.gitignore

@@ -1,2 +1 @@
 SOURCES/glibc-2.28.tar.xz
-/glibc-2.28.tar.xz

.glibc.metadata

@@ -0,0 +1 @@
+ccb5dc9e51a9884df8488f86982439d47b283b2a SOURCES/glibc-2.28.tar.xz

SOURCES/glibc-RHEL-105326.patch

@@ -0,0 +1,236 @@
+commit 7ea06e994093fa0bcca0d0ee2c1db271d8d7885d
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Mon Jul 21 21:43:49 2025 +0200
+
+    posix: Fix double-free after allocation failure in regcomp (bug 33185)
+
+    If a memory allocation failure occurs during bracket expression
+    parsing in regcomp, a double-free error may result.
+
+    Reported-by: Anastasia Belova <abelova@astralinux.ru>
+    Co-authored-by: Paul Eggert <eggert@cs.ucla.edu>
+    Reviewed-by: Andreas K. Huettel <dilfridge@gentoo.org>
+
+Conflicts:
+	posix/Makefile
+	  (tests list not reformatted/sorted downstream)
+	posix/tst-regcomp-bracket-free.c
+	  (missing strerrorname_np downstream)
+
+diff --git a/posix/Makefile b/posix/Makefile
+index 83162123f9c927a0..42a0290370b40fd9 100644
+--- a/posix/Makefile
++++ b/posix/Makefile
+@@ -96,7 +96,7 @@ tests		:= test-errno tstgetopt testfnm runtests runptests \
+ 		   tst-posix_fadvise tst-posix_fadvise64 \
+ 		   tst-sysconf-empty-chroot tst-glob_symlinks tst-fexecve \
+ 		   tst-glob-tilde test-ssize-max tst-spawn4 bug-regex37 \
+-		   bug-regex38 tst-regcomp-truncated
++		   bug-regex38 tst-regcomp-truncated tst-regcomp-bracket-free
+ tests-internal	:= bug-regex5 bug-regex20 bug-regex33 \
+ 		   tst-rfc3484 tst-rfc3484-2 tst-rfc3484-3 \
+ 		   tst-glob_lstat_compat tst-spawn4-compat
+diff --git a/posix/regcomp.c b/posix/regcomp.c
+index 545d188468c376e7..b737b22da8703d6c 100644
+--- a/posix/regcomp.c
++++ b/posix/regcomp.c
+@@ -3375,6 +3375,7 @@ parse_bracket_exp (re_string_t *regexp, re_dfa_t *dfa, re_token_t *token,
+     {
+ #ifdef RE_ENABLE_I18N
+       free_charset (mbcset);
++      mbcset = NULL;
+ #endif
+       /* Build a tree for simple bracket.  */
+       br_token.type = SIMPLE_BRACKET;
+@@ -3390,7 +3391,8 @@ parse_bracket_exp (re_string_t *regexp, re_dfa_t *dfa, re_token_t *token,
+  parse_bracket_exp_free_return:
+   re_free (sbcset);
+ #ifdef RE_ENABLE_I18N
+-  free_charset (mbcset);
++  if (__glibc_likely (mbcset != NULL))
++    free_charset (mbcset);
+ #endif /* RE_ENABLE_I18N */
+   return NULL;
+ }
+diff --git a/posix/tst-regcomp-bracket-free.c b/posix/tst-regcomp-bracket-free.c
+new file mode 100644
+index 0000000000000000..e6041ddaeba3045c
+--- /dev/null
++++ b/posix/tst-regcomp-bracket-free.c
+@@ -0,0 +1,176 @@
++/* Test regcomp bracket parsing with injected allocation failures (bug 33185).
++   Copyright (C) 2025 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++/* This test invokes regcomp multiple times, failing one memory
++   allocation in each call.  The function call should fail with
++   REG_ESPACE (or succeed if it can recover from the allocation
++   failure).  Previously, there was double-free bug.  */
++
++#include <errno.h>
++#include <regex.h>
++#include <stdio.h>
++#include <string.h>
++#include <support/check.h>
++#include <support/namespace.h>
++#include <support/support.h>
++
++/* Data structure allocated via MAP_SHARED, so that writes from the
++   subprocess are visible.  */
++struct shared_data
++{
++  /* Number of tracked allocations performed so far.  */
++  volatile unsigned int allocation_count;
++
++  /* If this number is reached, one allocation fails.  */
++  volatile unsigned int failing_allocation;
++
++  /* The subprocess stores the expected name here.  */
++  char name[100];
++};
++
++/* Allocation count in shared mapping.  */
++static struct shared_data *shared;
++
++/* Returns true if a failure should be injected for this allocation.  */
++static bool
++fail_this_allocation (void)
++{
++  if (shared != NULL)
++    {
++      unsigned int count = shared->allocation_count;
++      shared->allocation_count = count + 1;
++      return count == shared->failing_allocation;
++    }
++  else
++    return false;
++}
++
++/* Failure-injecting wrappers for allocation functions used by glibc.  */
++
++void *
++malloc (size_t size)
++{
++  if (fail_this_allocation ())
++    {
++      errno = ENOMEM;
++      return NULL;
++    }
++  extern __typeof (malloc) __libc_malloc;
++  return __libc_malloc (size);
++}
++
++void *
++calloc (size_t a, size_t b)
++{
++  if (fail_this_allocation ())
++    {
++      errno = ENOMEM;
++      return NULL;
++    }
++  extern __typeof (calloc) __libc_calloc;
++  return __libc_calloc (a, b);
++}
++
++void *
++realloc (void *ptr, size_t size)
++{
++  if (fail_this_allocation ())
++    {
++      errno = ENOMEM;
++      return NULL;
++    }
++  extern __typeof (realloc) __libc_realloc;
++  return __libc_realloc (ptr, size);
++}
++
++/* No-op subprocess to verify that support_isolate_in_subprocess does
++   not perform any heap allocations.  */
++static void
++no_op (void *ignored)
++{
++}
++
++/* Perform a regcomp call in a subprocess.  Used to count its
++   allocations.  */
++static void
++initialize (void *regexp1)
++{
++  const char *regexp = regexp1;
++
++  shared->allocation_count = 0;
++
++  regex_t reg;
++  TEST_COMPARE (regcomp (&reg, regexp, 0), 0);
++}
++
++/* Perform regcomp in a subprocess with fault injection.  */
++static void
++test_in_subprocess (void *regexp1)
++{
++  const char *regexp = regexp1;
++  unsigned int inject_at = shared->failing_allocation;
++
++  regex_t reg;
++  int ret = regcomp (&reg, regexp, 0);
++
++  if (ret != 0)
++    {
++      TEST_COMPARE (ret, REG_ESPACE);
++      printf ("info: allocation %u failure results in return value %d,"
++              " error %s (%d)\n",
++              inject_at, ret, strerror (errno), errno);
++    }
++}
++
++static int
++do_test (void)
++{
++  char regexp[] = "[:alpha:]";
++
++  shared = support_shared_allocate (sizeof (*shared));
++
++  /* Disable fault injection.  */
++  shared->failing_allocation = ~0U;
++
++  support_isolate_in_subprocess (no_op, NULL);
++  TEST_COMPARE (shared->allocation_count, 0);
++
++  support_isolate_in_subprocess (initialize, regexp);
++
++  /* The number of allocations in the successful case, plus some
++     slack.  Once the number of expected allocations is exceeded,
++     injecting further failures does not make a difference.  */
++  unsigned int maximum_allocation_count = shared->allocation_count;
++  printf ("info: successful call performs %u allocations\n",
++          maximum_allocation_count);
++  maximum_allocation_count += 10;
++
++  for (unsigned int inject_at = 0; inject_at <= maximum_allocation_count;
++       ++inject_at)
++    {
++      shared->allocation_count = 0;
++      shared->failing_allocation = inject_at;
++      support_isolate_in_subprocess (test_in_subprocess, regexp);
++    }
++
++  support_shared_free (shared);
++
++  return 0;
++}
++
++#include <support/test-driver.c>

SOURCES/glibc-RHEL-114260.patch

@@ -0,0 +1,45 @@
+commit 0fceed254559836b57ee05188deac649bc505d05
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Fri Sep 12 21:33:34 2025 +0200
+
+    nss: Group merge does not react to ERANGE during merge (bug 33361)
+    
+    The break statement in CHECK_MERGE is expected to exit the surrounding
+    while loop, not the do-while loop with in the macro.  Remove the
+    do-while loop from the macro.  It is not needed to turn the macro
+    expansion into a single statement due to the way CHECK_MERGE is used
+    (and the statement expression would cover this anyway).
+    
+    Reviewed-by: Collin Funk <collin.funk1@gmail.com>
+
+diff --git a/nss/getXXbyYY_r.c b/nss/getXXbyYY_r.c
+index eae6c3480e..2b0735fb6a 100644
+--- a/nss/getXXbyYY_r.c
++++ b/nss/getXXbyYY_r.c
+@@ -157,19 +157,15 @@ __merge_einval (LOOKUP_TYPE *a,
+ 
+ #define CHECK_MERGE(err, status)		\
+   ({						\
+-    do						\
++    if (err)					\
+       {						\
+-	if (err)				\
+-	  {					\
+-	    __set_errno (err);			\
+-	    if (err == ERANGE)			\
+-	      status = NSS_STATUS_TRYAGAIN;	\
+-	    else				\
+-	      status = NSS_STATUS_UNAVAIL;	\
+-	    break;				\
+-	  }					\
++	__set_errno (err);			\
++	if (err == ERANGE)			\
++	  status = NSS_STATUS_TRYAGAIN;		\
++	else					\
++	  status = NSS_STATUS_UNAVAIL;		\
++	break;					\
+       }						\
+-    while (0);					\
+   })
+ 
+ /* Type of the lookup function we need here.  */

SOURCES/glibc-RHEL-137185.patch

@@ -0,0 +1,30 @@
+commit 78fdb2d6b1c34ea8e779fd48f9436dfbd50b6387
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Thu Jan 8 12:35:08 2026 +0100
+
+    Switch currency symbol for the bg_BG locale to euro
+    
+    Bulgaria joined the eurozone on 2026-01-01.
+    
+    Suggested-by: Йордан Гигов <jgigov@abv.bg>
+    Reviewed-by: Collin Funk <collin.funk1@gmail.com>
+
+Conflicts: 
+	localedata/locales/bg_BG
+	  (Adjust for missing UTF-8 conversion and separator/grouping
+	   fixes downstream)
+
+diff -Nrup a/localedata/locales/bg_BG b/localedata/locales/bg_BG
+--- a/localedata/locales/bg_BG	2018-08-01 01:10:47.000000000 -0400
++++ b/localedata/locales/bg_BG	2026-04-09 15:01:50.118100059 -0400
+@@ -248,8 +248,8 @@ reorder-end
+ END LC_COLLATE
+ 
+ LC_MONETARY
+-int_curr_symbol           "BGN "
+-currency_symbol           "<U043B><U0432>."
++int_curr_symbol           "EUR "
++currency_symbol           "<U20AC>"
+ mon_decimal_point         ","
+ mon_thousands_sep         "<U202F>"
+ mon_grouping              3;3

SOURCES/glibc-RHEL-140104.patch

@@ -0,0 +1,59 @@
+commit 559010e471acb3cb292615b71b248aba73e5c2fe
+Author: Dragan Stanojević (Nevidljivi) <neville.ravenwood@gmail.com>
+Date:   Wed Feb 7 16:31:04 2024 +0100
+
+    localedata: hr_HR: change currency to EUR/€
+    
+    Resolves: BZ # 29845
+
+Conflicts:
+	localedata/locales/hr_HR
+	  (locale definitions do not use UTF-8 downstream)
+
+diff --git a/localedata/locales/hr_HR b/localedata/locales/hr_HR
+index 029a3794e2a17dcb..a13370461eede9c1 100644
+--- a/localedata/locales/hr_HR
++++ b/localedata/locales/hr_HR
+@@ -24,8 +24,8 @@ tel        ""
+ fax        ""
+ language   "Croatian"
+ territory  "Croatia"
+-revision   "2.3"
+-date       "2016-04-16"
++revision   "2.4"
++date       "2022-12-03"
+ 
+ category "i18n:2012";LC_IDENTIFICATION
+ category "i18n:2012";LC_CTYPE
+@@ -171,8 +171,8 @@ nostr   "ne"
+ END LC_MESSAGES
+ 
+ LC_MONETARY
+-int_curr_symbol           "HRK "
+-currency_symbol           "kn"
++int_curr_symbol           "EUR "
++currency_symbol           "<U20AC>"
+ mon_decimal_point         ","
+ mon_thousands_sep         "."
+ mon_grouping              3;3
+diff --git a/stdlib/tst-strfmon_l.c b/stdlib/tst-strfmon_l.c
+index 603d4b0c3d91818b..65313cd14b61dfe4 100644
+--- a/stdlib/tst-strfmon_l.c
++++ b/stdlib/tst-strfmon_l.c
+@@ -181,12 +181,12 @@ static const struct locale_pair tests[] =
+       "hr_HR.UTF-8",
+       {
+         {
+-          "HRK 1.234.567,89", "1.234.567,89 kn",
+-          "HRK 1234567,89", "1234567,89 kn"
++          "EUR 1.234.567,89", "1.234.567,89 €",
++          "EUR 1234567,89", "1234567,89 €"
+         },
+         {
+-          "-HRK 1.234.567,89", "-1.234.567,89 kn",
+-          "-HRK 1234567,89", "-1234567,89 kn"
++          "-EUR 1.234.567,89", "-1.234.567,89 €",
++          "-EUR 1234567,89", "-1234567,89 €"
+         }
+       }
+     },

SOURCES/glibc-RHEL-141849.patch

@@ -0,0 +1,70 @@
+commit e56ff82d5034ec66c6a78f517af6faa427f65b0b
+Author: Carlos O'Donell <carlos@redhat.com>
+Date:   Thu Jan 15 15:09:38 2026 -0500
+
+    resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915)
+    
+    The default network value of zero for net was never tested for and
+    results in a DNS query constructed from uninitialized stack bytes.
+    The solution is to provide a default query for the case where net
+    is zero.
+    
+    Adding a test case for this was straight forward given the existence of
+    tst-resolv-network and if the test is added without the fix you observe
+    this failure:
+    
+    FAIL: resolv/tst-resolv-network
+    original exit status 1
+    error: tst-resolv-network.c:174: invalid QNAME: \146\218\129\128
+    error: 1 test failures
+    
+    With a random QNAME resulting from the use of uninitialized stack bytes.
+    
+    After the fix the test passes.
+    
+    Additionally verified using wireshark before and after to ensure
+    on-the-wire bytes for the DNS query were as expected.
+    
+    No regressions on x86_64.
+    
+    Reviewed-by: Florian Weimer <fweimer@redhat.com>
+
+diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
+index 61bddd754f2d73c0..cbab554f1e761016 100644
+--- a/resolv/nss_dns/dns-network.c
++++ b/resolv/nss_dns/dns-network.c
+@@ -207,6 +207,10 @@ _nss_dns_getnetbyaddr_r (uint32_t net, int type, struct netent *result,
+       sprintf (qbuf, "%u.%u.%u.%u.in-addr.arpa", net_bytes[3], net_bytes[2],
+ 	       net_bytes[1], net_bytes[0]);
+       break;
++    default:
++      /* Default network (net is originally zero).  */
++      strcpy (qbuf, "0.0.0.0.in-addr.arpa");
++      break;
+     }
+ 
+   net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024);
+diff --git a/resolv/tst-resolv-network.c b/resolv/tst-resolv-network.c
+index 4b862d57e65276e5..afc1874160179fcc 100644
+--- a/resolv/tst-resolv-network.c
++++ b/resolv/tst-resolv-network.c
+@@ -46,6 +46,9 @@ handle_code (const struct resolv_response_context *ctx,
+ {
+   switch (code)
+     {
++    case 0:
++      send_ptr (b, qname, qclass, qtype, "0.in-addr.arpa");
++      break;
+     case 1:
+       send_ptr (b, qname, qclass, qtype, "1.in-addr.arpa");
+       break;
+@@ -259,6 +262,9 @@ do_test (void)
+                 "error: NO_RECOVERY\n");
+ 
+   /* Lookup by address, success cases.  */
++  check_reverse (0,
++                 "name: 0.in-addr.arpa\n"
++                 "net: 0x00000000\n");
+   check_reverse (1,
+                  "name: 1.in-addr.arpa\n"
+                  "net: 0x00000001\n");

SOURCES/glibc-RHEL-142194.patch

@@ -0,0 +1,84 @@
+commit 7b543dcdf97d07fd4346feb17916e08fe83ad0ae
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Thu Jan 15 22:29:46 2026 +0100
+
+    elf: Ignore LD_PROFILE if LD_PROFILE_OUTPUT is not set (bug 33797)
+
+    The previous default for LD_PROFILE_OUTPUT, /var/tmp, is insecure
+    because it's typically a 1777 directory, and other systems could
+    place malicious files there which interfere with execution.
+
+    Requiring the user to specify a profiling directory mitigates
+    the impact of bug 33797.  Clear LD_PROFILE_OUTPUT alongside
+    with LD_PROFILE.
+
+    Rework the test not to use predictable file names.
+
+    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+
+Conflicts:
+	elf/rtld.c
+	  (different implementation of environment variable filtering
+	  downstream, incorporate changes from upstream commit
+	  4a133885a7c8ae7ebe34e36fcdb353f8e94c810f, adjust for
+	  GLRO(_dl_profile_output) use in glibc-rh2047981-44.patch)
+	elf/tst-env-setuid.c
+	  (no LD_PROFILE test downstream)
+
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 48698f93a4873a6d..848f6f51d093f313 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -2684,11 +2684,9 @@ process_envvars (struct dl_main_state *state)
+   char *envline;
+   char *debug_output = NULL;
+ 
+-  /* This is the default place for profiling data file.  As a side
+-     effect, this marks ld.so as initialized, so that the rtld_active
+-     function returns true from now on.  */
+-  GLRO(dl_profile_output)
+-    = &"/var/tmp\0/var/profile"[__libc_enable_secure ? 9 : 0];
++  /* This marks ld.so as initialized, so that the rtld_active function
++     returns true from now on.  "" means no default.  */
++  GLRO(dl_profile_output) = "";
+ 
+   while ((envline = _dl_next_ld_env_entry (&runp)) != NULL)
+     {
+@@ -2738,7 +2736,8 @@ process_envvars (struct dl_main_state *state)
+ 	    }
+ 
+ 	  /* Which shared object shall be profiled.  */
+-	  if (memcmp (envline, "PROFILE", 7) == 0 && envline[8] != '\0')
++	  if (!__libc_enable_secure
++	      && memcmp (envline, "PROFILE", 7) == 0 && envline[8] != '\0')
+ 	    GLRO(dl_profile) = &envline[8];
+ 	  break;
+ 
+@@ -2899,6 +2898,15 @@ process_envvars (struct dl_main_state *state)
+ 	/* We use standard output if opening the file failed.  */
+ 	GLRO(dl_debug_fd) = STDOUT_FILENO;
+     }
++
++  /* There is no fixed, safe directory to store profiling data, so
++     activate LD_PROFILE only if LD_PROFILE_OUTPUT is set as well.  */
++  if (GLRO(dl_profile) != NULL && *GLRO(dl_profile_output) == '\0')
++    {
++      _dl_error_printf ("\
++warning: LD_PROFILE ignored because LD_PROFILE_OUTPUT not specified\n");
++      GLRO(dl_profile) = NULL;
++    }
+ }
+ 
+ #if HP_TIMING_INLINE
+diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h
+index 5ea8a4a259ef753c..0b84642f71ae9351 100644
+--- a/sysdeps/generic/unsecvars.h
++++ b/sysdeps/generic/unsecvars.h
+@@ -21,6 +21,7 @@
+   "LD_ORIGIN_PATH\0"							      \
+   "LD_PRELOAD\0"							      \
+   "LD_PROFILE\0"							      \
++  "LD_PROFILE_OUTPUT\0"						              \
+   "LD_SHOW_AUXV\0"							      \
+   "LD_USE_LOAD_BIAS\0"							      \
+   "LOCALDOMAIN\0"							      \

SOURCES/glibc-RHEL-142787-1.patch

@@ -0,0 +1,174 @@
+commit 80cc58ea2de214f85b0a1d902a3b668ad2ecb302
+Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
+Date:   Thu Jan 15 10:32:19 2026 -0300
+
+    posix: Reset wordexp_t fields with WRDE_REUSE (CVE-2025-15281 / BZ 33814)
+
+    The wordexp fails to properly initialize the input wordexp_t when
+    WRDE_REUSE is used. The wordexp_t struct is properly freed, but
+    reuses the old wc_wordc value and updates the we_wordv in the
+    wrong position.  A later wordfree will then call free with an
+    invalid pointer.
+
+    Checked on x86_64-linux-gnu and i686-linux-gnu.
+
+    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+
+Conflicts:
+	posix/Makefile
+	  (Makefile not sorted downstream)
+
+diff --git a/posix/Makefile b/posix/Makefile
+index 42a0290370b40fd9..e546b8d667b9c6c4 100644
+--- a/posix/Makefile
++++ b/posix/Makefile
+@@ -96,7 +96,8 @@ tests		:= test-errno tstgetopt testfnm runtests runptests \
+ 		   tst-posix_fadvise tst-posix_fadvise64 \
+ 		   tst-sysconf-empty-chroot tst-glob_symlinks tst-fexecve \
+ 		   tst-glob-tilde test-ssize-max tst-spawn4 bug-regex37 \
+-		   bug-regex38 tst-regcomp-truncated tst-regcomp-bracket-free
++		   bug-regex38 tst-regcomp-truncated tst-regcomp-bracket-free \
++		   tst-wordexp-reuse
+ tests-internal	:= bug-regex5 bug-regex20 bug-regex33 \
+ 		   tst-rfc3484 tst-rfc3484-2 tst-rfc3484-3 \
+ 		   tst-glob_lstat_compat tst-spawn4-compat
+@@ -128,7 +129,8 @@ generated += $(addprefix wordexp-test-result, 1 2 3 4 5 6 7 8 9 10) \
+ 	     tst-boost.mtrace bug-ga2.mtrace bug-ga2-mem.out \
+ 	     bug-glob2.mtrace bug-glob2-mem.out tst-vfork3-mem.out \
+ 	     tst-vfork3.mtrace getconf.speclist tst-fnmatch-mem.out \
+-	     tst-fnmatch.mtrace bug-regex36.mtrace
++	     tst-fnmatch.mtrace bug-regex36.mtrace \
++	     tst-wordexp-reuse-mem.out tst-wordexp-reuse.mtrace
+ 
+ ifeq ($(run-built-tests),yes)
+ ifeq (yes,$(build-shared))
+@@ -146,7 +148,8 @@ tests-special += $(objpfx)bug-regex2-mem.out $(objpfx)bug-regex14-mem.out \
+ 		 $(objpfx)tst-boost-mem.out $(objpfx)tst-getconf.out \
+ 		 $(objpfx)bug-glob2-mem.out $(objpfx)tst-vfork3-mem.out \
+ 		 $(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out \
+-		 $(objpfx)tst-glob-tilde-mem.out
++		 $(objpfx)tst-glob-tilde-mem.out \
++		 $(objpfx)tst-wordexp-reuse.out
+ xtests-special += $(objpfx)bug-ga2-mem.out
+ endif
+ 
+@@ -387,3 +390,10 @@ $(objpfx)posix-conf-vars-def.h: $(..)scripts/gen-posix-conf-vars.awk \
+ 	$(make-target-directory)
+ 	$(AWK) -f $(filter-out Makefile, $^) > $@.tmp
+ 	mv -f $@.tmp $@
++
++tst-wordexp-reuse-ENV += MALLOC_TRACE=$(objpfx)tst-wordexp-reuse.mtrace \
++			 LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
++
++$(objpfx)tst-wordexp-reuse-mem.out: $(objpfx)tst-wordexp-reuse.out
++	$(common-objpfx)malloc/mtrace $(objpfx)tst-wordexp-reuse.mtrace > $@; \
++	$(evaluate-test)
+diff --git a/posix/tst-wordexp-reuse.c b/posix/tst-wordexp-reuse.c
+new file mode 100644
+index 0000000000000000..3926b9f5576750ac
+--- /dev/null
++++ b/posix/tst-wordexp-reuse.c
+@@ -0,0 +1,89 @@
++/* Test for wordexp with WRDE_REUSE flag.
++   Copyright (C) 2026 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#include <wordexp.h>
++#include <mcheck.h>
++
++#include <support/check.h>
++
++static int
++do_test (void)
++{
++  mtrace ();
++
++  {
++    wordexp_t p = { 0 };
++    TEST_COMPARE (wordexp ("one", &p, 0), 0);
++    TEST_COMPARE (p.we_wordc, 1);
++    TEST_COMPARE_STRING (p.we_wordv[0], "one");
++    TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE), 0);
++    TEST_COMPARE (p.we_wordc, 1);
++    TEST_COMPARE_STRING (p.we_wordv[0], "two");
++    wordfree (&p);
++  }
++
++  {
++    wordexp_t p = { .we_offs = 2 };
++    TEST_COMPARE (wordexp ("one", &p, 0), 0);
++    TEST_COMPARE (p.we_wordc, 1);
++    TEST_COMPARE_STRING (p.we_wordv[0], "one");
++    TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE | WRDE_DOOFFS), 0);
++    TEST_COMPARE (p.we_wordc, 1);
++    TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "two");
++    wordfree (&p);
++  }
++
++  {
++    wordexp_t p = { 0 };
++    TEST_COMPARE (wordexp ("one", &p, 0), 0);
++    TEST_COMPARE (p.we_wordc, 1);
++    TEST_COMPARE_STRING (p.we_wordv[0], "one");
++    TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE | WRDE_APPEND), 0);
++    TEST_COMPARE (p.we_wordc, 1);
++    TEST_COMPARE_STRING (p.we_wordv[0], "two");
++    wordfree (&p);
++  }
++
++  {
++    wordexp_t p = { .we_offs = 2 };
++    TEST_COMPARE (wordexp ("one", &p, WRDE_DOOFFS), 0);
++    TEST_COMPARE (p.we_wordc, 1);
++    TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "one");
++    TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE
++				      | WRDE_DOOFFS), 0);
++    TEST_COMPARE (p.we_wordc, 1);
++    TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "two");
++    wordfree (&p);
++  }
++
++  {
++    wordexp_t p = { .we_offs = 2 };
++    TEST_COMPARE (wordexp ("one", &p, WRDE_DOOFFS), 0);
++    TEST_COMPARE (p.we_wordc, 1);
++    TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "one");
++    TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE
++				      | WRDE_DOOFFS | WRDE_APPEND), 0);
++    TEST_COMPARE (p.we_wordc, 1);
++    TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "two");
++    wordfree (&p);
++  }
++
++  return 0;
++}
++
++#include <support/test-driver.c>
+diff --git a/posix/wordexp.c b/posix/wordexp.c
+index 4061969c720f1f34..0f503b1877d2ce5b 100644
+--- a/posix/wordexp.c
++++ b/posix/wordexp.c
+@@ -2241,7 +2241,9 @@ wordexp (const char *words, wordexp_t *pwordexp, int flags)
+     {
+       /* Minimal implementation of WRDE_REUSE for now */
+       wordfree (pwordexp);
++      old_word.we_wordc = 0;
+       old_word.we_wordv = NULL;
++      pwordexp->we_wordc = 0;
+     }
+ 
+   if ((flags & WRDE_APPEND) == 0)

SOURCES/glibc-RHEL-142787-2.patch

@@ -0,0 +1,29 @@
+commit bed2db02f3183e93f21d506786c5f884a1dec9e7
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Mon Jan 26 17:12:37 2026 +0100
+
+    posix: Run tst-wordexp-reuse-mem test
+
+    The test was not properly scheduled for execution with a Makefile
+    dependency.
+
+    Fixes commit 80cc58ea2de214f85b0a1d902a3b668ad2ecb302 ("posix: Reset
+    wordexp_t fields with WRDE_REUSE (CVE-2025-15281 / BZ 33814").
+
+Conflicts:
+	posix/Makefile
+	  (Makefile not sorted downstream)
+
+diff --git a/posix/Makefile b/posix/Makefile
+index e546b8d667b9c6c4..b399b1dab0a8cb9c 100644
+--- a/posix/Makefile
++++ b/posix/Makefile
+@@ -149,7 +149,7 @@ tests-special += $(objpfx)bug-regex2-mem.out $(objpfx)bug-regex14-mem.out \
+ 		 $(objpfx)bug-glob2-mem.out $(objpfx)tst-vfork3-mem.out \
+ 		 $(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out \
+ 		 $(objpfx)tst-glob-tilde-mem.out \
+-		 $(objpfx)tst-wordexp-reuse.out
++		 $(objpfx)tst-wordexp-reuse-mem.out
+ xtests-special += $(objpfx)bug-ga2-mem.out
+ endif
+