[Buildroot] [PATCH 1/2] package/glibc: drop ignores for 2.38 specific CVEs

[Buildroot] [PATCH 1/2] package/glibc: drop ignores for 2.38 specific CVEs

[Peter Korsgaard]

Commit b5680f53d60 (package/glibc: bump to 2.39) forgot to drop the ignores
for the 2.38 specific CVEs.  Do that now.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/glibc/glibc.mk | 28 ----------------------------
 1 file changed, 28 deletions(-)

diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index 96a850516f..8bc4cd4666 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -24,34 +24,6 @@ GLIBC_CPE_ID_VENDOR = gnu
 # allow proper matching with the CPE database.
 GLIBC_CPE_ID_VERSION = $(word 1, $(subst -,$(space),$(GLIBC_VERSION)))
 
-# Fixed by b25508dd774b617f99419bdc3cf2ace4560cd2d6, which is between
-# 2.38 and the version we're really using
-GLIBC_IGNORE_CVES += CVE-2023-4527
-
-# Fixed by 5ee59ca371b99984232d7584fe2b1a758b4421d3, which is between
-# 2.38 and the version we're really using
-GLIBC_IGNORE_CVES += CVE-2023-4806
-
-# Fixed by 750a45a783906a19591fb8ff6b7841470f1f5710, which is between
-# 2.38 and the version we're really using.
-GLIBC_IGNORE_CVES += CVE-2023-4911
-
-# Fixed by 5ee59ca371b99984232d7584fe2b1a758b4421d3, which is between
-# 2.38 and the version we're really using.
-GLIBC_IGNORE_CVES += CVE-2023-5156
-
-# Fixed by 23514c72b780f3da097ecf33a793b7ba9c2070d2, which is between
-# 2.38 and the version we're really using.
-GLIBC_IGNORE_CVES += CVE-2023-6246
-
-# Fixed by d0338312aace5bbfef85e03055e1212dd0e49578, which is between
-# 2.38 and the version we're really using.
-GLIBC_IGNORE_CVES += CVE-2023-6779
-
-# Fixed by d37c2b20a4787463d192b32041c3406c2bd91de0, which is between
-# 2.38 and the version we're really using.
-GLIBC_IGNORE_CVES += CVE-2023-6780
-
 # All these CVEs are considered as not being security issues by
 # upstream glibc:
 #  https://security-tracker.debian.org/tracker/CVE-2010-4756
-- 
2.39.2

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 2/2] package/glibc: security bump to 2.39-74 for post-2.39 security fixes

[Peter Korsgaard]

Fixes the following security issues:

  GLIBC-SA-2024-0004:
    ISO-2022-CN-EXT: fix out-of-bound writes when writing escape
    sequence (CVE-2024-2961)

  GLIBC-SA-2024-0005:
    nscd: Stack-based buffer overflow in netgroup cache (CVE-2024-33599)

  GLIBC-SA-2024-0006:
    nscd: Null pointer crash after notfound response (CVE-2024-33600)

  GLIBC-SA-2024-0007:
    nscd: netgroup cache may terminate daemon on memory allocation
    failure (CVE-2024-33601)

  GLIBC-SA-2024-0008:
    nscd: netgroup cache assumes NSS callback uses in-buffer strings
    (CVE-2024-33602)

In addition, the following bugs are fixed:

  [19622] network: Support aliasing with struct sockaddr
  [30701] time: getutxent misbehaves on 32-bit x86 when _TIME_BITS=64
  [30994] REP MOVSB performance suffers from page aliasing on Zen 4
  [31339] libc: arm32 loader crash after cleanup in 2.36
  [31325] mips: clone3 is wrong for o32
  [31335] math: Compile glibc with -march=x86-64-v3 should disable FMA4
    multi-arch version
  [31402] libc: clone (NULL, NULL, ...) clobbers %r7 register on
    s390{,x}
  [31479] libc: Missing #include <sys/rseq.h> in sched_getcpu.c may
    result in a loss of rseq acceleration
  [31316] build: Fails test misc/tst-dirname "Didn't expect signal from
    child: got `Illegal instruction'" on non SSE CPUs
  [31371] x86-64: APX and Tile registers aren't preserved in ld.so
    trampoline
  [31372] dynamic-link: _dl_tlsdesc_dynamic doesn't preserve all caller-
    saved registers
  [31429] build: Glibc failed to build with -march=x86-64-v3
  [31501] dynamic-link: _dl_tlsdesc_dynamic_xsavec may clobber %rbx
  [31640] dynamic-link: POWER10 ld.so crashes in
    elf_machine_load_address with GCC 14
  [31676] Configuring with CC="gcc -march=x86-64-v3"
    --with-rtld-early-cflags=-march=x86-64 results in linker failure
  [31677] nscd: nscd: netgroup cache: invalid memcpy under low
    memory/storage conditions
  [31678] nscd: nscd: Null pointer dereferences after failed netgroup
    cache insertion
  [31679] nscd: nscd: netgroup cache may terminate daemon on memory
    allocation failure
  [31680] nscd: nscd: netgroup cache assumes NSS callback uses in-buffer
    strings
  [31686] dynamic-link: Stack-based buffer overflow in
    parse_tunables_string
  [31719] dynamic-link: --enable-hardcoded-path-in-tests doesn't work
    with -Wl,--enable-new-dtags
  [31782] Test build failure with recent GCC trunk
    (x86/tst-cpu-features-supports.c:69:3: error: parameter to builtin
    not valid: avx5124fmaps)
  [31798] pidfd_getpid.c is miscompiled by GCC 6.4
  [31867] build: "CPU ISA level is lower than required" on SSE2-free
    CPUs
  [31883] build: ISA level support configure check relies on bashism /
    is otherwise broken for arithmetic

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/glibc/glibc.hash       |  2 +-
 package/glibc/glibc.mk         | 14 +++++++++++++-
 package/localedef/localedef.mk |  2 +-
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/package/glibc/glibc.hash b/package/glibc/glibc.hash
index 94b7819a30..aaf7848a7c 100644
--- a/package/glibc/glibc.hash
+++ b/package/glibc/glibc.hash
@@ -1,5 +1,5 @@
 # Locally calculated (fetched from Github)
-sha256  2ba018b344e0e8330dcadd6130f4174f0fc2502b2e032210345e0e5a2f7ed12e  glibc-2.39-5-ge0910f1d3278f05439fb434ee528fc9be1b6bd5e.tar.gz
+sha256  2858e8e47c4c0df32b526c56d5590ec939e8178201ee9526bb070999ce4aa1f2  glibc-2.39-74-g198632a05f6c7b9ab67d3331d8caace9ceabb685.tar.gz
 
 # Hashes for license files
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index 8bc4cd4666..db6fa55819 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -7,7 +7,7 @@
 # Generate version string using:
 #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
 # When updating the version, please also update localedef
-GLIBC_VERSION = 2.39-5-ge0910f1d3278f05439fb434ee528fc9be1b6bd5e
+GLIBC_VERSION = 2.39-74-g198632a05f6c7b9ab67d3331d8caace9ceabb685
 # Upstream doesn't officially provide an https download link.
 # There is one (https://sourceware.org/git/glibc.git) but it's not reliable,
 # sometimes the connection times out. So use an unofficial github mirror.
@@ -24,6 +24,18 @@ GLIBC_CPE_ID_VENDOR = gnu
 # allow proper matching with the CPE database.
 GLIBC_CPE_ID_VERSION = $(word 1, $(subst -,$(space),$(GLIBC_VERSION)))
 
+# Fixed by glibc-2.39-31-g31da30f23cddd36db29d5b6a1c7619361b271fb4
+GLIBC_IGNORE_CVES += CVE-2024-2961
+
+# Fixed by glibc-2.39-35-g1263d583d2e28afb8be53f8d6922f0842036f35d
+GLIBC_IGNORE_CVES += CVE-2024-33599
+
+# Fixed by glibc-2.39-37-gc99f886de54446cd4447db6b44be93dabbdc2f8b
+GLIBC_IGNORE_CVES += CVE-2024-33600
+
+# Fixed by glibc-2.39-38-ga9a8d3eebb145779a18d90e3966009a1daa63cd
+GLIBC_IGNORE_CVES += CVE-2024-33601 CVE-2024-33602
+
 # All these CVEs are considered as not being security issues by
 # upstream glibc:
 #  https://security-tracker.debian.org/tracker/CVE-2010-4756
diff --git a/package/localedef/localedef.mk b/package/localedef/localedef.mk
index f304ba8021..6940900f8d 100644
--- a/package/localedef/localedef.mk
+++ b/package/localedef/localedef.mk
@@ -7,7 +7,7 @@
 # Use the same VERSION and SITE as target glibc
 # As in glibc.mk, generate version string using:
 #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
-LOCALEDEF_VERSION = 2.39-5-ge0910f1d3278f05439fb434ee528fc9be1b6bd5e
+LOCALEDEF_VERSION = 2.39-74-g198632a05f6c7b9ab67d3331d8caace9ceabb685
 LOCALEDEF_SOURCE = glibc-$(LOCALEDEF_VERSION).tar.gz
 LOCALEDEF_SITE = $(call github,bminor,glibc,$(LOCALEDEF_VERSION))
 HOST_LOCALEDEF_DL_SUBDIR = glibc
-- 
2.39.2

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/2] package/glibc: drop ignores for 2.38 specific CVEs

[Yann E. MORIN]

Peter, All,

On 2024-06-16 14:43 +0200, Peter Korsgaard spake thusly:
> Commit b5680f53d60 (package/glibc: bump to 2.39) forgot to drop the ignores
> for the 2.38 specific CVEs.  Do that now.
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/glibc/glibc.mk | 28 ----------------------------
>  1 file changed, 28 deletions(-)
> 
> diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
> index 96a850516f..8bc4cd4666 100644
> --- a/package/glibc/glibc.mk
> +++ b/package/glibc/glibc.mk
> @@ -24,34 +24,6 @@ GLIBC_CPE_ID_VENDOR = gnu
>  # allow proper matching with the CPE database.
>  GLIBC_CPE_ID_VERSION = $(word 1, $(subst -,$(space),$(GLIBC_VERSION)))
>  
> -# Fixed by b25508dd774b617f99419bdc3cf2ace4560cd2d6, which is between
> -# 2.38 and the version we're really using
> -GLIBC_IGNORE_CVES += CVE-2023-4527
> -
> -# Fixed by 5ee59ca371b99984232d7584fe2b1a758b4421d3, which is between
> -# 2.38 and the version we're really using
> -GLIBC_IGNORE_CVES += CVE-2023-4806
> -
> -# Fixed by 750a45a783906a19591fb8ff6b7841470f1f5710, which is between
> -# 2.38 and the version we're really using.
> -GLIBC_IGNORE_CVES += CVE-2023-4911
> -
> -# Fixed by 5ee59ca371b99984232d7584fe2b1a758b4421d3, which is between
> -# 2.38 and the version we're really using.
> -GLIBC_IGNORE_CVES += CVE-2023-5156
> -
> -# Fixed by 23514c72b780f3da097ecf33a793b7ba9c2070d2, which is between
> -# 2.38 and the version we're really using.
> -GLIBC_IGNORE_CVES += CVE-2023-6246
> -
> -# Fixed by d0338312aace5bbfef85e03055e1212dd0e49578, which is between
> -# 2.38 and the version we're really using.
> -GLIBC_IGNORE_CVES += CVE-2023-6779
> -
> -# Fixed by d37c2b20a4787463d192b32041c3406c2bd91de0, which is between
> -# 2.38 and the version we're really using.
> -GLIBC_IGNORE_CVES += CVE-2023-6780
> -
>  # All these CVEs are considered as not being security issues by
>  # upstream glibc:
>  #  https://security-tracker.debian.org/tracker/CVE-2010-4756
> -- 
> 2.39.2
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 2/2] package/glibc: security bump to 2.39-74 for post-2.39 security fixes

[Yann E. MORIN]

Peter, All,

On 2024-06-16 14:43 +0200, Peter Korsgaard spake thusly:
> Fixes the following security issues:
> 
>   GLIBC-SA-2024-0004:
>     ISO-2022-CN-EXT: fix out-of-bound writes when writing escape
>     sequence (CVE-2024-2961)
> 
>   GLIBC-SA-2024-0005:
>     nscd: Stack-based buffer overflow in netgroup cache (CVE-2024-33599)
> 
>   GLIBC-SA-2024-0006:
>     nscd: Null pointer crash after notfound response (CVE-2024-33600)
> 
>   GLIBC-SA-2024-0007:
>     nscd: netgroup cache may terminate daemon on memory allocation
>     failure (CVE-2024-33601)
> 
>   GLIBC-SA-2024-0008:
>     nscd: netgroup cache assumes NSS callback uses in-buffer strings
>     (CVE-2024-33602)
> 
> In addition, the following bugs are fixed:
[--SNIP--]
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/2] package/glibc: drop ignores for 2.38 specific CVEs

[Peter Korsgaard]

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Commit b5680f53d60 (package/glibc: bump to 2.39) forgot to drop the ignores
 > for the 2.38 specific CVEs.  Do that now.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2024.05.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 2/2] package/glibc: security bump to 2.39-74 for post-2.39 security fixes

[Peter Korsgaard]

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issues:
 >   GLIBC-SA-2024-0004:
 >     ISO-2022-CN-EXT: fix out-of-bound writes when writing escape
 >     sequence (CVE-2024-2961)

 >   GLIBC-SA-2024-0005:
 >     nscd: Stack-based buffer overflow in netgroup cache (CVE-2024-33599)

 >   GLIBC-SA-2024-0006:
 >     nscd: Null pointer crash after notfound response (CVE-2024-33600)

 >   GLIBC-SA-2024-0007:
 >     nscd: netgroup cache may terminate daemon on memory allocation
 >     failure (CVE-2024-33601)

 >   GLIBC-SA-2024-0008:
 >     nscd: netgroup cache assumes NSS callback uses in-buffer strings
 >     (CVE-2024-33602)

 > In addition, the following bugs are fixed:

 >   [19622] network: Support aliasing with struct sockaddr
 >   [30701] time: getutxent misbehaves on 32-bit x86 when _TIME_BITS=64
 >   [30994] REP MOVSB performance suffers from page aliasing on Zen 4
 >   [31339] libc: arm32 loader crash after cleanup in 2.36
 >   [31325] mips: clone3 is wrong for o32
 >   [31335] math: Compile glibc with -march=x86-64-v3 should disable FMA4
 >     multi-arch version
 >   [31402] libc: clone (NULL, NULL, ...) clobbers %r7 register on
 >     s390{,x}
 >   [31479] libc: Missing #include <sys/rseq.h> in sched_getcpu.c may
 >     result in a loss of rseq acceleration
 >   [31316] build: Fails test misc/tst-dirname "Didn't expect signal from
 >     child: got `Illegal instruction'" on non SSE CPUs
 >   [31371] x86-64: APX and Tile registers aren't preserved in ld.so
 >     trampoline
 >   [31372] dynamic-link: _dl_tlsdesc_dynamic doesn't preserve all caller-
 >     saved registers
 >   [31429] build: Glibc failed to build with -march=x86-64-v3
 >   [31501] dynamic-link: _dl_tlsdesc_dynamic_xsavec may clobber %rbx
 >   [31640] dynamic-link: POWER10 ld.so crashes in
 >     elf_machine_load_address with GCC 14
 >   [31676] Configuring with CC="gcc -march=x86-64-v3"
 >     --with-rtld-early-cflags=-march=x86-64 results in linker failure
 >   [31677] nscd: nscd: netgroup cache: invalid memcpy under low
 >     memory/storage conditions
 >   [31678] nscd: nscd: Null pointer dereferences after failed netgroup
 >     cache insertion
 >   [31679] nscd: nscd: netgroup cache may terminate daemon on memory
 >     allocation failure
 >   [31680] nscd: nscd: netgroup cache assumes NSS callback uses in-buffer
 >     strings
 >   [31686] dynamic-link: Stack-based buffer overflow in
 >     parse_tunables_string
 >   [31719] dynamic-link: --enable-hardcoded-path-in-tests doesn't work
 >     with -Wl,--enable-new-dtags
 >   [31782] Test build failure with recent GCC trunk
 >     (x86/tst-cpu-features-supports.c:69:3: error: parameter to builtin
 >     not valid: avx5124fmaps)
 >   [31798] pidfd_getpid.c is miscompiled by GCC 6.4
 >   [31867] build: "CPU ISA level is lower than required" on SSE2-free
 >     CPUs
 >   [31883] build: ISA level support configure check relies on bashism /
 >     is otherwise broken for arithmetic

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2024.05.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot