From 0904f9acfeef082071f3c8b337c229d1bb1569e8 Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Tue, 17 Mar 2026 12:31:29 -0400
Subject: [PATCH] import CS git glibc-2.28-251.el8_10.31
---
 SOURCES/glibc-RHEL-141849.patch | 70 ++++++++++++
 SOURCES/glibc-RHEL-142194.patch | 84 +++++++++++++++
 SOURCES/glibc-RHEL-142787-1.patch | 174 ++++++++++++++++++++++++++++++
 SOURCES/glibc-RHEL-142787-2.patch | 29 +++++
 SPECS/glibc.spec | 18 +++-
 5 files changed, 374 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/glibc-RHEL-141849.patch
 create mode 100644 SOURCES/glibc-RHEL-142194.patch
 create mode 100644 SOURCES/glibc-RHEL-142787-1.patch
 create mode 100644 SOURCES/glibc-RHEL-142787-2.patch
diff --git a/SOURCES/glibc-RHEL-141849.patch b/SOURCES/glibc-RHEL-141849.patch
new file mode 100644
index 0000000..e9924bc
--- /dev/null
+++ b/SOURCES/glibc-RHEL-141849.patch
@@ -0,0 +1,70 @@
+commit e56ff82d5034ec66c6a78f517af6faa427f65b0b
+Author: Carlos O'Donell
+Date: Thu Jan 15 15:09:38 2026 -0500
+
+ resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915)
+
+ The default network value of zero for net was never tested for and
+ results in a DNS query constructed from uninitialized stack bytes.
+ The solution is to provide a default query for the case where net
+ is zero.
+
+ Adding a test case for this was straight forward given the existence of
+ tst-resolv-network and if the test is added without the fix you observe
+ this failure:
+
+ FAIL: resolv/tst-resolv-network
+ original exit status 1
+ error: tst-resolv-network.c:174: invalid QNAME: \146\218\129\128
+ error: 1 test failures
+
+ With a random QNAME resulting from the use of uninitialized stack bytes.
+
+ After the fix the test passes.
+
+ Additionally verified using wireshark before and after to ensure
+ on-the-wire bytes for the DNS query were as expected.
+
+ No regressions on x86_64.
+
+ Reviewed-by: Florian Weimer
+
+diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
+index 61bddd754f2d73c0..cbab554f1e761016 100644
+--- a/resolv/nss_dns/dns-network.c
++++ b/resolv/nss_dns/dns-network.c
+@@ -207,6 +207,10 @@ _nss_dns_getnetbyaddr_r (uint32_t net, int type, struct netent *result,
+ sprintf (qbuf, "%u.%u.%u.%u.in-addr.arpa", net_bytes[3], net_bytes[2],
+ net_bytes[1], net_bytes[0]);
+ break;
++ default:
++ /* Default network (net is originally zero). */
++ strcpy (qbuf, "0.0.0.0.in-addr.arpa");
++ break;
+ }
+
+ net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024);
+diff --git a/resolv/tst-resolv-network.c b/resolv/tst-resolv-network.c
+index 4b862d57e65276e5..afc1874160179fcc 100644
+--- a/resolv/tst-resolv-network.c
++++ b/resolv/tst-resolv-network.c
+@@ -46,6 +46,9 @@ handle_code (const struct resolv_response_context *ctx,
+ {
+ switch (code)
+ {
++ case 0:
++ send_ptr (b, qname, qclass, qtype, "0.in-addr.arpa");
++ break;
+ case 1:
+ send_ptr (b, qname, qclass, qtype, "1.in-addr.arpa");
+ break;
+@@ -259,6 +262,9 @@ do_test (void)
+ "error: NO_RECOVERY\n");
+
+ /* Lookup by address, success cases. */
++ check_reverse (0,
++ "name: 0.in-addr.arpa\n"
++ "net: 0x00000000\n");
+ check_reverse (1,
+ "name: 1.in-addr.arpa\n"
+ "net: 0x00000001\n");
diff --git a/SOURCES/glibc-RHEL-142194.patch b/SOURCES/glibc-RHEL-142194.patch
new file mode 100644
index 0000000..264e112
--- /dev/null
+++ b/SOURCES/glibc-RHEL-142194.patch
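Review bot: The `default:` arm added to the switch in `_nss_dns_getnetbyaddr_r` takes every selector value the switch does not name, while its comment ties it to a zero net only; the switch head and the earlier case labels lie outside the hunk, so that cannot be checked from here. If zero is the only input meant to land there, I would spell the invariant out in the comment, for example `/* Reached only when net is zero; use a fixed name instead of formatting net_bytes. */`, so a later edit to the switch does not silently turn other values into a constant query. The literal is no longer than any name the four-field `sprintf` case above it produces, so the `strcpy` adds no new length concern for `qbuf`, whose declaration is also outside the hunk.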
@@ -0,0 +1,84 @@
+commit 7b543dcdf97d07fd4346feb17916e08fe83ad0ae
+Author: Florian Weimer
+Date: Thu Jan 15 22:29:46 2026 +0100
+
+ elf: Ignore LD_PROFILE if LD_PROFILE_OUTPUT is not set (bug 33797)
+
+ The previous default for LD_PROFILE_OUTPUT, /var/tmp, is insecure
+ because it's typically a 1777 directory, and other systems could
+ place malicious files there which interfere with execution.
+
+ Requiring the user to specify a profiling directory mitigates
+ the impact of bug 33797. Clear LD_PROFILE_OUTPUT alongside
+ with LD_PROFILE.
+
+ Rework the test not to use predictable file names.
+
+ Reviewed-by: Carlos O'Donell
+
+Conflicts:
+ elf/rtld.c
+ (different implementation of environment variable filtering
+ downstream, incorporate changes from upstream commit
+ 4a133885a7c8ae7ebe34e36fcdb353f8e94c810f, adjust for
+ GLRO(_dl_profile_output) use in glibc-rh2047981-44.patch)
+ elf/tst-env-setuid.c
+ (no LD_PROFILE test downstream)
+
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 48698f93a4873a6d..848f6f51d093f313 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -2684,11 +2684,9 @@ process_envvars (struct dl_main_state *state)
+ char *envline;
+ char *debug_output = NULL;
+
+- /* This is the default place for profiling data file. As a side
+- effect, this marks ld.so as initialized, so that the rtld_active
+- function returns true from now on. */
+- GLRO(dl_profile_output)
+- = &"/var/tmp\0/var/profile"[__libc_enable_secure ? 9 : 0];
++ /* This marks ld.so as initialized, so that the rtld_active function
++ returns true from now on. "" means no default. */
++ GLRO(dl_profile_output) = "";
+
+ while ((envline = _dl_next_ld_env_entry (&runp)) != NULL)
+ {
+@@ -2738,7 +2736,8 @@ process_envvars (struct dl_main_state *state)
+ }
+
+ /* Which shared object shall be profiled. */
+- if (memcmp (envline, "PROFILE", 7) == 0 && envline[8] != '\0')
++ if (!__libc_enable_secure
++ && memcmp (envline, "PROFILE", 7) == 0 && envline[8] != '\0')
+ GLRO(dl_profile) = &envline[8];
+ break;
+
+@@ -2899,6 +2898,15 @@ process_envvars (struct dl_main_state *state)
+ /* We use standard output if opening the file failed. */
+ GLRO(dl_debug_fd) = STDOUT_FILENO;
+ }
++
++ /* There is no fixed, safe directory to store profiling data, so
++ activate LD_PROFILE only if LD_PROFILE_OUTPUT is set as well. */
++ if (GLRO(dl_profile) != NULL && *GLRO(dl_profile_output) == '\0')
++ {
++ _dl_error_printf ("\
++warning: LD_PROFILE ignored because LD_PROFILE_OUTPUT not specified\n");
++ GLRO(dl_profile) = NULL;
++ }
+ }
+
+ #if HP_TIMING_INLINE
+diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h
+index 5ea8a4a259ef753c..0b84642f71ae9351 100644
+--- a/sysdeps/generic/unsecvars.h
++++ b/sysdeps/generic/unsecvars.h
+@@ -21,6 +21,7 @@
+ "LD_ORIGIN_PATH\0" \
+ "LD_PRELOAD\0" \
+ "LD_PROFILE\0" \
++ "LD_PROFILE_OUTPUT\0" \
+ "LD_SHOW_AUXV\0" \
+ "LD_USE_LOAD_BIAS\0" \
+ "LOCALDOMAIN\0" \
diff --git a/SOURCES/glibc-RHEL-142787-1.patch b/SOURCES/glibc-RHEL-142787-1.patch
new file mode 100644
index 0000000..80c247c
--- /dev/null
+++ b/SOURCES/glibc-RHEL-142787-1.patch
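Review bot: The security-relevant changes to `process_envvars` in elf/rtld.c land without any regression test: the Conflicts note records that `elf/tst-env-setuid.c` has no LD_PROFILE test downstream, and the test rework the upstream message mentions is not part of this patch. That leaves both the new `!__libc_enable_secure` guard on `PROFILE` and the block that resets `GLRO(dl_profile)` when `*GLRO(dl_profile_output) == '\0'` unexercised in this package. I would add a downstream check that a process with `__libc_enable_secure` set ignores LD_PROFILE and LD_PROFILE_OUTPUT, and that LD_PROFILE on its own prints the warning and produces no profile file. The sentinel comment could also say where the value is read, e.g. `/* "" means no default; tested after the loop to switch LD_PROFILE off. */`. The function body extends beyond all three hunks.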
@@ -0,0 +1,174 @@
+commit 80cc58ea2de214f85b0a1d902a3b668ad2ecb302
+Author: Adhemerval Zanella
+Date: Thu Jan 15 10:32:19 2026 -0300
+
+ posix: Reset wordexp_t fields with WRDE_REUSE (CVE-2025-15281 / BZ 33814)
+
+ The wordexp fails to properly initialize the input wordexp_t when
+ WRDE_REUSE is used. The wordexp_t struct is properly freed, but
+ reuses the old wc_wordc value and updates the we_wordv in the
+ wrong position. A later wordfree will then call free with an
+ invalid pointer.
+
+ Checked on x86_64-linux-gnu and i686-linux-gnu.
+
+ Reviewed-by: Carlos O'Donell
+
+Conflicts:
+ posix/Makefile
+ (Makefile not sorted downstream)
+
+diff --git a/posix/Makefile b/posix/Makefile
+index 42a0290370b40fd9..e546b8d667b9c6c4 100644
+--- a/posix/Makefile
++++ b/posix/Makefile
+@@ -96,7 +96,8 @@ tests := test-errno tstgetopt testfnm runtests runptests \
+ tst-posix_fadvise tst-posix_fadvise64 \
+ tst-sysconf-empty-chroot tst-glob_symlinks tst-fexecve \
+ tst-glob-tilde test-ssize-max tst-spawn4 bug-regex37 \
+- bug-regex38 tst-regcomp-truncated tst-regcomp-bracket-free
++ bug-regex38 tst-regcomp-truncated tst-regcomp-bracket-free \
++ tst-wordexp-reuse
+ tests-internal := bug-regex5 bug-regex20 bug-regex33 \
+ tst-rfc3484 tst-rfc3484-2 tst-rfc3484-3 \
+ tst-glob_lstat_compat tst-spawn4-compat
+@@ -128,7 +129,8 @@ generated += $(addprefix wordexp-test-result, 1 2 3 4 5 6 7 8 9 10) \
+ tst-boost.mtrace bug-ga2.mtrace bug-ga2-mem.out \
+ bug-glob2.mtrace bug-glob2-mem.out tst-vfork3-mem.out \
+ tst-vfork3.mtrace getconf.speclist tst-fnmatch-mem.out \
+- tst-fnmatch.mtrace bug-regex36.mtrace
++ tst-fnmatch.mtrace bug-regex36.mtrace \
++ tst-wordexp-reuse-mem.out tst-wordexp-reuse.mtrace
+
+ ifeq ($(run-built-tests),yes)
+ ifeq (yes,$(build-shared))
+@@ -146,7 +148,8 @@ tests-special += $(objpfx)bug-regex2-mem.out $(objpfx)bug-regex14-mem.out \
+ $(objpfx)tst-boost-mem.out $(objpfx)tst-getconf.out \
+ $(objpfx)bug-glob2-mem.out $(objpfx)tst-vfork3-mem.out \
+ $(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out \
+- $(objpfx)tst-glob-tilde-mem.out
++ $(objpfx)tst-glob-tilde-mem.out \
++ $(objpfx)tst-wordexp-reuse.out
+ xtests-special += $(objpfx)bug-ga2-mem.out
+ endif
+
+@@ -387,3 +390,10 @@ $(objpfx)posix-conf-vars-def.h: $(..)scripts/gen-posix-conf-vars.awk \
+ $(make-target-directory)
+ $(AWK) -f $(filter-out Makefile, $^) > $@.tmp
+ mv -f $@.tmp $@
++
++tst-wordexp-reuse-ENV += MALLOC_TRACE=$(objpfx)tst-wordexp-reuse.mtrace \
++ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
++
++$(objpfx)tst-wordexp-reuse-mem.out: $(objpfx)tst-wordexp-reuse.out
++ $(common-objpfx)malloc/mtrace $(objpfx)tst-wordexp-reuse.mtrace > $@; \
++ $(evaluate-test)
+diff --git a/posix/tst-wordexp-reuse.c b/posix/tst-wordexp-reuse.c
+new file mode 100644
+index 0000000000000000..3926b9f5576750ac
+--- /dev/null
++++ b/posix/tst-wordexp-reuse.c
+@@ -0,0 +1,89 @@
++/* Test for wordexp with WRDE_REUSE flag.
++ Copyright (C) 2026 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ . */
++
++#include
++#include
++
++#include
++
++static int
++do_test (void)
++{
++ mtrace ();
++
++ {
++ wordexp_t p = { 0 };
++ TEST_COMPARE (wordexp ("one", &p, 0), 0);
++ TEST_COMPARE (p.we_wordc, 1);
++ TEST_COMPARE_STRING (p.we_wordv[0], "one");
++ TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE), 0);
++ TEST_COMPARE (p.we_wordc, 1);
++ TEST_COMPARE_STRING (p.we_wordv[0], "two");
++ wordfree (&p);
++ }
++
++ {
++ wordexp_t p = { .we_offs = 2 };
++ TEST_COMPARE (wordexp ("one", &p, 0), 0);
++ TEST_COMPARE (p.we_wordc, 1);
++ TEST_COMPARE_STRING (p.we_wordv[0], "one");
++ TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE | WRDE_DOOFFS), 0);
++ TEST_COMPARE (p.we_wordc, 1);
++ TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "two");
++ wordfree (&p);
++ }
++
++ {
++ wordexp_t p = { 0 };
++ TEST_COMPARE (wordexp ("one", &p, 0), 0);
++ TEST_COMPARE (p.we_wordc, 1);
++ TEST_COMPARE_STRING (p.we_wordv[0], "one");
++ TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE | WRDE_APPEND), 0);
++ TEST_COMPARE (p.we_wordc, 1);
++ TEST_COMPARE_STRING (p.we_wordv[0], "two");
++ wordfree (&p);
++ }
++
++ {
++ wordexp_t p = { .we_offs = 2 };
++ TEST_COMPARE (wordexp ("one", &p, WRDE_DOOFFS), 0);
++ TEST_COMPARE (p.we_wordc, 1);
++ TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "one");
++ TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE
++ | WRDE_DOOFFS), 0);
++ TEST_COMPARE (p.we_wordc, 1);
++ TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "two");
++ wordfree (&p);
++ }
++
++ {
++ wordexp_t p = { .we_offs = 2 };
++ TEST_COMPARE (wordexp ("one", &p, WRDE_DOOFFS), 0);
++ TEST_COMPARE (p.we_wordc, 1);
++ TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "one");
++ TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE
++ | WRDE_DOOFFS | WRDE_APPEND), 0);
++ TEST_COMPARE (p.we_wordc, 1);
++ TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "two");
++ wordfree (&p);
++ }
++
++ return 0;
++}
++
++#include
+diff --git a/posix/wordexp.c b/posix/wordexp.c
+index 4061969c720f1f34..0f503b1877d2ce5b 100644
+--- a/posix/wordexp.c
++++ b/posix/wordexp.c
+@@ -2241,7 +2241,9 @@ wordexp (const char *words, wordexp_t *pwordexp, int flags)
+ {
+ /* Minimal implementation of WRDE_REUSE for now */
+ wordfree (pwordexp);
++ old_word.we_wordc = 0;
+ old_word.we_wordv = NULL;
++ pwordexp->we_wordc = 0;
+ }
+
+ if ((flags & WRDE_APPEND) == 0)
diff --git a/SOURCES/glibc-RHEL-142787-2.patch b/SOURCES/glibc-RHEL-142787-2.patch
new file mode 100644
index 0000000..4672ab6
--- /dev/null
+++ b/SOURCES/glibc-RHEL-142787-2.patch
@@ -0,0 +1,29 @@
+commit bed2db02f3183e93f21d506786c5f884a1dec9e7
+Author: Florian Weimer
+Date: Mon Jan 26 17:12:37 2026 +0100
+
+ posix: Run tst-wordexp-reuse-mem test
+
+ The test was not properly scheduled for execution with a Makefile
+ dependency.
+
+ Fixes commit 80cc58ea2de214f85b0a1d902a3b668ad2ecb302 ("posix: Reset
+ wordexp_t fields with WRDE_REUSE (CVE-2025-15281 / BZ 33814").
+
+Conflicts:
+ posix/Makefile
+ (Makefile not sorted downstream)
+
+diff --git a/posix/Makefile b/posix/Makefile
+index e546b8d667b9c6c4..b399b1dab0a8cb9c 100644
+--- a/posix/Makefile
++++ b/posix/Makefile
+@@ -149,7 +149,7 @@ tests-special += $(objpfx)bug-regex2-mem.out $(objpfx)bug-regex14-mem.out \
+ $(objpfx)bug-glob2-mem.out $(objpfx)tst-vfork3-mem.out \
+ $(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out \
+ $(objpfx)tst-glob-tilde-mem.out \
+- $(objpfx)tst-wordexp-reuse.out
++ $(objpfx)tst-wordexp-reuse-mem.out
+ xtests-special += $(objpfx)bug-ga2-mem.out
+ endif
+
diff --git a/SPECS/glibc.spec b/SPECS/glibc.spec
index e2a54ff..65dc0cd 100644
--- a/SPECS/glibc.spec
+++ b/SPECS/glibc.spec
@@ -115,7 +115,7 @@ end \
 Summary: The GNU libc libraries
 Name: glibc
 Version: %{glibcversion}
-Release: %{glibcrelease}.27
+Release: %{glibcrelease}.31
 # In general, GPLv2+ is used by programs, LGPLv2+ is used for
 # libraries.
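Review bot: The `tst-wordexp-reuse-ENV` line added to posix/Makefile in glibc-RHEL-142787-1.patch preloads `$(common-objpfx)/malloc/libc_malloc_debug.so`, an object that, as far as I know, first shipped upstream in a release later than the 2.28 base this package is built from. If this tree does not build it, the loader reports the failed preload and carries on, so the test still runs but logs a spurious error every time, and the line implies a dependency that does not exist here. On this branch I would expect `tst-wordexp-reuse-ENV += MALLOC_TRACE=$(objpfx)tst-wordexp-reuse.mtrace` on its own to be sufficient, assuming mtrace is still implemented inside libc; the other MALLOC_TRACE `-ENV` lines of this Makefile, which are outside the hunks, would confirm that. The path also carries an extra slash after `$(common-objpfx)` that the `mtrace` rule two lines below does not use.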
@@ -1295,6 +1295,10 @@ Patch1060: glibc-RHEL-72011-5.patch
 Patch1061: glibc-RHEL-72011-6.patch
 Patch1062: glibc-RHEL-72011-7.patch
 Patch1063: glibc-RHEL-72011-8.patch
+Patch1064: glibc-RHEL-141849.patch
+Patch1065: glibc-RHEL-142194.patch
+Patch1066: glibc-RHEL-142787-1.patch
+Patch1067: glibc-RHEL-142787-2.patch
 ##############################################################################
 # Continued list of core "glibc" package information:
@@ -2956,6 +2960,18 @@ fi
 %{_libdir}/libpthread_nonshared.a
 %changelog
+* Mon Jan 26 2026 Florian Weimer - 2.28-251.31
+- CVE-2025-15281: wordexp WRDE_REUSE uninitialized memory read (RHEL-142787)
+
+* Mon Jan 19 2026 Florian Weimer - 2.28-251.30
+- Remove default /var/tmp for LD_PROFILE_OUTPUT (RHEL-142194)
+
+* Mon Jan 19 2026 Florian Weimer - 2.28-251.29
+- rpminspect.yaml: note that glibc-minimal-langpack is empty (RHEL-123889)
+
+* Fri Jan 16 2026 Florian Weimer - 2.28-251.28
+- CVE-2026-0915: Stack memory disclosure in getnetbyaddr (RHEL-141849)
+
 * Thu Nov 20 2025 Arjun Shankar - 2.28-251.27
 - Fix a segmentation fault in multi-threaded multi-namespace programs using ctype.h macros (RHEL-72011)