From ca483cc5b0e3e6a595a2c103755dee4d72f14f25 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jun 04 2024 13:06:40 +0000 Subject: import glibc-2.17-326.el7_9.3 --- diff --git a/SOURCES/centos-arm32-NO_LONG_DOUBLE_MATH.patch b/SOURCES/centos-arm32-NO_LONG_DOUBLE_MATH.patch deleted file mode 100644 index 790c74a..0000000 --- a/SOURCES/centos-arm32-NO_LONG_DOUBLE_MATH.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff -Naurp a/stdio-common/printf_fp.c b/stdio-common/printf_fp.c ---- a/stdio-common/printf_fp.c 2021-02-03 16:46:26.887807279 +0000 -+++ b/stdio-common/printf_fp.c 2021-02-03 16:50:16.604469900 +0000 -@@ -151,6 +151,7 @@ static wchar_t *group_number (wchar_t *b - wchar_t thousands_sep, int ngroups) - internal_function; - -+#ifndef __NO_LONG_DOUBLE_MATH - static __always_inline int - isnanl_or_pseudo (long double in) - { -@@ -172,6 +173,7 @@ isnanl_or_pseudo (long double in) - return __isnanl (in); - #endif - } -+#endif - - - int diff --git a/SOURCES/glibc-RHEL-31803.patch b/SOURCES/glibc-RHEL-31803.patch new file mode 100644 index 0000000..0fae925 --- /dev/null +++ b/SOURCES/glibc-RHEL-31803.patch @@ -0,0 +1,208 @@ +Author: Charles Fol +Date: Thu Mar 28 12:25:38 2024 -0300 + + iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (CVE-2024-2961) + + ISO-2022-CN-EXT uses escape sequences to indicate character set changes + (as specified by RFC 1922). While the SOdesignation has the expected + bounds checks, neither SS2designation nor SS3designation have its; + allowing a write overflow of 1, 2, or 3 bytes with fixed values: + '$+I', '$+J', '$+K', '$+L', '$+M', or '$*H'. + + Checked on aarch64-linux-gnu. + + Co-authored-by: Adhemerval Zanella + Reviewed-by: Carlos O'Donell + Tested-by: Carlos O'Donell + +Conflicts: + iconvdata/Makefile + (usual tests conflict) + +diff --git a/iconvdata/Makefile b/iconvdata/Makefile +index 6f440e3f6122f56a..f8886d0f76cdac30 100644 +--- a/iconvdata/Makefile ++++ b/iconvdata/Makefile +@@ -72,7 +72,8 @@ endif + ifeq (yes,$(build-shared)) + tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \ + tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \ +- bug-iconv10 bug-iconv11 bug-iconv12 bug-iconv13 ++ bug-iconv10 bug-iconv11 bug-iconv12 bug-iconv13 \ ++ tst-iconv-iso-2022-cn-ext + ifeq ($(have-thread-library),yes) + tests += bug-iconv3 + endif +@@ -306,6 +307,8 @@ $(objpfx)tst-iconv4.out: $(objpfx)gconv-modules \ + $(addprefix $(objpfx),$(modules.so)) + $(objpfx)tst-iconv7.out: $(objpfx)gconv-modules \ + $(addprefix $(objpfx),$(modules.so)) ++$(objpfx)tst-iconv-iso-2022-cn-ext.out: $(addprefix $(objpfx), $(gconv-modules)) \ ++ $(addprefix $(objpfx),$(modules.so)) + + $(objpfx)iconv-test.out: run-iconv-test.sh $(objpfx)gconv-modules \ + $(addprefix $(objpfx),$(modules.so)) \ +diff --git a/iconvdata/iso-2022-cn-ext.c b/iconvdata/iso-2022-cn-ext.c +index c86d8616d417f21b..661a55f1785c2bea 100644 +--- a/iconvdata/iso-2022-cn-ext.c ++++ b/iconvdata/iso-2022-cn-ext.c +@@ -564,6 +564,12 @@ enum + { \ + const char *escseq; \ + \ ++ if (outptr + 4 > outend) \ ++ { \ ++ result = __GCONV_FULL_OUTPUT; \ ++ break; \ ++ } \ ++ \ + assert (used == CNS11643_2_set); /* XXX */ \ + escseq = "*H"; \ + *outptr++ = ESC; \ +@@ -577,6 +583,12 @@ enum + { \ + const char *escseq; \ + \ ++ if (outptr + 4 > outend) \ ++ { \ ++ result = __GCONV_FULL_OUTPUT; \ ++ break; \ ++ } \ ++ \ + assert ((used >> 5) >= 3 && (used >> 5) <= 7); \ + escseq = "+I+J+K+L+M" + ((used >> 5) - 3) * 2; \ + *outptr++ = ESC; \ +diff --git a/iconvdata/tst-iconv-iso-2022-cn-ext.c b/iconvdata/tst-iconv-iso-2022-cn-ext.c +new file mode 100644 +index 0000000000000000..96a8765fd5369681 +--- /dev/null ++++ b/iconvdata/tst-iconv-iso-2022-cn-ext.c +@@ -0,0 +1,128 @@ ++/* Verify ISO-2022-CN-EXT does not write out of the bounds. ++ Copyright (C) 2024 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++ ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++/* The test sets up a two memory page buffer with the second page marked ++ PROT_NONE to trigger a fault if the conversion writes beyond the exact ++ expected amount. Then we carry out various conversions and precisely ++ place the start of the output buffer in order to trigger a SIGSEGV if the ++ process writes anywhere between 1 and page sized bytes more (only one ++ PROT_NONE page is setup as a canary) than expected. These tests exercise ++ all three of the cases in ISO-2022-CN-EXT where the converter must switch ++ character sets and may run out of buffer space while doing the ++ operation. */ ++ ++static int ++do_test (void) ++{ ++ iconv_t cd = iconv_open ("ISO-2022-CN-EXT", "UTF-8"); ++ TEST_VERIFY_EXIT (cd != (iconv_t) -1); ++ ++ char *ntf; ++ size_t ntfsize; ++ char *outbufbase; ++ { ++ int pgz = getpagesize (); ++ TEST_VERIFY_EXIT (pgz > 0); ++ ntfsize = 2 * pgz; ++ ++ ntf = xmmap (NULL, ntfsize, PROT_READ | PROT_WRITE, MAP_PRIVATE ++ | MAP_ANONYMOUS, -1); ++ xmprotect (ntf + pgz, pgz, PROT_NONE); ++ ++ outbufbase = ntf + pgz; ++ } ++ ++ /* Check if SOdesignation escape sequence does not trigger an OOB write. */ ++ { ++ char inbuf[] = "\xe4\xba\xa4\xe6\x8d\xa2"; ++ ++ for (int i = 0; i < 9; i++) ++ { ++ char *inp = inbuf; ++ size_t inleft = sizeof (inbuf) - 1; ++ ++ char *outp = outbufbase - i; ++ size_t outleft = i; ++ ++ TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft) ++ == (size_t) -1); ++ TEST_COMPARE (errno, E2BIG); ++ ++ TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0); ++ } ++ } ++ ++ /* Same as before for SS2designation. */ ++ { ++ char inbuf[] = "㴽 \xe3\xb4\xbd"; ++ ++ for (int i = 0; i < 14; i++) ++ { ++ char *inp = inbuf; ++ size_t inleft = sizeof (inbuf) - 1; ++ ++ char *outp = outbufbase - i; ++ size_t outleft = i; ++ ++ TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft) ++ == (size_t) -1); ++ TEST_COMPARE (errno, E2BIG); ++ ++ TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0); ++ } ++ } ++ ++ /* Same as before for SS3designation. */ ++ { ++ char inbuf[] = "劄 \xe5\x8a\x84"; ++ ++ for (int i = 0; i < 14; i++) ++ { ++ char *inp = inbuf; ++ size_t inleft = sizeof (inbuf) - 1; ++ ++ char *outp = outbufbase - i; ++ size_t outleft = i; ++ ++ TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft) ++ == (size_t) -1); ++ TEST_COMPARE (errno, E2BIG); ++ ++ TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0); ++ } ++ } ++ ++ TEST_VERIFY_EXIT (iconv_close (cd) != -1); ++ ++ xmunmap (ntf, ntfsize); ++ ++ return 0; ++} ++ ++#include diff --git a/SOURCES/glibc-RHEL-34263-1.patch b/SOURCES/glibc-RHEL-34263-1.patch new file mode 100644 index 0000000..fb05298 --- /dev/null +++ b/SOURCES/glibc-RHEL-34263-1.patch @@ -0,0 +1,25 @@ +commit 83e43bf0b756065dc640680d90fa6f0b39425182 +Author: Allan McRae +Date: Mon Sep 9 20:23:35 2013 +1000 + + Fix nesting of ifdefs in netgroupcache.c + + Fixes unclosed '{' if HAVE_SENDFILE is defined (BZ #15895). + +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c +index 5262d5e53ae7ce74..4fce79283a9badb3 100644 +--- a/nscd/netgroupcache.c ++++ b/nscd/netgroupcache.c +@@ -619,10 +619,10 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + # endif + } + else ++#endif + { +-# ifndef __ASSUME_SENDFILE ++#if defined HAVE_SENDFILE && !defined __ASSUME_SENDFILE + use_write: +-# endif + #endif + writeall (fd, &dataset->resp, sizeof (innetgroup_response_header)); + } diff --git a/SOURCES/glibc-RHEL-34263-10.patch b/SOURCES/glibc-RHEL-34263-10.patch new file mode 100644 index 0000000..ea39676 --- /dev/null +++ b/SOURCES/glibc-RHEL-34263-10.patch @@ -0,0 +1,30 @@ +commit 4bbca1a44691a6e9adcee5c6798a707b626bc331 +Author: Florian Weimer +Date: Thu May 2 17:06:19 2024 +0200 + + nscd: Use time_t for return type of addgetnetgrentX + + Using int may give false results for future dates (timeouts after the + year 2028). + + Fixes commit 04a21e050d64a1193a6daab872bca2528bda44b ("CVE-2024-33601, + CVE-2024-33602: nscd: netgroup: Use two buffers in addgetnetgrentX + (bug 31680)"). + + Reviewed-by: Carlos O'Donell + +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c +index 7f78d21065ec832c..e5fa919c419c52d2 100644 +--- a/nscd/netgroupcache.c ++++ b/nscd/netgroupcache.c +@@ -681,8 +681,8 @@ readdinnetgr (struct database_dyn *db, struct hashentry *he, + .key_len = he->len + }; + +- int timeout = addinnetgrX (db, -1, &req, db->data + he->key, he->owner, +- he, dh); ++ time_t timeout = addinnetgrX (db, -1, &req, db->data + he->key, he->owner, ++ he, dh); + if (timeout < 0) + timeout = 0; + return timeout; diff --git a/SOURCES/glibc-RHEL-34263-2.patch b/SOURCES/glibc-RHEL-34263-2.patch new file mode 100644 index 0000000..b67b9c5 --- /dev/null +++ b/SOURCES/glibc-RHEL-34263-2.patch @@ -0,0 +1,134 @@ +Partial backport of the sendfile removal. This backport only +updates nscd/netgroupcache.c, to avoid future conflicts. + +commit 8c78faa9ef5c6cae455739f162e4b9d690e32eca +Author: Adhemerval Zanella +Date: Wed May 16 10:51:15 2018 -0300 + + Fix concurrent changes on nscd aware files (BZ #23178) + + As indicated by BZ#23178, concurrent access on some files read by nscd + may result non expected data send through service requisition. This is + due 'sendfile' Linux implementation where for sockets with zero-copy + support, callers must ensure the transferred portions of the the file + reffered by input file descriptor remain unmodified until the reader + on the other end of socket has consumed the transferred data. + + I could not find any explicit documentation stating this behaviour on + Linux kernel documentation. However man-pages sendfile entry [1] states + in NOTES the aforementioned remark. It was initially pushed on man-pages + with an explicit testcase [2] that shows changing the file used in + 'sendfile' call prior the socket input data consumption results in + previous data being lost. + + From commit message it stated on tested Linux version (3.15) only TCP + socket showed this issues, however on recent kernels (4.4) I noticed the + same behaviour for local sockets as well. + + Since sendfile on HURD is a read/write operation and the underlying + issue on Linux, the straightforward fix is just remove sendfile use + altogether. I am really skeptical it is hitting some hotstop (there + are indication over internet that sendfile is helpfull only for large + files, more than 10kb) here to justify that extra code complexity or + to pursuit other possible fix (through memory or file locks for + instance, which I am not sure it is doable). + + Checked on x86_64-linux-gnu. + + [BZ #23178] + * nscd/nscd-client.h (sendfileall): Remove prototype. + * nscd/connections.c [HAVE_SENDFILE] (sendfileall): Remove function. + (handle_request): Use writeall instead of sendfileall. + * nscd/aicache.c (addhstaiX): Likewise. + * nscd/grpcache.c (cache_addgr): Likewise. + * nscd/hstcache.c (cache_addhst): Likewise. + * nscd/initgrcache.c (addinitgroupsX): Likewise. + * nscd/netgroupcache.c (addgetnetgrentX, addinnetgrX): Likewise. + * nscd/pwdcache.c (cache_addpw): Likewise. + * nscd/servicescache.c (cache_addserv): Likewise. + * sysdeps/unix/sysv/linux/Makefile [$(subdir) == nscd] + (sysdep-CFLAGS): Remove -DHAVE_SENDFILE. + * sysdeps/unix/sysv/linux/kernel-features.h (__ASSUME_SENDFILE): + Remove define. + + [1] http://man7.org/linux/man-pages/man2/sendfile.2.html + [2] https://github.com/mkerrisk/man-pages/commit/7b6a3299776b5c1c4f169a591434a855d50c68b4#diff-efd6af3a70f0f07c578e85b51e83b3c3 + +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c +index 4fce79283a9badb3..7ee0c284ed58d1e3 100644 +--- a/nscd/netgroupcache.c ++++ b/nscd/netgroupcache.c +@@ -415,33 +415,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + since while inserting this thread might block and so would + unnecessarily let the receiver wait. */ + writeout: +-#ifdef HAVE_SENDFILE +- if (__builtin_expect (db->mmap_used, 1) && cacheable) +- { +- assert (db->wr_fd != -1); +- assert ((char *) &dataset->resp > (char *) db->data); +- assert ((char *) dataset - (char *) db->head + total +- <= (sizeof (struct database_pers_head) +- + db->head->module * sizeof (ref_t) +- + db->head->data_size)); +-# ifndef __ASSUME_SENDFILE +- ssize_t written = +-# endif +- sendfileall (fd, db->wr_fd, (char *) &dataset->resp +- - (char *) db->head, dataset->head.recsize); +-# ifndef __ASSUME_SENDFILE +- if (written == -1 && errno == ENOSYS) +- goto use_write; +-# endif +- } +- else +-#endif +- { +-#if defined HAVE_SENDFILE && !defined __ASSUME_SENDFILE +- use_write: +-#endif +- writeall (fd, &dataset->resp, dataset->head.recsize); +- } ++ writeall (fd, &dataset->resp, dataset->head.recsize); + } + + if (cacheable) +@@ -596,36 +570,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + /* We write the dataset before inserting it to the database + since while inserting this thread might block and so would + unnecessarily let the receiver wait. */ +- assert (fd != -1); ++ assert (fd != -1); + +-#ifdef HAVE_SENDFILE +- if (__builtin_expect (db->mmap_used, 1) && cacheable) +- { +- assert (db->wr_fd != -1); +- assert ((char *) &dataset->resp > (char *) db->data); +- assert ((char *) dataset - (char *) db->head + sizeof (*dataset) +- <= (sizeof (struct database_pers_head) +- + db->head->module * sizeof (ref_t) +- + db->head->data_size)); +-# ifndef __ASSUME_SENDFILE +- ssize_t written = +-# endif +- sendfileall (fd, db->wr_fd, +- (char *) &dataset->resp - (char *) db->head, +- sizeof (innetgroup_response_header)); +-# ifndef __ASSUME_SENDFILE +- if (written == -1 && errno == ENOSYS) +- goto use_write; +-# endif +- } +- else +-#endif +- { +-#if defined HAVE_SENDFILE && !defined __ASSUME_SENDFILE +- use_write: +-#endif +- writeall (fd, &dataset->resp, sizeof (innetgroup_response_header)); +- } ++ writeall (fd, &dataset->resp, sizeof (innetgroup_response_header)); + } + + if (cacheable) diff --git a/SOURCES/glibc-RHEL-34263-3.patch b/SOURCES/glibc-RHEL-34263-3.patch new file mode 100644 index 0000000..008e1d4 --- /dev/null +++ b/SOURCES/glibc-RHEL-34263-3.patch @@ -0,0 +1,61 @@ +Partial backport of the following commit, restricted to the +netgroup changes: + +commit c6dfed243e0310bc3294c0fdf1816fceab024e9b +Author: Roland McGrath +Date: Wed Oct 22 13:17:20 2014 -0700 + + Rework some nscd code not to use variable-length struct types. + +diff --git a/inet/netgroup.h b/inet/netgroup.h +index f3797a698d126157..fa1732762e32c2c0 100644 +--- a/inet/netgroup.h ++++ b/inet/netgroup.h +@@ -26,7 +26,7 @@ + struct name_list + { + struct name_list *next; +- char name[0]; ++ char name[]; + }; + + +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c +index 7ee0c284ed58d1e3..7d7269a8edf1b99d 100644 +--- a/nscd/netgroupcache.c ++++ b/nscd/netgroupcache.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -136,11 +137,8 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + char *buffer = NULL; + size_t nentries = 0; + size_t group_len = strlen (key) + 1; +- union +- { +- struct name_list elem; +- char mem[sizeof (struct name_list) + group_len]; +- } first_needed; ++ struct name_list *first_needed ++ = alloca (sizeof (struct name_list) + group_len); + + if (netgroup_database == NULL + && __nss_database_lookup ("netgroup", NULL, NULL, &netgroup_database)) +@@ -153,9 +151,9 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + + memset (&data, '\0', sizeof (data)); + buffer = xmalloc (buflen); +- first_needed.elem.next = &first_needed.elem; +- memcpy (first_needed.elem.name, key, group_len); +- data.needed_groups = &first_needed.elem; ++ first_needed->next = first_needed; ++ memcpy (first_needed->name, key, group_len); ++ data.needed_groups = first_needed; + + while (data.needed_groups != NULL) + { diff --git a/SOURCES/glibc-RHEL-34263-4.patch b/SOURCES/glibc-RHEL-34263-4.patch new file mode 100644 index 0000000..1c2c697 --- /dev/null +++ b/SOURCES/glibc-RHEL-34263-4.patch @@ -0,0 +1,133 @@ +commit 745664bd798ec8fd50438605948eea594179fba1 +Author: Florian Weimer +Date: Tue Aug 28 13:19:27 2018 +0200 + + nscd: Fix use-after-free in addgetnetgrentX [BZ #23520] + + addinnetgrX may use the heap-allocated buffer, so free the buffer + in this function. + +Conflicts: + nscd/netgroupcache.c + (different backport order) + +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c +index 7d7269a8edf1b99d..d234eb5ac48c73f2 100644 +--- a/nscd/netgroupcache.c ++++ b/nscd/netgroupcache.c +@@ -113,7 +113,8 @@ do_notfound (struct database_dyn *db, int fd, request_header *req, + static time_t + addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + const char *key, uid_t uid, struct hashentry *he, +- struct datahead *dh, struct dataset **resultp) ++ struct datahead *dh, struct dataset **resultp, ++ void **tofreep) + { + if (__builtin_expect (debug_level > 0, 0)) + { +@@ -139,6 +140,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + size_t group_len = strlen (key) + 1; + struct name_list *first_needed + = alloca (sizeof (struct name_list) + group_len); ++ *tofreep = NULL; + + if (netgroup_database == NULL + && __nss_database_lookup ("netgroup", NULL, NULL, &netgroup_database)) +@@ -151,6 +153,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + + memset (&data, '\0', sizeof (data)); + buffer = xmalloc (buflen); ++ *tofreep = buffer; + first_needed->next = first_needed; + memcpy (first_needed->name, key, group_len); + data.needed_groups = first_needed; +@@ -439,8 +442,6 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + } + + out: +- free (buffer); +- + *resultp = dataset; + + return timeout; +@@ -477,8 +478,12 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + group, group_len, + db, uid); + time_t timeout; ++ void *tofree; + if (result != NULL) +- timeout = result->head.timeout; ++ { ++ timeout = result->head.timeout; ++ tofree = NULL; ++ } + else + { + request_header req_get = +@@ -487,7 +492,7 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + .key_len = group_len + }; + timeout = addgetnetgrentX (db, -1, &req_get, group, uid, NULL, NULL, +- &result); ++ &result, &tofree); + } + + struct indataset +@@ -559,8 +564,8 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + dh->ttl = dataset->head.ttl; + ++dh->nreloads; + if (cacheable) +- pthread_rwlock_unlock (&db->lock); +- return timeout; ++ pthread_rwlock_unlock (&db->lock); ++ goto out; + } + + if (he == NULL) +@@ -596,17 +601,30 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + dh->usable = false; + } + ++ out: ++ free (tofree); + return timeout; + } + + ++static time_t ++addgetnetgrentX_ignore (struct database_dyn *db, int fd, request_header *req, ++ const char *key, uid_t uid, struct hashentry *he, ++ struct datahead *dh) ++{ ++ struct dataset *ignore; ++ void *tofree; ++ time_t timeout = addgetnetgrentX (db, fd, req, key, uid, he, dh, ++ &ignore, &tofree); ++ free (tofree); ++ return timeout; ++} ++ + void + addgetnetgrent (struct database_dyn *db, int fd, request_header *req, + void *key, uid_t uid) + { +- struct dataset *ignore; +- +- addgetnetgrentX (db, fd, req, key, uid, NULL, NULL, &ignore); ++ addgetnetgrentX_ignore (db, fd, req, key, uid, NULL, NULL); + } + + +@@ -619,10 +637,8 @@ readdgetnetgrent (struct database_dyn *db, struct hashentry *he, + .type = GETNETGRENT, + .key_len = he->len + }; +- struct dataset *ignore; +- +- return addgetnetgrentX (db, -1, &req, db->data + he->key, he->owner, he, dh, +- &ignore); ++ return addgetnetgrentX_ignore ++ (db, -1, &req, db->data + he->key, he->owner, he, dh); + } + + diff --git a/SOURCES/glibc-RHEL-34263-5.patch b/SOURCES/glibc-RHEL-34263-5.patch new file mode 100644 index 0000000..a8a09cc --- /dev/null +++ b/SOURCES/glibc-RHEL-34263-5.patch @@ -0,0 +1,39 @@ +commit dca565886b5e8bd7966e15f0ca42ee5cff686673 +Author: DJ Delorie +Date: Thu Feb 25 16:08:21 2021 -0500 + + nscd: Fix double free in netgroupcache [BZ #27462] + + In commit 745664bd798ec8fd50438605948eea594179fba1 a use-after-free + was fixed, but this led to an occasional double-free. This patch + tracks the "live" allocation better. + + Tested manually by a third party. + + Related: RHBZ 1927877 + + Reviewed-by: Siddhesh Poyarekar + Reviewed-by: Carlos O'Donell + +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c +index d234eb5ac48c73f2..e388ff91fea46e0c 100644 +--- a/nscd/netgroupcache.c ++++ b/nscd/netgroupcache.c +@@ -248,7 +248,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + : NULL); + ndomain = (ndomain ? newbuf + ndomaindiff + : NULL); +- buffer = newbuf; ++ *tofreep = buffer = newbuf; + } + + nhost = memcpy (buffer + bufused, +@@ -319,7 +319,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE) + { + buflen *= 2; +- buffer = xrealloc (buffer, buflen); ++ *tofreep = buffer = xrealloc (buffer, buflen); + } + else if (status == NSS_STATUS_RETURN + || status == NSS_STATUS_NOTFOUND diff --git a/SOURCES/glibc-RHEL-34263-6.patch b/SOURCES/glibc-RHEL-34263-6.patch new file mode 100644 index 0000000..da06f18 --- /dev/null +++ b/SOURCES/glibc-RHEL-34263-6.patch @@ -0,0 +1,31 @@ +commit 87801a8fd06db1d654eea3e4f7626ff476a9bdaa +Author: Florian Weimer +Date: Thu Apr 25 15:00:45 2024 +0200 + + CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache (bug 31677) + + Using alloca matches what other caches do. The request length is + bounded by MAXKEYLEN. + + Reviewed-by: Carlos O'Donell + +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c +index e388ff91fea46e0c..0a9d864109cdd8cd 100644 +--- a/nscd/netgroupcache.c ++++ b/nscd/netgroupcache.c +@@ -503,12 +503,13 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + = (struct indataset *) mempool_alloc (db, + sizeof (*dataset) + req->key_len, + 1); +- struct indataset dataset_mem; + bool cacheable = true; + if (__builtin_expect (dataset == NULL, 0)) + { + cacheable = false; +- dataset = &dataset_mem; ++ /* The alloca is safe because nscd_run_worker verfies that ++ key_len is not larger than MAXKEYLEN. */ ++ dataset = alloca (sizeof (*dataset) + req->key_len); + } + + datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len, diff --git a/SOURCES/glibc-RHEL-34263-7.patch b/SOURCES/glibc-RHEL-34263-7.patch new file mode 100644 index 0000000..67cd72d --- /dev/null +++ b/SOURCES/glibc-RHEL-34263-7.patch @@ -0,0 +1,52 @@ +commit 7835b00dbce53c3c87bbbb1754a95fb5e58187aa +Author: Florian Weimer +Date: Thu Apr 25 15:01:07 2024 +0200 + + CVE-2024-33600: nscd: Do not send missing not-found response in addgetnetgrentX (bug 31678) + + If we failed to add a not-found response to the cache, the dataset + point can be null, resulting in a null pointer dereference. + + Reviewed-by: Siddhesh Poyarekar + +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c +index 0a9d864109cdd8cd..d53c473c3e5139b8 100644 +--- a/nscd/netgroupcache.c ++++ b/nscd/netgroupcache.c +@@ -148,7 +148,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + /* No such service. */ + cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout, + &key_copy); +- goto writeout; ++ goto maybe_cache_add; + } + + memset (&data, '\0', sizeof (data)); +@@ -349,7 +349,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + { + cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout, + &key_copy); +- goto writeout; ++ goto maybe_cache_add; + } + + total = buffilled; +@@ -411,14 +411,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + } + + if (he == NULL && fd != -1) +- { +- /* We write the dataset before inserting it to the database +- since while inserting this thread might block and so would +- unnecessarily let the receiver wait. */ +- writeout: ++ /* We write the dataset before inserting it to the database since ++ while inserting this thread might block and so would ++ unnecessarily let the receiver wait. */ + writeall (fd, &dataset->resp, dataset->head.recsize); +- } + ++ maybe_cache_add: + if (cacheable) + { + /* If necessary, we also propagate the data to disk. */ diff --git a/SOURCES/glibc-RHEL-34263-8.patch b/SOURCES/glibc-RHEL-34263-8.patch new file mode 100644 index 0000000..d123328 --- /dev/null +++ b/SOURCES/glibc-RHEL-34263-8.patch @@ -0,0 +1,53 @@ +commit b048a482f088e53144d26a61c390bed0210f49f2 +Author: Florian Weimer +Date: Thu Apr 25 15:01:07 2024 +0200 + + CVE-2024-33600: nscd: Avoid null pointer crashes after notfound response (bug 31678) + + The addgetnetgrentX call in addinnetgrX may have failed to produce + a result, so the result variable in addinnetgrX can be NULL. + Use db->negtimeout as the fallback value if there is no result data; + the timeout is also overwritten below. + + Also avoid sending a second not-found response. (The client + disconnects after receiving the first response, so the data stream did + not go out of sync even without this fix.) It is still beneficial to + add the negative response to the mapping, so that the client can get + it from there in the future, instead of going through the socket. + + Reviewed-by: Siddhesh Poyarekar + +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c +index d53c473c3e5139b8..07f23a75d76e652c 100644 +--- a/nscd/netgroupcache.c ++++ b/nscd/netgroupcache.c +@@ -512,14 +512,15 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + + datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len, + sizeof (innetgroup_response_header), +- he == NULL ? 0 : dh->nreloads + 1, result->head.ttl); ++ he == NULL ? 0 : dh->nreloads + 1, ++ result == NULL ? db->negtimeout : result->head.ttl); + /* Set the notfound status and timeout based on the result from + getnetgrent. */ +- dataset->head.notfound = result->head.notfound; ++ dataset->head.notfound = result == NULL || result->head.notfound; + dataset->head.timeout = timeout; + + dataset->resp.version = NSCD_VERSION; +- dataset->resp.found = result->resp.found; ++ dataset->resp.found = result != NULL && result->resp.found; + /* Until we find a matching entry the result is 0. */ + dataset->resp.result = 0; + +@@ -567,7 +568,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + goto out; + } + +- if (he == NULL) ++ /* addgetnetgrentX may have already sent a notfound response. Do ++ not send another one. */ ++ if (he == NULL && dataset->resp.found) + { + /* We write the dataset before inserting it to the database + since while inserting this thread might block and so would diff --git a/SOURCES/glibc-RHEL-34263-9.patch b/SOURCES/glibc-RHEL-34263-9.patch new file mode 100644 index 0000000..4ce9a1f --- /dev/null +++ b/SOURCES/glibc-RHEL-34263-9.patch @@ -0,0 +1,383 @@ +commit c04a21e050d64a1193a6daab872bca2528bda44b +Author: Florian Weimer +Date: Thu Apr 25 15:01:07 2024 +0200 + + CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two buffers in addgetnetgrentX (bug 31680) + + This avoids potential memory corruption when the underlying NSS + callback function does not use the buffer space to store all strings + (e.g., for constant strings). + + Instead of custom buffer management, two scratch buffers are used. + This increases stack usage somewhat. + + Scratch buffer allocation failure is handled by return -1 + (an invalid timeout value) instead of terminating the process. + This fixes bug 31679. + + Reviewed-by: Siddhesh Poyarekar + +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c +index 07f23a75d76e652c..7f78d21065ec832c 100644 +--- a/nscd/netgroupcache.c ++++ b/nscd/netgroupcache.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + + #include "../inet/netgroup.h" + #include "nscd.h" +@@ -66,6 +67,16 @@ struct dataset + char strdata[0]; + }; + ++/* Send a notfound response to FD. Always returns -1 to indicate an ++ ephemeral error. */ ++static time_t ++send_notfound (int fd) ++{ ++ if (fd != -1) ++ TEMP_FAILURE_RETRY (send (fd, ¬found, sizeof (notfound), MSG_NOSIGNAL)); ++ return -1; ++} ++ + /* Sends a notfound message and prepares a notfound dataset to write to the + cache. Returns true if there was enough memory to allocate the dataset and + returns the dataset in DATASETP, total bytes to write in TOTALP and the +@@ -84,8 +95,7 @@ do_notfound (struct database_dyn *db, int fd, request_header *req, + total = sizeof (notfound); + timeout = time (NULL) + db->negtimeout; + +- if (fd != -1) +- TEMP_FAILURE_RETRY (send (fd, ¬found, total, MSG_NOSIGNAL)); ++ send_notfound (fd); + + dataset = mempool_alloc (db, sizeof (struct dataset) + req->key_len, 1); + /* If we cannot permanently store the result, so be it. */ +@@ -110,11 +120,78 @@ do_notfound (struct database_dyn *db, int fd, request_header *req, + return cacheable; + } + ++struct addgetnetgrentX_scratch ++{ ++ /* This is the result that the caller should use. It can be NULL, ++ point into buffer, or it can be in the cache. */ ++ struct dataset *dataset; ++ ++ struct scratch_buffer buffer; ++ ++ /* Used internally in addgetnetgrentX as a staging area. */ ++ struct scratch_buffer tmp; ++ ++ /* Number of bytes in buffer that are actually used. */ ++ size_t buffer_used; ++}; ++ ++static void ++addgetnetgrentX_scratch_init (struct addgetnetgrentX_scratch *scratch) ++{ ++ scratch->dataset = NULL; ++ scratch_buffer_init (&scratch->buffer); ++ scratch_buffer_init (&scratch->tmp); ++ ++ /* Reserve space for the header. */ ++ scratch->buffer_used = sizeof (struct dataset); ++ static_assert (sizeof (struct dataset) < sizeof (scratch->tmp.__space), ++ "initial buffer space"); ++ memset (scratch->tmp.data, 0, sizeof (struct dataset)); ++} ++ ++static void ++addgetnetgrentX_scratch_free (struct addgetnetgrentX_scratch *scratch) ++{ ++ scratch_buffer_free (&scratch->buffer); ++ scratch_buffer_free (&scratch->tmp); ++} ++ ++/* Copy LENGTH bytes from S into SCRATCH. Returns NULL if SCRATCH ++ could not be resized, otherwise a pointer to the copy. */ ++static char * ++addgetnetgrentX_append_n (struct addgetnetgrentX_scratch *scratch, ++ const char *s, size_t length) ++{ ++ while (true) ++ { ++ size_t remaining = scratch->buffer.length - scratch->buffer_used; ++ if (remaining >= length) ++ break; ++ if (!scratch_buffer_grow_preserve (&scratch->buffer)) ++ return NULL; ++ } ++ char *copy = scratch->buffer.data + scratch->buffer_used; ++ memcpy (copy, s, length); ++ scratch->buffer_used += length; ++ return copy; ++} ++ ++/* Copy S into SCRATCH, including its null terminator. Returns false ++ if SCRATCH could not be resized. */ ++static bool ++addgetnetgrentX_append (struct addgetnetgrentX_scratch *scratch, const char *s) ++{ ++ if (s == NULL) ++ s = ""; ++ return addgetnetgrentX_append_n (scratch, s, strlen (s) + 1) != NULL; ++} ++ ++/* Caller must initialize and free *SCRATCH. If the return value is ++ negative, this function has sent a notfound response. */ + static time_t + addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + const char *key, uid_t uid, struct hashentry *he, +- struct datahead *dh, struct dataset **resultp, +- void **tofreep) ++ struct datahead *dh, struct addgetnetgrentX_scratch *scratch) + { + if (__builtin_expect (debug_level > 0, 0)) + { +@@ -133,14 +210,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + + char *key_copy = NULL; + struct __netgrent data; +- size_t buflen = MAX (1024, sizeof (*dataset) + req->key_len); +- size_t buffilled = sizeof (*dataset); +- char *buffer = NULL; + size_t nentries = 0; + size_t group_len = strlen (key) + 1; + struct name_list *first_needed + = alloca (sizeof (struct name_list) + group_len); +- *tofreep = NULL; + + if (netgroup_database == NULL + && __nss_database_lookup ("netgroup", NULL, NULL, &netgroup_database)) +@@ -152,8 +225,6 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + } + + memset (&data, '\0', sizeof (data)); +- buffer = xmalloc (buflen); +- *tofreep = buffer; + first_needed->next = first_needed; + memcpy (first_needed->name, key, group_len); + data.needed_groups = first_needed; +@@ -196,8 +267,8 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + while (1) + { + int e; +- status = getfct.f (&data, buffer + buffilled, +- buflen - buffilled - req->key_len, &e); ++ status = getfct.f (&data, scratch->tmp.data, ++ scratch->tmp.length, &e); + if (status == NSS_STATUS_SUCCESS) + { + if (data.type == triple_val) +@@ -205,68 +276,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + const char *nhost = data.val.triple.host; + const char *nuser = data.val.triple.user; + const char *ndomain = data.val.triple.domain; +- +- size_t hostlen = strlen (nhost ?: "") + 1; +- size_t userlen = strlen (nuser ?: "") + 1; +- size_t domainlen = strlen (ndomain ?: "") + 1; +- +- if (nhost == NULL || nuser == NULL || ndomain == NULL +- || nhost > nuser || nuser > ndomain) +- { +- const char *last = nhost; +- if (last == NULL +- || (nuser != NULL && nuser > last)) +- last = nuser; +- if (last == NULL +- || (ndomain != NULL && ndomain > last)) +- last = ndomain; +- +- size_t bufused +- = (last == NULL +- ? buffilled +- : last + strlen (last) + 1 - buffer); +- +- /* We have to make temporary copies. */ +- size_t needed = hostlen + userlen + domainlen; +- +- if (buflen - req->key_len - bufused < needed) +- { +- buflen += MAX (buflen, 2 * needed); +- /* Save offset in the old buffer. We don't +- bother with the NULL check here since +- we'll do that later anyway. */ +- size_t nhostdiff = nhost - buffer; +- size_t nuserdiff = nuser - buffer; +- size_t ndomaindiff = ndomain - buffer; +- +- char *newbuf = xrealloc (buffer, buflen); +- /* Fix up the triplet pointers into the new +- buffer. */ +- nhost = (nhost ? newbuf + nhostdiff +- : NULL); +- nuser = (nuser ? newbuf + nuserdiff +- : NULL); +- ndomain = (ndomain ? newbuf + ndomaindiff +- : NULL); +- *tofreep = buffer = newbuf; +- } +- +- nhost = memcpy (buffer + bufused, +- nhost ?: "", hostlen); +- nuser = memcpy ((char *) nhost + hostlen, +- nuser ?: "", userlen); +- ndomain = memcpy ((char *) nuser + userlen, +- ndomain ?: "", domainlen); +- } +- +- char *wp = buffer + buffilled; +- wp = memmove (wp, nhost ?: "", hostlen); +- wp += hostlen; +- wp = memmove (wp, nuser ?: "", userlen); +- wp += userlen; +- wp = memmove (wp, ndomain ?: "", domainlen); +- wp += domainlen; +- buffilled = wp - buffer; ++ if (!(addgetnetgrentX_append (scratch, nhost) ++ && addgetnetgrentX_append (scratch, nuser) ++ && addgetnetgrentX_append (scratch, ndomain))) ++ return send_notfound (fd); + ++nentries; + } + else +@@ -318,8 +331,8 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + } + else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE) + { +- buflen *= 2; +- *tofreep = buffer = xrealloc (buffer, buflen); ++ if (!scratch_buffer_grow (&scratch->tmp)) ++ return send_notfound (fd); + } + else if (status == NSS_STATUS_RETURN + || status == NSS_STATUS_NOTFOUND +@@ -352,10 +365,17 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + goto maybe_cache_add; + } + +- total = buffilled; ++ /* Capture the result size without the key appended. */ ++ total = scratch->buffer_used; ++ ++ /* Make a copy of the key. The scratch buffer must not move after ++ this point. */ ++ key_copy = addgetnetgrentX_append_n (scratch, key, req->key_len); ++ if (key_copy == NULL) ++ return send_notfound (fd); + + /* Fill in the dataset. */ +- dataset = (struct dataset *) buffer; ++ dataset = scratch->buffer.data; + timeout = datahead_init_pos (&dataset->head, total + req->key_len, + total - offsetof (struct dataset, resp), + he == NULL ? 0 : dh->nreloads + 1, +@@ -364,11 +384,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + dataset->resp.version = NSCD_VERSION; + dataset->resp.found = 1; + dataset->resp.nresults = nentries; +- dataset->resp.result_len = buffilled - sizeof (*dataset); +- +- assert (buflen - buffilled >= req->key_len); +- key_copy = memcpy (buffer + buffilled, key, req->key_len); +- buffilled += req->key_len; ++ dataset->resp.result_len = total - sizeof (*dataset); + + /* Now we can determine whether on refill we have to create a new + record or not. */ +@@ -399,7 +415,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + if (__builtin_expect (newp != NULL, 1)) + { + /* Adjust pointer into the memory block. */ +- key_copy = (char *) newp + (key_copy - buffer); ++ key_copy = (char *) newp + (key_copy - (char *) dataset); + + dataset = memcpy (newp, dataset, total + req->key_len); + cacheable = true; +@@ -440,7 +456,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + } + + out: +- *resultp = dataset; ++ scratch->dataset = dataset; + + return timeout; + } +@@ -461,6 +477,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + if (user != NULL) + key = (char *) rawmemchr (key, '\0') + 1; + const char *domain = *key++ ? key : NULL; ++ struct addgetnetgrentX_scratch scratch; ++ ++ addgetnetgrentX_scratch_init (&scratch); + + if (__builtin_expect (debug_level > 0, 0)) + { +@@ -476,12 +495,8 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + group, group_len, + db, uid); + time_t timeout; +- void *tofree; + if (result != NULL) +- { +- timeout = result->head.timeout; +- tofree = NULL; +- } ++ timeout = result->head.timeout; + else + { + request_header req_get = +@@ -490,7 +505,10 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + .key_len = group_len + }; + timeout = addgetnetgrentX (db, -1, &req_get, group, uid, NULL, NULL, +- &result, &tofree); ++ &scratch); ++ result = scratch.dataset; ++ if (timeout < 0) ++ goto out; + } + + struct indataset +@@ -604,7 +622,7 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + } + + out: +- free (tofree); ++ addgetnetgrentX_scratch_free (&scratch); + return timeout; + } + +@@ -614,11 +632,12 @@ addgetnetgrentX_ignore (struct database_dyn *db, int fd, request_header *req, + const char *key, uid_t uid, struct hashentry *he, + struct datahead *dh) + { +- struct dataset *ignore; +- void *tofree; +- time_t timeout = addgetnetgrentX (db, fd, req, key, uid, he, dh, +- &ignore, &tofree); +- free (tofree); ++ struct addgetnetgrentX_scratch scratch; ++ addgetnetgrentX_scratch_init (&scratch); ++ time_t timeout = addgetnetgrentX (db, fd, req, key, uid, he, dh, &scratch); ++ addgetnetgrentX_scratch_free (&scratch); ++ if (timeout < 0) ++ timeout = 0; + return timeout; + } + +@@ -662,5 +681,9 @@ readdinnetgr (struct database_dyn *db, struct hashentry *he, + .key_len = he->len + }; + +- return addinnetgrX (db, -1, &req, db->data + he->key, he->owner, he, dh); ++ int timeout = addinnetgrX (db, -1, &req, db->data + he->key, he->owner, ++ he, dh); ++ if (timeout < 0) ++ timeout = 0; ++ return timeout; + } diff --git a/SOURCES/glibc-armhfp-ELF_MACHINE_NO_REL-undefined.patch b/SOURCES/glibc-armhfp-ELF_MACHINE_NO_REL-undefined.patch deleted file mode 100644 index 78d7c4b..0000000 --- a/SOURCES/glibc-armhfp-ELF_MACHINE_NO_REL-undefined.patch +++ /dev/null @@ -1,36 +0,0 @@ -From patchwork Thu Jul 3 13:26:40 2014 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: ARM: Define ELF_MACHINE_NO_REL -X-Patchwork-Submitter: Will Newton -X-Patchwork-Id: 366862 -Message-Id: <1404394000-13429-1-git-send-email-will.newton@linaro.org> -To: libc-alpha@sourceware.org -Date: Thu, 3 Jul 2014 14:26:40 +0100 -From: Will Newton -List-Id: - -Fix a -Wundef warning on ARM. - -ChangeLog: - -2014-07-03 Will Newton - - * sysdeps/arm/dl-machine.h (ELF_MACHINE_NO_REL): Define. ---- - sysdeps/arm/dl-machine.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/sysdeps/arm/dl-machine.h b/sysdeps/arm/dl-machine.h -index c5ffc93..d6b0c52 100644 ---- a/sysdeps/arm/dl-machine.h -+++ b/sysdeps/arm/dl-machine.h -@@ -296,6 +296,7 @@ elf_machine_plt_value (struct link_map *map, const Elf32_Rel *reloc, - /* ARM never uses Elf32_Rela relocations for the dynamic linker. - Prelinked libraries may use Elf32_Rela though. */ - #define ELF_MACHINE_NO_RELA defined RTLD_BOOTSTRAP -+#define ELF_MACHINE_NO_REL 0 - - /* Names of the architecture-specific auditing callback functions. */ - #define ARCH_LA_PLTENTER arm_gnu_pltenter diff --git a/SOURCES/glibc-rh1256317-armhfp-build-issue.patch b/SOURCES/glibc-rh1256317-armhfp-build-issue.patch deleted file mode 100644 index aa6e7fe..0000000 --- a/SOURCES/glibc-rh1256317-armhfp-build-issue.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/sysdeps/unix/arm/sysdep.S 2016-11-05 11:44:45.561945344 +0100 -+++ b/sysdeps/unix/arm/sysdep.S 2016-11-05 11:44:19.542069815 +0100 -@@ -37,7 +37,7 @@ - moveq r0, $EAGAIN /* Yes; translate it to EAGAIN. */ - #endif - --#ifndef IS_IN_rtld -+#if !IS_IN (rtld) - mov ip, lr - cfi_register (lr, ip) - mov r1, r0 diff --git a/SPECS/glibc.spec b/SPECS/glibc.spec index f9d8f7f..68f2ee8 100644 --- a/SPECS/glibc.spec +++ b/SPECS/glibc.spec @@ -125,7 +125,7 @@ Summary: The GNU libc libraries Name: glibc Version: %{glibcversion} -Release: %{glibcrelease} +Release: %{glibcrelease}.3 # GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries. # Things that are linked directly into dynamically linked programs # and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional @@ -1644,10 +1644,17 @@ Patch2861: glibc-rh1927536.patch Patch2862: glibc-rh1993930.patch Patch2863: glibc-rh2065058-1.patch Patch2864: glibc-rh2065058-2.patch -# Armhfp build issue -Patch9997: centos-arm32-NO_LONG_DOUBLE_MATH.patch -Patch9998: glibc-armhfp-ELF_MACHINE_NO_REL-undefined.patch -Patch9999: glibc-rh1256317-armhfp-build-issue.patch +Patch20671: glibc-RHEL-31803.patch +Patch20672: glibc-RHEL-34263-1.patch +Patch20673: glibc-RHEL-34263-2.patch +Patch20674: glibc-RHEL-34263-3.patch +Patch20675: glibc-RHEL-34263-4.patch +Patch20676: glibc-RHEL-34263-5.patch +Patch20677: glibc-RHEL-34263-6.patch +Patch20678: glibc-RHEL-34263-7.patch +Patch20679: glibc-RHEL-34263-8.patch +Patch20680: glibc-RHEL-34263-9.patch +Patch20681: glibc-RHEL-34263-10.patch ############################################################################## # End of glibc patches. @@ -3022,12 +3029,17 @@ package or when debugging this package. %patch2862 -p1 %patch2863 -p1 %patch2864 -p1 - -%ifarch %{arm} -%patch9998 -p1 -%patch9999 -p1 -%patch9997 -p1 -%endif +%patch -P 20671 -p1 +%patch -P 20672 -p1 +%patch -P 20673 -p1 +%patch -P 20674 -p1 +%patch -P 20675 -p1 +%patch -P 20676 -p1 +%patch -P 20677 -p1 +%patch -P 20678 -p1 +%patch -P 20679 -p1 +%patch -P 20680 -p1 +%patch -P 20681 -p1 ############################################################################## # %%prep - Additional prep required... @@ -4215,6 +4227,21 @@ rm -f *.filelist* %endif %changelog +* Thu May 2 2024 Florian Weimer - 2.17-326.3 +- nscd: Fix timeout type in netgroup cache (RHEL-34263) + +* Tue Apr 30 2024 Florian Weimer - 2.17-326.2 +- nscd: Do not use sendfile for the netgroup cache +- nscd: Use-after-free in netgroup cache +- CVE-2021-27645: nscd: double-free in netgroup cache +- CVE-2024-33599: nscd: buffer overflow in netgroup cache (RHEL-34263) +- CVE-2024-33600: nscd: null pointer dereferences in netgroup cache +- CVE-2024-33601: nscd: crash on out-of-memory condition +- CVE-2024-33602: nscd: memory corruption with NSS netgroup modules + +* Tue Apr 16 2024 Florian Weimer - 2.17-326.1 +- CVE-2024-2961: Out of bounds write in iconv conversion to ISO-2022-CN-EXT (RHEL-31803) + * Fri Mar 18 2022 DJ Delorie - 2.17-326 - resolv: Handle DNS transaction ID collisions (#2065058)