From 9a32375fe89a6cca4384bea2b53c4d97132861ef Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 17 Feb 2026 09:48:13 +0000 Subject: [PATCH] import UBI glibc-2.34-231.el9_7.10 --- SOURCES/glibc-RHEL-141738.patch | 86 +++++++++++++ SOURCES/glibc-RHEL-141851.patch | 70 ++++++++++ SOURCES/glibc-RHEL-142194-2.patch | 52 ++++++++ SOURCES/glibc-RHEL-142194-3.patch | 41 ++++++ SOURCES/glibc-RHEL-142194.patch | 58 +++++++++ SOURCES/glibc-RHEL-144079-1.patch | 172 +++++++++++++++++++++++++ SOURCES/glibc-RHEL-144079-2.patch | 29 +++++ SOURCES/glibc-RHEL-145151.patch | 39 ++++++ SOURCES/patch-git-generated-commit.txt | 2 +- SOURCES/patch-git-generated-log.txt | 155 ++++++++++++++++++++++ SOURCES/patch-git.lua | 16 ++- 11 files changed, 714 insertions(+), 6 deletions(-) create mode 100644 SOURCES/glibc-RHEL-141738.patch create mode 100644 SOURCES/glibc-RHEL-141851.patch create mode 100644 SOURCES/glibc-RHEL-142194-2.patch create mode 100644 SOURCES/glibc-RHEL-142194-3.patch create mode 100644 SOURCES/glibc-RHEL-142194.patch create mode 100644 SOURCES/glibc-RHEL-144079-1.patch create mode 100644 SOURCES/glibc-RHEL-144079-2.patch create mode 100644 SOURCES/glibc-RHEL-145151.patch diff --git a/SOURCES/glibc-RHEL-141738.patch b/SOURCES/glibc-RHEL-141738.patch new file mode 100644 index 0000000..98fe129 --- /dev/null +++ b/SOURCES/glibc-RHEL-141738.patch @@ -0,0 +1,86 @@ +commit c9188d333717d3ceb7e3020011651f424f749f93 +Author: Siddhesh Poyarekar +Date: Thu Jan 15 06:06:40 2026 -0500 + + memalign: reinstate alignment overflow check (CVE-2026-0861) + + The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the + overflow check for alignment in memalign functions, _mid_memalign and + _int_memalign. Reinstate the overflow check in _int_memalign, aligned + with the PTRDIFF_MAX change since that is directly responsible for the + CVE. The missing _mid_memalign check is not relevant (and does not have + a security impact) and may need a different approach to fully resolve, + so it has been omitted. + + CVE-Id: CVE-2026-0861 + Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206 + Reported-by: Igor Morgenstern, Aisle Research + Fixes: BZ #33796 + Reviewed-by: Wilco Dijkstra + Signed-off-by: Siddhesh Poyarekar + +Conflicts: + malloc/malloc.c + (old checked_request2size interface downstream) + +diff --git a/malloc/malloc.c b/malloc/malloc.c +index fe80b8239756a7c9..8d2ede60d93e433f 100644 +--- a/malloc/malloc.c ++++ b/malloc/malloc.c +@@ -4815,7 +4815,7 @@ _int_memalign (mstate av, size_t alignment, size_t bytes) + + + +- if (!checked_request2size (bytes, &nb)) ++ if (!checked_request2size (bytes, &nb) || alignment > PTRDIFF_MAX) + { + __set_errno (ENOMEM); + return NULL; +@@ -4826,8 +4826,10 @@ _int_memalign (mstate av, size_t alignment, size_t bytes) + request, and then possibly free the leading and trailing space. + */ + +- /* Call malloc with worst case padding to hit alignment. */ +- ++ /* Call malloc with worst case padding to hit alignment. ALIGNMENT is a ++ power of 2, so it tops out at (PTRDIFF_MAX >> 1) + 1, leaving plenty of ++ space to add MINSIZE and whatever checked_request2size adds to BYTES to ++ get NB. Consequently, total below also does not overflow. */ + m = (char *) (_int_malloc (av, nb + alignment + MINSIZE)); + + if (m == 0) +diff --git a/malloc/tst-malloc-too-large.c b/malloc/tst-malloc-too-large.c +index 328b4a2a4fd72cf4..593381520c40cb84 100644 +--- a/malloc/tst-malloc-too-large.c ++++ b/malloc/tst-malloc-too-large.c +@@ -151,7 +151,6 @@ test_large_allocations (size_t size) + } + + +-static long pagesize; + + /* This function tests the following aligned memory allocation functions + using several valid alignments and precedes each allocation test with a +@@ -170,8 +169,8 @@ test_large_aligned_allocations (size_t size) + + /* All aligned memory allocation functions expect an alignment that is a + power of 2. Given this, we test each of them with every valid +- alignment from 1 thru PAGESIZE. */ +- for (align = 1; align <= pagesize; align *= 2) ++ alignment for the type of ALIGN, i.e. until it wraps to 0. */ ++ for (align = 1; align > 0; align <<= 1) + { + test_setup (); + #if __GNUC_PREREQ (7, 0) +@@ -264,11 +263,6 @@ do_test (void) + DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than="); + #endif + +- /* Aligned memory allocation functions need to be tested up to alignment +- size equivalent to page size, which should be a power of 2. */ +- pagesize = sysconf (_SC_PAGESIZE); +- TEST_VERIFY_EXIT (powerof2 (pagesize)); +- + /* Loop 1: Ensure that all allocations with SIZE close to SIZE_MAX, i.e. + in the range (SIZE_MAX - 2^14, SIZE_MAX], fail. + diff --git a/SOURCES/glibc-RHEL-141851.patch b/SOURCES/glibc-RHEL-141851.patch new file mode 100644 index 0000000..1d3cf7f --- /dev/null +++ b/SOURCES/glibc-RHEL-141851.patch @@ -0,0 +1,70 @@ +commit e56ff82d5034ec66c6a78f517af6faa427f65b0b +Author: Carlos O'Donell +Date: Thu Jan 15 15:09:38 2026 -0500 + + resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915) + + The default network value of zero for net was never tested for and + results in a DNS query constructed from uninitialized stack bytes. + The solution is to provide a default query for the case where net + is zero. + + Adding a test case for this was straight forward given the existence of + tst-resolv-network and if the test is added without the fix you observe + this failure: + + FAIL: resolv/tst-resolv-network + original exit status 1 + error: tst-resolv-network.c:174: invalid QNAME: \146\218\129\128 + error: 1 test failures + + With a random QNAME resulting from the use of uninitialized stack bytes. + + After the fix the test passes. + + Additionally verified using wireshark before and after to ensure + on-the-wire bytes for the DNS query were as expected. + + No regressions on x86_64. + + Reviewed-by: Florian Weimer + +diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c +index 74b78959c230a8e3..1912fef6f2284c2d 100644 +--- a/resolv/nss_dns/dns-network.c ++++ b/resolv/nss_dns/dns-network.c +@@ -208,6 +208,10 @@ _nss_dns_getnetbyaddr_r (uint32_t net, int type, struct netent *result, + sprintf (qbuf, "%u.%u.%u.%u.in-addr.arpa", net_bytes[3], net_bytes[2], + net_bytes[1], net_bytes[0]); + break; ++ default: ++ /* Default network (net is originally zero). */ ++ strcpy (qbuf, "0.0.0.0.in-addr.arpa"); ++ break; + } + + net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024); +diff --git a/resolv/tst-resolv-network.c b/resolv/tst-resolv-network.c +index 156cb5692b6a9a28..febb447f60814498 100644 +--- a/resolv/tst-resolv-network.c ++++ b/resolv/tst-resolv-network.c +@@ -46,6 +46,9 @@ handle_code (const struct resolv_response_context *ctx, + { + switch (code) + { ++ case 0: ++ send_ptr (b, qname, qclass, qtype, "0.in-addr.arpa"); ++ break; + case 1: + send_ptr (b, qname, qclass, qtype, "1.in-addr.arpa"); + break; +@@ -265,6 +268,9 @@ do_test (void) + "error: TRY_AGAIN\n"); + + /* Lookup by address, success cases. */ ++ check_reverse (0, ++ "name: 0.in-addr.arpa\n" ++ "net: 0x00000000\n"); + check_reverse (1, + "name: 1.in-addr.arpa\n" + "net: 0x00000001\n"); diff --git a/SOURCES/glibc-RHEL-142194-2.patch b/SOURCES/glibc-RHEL-142194-2.patch new file mode 100644 index 0000000..fa52d55 --- /dev/null +++ b/SOURCES/glibc-RHEL-142194-2.patch @@ -0,0 +1,52 @@ +commit 4a133885a7c8ae7ebe34e36fcdb353f8e94c810f +Author: Adhemerval Zanella +Date: Mon Nov 6 17:25:45 2023 -0300 + + elf: Ignore LD_PROFILE for setuid binaries + + Loader does not ignore LD_PROFILE in secure-execution mode (different + than man-page states [1]), rather it uses a different path + (/var/profile) and ignore LD_PROFILE_OUTPUT. + + Allowing secure-execution profiling is already a non good security + boundary, since it enables different code paths and extra OS access by + the process. But by ignoring LD_PROFILE_OUTPUT, the resulting profile + file might also be acceded in a racy manner since the file name does not + use any process-specific information (such as pid, timing, etc.). + + Another side-effect is it forces lazy binding even on libraries that + might be with DF_BIND_NOW. + + [1] https://man7.org/linux/man-pages/man8/ld.so.8.html + Reviewed-by: Siddhesh Poyarekar + +Conflicts: + elf/Makefile + elf/tst-env-setuid.c + (test does not have LD_PROFILE support downstream) + +diff --git a/elf/rtld.c b/elf/rtld.c +index 1fbfc65a38e19110..44546e8e158e7b9c 100644 +--- a/elf/rtld.c ++++ b/elf/rtld.c +@@ -2761,10 +2761,6 @@ process_envvars (struct dl_main_state *state) + char *envline; + char *debug_output = NULL; + +- /* This is the default place for profiling data file. */ +- GLRO(dl_profile_output) +- = &"/var/tmp\0/var/profile"[__libc_enable_secure ? 9 : 0]; +- + while ((envline = _dl_next_ld_env_entry (&runp)) != NULL) + { + size_t len = 0; +@@ -2813,7 +2809,8 @@ process_envvars (struct dl_main_state *state) + } + + /* Which shared object shall be profiled. */ +- if (memcmp (envline, "PROFILE", 7) == 0 && envline[8] != '\0') ++ if (!__libc_enable_secure ++ && memcmp (envline, "PROFILE", 7) == 0 && envline[8] != '\0') + GLRO(dl_profile) = &envline[8]; + break; + diff --git a/SOURCES/glibc-RHEL-142194-3.patch b/SOURCES/glibc-RHEL-142194-3.patch new file mode 100644 index 0000000..f22de71 --- /dev/null +++ b/SOURCES/glibc-RHEL-142194-3.patch @@ -0,0 +1,41 @@ +Downstream-only patch to move the LD_PROFILE_OUTPUT check to the right +place, after it was added in the middle of an if statement in +glibc-RHEL-142194-1.patch. + +diff --git a/elf/rtld.c b/elf/rtld.c +index 44546e8e158e7b9c..b788857924e5a388 100644 +--- a/elf/rtld.c ++++ b/elf/rtld.c +@@ -2951,16 +2951,6 @@ process_envvars (struct dl_main_state *state) + if (state->mode != rtld_mode_normal) + _exit (5); + } +- +- /* There is no fixed, safe directory to store profiling data, so +- activate LD_PROFILE only if LD_PROFILE_OUTPUT is set as well. */ +- if (GLRO(dl_profile) != NULL && GLRO(dl_profile_output) == NULL) +- { +- _dl_error_printf ("\ +-warning: LD_PROFILE ignored because LD_PROFILE_OUTPUT not specified\n"); +- GLRO(dl_profile) = NULL; +- } +- + /* If we have to run the dynamic linker in debugging mode and the + LD_DEBUG_OUTPUT environment variable is given, we write the debug + messages to this file. */ +@@ -2981,6 +2971,15 @@ warning: LD_PROFILE ignored because LD_PROFILE_OUTPUT not specified\n"); + /* We use standard output if opening the file failed. */ + GLRO(dl_debug_fd) = STDOUT_FILENO; + } ++ ++ /* There is no fixed, safe directory to store profiling data, so ++ activate LD_PROFILE only if LD_PROFILE_OUTPUT is set as well. */ ++ if (GLRO(dl_profile) != NULL && GLRO(dl_profile_output) == NULL) ++ { ++ _dl_error_printf ("\ ++warning: LD_PROFILE ignored because LD_PROFILE_OUTPUT not specified\n"); ++ GLRO(dl_profile) = NULL; ++ } + } + + #if HP_TIMING_INLINE diff --git a/SOURCES/glibc-RHEL-142194.patch b/SOURCES/glibc-RHEL-142194.patch new file mode 100644 index 0000000..8f2ee5c --- /dev/null +++ b/SOURCES/glibc-RHEL-142194.patch @@ -0,0 +1,58 @@ +commit 7b543dcdf97d07fd4346feb17916e08fe83ad0ae +Author: Florian Weimer +Date: Thu Jan 15 22:29:46 2026 +0100 + + elf: Ignore LD_PROFILE if LD_PROFILE_OUTPUT is not set (bug 33797) + + The previous default for LD_PROFILE_OUTPUT, /var/tmp, is insecure + because it's typically a 1777 directory, and other systems could + place malicious files there which interfere with execution. + + Requiring the user to specify a profiling directory mitigates + the impact of bug 33797. Clear LD_PROFILE_OUTPUT alongside + with LD_PROFILE. + + Rework the test not to use predictable file names. + + Reviewed-by: Carlos O'Donell + +Conflicts: + elf/rtld.c + (different implementation of environment variable filtering + downstream) + elf/tst-env-setuid.c + (no LD_PROFILE test downstream) + +diff --git a/elf/rtld.c b/elf/rtld.c +index 425003e6c8e452ab..1fbfc65a38e19110 100644 +--- a/elf/rtld.c ++++ b/elf/rtld.c +@@ -2954,6 +2954,16 @@ process_envvars (struct dl_main_state *state) + if (state->mode != rtld_mode_normal) + _exit (5); + } ++ ++ /* There is no fixed, safe directory to store profiling data, so ++ activate LD_PROFILE only if LD_PROFILE_OUTPUT is set as well. */ ++ if (GLRO(dl_profile) != NULL && GLRO(dl_profile_output) == NULL) ++ { ++ _dl_error_printf ("\ ++warning: LD_PROFILE ignored because LD_PROFILE_OUTPUT not specified\n"); ++ GLRO(dl_profile) = NULL; ++ } ++ + /* If we have to run the dynamic linker in debugging mode and the + LD_DEBUG_OUTPUT environment variable is given, we write the debug + messages to this file. */ +diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h +index 5ea8a4a259ef753c..0b84642f71ae9351 100644 +--- a/sysdeps/generic/unsecvars.h ++++ b/sysdeps/generic/unsecvars.h +@@ -21,6 +21,7 @@ + "LD_ORIGIN_PATH\0" \ + "LD_PRELOAD\0" \ + "LD_PROFILE\0" \ ++ "LD_PROFILE_OUTPUT\0" \ + "LD_SHOW_AUXV\0" \ + "LD_USE_LOAD_BIAS\0" \ + "LOCALDOMAIN\0" \ diff --git a/SOURCES/glibc-RHEL-144079-1.patch b/SOURCES/glibc-RHEL-144079-1.patch new file mode 100644 index 0000000..be5ed54 --- /dev/null +++ b/SOURCES/glibc-RHEL-144079-1.patch @@ -0,0 +1,172 @@ +commit 80cc58ea2de214f85b0a1d902a3b668ad2ecb302 +Author: Adhemerval Zanella +Date: Thu Jan 15 10:32:19 2026 -0300 + + posix: Reset wordexp_t fields with WRDE_REUSE (CVE-2025-15281 / BZ 33814) + + The wordexp fails to properly initialize the input wordexp_t when + WRDE_REUSE is used. The wordexp_t struct is properly freed, but + reuses the old wc_wordc value and updates the we_wordv in the + wrong position. A later wordfree will then call free with an + invalid pointer. + + Checked on x86_64-linux-gnu and i686-linux-gnu. + + Reviewed-by: Carlos O'Donell + +Conflicts: + posix/Makefile + (Makefile not sorted downstream) + +diff --git a/posix/Makefile b/posix/Makefile +index 562e8cb85fdb6f43..2dfd687430b205a8 100644 +--- a/posix/Makefile ++++ b/posix/Makefile +@@ -113,7 +113,8 @@ tests := test-errno tstgetopt testfnm runtests runptests \ + tst-cpuset-dynamic \ + tst-cpuset-static \ + tst-spawn6 \ +- tst-regcomp-bracket-free ++ tst-regcomp-bracket-free \ ++ tst-wordexp-reuse + + # Test for the glob symbol version that was replaced in glibc 2.27. + ifeq ($(have-GLIBC_2.26)$(build-shared),yesyes) +@@ -160,6 +161,7 @@ generated += $(addprefix wordexp-test-result, 1 2 3 4 5 6 7 8 9 10) \ + bug-glob2.mtrace bug-glob2-mem.out tst-vfork3-mem.out \ + tst-vfork3.mtrace getconf.speclist tst-fnmatch-mem.out \ + tst-fnmatch.mtrace bug-regex36.mtrace \ ++ tst-wordexp-reuse-mem.out tst-wordexp-reuse.mtrace \ + testcases.h ptestcases.h + + ifeq ($(run-built-tests),yes) +@@ -178,7 +180,8 @@ tests-special += $(objpfx)bug-regex2-mem.out $(objpfx)bug-regex14-mem.out \ + $(objpfx)tst-boost-mem.out $(objpfx)tst-getconf.out \ + $(objpfx)bug-glob2-mem.out $(objpfx)tst-vfork3-mem.out \ + $(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out \ +- $(objpfx)tst-glob-tilde-mem.out $(objpfx)bug-ga2-mem.out ++ $(objpfx)tst-glob-tilde-mem.out $(objpfx)bug-ga2-mem.out \ ++ $(objpfx)tst-wordexp-reuse.out + endif + + include ../Rules +@@ -455,3 +458,10 @@ $(objpfx)posix-conf-vars-def.h: $(..)scripts/gen-posix-conf-vars.awk \ + $(make-target-directory) + $(AWK) -f $(filter-out Makefile, $^) > $@.tmp + mv -f $@.tmp $@ ++ ++tst-wordexp-reuse-ENV += MALLOC_TRACE=$(objpfx)tst-wordexp-reuse.mtrace \ ++ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so ++ ++$(objpfx)tst-wordexp-reuse-mem.out: $(objpfx)tst-wordexp-reuse.out ++ $(common-objpfx)malloc/mtrace $(objpfx)tst-wordexp-reuse.mtrace > $@; \ ++ $(evaluate-test) +diff --git a/posix/tst-wordexp-reuse.c b/posix/tst-wordexp-reuse.c +new file mode 100644 +index 0000000000000000..3926b9f5576750ac +--- /dev/null ++++ b/posix/tst-wordexp-reuse.c +@@ -0,0 +1,89 @@ ++/* Test for wordexp with WRDE_REUSE flag. ++ Copyright (C) 2026 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++ ++#include ++ ++static int ++do_test (void) ++{ ++ mtrace (); ++ ++ { ++ wordexp_t p = { 0 }; ++ TEST_COMPARE (wordexp ("one", &p, 0), 0); ++ TEST_COMPARE (p.we_wordc, 1); ++ TEST_COMPARE_STRING (p.we_wordv[0], "one"); ++ TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE), 0); ++ TEST_COMPARE (p.we_wordc, 1); ++ TEST_COMPARE_STRING (p.we_wordv[0], "two"); ++ wordfree (&p); ++ } ++ ++ { ++ wordexp_t p = { .we_offs = 2 }; ++ TEST_COMPARE (wordexp ("one", &p, 0), 0); ++ TEST_COMPARE (p.we_wordc, 1); ++ TEST_COMPARE_STRING (p.we_wordv[0], "one"); ++ TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE | WRDE_DOOFFS), 0); ++ TEST_COMPARE (p.we_wordc, 1); ++ TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "two"); ++ wordfree (&p); ++ } ++ ++ { ++ wordexp_t p = { 0 }; ++ TEST_COMPARE (wordexp ("one", &p, 0), 0); ++ TEST_COMPARE (p.we_wordc, 1); ++ TEST_COMPARE_STRING (p.we_wordv[0], "one"); ++ TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE | WRDE_APPEND), 0); ++ TEST_COMPARE (p.we_wordc, 1); ++ TEST_COMPARE_STRING (p.we_wordv[0], "two"); ++ wordfree (&p); ++ } ++ ++ { ++ wordexp_t p = { .we_offs = 2 }; ++ TEST_COMPARE (wordexp ("one", &p, WRDE_DOOFFS), 0); ++ TEST_COMPARE (p.we_wordc, 1); ++ TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "one"); ++ TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE ++ | WRDE_DOOFFS), 0); ++ TEST_COMPARE (p.we_wordc, 1); ++ TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "two"); ++ wordfree (&p); ++ } ++ ++ { ++ wordexp_t p = { .we_offs = 2 }; ++ TEST_COMPARE (wordexp ("one", &p, WRDE_DOOFFS), 0); ++ TEST_COMPARE (p.we_wordc, 1); ++ TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "one"); ++ TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE ++ | WRDE_DOOFFS | WRDE_APPEND), 0); ++ TEST_COMPARE (p.we_wordc, 1); ++ TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "two"); ++ wordfree (&p); ++ } ++ ++ return 0; ++} ++ ++#include +diff --git a/posix/wordexp.c b/posix/wordexp.c +index 1f3b09f721bbee5c..b23608d4ee1cccd8 100644 +--- a/posix/wordexp.c ++++ b/posix/wordexp.c +@@ -2220,7 +2220,9 @@ wordexp (const char *words, wordexp_t *pwordexp, int flags) + { + /* Minimal implementation of WRDE_REUSE for now */ + wordfree (pwordexp); ++ old_word.we_wordc = 0; + old_word.we_wordv = NULL; ++ pwordexp->we_wordc = 0; + } + + if ((flags & WRDE_APPEND) == 0) diff --git a/SOURCES/glibc-RHEL-144079-2.patch b/SOURCES/glibc-RHEL-144079-2.patch new file mode 100644 index 0000000..b459da1 --- /dev/null +++ b/SOURCES/glibc-RHEL-144079-2.patch @@ -0,0 +1,29 @@ +commit bed2db02f3183e93f21d506786c5f884a1dec9e7 +Author: Florian Weimer +Date: Mon Jan 26 17:12:37 2026 +0100 + + posix: Run tst-wordexp-reuse-mem test + + The test was not properly scheduled for execution with a Makefile + dependency. + + Fixes commit 80cc58ea2de214f85b0a1d902a3b668ad2ecb302 ("posix: Reset + wordexp_t fields with WRDE_REUSE (CVE-2025-15281 / BZ 33814"). + +Conflicts: + posix/Makefile + (Makefile not sorted downstream) + +diff --git a/posix/Makefile b/posix/Makefile +index 2dfd687430b205a8..837fc26868ed74a8 100644 +--- a/posix/Makefile ++++ b/posix/Makefile +@@ -181,7 +181,7 @@ tests-special += $(objpfx)bug-regex2-mem.out $(objpfx)bug-regex14-mem.out \ + $(objpfx)bug-glob2-mem.out $(objpfx)tst-vfork3-mem.out \ + $(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out \ + $(objpfx)tst-glob-tilde-mem.out $(objpfx)bug-ga2-mem.out \ +- $(objpfx)tst-wordexp-reuse.out ++ $(objpfx)tst-wordexp-reuse-mem.out + endif + + include ../Rules diff --git a/SOURCES/glibc-RHEL-145151.patch b/SOURCES/glibc-RHEL-145151.patch new file mode 100644 index 0000000..ee16c69 --- /dev/null +++ b/SOURCES/glibc-RHEL-145151.patch @@ -0,0 +1,39 @@ +commit 6f999af332c91035350390ef8af96388b8f4fd2c +Author: Arjun Shankar +Date: Mon Aug 18 15:33:13 2025 +0200 + + support: Handle FUSE_GETXATTR during FUSE FS mount + + When testing with some kernel versions, support FUSE infrastructure + encounters a FUSE_GETXATTR request, leading to FUSE tests hanging until + timed out. Therefore, pass FUSE_GETXATTR requests from + support_fuse_handle_mountpoint to support_fuse_handle_directory, and + adjust support_fuse_handle_directory to return ENOSYS so that tests can + proceed. + + Reviewed-by: Florian Weimer + +diff --git a/support/support_fuse.c b/support/support_fuse.c +index f6c063b549e2c26c..5af2f7d8ab93a5ea 100644 +--- a/support/support_fuse.c ++++ b/support/support_fuse.c +@@ -212,6 +212,9 @@ support_fuse_handle_directory (struct support_fuse *f) + support_fuse_reply_prepared (f); + } + return true; ++ case FUSE_GETXATTR: ++ support_fuse_reply_error (f, ENOSYS); ++ return true; + default: + return false; + } +@@ -222,7 +225,8 @@ support_fuse_handle_mountpoint (struct support_fuse *f) + { + TEST_VERIFY (f->inh != NULL); + /* 1 is the root node. */ +- if (f->inh->opcode == FUSE_GETATTR && f->inh->nodeid == 1) ++ if ((f->inh->opcode == FUSE_GETATTR || f->inh->opcode == FUSE_GETXATTR) ++ && f->inh->nodeid == 1) + return support_fuse_handle_directory (f); + return false; + } diff --git a/SOURCES/patch-git-generated-commit.txt b/SOURCES/patch-git-generated-commit.txt index 6b658bb..91a6e0a 100644 --- a/SOURCES/patch-git-generated-commit.txt +++ b/SOURCES/patch-git-generated-commit.txt @@ -1,2 +1,2 @@ -816c61b8558c2c34f1f2dd3cb447f9e5bfd127b7 +56deb46380448bca50f02be99f51a5467aa24030 v1 diff --git a/SOURCES/patch-git-generated-log.txt b/SOURCES/patch-git-generated-log.txt index 51b1082..39b4a6f 100644 --- a/SOURCES/patch-git-generated-log.txt +++ b/SOURCES/patch-git-generated-log.txt @@ -1,3 +1,158 @@ +commit 56deb46380448bca50f02be99f51a5467aa24030 +Author: Florian Weimer +AuthorDate: Thu Jan 29 14:17:01 2026 +0100 +Commit: Florian Weimer +CommitDate: Thu Jan 29 14:17:01 2026 +0100 + + Handle FUSE_GETXATTR during FUSE FS mount in tests (RHEL-145151) + + Resolves: RHEL-145151 + +:000000 100644 00000000 ee16c69b A glibc-RHEL-145151.patch + +commit 0a09c16368e4e8fb2101cd6ed60618a79e479aab +Author: Florian Weimer +AuthorDate: Tue Jan 27 11:32:03 2026 +0100 +Commit: Florian Weimer +CommitDate: Tue Jan 27 11:32:03 2026 +0100 + + CVE-2025-15281: wordexp WRDE_REUSE uninitialized memory read (RHEL-144079) + + Resolves: RHEL-144079 + +:000000 100644 00000000 be5ed54a A glibc-RHEL-144079-1.patch +:000000 100644 00000000 b459da17 A glibc-RHEL-144079-2.patch + +commit 22c0310693412fd065c0411c90678a5845ab3f32 +Author: Florian Weimer +AuthorDate: Mon Jan 19 22:38:03 2026 +0100 +Commit: Florian Weimer +CommitDate: Tue Jan 20 21:50:10 2026 +0100 + + Ignore LD_PROFILE in SUID binaries (RHEL-142195) + + This is required to make the previous change effective. + + Resolves: RHEL-142195 + +:000000 100644 00000000 fa52d55f A glibc-RHEL-142194-2.patch +:000000 100644 00000000 f22de711 A glibc-RHEL-142194-3.patch + +commit d931b2849ec1e63c65177bfb9aaf8c2a7624641f +Author: Florian Weimer +AuthorDate: Mon Jan 19 09:15:30 2026 +0100 +Commit: Florian Weimer +CommitDate: Mon Jan 19 09:15:30 2026 +0100 + + Remove default /var/tmp for LD_PROFILE_OUTPUT (RHEL-142195) + + Resolves: RHEL-142195 + +:000000 100644 00000000 8f2ee5c7 A glibc-RHEL-142194.patch + +commit c0e43e2f2d5018440cec50e6cf51d5ad84c86d52 +Author: Florian Weimer +AuthorDate: Fri Jan 16 15:04:59 2026 +0100 +Commit: Florian Weimer +CommitDate: Fri Jan 16 15:04:59 2026 +0100 + + CVE-2026-0915: Stack memory disclosure in getnetbyaddr (RHEL-141851) + + Resolves: RHEL-141851 + +:000000 100644 00000000 1d3cf7f3 A glibc-RHEL-141851.patch + +commit 930b24e88d549ee514a7dcfff44ecc298fecf5eb +Author: Florian Weimer +AuthorDate: Fri Jan 16 14:57:11 2026 +0100 +Commit: Florian Weimer +CommitDate: Fri Jan 16 14:57:51 2026 +0100 + + patch-git: Avoid trailing tabs in changelog (RHEL-141921) + + The RPM Lua function print puts tabs between its arguments. + + Resolves: RHEL-141921 + +:100644 100644 c975eb75 2ae7888a M patch-git.lua + +commit 57e8ed6766ccca6decdfb5cc254624ffe78e9918 +Author: Florian Weimer +AuthorDate: Fri Jan 16 13:57:34 2026 +0100 +Commit: Florian Weimer +CommitDate: Fri Jan 16 14:27:17 2026 +0100 + + CVE-2026-0861: Check for alignment overflow in memalign functions (RHEL-141738) + + Resolves: RHEL-141738 + +:000000 100644 00000000 98fe129e A glibc-RHEL-141738.patch + +commit c0696b434e75e63edff714cd743ba757093ee7d2 +Author: Florian Weimer +AuthorDate: Thu Nov 27 16:49:34 2025 +0100 +Commit: Florian Weimer +CommitDate: Sat Dec 6 16:03:38 2025 +0100 + + patch-git: Do not require directory names in Lua patches table + + RPM 6.0.0 does not put the source directory prefix there anymore. + + Resolves: RHEL-134108 + RPM-Changelog: - + RPM-Skip-Release: yes + +:100644 100644 04cb0612 c975eb75 M patch-git.lua + +commit 93a7b9082a4dfa980df60daf8eb8fa3f1b83b159 +Author: Florian Weimer +AuthorDate: Tue Nov 11 20:16:03 2025 +0100 +Commit: Florian Weimer +CommitDate: Sat Dec 6 16:03:01 2025 +0100 + + patch-git: Support git worktree + + After “git worktree”, .git is a text file, not a directory. + + Resolves: RHEL-127593 + RPM-Changelog: - + RPM-Skip-Release: yes + +:100644 100644 f95800e1 04cb0612 M patch-git.lua + +commit 583e20a8c0b64e9e02abb1e37b625bed55035fd1 +Author: Florian Weimer +AuthorDate: Thu Oct 16 08:48:13 2025 +0200 +Commit: Florian Weimer +CommitDate: Tue Nov 11 20:09:20 2025 +0100 + + patch-git: Add auto-generated/ prefix to Source: files + + This suppresses a centpkg pre-push-check failure. + + Resolves: RHEL-126050 + +:100644 100644 04f201b8 f95800e1 M patch-git.lua + +commit bca5140d2048565256b4f2528068749ba6a9e2fc +Author: DJ Delorie +AuthorDate: Mon Oct 13 22:20:35 2025 -0400 +Commit: DJ Delorie +CommitDate: Mon Oct 13 22:20:35 2025 -0400 + + rpminspect.yaml: note that glibc-minimal-langpack is empty (RHEL-118847) + + This fixes the "continues to be empty" VERIFY from rpminspect. + + Support for this was added by: + https://github.com/rpminspect/rpminspect/issues/1518 + + Resolves: RHEL-116641 + RPM-Changelog: - + RPM-Skip-Release: yes + +:100644 100644 209d25db 214d07ba M rpminspect.yaml + commit 816c61b8558c2c34f1f2dd3cb447f9e5bfd127b7 Author: Arjun Shankar AuthorDate: Thu Oct 9 15:25:37 2025 +0200 diff --git a/SOURCES/patch-git.lua b/SOURCES/patch-git.lua index 04f201b..2ae7888 100644 --- a/SOURCES/patch-git.lua +++ b/SOURCES/patch-git.lua @@ -487,7 +487,7 @@ local function generate_files() -- True if %_sourcedir refers to a Git repository and git is installed. local have_git = (posix == nil -- Not running under rpm. or (posix.access('/usr/bin/git', 'x') - and posix.access(sourcedir .. '/.git/.', 'x'))) + and posix.access(sourcedir .. '/.git', 'r'))) local commit_marker_contents -- For git_commit_file. if have_git then commit_marker_contents = @@ -576,12 +576,18 @@ local function emit_sources() max = tointeger(k) end end + + -- The centpkg pre-push-check recognizes this prefix on Source + -- files and does not fail if these sources are neither committed + -- to the Git repository nor listed in the sources file. + local auto_generated = 'auto-generated/' + local function emit(name) max = max + 1 print('Source' .. max .. ': ' .. name .. '\n') end - emit(git_commit_file) - emit(git_log_file) + emit(auto_generated .. git_commit_file) + emit(auto_generated .. git_log_file) emit('patch-git.lua') -- This file. end @@ -1904,7 +1910,7 @@ if rpm then if patches_log ~= '' then local fp = assert(io.open(patches_log, 'w+')) for i=1,#patches do - local pname = assert(string.match(patches[i], '.*/([^/]+)$')) + local pname = assert(string.match(patches[i], '([^/]+)$')) fp:write('Patch' .. i .. ': ' .. pname .. '\n') end assert(fp:close()) @@ -1917,7 +1923,7 @@ if rpm then for j=1,#cl do -- RPM does not recursively macro-expand what we emit here, -- so do not apply %-escaping. - print(cl[j], '\n') + print(cl[j] .. '\n') end print('\n') end