Re: [Buildroot] [PATCH 1/1] package/{glibc, localedef}: security bump to version 2.43-27-g4070d808b

From: Peter Korsgaard <peter@korsgaard.com>
To: Bernd Kuhls <bernd@kuhls.net>
Cc: buildroot@buildroot.org,  Romain Naour <romain.naour@gmail.com>,
	 Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Subject: Re: [Buildroot] [PATCH 1/1] package/{glibc, localedef}: security bump to version 2.43-27-g4070d808b
Date: Mon, 11 May 2026 12:19:49 +0200	[thread overview]
Message-ID: <874ikep7sq.fsf@dell.be.48ers.dk> (raw)
In-Reply-To: <20260509181924.1370490-1-bernd@kuhls.net> (Bernd Kuhls's message of "Sat, 9 May 2026 20:19:24 +0200")

>>>>> "Bernd" == Bernd Kuhls <bernd@kuhls.net> writes:

 > Fixes the following security issues:
 > CVE-2026-5450: scanf %mc off-by-one heap buffer overflow
 > https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2026-0009;h=3c297fdc8018d26dfa3b1b269b8fdc2d4ab07e81;hb=HEAD

 > CVE-2026-5928: Potential buffer under-read in ungetwc
 > https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2026-0010;h=ae9953fb717886b93ea55fdede14450a0d4835f4;hb=HEAD

 > git shortlog 2.43-22-g8362e8ce1..2.43-27-g4070d808b

 > DJ Delorie (1):
 >       include: isolate __O_CLOEXEC flag for sys/mount.h and fcntl.h

 > Florian Weimer (1):
 >       Linux: Only define OPEN_TREE_* macros in <sys/mount.h> if undefined (bug 33921)

 > H.J. Lu (1):
 >       abilist.awk: Handle weak unversioned defined symbols

 > Rocket Ma (2):
 >       libio: Fix ungetwc operating on byte stream [BZ #33998]
 >       stdio-common: Fix buffer overflow in scanf %mc [BZ #34008]

 > Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
 > ---
 >  package/glibc/glibc.hash       | 2 +-
 >  package/glibc/glibc.mk         | 5 ++++-
 >  package/localedef/localedef.mk | 2 +-
 >  3 files changed, 6 insertions(+), 3 deletions(-)

 > diff --git a/package/glibc/glibc.hash b/package/glibc/glibc.hash
 > index c9215dac6f..a6e6874e1f 100644
 > --- a/package/glibc/glibc.hash
 > +++ b/package/glibc/glibc.hash
 > @@ -1,5 +1,5 @@
 >  # Locally calculated (fetched from git)
 > -sha256  c5d012c0417d1a8d72e72ea2cd917422fa04f9ab525f418c537cad5cd9042803  glibc-2.43-22-g8362e8ce10b24068bacc19552c128dd10e082fd9-git4.tar.gz
 > +sha256  668f890b45fd8d32bb73783ad3b75fe1f396c5c3aa3c3832e616b4c3f0c6066b  glibc-2.43-27-g4070d808bea1c077eb7e7d52b52b91cae98205d5-git4.tar.gz

 >  # Hashes for license files
 >  sha256  edaef632cbb643e4e7a221717a6c441a4c1a7c918e6e4d56debc3d8739b233f6  COPYINGv2
 > diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
 > index 0a44015818..09ac89f336 100644
 > --- a/package/glibc/glibc.mk
 > +++ b/package/glibc/glibc.mk
 > @@ -7,7 +7,7 @@
 >  # Generate version string using:
 >  #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
 >  # When updating the version, please also update localedef
 > -GLIBC_VERSION = 2.43-22-g8362e8ce10b24068bacc19552c128dd10e082fd9
 > +GLIBC_VERSION = 2.43-27-g4070d808bea1c077eb7e7d52b52b91cae98205d5
 >  GLIBC_SITE = https://sourceware.org/git/glibc.git
 >  GLIBC_SITE_METHOD = git

 > @@ -40,6 +40,9 @@ GLIBC_IGNORE_CVES += CVE-2026-4438
 >  # Fixed by glibc-2.43-22-g8362e8ce10b24068bacc19552c128dd10e082fd9
 >  GLIBC_IGNORE_CVES += CVE-2026-4046

 > +# Fixed by glibc-2.43-27-g4070d808bea1c077eb7e7d52b52b91cae98205d5
 > +GLIBC_IGNORE_CVES += CVE-2026-5450 CVE-2026-5928

We normally use the specific git hash fixing the issue, so it should
really be:

# Fixed by glibc-2.43-26-g2890b35cd361df2517525bf2c5f8c63f6f0d4a20
GLIBC_IGNORE_CVES += CVE-2026-5928

# Fixed by glibc-2.43-27-g4070d808bea1c077eb7e7d52b52b91cae98205d5
GLIBC_IGNORE_CVES += CVE-2026-5450

Committed with that fixed, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot