Re: [OE-core] [PATCH] glibc: stable 2.43 branch updates

[Hemanth Kumar M D <Hemanth.KumarMD@windriver.com>]

[-- Attachment #1: Type: text/plain, Size: 5451 bytes --]

Hi Peter,

Thanks for the suggestion.

I had already checked the CVE reports, and these CVEs are not currently 
being reported there.

Ref:https://lists.openembedded.org/g/openembedded-core/message/234641?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3ACr… 
<https://lists.openembedded.org/g/openembedded-core/message/234641?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3ACreated%2C%2COE-core+CVE+metrics+for+master%2C20%2C2%2C0%2C118682687>

Would it still be preferred to add CVE_STATUS entries in such cases, or 
only when they appear in the reports?


On 08-04-2026 03:13 pm, Marko, Peter wrote:
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> Please set status for fixed CVEs via CVE_STATUS_STABLE_BACKPORTS, otherwise they will be still present in CVE reports.
> Peter
>
> -----Original Message-----
> From:openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Hemanth Kumar M D via lists.openembedded.org
> Sent: Wednesday, April 8, 2026 11:16 AM
> To:openembedded-core@lists.openembedded.org
> Cc:Sundeep.Kokkonda@windriver.com;Hemanth.KumarMD@windriver.com
> Subject: [OE-core] [PATCH] glibc: stable 2.43 branch updates
>
> From: Hemanth Kumar M D<Hemanth.KumarMD@windriver.com>
>
> $ git log --oneline 856c426a753450b8c6861a5b994a564f4fc16d4b..ce1013a197eb4a3b8ff2b07e0672f4d0b976ce7c
>
> ce1013a197 tests: fix tst-rseq with Linux 7.0
> 60cabd0464 riscv: Resolve calls to memcpy using memcpy-generic in early startup
> 02ffd413cf elf: Use dl-symbol-redir-ifunc.h instead _dl_strlen
> 2695314378 elf: parse /proc/self/maps as the last resort to find the gap for tst-link-map-contiguous-ldso
> dd9945c0ba resolv: Check hostname for validity (CVE-2026-4438)
> 5c6fca0c62 resolv: Count records correctly (CVE-2026-4437)
> 2be6cf2e75 posix: Run tst-wordexp-reuse-mem test
> 305ce0b588 aarch64: Tests for locking GCS
> 2ee41ba6ec aarch64: Lock GCS status at startup
> fa4a40c7d4 tests: aarch64: fix makefile dependencies for dlopen tests for BTI
> 9898ea58b5 malloc: Avoid accessing /sys/kernel/mm files
> c3ceb93dc4 Add BZ 33904 entry to NEWS
> 911bd469f8 debug: Fix build with --enable-fortify-source=1 (BZ 33904)
> 48f5a05a7a nss: Missing checks in __nss_configure_lookup, __nss_database_get (bug 28940)
> d6cb7ce0e9 Linux: In getlogin_r, use utmp fallback only for specific errors
> 140c760d71 nss: Introduce dedicated struct nss_database_for_fork type
>
> Testing Results:
> +--------------+--------+--------+------+
> | Result       | Before | After  | Diff |
> +--------------+--------+--------+------+
> | PASS         | 6770   | 6774   | +4   |
> | XPASS        | 4      | 4      |  0   |
> | FAIL         | 29     | 28     | -1   |
> | XFAIL        | 16     | 16     |  0   |
> | UNSUPPORTED  | 489    | 490    | +1   |
> +--------------+--------+--------+------+
>
> Changes in testcases:
> +------------------------------------------------------+--------+-------------+
> | Testcase                                             | Before | After       |
> +------------------------------------------------------+--------+-------------+
> | elf/tst-tls20                                        | FAIL   | PASS        |
> | posix/tst-wordexp-reuse-mem                          | N/A    | PASS        |
> | resolv/tst-resolv-invalid-ptr                        | N/A    | PASS        |
> | resolv/tst-resolv-dns-section                        | N/A    | PASS        |
> | nss/tst-nss-malloc-failure-getlogin_r                | N/A    | UNSUPPORTED |
> +------------------------------------------------------+--------+-------------+
>
> Justification:
>
> commit - 2be6cf2e75 posix: Run tst-wordexp-reuse-mem test
> Fixes Makefile dependency to ensure the testcase is executed.
> Passing new testcase:
> +PASS: posix/tst-wordexp-reuse-mem
>
> commit - dd9945c0ba resolv: Check hostname for validity (CVE-2026-4438)
> Adds validation for hostname parsing and introduces a regression test.
> Passing new testcase:
> +PASS: resolv/tst-resolv-invalid-ptr
>
> commit - 5c6fca0c62 resolv: Count records correctly (CVE-2026-4437)
> Fixes DNS answer section parsing and adds a regression test.
> Passing new testcase:
> +PASS: resolv/tst-resolv-dns-section
>
> commit - 48f5a05a7a nss: Missing checks in __nss_configure_lookup, __nss_database_get (bug 28940)
> Fixes null pointer dereference and improves NSS handling.
> Added testcase:
> UNSUPPORTED: nss/tst-nss-malloc-failure-getlogin_r
>
> Signed-off-by: Hemanth Kumar M D<Hemanth.KumarMD@windriver.com>
> ---
>   meta/recipes-core/glibc/glibc-version.inc | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
> index 89be8fcb88..015e7943c5 100644
> --- a/meta/recipes-core/glibc/glibc-version.inc
> +++ b/meta/recipes-core/glibc/glibc-version.inc
> @@ -1,6 +1,6 @@
>   SRCBRANCH ?= "release/2.43/master"
>   PV = "2.43+git"
> -SRCREV_glibc ?= "856c426a753450b8c6861a5b994a564f4fc16d4b"
> +SRCREV_glibc ?= "ce1013a197eb4a3b8ff2b07e0672f4d0b976ce7c"
>   SRCREV_localedef ?= "cba02c503d7c853a38ccfb83c57e343ca5ecd7e5"
>
>   GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git;protocol=https"
> --
> 2.49.0
>
-- 
Regards,
Hemanth Kumar M D

[-- Attachment #2: Type: text/html, Size: 7155 bytes --]