Buildroot Archive on lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH] package/glibc: security bump to version 2.41-70
@ 2025-08-05 11:06 Peter Korsgaard
  2025-08-07 22:01 ` Julien Olivain via buildroot
  2025-08-14 20:32 ` Thomas Perale via buildroot
  0 siblings, 2 replies; 4+ messages in thread
From: Peter Korsgaard @ 2025-08-05 11:06 UTC (permalink / raw)
  To: buildroot; +Cc: Romain Naour, Thomas Petazzoni

Fixes the following security issues:

- CVE-2025-5702: power10: strcmp fails to save and restore nonvolatile
  vector registers
  https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2025-0003

- CVE-2025-5745: power10: strncmp fails to save and restore nonvolatile
  vector registers
  https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2025-0004

- CVE-2025-8058: posix: Fix double-free after allocation failure in regcomp
  https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2025-0005

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/glibc/glibc.hash       |  2 +-
 package/glibc/glibc.mk         | 11 ++++++++++-
 package/localedef/localedef.mk |  2 +-
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/package/glibc/glibc.hash b/package/glibc/glibc.hash
index 61af3d9488..0deba84dc7 100644
--- a/package/glibc/glibc.hash
+++ b/package/glibc/glibc.hash
@@ -1,5 +1,5 @@
 # Locally calculated (fetched from Github)
-sha256  ed2cd1f058f22f682e700c5be408975db62025a14863a5a6700ee93d5927504e  glibc-2.41-5-gcb7f20653724029be89224ed3a35d627cc5b4163.tar.gz
+sha256  166b6e7637bb45cb9352e4813005f83dd48f03ef634d3e9e94a30aa5a0300fab  glibc-2.41-70-g1502c248d58cb99a203731707987a4342926e830.tar.gz
 
 # Hashes for license files
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index 29617b9756..239e39a2ba 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -7,7 +7,7 @@
 # Generate version string using:
 #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
 # When updating the version, please also update localedef
-GLIBC_VERSION = 2.41-5-gcb7f20653724029be89224ed3a35d627cc5b4163
+GLIBC_VERSION = 2.41-70-g1502c248d58cb99a203731707987a4342926e830
 
 # Upstream doesn't officially provide an https download link.
 # There is one (https://sourceware.org/git/glibc.git) but it's not reliable,
@@ -25,6 +25,15 @@ GLIBC_CPE_ID_VENDOR = gnu
 # allow proper matching with the CPE database.
 GLIBC_CPE_ID_VERSION = $(word 1, $(subst -,$(space),$(GLIBC_VERSION)))
 
+# Fixed by glibc-2.41-57-g84bdbf8a6f2fdafd3661489dbb7f79835a52da82
+GLIBC_IGNORE_CVES += CVE-2025-5745
+
+# Fixed by glibc-2.41-60-g0c76c951620f9e12df2a89b2c684878b55bb6795
+GLIBC_IGNORE_CVES += CVE-2025-5702
+
+# Fixed by glibc-2.41-64-g1e16d0096d80a6e12d5bfa8e0aafdd13c47efd65
+GLIBC_IGNORE_CVES += CVE-2025-8058
+
 # All these CVEs are considered as not being security issues by
 # upstream glibc:
 #  https://security-tracker.debian.org/tracker/CVE-2010-4756
diff --git a/package/localedef/localedef.mk b/package/localedef/localedef.mk
index 7a6c94bd2f..c76a8d82a0 100644
--- a/package/localedef/localedef.mk
+++ b/package/localedef/localedef.mk
@@ -7,7 +7,7 @@
 # Use the same VERSION and SITE as target glibc
 # As in glibc.mk, generate version string using:
 #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
-LOCALEDEF_VERSION = 2.41-5-gcb7f20653724029be89224ed3a35d627cc5b4163
+LOCALEDEF_VERSION = 2.41-70-g1502c248d58cb99a203731707987a4342926e830
 LOCALEDEF_SOURCE = glibc-$(LOCALEDEF_VERSION).tar.gz
 LOCALEDEF_SITE = $(call github,bminor,glibc,$(LOCALEDEF_VERSION))
 HOST_LOCALEDEF_DL_SUBDIR = glibc
-- 
2.39.5

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH] package/glibc: security bump to version 2.41-70
  2025-08-05 11:06 [Buildroot] [PATCH] package/glibc: security bump to version 2.41-70 Peter Korsgaard
@ 2025-08-07 22:01 ` Julien Olivain via buildroot
  2025-08-08  7:06   ` Peter Korsgaard
  2025-08-14 20:32 ` Thomas Perale via buildroot
  1 sibling, 1 reply; 4+ messages in thread
From: Julien Olivain via buildroot @ 2025-08-07 22:01 UTC (permalink / raw)
  To: Peter Korsgaard; +Cc: buildroot, Romain Naour, Thomas Petazzoni

On 05/08/2025 13:06, Peter Korsgaard wrote:
> Fixes the following security issues:
> 
> - CVE-2025-5702: power10: strcmp fails to save and restore nonvolatile
>   vector registers
>   https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2025-0003
> 
> - CVE-2025-5745: power10: strncmp fails to save and restore nonvolatile
>   vector registers
>   https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2025-0004
> 
> - CVE-2025-8058: posix: Fix double-free after allocation failure in 
> regcomp
>   https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2025-0005
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Applied to master, thanks.

For info, I also added a note in the commit log that power10 is 
currently
not supported in Buildroot. See:
https://gitlab.com/buildroot.org/buildroot/-/commit/feaf53585a12d97802a67fd557ffc7340bbe6e13

Best regards,

Julien.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH] package/glibc: security bump to version 2.41-70
  2025-08-07 22:01 ` Julien Olivain via buildroot
@ 2025-08-08  7:06   ` Peter Korsgaard
  0 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2025-08-08  7:06 UTC (permalink / raw)
  To: Julien Olivain; +Cc: buildroot, Romain Naour, Thomas Petazzoni

>>>>> "Julien" == Julien Olivain <ju.o@free.fr> writes:

 > Applied to master, thanks.

 > For info, I also added a note in the commit log that power10 is
 > currently
 > not supported in Buildroot. See:
 > https://gitlab.com/buildroot.org/buildroot/-/commit/feaf53585a12d97802a67fd557ffc7340bbe6e13

Ahh yes, true - Thanks!

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH] package/glibc: security bump to version 2.41-70
  2025-08-05 11:06 [Buildroot] [PATCH] package/glibc: security bump to version 2.41-70 Peter Korsgaard
  2025-08-07 22:01 ` Julien Olivain via buildroot
@ 2025-08-14 20:32 ` Thomas Perale via buildroot
  1 sibling, 0 replies; 4+ messages in thread
From: Thomas Perale via buildroot @ 2025-08-14 20:32 UTC (permalink / raw)
  To: Peter Korsgaard; +Cc: Thomas Perale, buildroot

In reply of:
> Fixes the following security issues:
> 
> - CVE-2025-5702: power10: strcmp fails to save and restore nonvolatile
>   vector registers
>   https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2025-0003
> 
> - CVE-2025-5745: power10: strncmp fails to save and restore nonvolatile
>   vector registers
>   https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2025-0004
> 
> - CVE-2025-8058: posix: Fix double-free after allocation failure in regcomp
>   https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2025-0005
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Applied to 2025.02.x & 2025.05.x. Thanks

> ---
>  package/glibc/glibc.hash       |  2 +-
>  package/glibc/glibc.mk         | 11 ++++++++++-
>  package/localedef/localedef.mk |  2 +-
>  3 files changed, 12 insertions(+), 3 deletions(-)
> 
> diff --git a/package/glibc/glibc.hash b/package/glibc/glibc.hash
> index 61af3d9488..0deba84dc7 100644
> --- a/package/glibc/glibc.hash
> +++ b/package/glibc/glibc.hash
> @@ -1,5 +1,5 @@
>  # Locally calculated (fetched from Github)
> -sha256  ed2cd1f058f22f682e700c5be408975db62025a14863a5a6700ee93d5927504e  glibc-2.41-5-gcb7f20653724029be89224ed3a35d627cc5b4163.tar.gz
> +sha256  166b6e7637bb45cb9352e4813005f83dd48f03ef634d3e9e94a30aa5a0300fab  glibc-2.41-70-g1502c248d58cb99a203731707987a4342926e830.tar.gz
>  
>  # Hashes for license files
>  sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
> diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
> index 29617b9756..239e39a2ba 100644
> --- a/package/glibc/glibc.mk
> +++ b/package/glibc/glibc.mk
> @@ -7,7 +7,7 @@
>  # Generate version string using:
>  #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
>  # When updating the version, please also update localedef
> -GLIBC_VERSION = 2.41-5-gcb7f20653724029be89224ed3a35d627cc5b4163
> +GLIBC_VERSION = 2.41-70-g1502c248d58cb99a203731707987a4342926e830
>  
>  # Upstream doesn't officially provide an https download link.
>  # There is one (https://sourceware.org/git/glibc.git) but it's not reliable,
> @@ -25,6 +25,15 @@ GLIBC_CPE_ID_VENDOR = gnu
>  # allow proper matching with the CPE database.
>  GLIBC_CPE_ID_VERSION = $(word 1, $(subst -,$(space),$(GLIBC_VERSION)))
>  
> +# Fixed by glibc-2.41-57-g84bdbf8a6f2fdafd3661489dbb7f79835a52da82
> +GLIBC_IGNORE_CVES += CVE-2025-5745
> +
> +# Fixed by glibc-2.41-60-g0c76c951620f9e12df2a89b2c684878b55bb6795
> +GLIBC_IGNORE_CVES += CVE-2025-5702
> +
> +# Fixed by glibc-2.41-64-g1e16d0096d80a6e12d5bfa8e0aafdd13c47efd65
> +GLIBC_IGNORE_CVES += CVE-2025-8058
> +
>  # All these CVEs are considered as not being security issues by
>  # upstream glibc:
>  #  https://security-tracker.debian.org/tracker/CVE-2010-4756
> diff --git a/package/localedef/localedef.mk b/package/localedef/localedef.mk
> index 7a6c94bd2f..c76a8d82a0 100644
> --- a/package/localedef/localedef.mk
> +++ b/package/localedef/localedef.mk
> @@ -7,7 +7,7 @@
>  # Use the same VERSION and SITE as target glibc
>  # As in glibc.mk, generate version string using:
>  #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
> -LOCALEDEF_VERSION = 2.41-5-gcb7f20653724029be89224ed3a35d627cc5b4163
> +LOCALEDEF_VERSION = 2.41-70-g1502c248d58cb99a203731707987a4342926e830
>  LOCALEDEF_SOURCE = glibc-$(LOCALEDEF_VERSION).tar.gz
>  LOCALEDEF_SITE = $(call github,bminor,glibc,$(LOCALEDEF_VERSION))
>  HOST_LOCALEDEF_DL_SUBDIR = glibc
> -- 
> 2.39.5
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2025-08-14 20:32 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-08-05 11:06 [Buildroot] [PATCH] package/glibc: security bump to version 2.41-70 Peter Korsgaard
2025-08-07 22:01 ` Julien Olivain via buildroot
2025-08-08  7:06   ` Peter Korsgaard
2025-08-14 20:32 ` Thomas Perale via buildroot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox