but userspace does not; see the
++     SUN_LEN macro.  */
++  if (name_length >= sizeof (addr->sun_path))
++    {
++      __set_errno (EINVAL);     /* Error code used by the kernel.  */
++      return -1;
++    }
++
++  addr->sun_family = AF_UNIX;
++  memcpy (addr->sun_path, pathname, name_length + 1);
++  return 0;
++}
+diff --git a/socket/tst-sockaddr_un_set.c b/socket/tst-sockaddr_un_set.c
+new file mode 100644
+index 0000000000000000..29c2a81afda81b5e
+--- /dev/null
++++ b/socket/tst-sockaddr_un_set.c
+@@ -0,0 +1,62 @@
++/* Test the __sockaddr_un_set function.
++   Copyright (C) 2022 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++/* Re-compile the function because the version in libc is not
++   exported.  */
++#include "sockaddr_un_set.c"
++
++#include <support/check.h>
++
++static int
++do_test (void)
++{
++  struct sockaddr_un sun;
++
++  memset (&sun, 0xcc, sizeof (sun));
++  __sockaddr_un_set (&sun, "");
++  TEST_COMPARE (sun.sun_family, AF_UNIX);
++  TEST_COMPARE (__sockaddr_un_set (&sun, ""), 0);
++
++  memset (&sun, 0xcc, sizeof (sun));
++  TEST_COMPARE (__sockaddr_un_set (&sun, "/example"), 0);
++  TEST_COMPARE_STRING (sun.sun_path, "/example");
++
++  {
++    char pathname[108];         /* Length of sun_path (ABI constant).  */
++    memset (pathname, 'x', sizeof (pathname));
++    pathname[sizeof (pathname) - 1] = '\0';
++    memset (&sun, 0xcc, sizeof (sun));
++    TEST_COMPARE (__sockaddr_un_set (&sun, pathname), 0);
++    TEST_COMPARE (sun.sun_family, AF_UNIX);
++    TEST_COMPARE_STRING (sun.sun_path, pathname);
++  }
++
++  {
++    char pathname[109];
++    memset (pathname, 'x', sizeof (pathname));
++    pathname[sizeof (pathname) - 1] = '\0';
++    memset (&sun, 0xcc, sizeof (sun));
++    errno = 0;
++    TEST_COMPARE (__sockaddr_un_set (&sun, pathname), -1);
++    TEST_COMPARE (errno, EINVAL);
++  }
++
++  return 0;
++}
++
++#include <support/test-driver.c>

SOURCES/glibc-rh2045062-2.patch

@@ -0,0 +1,32 @@
+commit 226b46770c82899b555986583294b049c6ec9b40
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Mon Jan 17 10:21:34 2022 +0100
+
+    CVE-2022-23219: Buffer overflow in sunrpc clnt_create for "unix" (bug 22542)
+    
+    Processing an overlong pathname in the sunrpc clnt_create function
+    results in a stack-based buffer overflow.
+    
+    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+diff --git a/sunrpc/clnt_gen.c b/sunrpc/clnt_gen.c
+index 13ced8994e49d4ee..b44357cd88e60599 100644
+--- a/sunrpc/clnt_gen.c
++++ b/sunrpc/clnt_gen.c
+@@ -57,9 +57,13 @@ clnt_create (const char *hostname, u_long prog, u_long vers,
+ 
+   if (strcmp (proto, "unix") == 0)
+     {
+-      memset ((char *)&sun, 0, sizeof (sun));
+-      sun.sun_family = AF_UNIX;
+-      strcpy (sun.sun_path, hostname);
++      if (__sockaddr_un_set (&sun, hostname) < 0)
++	{
++	  struct rpc_createerr *ce = &get_rpc_createerr ();
++	  ce->cf_stat = RPC_SYSTEMERROR;
++	  ce->cf_error.re_errno = errno;
++	  return NULL;
++	}
+       sock = RPC_ANYSOCK;
+       client = clntunix_create (&sun, prog, vers, &sock, 0, 0);
+       if (client == NULL)

SOURCES/glibc-rh2045062-3.patch

@@ -0,0 +1,80 @@
+commit ef972a4c50014a16132b5c75571cfb6b30bef136
+Author: Martin Sebor <msebor@redhat.com>
+Date:   Mon Jan 17 10:21:34 2022 +0100
+
+    sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542)
+    
+    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+# Conflicts:
+#	sunrpc/Makefile
+
+diff --git a/sunrpc/Makefile b/sunrpc/Makefile
+index 85b0b3356aaf81a3..2f8f0597c99e117f 100644
+--- a/sunrpc/Makefile
++++ b/sunrpc/Makefile
+@@ -95,7 +95,8 @@ others += rpcgen
+ endif
+ 
+ tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \
+-  tst-udp-nonblocking
++  tst-udp-nonblocking tst-bug22542
++
+ xtests := tst-getmyaddr
+ 
+ ifeq ($(have-thread-library),yes)
+@@ -246,3 +247,4 @@ $(objpfx)tst-udp-timeout: $(common-objpfx)linkobj/libc.so
+ $(objpfx)tst-udp-nonblocking: $(common-objpfx)linkobj/libc.so
+ $(objpfx)tst-udp-garbage: \
+   $(common-objpfx)linkobj/libc.so $(shared-thread-library)
++$(objpfx)tst-bug22542: $(common-objpfx)linkobj/libc.so
+diff --git a/sunrpc/tst-bug22542.c b/sunrpc/tst-bug22542.c
+new file mode 100644
+index 0000000000000000..d6cd79787bdef21d
+--- /dev/null
++++ b/sunrpc/tst-bug22542.c
+@@ -0,0 +1,44 @@
++/* Test to verify that overlong hostname is rejected by clnt_create
++   and doesn't cause a buffer overflow (bug  22542).
++
++   Copyright (C) 2022 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#include <errno.h>
++#include <rpc/clnt.h>
++#include <string.h>
++#include <support/check.h>
++#include <sys/socket.h>
++#include <sys/un.h>
++
++static int
++do_test (void)
++{
++  /* Create an arbitrary hostname that's longer than fits in sun_path.  */
++  char name [sizeof ((struct sockaddr_un*)0)->sun_path * 2];
++  memset (name, 'x', sizeof name - 1);
++  name [sizeof name - 1] = '\0';
++
++  errno = 0;
++  CLIENT *clnt = clnt_create (name, 0, 0, "unix");
++
++  TEST_VERIFY (clnt == NULL);
++  TEST_COMPARE (errno, EINVAL);
++  return 0;
++}
++
++#include <support/test-driver.c>

SOURCES/glibc-rh2045062-4.patch

@@ -0,0 +1,101 @@
+commit f545ad4928fa1f27a3075265182b38a4f939a5f7
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Mon Jan 17 10:21:34 2022 +0100
+
+    CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug 28768)
+    
+    The sunrpc function svcunix_create suffers from a stack-based buffer
+    overflow with overlong pathname arguments.
+    
+    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+diff --git a/sunrpc/Makefile b/sunrpc/Makefile
+index 2f8f0597c99e117f..5f7087aee494cc2e 100644
+--- a/sunrpc/Makefile
++++ b/sunrpc/Makefile
+@@ -95,7 +95,7 @@ others += rpcgen
+ endif
+ 
+ tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \
+-  tst-udp-nonblocking tst-bug22542
++  tst-udp-nonblocking tst-bug22542 tst-bug28768
+ 
+ xtests := tst-getmyaddr
+ 
+diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c
+index c2c076aa87f0a2ad..8fac2b35da1d38a5 100644
+--- a/sunrpc/svc_unix.c
++++ b/sunrpc/svc_unix.c
+@@ -154,7 +154,10 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path)
+   SVCXPRT *xprt;
+   struct unix_rendezvous *r;
+   struct sockaddr_un addr;
+-  socklen_t len = sizeof (struct sockaddr_in);
++  socklen_t len = sizeof (addr);
++
++  if (__sockaddr_un_set (&addr, path) < 0)
++    return NULL;
+ 
+   if (sock == RPC_ANYSOCK)
+     {
+@@ -165,12 +168,6 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path)
+ 	}
+       madesock = TRUE;
+     }
+-  memset (&addr, '\0', sizeof (addr));
+-  addr.sun_family = AF_UNIX;
+-  len = strlen (path) + 1;
+-  memcpy (addr.sun_path, path, len);
+-  len += sizeof (addr.sun_family);
+-
+   __bind (sock, (struct sockaddr *) &addr, len);
+ 
+   if (__getsockname (sock, (struct sockaddr *) &addr, &len) != 0
+diff --git a/sunrpc/tst-bug28768.c b/sunrpc/tst-bug28768.c
+new file mode 100644
+index 0000000000000000..35a4b7b0b3d34350
+--- /dev/null
++++ b/sunrpc/tst-bug28768.c
+@@ -0,0 +1,42 @@
++/* Test to verify that long path is rejected by svcunix_create (bug 28768).
++   Copyright (C) 2022 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#include <errno.h>
++#include <rpc/svc.h>
++#include <shlib-compat.h>
++#include <string.h>
++#include <support/check.h>
++
++/* svcunix_create does not have a default version in linkobj/libc.so.  */
++compat_symbol_reference (libc, svcunix_create, svcunix_create, GLIBC_2_1);
++
++static int
++do_test (void)
++{
++  char pathname[109];
++  memset (pathname, 'x', sizeof (pathname));
++  pathname[sizeof (pathname) - 1] = '\0';
++
++  errno = 0;
++  TEST_VERIFY (svcunix_create (RPC_ANYSOCK, 4096, 4096, pathname) == NULL);
++  TEST_COMPARE (errno, EINVAL);
++
++  return 0;
++}
++
++#include <support/test-driver.c>

SOURCES/glibc-rh2045062-5.patch

@@ -0,0 +1,54 @@
+commit 36f6e408845c8c539128f3fb9cb132bf1845a2c8
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Tue Mar 9 21:07:24 2021 +0100
+
+    <shlib-compat.h>: Support compat_symbol_reference for _ISOMAC
+    
+    This is helpful for testing compat symbols in cases where _ISOMAC
+    is activated implicitly due to -DMODULE_NAME=testsuite and cannot
+    be disabled easily.
+
+diff --git a/include/libc-symbols.h b/include/libc-symbols.h
+index 41436050d060b89f..44e12b63d40cc572 100644
+--- a/include/libc-symbols.h
++++ b/include/libc-symbols.h
+@@ -59,6 +59,19 @@
+ # define IN_MODULE (-1)
+ #endif
+ 
++/* Use symbol_version_reference to specify the version a symbol
++   reference should link to.  Use symbol_version or
++   default_symbol_version for the definition of a versioned symbol.
++   The difference is that the latter is a no-op in non-shared
++   builds.  */
++#ifdef __ASSEMBLER__
++# define symbol_version_reference(real, name, version) \
++     .symver real, name##@##version
++#else  /* !__ASSEMBLER__ */
++# define symbol_version_reference(real, name, version) \
++  __asm__ (".symver " #real "," #name "@" #version)
++#endif
++
+ #ifndef _ISOMAC
+ 
+ /* This is defined for the compilation of all C library code.  features.h
+@@ -388,19 +401,6 @@ for linking")
+    past the last element in SET.  */
+ #define symbol_set_end_p(set, ptr) ((ptr) >= (void *const *) &__stop_##set)
+ 
+-/* Use symbol_version_reference to specify the version a symbol
+-   reference should link to.  Use symbol_version or
+-   default_symbol_version for the definition of a versioned symbol.
+-   The difference is that the latter is a no-op in non-shared
+-   builds.  */
+-#ifdef __ASSEMBLER__
+-# define symbol_version_reference(real, name, version) \
+-     .symver real, name##@##version
+-#else  /* !__ASSEMBLER__ */
+-# define symbol_version_reference(real, name, version) \
+-  __asm__ (".symver " #real "," #name "@" #version)
+-#endif
+-
+ #ifdef SHARED
+ # define symbol_version(real, name, version) \
+   symbol_version_reference(real, name, version)

SPECS/glibc.spec

@@ -1,6 +1,6 @@
 %define glibcsrcdir glibc-2.28
 %define glibcversion 2.28
-%define glibcrelease 164%{?dist}
+%define glibcrelease 164%{?dist}.3
 # Pre-release tarballs are pulled in from git using a command that is
 # effectively:
 #
@@ -719,6 +719,18 @@ Patch582: glibc-rh1966472-1.patch
 Patch583: glibc-rh1966472-2.patch
 Patch584: glibc-rh1966472-3.patch
 Patch585: glibc-rh1966472-4.patch
+Patch586: glibc-rh2032280-1.patch
+Patch587: glibc-rh2032280-2.patch
+Patch588: glibc-rh2032280-3.patch
+Patch589: glibc-rh2032280-4.patch
+Patch590: glibc-rh2032280-5.patch
+Patch591: glibc-rh2032280-6.patch
+Patch592: glibc-rh2032280-7.patch
+Patch593: glibc-rh2045062-1.patch
+Patch594: glibc-rh2045062-2.patch
+Patch595: glibc-rh2045062-3.patch
+Patch596: glibc-rh2045062-4.patch
+Patch597: glibc-rh2045062-5.patch
 
 ##############################################################################
 # Continued list of core "glibc" package information:
@@ -2631,6 +2643,17 @@ fi
 %files -f compat-libpthread-nonshared.filelist -n compat-libpthread-nonshared
 
 %changelog
+* Thu Jan 27 2022 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.28-164.3
+- CVE-2021-3999: getcwd: align stack on clone in aarch64 and fix a memory leak
+  (#2032280)
+
+* Wed Jan 26 2022 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.28-164.2
+- CVE-2022-23218, CVE-2022-23219: Fix buffer overflows in sunrpc clnt_create
+  for "unix" and svcunix_create (#2045062).
+
+* Mon Jan 24 2022 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.28-164.1
+- CVE-2021-3999: getcwd: Set errno to ERANGE for size == 1 (#2032280)
+
 * Mon Aug  9 2021 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.28-164
 - librt: fix NULL pointer dereference (#1966472).