* [Buildroot] [PATCH] package/glibc: security bump to version 2.41-70
@ 2025-08-05 11:06 Peter Korsgaard
From: Peter Korsgaard @ 2025-08-05 11:06 UTC (permalink / raw)
To: buildroot; +Cc: Romain Naour, Thomas Petazzoni
Fixes the following security issues:
- CVE-2025-5702: power10: strcmp fails to save and restore nonvolatile
vector registers
https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2025-0003
- CVE-2025-5745: power10: strncmp fails to save and restore nonvolatile
vector registers
https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2025-0004
- CVE-2025-8058: posix: Fix double-free after allocation failure in regcomp
https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2025-0005
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/glibc/glibc.hash | 2 +-
package/glibc/glibc.mk | 11 ++++++++++-
package/localedef/localedef.mk | 2 +-
3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/package/glibc/glibc.hash b/package/glibc/glibc.hash
index 61af3d9488..0deba84dc7 100644
--- a/package/glibc/glibc.hash
+++ b/package/glibc/glibc.hash
@@ -1,5 +1,5 @@
# Locally calculated (fetched from Github)
-sha256 ed2cd1f058f22f682e700c5be408975db62025a14863a5a6700ee93d5927504e glibc-2.41-5-gcb7f20653724029be89224ed3a35d627cc5b4163.tar.gz
+sha256 166b6e7637bb45cb9352e4813005f83dd48f03ef634d3e9e94a30aa5a0300fab glibc-2.41-70-g1502c248d58cb99a203731707987a4342926e830.tar.gz
# Hashes for license files
sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
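Review bot: the checksum on the `+sha256 166b6e7637bb...` line is, per the `# Locally calculated (fetched from Github)` header, computed from a GitHub-generated tarball of a non-tagged snapshot (`glibc-2.41-70-g1502c248...`), so there is no upstream-published value to cross-check it against and it is the only integrity control on the fetched source. The commit message should say how the value was produced (a fresh fetch through the same `github` download helper and `sha256sum` over the result) so a second reviewer can reproduce it independently rather than trust the one-line edit.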
diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index 29617b9756..239e39a2ba 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -7,7 +7,7 @@
# Generate version string using:
# git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
# When updating the version, please also update localedef
-GLIBC_VERSION = 2.41-5-gcb7f20653724029be89224ed3a35d627cc5b4163
+GLIBC_VERSION = 2.41-70-g1502c248d58cb99a203731707987a4342926e830
# Upstream doesn't officially provide an https download link.
# There is one (https://sourceware.org/git/glibc.git) but it's not reliable,
@@ -25,6 +25,15 @@ GLIBC_CPE_ID_VENDOR = gnu
# allow proper matching with the CPE database.
GLIBC_CPE_ID_VERSION = $(word 1, $(subst -,$(space),$(GLIBC_VERSION)))
+# Fixed by glibc-2.41-57-g84bdbf8a6f2fdafd3661489dbb7f79835a52da82
+GLIBC_IGNORE_CVES += CVE-2025-5745
+
+# Fixed by glibc-2.41-60-g0c76c951620f9e12df2a89b2c684878b55bb6795
+GLIBC_IGNORE_CVES += CVE-2025-5702
+
+# Fixed by glibc-2.41-64-g1e16d0096d80a6e12d5bfa8e0aafdd13c47efd65
+GLIBC_IGNORE_CVES += CVE-2025-8058
+
# All these CVEs are considered as not being security issues by
# upstream glibc:
# https://security-tracker.debian.org/tracker/CVE-2010-4756
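Review bot: the three `GLIBC_IGNORE_CVES +=` entries are required because `GLIBC_CPE_ID_VERSION` keeps only the first dash-separated word of `GLIBC_VERSION` (`2.41`), so CVE matching cannot see that the -70 snapshot already carries the fixes; each `# Fixed by` comment cites a release-branch commit (-57, -60, -64) that precedes the -70 being bumped to, which is what makes the ignore justified. Two small suggestions: either order the entries as in the commit message (CVE-2025-5702 before CVE-2025-5745) or keep the present by-fixing-commit order and say so, and add the matching `GLIBC-SA-2025-000x` advisory URL from the commit message next to each `# Fixed by` line so the justification can be checked without walking the git log.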
diff --git a/package/localedef/localedef.mk b/package/localedef/localedef.mk
index 7a6c94bd2f..c76a8d82a0 100644
--- a/package/localedef/localedef.mk
+++ b/package/localedef/localedef.mk
@@ -7,7 +7,7 @@
# Use the same VERSION and SITE as target glibc
# As in glibc.mk, generate version string using:
# git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
-LOCALEDEF_VERSION = 2.41-5-gcb7f20653724029be89224ed3a35d627cc5b4163
+LOCALEDEF_VERSION = 2.41-70-g1502c248d58cb99a203731707987a4342926e830
LOCALEDEF_SOURCE = glibc-$(LOCALEDEF_VERSION).tar.gz
LOCALEDEF_SITE = $(call github,bminor,glibc,$(LOCALEDEF_VERSION))
HOST_LOCALEDEF_DL_SUBDIR = glibc
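Review bot: `LOCALEDEF_VERSION` on the `+` line is a hand-maintained copy of `GLIBC_VERSION`, as the `# Use the same VERSION and SITE as target glibc` comment says, so review must compare the two 40-character commit ids character by character (they match here: `2.41-70-g1502c248d58cb99a203731707987a4342926e830` in both files); a mismatch would silently build the host localedef from a different snapshot than the target glibc. Consider a follow-up that derives the value from glibc.mk instead of duplicating it, so future security bumps cannot drift.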
--
2.39.5
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH] package/glibc: security bump to version 2.41-70
@ 2025-08-07 22:01 ` Julien Olivain via buildroot
From: Julien Olivain via buildroot @ 2025-08-07 22:01 UTC (permalink / raw)
To: Peter Korsgaard; +Cc: buildroot, Romain Naour, Thomas Petazzoni
On 05/08/2025 13:06, Peter Korsgaard wrote:
> Fixes the following security issues:
>
> - CVE-2025-5702: power10: strcmp fails to save and restore nonvolatile
> vector registers
> https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2025-0003
>
> - CVE-2025-5745: power10: strncmp fails to save and restore nonvolatile
> vector registers
> https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2025-0004
>
> - CVE-2025-8058: posix: Fix double-free after allocation failure in
> regcomp
> https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2025-0005
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to master, thanks.
For info, I also added a note in the commit log that power10 is currently
not supported in Buildroot. See:
https://gitlab.com/buildroot.org/buildroot/-/commit/feaf53585a12d97802a67fd557ffc7340bbe6e13
Best regards,
Julien.
* Re: [Buildroot] [PATCH] package/glibc: security bump to version 2.41-70
@ 2025-08-14 20:32 ` Thomas Perale via buildroot
From: Thomas Perale via buildroot @ 2025-08-14 20:32 UTC (permalink / raw)
To: Peter Korsgaard; +Cc: Thomas Perale, buildroot
In reply to:
> Fixes the following security issues:
>
> - CVE-2025-5702: power10: strcmp fails to save and restore nonvolatile
> vector registers
> https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2025-0003
>
> - CVE-2025-5745: power10: strncmp fails to save and restore nonvolatile
> vector registers
> https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2025-0004
>
> - CVE-2025-8058: posix: Fix double-free after allocation failure in regcomp
> https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2025-0005
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to 2025.02.x & 2025.05.x. Thanks.
> ---
> package/glibc/glibc.hash | 2 +-
> package/glibc/glibc.mk | 11 ++++++++++-
> package/localedef/localedef.mk | 2 +-
> 3 files changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/package/glibc/glibc.hash b/package/glibc/glibc.hash
> index 61af3d9488..0deba84dc7 100644
> --- a/package/glibc/glibc.hash
> +++ b/package/glibc/glibc.hash
> @@ -1,5 +1,5 @@
> # Locally calculated (fetched from Github)
> -sha256 ed2cd1f058f22f682e700c5be408975db62025a14863a5a6700ee93d5927504e glibc-2.41-5-gcb7f20653724029be89224ed3a35d627cc5b4163.tar.gz
> +sha256 166b6e7637bb45cb9352e4813005f83dd48f03ef634d3e9e94a30aa5a0300fab glibc-2.41-70-g1502c248d58cb99a203731707987a4342926e830.tar.gz
>
> # Hashes for license files
> sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
> diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
> index 29617b9756..239e39a2ba 100644
> --- a/package/glibc/glibc.mk
> +++ b/package/glibc/glibc.mk
> @@ -7,7 +7,7 @@
> # Generate version string using:
> # git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
> # When updating the version, please also update localedef
> -GLIBC_VERSION = 2.41-5-gcb7f20653724029be89224ed3a35d627cc5b4163
> +GLIBC_VERSION = 2.41-70-g1502c248d58cb99a203731707987a4342926e830
>
> # Upstream doesn't officially provide an https download link.
> # There is one (https://sourceware.org/git/glibc.git) but it's not reliable,
> @@ -25,6 +25,15 @@ GLIBC_CPE_ID_VENDOR = gnu
> # allow proper matching with the CPE database.
> GLIBC_CPE_ID_VERSION = $(word 1, $(subst -,$(space),$(GLIBC_VERSION)))
>
> +# Fixed by glibc-2.41-57-g84bdbf8a6f2fdafd3661489dbb7f79835a52da82
> +GLIBC_IGNORE_CVES += CVE-2025-5745
> +
> +# Fixed by glibc-2.41-60-g0c76c951620f9e12df2a89b2c684878b55bb6795
> +GLIBC_IGNORE_CVES += CVE-2025-5702
> +
> +# Fixed by glibc-2.41-64-g1e16d0096d80a6e12d5bfa8e0aafdd13c47efd65
> +GLIBC_IGNORE_CVES += CVE-2025-8058
> +
> # All these CVEs are considered as not being security issues by
> # upstream glibc:
> # https://security-tracker.debian.org/tracker/CVE-2010-4756
> diff --git a/package/localedef/localedef.mk b/package/localedef/localedef.mk
> index 7a6c94bd2f..c76a8d82a0 100644
> --- a/package/localedef/localedef.mk
> +++ b/package/localedef/localedef.mk
> @@ -7,7 +7,7 @@
> # Use the same VERSION and SITE as target glibc
> # As in glibc.mk, generate version string using:
> # git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
> -LOCALEDEF_VERSION = 2.41-5-gcb7f20653724029be89224ed3a35d627cc5b4163
> +LOCALEDEF_VERSION = 2.41-70-g1502c248d58cb99a203731707987a4342926e830
> LOCALEDEF_SOURCE = glibc-$(LOCALEDEF_VERSION).tar.gz
> LOCALEDEF_SITE = $(call github,bminor,glibc,$(LOCALEDEF_VERSION))
> HOST_LOCALEDEF_DL_SUBDIR = glibc
> --
> 2.39.5
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot