From cc2a2a379faf7ee104efc35a7a35ec10fe21b86e Mon Sep 17 00:00:00 2001 From: eabdullin Date: Mon, 4 Aug 2025 20:38:25 +0000 Subject: [PATCH] import UBI glibc-2.34-168.el9_6.23 --- SOURCES/glibc-RHEL-104150.patch | 51 +++++++ SOURCES/glibc-RHEL-105328.patch | 233 ++++++++++++++++++++++++++++++++ SOURCES/glibc-RHEL-106230.patch | 34 +++++ SPECS/glibc.spec | 14 +- 4 files changed, 331 insertions(+), 1 deletion(-) create mode 100644 SOURCES/glibc-RHEL-104150.patch create mode 100644 SOURCES/glibc-RHEL-105328.patch create mode 100644 SOURCES/glibc-RHEL-106230.patch diff --git a/SOURCES/glibc-RHEL-104150.patch b/SOURCES/glibc-RHEL-104150.patch new file mode 100644 index 0000000..22c522f --- /dev/null +++ b/SOURCES/glibc-RHEL-104150.patch @@ -0,0 +1,51 @@ +commit cdcf24ee14c27b77744ff52ab3ae852821207eb0 +Author: Florian Weimer +Date: Thu Jul 17 14:44:05 2025 +0200 + + iconv: iconv -o should not create executable files (bug 33164) + + The mistake is that open must use 0666 to pick up the umask, + and not 0777 (which is required by mkdir). + + Fixes commit 8ef3cff9d1ceafe369f982d980678d749fb93bd2 + ("iconv: Support in-place conversions (bug 10460, bug 32033)"). + + Reviewed-by: H.J. Lu + +diff --git a/iconv/iconv_prog.c b/iconv/iconv_prog.c +index e3b051a309ff142b..08ea99d6adf6ea86 100644 +--- a/iconv/iconv_prog.c ++++ b/iconv/iconv_prog.c +@@ -437,7 +437,7 @@ input_error (const char *path) + static void + open_output_direct (void) + { +- output_fd = open64 (output_file, O_WRONLY | O_CREAT | O_TRUNC, 0777); ++ output_fd = open64 (output_file, O_WRONLY | O_CREAT | O_TRUNC, 0666); + if (output_fd < 0) + output_error (); + } +@@ -458,7 +458,7 @@ prepare_output_file (char **argv) + else + { + /* If iconv creates the output file, no overlap is possible. */ +- output_fd = open64 (output_file, O_WRONLY | O_CREAT | O_EXCL, 0777); ++ output_fd = open64 (output_file, O_WRONLY | O_CREAT | O_EXCL, 0666); + if (output_fd >= 0) + output_buffer_size = copy_buffer_size; + else +diff --git a/iconv/tst-iconv_prog-buffer.sh b/iconv/tst-iconv_prog-buffer.sh +index 23098ac56a344c48..562f90fe513e94d7 100644 +--- a/iconv/tst-iconv_prog-buffer.sh ++++ b/iconv/tst-iconv_prog-buffer.sh +@@ -75,6 +75,10 @@ run_iconv () { + } + + check_out_expected () { ++ if test -x "$tmp/out" ; then ++ echo "error: iconv output file is executable" ++ failure=true ++ fi + if ! cmp -s "$tmp/out" "$tmp/expected" ; then + echo "error: iconv output difference" >&$logfd + echo "*** expected ***" >&$logfd diff --git a/SOURCES/glibc-RHEL-105328.patch b/SOURCES/glibc-RHEL-105328.patch new file mode 100644 index 0000000..adc4d74 --- /dev/null +++ b/SOURCES/glibc-RHEL-105328.patch @@ -0,0 +1,233 @@ +commit 7ea06e994093fa0bcca0d0ee2c1db271d8d7885d +Author: Florian Weimer +Date: Mon Jul 21 21:43:49 2025 +0200 + + posix: Fix double-free after allocation failure in regcomp (bug 33185) + + If a memory allocation failure occurs during bracket expression + parsing in regcomp, a double-free error may result. + + Reported-by: Anastasia Belova + Co-authored-by: Paul Eggert + Reviewed-by: Andreas K. Huettel + +Conflicts: + posix/Makefile + (tests list not reformatted downstream) + +diff --git a/posix/Makefile b/posix/Makefile +index 4c32a088a73723c7..ef7a9ca31d9ee136 100644 +--- a/posix/Makefile ++++ b/posix/Makefile +@@ -111,6 +111,7 @@ tests := test-errno tstgetopt testfnm runtests runptests \ + tst-sched_getaffinity \ + tst-cpuset-dynamic \ + tst-cpuset-static \ ++ tst-regcomp-bracket-free \ + + + # Test for the glob symbol version that was replaced in glibc 2.27. +diff --git a/posix/regcomp.c b/posix/regcomp.c +index 887e5b50684e22f5..005e6459bbe8bd55 100644 +--- a/posix/regcomp.c ++++ b/posix/regcomp.c +@@ -3365,6 +3365,7 @@ parse_bracket_exp (re_string_t *regexp, re_dfa_t *dfa, re_token_t *token, + { + #ifdef RE_ENABLE_I18N + free_charset (mbcset); ++ mbcset = NULL; + #endif + /* Build a tree for simple bracket. */ + br_token.type = SIMPLE_BRACKET; +@@ -3380,7 +3381,8 @@ parse_bracket_exp (re_string_t *regexp, re_dfa_t *dfa, re_token_t *token, + parse_bracket_exp_free_return: + re_free (sbcset); + #ifdef RE_ENABLE_I18N +- free_charset (mbcset); ++ if (__glibc_likely (mbcset != NULL)) ++ free_charset (mbcset); + #endif /* RE_ENABLE_I18N */ + return NULL; + } +diff --git a/posix/tst-regcomp-bracket-free.c b/posix/tst-regcomp-bracket-free.c +new file mode 100644 +index 0000000000000000..3c091d8c44ebe56f +--- /dev/null ++++ b/posix/tst-regcomp-bracket-free.c +@@ -0,0 +1,176 @@ ++/* Test regcomp bracket parsing with injected allocation failures (bug 33185). ++ Copyright (C) 2025 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++/* This test invokes regcomp multiple times, failing one memory ++ allocation in each call. The function call should fail with ++ REG_ESPACE (or succeed if it can recover from the allocation ++ failure). Previously, there was double-free bug. */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++/* Data structure allocated via MAP_SHARED, so that writes from the ++ subprocess are visible. */ ++struct shared_data ++{ ++ /* Number of tracked allocations performed so far. */ ++ volatile unsigned int allocation_count; ++ ++ /* If this number is reached, one allocation fails. */ ++ volatile unsigned int failing_allocation; ++ ++ /* The subprocess stores the expected name here. */ ++ char name[100]; ++}; ++ ++/* Allocation count in shared mapping. */ ++static struct shared_data *shared; ++ ++/* Returns true if a failure should be injected for this allocation. */ ++static bool ++fail_this_allocation (void) ++{ ++ if (shared != NULL) ++ { ++ unsigned int count = shared->allocation_count; ++ shared->allocation_count = count + 1; ++ return count == shared->failing_allocation; ++ } ++ else ++ return false; ++} ++ ++/* Failure-injecting wrappers for allocation functions used by glibc. */ ++ ++void * ++malloc (size_t size) ++{ ++ if (fail_this_allocation ()) ++ { ++ errno = ENOMEM; ++ return NULL; ++ } ++ extern __typeof (malloc) __libc_malloc; ++ return __libc_malloc (size); ++} ++ ++void * ++calloc (size_t a, size_t b) ++{ ++ if (fail_this_allocation ()) ++ { ++ errno = ENOMEM; ++ return NULL; ++ } ++ extern __typeof (calloc) __libc_calloc; ++ return __libc_calloc (a, b); ++} ++ ++void * ++realloc (void *ptr, size_t size) ++{ ++ if (fail_this_allocation ()) ++ { ++ errno = ENOMEM; ++ return NULL; ++ } ++ extern __typeof (realloc) __libc_realloc; ++ return __libc_realloc (ptr, size); ++} ++ ++/* No-op subprocess to verify that support_isolate_in_subprocess does ++ not perform any heap allocations. */ ++static void ++no_op (void *ignored) ++{ ++} ++ ++/* Perform a regcomp call in a subprocess. Used to count its ++ allocations. */ ++static void ++initialize (void *regexp1) ++{ ++ const char *regexp = regexp1; ++ ++ shared->allocation_count = 0; ++ ++ regex_t reg; ++ TEST_COMPARE (regcomp (®, regexp, 0), 0); ++} ++ ++/* Perform regcomp in a subprocess with fault injection. */ ++static void ++test_in_subprocess (void *regexp1) ++{ ++ const char *regexp = regexp1; ++ unsigned int inject_at = shared->failing_allocation; ++ ++ regex_t reg; ++ int ret = regcomp (®, regexp, 0); ++ ++ if (ret != 0) ++ { ++ TEST_COMPARE (ret, REG_ESPACE); ++ printf ("info: allocation %u failure results in return value %d," ++ " error %s (%d)\n", ++ inject_at, ret, strerrorname_np (errno), errno); ++ } ++} ++ ++static int ++do_test (void) ++{ ++ char regexp[] = "[:alpha:]"; ++ ++ shared = support_shared_allocate (sizeof (*shared)); ++ ++ /* Disable fault injection. */ ++ shared->failing_allocation = ~0U; ++ ++ support_isolate_in_subprocess (no_op, NULL); ++ TEST_COMPARE (shared->allocation_count, 0); ++ ++ support_isolate_in_subprocess (initialize, regexp); ++ ++ /* The number of allocations in the successful case, plus some ++ slack. Once the number of expected allocations is exceeded, ++ injecting further failures does not make a difference. */ ++ unsigned int maximum_allocation_count = shared->allocation_count; ++ printf ("info: successful call performs %u allocations\n", ++ maximum_allocation_count); ++ maximum_allocation_count += 10; ++ ++ for (unsigned int inject_at = 0; inject_at <= maximum_allocation_count; ++ ++inject_at) ++ { ++ shared->allocation_count = 0; ++ shared->failing_allocation = inject_at; ++ support_isolate_in_subprocess (test_in_subprocess, regexp); ++ } ++ ++ support_shared_free (shared); ++ ++ return 0; ++} ++ ++#include diff --git a/SOURCES/glibc-RHEL-106230.patch b/SOURCES/glibc-RHEL-106230.patch new file mode 100644 index 0000000..d8232fc --- /dev/null +++ b/SOURCES/glibc-RHEL-106230.patch @@ -0,0 +1,34 @@ +commit 87afbd7a1ad9c1dd116921817fa97198171045db +Author: Sam James +Date: Mon Jul 28 21:55:30 2025 +0100 + + inet-fortified: fix namespace violation (bug 33227) + + We need to use __sz, not sz, as we do elsewhere. + + Reviewed-by: Florian Weimer + +diff --git a/inet/bits/inet-fortified.h b/inet/bits/inet-fortified.h +index 8420a4b7fb41086f..5d16b1f871c49e6f 100644 +--- a/inet/bits/inet-fortified.h ++++ b/inet/bits/inet-fortified.h +@@ -38,15 +38,15 @@ __fortify_function int + __NTH (inet_pton (int __af, const char *__restrict __src, + void * __restrict __dst)) + { +- size_t sz = 0; ++ size_t __sz = 0; + if (__af == AF_INET) +- sz = sizeof (struct in_addr); ++ __sz = sizeof (struct in_addr); + else if (__af == AF_INET6) +- sz = sizeof (struct in6_addr); ++ __sz = sizeof (struct in6_addr); + else + return __inet_pton_alias (__af, __src, __dst); + +- return __glibc_fortify (inet_pton, sz, sizeof (char), ++ return __glibc_fortify (inet_pton, __sz, sizeof (char), + __glibc_objsize (__dst), + __af, __src, __dst); + }; diff --git a/SPECS/glibc.spec b/SPECS/glibc.spec index cab827f..a3ad480 100644 --- a/SPECS/glibc.spec +++ b/SPECS/glibc.spec @@ -157,7 +157,7 @@ end \ Summary: The GNU libc libraries Name: glibc Version: %{glibcversion} -Release: 168%{?dist}.20 +Release: 168%{?dist}.23 # In general, GPLv2+ is used by programs, LGPLv2+ is used for # libraries. @@ -1181,6 +1181,9 @@ Patch873: glibc-RHEL-93877.patch Patch874: glibc-RHEL-95547-1.patch Patch875: glibc-RHEL-95547-2.patch Patch876: glibc-RHEL-95547-3.patch +Patch877: glibc-RHEL-104150.patch +Patch878: glibc-RHEL-105328.patch +Patch879: glibc-RHEL-106230.patch ############################################################################## # Continued list of core "glibc" package information: @@ -3174,6 +3177,15 @@ update_gconv_modules_cache () %endif %changelog +* Tue Jul 29 2025 Florian Weimer - 2.34-168.23 +- Fix namespace pollution in inet_ntop with fortification (RHEL-106230) + +* Thu Jul 24 2025 Florian Weimer - 2.34-168.22 +- CVE-2025-8058: Double free in regcomp (RHEL-105328) + +* Wed Jul 23 2025 Florian Weimer - 2.34-168.21 +- iconv: Do not create executable output files (RHEL-104150) + * Mon Jun 16 2025 Frédéric Bérat - 2.34-168.20 - CVE-2025-5702 glibc: Vector register overwrite bug in glibc (RHEL-95547)