metalefty/glibc
1
0
Fork 0
forked from rpms/glibc
Code Pull Requests Activity

import CS git glibc-2.28-251.el8_10.31

Browse Source
This commit is contained in:
AlmaLinux RelEng Bot 2026-03-17 12:31:29 -04:00
parent 82f5125cec
commit 0904f9acfe
5 changed files with 374 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
SOURCES/glibc-RHEL-141849.patch Normal file
View File

@ -0,0 +1,70 @@
commit e56ff82d5034ec66c6a78f517af6faa427f65b0b
Author: Carlos O'Donell <carlos@redhat.com>
Date: Thu Jan 15 15:09:38 2026 -0500
resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915)
The default network value of zero for net was never tested for and
results in a DNS query constructed from uninitialized stack bytes.
The solution is to provide a default query for the case where net
is zero.
Adding a test case for this was straight forward given the existence of
tst-resolv-network and if the test is added without the fix you observe
this failure:
FAIL: resolv/tst-resolv-network
original exit status 1
error: tst-resolv-network.c:174: invalid QNAME: \146\218\129\128
error: 1 test failures
With a random QNAME resulting from the use of uninitialized stack bytes.
After the fix the test passes.
Additionally verified using wireshark before and after to ensure
on-the-wire bytes for the DNS query were as expected.
No regressions on x86_64.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
index 61bddd754f2d73c0..cbab554f1e761016 100644
--- a/resolv/nss_dns/dns-network.c
+++ b/resolv/nss_dns/dns-network.c
@@ -207,6 +207,10 @@ _nss_dns_getnetbyaddr_r (uint32_t net, int type, struct netent *result,
sprintf (qbuf, "%u.%u.%u.%u.in-addr.arpa", net_bytes[3], net_bytes[2],
net_bytes[1], net_bytes[0]);
break;
+ default:
+ /* Default network (net is originally zero). */
+ strcpy (qbuf, "0.0.0.0.in-addr.arpa");
+ break;
}
net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024);
diff --git a/resolv/tst-resolv-network.c b/resolv/tst-resolv-network.c
index 4b862d57e65276e5..afc1874160179fcc 100644
--- a/resolv/tst-resolv-network.c
+++ b/resolv/tst-resolv-network.c
@@ -46,6 +46,9 @@ handle_code (const struct resolv_response_context *ctx,
{
switch (code)
{
+ case 0:
+ send_ptr (b, qname, qclass, qtype, "0.in-addr.arpa");
+ break;
case 1:
send_ptr (b, qname, qclass, qtype, "1.in-addr.arpa");
break;
@@ -259,6 +262,9 @@ do_test (void)
"error: NO_RECOVERY\n");
/* Lookup by address, success cases. */
+ check_reverse (0,
+ "name: 0.in-addr.arpa\n"
+ "net: 0x00000000\n");
check_reverse (1,
"name: 1.in-addr.arpa\n"
"net: 0x00000001\n");

84
SOURCES/glibc-RHEL-142194.patch Normal file
View File

@ -0,0 +1,84 @@
commit 7b543dcdf97d07fd4346feb17916e08fe83ad0ae
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Jan 15 22:29:46 2026 +0100
elf: Ignore LD_PROFILE if LD_PROFILE_OUTPUT is not set (bug 33797)
The previous default for LD_PROFILE_OUTPUT, /var/tmp, is insecure
because it's typically a 1777 directory, and other systems could
place malicious files there which interfere with execution.
Requiring the user to specify a profiling directory mitigates
the impact of bug 33797. Clear LD_PROFILE_OUTPUT alongside
with LD_PROFILE.
Rework the test not to use predictable file names.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Conflicts:
elf/rtld.c
(different implementation of environment variable filtering
downstream, incorporate changes from upstream commit
4a133885a7c8ae7ebe34e36fcdb353f8e94c810f, adjust for
GLRO(_dl_profile_output) use in glibc-rh2047981-44.patch)
elf/tst-env-setuid.c
(no LD_PROFILE test downstream)
diff --git a/elf/rtld.c b/elf/rtld.c
index 48698f93a4873a6d..848f6f51d093f313 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -2684,11 +2684,9 @@ process_envvars (struct dl_main_state *state)
char *envline;
char *debug_output = NULL;
- /* This is the default place for profiling data file. As a side
- effect, this marks ld.so as initialized, so that the rtld_active
- function returns true from now on. */
- GLRO(dl_profile_output)
- = &"/var/tmp\0/var/profile"[__libc_enable_secure ? 9 : 0];
+ /* This marks ld.so as initialized, so that the rtld_active function
+ returns true from now on. "" means no default. */
+ GLRO(dl_profile_output) = "";
while ((envline = _dl_next_ld_env_entry (&runp)) != NULL)
{
@@ -2738,7 +2736,8 @@ process_envvars (struct dl_main_state *state)
}
/* Which shared object shall be profiled. */
- if (memcmp (envline, "PROFILE", 7) == 0 && envline[8] != '\0')
+ if (!__libc_enable_secure
+ && memcmp (envline, "PROFILE", 7) == 0 && envline[8] != '\0')
GLRO(dl_profile) = &envline[8];
break;
@@ -2899,6 +2898,15 @@ process_envvars (struct dl_main_state *state)
/* We use standard output if opening the file failed. */
GLRO(dl_debug_fd) = STDOUT_FILENO;
}
+
+ /* There is no fixed, safe directory to store profiling data, so
+ activate LD_PROFILE only if LD_PROFILE_OUTPUT is set as well. */
+ if (GLRO(dl_profile) != NULL && *GLRO(dl_profile_output) == '\0')
+ {
+ _dl_error_printf ("\
+warning: LD_PROFILE ignored because LD_PROFILE_OUTPUT not specified\n");
+ GLRO(dl_profile) = NULL;
+ }
}
#if HP_TIMING_INLINE
diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h
index 5ea8a4a259ef753c..0b84642f71ae9351 100644
--- a/sysdeps/generic/unsecvars.h
+++ b/sysdeps/generic/unsecvars.h
@@ -21,6 +21,7 @@
"LD_ORIGIN_PATH\0" \
"LD_PRELOAD\0" \
"LD_PROFILE\0" \
+ "LD_PROFILE_OUTPUT\0" \
"LD_SHOW_AUXV\0" \
"LD_USE_LOAD_BIAS\0" \
"LOCALDOMAIN\0" \

174
SOURCES/glibc-RHEL-142787-1.patch Normal file
View File

@ -0,0 +1,174 @@
commit 80cc58ea2de214f85b0a1d902a3b668ad2ecb302
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date: Thu Jan 15 10:32:19 2026 -0300
posix: Reset wordexp_t fields with WRDE_REUSE (CVE-2025-15281 / BZ 33814)
The wordexp fails to properly initialize the input wordexp_t when
WRDE_REUSE is used. The wordexp_t struct is properly freed, but
reuses the old wc_wordc value and updates the we_wordv in the
wrong position. A later wordfree will then call free with an
invalid pointer.
Checked on x86_64-linux-gnu and i686-linux-gnu.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Conflicts:
posix/Makefile
(Makefile not sorted downstream)
diff --git a/posix/Makefile b/posix/Makefile
index 42a0290370b40fd9..e546b8d667b9c6c4 100644
--- a/posix/Makefile
+++ b/posix/Makefile
@@ -96,7 +96,8 @@ tests := test-errno tstgetopt testfnm runtests runptests \
tst-posix_fadvise tst-posix_fadvise64 \
tst-sysconf-empty-chroot tst-glob_symlinks tst-fexecve \
tst-glob-tilde test-ssize-max tst-spawn4 bug-regex37 \
- bug-regex38 tst-regcomp-truncated tst-regcomp-bracket-free
+ bug-regex38 tst-regcomp-truncated tst-regcomp-bracket-free \
+ tst-wordexp-reuse
tests-internal := bug-regex5 bug-regex20 bug-regex33 \
tst-rfc3484 tst-rfc3484-2 tst-rfc3484-3 \
tst-glob_lstat_compat tst-spawn4-compat
@@ -128,7 +129,8 @@ generated += $(addprefix wordexp-test-result, 1 2 3 4 5 6 7 8 9 10) \
tst-boost.mtrace bug-ga2.mtrace bug-ga2-mem.out \
bug-glob2.mtrace bug-glob2-mem.out tst-vfork3-mem.out \
tst-vfork3.mtrace getconf.speclist tst-fnmatch-mem.out \
- tst-fnmatch.mtrace bug-regex36.mtrace
+ tst-fnmatch.mtrace bug-regex36.mtrace \
+ tst-wordexp-reuse-mem.out tst-wordexp-reuse.mtrace
ifeq ($(run-built-tests),yes)
ifeq (yes,$(build-shared))
@@ -146,7 +148,8 @@ tests-special += $(objpfx)bug-regex2-mem.out $(objpfx)bug-regex14-mem.out \
$(objpfx)tst-boost-mem.out $(objpfx)tst-getconf.out \
$(objpfx)bug-glob2-mem.out $(objpfx)tst-vfork3-mem.out \
$(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out \
- $(objpfx)tst-glob-tilde-mem.out
+ $(objpfx)tst-glob-tilde-mem.out \
+ $(objpfx)tst-wordexp-reuse.out
xtests-special += $(objpfx)bug-ga2-mem.out
endif
@@ -387,3 +390,10 @@ $(objpfx)posix-conf-vars-def.h: $(..)scripts/gen-posix-conf-vars.awk \
$(make-target-directory)
$(AWK) -f $(filter-out Makefile, $^) > $@.tmp
mv -f $@.tmp $@
+
+tst-wordexp-reuse-ENV += MALLOC_TRACE=$(objpfx)tst-wordexp-reuse.mtrace \
+ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
+
+$(objpfx)tst-wordexp-reuse-mem.out: $(objpfx)tst-wordexp-reuse.out
+ $(common-objpfx)malloc/mtrace $(objpfx)tst-wordexp-reuse.mtrace > $@; \
+ $(evaluate-test)
diff --git a/posix/tst-wordexp-reuse.c b/posix/tst-wordexp-reuse.c
new file mode 100644
index 0000000000000000..3926b9f5576750ac
--- /dev/null
+++ b/posix/tst-wordexp-reuse.c
@@ -0,0 +1,89 @@
+/* Test for wordexp with WRDE_REUSE flag.
+ Copyright (C) 2026 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include <wordexp.h>
+#include <mcheck.h>
+
+#include <support/check.h>
+
+static int
+do_test (void)
+{
+ mtrace ();
+
+ {
+ wordexp_t p = { 0 };
+ TEST_COMPARE (wordexp ("one", &p, 0), 0);
+ TEST_COMPARE (p.we_wordc, 1);
+ TEST_COMPARE_STRING (p.we_wordv[0], "one");
+ TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE), 0);
+ TEST_COMPARE (p.we_wordc, 1);
+ TEST_COMPARE_STRING (p.we_wordv[0], "two");
+ wordfree (&p);
+ }
+
+ {
+ wordexp_t p = { .we_offs = 2 };
+ TEST_COMPARE (wordexp ("one", &p, 0), 0);
+ TEST_COMPARE (p.we_wordc, 1);
+ TEST_COMPARE_STRING (p.we_wordv[0], "one");
+ TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE | WRDE_DOOFFS), 0);
+ TEST_COMPARE (p.we_wordc, 1);
+ TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "two");
+ wordfree (&p);
+ }
+
+ {
+ wordexp_t p = { 0 };
+ TEST_COMPARE (wordexp ("one", &p, 0), 0);
+ TEST_COMPARE (p.we_wordc, 1);
+ TEST_COMPARE_STRING (p.we_wordv[0], "one");
+ TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE | WRDE_APPEND), 0);
+ TEST_COMPARE (p.we_wordc, 1);
+ TEST_COMPARE_STRING (p.we_wordv[0], "two");
+ wordfree (&p);
+ }
+
+ {
+ wordexp_t p = { .we_offs = 2 };
+ TEST_COMPARE (wordexp ("one", &p, WRDE_DOOFFS), 0);
+ TEST_COMPARE (p.we_wordc, 1);
+ TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "one");
+ TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE
+ | WRDE_DOOFFS), 0);
+ TEST_COMPARE (p.we_wordc, 1);
+ TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "two");
+ wordfree (&p);
+ }
+
+ {
+ wordexp_t p = { .we_offs = 2 };
+ TEST_COMPARE (wordexp ("one", &p, WRDE_DOOFFS), 0);
+ TEST_COMPARE (p.we_wordc, 1);
+ TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "one");
+ TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE
+ | WRDE_DOOFFS | WRDE_APPEND), 0);
+ TEST_COMPARE (p.we_wordc, 1);
+ TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "two");
+ wordfree (&p);
+ }
+
+ return 0;
+}
+
+#include <support/test-driver.c>
diff --git a/posix/wordexp.c b/posix/wordexp.c
index 4061969c720f1f34..0f503b1877d2ce5b 100644
--- a/posix/wordexp.c
+++ b/posix/wordexp.c
@@ -2241,7 +2241,9 @@ wordexp (const char *words, wordexp_t *pwordexp, int flags)
{
/* Minimal implementation of WRDE_REUSE for now */
wordfree (pwordexp);
+ old_word.we_wordc = 0;
old_word.we_wordv = NULL;
+ pwordexp->we_wordc = 0;
}
if ((flags & WRDE_APPEND) == 0)

29
SOURCES/glibc-RHEL-142787-2.patch Normal file
View File

@ -0,0 +1,29 @@
commit bed2db02f3183e93f21d506786c5f884a1dec9e7
Author: Florian Weimer <fweimer@redhat.com>
Date: Mon Jan 26 17:12:37 2026 +0100
posix: Run tst-wordexp-reuse-mem test
The test was not properly scheduled for execution with a Makefile
dependency.
Fixes commit 80cc58ea2de214f85b0a1d902a3b668ad2ecb302 ("posix: Reset
wordexp_t fields with WRDE_REUSE (CVE-2025-15281 / BZ 33814").
Conflicts:
posix/Makefile
(Makefile not sorted downstream)
diff --git a/posix/Makefile b/posix/Makefile
index e546b8d667b9c6c4..b399b1dab0a8cb9c 100644
--- a/posix/Makefile
+++ b/posix/Makefile
@@ -149,7 +149,7 @@ tests-special += $(objpfx)bug-regex2-mem.out $(objpfx)bug-regex14-mem.out \
$(objpfx)bug-glob2-mem.out $(objpfx)tst-vfork3-mem.out \
$(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out \
$(objpfx)tst-glob-tilde-mem.out \
- $(objpfx)tst-wordexp-reuse.out
+ $(objpfx)tst-wordexp-reuse-mem.out
xtests-special += $(objpfx)bug-ga2-mem.out
endif

18
SPECS/glibc.spec
View File

@ -115,7 +115,7 @@ end \
Summary: The GNU libc libraries
Name: glibc
Version: %{glibcversion}
Release: %{glibcrelease}.27
Release: %{glibcrelease}.31
# In general, GPLv2+ is used by programs, LGPLv2+ is used for
# libraries.
@ -1295,6 +1295,10 @@ Patch1060: glibc-RHEL-72011-5.patch
Patch1061: glibc-RHEL-72011-6.patch
Patch1062: glibc-RHEL-72011-7.patch
Patch1063: glibc-RHEL-72011-8.patch
Patch1064: glibc-RHEL-141849.patch
Patch1065: glibc-RHEL-142194.patch
Patch1066: glibc-RHEL-142787-1.patch
Patch1067: glibc-RHEL-142787-2.patch
##############################################################################
# Continued list of core "glibc" package information:
@ -2956,6 +2960,18 @@ fi
%{_libdir}/libpthread_nonshared.a
%changelog
* Mon Jan 26 2026 Florian Weimer <fweimer@redhat.com> - 2.28-251.31
- CVE-2025-15281: wordexp WRDE_REUSE uninitialized memory read (RHEL-142787)
* Mon Jan 19 2026 Florian Weimer <fweimer@redhat.com> - 2.28-251.30
- Remove default /var/tmp for LD_PROFILE_OUTPUT (RHEL-142194)
* Mon Jan 19 2026 Florian Weimer <fweimer@redhat.com> - 2.28-251.29
- rpminspect.yaml: note that glibc-minimal-langpack is empty (RHEL-123889)
* Fri Jan 16 2026 Florian Weimer <fweimer@redhat.com> - 2.28-251.28
- CVE-2026-0915: Stack memory disclosure in getnetbyaddr (RHEL-141849)
* Thu Nov 20 2025 Arjun Shankar <arjun@redhat.com> - 2.28-251.27
- Fix a segmentation fault in multi-threaded multi-namespace programs using
ctype.h macros (RHEL-72011)