metalefty/glibc
1
0
Fork 0
forked from rpms/glibc
Code Pull Requests Activity

import UBI glibc-2.28-251.el8_10.25

Browse Source
This commit is contained in:
eabdullin 2025-08-05 12:49:26 +00:00
parent 73b8a454b8
commit 6f91983eb9
10 changed files with 1158 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

236
SOURCES/glibc-RHEL-105326.patch Normal file
View File

@ -0,0 +1,236 @@
commit 7ea06e994093fa0bcca0d0ee2c1db271d8d7885d
Author: Florian Weimer <fweimer@redhat.com>
Date: Mon Jul 21 21:43:49 2025 +0200
posix: Fix double-free after allocation failure in regcomp (bug 33185)
If a memory allocation failure occurs during bracket expression
parsing in regcomp, a double-free error may result.
Reported-by: Anastasia Belova <abelova@astralinux.ru>
Co-authored-by: Paul Eggert <eggert@cs.ucla.edu>
Reviewed-by: Andreas K. Huettel <dilfridge@gentoo.org>
Conflicts:
posix/Makefile
(tests list not reformatted/sorted downstream)
posix/tst-regcomp-bracket-free.c
(missing strerrorname_np downstream)
diff --git a/posix/Makefile b/posix/Makefile
index 83162123f9c927a0..42a0290370b40fd9 100644
--- a/posix/Makefile
+++ b/posix/Makefile
@@ -96,7 +96,7 @@ tests := test-errno tstgetopt testfnm runtests runptests \
tst-posix_fadvise tst-posix_fadvise64 \
tst-sysconf-empty-chroot tst-glob_symlinks tst-fexecve \
tst-glob-tilde test-ssize-max tst-spawn4 bug-regex37 \
- bug-regex38 tst-regcomp-truncated
+ bug-regex38 tst-regcomp-truncated tst-regcomp-bracket-free
tests-internal := bug-regex5 bug-regex20 bug-regex33 \
tst-rfc3484 tst-rfc3484-2 tst-rfc3484-3 \
tst-glob_lstat_compat tst-spawn4-compat
diff --git a/posix/regcomp.c b/posix/regcomp.c
index 545d188468c376e7..b737b22da8703d6c 100644
--- a/posix/regcomp.c
+++ b/posix/regcomp.c
@@ -3375,6 +3375,7 @@ parse_bracket_exp (re_string_t *regexp, re_dfa_t *dfa, re_token_t *token,
{
#ifdef RE_ENABLE_I18N
free_charset (mbcset);
+ mbcset = NULL;
#endif
/* Build a tree for simple bracket. */
br_token.type = SIMPLE_BRACKET;
@@ -3390,7 +3391,8 @@ parse_bracket_exp (re_string_t *regexp, re_dfa_t *dfa, re_token_t *token,
parse_bracket_exp_free_return:
re_free (sbcset);
#ifdef RE_ENABLE_I18N
- free_charset (mbcset);
+ if (__glibc_likely (mbcset != NULL))
+ free_charset (mbcset);
#endif /* RE_ENABLE_I18N */
return NULL;
}
diff --git a/posix/tst-regcomp-bracket-free.c b/posix/tst-regcomp-bracket-free.c
new file mode 100644
index 0000000000000000..e6041ddaeba3045c
--- /dev/null
+++ b/posix/tst-regcomp-bracket-free.c
@@ -0,0 +1,176 @@
+/* Test regcomp bracket parsing with injected allocation failures (bug 33185).
+ Copyright (C) 2025 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+/* This test invokes regcomp multiple times, failing one memory
+ allocation in each call. The function call should fail with
+ REG_ESPACE (or succeed if it can recover from the allocation
+ failure). Previously, there was double-free bug. */
+
+#include <errno.h>
+#include <regex.h>
+#include <stdio.h>
+#include <string.h>
+#include <support/check.h>
+#include <support/namespace.h>
+#include <support/support.h>
+
+/* Data structure allocated via MAP_SHARED, so that writes from the
+ subprocess are visible. */
+struct shared_data
+{
+ /* Number of tracked allocations performed so far. */
+ volatile unsigned int allocation_count;
+
+ /* If this number is reached, one allocation fails. */
+ volatile unsigned int failing_allocation;
+
+ /* The subprocess stores the expected name here. */
+ char name[100];
+};
+
+/* Allocation count in shared mapping. */
+static struct shared_data *shared;
+
+/* Returns true if a failure should be injected for this allocation. */
+static bool
+fail_this_allocation (void)
+{
+ if (shared != NULL)
+ {
+ unsigned int count = shared->allocation_count;
+ shared->allocation_count = count + 1;
+ return count == shared->failing_allocation;
+ }
+ else
+ return false;
+}
+
+/* Failure-injecting wrappers for allocation functions used by glibc. */
+
+void *
+malloc (size_t size)
+{
+ if (fail_this_allocation ())
+ {
+ errno = ENOMEM;
+ return NULL;
+ }
+ extern __typeof (malloc) __libc_malloc;
+ return __libc_malloc (size);
+}
+
+void *
+calloc (size_t a, size_t b)
+{
+ if (fail_this_allocation ())
+ {
+ errno = ENOMEM;
+ return NULL;
+ }
+ extern __typeof (calloc) __libc_calloc;
+ return __libc_calloc (a, b);
+}
+
+void *
+realloc (void *ptr, size_t size)
+{
+ if (fail_this_allocation ())
+ {
+ errno = ENOMEM;
+ return NULL;
+ }
+ extern __typeof (realloc) __libc_realloc;
+ return __libc_realloc (ptr, size);
+}
+
+/* No-op subprocess to verify that support_isolate_in_subprocess does
+ not perform any heap allocations. */
+static void
+no_op (void *ignored)
+{
+}
+
+/* Perform a regcomp call in a subprocess. Used to count its
+ allocations. */
+static void
+initialize (void *regexp1)
+{
+ const char *regexp = regexp1;
+
+ shared->allocation_count = 0;
+
+ regex_t reg;
+ TEST_COMPARE (regcomp (&reg, regexp, 0), 0);
+}
+
+/* Perform regcomp in a subprocess with fault injection. */
+static void
+test_in_subprocess (void *regexp1)
+{
+ const char *regexp = regexp1;
+ unsigned int inject_at = shared->failing_allocation;
+
+ regex_t reg;
+ int ret = regcomp (&reg, regexp, 0);
+
+ if (ret != 0)
+ {
+ TEST_COMPARE (ret, REG_ESPACE);
+ printf ("info: allocation %u failure results in return value %d,"
+ " error %s (%d)\n",
+ inject_at, ret, strerror (errno), errno);
+ }
+}
+
+static int
+do_test (void)
+{
+ char regexp[] = "[:alpha:]";
+
+ shared = support_shared_allocate (sizeof (*shared));
+
+ /* Disable fault injection. */
+ shared->failing_allocation = ~0U;
+
+ support_isolate_in_subprocess (no_op, NULL);
+ TEST_COMPARE (shared->allocation_count, 0);
+
+ support_isolate_in_subprocess (initialize, regexp);
+
+ /* The number of allocations in the successful case, plus some
+ slack. Once the number of expected allocations is exceeded,
+ injecting further failures does not make a difference. */
+ unsigned int maximum_allocation_count = shared->allocation_count;
+ printf ("info: successful call performs %u allocations\n",
+ maximum_allocation_count);
+ maximum_allocation_count += 10;
+
+ for (unsigned int inject_at = 0; inject_at <= maximum_allocation_count;
+ ++inject_at)
+ {
+ shared->allocation_count = 0;
+ shared->failing_allocation = inject_at;
+ support_isolate_in_subprocess (test_in_subprocess, regexp);
+ }
+
+ support_shared_free (shared);
+
+ return 0;
+}
+
+#include <support/test-driver.c>

59
SOURCES/glibc-RHEL-18039-1.patch Normal file
View File

@ -0,0 +1,59 @@
commit 868ab8923a2ec977faafec97ecafac0c3159c1b2
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Jun 13 18:56:30 2024 +0200
resolv: Track single-request fallback via _res._flags (bug 31476)
This avoids changing _res.options, which inteferes with change
detection as part of automatic reloading of /etc/resolv.conf.
Reviewed-by: DJ Delorie <dj@redhat.com>
diff -Nrup a/resolv/res_send.c b/resolv/res_send.c
--- a/resolv/res_send.c 2025-02-19 21:54:08.104421209 -0500
+++ b/resolv/res_send.c 2025-02-19 21:54:51.202625194 -0500
@@ -1065,9 +1065,11 @@ send_dg(res_state statp,
seconds /= statp->nscount;
if (seconds <= 0)
seconds = 1;
- bool single_request_reopen = (statp->options & RES_SNGLKUPREOP) != 0;
- bool single_request = (((statp->options & RES_SNGLKUP) != 0)
- | single_request_reopen);
+ bool single_request_reopen = ((statp->options & RES_SNGLKUPREOP)
+ || (statp->_flags & RES_F_SNGLKUPREOP));
+ bool single_request = ((statp->options & RES_SNGLKUP)
+ || (statp->_flags & RES_F_SNGLKUP)
+ || single_request_reopen);
int save_gotsomewhere = *gotsomewhere;
int retval;
@@ -1124,14 +1126,14 @@ send_dg(res_state statp,
have received the first answer. */
if (!single_request)
{
- statp->options |= RES_SNGLKUP;
+ statp->_flags |= RES_F_SNGLKUP;
single_request = true;
*gotsomewhere = save_gotsomewhere;
goto retry;
}
else if (!single_request_reopen)
{
- statp->options |= RES_SNGLKUPREOP;
+ statp->_flags |= RES_F_SNGLKUPREOP;
single_request_reopen = true;
*gotsomewhere = save_gotsomewhere;
__res_iclose (statp, false);
diff -Nrup a/resolv/resolv-internal.h b/resolv/resolv-internal.h
--- a/resolv/resolv-internal.h 2025-02-19 21:54:08.104421209 -0500
+++ b/resolv/resolv-internal.h 2025-02-19 21:56:25.771072777 -0500
@@ -26,7 +26,8 @@
#define RES_F_VC 0x00000001 /* Socket is TCP. */
#define RES_F_CONN 0x00000002 /* Socket is connected. */
#define RES_F_EDNS0ERR 0x00000004 /* EDNS0 caused errors. */
-
+#define RES_F_SNGLKUP 0x00200000 /* Private version of RES_SNGLKUP. */
+#define RES_F_SNGLKUPREOP 0x00400000 /* Private version of RES_SNGLKUPREOP. */
/* Internal version of RES_USE_INET6 which does not trigger a
deprecation warning. */

197
SOURCES/glibc-RHEL-18039-2.patch Normal file
View File

@ -0,0 +1,197 @@
commit 691a3b2e9bfaba842e46a5ccb7f5e6ea144c3ade
Author: Florian Weimer <fweimer@redhat.com>
Date: Wed Jul 24 12:06:47 2024 +0200
resolv: Allow short error responses to match any query (bug 31890)
Reviewed-by: DJ Delorie <dj@redhat.com>
Conflicts:
resolv/res_send.c: res_queriesmatch/__libc_res_queriesmatch
diff -Nrup a/resolv/Makefile b/resolv/Makefile
--- a/resolv/Makefile 2025-06-06 08:53:20.890276516 -0400
+++ b/resolv/Makefile 2025-06-06 08:57:09.981844872 -0400
@@ -62,6 +62,7 @@ tests += \
tst-resolv-nondecimal \
tst-resolv-res_init-multi \
tst-resolv-search \
+ tst-resolv-short-response \
tst-resolv-trailing \
# This test calls __res_context_send directly, which is not exported
@@ -208,6 +209,8 @@ $(objpfx)tst-resolv-nondecimal: $(objpfx
$(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)
$(objpfx)tst-resolv-rotate: $(objpfx)libresolv.so $(shared-thread-library)
$(objpfx)tst-resolv-search: $(objpfx)libresolv.so $(shared-thread-library)
+$(objpfx)tst-resolv-short-response: $(objpfx)libresolv.so \
+ $(shared-thread-library)
$(objpfx)tst-resolv-trailing: $(objpfx)libresolv.so $(shared-thread-library)
$(objpfx)tst-resolv-threads: \
$(libdl) $(objpfx)libresolv.so $(shared-thread-library)
diff -Nrup a/resolv/res_send.c b/resolv/res_send.c
--- a/resolv/res_send.c 2025-06-06 08:53:30.892216323 -0400
+++ b/resolv/res_send.c 2025-06-06 08:59:35.588914830 -0400
@@ -1322,17 +1322,30 @@ send_dg(res_state statp,
goto wait;
/* Check for the correct header layout and a matching
- question. */
+ question. Some recursive resolvers send REFUSED
+ without copying back the question section
+ (producing a response that is only HFIXEDSZ bytes
+ long). Skip query matching in this case. */
+ bool thisansp_error = (anhp->rcode == SERVFAIL ||
+ anhp->rcode == NOTIMP ||
+ anhp->rcode == REFUSED);
+ bool skip_query_match = (*thisresplenp == HFIXEDSZ
+ && ntohs (anhp->qdcount) == 0
+ && thisansp_error);
int matching_query = 0; /* Default to no matching query. */
if (!recvresp1
&& anhp->id == hp->id
- && res_queriesmatch (buf, buf + buflen,
- *thisansp, *thisansp + *thisanssizp))
+ && (skip_query_match
+ || res_queriesmatch (buf, buf + buflen,
+ *thisansp,
+ *thisansp + *thisanssizp)))
matching_query = 1;
if (!recvresp2
&& anhp->id == hp2->id
- && res_queriesmatch (buf2, buf2 + buflen2,
- *thisansp, *thisansp + *thisanssizp))
+ && (skip_query_match
+ || res_queriesmatch (buf2, buf2 + buflen2,
+ *thisansp,
+ *thisansp + *thisanssizp)))
matching_query = 2;
if (matching_query == 0)
/* Spurious UDP packet. Drop it and continue
@@ -1342,9 +1355,7 @@ send_dg(res_state statp,
goto wait;
}
- if (anhp->rcode == SERVFAIL ||
- anhp->rcode == NOTIMP ||
- anhp->rcode == REFUSED) {
+ if (thisansp_error) {
next_ns:
if (recvresp1 || (buf2 != NULL && recvresp2)) {
*resplen2 = 0;
diff -Nrup a/resolv/tst-resolv-short-response.c b/resolv/tst-resolv-short-response.c
--- a/resolv/tst-resolv-short-response.c 1969-12-31 19:00:00.000000000 -0500
+++ b/resolv/tst-resolv-short-response.c 2025-06-06 08:57:09.987844834 -0400
@@ -0,0 +1,112 @@
+/* Test for spurious timeouts with short 12-byte responses (bug 31890).
+ Copyright (C) 2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include <resolv.h>
+#include <support/check.h>
+#include <support/resolv_test.h>
+#include <support/check_nss.h>
+
+/* The rcode in the initial response. */
+static volatile int rcode;
+
+static void
+response (const struct resolv_response_context *ctx,
+ struct resolv_response_builder *b,
+ const char *qname, uint16_t qclass, uint16_t qtype)
+{
+ switch (ctx->server_index)
+ {
+ case 0:
+ /* First server times out. */
+ struct resolv_response_flags flags = {.rcode = rcode};
+ resolv_response_init (b, flags);
+ break;
+ case 1:
+ /* Second server sends reply. */
+ resolv_response_init (b, (struct resolv_response_flags) {});
+ resolv_response_add_question (b, qname, qclass, qtype);
+ resolv_response_section (b, ns_s_an);
+ resolv_response_open_record (b, qname, qclass, qtype, 0);
+ switch (qtype)
+ {
+ case T_A:
+ {
+ char ipv4[4] = {192, 0, 2, 17};
+ resolv_response_add_data (b, &ipv4, sizeof (ipv4));
+ }
+ break;
+ case T_AAAA:
+ {
+ char ipv6[16]
+ = {0x20, 0x01, 0xd, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1};
+ resolv_response_add_data (b, &ipv6, sizeof (ipv6));
+ }
+ break;
+ default:
+ FAIL_EXIT1 ("unexpected TYPE%d query", qtype);
+ }
+ resolv_response_close_record (b);
+ break;
+ default:
+ FAIL_EXIT1 ("unexpected query to server %d", ctx->server_index);
+ }
+}
+
+static void
+check_one (void)
+{
+
+ /* The buggy 1-second query timeout results in 30 seconds of delay,
+ which triggers a test timeout failure. */
+ for (int i = 0; i < 10; ++i)
+ {
+ check_hostent ("www.example", gethostbyname ("www.example"),
+ "name: www.example\n"
+ "address: 192.0.2.17\n");
+ check_hostent ("www.example", gethostbyname2 ("www.example", AF_INET6),
+ "name: www.example\n"
+ "address: 2001:db8::1\n");
+ }
+}
+
+static int
+do_test (void)
+{
+ struct resolv_test *aux = resolv_test_start
+ ((struct resolv_redirect_config)
+ {
+ .response_callback = response,
+ });
+
+ _res.options |= RES_SNGLKUP;
+
+ rcode = 2; /* SERVFAIL. */
+ check_one ();
+
+ rcode = 4; /* NOTIMP. */
+ check_one ();
+
+ rcode = 5; /* REFUSED. */
+ check_one ();
+
+ resolv_test_end (aux);
+
+ return 0;
+}
+
+#include <support/test-driver.c>

203
SOURCES/glibc-RHEL-18039-3.patch Normal file
View File

@ -0,0 +1,203 @@
commit af625987d619388a100b153520d3ee308bda9889
Author: Florian Weimer <fweimer@redhat.com>
Date: Wed Jul 24 12:06:47 2024 +0200
resolv: Do not wait for non-existing second DNS response after error (bug 30081)
In single-request mode, there is no second response after an error
because the second query has not been sent yet. Waiting for it
introduces an unnecessary timeout.
Reviewed-by: DJ Delorie <dj@redhat.com>
diff -Nrup a/resolv/Makefile b/resolv/Makefile
--- a/resolv/Makefile 2025-02-19 22:32:03.567568899 -0500
+++ b/resolv/Makefile 2025-02-19 22:36:58.647149025 -0500
@@ -62,6 +62,7 @@ tests += \
tst-resolv-nondecimal \
tst-resolv-res_init-multi \
tst-resolv-search \
+ tst-resolv-semi-failure \
tst-resolv-short-response \
tst-resolv-trailing \
@@ -209,6 +210,8 @@ $(objpfx)tst-resolv-nondecimal: $(objpfx
$(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)
$(objpfx)tst-resolv-rotate: $(objpfx)libresolv.so $(shared-thread-library)
$(objpfx)tst-resolv-search: $(objpfx)libresolv.so $(shared-thread-library)
+$(objpfx)tst-resolv-semi-failure: $(objpfx)libresolv.so \
+ $(shared-thread-library)
$(objpfx)tst-resolv-short-response: $(objpfx)libresolv.so \
$(shared-thread-library)
$(objpfx)tst-resolv-trailing: $(objpfx)libresolv.so $(shared-thread-library)
diff -Nrup a/resolv/res_send.c b/resolv/res_send.c
--- a/resolv/res_send.c 2025-02-19 22:32:03.567568899 -0500
+++ b/resolv/res_send.c 2025-02-19 22:34:59.213509475 -0500
@@ -1361,7 +1361,7 @@ send_dg(res_state statp,
*resplen2 = 0;
return resplen;
}
- if (buf2 != NULL)
+ if (buf2 != NULL && !single_request)
{
/* No data from the first reply. */
resplen = 0;
diff -Nrup a/resolv/tst-resolv-semi-failure.c b/resolv/tst-resolv-semi-failure.c
--- a/resolv/tst-resolv-semi-failure.c 1969-12-31 19:00:00.000000000 -0500
+++ b/resolv/tst-resolv-semi-failure.c 2025-02-19 22:34:59.213509475 -0500
@@ -0,0 +1,133 @@
+/* Test parallel failure/success responses (bug 30081).
+ Copyright (C) 2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include <resolv.h>
+#include <support/check.h>
+#include <support/resolv_test.h>
+#include <support/check_nss.h>
+
+/* The rcode in the initial response. */
+static volatile int rcode;
+
+/* Whether to fail the initial A query (!fail_aaaa) or the initial
+ AAAA query (fail_aaaa). */
+static volatile bool fail_aaaa;
+
+static void
+response (const struct resolv_response_context *ctx,
+ struct resolv_response_builder *b,
+ const char *qname, uint16_t qclass, uint16_t qtype)
+{
+ /* Handle the failing query. */
+ if ((fail_aaaa && qtype == T_AAAA) && ctx->server_index == 0)
+ {
+ struct resolv_response_flags flags = {.rcode = rcode};
+ resolv_response_init (b, flags);
+ return;
+ }
+
+ /* Otherwise produce a response. */
+ resolv_response_init (b, (struct resolv_response_flags) {});
+ resolv_response_add_question (b, qname, qclass, qtype);
+ resolv_response_section (b, ns_s_an);
+ resolv_response_open_record (b, qname, qclass, qtype, 0);
+ switch (qtype)
+ {
+ case T_A:
+ {
+ char ipv4[4] = {192, 0, 2, 17};
+ resolv_response_add_data (b, &ipv4, sizeof (ipv4));
+ }
+ break;
+ case T_AAAA:
+ {
+ char ipv6[16]
+ = {0x20, 0x01, 0xd, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1};
+ resolv_response_add_data (b, &ipv6, sizeof (ipv6));
+ }
+ break;
+ default:
+ FAIL_EXIT1 ("unexpected TYPE%d query", qtype);
+ }
+ resolv_response_close_record (b);
+}
+
+static void
+check_one (void)
+{
+
+ /* The buggy 1-second query timeout results in 30 seconds of delay,
+ which triggers are test timeout failure. */
+ for (int i = 0; i < 30; ++i)
+ {
+ static const struct addrinfo hints =
+ {
+ .ai_family = AF_UNSPEC,
+ .ai_socktype = SOCK_STREAM,
+ };
+ struct addrinfo *ai;
+ int ret = getaddrinfo ("www.example", "80", &hints, &ai);
+ const char *expected;
+ if (ret == 0 && ai->ai_next != NULL)
+ expected = ("address: STREAM/TCP 192.0.2.17 80\n"
+ "address: STREAM/TCP 2001:db8::1 80\n");
+ else
+ /* Only one response because the AAAA lookup failure is
+ treated as an ignoreable error. */
+ expected = "address: STREAM/TCP 192.0.2.17 80\n";
+ check_addrinfo ("www.example", ai, ret, expected);
+ if (ret == 0)
+ freeaddrinfo (ai);
+ }
+}
+
+static int
+do_test (void)
+{
+ for (int do_single_lookup = 0; do_single_lookup < 2; ++do_single_lookup)
+ {
+ struct resolv_test *aux = resolv_test_start
+ ((struct resolv_redirect_config)
+ {
+ .response_callback = response,
+ });
+
+ if (do_single_lookup)
+ _res.options |= RES_SNGLKUP;
+
+ for (int do_fail_aaaa = 0; do_fail_aaaa < 2; ++do_fail_aaaa)
+ {
+ fail_aaaa = do_fail_aaaa;
+
+ rcode = 2; /* SERVFAIL. */
+ check_one ();
+
+ rcode = 4; /* NOTIMP. */
+ check_one ();
+
+ rcode = 5; /* REFUSED. */
+ check_one ();
+ }
+
+ resolv_test_end (aux);
+ }
+
+ return 0;
+}
+
+#include <support/test-driver.c>
diff -Nrup a/resolv/tst-resolv-short-response.c b/resolv/tst-resolv-short-response.c
--- a/resolv/tst-resolv-short-response.c 2025-02-19 22:32:03.567568899 -0500
+++ b/resolv/tst-resolv-short-response.c 2025-02-19 22:34:59.213509475 -0500
@@ -81,6 +81,18 @@ check_one (void)
check_hostent ("www.example", gethostbyname2 ("www.example", AF_INET6),
"name: www.example\n"
"address: 2001:db8::1\n");
+ static const struct addrinfo hints =
+ {
+ .ai_family = AF_UNSPEC,
+ .ai_socktype = SOCK_STREAM,
+ };
+ struct addrinfo *ai;
+ int ret = getaddrinfo ("www.example", "80", &hints, &ai);
+ check_addrinfo ("www.example", ai, ret,
+ "address: STREAM/TCP 192.0.2.17 80\n"
+ "address: STREAM/TCP 2001:db8::1 80\n");
+ if (ret == 0)
+ freeaddrinfo (ai);
}
}

81
SOURCES/glibc-RHEL-18039-4.patch Normal file
View File

@ -0,0 +1,81 @@
commit 95f61610f3e481d191b6184432342236fd59186d
Author: Florian Weimer <fweimer@redhat.com>
Date: Wed Jul 24 12:06:47 2024 +0200
resolv: Support clearing option flags with a “-” prefix (bug 14799)
I think using a “-” prefix is less confusing than introducing
double-negation construct (“no-no-tld-query”).
Reviewed-by: DJ Delorie <dj@redhat.com>
Conflicts:
NEWS: Dropped
resolv/res_init.c: DEPRECATED_RES_USE_INET6 and RES_TRUSTAD
diff -Nrup a/resolv/res_init.c b/resolv/res_init.c
--- a/resolv/res_init.c 2025-05-21 08:57:39.108958310 -0400
+++ b/resolv/res_init.c 2025-05-21 08:59:11.528419481 -0400
@@ -682,27 +682,29 @@ res_setoptions (struct resolv_conf_parse
{
char str[22];
uint8_t len;
- uint8_t clear;
unsigned long int flag;
} options[] = {
#define STRnLEN(str) str, sizeof (str) - 1
- { STRnLEN ("inet6"), 0, DEPRECATED_RES_USE_INET6 },
- { STRnLEN ("rotate"), 0, RES_ROTATE },
- { STRnLEN ("edns0"), 0, RES_USE_EDNS0 },
- { STRnLEN ("single-request-reopen"), 0, RES_SNGLKUPREOP },
- { STRnLEN ("single-request"), 0, RES_SNGLKUP },
- { STRnLEN ("no_tld_query"), 0, RES_NOTLDQUERY },
- { STRnLEN ("no-tld-query"), 0, RES_NOTLDQUERY },
- { STRnLEN ("no-reload"), 0, RES_NORELOAD },
- { STRnLEN ("use-vc"), 0, RES_USEVC },
- { STRnLEN ("no-aaaa"), 0, RES_NOAAAA },
+ { STRnLEN ("inet6"), DEPRECATED_RES_USE_INET6 },
+ { STRnLEN ("rotate"), RES_ROTATE },
+ { STRnLEN ("edns0"), RES_USE_EDNS0 },
+ { STRnLEN ("single-request-reopen"), RES_SNGLKUPREOP },
+ { STRnLEN ("single-request"), RES_SNGLKUP },
+ { STRnLEN ("no_tld_query"), RES_NOTLDQUERY },
+ { STRnLEN ("no-tld-query"), RES_NOTLDQUERY },
+ { STRnLEN ("no-reload"), RES_NORELOAD },
+ { STRnLEN ("use-vc"), RES_USEVC },
+ { STRnLEN ("no-aaaa"), RES_NOAAAA },
};
#define noptions (sizeof (options) / sizeof (options[0]))
+ bool negate_option = *cp == '-';
+ if (negate_option)
+ ++cp;
for (int i = 0; i < noptions; ++i)
if (strncmp (cp, options[i].str, options[i].len) == 0)
{
- if (options[i].clear)
- parser->template.options &= options[i].flag;
+ if (negate_option)
+ parser->template.options &= ~options[i].flag;
else
parser->template.options |= options[i].flag;
break;
diff -Nrup a/resolv/tst-resolv-res_init-skeleton.c b/resolv/tst-resolv-res_init-skeleton.c
--- a/resolv/tst-resolv-res_init-skeleton.c 2025-05-21 08:57:39.109958315 -0400
+++ b/resolv/tst-resolv-res_init-skeleton.c 2025-05-21 08:58:09.541110166 -0400
@@ -680,6 +680,16 @@ struct test_case test_cases[] =
"; nameserver[0]: [192.0.2.1]:53\n",
.res_options = "attempts:5 ndots:3 edns0 ",
},
+ {.name = "RES_OPTIONS can clear flags",
+ .conf = "options ndots:2 use-vc no-aaaa edns0\n"
+ "nameserver 192.0.2.1\n",
+ .expected = "options ndots:3 use-vc\n"
+ "search example.com\n"
+ "; search[0]: example.com\n"
+ "nameserver 192.0.2.1\n"
+ "; nameserver[0]: [192.0.2.1]:53\n",
+ .res_options = "ndots:3 -edns0 -no-aaaa",
+ },
{.name = "many search list entries (bug 19569)",
.conf = "nameserver 192.0.2.1\n"
"search corp.example.com support.example.com"

207
SOURCES/glibc-RHEL-18039-5.patch Normal file
View File

@ -0,0 +1,207 @@
commit 765325951ac5c7d072278c9424930b29657e9758
Author: Florian Weimer <fweimer@redhat.com>
Date: Wed Jul 24 12:06:47 2024 +0200
resolv: Implement strict-error stub resolver option (bug 27929)
For now, do not enable this mode by default due to the potential
impact on compatibility with existing deployments.
Reviewed-by: DJ Delorie <dj@redhat.com>
Conflicts:
NEWS
(Dropped)
diff -Nrup a/resolv/res_init.c b/resolv/res_init.c
--- a/resolv/res_init.c 2025-06-06 07:00:12.496548260 -0400
+++ b/resolv/res_init.c 2025-06-06 07:02:49.092632696 -0400
@@ -695,6 +695,7 @@ res_setoptions (struct resolv_conf_parse
{ STRnLEN ("no-reload"), RES_NORELOAD },
{ STRnLEN ("use-vc"), RES_USEVC },
{ STRnLEN ("no-aaaa"), RES_NOAAAA },
+ { STRnLEN ("strict-error"), RES_STRICTERR },
};
#define noptions (sizeof (options) / sizeof (options[0]))
bool negate_option = *cp == '-';
diff -Nrup a/resolv/res_send.c b/resolv/res_send.c
--- a/resolv/res_send.c 2025-06-06 07:00:12.434548622 -0400
+++ b/resolv/res_send.c 2025-06-06 07:02:49.095632678 -0400
@@ -1357,21 +1357,38 @@ send_dg(res_state statp,
if (thisansp_error) {
next_ns:
- if (recvresp1 || (buf2 != NULL && recvresp2)) {
- *resplen2 = 0;
- return resplen;
- }
- if (buf2 != NULL && !single_request)
+ /* Outside of strict-error mode, use the first
+ response even if the second response is an
+ error. This allows parallel resolution to
+ succeed even if the recursive resolver
+ always answers with SERVFAIL for AAAA
+ queries (which still happens in practice
+ unfortunately).
+
+ In strict-error mode, always switch to the
+ next server and try to get a response from
+ there. */
+ if ((statp->options & RES_STRICTERR) == 0)
{
- /* No data from the first reply. */
- resplen = 0;
- /* We are waiting for a possible second reply. */
- if (matching_query == 1)
- recvresp1 = 1;
- else
- recvresp2 = 1;
+ if (recvresp1 || (buf2 != NULL && recvresp2))
+ {
+ *resplen2 = 0;
+ return resplen;
+ }
+
+ if (buf2 != NULL && !single_request)
+ {
+ /* No data from the first reply. */
+ resplen = 0;
+ /* We are waiting for a possible
+ second reply. */
+ if (matching_query == 1)
+ recvresp1 = 1;
+ else
+ recvresp2 = 1;
- goto wait;
+ goto wait;
+ }
}
/* don't retry if called from dig */
diff -Nrup a/resolv/resolv.h b/resolv/resolv.h
--- a/resolv/resolv.h 2025-06-06 06:59:53.530659146 -0400
+++ b/resolv/resolv.h 2025-06-06 07:09:57.754126400 -0400
@@ -136,6 +136,7 @@ struct res_sym {
as a TLD. */
#define RES_NORELOAD 0x02000000 /* No automatic configuration reload. */
#define RES_NOAAAA 0x08000000 /* Suppress AAAA queries. */
+#define RES_STRICTERR 0x10000000 /* Report more DNS errors as errors. */
#define RES_DEFAULT (RES_RECURSE|RES_DEFNAMES|RES_DNSRCH)
diff -Nrup a/resolv/tst-resolv-res_init-skeleton.c b/resolv/tst-resolv-res_init-skeleton.c
--- a/resolv/tst-resolv-res_init-skeleton.c 2025-06-06 07:00:12.499548242 -0400
+++ b/resolv/tst-resolv-res_init-skeleton.c 2025-06-06 07:11:46.131274310 -0400
@@ -130,6 +130,7 @@ print_resp (FILE *fp, res_state resp)
print_option_flag (fp, &options, RES_NOTLDQUERY, "no-tld-query");
print_option_flag (fp, &options, RES_NORELOAD, "no-reload");
print_option_flag (fp, &options, RES_NOAAAA, "no-aaaa");
+ print_option_flag (fp, &options, RES_STRICTERR, "strict-error");
fputc ('\n', fp);
if (options != 0)
fprintf (fp, "; error: unresolved option bits: 0x%x\n", options);
@@ -731,6 +732,15 @@ struct test_case test_cases[] =
"search example.com\n"
"; search[0]: example.com\n"
"nameserver 192.0.2.1\n"
+ "; nameserver[0]: [192.0.2.1]:53\n"
+ },
+ {.name = "strict-error flag",
+ .conf = "options strict-error\n"
+ "nameserver 192.0.2.1\n",
+ .expected = "options strict-error\n"
+ "search example.com\n"
+ "; search[0]: example.com\n"
+ "nameserver 192.0.2.1\n"
"; nameserver[0]: [192.0.2.1]:53\n"
},
{ NULL }
diff -Nrup a/resolv/tst-resolv-semi-failure.c b/resolv/tst-resolv-semi-failure.c
--- a/resolv/tst-resolv-semi-failure.c 2025-06-06 07:00:12.438548599 -0400
+++ b/resolv/tst-resolv-semi-failure.c 2025-06-06 07:02:49.099632654 -0400
@@ -67,6 +67,9 @@ response (const struct resolv_response_c
resolv_response_close_record (b);
}
+/* Set to 1 if strict error checking is enabled. */
+static int do_strict_error;
+
static void
check_one (void)
{
@@ -83,7 +86,10 @@ check_one (void)
struct addrinfo *ai;
int ret = getaddrinfo ("www.example", "80", &hints, &ai);
const char *expected;
- if (ret == 0 && ai->ai_next != NULL)
+ /* In strict-error mode, a switch to the second name server
+ happens, and both responses are received, so a single
+ response is a bug. */
+ if (do_strict_error || (ret == 0 && ai->ai_next != NULL))
expected = ("address: STREAM/TCP 192.0.2.17 80\n"
"address: STREAM/TCP 2001:db8::1 80\n");
else
@@ -99,33 +105,36 @@ check_one (void)
static int
do_test (void)
{
- for (int do_single_lookup = 0; do_single_lookup < 2; ++do_single_lookup)
- {
- struct resolv_test *aux = resolv_test_start
- ((struct resolv_redirect_config)
- {
- .response_callback = response,
- });
-
- if (do_single_lookup)
- _res.options |= RES_SNGLKUP;
-
- for (int do_fail_aaaa = 0; do_fail_aaaa < 2; ++do_fail_aaaa)
- {
- fail_aaaa = do_fail_aaaa;
+ for (do_strict_error = 0; do_strict_error < 2; ++do_strict_error)
+ for (int do_single_lookup = 0; do_single_lookup < 2; ++do_single_lookup)
+ {
+ struct resolv_test *aux = resolv_test_start
+ ((struct resolv_redirect_config)
+ {
+ .response_callback = response,
+ });
+
+ if (do_strict_error)
+ _res.options |= RES_STRICTERR;
+ if (do_single_lookup)
+ _res.options |= RES_SNGLKUP;
+
+ for (int do_fail_aaaa = 0; do_fail_aaaa < 2; ++do_fail_aaaa)
+ {
+ fail_aaaa = do_fail_aaaa;
+
+ rcode = 2; /* SERVFAIL. */
+ check_one ();
+
+ rcode = 4; /* NOTIMP. */
+ check_one ();
+
+ rcode = 5; /* REFUSED. */
+ check_one ();
+ }
- rcode = 2; /* SERVFAIL. */
- check_one ();
-
- rcode = 4; /* NOTIMP. */
- check_one ();
-
- rcode = 5; /* REFUSED. */
- check_one ();
- }
-
- resolv_test_end (aux);
- }
+ resolv_test_end (aux);
+ }
return 0;
}

28
SOURCES/glibc-RHEL-18039-6.patch Normal file
View File

@ -0,0 +1,28 @@
commit ec119972cb2598c04ec7d4219e20506006836f64
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Aug 1 10:46:10 2024 +0200
resolv: Fix tst-resolv-short-response for older GCC (bug 32042)
Previous GCC versions do not support the C23 change that
allows labels on declarations.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
diff --git a/resolv/tst-resolv-short-response.c b/resolv/tst-resolv-short-response.c
index be354ae1c7..9b06b0c176 100644
--- a/resolv/tst-resolv-short-response.c
+++ b/resolv/tst-resolv-short-response.c
@@ -33,8 +33,10 @@ response (const struct resolv_response_context *ctx,
{
case 0:
/* First server times out. */
- struct resolv_response_flags flags = {.rcode = rcode};
- resolv_response_init (b, flags);
+ {
+ struct resolv_response_flags flags = {.rcode = rcode};
+ resolv_response_init (b, flags);
+ }
break;
case 1:
/* Second server sends reply. */

25
SOURCES/glibc-RHEL-93937-1.patch Normal file
View File

@ -0,0 +1,25 @@
commit 81a1fa6cbfef5ca33e7eeb11f8f9a528f4dc0117
Author: Arjun Shankar <arjun@redhat.com>
Date: Tue Nov 5 16:41:25 2019 +0100
Fix run-one-test so that it runs elf tests
The `test' make target passes a trailing slash in the subdir argument. This
does not play well with elf/rtld-Rules which looks for `elf' without any
trailing slash, and therefore doesn't find a match when running an elf test
individually. This commit removes the trailing slash from the invocation.
Reviewed-by: DJ Delorie <dj@redhat.com>
diff --git a/Makefile b/Makefile
index 6518f62ee0676b0d..40066189f3f49441 100644
--- a/Makefile
+++ b/Makefile
@@ -518,6 +518,6 @@ iconvdata/% localedata/% po/%: FORCE
.PHONY: test
test :
@-rm -f $(objpfx)$t.out
- $(MAKE) subdir=$(dir $t) -C $(dir $t) ..=../ $(objpfx)$t.out
+ $(MAKE) subdir=$(patsubst %/,%,$(dir $t)) -C $(dir $t) ..=../ $(objpfx)$t.out
@cat $(objpfx)$t.test-result
@cat $(objpfx)$t.out

100
SOURCES/glibc-RHEL-93937-2.patch Normal file
View File

@ -0,0 +1,100 @@
commit 2fca4b624bd3ceb8c756b4145c7e96aa032b2b98
Author: Florian Weimer <fweimer@redhat.com>
Date: Wed Jun 4 17:44:19 2025 +0200
Makefile: Avoid $(objpfx)/ in makefiles
If paths with both $(objpfx)/ and $(objpfx) (which already includes
a trailing slash) appear during the build, this can trigger unexpected
rebuilds, or incorrect concurrent rebuilds.
Conflicts:
elf/Makefile: Test differences.
nss/Makefile: Test differences.
diff --git a/elf/Makefile b/elf/Makefile
index 38976f195a398abf..d09f5482c089f18c 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -1055,8 +1055,8 @@ $(objpfx)$(1).generated-makefile: $(1)
endef
endif
-postclean-generated += $(objpfx)/dso-sort-tests-2.generated-makefile \
- $(objpfx)/dso-sort-tests-2.generated-makefile
+postclean-generated += $(objpfx)dso-sort-tests-2.generated-makefile \
+ $(objpfx)dso-sort-tests-2.generated-makefile
# Generate from each testcase description file
ifeq (yes,$(have-tunables))
@@ -2674,7 +2674,7 @@ $(objpfx)tst-tls21: $(libdl) $(shared-thread-library)
$(objpfx)tst-tls21.out: $(objpfx)tst-tls21mod.so
$(objpfx)tst-tls21mod.so: $(tst-tls-many-dynamic-modules:%=$(objpfx)%.so)
-$(objpfx)tst-rtld-run-static.out: $(objpfx)/ldconfig
+$(objpfx)tst-rtld-run-static.out: $(objpfx)ldconfig
$(objpfx)tst-dlmopen-gethostbyname: $(libdl)
$(objpfx)tst-dlmopen-gethostbyname.out: $(objpfx)tst-dlmopen-gethostbyname-mod.so
diff --git a/nss/Makefile b/nss/Makefile
index 4ee8b1eefd792062..05fcadf60fd0d771 100644
--- a/nss/Makefile
+++ b/nss/Makefile
@@ -172,36 +172,36 @@ libof-nss_test1 = extramodules
libof-nss_test2 = extramodules
libof-nss_test_errno = extramodules
libof-nss_test_gai_hv2_canonname = extramodules
-$(objpfx)/libnss_test1.so: $(objpfx)nss_test1.os $(link-libc-deps)
+$(objpfx)libnss_test1.so: $(objpfx)nss_test1.os $(link-libc-deps)
$(build-module)
-$(objpfx)/libnss_test2.so: $(objpfx)nss_test2.os $(link-libc-deps)
+$(objpfx)libnss_test2.so: $(objpfx)nss_test2.os $(link-libc-deps)
$(build-module)
-$(objpfx)/libnss_test_errno.so: $(objpfx)nss_test_errno.os $(link-libc-deps)
+$(objpfx)libnss_test_errno.so: $(objpfx)nss_test_errno.os $(link-libc-deps)
$(build-module)
-$(objpfx)/libnss_test_gai_hv2_canonname.so: \
+$(objpfx)libnss_test_gai_hv2_canonname.so: \
$(objpfx)nss_test_gai_hv2_canonname.os $(link-libc-deps) \
- $(objpfx)/libnss_files.so
+ $(objpfx)libnss_files.so
$(build-module)
$(objpfx)nss_test2.os : nss_test1.c
ifdef libnss_test1.so-version
-$(objpfx)/libnss_test1.so$(libnss_test1.so-version): $(objpfx)/libnss_test1.so
+$(objpfx)libnss_test1.so$(libnss_test1.so-version): $(objpfx)libnss_test1.so
$(make-link)
endif
ifdef libnss_test2.so-version
-$(objpfx)/libnss_test2.so$(libnss_test2.so-version): $(objpfx)/libnss_test2.so
+$(objpfx)libnss_test2.so$(libnss_test2.so-version): $(objpfx)libnss_test2.so
$(make-link)
endif
-$(objpfx)/libnss_test_errno.so$(libnss_files.so-version): \
- $(objpfx)/libnss_test_errno.so
+$(objpfx)libnss_test_errno.so$(libnss_files.so-version): \
+ $(objpfx)libnss_test_errno.so
$(make-link)
-$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version): \
- $(objpfx)/libnss_test_gai_hv2_canonname.so
+$(objpfx)libnss_test_gai_hv2_canonname.so$(libnss_files.so-version): \
+ $(objpfx)libnss_test_gai_hv2_canonname.so
$(make-link)
$(patsubst %,$(objpfx)%.out,$(tests) $(tests-container)) : \
- $(objpfx)/libnss_test1.so$(libnss_test1.so-version) \
- $(objpfx)/libnss_test2.so$(libnss_test2.so-version) \
- $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) \
- $(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version)
+ $(objpfx)libnss_test1.so$(libnss_test1.so-version) \
+ $(objpfx)libnss_test2.so$(libnss_test2.so-version) \
+ $(objpfx)libnss_test_errno.so$(libnss_files.so-version) \
+ $(objpfx)libnss_test_gai_hv2_canonname.so$(libnss_files.so-version)
ifeq (yes,$(have-thread-library))
$(objpfx)tst-cancel-getpwuid_r: $(shared-thread-library)
@@ -211,4 +211,4 @@ $(objpfx)tst-nss-files-hosts-erange: $(libdl)
$(objpfx)tst-nss-files-hosts-multi: $(libdl)
$(objpfx)tst-nss-files-hosts-getent: $(libdl)
$(objpfx)tst-nss-files-alias-leak: $(libdl)
-$(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so
+$(objpfx)tst-nss-files-alias-leak.out: $(objpfx)libnss_files.so

23
SPECS/glibc.spec
View File

@ -115,7 +115,7 @@ end \
Summary: The GNU libc libraries
Name: glibc
Version: %{glibcversion}
Release: %{glibcrelease}.22
Release: %{glibcrelease}.25
# In general, GPLv2+ is used by programs, LGPLv2+ is used for
# libraries.
@ -1277,6 +1277,15 @@ Patch1042: glibc-RHEL-92685-6.patch
Patch1043: glibc-RHEL-92685-7.patch
Patch1044: glibc-RHEL-92685-8.patch
Patch1045: glibc-RHEL-92685-9.patch
Patch1046: glibc-RHEL-93937-1.patch
Patch1047: glibc-RHEL-93937-2.patch
Patch1048: glibc-RHEL-18039-1.patch
Patch1049: glibc-RHEL-18039-2.patch
Patch1050: glibc-RHEL-18039-3.patch
Patch1051: glibc-RHEL-18039-4.patch
Patch1052: glibc-RHEL-18039-5.patch
Patch1053: glibc-RHEL-18039-6.patch
Patch1054: glibc-RHEL-105326.patch
##############################################################################
# Continued list of core "glibc" package information:
@ -2938,6 +2947,18 @@ fi
%{_libdir}/libpthread_nonshared.a
%changelog
* Thu Jul 24 2025 Florian Weimer <fweimer@redhat.com> - 2.28-251.25
- CVE-2025-8058: Double free in regcomp (RHEL-105326)
* Thu Jun 05 2025 Patsy Griffin <patsy@redhat.com> - 2.28-251.24
- Keep reloading /etc/resolv.conf after timeouts with getaddrinfo
and AF_UNSPEC.
- Avoid timeouts with getaddrinfo, AF_UNSPEC, and certain DNS error
responses. (RHEL-18039)
* Thu Jun 05 2025 Arjun Shankar <arjun@redhat.com> - 2.28-251.23
- Reduce spurious rebuilds while running tests (RHEL-93937)
* Mon May 26 2025 Florian Weimer <fweimer@redhat.com> - 2.28-251.22
- CVE-2025-4802: static setuid dlopen may search LD_LIBRARY_PATH (RHEL-92685)