From 3ac034a90bf3d23b02c420a19fd6cde6c7fb0af9 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Wed, 23 Jul 2025 09:09:13 +0200
Subject: [PATCH] iconv: Do not create executable output files (RHEL-103952)

---
 glibc-RHEL-103952.patch | 51 +++++++++++++++++++++++++++++++++++++++++
 glibc.spec              |  6 ++++-
 2 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 glibc-RHEL-103952.patch

diff --git a/glibc-RHEL-103952.patch b/glibc-RHEL-103952.patch
new file mode 100644
index 0000000..22c522f
--- /dev/null
+++ b/glibc-RHEL-103952.patch
@@ -0,0 +1,51 @@
+commit cdcf24ee14c27b77744ff52ab3ae852821207eb0
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Thu Jul 17 14:44:05 2025 +0200
+
+    iconv: iconv -o should not create executable files (bug 33164)
+    
+    The mistake is that open must use 0666 to pick up the umask,
+    and not 0777 (which is required by mkdir).
+    
+    Fixes commit 8ef3cff9d1ceafe369f982d980678d749fb93bd2
+    ("iconv: Support in-place conversions (bug 10460, bug 32033)").
+    
+    Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
+
+diff --git a/iconv/iconv_prog.c b/iconv/iconv_prog.c
+index e3b051a309ff142b..08ea99d6adf6ea86 100644
+--- a/iconv/iconv_prog.c
++++ b/iconv/iconv_prog.c
+@@ -437,7 +437,7 @@ input_error (const char *path)
+ static void
+ open_output_direct (void)
+ {
+-  output_fd = open64 (output_file, O_WRONLY | O_CREAT | O_TRUNC, 0777);
++  output_fd = open64 (output_file, O_WRONLY | O_CREAT | O_TRUNC, 0666);
+   if (output_fd < 0)
+     output_error ();
+ }
+@@ -458,7 +458,7 @@ prepare_output_file (char **argv)
+   else
+     {
+       /* If iconv creates the output file, no overlap is possible.  */
+-      output_fd = open64 (output_file, O_WRONLY | O_CREAT | O_EXCL, 0777);
++      output_fd = open64 (output_file, O_WRONLY | O_CREAT | O_EXCL, 0666);
+       if (output_fd >= 0)
+ 	output_buffer_size = copy_buffer_size;
+       else
+diff --git a/iconv/tst-iconv_prog-buffer.sh b/iconv/tst-iconv_prog-buffer.sh
+index 23098ac56a344c48..562f90fe513e94d7 100644
+--- a/iconv/tst-iconv_prog-buffer.sh
++++ b/iconv/tst-iconv_prog-buffer.sh
+@@ -75,6 +75,10 @@ run_iconv () {
+ }
+ 
+ check_out_expected () {
++    if test -x "$tmp/out" ; then
++	echo "error: iconv output file is executable"
++	failure=true
++    fi
+     if ! cmp -s "$tmp/out" "$tmp/expected" ; then
+         echo "error: iconv output difference" >&$logfd
+         echo "*** expected ***" >&$logfd
diff --git a/glibc.spec b/glibc.spec
index c68393a..425b2d5 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -157,7 +157,7 @@ end \
 Summary: The GNU libc libraries
 Name: glibc
 Version: %{glibcversion}
-Release: 216%{?dist}
+Release: 217%{?dist}
 
 # In general, GPLv2+ is used by programs, LGPLv2+ is used for
 # libraries.
@@ -1321,6 +1321,7 @@ Patch1011: glibc-RHEL-93320-16.patch
 Patch1012: glibc-RHEL-93320-17.patch
 Patch1013: glibc-RHEL-93320-18.patch
 Patch1014: glibc-RHEL-93320-19.patch
+Patch1015: glibc-RHEL-103952.patch
 
 ##############################################################################
 # Continued list of core "glibc" package information:
@@ -3318,6 +3319,9 @@ update_gconv_modules_cache ()
 %endif
 
 %changelog
+* Wed Jul 23 2025 Florian Weimer  <fweimer@redhat.com> - 2.34-217
+- iconv: Do not create executable output files (RHEL-103952)
+
 * Mon Jul 14 2025 Benjamin Herrenschmidt <benh@amazon.com> - 2.34-216
 - Backport GLIBC_2.35 libc symbols incl. _dl_find_object (RHEL-93320)