* [Buildroot] [PATCH 1/1] package/{glibc, localedef}: security bump to version 2.43-27-g4070d808b
@ 2026-05-09 18:19 Bernd Kuhls
2026-05-11 10:19 ` Peter Korsgaard
0 siblings, 1 reply; 2+ messages in thread
From: Bernd Kuhls @ 2026-05-09 18:19 UTC (permalink / raw)
To: buildroot; +Cc: Romain Naour, Thomas Petazzoni
Fixes the following security issues:
CVE-2026-5450: scanf %mc off-by-one heap buffer overflow
https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2026-0009;h=3c297fdc8018d26dfa3b1b269b8fdc2d4ab07e81;hb=HEAD
CVE-2026-5928: Potential buffer under-read in ungetwc
https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2026-0010;h=ae9953fb717886b93ea55fdede14450a0d4835f4;hb=HEAD
git shortlog 2.43-22-g8362e8ce1..2.43-27-g4070d808b
DJ Delorie (1):
include: isolate __O_CLOEXEC flag for sys/mount.h and fcntl.h
Florian Weimer (1):
Linux: Only define OPEN_TREE_* macros in <sys/mount.h> if undefined (bug 33921)
H.J. Lu (1):
abilist.awk: Handle weak unversioned defined symbols
Rocket Ma (2):
libio: Fix ungetwc operating on byte stream [BZ #33998]
stdio-common: Fix buffer overflow in scanf %mc [BZ #34008]
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
package/glibc/glibc.hash | 2 +-
package/glibc/glibc.mk | 5 ++++-
package/localedef/localedef.mk | 2 +-
3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/package/glibc/glibc.hash b/package/glibc/glibc.hash
index c9215dac6f..a6e6874e1f 100644
--- a/package/glibc/glibc.hash
+++ b/package/glibc/glibc.hash
@@ -1,5 +1,5 @@
# Locally calculated (fetched from git)
-sha256 c5d012c0417d1a8d72e72ea2cd917422fa04f9ab525f418c537cad5cd9042803 glibc-2.43-22-g8362e8ce10b24068bacc19552c128dd10e082fd9-git4.tar.gz
+sha256 668f890b45fd8d32bb73783ad3b75fe1f396c5c3aa3c3832e616b4c3f0c6066b glibc-2.43-27-g4070d808bea1c077eb7e7d52b52b91cae98205d5-git4.tar.gz
# Hashes for license files
sha256 edaef632cbb643e4e7a221717a6c441a4c1a7c918e6e4d56debc3d8739b233f6 COPYINGv2
diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index 0a44015818..09ac89f336 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -7,7 +7,7 @@
# Generate version string using:
# git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
# When updating the version, please also update localedef
-GLIBC_VERSION = 2.43-22-g8362e8ce10b24068bacc19552c128dd10e082fd9
+GLIBC_VERSION = 2.43-27-g4070d808bea1c077eb7e7d52b52b91cae98205d5
GLIBC_SITE = https://sourceware.org/git/glibc.git
GLIBC_SITE_METHOD = git
@@ -40,6 +40,9 @@ GLIBC_IGNORE_CVES += CVE-2026-4438
# Fixed by glibc-2.43-22-g8362e8ce10b24068bacc19552c128dd10e082fd9
GLIBC_IGNORE_CVES += CVE-2026-4046
+# Fixed by glibc-2.43-27-g4070d808bea1c077eb7e7d52b52b91cae98205d5
+GLIBC_IGNORE_CVES += CVE-2026-5450 CVE-2026-5928
+
# This CVE is considered as not being security issues by
# upstream glibc:
# https://security-tracker.debian.org/tracker/CVE-2010-4756
diff --git a/package/localedef/localedef.mk b/package/localedef/localedef.mk
index ec906fad22..4890e095e3 100644
--- a/package/localedef/localedef.mk
+++ b/package/localedef/localedef.mk
@@ -7,7 +7,7 @@
# Use the same VERSION and SITE as target glibc
# As in glibc.mk, generate version string using:
# git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
-LOCALEDEF_VERSION = 2.43-22-g8362e8ce10b24068bacc19552c128dd10e082fd9
+LOCALEDEF_VERSION = 2.43-27-g4070d808bea1c077eb7e7d52b52b91cae98205d5
LOCALEDEF_SOURCE = glibc-$(LOCALEDEF_VERSION)$(BR_FMT_VERSION_git).tar.gz
LOCALEDEF_SITE = https://sourceware.org/git/glibc.git
LOCALEDEF_SITE_METHOD = git
--
2.47.3
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/{glibc, localedef}: security bump to version 2.43-27-g4070d808b
2026-05-09 18:19 [Buildroot] [PATCH 1/1] package/{glibc, localedef}: security bump to version 2.43-27-g4070d808b Bernd Kuhls
@ 2026-05-11 10:19 ` Peter Korsgaard
0 siblings, 0 replies; 2+ messages in thread
From: Peter Korsgaard @ 2026-05-11 10:19 UTC (permalink / raw)
To: Bernd Kuhls; +Cc: buildroot, Romain Naour, Thomas Petazzoni
>>>>> "Bernd" == Bernd Kuhls <bernd@kuhls.net> writes:
> Fixes the following security issues:
> CVE-2026-5450: scanf %mc off-by-one heap buffer overflow
> https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2026-0009;h=3c297fdc8018d26dfa3b1b269b8fdc2d4ab07e81;hb=HEAD
> CVE-2026-5928: Potential buffer under-read in ungetwc
> https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2026-0010;h=ae9953fb717886b93ea55fdede14450a0d4835f4;hb=HEAD
> git shortlog 2.43-22-g8362e8ce1..2.43-27-g4070d808b
> DJ Delorie (1):
> include: isolate __O_CLOEXEC flag for sys/mount.h and fcntl.h
> Florian Weimer (1):
> Linux: Only define OPEN_TREE_* macros in <sys/mount.h> if undefined (bug 33921)
> H.J. Lu (1):
> abilist.awk: Handle weak unversioned defined symbols
> Rocket Ma (2):
> libio: Fix ungetwc operating on byte stream [BZ #33998]
> stdio-common: Fix buffer overflow in scanf %mc [BZ #34008]
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
> ---
> package/glibc/glibc.hash | 2 +-
> package/glibc/glibc.mk | 5 ++++-
> package/localedef/localedef.mk | 2 +-
> 3 files changed, 6 insertions(+), 3 deletions(-)
> diff --git a/package/glibc/glibc.hash b/package/glibc/glibc.hash
> index c9215dac6f..a6e6874e1f 100644
> --- a/package/glibc/glibc.hash
> +++ b/package/glibc/glibc.hash
> @@ -1,5 +1,5 @@
> # Locally calculated (fetched from git)
> -sha256 c5d012c0417d1a8d72e72ea2cd917422fa04f9ab525f418c537cad5cd9042803 glibc-2.43-22-g8362e8ce10b24068bacc19552c128dd10e082fd9-git4.tar.gz
> +sha256 668f890b45fd8d32bb73783ad3b75fe1f396c5c3aa3c3832e616b4c3f0c6066b glibc-2.43-27-g4070d808bea1c077eb7e7d52b52b91cae98205d5-git4.tar.gz
> # Hashes for license files
> sha256 edaef632cbb643e4e7a221717a6c441a4c1a7c918e6e4d56debc3d8739b233f6 COPYINGv2
> diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
> index 0a44015818..09ac89f336 100644
> --- a/package/glibc/glibc.mk
> +++ b/package/glibc/glibc.mk
> @@ -7,7 +7,7 @@
> # Generate version string using:
> # git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
> # When updating the version, please also update localedef
> -GLIBC_VERSION = 2.43-22-g8362e8ce10b24068bacc19552c128dd10e082fd9
> +GLIBC_VERSION = 2.43-27-g4070d808bea1c077eb7e7d52b52b91cae98205d5
> GLIBC_SITE = https://sourceware.org/git/glibc.git
> GLIBC_SITE_METHOD = git
> @@ -40,6 +40,9 @@ GLIBC_IGNORE_CVES += CVE-2026-4438
> # Fixed by glibc-2.43-22-g8362e8ce10b24068bacc19552c128dd10e082fd9
> GLIBC_IGNORE_CVES += CVE-2026-4046
> +# Fixed by glibc-2.43-27-g4070d808bea1c077eb7e7d52b52b91cae98205d5
> +GLIBC_IGNORE_CVES += CVE-2026-5450 CVE-2026-5928
We normally use the specific git hash fixing the issue, so it should
really be:
# Fixed by glibc-2.43-26-g2890b35cd361df2517525bf2c5f8c63f6f0d4a20
GLIBC_IGNORE_CVES += CVE-2026-5928
# Fixed by glibc-2.43-27-g4070d808bea1c077eb7e7d52b52b91cae98205d5
GLIBC_IGNORE_CVES += CVE-2026-5450
Committed with that fixed, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-05-11 10:19 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-09 18:19 [Buildroot] [PATCH 1/1] package/{glibc, localedef}: security bump to version 2.43-27-g4070d808b Bernd Kuhls
2026-05-11 10:19 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox