* [Buildroot] [PATCH 1/2] package/glibc: drop ignores for 2.38 specific CVEs
@ 2024-06-16 12:43 Peter Korsgaard
2024-06-16 12:43 ` [Buildroot] [PATCH 2/2] package/glibc: security bump to 2.39-74 for post-2.39 security fixes Peter Korsgaard
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Peter Korsgaard @ 2024-06-16 12:43 UTC (permalink / raw)
To: buildroot; +Cc: Romain Naour
Commit b5680f53d60 (package/glibc: bump to 2.39) forgot to drop the ignores
for the 2.38 specific CVEs. Do that now.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/glibc/glibc.mk | 28 ----------------------------
1 file changed, 28 deletions(-)
diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index 96a850516f..8bc4cd4666 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -24,34 +24,6 @@ GLIBC_CPE_ID_VENDOR = gnu
# allow proper matching with the CPE database.
GLIBC_CPE_ID_VERSION = $(word 1, $(subst -,$(space),$(GLIBC_VERSION)))
-# Fixed by b25508dd774b617f99419bdc3cf2ace4560cd2d6, which is between
-# 2.38 and the version we're really using
-GLIBC_IGNORE_CVES += CVE-2023-4527
-
-# Fixed by 5ee59ca371b99984232d7584fe2b1a758b4421d3, which is between
-# 2.38 and the version we're really using
-GLIBC_IGNORE_CVES += CVE-2023-4806
-
-# Fixed by 750a45a783906a19591fb8ff6b7841470f1f5710, which is between
-# 2.38 and the version we're really using.
-GLIBC_IGNORE_CVES += CVE-2023-4911
-
-# Fixed by 5ee59ca371b99984232d7584fe2b1a758b4421d3, which is between
-# 2.38 and the version we're really using.
-GLIBC_IGNORE_CVES += CVE-2023-5156
-
-# Fixed by 23514c72b780f3da097ecf33a793b7ba9c2070d2, which is between
-# 2.38 and the version we're really using.
-GLIBC_IGNORE_CVES += CVE-2023-6246
-
-# Fixed by d0338312aace5bbfef85e03055e1212dd0e49578, which is between
-# 2.38 and the version we're really using.
-GLIBC_IGNORE_CVES += CVE-2023-6779
-
-# Fixed by d37c2b20a4787463d192b32041c3406c2bd91de0, which is between
-# 2.38 and the version we're really using.
-GLIBC_IGNORE_CVES += CVE-2023-6780
-
# All these CVEs are considered as not being security issues by
# upstream glibc:
# https://security-tracker.debian.org/tracker/CVE-2010-4756
--
2.39.2
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 6+ messages in thread* [Buildroot] [PATCH 2/2] package/glibc: security bump to 2.39-74 for post-2.39 security fixes
2024-06-16 12:43 [Buildroot] [PATCH 1/2] package/glibc: drop ignores for 2.38 specific CVEs Peter Korsgaard
@ 2024-06-16 12:43 ` Peter Korsgaard
2024-06-16 20:42 ` Yann E. MORIN
2024-07-05 19:28 ` Peter Korsgaard
2024-06-16 20:42 ` [Buildroot] [PATCH 1/2] package/glibc: drop ignores for 2.38 specific CVEs Yann E. MORIN
2024-07-05 19:28 ` Peter Korsgaard
2 siblings, 2 replies; 6+ messages in thread
From: Peter Korsgaard @ 2024-06-16 12:43 UTC (permalink / raw)
To: buildroot; +Cc: Romain Naour, Thomas Petazzoni
Fixes the following security issues:
GLIBC-SA-2024-0004:
ISO-2022-CN-EXT: fix out-of-bound writes when writing escape
sequence (CVE-2024-2961)
GLIBC-SA-2024-0005:
nscd: Stack-based buffer overflow in netgroup cache (CVE-2024-33599)
GLIBC-SA-2024-0006:
nscd: Null pointer crash after notfound response (CVE-2024-33600)
GLIBC-SA-2024-0007:
nscd: netgroup cache may terminate daemon on memory allocation
failure (CVE-2024-33601)
GLIBC-SA-2024-0008:
nscd: netgroup cache assumes NSS callback uses in-buffer strings
(CVE-2024-33602)
In addition, the following bugs are fixed:
[19622] network: Support aliasing with struct sockaddr
[30701] time: getutxent misbehaves on 32-bit x86 when _TIME_BITS=64
[30994] REP MOVSB performance suffers from page aliasing on Zen 4
[31339] libc: arm32 loader crash after cleanup in 2.36
[31325] mips: clone3 is wrong for o32
[31335] math: Compile glibc with -march=x86-64-v3 should disable FMA4
multi-arch version
[31402] libc: clone (NULL, NULL, ...) clobbers %r7 register on
s390{,x}
[31479] libc: Missing #include <sys/rseq.h> in sched_getcpu.c may
result in a loss of rseq acceleration
[31316] build: Fails test misc/tst-dirname "Didn't expect signal from
child: got `Illegal instruction'" on non SSE CPUs
[31371] x86-64: APX and Tile registers aren't preserved in ld.so
trampoline
[31372] dynamic-link: _dl_tlsdesc_dynamic doesn't preserve all caller-
saved registers
[31429] build: Glibc failed to build with -march=x86-64-v3
[31501] dynamic-link: _dl_tlsdesc_dynamic_xsavec may clobber %rbx
[31640] dynamic-link: POWER10 ld.so crashes in
elf_machine_load_address with GCC 14
[31676] Configuring with CC="gcc -march=x86-64-v3"
--with-rtld-early-cflags=-march=x86-64 results in linker failure
[31677] nscd: nscd: netgroup cache: invalid memcpy under low
memory/storage conditions
[31678] nscd: nscd: Null pointer dereferences after failed netgroup
cache insertion
[31679] nscd: nscd: netgroup cache may terminate daemon on memory
allocation failure
[31680] nscd: nscd: netgroup cache assumes NSS callback uses in-buffer
strings
[31686] dynamic-link: Stack-based buffer overflow in
parse_tunables_string
[31719] dynamic-link: --enable-hardcoded-path-in-tests doesn't work
with -Wl,--enable-new-dtags
[31782] Test build failure with recent GCC trunk
(x86/tst-cpu-features-supports.c:69:3: error: parameter to builtin
not valid: avx5124fmaps)
[31798] pidfd_getpid.c is miscompiled by GCC 6.4
[31867] build: "CPU ISA level is lower than required" on SSE2-free
CPUs
[31883] build: ISA level support configure check relies on bashism /
is otherwise broken for arithmetic
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/glibc/glibc.hash | 2 +-
package/glibc/glibc.mk | 14 +++++++++++++-
package/localedef/localedef.mk | 2 +-
3 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/package/glibc/glibc.hash b/package/glibc/glibc.hash
index 94b7819a30..aaf7848a7c 100644
--- a/package/glibc/glibc.hash
+++ b/package/glibc/glibc.hash
@@ -1,5 +1,5 @@
# Locally calculated (fetched from Github)
-sha256 2ba018b344e0e8330dcadd6130f4174f0fc2502b2e032210345e0e5a2f7ed12e glibc-2.39-5-ge0910f1d3278f05439fb434ee528fc9be1b6bd5e.tar.gz
+sha256 2858e8e47c4c0df32b526c56d5590ec939e8178201ee9526bb070999ce4aa1f2 glibc-2.39-74-g198632a05f6c7b9ab67d3331d8caace9ceabb685.tar.gz
# Hashes for license files
sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index 8bc4cd4666..db6fa55819 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -7,7 +7,7 @@
# Generate version string using:
# git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
# When updating the version, please also update localedef
-GLIBC_VERSION = 2.39-5-ge0910f1d3278f05439fb434ee528fc9be1b6bd5e
+GLIBC_VERSION = 2.39-74-g198632a05f6c7b9ab67d3331d8caace9ceabb685
# Upstream doesn't officially provide an https download link.
# There is one (https://sourceware.org/git/glibc.git) but it's not reliable,
# sometimes the connection times out. So use an unofficial github mirror.
@@ -24,6 +24,18 @@ GLIBC_CPE_ID_VENDOR = gnu
# allow proper matching with the CPE database.
GLIBC_CPE_ID_VERSION = $(word 1, $(subst -,$(space),$(GLIBC_VERSION)))
+# Fixed by glibc-2.39-31-g31da30f23cddd36db29d5b6a1c7619361b271fb4
+GLIBC_IGNORE_CVES += CVE-2024-2961
+
+# Fixed by glibc-2.39-35-g1263d583d2e28afb8be53f8d6922f0842036f35d
+GLIBC_IGNORE_CVES += CVE-2024-33599
+
+# Fixed by glibc-2.39-37-gc99f886de54446cd4447db6b44be93dabbdc2f8b
+GLIBC_IGNORE_CVES += CVE-2024-33600
+
+# Fixed by glibc-2.39-38-ga9a8d3eebb145779a18d90e3966009a1daa63cd
+GLIBC_IGNORE_CVES += CVE-2024-33601 CVE-2024-33602
+
# All these CVEs are considered as not being security issues by
# upstream glibc:
# https://security-tracker.debian.org/tracker/CVE-2010-4756
diff --git a/package/localedef/localedef.mk b/package/localedef/localedef.mk
index f304ba8021..6940900f8d 100644
--- a/package/localedef/localedef.mk
+++ b/package/localedef/localedef.mk
@@ -7,7 +7,7 @@
# Use the same VERSION and SITE as target glibc
# As in glibc.mk, generate version string using:
# git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
-LOCALEDEF_VERSION = 2.39-5-ge0910f1d3278f05439fb434ee528fc9be1b6bd5e
+LOCALEDEF_VERSION = 2.39-74-g198632a05f6c7b9ab67d3331d8caace9ceabb685
LOCALEDEF_SOURCE = glibc-$(LOCALEDEF_VERSION).tar.gz
LOCALEDEF_SITE = $(call github,bminor,glibc,$(LOCALEDEF_VERSION))
HOST_LOCALEDEF_DL_SUBDIR = glibc
--
2.39.2
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [Buildroot] [PATCH 2/2] package/glibc: security bump to 2.39-74 for post-2.39 security fixes
2024-06-16 12:43 ` [Buildroot] [PATCH 2/2] package/glibc: security bump to 2.39-74 for post-2.39 security fixes Peter Korsgaard
@ 2024-06-16 20:42 ` Yann E. MORIN
2024-07-05 19:28 ` Peter Korsgaard
1 sibling, 0 replies; 6+ messages in thread
From: Yann E. MORIN @ 2024-06-16 20:42 UTC (permalink / raw)
To: Peter Korsgaard; +Cc: Romain Naour, Thomas Petazzoni, buildroot
Peter, All,
On 2024-06-16 14:43 +0200, Peter Korsgaard spake thusly:
> Fixes the following security issues:
>
> GLIBC-SA-2024-0004:
> ISO-2022-CN-EXT: fix out-of-bound writes when writing escape
> sequence (CVE-2024-2961)
>
> GLIBC-SA-2024-0005:
> nscd: Stack-based buffer overflow in netgroup cache (CVE-2024-33599)
>
> GLIBC-SA-2024-0006:
> nscd: Null pointer crash after notfound response (CVE-2024-33600)
>
> GLIBC-SA-2024-0007:
> nscd: netgroup cache may terminate daemon on memory allocation
> failure (CVE-2024-33601)
>
> GLIBC-SA-2024-0008:
> nscd: netgroup cache assumes NSS callback uses in-buffer strings
> (CVE-2024-33602)
>
> In addition, the following bugs are fixed:
[--SNIP--]
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Buildroot] [PATCH 2/2] package/glibc: security bump to 2.39-74 for post-2.39 security fixes
2024-06-16 12:43 ` [Buildroot] [PATCH 2/2] package/glibc: security bump to 2.39-74 for post-2.39 security fixes Peter Korsgaard
2024-06-16 20:42 ` Yann E. MORIN
@ 2024-07-05 19:28 ` Peter Korsgaard
1 sibling, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2024-07-05 19:28 UTC (permalink / raw)
To: buildroot; +Cc: Romain Naour, Thomas Petazzoni
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issues:
> GLIBC-SA-2024-0004:
> ISO-2022-CN-EXT: fix out-of-bound writes when writing escape
> sequence (CVE-2024-2961)
> GLIBC-SA-2024-0005:
> nscd: Stack-based buffer overflow in netgroup cache (CVE-2024-33599)
> GLIBC-SA-2024-0006:
> nscd: Null pointer crash after notfound response (CVE-2024-33600)
> GLIBC-SA-2024-0007:
> nscd: netgroup cache may terminate daemon on memory allocation
> failure (CVE-2024-33601)
> GLIBC-SA-2024-0008:
> nscd: netgroup cache assumes NSS callback uses in-buffer strings
> (CVE-2024-33602)
> In addition, the following bugs are fixed:
> [19622] network: Support aliasing with struct sockaddr
> [30701] time: getutxent misbehaves on 32-bit x86 when _TIME_BITS=64
> [30994] REP MOVSB performance suffers from page aliasing on Zen 4
> [31339] libc: arm32 loader crash after cleanup in 2.36
> [31325] mips: clone3 is wrong for o32
> [31335] math: Compile glibc with -march=x86-64-v3 should disable FMA4
> multi-arch version
> [31402] libc: clone (NULL, NULL, ...) clobbers %r7 register on
> s390{,x}
> [31479] libc: Missing #include <sys/rseq.h> in sched_getcpu.c may
> result in a loss of rseq acceleration
> [31316] build: Fails test misc/tst-dirname "Didn't expect signal from
> child: got `Illegal instruction'" on non SSE CPUs
> [31371] x86-64: APX and Tile registers aren't preserved in ld.so
> trampoline
> [31372] dynamic-link: _dl_tlsdesc_dynamic doesn't preserve all caller-
> saved registers
> [31429] build: Glibc failed to build with -march=x86-64-v3
> [31501] dynamic-link: _dl_tlsdesc_dynamic_xsavec may clobber %rbx
> [31640] dynamic-link: POWER10 ld.so crashes in
> elf_machine_load_address with GCC 14
> [31676] Configuring with CC="gcc -march=x86-64-v3"
> --with-rtld-early-cflags=-march=x86-64 results in linker failure
> [31677] nscd: nscd: netgroup cache: invalid memcpy under low
> memory/storage conditions
> [31678] nscd: nscd: Null pointer dereferences after failed netgroup
> cache insertion
> [31679] nscd: nscd: netgroup cache may terminate daemon on memory
> allocation failure
> [31680] nscd: nscd: netgroup cache assumes NSS callback uses in-buffer
> strings
> [31686] dynamic-link: Stack-based buffer overflow in
> parse_tunables_string
> [31719] dynamic-link: --enable-hardcoded-path-in-tests doesn't work
> with -Wl,--enable-new-dtags
> [31782] Test build failure with recent GCC trunk
> (x86/tst-cpu-features-supports.c:69:3: error: parameter to builtin
> not valid: avx5124fmaps)
> [31798] pidfd_getpid.c is miscompiled by GCC 6.4
> [31867] build: "CPU ISA level is lower than required" on SSE2-free
> CPUs
> [31883] build: ISA level support configure check relies on bashism /
> is otherwise broken for arithmetic
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2024.05.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Buildroot] [PATCH 1/2] package/glibc: drop ignores for 2.38 specific CVEs
2024-06-16 12:43 [Buildroot] [PATCH 1/2] package/glibc: drop ignores for 2.38 specific CVEs Peter Korsgaard
2024-06-16 12:43 ` [Buildroot] [PATCH 2/2] package/glibc: security bump to 2.39-74 for post-2.39 security fixes Peter Korsgaard
@ 2024-06-16 20:42 ` Yann E. MORIN
2024-07-05 19:28 ` Peter Korsgaard
2 siblings, 0 replies; 6+ messages in thread
From: Yann E. MORIN @ 2024-06-16 20:42 UTC (permalink / raw)
To: Peter Korsgaard; +Cc: Romain Naour, buildroot
Peter, All,
On 2024-06-16 14:43 +0200, Peter Korsgaard spake thusly:
> Commit b5680f53d60 (package/glibc: bump to 2.39) forgot to drop the ignores
> for the 2.38 specific CVEs. Do that now.
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> package/glibc/glibc.mk | 28 ----------------------------
> 1 file changed, 28 deletions(-)
>
> diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
> index 96a850516f..8bc4cd4666 100644
> --- a/package/glibc/glibc.mk
> +++ b/package/glibc/glibc.mk
> @@ -24,34 +24,6 @@ GLIBC_CPE_ID_VENDOR = gnu
> # allow proper matching with the CPE database.
> GLIBC_CPE_ID_VERSION = $(word 1, $(subst -,$(space),$(GLIBC_VERSION)))
>
> -# Fixed by b25508dd774b617f99419bdc3cf2ace4560cd2d6, which is between
> -# 2.38 and the version we're really using
> -GLIBC_IGNORE_CVES += CVE-2023-4527
> -
> -# Fixed by 5ee59ca371b99984232d7584fe2b1a758b4421d3, which is between
> -# 2.38 and the version we're really using
> -GLIBC_IGNORE_CVES += CVE-2023-4806
> -
> -# Fixed by 750a45a783906a19591fb8ff6b7841470f1f5710, which is between
> -# 2.38 and the version we're really using.
> -GLIBC_IGNORE_CVES += CVE-2023-4911
> -
> -# Fixed by 5ee59ca371b99984232d7584fe2b1a758b4421d3, which is between
> -# 2.38 and the version we're really using.
> -GLIBC_IGNORE_CVES += CVE-2023-5156
> -
> -# Fixed by 23514c72b780f3da097ecf33a793b7ba9c2070d2, which is between
> -# 2.38 and the version we're really using.
> -GLIBC_IGNORE_CVES += CVE-2023-6246
> -
> -# Fixed by d0338312aace5bbfef85e03055e1212dd0e49578, which is between
> -# 2.38 and the version we're really using.
> -GLIBC_IGNORE_CVES += CVE-2023-6779
> -
> -# Fixed by d37c2b20a4787463d192b32041c3406c2bd91de0, which is between
> -# 2.38 and the version we're really using.
> -GLIBC_IGNORE_CVES += CVE-2023-6780
> -
> # All these CVEs are considered as not being security issues by
> # upstream glibc:
> # https://security-tracker.debian.org/tracker/CVE-2010-4756
> --
> 2.39.2
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Buildroot] [PATCH 1/2] package/glibc: drop ignores for 2.38 specific CVEs
2024-06-16 12:43 [Buildroot] [PATCH 1/2] package/glibc: drop ignores for 2.38 specific CVEs Peter Korsgaard
2024-06-16 12:43 ` [Buildroot] [PATCH 2/2] package/glibc: security bump to 2.39-74 for post-2.39 security fixes Peter Korsgaard
2024-06-16 20:42 ` [Buildroot] [PATCH 1/2] package/glibc: drop ignores for 2.38 specific CVEs Yann E. MORIN
@ 2024-07-05 19:28 ` Peter Korsgaard
2 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2024-07-05 19:28 UTC (permalink / raw)
To: buildroot; +Cc: Romain Naour
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Commit b5680f53d60 (package/glibc: bump to 2.39) forgot to drop the ignores
> for the 2.38 specific CVEs. Do that now.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2024.05.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2024-07-05 19:29 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-06-16 12:43 [Buildroot] [PATCH 1/2] package/glibc: drop ignores for 2.38 specific CVEs Peter Korsgaard
2024-06-16 12:43 ` [Buildroot] [PATCH 2/2] package/glibc: security bump to 2.39-74 for post-2.39 security fixes Peter Korsgaard
2024-06-16 20:42 ` Yann E. MORIN
2024-07-05 19:28 ` Peter Korsgaard
2024-06-16 20:42 ` [Buildroot] [PATCH 1/2] package/glibc: drop ignores for 2.38 specific CVEs Yann E. MORIN
2024-07-05 19:28 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox