diff --git a/SOURCES/glibc-rh1685400.patch b/SOURCES/glibc-rh1685400.patch deleted file mode 100644 index 688a60c..0000000 --- a/SOURCES/glibc-rh1685400.patch +++ /dev/null @@ -1,28 +0,0 @@ -commit 583dd860d5b833037175247230a328f0050dbfe9 -Author: Paul Eggert -Date: Mon Jan 21 11:08:13 2019 -0800 - - regex: fix read overrun [BZ #24114] - - Problem found by AddressSanitizer, reported by Hongxu Chen in: - https://debbugs.gnu.org/34140 - * posix/regexec.c (proceed_next_node): - Do not read past end of input buffer. - -diff --git a/posix/regexec.c b/posix/regexec.c -index 73644c2341336e66..06b8487c3e3eab0e 100644 ---- a/posix/regexec.c -+++ b/posix/regexec.c -@@ -1289,8 +1289,10 @@ proceed_next_node (const re_match_context_t *mctx, Idx nregs, regmatch_t *regs, - else if (naccepted) - { - char *buf = (char *) re_string_get_buffer (&mctx->input); -- if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx, -- naccepted) != 0) -+ if (mctx->input.valid_len - *pidx < naccepted -+ || (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx, -+ naccepted) -+ != 0)) - return -1; - } - } diff --git a/SOURCES/glibc-rh1871386-1.patch b/SOURCES/glibc-rh1871386-1.patch new file mode 100644 index 0000000..5cd3074 --- /dev/null +++ b/SOURCES/glibc-rh1871386-1.patch @@ -0,0 +1,20 @@ +commit 0798b8ecc8da8667362496c1217d18635106c609 +Author: Vineet Gupta +Date: Wed Apr 8 19:56:12 2020 -0700 + + ARC: Update syscall-names.list for ARC specific syscalls + +diff --git a/sysdeps/unix/sysv/linux/syscall-names.list b/sysdeps/unix/sysv/linux/syscall-names.list +index 314a653938..21a62a06f4 100644 +--- a/sysdeps/unix/sysv/linux/syscall-names.list ++++ b/sysdeps/unix/sysv/linux/syscall-names.list +@@ -41,6 +41,9 @@ adjtimex + afs_syscall + alarm + alloc_hugepages ++arc_gettls ++arc_settls ++arc_usr_cmpxchg + arch_prctl + arm_fadvise64_64 + arm_sync_file_range diff --git a/SOURCES/glibc-rh1871386-2.patch b/SOURCES/glibc-rh1871386-2.patch new file mode 100644 index 0000000..d89c08d --- /dev/null +++ b/SOURCES/glibc-rh1871386-2.patch @@ -0,0 +1,26 @@ +commit b67339d0bbc07911859ca8c488e1923441cd3c33 +Author: Joseph Myers +Date: Mon Jun 15 22:58:22 2020 +0000 + + Update syscall-names.list for Linux 5.7. + + Linux 5.7 has no new syscalls. Update the version number in + syscall-names.list to reflect that it is still current for 5.7. + + Tested with build-many-glibcs.py. + +diff --git a/sysdeps/unix/sysv/linux/syscall-names.list b/sysdeps/unix/sysv/linux/syscall-names.list +index 21a62a06f4..15dec5b98f 100644 +--- a/sysdeps/unix/sysv/linux/syscall-names.list ++++ b/sysdeps/unix/sysv/linux/syscall-names.list +@@ -21,8 +21,8 @@ + # This file can list all potential system calls. The names are only + # used if the installed kernel headers also provide them. + +-# The list of system calls is current as of Linux 5.6. +-kernel 5.6 ++# The list of system calls is current as of Linux 5.7. ++kernel 5.7 + + FAST_atomic_update + FAST_cmpxchg diff --git a/SOURCES/glibc-rh1871386-3.patch b/SOURCES/glibc-rh1871386-3.patch new file mode 100644 index 0000000..09bd048 --- /dev/null +++ b/SOURCES/glibc-rh1871386-3.patch @@ -0,0 +1,37 @@ +commit 1cfb4715288845ebc55ad664421b48b32de9599c +Author: Joseph Myers +Date: Fri Aug 7 14:38:43 2020 +0000 + + Update syscall lists for Linux 5.8. + + Linux 5.8 has one new syscall, faccessat2. Update syscall-names.list + and regenerate the arch-syscall.h headers with build-many-glibcs.py + update-syscalls. + + Tested with build-many-glibcs.py. + +Modified to only update syscall-names.list for RHEL 8.5.0. + +diff --git a/sysdeps/unix/sysv/linux/syscall-names.list b/sysdeps/unix/sysv/linux/syscall-names.list +index 15dec5b98f..a462318ecf 100644 +--- a/sysdeps/unix/sysv/linux/syscall-names.list ++++ b/sysdeps/unix/sysv/linux/syscall-names.list +@@ -21,8 +21,8 @@ + # This file can list all potential system calls. The names are only + # used if the installed kernel headers also provide them. + +-# The list of system calls is current as of Linux 5.7. +-kernel 5.7 ++# The list of system calls is current as of Linux 5.8. ++kernel 5.8 + + FAST_atomic_update + FAST_cmpxchg +@@ -105,6 +105,7 @@ execveat + exit + exit_group + faccessat ++faccessat2 + fadvise64 + fadvise64_64 + fallocate diff --git a/SOURCES/glibc-rh1871386-4.patch b/SOURCES/glibc-rh1871386-4.patch new file mode 100644 index 0000000..72bb49d --- /dev/null +++ b/SOURCES/glibc-rh1871386-4.patch @@ -0,0 +1,37 @@ +commit dac8713629c8736a60aebec2f01657e46baa4c73 +Author: Joseph Myers +Date: Fri Oct 23 16:31:11 2020 +0000 + + Update syscall lists for Linux 5.9. + + Linux 5.9 has one new syscall, close_range. Update syscall-names.list + and regenerate the arch-syscall.h headers with build-many-glibcs.py + update-syscalls. + + Tested with build-many-glibcs.py. + +Modified to only update syscall-names.list for RHEL 8.5.0. + +diff --git a/sysdeps/unix/sysv/linux/syscall-names.list b/sysdeps/unix/sysv/linux/syscall-names.list +index a462318ecf..2d42aaf803 100644 +--- a/sysdeps/unix/sysv/linux/syscall-names.list ++++ b/sysdeps/unix/sysv/linux/syscall-names.list +@@ -21,8 +21,8 @@ + # This file can list all potential system calls. The names are only + # used if the installed kernel headers also provide them. + +-# The list of system calls is current as of Linux 5.8. +-kernel 5.8 ++# The list of system calls is current as of Linux 5.9. ++kernel 5.9 + + FAST_atomic_update + FAST_cmpxchg +@@ -79,6 +79,7 @@ clone + clone2 + clone3 + close ++close_range + cmpxchg_badaddr + connect + copy_file_range diff --git a/SOURCES/glibc-rh1871386-5.patch b/SOURCES/glibc-rh1871386-5.patch new file mode 100644 index 0000000..a2e2b7d --- /dev/null +++ b/SOURCES/glibc-rh1871386-5.patch @@ -0,0 +1,37 @@ +commit bcf47eb0fba4c6278aadd6a377d6b7b3f673e17c +Author: Joseph Myers +Date: Wed Dec 16 02:08:52 2020 +0000 + + Update syscall lists for Linux 5.10. + + Linux 5.10 has one new syscall, process_madvise. Update + syscall-names.list and regenerate the arch-syscall.h headers with + build-many-glibcs.py update-syscalls. + + Tested with build-many-glibcs.py. + +Modified to only update syscall-names.list for RHEL 8.5.0. + +diff --git a/sysdeps/unix/sysv/linux/syscall-names.list b/sysdeps/unix/sysv/linux/syscall-names.list +index 2d42aaf803..4bd42be2b9 100644 +--- a/sysdeps/unix/sysv/linux/syscall-names.list ++++ b/sysdeps/unix/sysv/linux/syscall-names.list +@@ -21,8 +21,8 @@ + # This file can list all potential system calls. The names are only + # used if the installed kernel headers also provide them. + +-# The list of system calls is current as of Linux 5.9. +-kernel 5.9 ++# The list of system calls is current as of Linux 5.10. ++kernel 5.10 + + FAST_atomic_update + FAST_cmpxchg +@@ -433,6 +433,7 @@ pread64 + preadv + preadv2 + prlimit64 ++process_madvise + process_vm_readv + process_vm_writev + prof diff --git a/SOURCES/glibc-rh1871386-6.patch b/SOURCES/glibc-rh1871386-6.patch new file mode 100644 index 0000000..36a47e8 --- /dev/null +++ b/SOURCES/glibc-rh1871386-6.patch @@ -0,0 +1,42 @@ +commit 2b778ceb4010c28d70de9b8eab20e8d88eed586b +Author: Paul Eggert +Date: Sat Jan 2 11:32:25 2021 -0800 + + Update copyright dates with scripts/update-copyrights + + I used these shell commands: + + ../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright + (cd ../glibc && git commit -am"[this commit message]") + + and then ignored the output, which consisted lines saying "FOO: warning: + copyright statement not found" for each of 6694 files FOO. + I then removed trailing white space from benchtests/bench-pthread-locks.c + and iconvdata/tst-iconv-big5-hkscs-to-2ucs4.c, to work around this + diagnostic from Savannah: + remote: *** pre-commit check failed ... + remote: *** error: lines with trailing whitespace found + remote: error: hook declined to update refs/heads/master + +Modified to only update copyright for syscall-names.list for RHEL 8.5.0. Also +update licenses link to use https. + +diff -Nrup a/sysdeps/unix/sysv/linux/syscall-names.list b/sysdeps/unix/sysv/linux/syscall-names.list +--- a/sysdeps/unix/sysv/linux/syscall-names.list 2021-03-16 14:12:27.828571456 -0400 ++++ b/sysdeps/unix/sysv/linux/syscall-names.list 2021-03-16 14:13:23.950145631 -0400 +@@ -1,5 +1,5 @@ + # List of all known Linux system calls. +-# Copyright (C) 2017-2018 Free Software Foundation, Inc. ++# Copyright (C) 2017-2021 Free Software Foundation, Inc. + # This file is part of the GNU C Library. + # + # The GNU C Library is free software; you can redistribute it and/or +@@ -14,7 +14,7 @@ + # + # You should have received a copy of the GNU Lesser General Public + # License along with the GNU C Library; if not, see +-# . ++# . + + # This file contains the list of system call names. It has to remain in + # alphabetical order. Lines which start with # are treated as comments. diff --git a/SOURCES/glibc-rh1871386-7.patch b/SOURCES/glibc-rh1871386-7.patch new file mode 100644 index 0000000..79774e7 --- /dev/null +++ b/SOURCES/glibc-rh1871386-7.patch @@ -0,0 +1,37 @@ +commit 83908b3a1ea51e3aa7ff422275940e56dbba989f +Author: Joseph Myers +Date: Fri Feb 19 21:16:27 2021 +0000 + + Update syscall lists for Linux 5.11. + + Linux 5.11 has one new syscall, epoll_pwait2. Update + syscall-names.list and regenerate the arch-syscall.h headers with + build-many-glibcs.py update-syscalls. + + Tested with build-many-glibcs.py. + +Modified to only update syscall-names.list for RHEL 8.5.0. + +diff --git a/sysdeps/unix/sysv/linux/syscall-names.list b/sysdeps/unix/sysv/linux/syscall-names.list +index 4df7eeab96..f6cb34089d 100644 +--- a/sysdeps/unix/sysv/linux/syscall-names.list ++++ b/sysdeps/unix/sysv/linux/syscall-names.list +@@ -21,8 +21,8 @@ + # This file can list all potential system calls. The names are only + # used if the installed kernel headers also provide them. + +-# The list of system calls is current as of Linux 5.10. +-kernel 5.10 ++# The list of system calls is current as of Linux 5.11. ++kernel 5.11 + + FAST_atomic_update + FAST_cmpxchg +@@ -95,6 +95,7 @@ epoll_create1 + epoll_ctl + epoll_ctl_old + epoll_pwait ++epoll_pwait2 + epoll_wait + epoll_wait_old + eventfd diff --git a/SOURCES/glibc-rh1927040.patch b/SOURCES/glibc-rh1927040.patch deleted file mode 100644 index 4960631..0000000 --- a/SOURCES/glibc-rh1927040.patch +++ /dev/null @@ -1,177 +0,0 @@ -This is a custom downstream RHEL 8 patch which rebuilds three -GLIBC_PRIVATE interfaces locally for use by libnss_files.so.2 -and libnss_compat.so.2. - -The shared objects needs the following 3 functions: -__nss_readline -__nss_parse_line_result -__nss_files_fopen (only requirement for libnss_compat.so.2) - -They are implemented in: -nss/nss_parse_line_result.c -nss/nss_readline.c -nss/nss_files_fopen.c - -We create wrappers for those functions, recompile, and link directly -into the shared objects: -nss/nss_parse_line_result_int.c -nss/nss_readline_int.c -nss/nss_files_fopen_int.c - -After building the new shared objects there are no longer any undefined -global function references to __nss_readline@GLIBC_PRIVATE, -__nss_parse_line_result@GLIBC_PRIVATE or -__nss_files_fopen@GLIBC_PRIVATE. - -Instead we see local function definitions in the shared object e.g. -Symbol table '.symtab' contains 628 entries: -... - 486: 0000000000008ce0 92 FUNC LOCAL DEFAULT 15 __nss_parse_line_result -... - 494: 0000000000008b70 72 FUNC LOCAL DEFAULT 15 __nss_readline_seek -... - 497: 0000000000008bc0 279 FUNC LOCAL DEFAULT 15 __nss_readline -... - 510: 0000000000008ce0 82 FUNC LOCAL DEFAULT 15 __nss_files_fopen - -The remaining GLIBC_PRIVATE references in the shared objects are all -pre-existing and do not impact upgrade scenarios. - -For reference the existing and present GLIBC_PRIVATE interfaces are: -__libc_alloc_buffer_alloc_array@@GLIBC_PRIVATE -__libc_alloc_buffer_copy_string@@GLIBC_PRIVATE -__libc_alloc_buffer_create_failure@@GLIBC_PRIVATE -__libc_dynarray_emplace_enlarge@@GLIBC_PRIVATE -__libc_scratch_buffer_grow@@GLIBC_PRIVATE -__resp@@GLIBC_PRIVATE -_nss_files_parse_grent@@GLIBC_PRIVATE -_nss_files_parse_pwent@@GLIBC_PRIVATE -_nss_files_parse_sgent@@GLIBC_PRIVATE -_nss_files_parse_spent@@GLIBC_PRIVATE -errno@@GLIBC_PRIVATE -__nss_database_lookup2@GLIBC_PRIVATE -__nss_lookup_function@GLIBC_PRIVATE - -Each was checked for existence in libc.so.6. - -A small reproducer was used in testing this patch, included here: -cat >> tst-rhbz1927040.c < -#include -#include -#include -#include -#include - -int -main (void) -{ - struct passwd *res; - - /* Only lookup via files. */ - printf ("INFO: Upgrade glibc, then press ENTER to see if libnss_files.so.2 loads."); - getchar (); - - /* Try to get one entry. */ - printf ("INFO: Looking up first password entry.\n"); - setpwent (); - errno = 0; - res = getpwent (); - if (res == NULL && errno != 0) - { - printf ("FAIL: Could not get entry (%s).\n", strerror(errno)); - exit (1); - } - printf ("INFO: First entry passwd.pw_name = \"%s\"\n", res->pw_name); - printf ("PASS: Call to getpwent succeeded.\n"); - endpwent (); - exit (0); -} -EOF - -Testing RHEL upgrade -from: glibc-2.28-127.el8_3.2 -to: glibc-2.28-148.el8 - -./tst-rhbz1927040 -INFO: Upgrade glibc, then press ENTER to see if libnss_files.so.2 loads. -INFO: Looking up first password entry. -INFO: Result was NULL. -PASS: Call to getpwent succeeded. - -With LD_DEBUG=all you can observe: - 22697: /lib64/libnss_files.so.2: error: symbol lookup error: undefined symbol: __nss_files_fopen, version GLIBC_PRIVATE (fatal) - -Which is the indication that the upgrade caused the transient IdM lookup failure. - -Running again succeeds: -INFO: Upgrade glibc, then press ENTER to see if libnss_files.so.2 loads. -INFO: Looking up first password entry. -INFO: First entry passwd.pw_name = "root" -PASS: Call to getpwent succeeded. - -diff --git a/nss/Makefile b/nss/Makefile -index 7359da38feb65618..d5c28a6b5ed3661c 100644 ---- a/nss/Makefile -+++ b/nss/Makefile -@@ -92,9 +92,19 @@ extra-libs-others = $(extra-libs) - subdir-dirs = $(services:%=nss_%) - vpath %.c $(subdir-dirs) ../locale/programs ../intl - -- -+# In RHEL we add nss_readline, nss_parse_line_result, and -+# nss_files_fopen to the libnss_files-routines in order to avoid the -+# case where a long running process (having never used NSS) attemps to -+# load an NSS module for the first time and that NSS module needs a -+# newer GLIBC_PRIVATE interface. In effect we must make the NSS modules -+# self-sufficient and not rely on a GLIBC_PRIVATE interface. -+# See: https://bugzilla.redhat.com/show_bug.cgi?id=1927040 -+# Note: We must recompile the objects to get the correct global symbol -+# references, which is why we have the *_int.c wrappers. - libnss_files-routines := $(addprefix files-,$(databases)) \ -- files-initgroups files-init -+ files-initgroups files-init \ -+ nss_readline_int nss_parse_line_result_int \ -+ nss_files_fopen_int - - libnss_db-dbs := $(addprefix db-,\ - $(filter-out hosts network key alias,\ -@@ -104,8 +114,10 @@ libnss_db-routines := $(libnss_db-dbs) db-open db-init hash-string - generated += $(filter-out db-alias.c db-netgrp.c, \ - $(addsuffix .c,$(libnss_db-dbs))) - -+# See note above regarding nss_files_fopen. - libnss_compat-routines := $(addprefix compat-,grp pwd spwd initgroups) \ -- nisdomain -+ nisdomain \ -+ nss_files_fopen_int - - install-others += $(inst_vardbdir)/Makefile - -diff --git a/nss/nss_files_fopen_int.c b/nss/nss_files_fopen_int.c -new file mode 100644 -index 0000000000000000..fa518084fd609b52 ---- /dev/null -+++ b/nss/nss_files_fopen_int.c -@@ -0,0 +1,3 @@ -+/* Include a local internal copy of __nss_files_fopen to make the NSS -+ module self-contained. */ -+#include -diff --git a/nss/nss_parse_line_result_int.c b/nss/nss_parse_line_result_int.c -new file mode 100644 -index 0000000000000000..bc0ee7a251743c9a ---- /dev/null -+++ b/nss/nss_parse_line_result_int.c -@@ -0,0 +1,3 @@ -+/* Include a local internal copy of __nss_parse_line_result to make the -+ NSS module self-contained. */ -+#include -diff --git a/nss/nss_readline_int.c b/nss/nss_readline_int.c -new file mode 100644 -index 0000000000000000..0e7bd259733673c9 ---- /dev/null -+++ b/nss/nss_readline_int.c -@@ -0,0 +1,3 @@ -+/* Include a local internal copy of __nss_readline and -+ __nss_readline_seek to make the NSS module self-contained. */ -+#include diff --git a/SOURCES/glibc-rh1932770.patch b/SOURCES/glibc-rh1932770.patch new file mode 100644 index 0000000..4960631 --- /dev/null +++ b/SOURCES/glibc-rh1932770.patch @@ -0,0 +1,177 @@ +This is a custom downstream RHEL 8 patch which rebuilds three +GLIBC_PRIVATE interfaces locally for use by libnss_files.so.2 +and libnss_compat.so.2. + +The shared objects needs the following 3 functions: +__nss_readline +__nss_parse_line_result +__nss_files_fopen (only requirement for libnss_compat.so.2) + +They are implemented in: +nss/nss_parse_line_result.c +nss/nss_readline.c +nss/nss_files_fopen.c + +We create wrappers for those functions, recompile, and link directly +into the shared objects: +nss/nss_parse_line_result_int.c +nss/nss_readline_int.c +nss/nss_files_fopen_int.c + +After building the new shared objects there are no longer any undefined +global function references to __nss_readline@GLIBC_PRIVATE, +__nss_parse_line_result@GLIBC_PRIVATE or +__nss_files_fopen@GLIBC_PRIVATE. + +Instead we see local function definitions in the shared object e.g. +Symbol table '.symtab' contains 628 entries: +... + 486: 0000000000008ce0 92 FUNC LOCAL DEFAULT 15 __nss_parse_line_result +... + 494: 0000000000008b70 72 FUNC LOCAL DEFAULT 15 __nss_readline_seek +... + 497: 0000000000008bc0 279 FUNC LOCAL DEFAULT 15 __nss_readline +... + 510: 0000000000008ce0 82 FUNC LOCAL DEFAULT 15 __nss_files_fopen + +The remaining GLIBC_PRIVATE references in the shared objects are all +pre-existing and do not impact upgrade scenarios. + +For reference the existing and present GLIBC_PRIVATE interfaces are: +__libc_alloc_buffer_alloc_array@@GLIBC_PRIVATE +__libc_alloc_buffer_copy_string@@GLIBC_PRIVATE +__libc_alloc_buffer_create_failure@@GLIBC_PRIVATE +__libc_dynarray_emplace_enlarge@@GLIBC_PRIVATE +__libc_scratch_buffer_grow@@GLIBC_PRIVATE +__resp@@GLIBC_PRIVATE +_nss_files_parse_grent@@GLIBC_PRIVATE +_nss_files_parse_pwent@@GLIBC_PRIVATE +_nss_files_parse_sgent@@GLIBC_PRIVATE +_nss_files_parse_spent@@GLIBC_PRIVATE +errno@@GLIBC_PRIVATE +__nss_database_lookup2@GLIBC_PRIVATE +__nss_lookup_function@GLIBC_PRIVATE + +Each was checked for existence in libc.so.6. + +A small reproducer was used in testing this patch, included here: +cat >> tst-rhbz1927040.c < +#include +#include +#include +#include +#include + +int +main (void) +{ + struct passwd *res; + + /* Only lookup via files. */ + printf ("INFO: Upgrade glibc, then press ENTER to see if libnss_files.so.2 loads."); + getchar (); + + /* Try to get one entry. */ + printf ("INFO: Looking up first password entry.\n"); + setpwent (); + errno = 0; + res = getpwent (); + if (res == NULL && errno != 0) + { + printf ("FAIL: Could not get entry (%s).\n", strerror(errno)); + exit (1); + } + printf ("INFO: First entry passwd.pw_name = \"%s\"\n", res->pw_name); + printf ("PASS: Call to getpwent succeeded.\n"); + endpwent (); + exit (0); +} +EOF + +Testing RHEL upgrade +from: glibc-2.28-127.el8_3.2 +to: glibc-2.28-148.el8 + +./tst-rhbz1927040 +INFO: Upgrade glibc, then press ENTER to see if libnss_files.so.2 loads. +INFO: Looking up first password entry. +INFO: Result was NULL. +PASS: Call to getpwent succeeded. + +With LD_DEBUG=all you can observe: + 22697: /lib64/libnss_files.so.2: error: symbol lookup error: undefined symbol: __nss_files_fopen, version GLIBC_PRIVATE (fatal) + +Which is the indication that the upgrade caused the transient IdM lookup failure. + +Running again succeeds: +INFO: Upgrade glibc, then press ENTER to see if libnss_files.so.2 loads. +INFO: Looking up first password entry. +INFO: First entry passwd.pw_name = "root" +PASS: Call to getpwent succeeded. + +diff --git a/nss/Makefile b/nss/Makefile +index 7359da38feb65618..d5c28a6b5ed3661c 100644 +--- a/nss/Makefile ++++ b/nss/Makefile +@@ -92,9 +92,19 @@ extra-libs-others = $(extra-libs) + subdir-dirs = $(services:%=nss_%) + vpath %.c $(subdir-dirs) ../locale/programs ../intl + +- ++# In RHEL we add nss_readline, nss_parse_line_result, and ++# nss_files_fopen to the libnss_files-routines in order to avoid the ++# case where a long running process (having never used NSS) attemps to ++# load an NSS module for the first time and that NSS module needs a ++# newer GLIBC_PRIVATE interface. In effect we must make the NSS modules ++# self-sufficient and not rely on a GLIBC_PRIVATE interface. ++# See: https://bugzilla.redhat.com/show_bug.cgi?id=1927040 ++# Note: We must recompile the objects to get the correct global symbol ++# references, which is why we have the *_int.c wrappers. + libnss_files-routines := $(addprefix files-,$(databases)) \ +- files-initgroups files-init ++ files-initgroups files-init \ ++ nss_readline_int nss_parse_line_result_int \ ++ nss_files_fopen_int + + libnss_db-dbs := $(addprefix db-,\ + $(filter-out hosts network key alias,\ +@@ -104,8 +114,10 @@ libnss_db-routines := $(libnss_db-dbs) db-open db-init hash-string + generated += $(filter-out db-alias.c db-netgrp.c, \ + $(addsuffix .c,$(libnss_db-dbs))) + ++# See note above regarding nss_files_fopen. + libnss_compat-routines := $(addprefix compat-,grp pwd spwd initgroups) \ +- nisdomain ++ nisdomain \ ++ nss_files_fopen_int + + install-others += $(inst_vardbdir)/Makefile + +diff --git a/nss/nss_files_fopen_int.c b/nss/nss_files_fopen_int.c +new file mode 100644 +index 0000000000000000..fa518084fd609b52 +--- /dev/null ++++ b/nss/nss_files_fopen_int.c +@@ -0,0 +1,3 @@ ++/* Include a local internal copy of __nss_files_fopen to make the NSS ++ module self-contained. */ ++#include +diff --git a/nss/nss_parse_line_result_int.c b/nss/nss_parse_line_result_int.c +new file mode 100644 +index 0000000000000000..bc0ee7a251743c9a +--- /dev/null ++++ b/nss/nss_parse_line_result_int.c +@@ -0,0 +1,3 @@ ++/* Include a local internal copy of __nss_parse_line_result to make the ++ NSS module self-contained. */ ++#include +diff --git a/nss/nss_readline_int.c b/nss/nss_readline_int.c +new file mode 100644 +index 0000000000000000..0e7bd259733673c9 +--- /dev/null ++++ b/nss/nss_readline_int.c +@@ -0,0 +1,3 @@ ++/* Include a local internal copy of __nss_readline and ++ __nss_readline_seek to make the NSS module self-contained. */ ++#include diff --git a/SOURCES/glibc-rh1936864.patch b/SOURCES/glibc-rh1936864.patch new file mode 100644 index 0000000..688a60c --- /dev/null +++ b/SOURCES/glibc-rh1936864.patch @@ -0,0 +1,28 @@ +commit 583dd860d5b833037175247230a328f0050dbfe9 +Author: Paul Eggert +Date: Mon Jan 21 11:08:13 2019 -0800 + + regex: fix read overrun [BZ #24114] + + Problem found by AddressSanitizer, reported by Hongxu Chen in: + https://debbugs.gnu.org/34140 + * posix/regexec.c (proceed_next_node): + Do not read past end of input buffer. + +diff --git a/posix/regexec.c b/posix/regexec.c +index 73644c2341336e66..06b8487c3e3eab0e 100644 +--- a/posix/regexec.c ++++ b/posix/regexec.c +@@ -1289,8 +1289,10 @@ proceed_next_node (const re_match_context_t *mctx, Idx nregs, regmatch_t *regs, + else if (naccepted) + { + char *buf = (char *) re_string_get_buffer (&mctx->input); +- if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx, +- naccepted) != 0) ++ if (mctx->input.valid_len - *pidx < naccepted ++ || (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx, ++ naccepted) ++ != 0)) + return -1; + } + } diff --git a/SPECS/glibc.spec b/SPECS/glibc.spec index b592f17..d4b0ff3 100644 --- a/SPECS/glibc.spec +++ b/SPECS/glibc.spec @@ -1,6 +1,6 @@ %define glibcsrcdir glibc-2.28 %define glibcversion 2.28 -%define glibcrelease 151%{?dist} +%define glibcrelease 152%{?dist} # Pre-release tarballs are pulled in from git using a command that is # effectively: # @@ -680,8 +680,15 @@ Patch543: glibc-rh1817513-133.patch Patch544: glibc-rh1912544.patch Patch545: glibc-rh1918115.patch Patch546: glibc-rh1924919.patch -Patch547: glibc-rh1927040.patch -Patch548: glibc-rh1685400.patch +Patch547: glibc-rh1932770.patch +Patch548: glibc-rh1936864.patch +Patch549: glibc-rh1871386-1.patch +Patch550: glibc-rh1871386-2.patch +Patch551: glibc-rh1871386-3.patch +Patch552: glibc-rh1871386-4.patch +Patch553: glibc-rh1871386-5.patch +Patch554: glibc-rh1871386-6.patch +Patch555: glibc-rh1871386-7.patch ############################################################################## # Continued list of core "glibc" package information: @@ -2593,14 +2600,17 @@ fi %files -f compat-libpthread-nonshared.filelist -n compat-libpthread-nonshared %changelog -* Fri Mar 5 2021 Siddhesh Poyarekar - 2.28-151 -- CVE-2019-9169: Fix buffer overread in regexec.c (#1685400). +* Tue Mar 16 2021 Patsy Griffin - 2.28-152 +- Update syscall-names.list to 5.7, 5.8, 5.9, 5.10 and 5.11. (#1871386) -* Fri Mar 05 2021 Carlos O'Donell - 2.28-150 -- Rebuild glibc to update security markup metadata (#1931305) +* Mon Mar 15 2021 Siddhesh Poyarekar - 2.28-151 +- CVE-2019-9169: Fix buffer overread in regexec.c (#1936864). -* Wed Feb 24 2021 Carlos O'Donell - 2.28-149 -- Fix NSS files and compat service upgrade defect (#1927040). +* Mon Mar 15 2021 Siddhesh Poyarekar - 2.28-150 +- Rebuild glibc to update security markup metadata (#1935128) + +* Mon Mar 15 2021 Siddhesh Poyarekar - 2.28-149 +- Fix NSS files and compat service upgrade defect (#1932770). * Fri Feb 5 2021 Florian Weimer - 2.28-148 - CVE-2021-3326: iconv assertion failure in ISO-2022-JP-3 decoding (#1924919)