[Buildroot] [PATCH] package/{glibc, localedef}: security bump to version 2.43-22-g8362e8ce1

[Buildroot] [PATCH] package/{glibc, localedef}: security bump to version 2.43-22-g8362e8ce1

[Peter Korsgaard]

Fixes the following security issue:

CVE-2026-4046: iconv crash due to assertion failure with untrusted input

https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2026-0007;h=b880fb55449693b879beae443e5d9bc1070b938b;hb=HEAD

git shortlog  2.43-17-gdd9945c0b..2.43-22-g8362e8ce1
Adhemerval Zanella (1):
      elf: Use dl-symbol-redir-ifunc.h instead _dl_strlen

Adhemerval Zanella Netto (1):
      riscv: Resolve calls to memcpy using memcpy-generic in early startup

Florian Weimer (1):
      Use pending character state in IBM1390, IBM1399 character sets (CVE-2026-4046)

Michael Jeanson (1):
      tests: fix tst-rseq with Linux 7.0

Xi Ruoyao (1):
      elf: parse /proc/self/maps as the last resort to find the gap for tst-link-map-contiguous-ldso

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/glibc/glibc.hash       | 2 +-
 package/glibc/glibc.mk         | 5 ++++-
 package/localedef/localedef.mk | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/package/glibc/glibc.hash b/package/glibc/glibc.hash
index d7731eb280..c9215dac6f 100644
--- a/package/glibc/glibc.hash
+++ b/package/glibc/glibc.hash
@@ -1,5 +1,5 @@
 # Locally calculated (fetched from git)
-sha256  742023f6c13500a56ae834f51c4453998b2dcd1ccb576fec457d49cdec3f22b3  glibc-2.43-17-gdd9945c0ba40d2dbc9eb7c99291ba6b69bd66718-git4.tar.gz
+sha256  c5d012c0417d1a8d72e72ea2cd917422fa04f9ab525f418c537cad5cd9042803  glibc-2.43-22-g8362e8ce10b24068bacc19552c128dd10e082fd9-git4.tar.gz
 
 # Hashes for license files
 sha256  edaef632cbb643e4e7a221717a6c441a4c1a7c918e6e4d56debc3d8739b233f6  COPYINGv2
diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index 1d9cd34cef..0a44015818 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -7,7 +7,7 @@
 # Generate version string using:
 #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
 # When updating the version, please also update localedef
-GLIBC_VERSION = 2.43-17-gdd9945c0ba40d2dbc9eb7c99291ba6b69bd66718
+GLIBC_VERSION = 2.43-22-g8362e8ce10b24068bacc19552c128dd10e082fd9
 GLIBC_SITE = https://sourceware.org/git/glibc.git
 GLIBC_SITE_METHOD = git
 
@@ -37,6 +37,9 @@ GLIBC_IGNORE_CVES += CVE-2026-4437
 # Fixed by glibc-2.43-17-gdd9945c0ba40d2dbc9eb7c99291ba6b69bd66718
 GLIBC_IGNORE_CVES += CVE-2026-4438
 
+# Fixed by glibc-2.43-22-g8362e8ce10b24068bacc19552c128dd10e082fd9
+GLIBC_IGNORE_CVES += CVE-2026-4046
+
 # This CVE is considered as not being security issues by
 # upstream glibc:
 #  https://security-tracker.debian.org/tracker/CVE-2010-4756
diff --git a/package/localedef/localedef.mk b/package/localedef/localedef.mk
index 28494364f4..ec906fad22 100644
--- a/package/localedef/localedef.mk
+++ b/package/localedef/localedef.mk
@@ -7,7 +7,7 @@
 # Use the same VERSION and SITE as target glibc
 # As in glibc.mk, generate version string using:
 #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
-LOCALEDEF_VERSION = 2.43-17-gdd9945c0ba40d2dbc9eb7c99291ba6b69bd66718
+LOCALEDEF_VERSION = 2.43-22-g8362e8ce10b24068bacc19552c128dd10e082fd9
 LOCALEDEF_SOURCE = glibc-$(LOCALEDEF_VERSION)$(BR_FMT_VERSION_git).tar.gz
 LOCALEDEF_SITE = https://sourceware.org/git/glibc.git
 LOCALEDEF_SITE_METHOD = git
-- 
2.47.3

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] package/{glibc, localedef}: security bump to version 2.43-22-g8362e8ce1

[Julien Olivain via buildroot]

On 04/05/2026 20:45, Peter Korsgaard wrote:
> Fixes the following security issue:
> 
> CVE-2026-4046: iconv crash due to assertion failure with untrusted 
> input
> 
> https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2026-0007;h=b880fb55449693b879beae443e5d9bc1070b938b;hb=HEAD
> 
> git shortlog  2.43-17-gdd9945c0b..2.43-22-g8362e8ce1
> Adhemerval Zanella (1):
>       elf: Use dl-symbol-redir-ifunc.h instead _dl_strlen
> 
> Adhemerval Zanella Netto (1):
>       riscv: Resolve calls to memcpy using memcpy-generic in early 
> startup
> 
> Florian Weimer (1):
>       Use pending character state in IBM1390, IBM1399 character sets 
> (CVE-2026-4046)
> 
> Michael Jeanson (1):
>       tests: fix tst-rseq with Linux 7.0
> 
> Xi Ruoyao (1):
>       elf: parse /proc/self/maps as the last resort to find the gap for 
> tst-link-map-contiguous-ldso
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Applied to master, thanks.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot