From e8f76ede2b231d2e1fe694bbc632089b30c236b0 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Wed, 23 Jul 2025 09:14:49 +0200
Subject: [PATCH] iconv: Do not create executable output files (RHEL-104151)

Resolves: RHEL-104151
---
 glibc-RHEL-104151.patch | 51 +++++++++++++++++++++++++++++++++++++++++
 glibc.spec              |  6 ++++-
 2 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 glibc-RHEL-104151.patch

diff --git a/glibc-RHEL-104151.patch b/glibc-RHEL-104151.patch
new file mode 100644
index 0000000..8248df4
--- /dev/null
+++ b/glibc-RHEL-104151.patch
@@ -0,0 +1,51 @@
+commit cdcf24ee14c27b77744ff52ab3ae852821207eb0
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Thu Jul 17 14:44:05 2025 +0200
+
+    iconv: iconv -o should not create executable files (bug 33164)
+    
+    The mistake is that open must use 0666 to pick up the umask,
+    and not 0777 (which is required by mkdir).
+    
+    Fixes commit 8ef3cff9d1ceafe369f982d980678d749fb93bd2
+    ("iconv: Support in-place conversions (bug 10460, bug 32033)").
+    
+    Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
+
+diff --git a/iconv/iconv_prog.c b/iconv/iconv_prog.c
+index a2f1d34e4579f80f..30ebfa0696db1635 100644
+--- a/iconv/iconv_prog.c
++++ b/iconv/iconv_prog.c
+@@ -436,7 +436,7 @@ input_error (const char *path)
+ static void
+ open_output_direct (void)
+ {
+-  output_fd = open64 (output_file, O_WRONLY | O_CREAT | O_TRUNC, 0777);
++  output_fd = open64 (output_file, O_WRONLY | O_CREAT | O_TRUNC, 0666);
+   if (output_fd < 0)
+     output_error ();
+ }
+@@ -457,7 +457,7 @@ prepare_output_file (char **argv)
+   else
+     {
+       /* If iconv creates the output file, no overlap is possible.  */
+-      output_fd = open64 (output_file, O_WRONLY | O_CREAT | O_EXCL, 0777);
++      output_fd = open64 (output_file, O_WRONLY | O_CREAT | O_EXCL, 0666);
+       if (output_fd >= 0)
+ 	output_buffer_size = copy_buffer_size;
+       else
+diff --git a/iconv/tst-iconv_prog-buffer.sh b/iconv/tst-iconv_prog-buffer.sh
+index 23098ac56a344c48..562f90fe513e94d7 100644
+--- a/iconv/tst-iconv_prog-buffer.sh
++++ b/iconv/tst-iconv_prog-buffer.sh
+@@ -75,6 +75,10 @@ run_iconv () {
+ }
+ 
+ check_out_expected () {
++    if test -x "$tmp/out" ; then
++	echo "error: iconv output file is executable"
++	failure=true
++    fi
+     if ! cmp -s "$tmp/out" "$tmp/expected" ; then
+         echo "error: iconv output difference" >&$logfd
+         echo "*** expected ***" >&$logfd
diff --git a/glibc.spec b/glibc.spec
index 5918cea..60672d1 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -145,7 +145,7 @@ Version: %{glibcversion}
 # - It allows using the Release number without the %%dist tag in the dependency
 #   generator to make the generated requires interchangeable between Rawhide
 #   and ELN (.elnYY < .fcXX).
-%global baserelease 43
+%global baserelease 44
 Release: %{baserelease}%{?dist}
 
 # Licenses:
@@ -576,6 +576,7 @@ Patch258: glibc-upstream-2.39-211.patch
 Patch259: glibc-RHEL-82285.patch
 Patch260: glibc-RHEL-101754-1.patch
 Patch261: glibc-RHEL-101754-2.patch
+Patch262: glibc-RHEL-104151.patch
 
 ##############################################################################
 # Continued list of core "glibc" package information:
@@ -2573,6 +2574,9 @@ update_gconv_modules_cache ()
 %endif
 
 %changelog
+* Wed Jul 23 2025 Florian Weimer  <fweimer@redhat.com> - 2.39-44
+- iconv: Do not create executable output files (RHEL-104151)
+
 * Wed Jul 09 2025 Florian Weimer <fweimer@redhat.com> - 2.39-43
 - Rebuild due to SIGNSERVER-1997 (RHEL-102555)