From 80dab3f1f1eacb74447cce95c425ec3291b01f0b Mon Sep 17 00:00:00 2001 From: Patsy Griffin Date: Thu, 25 Jun 2026 15:49:42 -0400 Subject: [PATCH] CVE-2026-5928: Fix ungetwc operating on byte stream (RHEL-181725) Resolves: RHEL-181725 --- glibc-RHEL-181725.patch | 108 ++++++++++++++++++++++++++++++++++++++++ glibc.spec | 10 ++-- 2 files changed, 115 insertions(+), 3 deletions(-) create mode 100644 glibc-RHEL-181725.patch diff --git a/glibc-RHEL-181725.patch b/glibc-RHEL-181725.patch new file mode 100644 index 0000000..288c54c --- /dev/null +++ b/glibc-RHEL-181725.patch @@ -0,0 +1,108 @@ +commit ef3bfb5f910011f3780cb06aa47e730035f53285 +Author: Rocket Ma +Date: Fri May 1 20:39:07 2026 -0700 + + libio: Fix ungetwc operating on byte stream [BZ #33998] + + * libio/wgenops.c: When _IO_wdefault_pbackfail attempts to push back one + character, it accidently compare the wchar to push back with the last + char from byte stream, instead of wide stream. Under specific coding, + attacker may exploit this to leak information. This commit fix bug + 33998, or CVE-2026-5928. + + Signed-off-by: Rocket Ma + Reviewed-by: Carlos O'Donell + +Conflicts: + libio/Makefile + (Usual conflict when adding tests due to missing backports.) + +diff -Nrup a/libio/Makefile b/libio/Makefile +--- a/libio/Makefile 2026-06-25 12:22:31.811580535 -0400 ++++ b/libio/Makefile 2026-06-25 12:26:47.978009204 -0400 +@@ -58,8 +58,8 @@ tests = tst_swprintf tst_wprintf tst_sws + tst-freopen bug-rewind bug-rewind2 bug-ungetc bug-fseek \ + tst-mmap-eofsync tst-mmap-fflushsync bug-mmap-fflush \ + tst-mmap2-eofsync tst-mmap-offend bug-fopena+ bug-wfflush \ +- bug-ungetc2 bug-ftell bug-ungetc3 bug-ungetc4 tst-fopenloc2 \ +- tst-memstream1 tst-memstream2 tst-memstream3 \ ++ bug-wgenops-bz33998 bug-ungetc2 bug-ftell bug-ungetc3 bug-ungetc4 \ ++ tst-fopenloc2 tst-memstream1 tst-memstream2 tst-memstream3 \ + tst-wmemstream1 tst-wmemstream2 tst-wmemstream3 \ + bug-memstream1 bug-wmemstream1 \ + tst-setvbuf1 tst-popen-fork tst-popen1 tst-fgetwc bug-wsetpos tst-fseek \ +diff --git a/libio/bug-wgenops-bz33998.c b/libio/bug-wgenops-bz33998.c +new file mode 100644 +index 0000000000..cc4067da99 +--- /dev/null ++++ b/libio/bug-wgenops-bz33998.c +@@ -0,0 +1,54 @@ ++/* Regression test for ungetwc operating on byte stream (BZ #33998) ++ Copyright (C) 2026 The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include "support/temp_file.h" ++#include "support/xstdio.h" ++#include "support/xunistd.h" ++#include ++#include ++#include ++#include ++#include ++#include ++ ++static int ++do_test (void) ++{ ++ char *filename; ++ int fd = create_temp_file ("tst-bz33998-", &filename); ++ TEST_VERIFY (fd != -1); ++ xwrite (fd, "A", sizeof ("A")); // write "A\0" by design ++ xclose (fd); ++ ++ FILE *fp = xfopen (filename, "r+"); ++ TEST_COMPARE (getwc (fp), L'A'); ++ /* If the bug is fixed, then ungetwc should not touch byte stream. ++ If the bug is not fixed, ungetwc firstly match last read char, L'A', ++ failed, then the pbackfail branch, matching last read char in byte ++ stream, that is, '\0' (initialized when setup wide stream). */ ++ char *old_read_ptr = fp->_IO_read_ptr; ++ TEST_COMPARE (ungetwc (L'\0', fp), L'\0'); ++ TEST_VERIFY (fp->_IO_read_ptr == old_read_ptr); ++ ++ xfclose (fp); ++ free (filename); ++ ++ return 0; ++} ++ ++#include +diff --git a/libio/wgenops.c b/libio/wgenops.c +index 6829477e0c..5f36bc49a1 100644 +--- a/libio/wgenops.c ++++ b/libio/wgenops.c +@@ -110,8 +110,8 @@ _IO_wdefault_pbackfail (FILE *fp, wint_t c) + { + if (fp->_wide_data->_IO_read_ptr > fp->_wide_data->_IO_read_base + && !_IO_in_backup (fp) +- && (wint_t) fp->_IO_read_ptr[-1] == c) +- --fp->_IO_read_ptr; ++ && (wint_t) fp->_wide_data->_IO_read_ptr[-1] == c) ++ --fp->_wide_data->_IO_read_ptr; + else + { + /* Need to handle a filebuf in write mode (switch to read mode). FIXME!*/ diff --git a/glibc.spec b/glibc.spec index 2a58424..0c97429 100644 --- a/glibc.spec +++ b/glibc.spec @@ -115,7 +115,7 @@ end \ Summary: The GNU libc libraries Name: glibc Version: %{glibcversion} -Release: %{glibcrelease}.38 +Release: %{glibcrelease}.39 # In general, GPLv2+ is used by programs, LGPLv2+ is used for # libraries. @@ -1334,6 +1334,7 @@ Patch1099: glibc-RHEL-172700-1.patch Patch1100: glibc-RHEL-172700-2.patch Patch1101: glibc-RHEL-172700-3.patch Patch1102: glibc-RHEL-172700-4.patch +Patch1103: glibc-RHEL-181725.patch ############################################################################## # Continued list of core "glibc" package information: @@ -2995,8 +2996,11 @@ fi %{_libdir}/libpthread_nonshared.a %changelog - * Tue Jun 02 2026 Patsy Griffin - 2.28-251.38 - - CVE-2026-5450: Fix buffer overflow in scanf (RHEL-172700) +* Thu Jun 25 2026 Patsy Griffin - 2.28-251.39 +- CVE-2026-5928: Fix ungetwc operating on byte stream (RHEL-181725) + +* Tue Jun 02 2026 Patsy Griffin - 2.28-251.38 +- CVE-2026-5450: Fix buffer overflow in scanf (RHEL-172700) * Mon May 11 2026 Arjun Shankar - 2.28-251.37 - Add tests for CVE-2026-4437 and CVE-2026-4438 (RHEL-173358)