-
Notifications
You must be signed in to change notification settings - Fork 34
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
packages: update glibc to latest 2.38 patches
- Loading branch information
Showing
38 changed files
with
4,670 additions
and
0 deletions.
There are no files selected for viewing
25 changes: 25 additions & 0 deletions
25
packages/glibc/0071-i386-ulp-update-for-SSE2-disable-multi-arch-configur.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| From 29e20bd1222cb69dcc6827e899ce7181090052dc Mon Sep 17 00:00:00 2001 | ||
| From: Florian Weimer <fweimer@redhat.com> | ||
| Date: Thu, 25 Apr 2024 12:56:48 +0200 | ||
| Subject: [PATCH] i386: ulp update for SSE2 --disable-multi-arch configurations | ||
|
|
||
| (cherry picked from commit 3a3a4497421422aa854c855cbe5110ca7d598ffc) | ||
| --- | ||
| sysdeps/i386/fpu/libm-test-ulps | 1 + | ||
| 1 file changed, 1 insertion(+) | ||
|
|
||
| diff --git a/sysdeps/i386/fpu/libm-test-ulps b/sysdeps/i386/fpu/libm-test-ulps | ||
| index 84e6686eba..f2139fc172 100644 | ||
| --- a/sysdeps/i386/fpu/libm-test-ulps | ||
| +++ b/sysdeps/i386/fpu/libm-test-ulps | ||
| @@ -1232,6 +1232,7 @@ ldouble: 6 | ||
|
|
||
| Function: "hypot": | ||
| double: 1 | ||
| +float: 1 | ||
| float128: 1 | ||
| ldouble: 1 | ||
|
|
||
| -- | ||
| 2.45.0 | ||
|
|
38 changes: 38 additions & 0 deletions
38
packages/glibc/0072-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| From 5968aebb86164034b8f8421b4abab2f837a5bdaf Mon Sep 17 00:00:00 2001 | ||
| From: Florian Weimer <fweimer@redhat.com> | ||
| Date: Thu, 25 Apr 2024 15:00:45 +0200 | ||
| Subject: [PATCH] CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup | ||
| cache (bug 31677) | ||
|
|
||
| Using alloca matches what other caches do. The request length is | ||
| bounded by MAXKEYLEN. | ||
|
|
||
| Reviewed-by: Carlos O'Donell <carlos@redhat.com> | ||
| (cherry picked from commit 87801a8fd06db1d654eea3e4f7626ff476a9bdaa) | ||
| --- | ||
| nscd/netgroupcache.c | 5 +++-- | ||
| 1 file changed, 3 insertions(+), 2 deletions(-) | ||
|
|
||
| diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c | ||
| index 06b7d7b6ca..31b721bbee 100644 | ||
| --- a/nscd/netgroupcache.c | ||
| +++ b/nscd/netgroupcache.c | ||
| @@ -502,12 +502,13 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, | ||
| = (struct indataset *) mempool_alloc (db, | ||
| sizeof (*dataset) + req->key_len, | ||
| 1); | ||
| - struct indataset dataset_mem; | ||
| bool cacheable = true; | ||
| if (__glibc_unlikely (dataset == NULL)) | ||
| { | ||
| cacheable = false; | ||
| - dataset = &dataset_mem; | ||
| + /* The alloca is safe because nscd_run_worker verfies that | ||
| + key_len is not larger than MAXKEYLEN. */ | ||
| + dataset = alloca (sizeof (*dataset) + req->key_len); | ||
| } | ||
|
|
||
| datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len, | ||
| -- | ||
| 2.45.0 | ||
|
|
59 changes: 59 additions & 0 deletions
59
packages/glibc/0073-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| From 541ea5172aa658c4bd5c6c6d6fd13903c3d5bb0a Mon Sep 17 00:00:00 2001 | ||
| From: Florian Weimer <fweimer@redhat.com> | ||
| Date: Thu, 25 Apr 2024 15:01:07 +0200 | ||
| Subject: [PATCH] CVE-2024-33600: nscd: Do not send missing not-found response | ||
| in addgetnetgrentX (bug 31678) | ||
|
|
||
| If we failed to add a not-found response to the cache, the dataset | ||
| point can be null, resulting in a null pointer dereference. | ||
|
|
||
| Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> | ||
| (cherry picked from commit 7835b00dbce53c3c87bbbb1754a95fb5e58187aa) | ||
| --- | ||
| nscd/netgroupcache.c | 14 ++++++-------- | ||
| 1 file changed, 6 insertions(+), 8 deletions(-) | ||
|
|
||
| diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c | ||
| index 31b721bbee..32c6aef370 100644 | ||
| --- a/nscd/netgroupcache.c | ||
| +++ b/nscd/netgroupcache.c | ||
| @@ -147,7 +147,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, | ||
| /* No such service. */ | ||
| cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout, | ||
| &key_copy); | ||
| - goto writeout; | ||
| + goto maybe_cache_add; | ||
| } | ||
|
|
||
| memset (&data, '\0', sizeof (data)); | ||
| @@ -348,7 +348,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, | ||
| { | ||
| cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout, | ||
| &key_copy); | ||
| - goto writeout; | ||
| + goto maybe_cache_add; | ||
| } | ||
|
|
||
| total = buffilled; | ||
| @@ -410,14 +410,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, | ||
| } | ||
|
|
||
| if (he == NULL && fd != -1) | ||
| - { | ||
| - /* We write the dataset before inserting it to the database | ||
| - since while inserting this thread might block and so would | ||
| - unnecessarily let the receiver wait. */ | ||
| - writeout: | ||
| + /* We write the dataset before inserting it to the database since | ||
| + while inserting this thread might block and so would | ||
| + unnecessarily let the receiver wait. */ | ||
| writeall (fd, &dataset->resp, dataset->head.recsize); | ||
| - } | ||
|
|
||
| + maybe_cache_add: | ||
| if (cacheable) | ||
| { | ||
| /* If necessary, we also propagate the data to disk. */ | ||
| -- | ||
| 2.45.0 | ||
|
|
60 changes: 60 additions & 0 deletions
60
packages/glibc/0074-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| From 2ae9446c1b7a3064743b4a51c0bbae668ee43e4c Mon Sep 17 00:00:00 2001 | ||
| From: Florian Weimer <fweimer@redhat.com> | ||
| Date: Thu, 25 Apr 2024 15:01:07 +0200 | ||
| Subject: [PATCH] CVE-2024-33600: nscd: Avoid null pointer crashes after | ||
| notfound response (bug 31678) | ||
|
|
||
| The addgetnetgrentX call in addinnetgrX may have failed to produce | ||
| a result, so the result variable in addinnetgrX can be NULL. | ||
| Use db->negtimeout as the fallback value if there is no result data; | ||
| the timeout is also overwritten below. | ||
|
|
||
| Also avoid sending a second not-found response. (The client | ||
| disconnects after receiving the first response, so the data stream did | ||
| not go out of sync even without this fix.) It is still beneficial to | ||
| add the negative response to the mapping, so that the client can get | ||
| it from there in the future, instead of going through the socket. | ||
|
|
||
| Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> | ||
| (cherry picked from commit b048a482f088e53144d26a61c390bed0210f49f2) | ||
| --- | ||
| nscd/netgroupcache.c | 11 +++++++---- | ||
| 1 file changed, 7 insertions(+), 4 deletions(-) | ||
|
|
||
| diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c | ||
| index 32c6aef370..c3cd79dec5 100644 | ||
| --- a/nscd/netgroupcache.c | ||
| +++ b/nscd/netgroupcache.c | ||
| @@ -511,14 +511,15 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, | ||
|
|
||
| datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len, | ||
| sizeof (innetgroup_response_header), | ||
| - he == NULL ? 0 : dh->nreloads + 1, result->head.ttl); | ||
| + he == NULL ? 0 : dh->nreloads + 1, | ||
| + result == NULL ? db->negtimeout : result->head.ttl); | ||
| /* Set the notfound status and timeout based on the result from | ||
| getnetgrent. */ | ||
| - dataset->head.notfound = result->head.notfound; | ||
| + dataset->head.notfound = result == NULL || result->head.notfound; | ||
| dataset->head.timeout = timeout; | ||
|
|
||
| dataset->resp.version = NSCD_VERSION; | ||
| - dataset->resp.found = result->resp.found; | ||
| + dataset->resp.found = result != NULL && result->resp.found; | ||
| /* Until we find a matching entry the result is 0. */ | ||
| dataset->resp.result = 0; | ||
|
|
||
| @@ -566,7 +567,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, | ||
| goto out; | ||
| } | ||
|
|
||
| - if (he == NULL) | ||
| + /* addgetnetgrentX may have already sent a notfound response. Do | ||
| + not send another one. */ | ||
| + if (he == NULL && dataset->resp.found) | ||
| { | ||
| /* We write the dataset before inserting it to the database | ||
| since while inserting this thread might block and so would | ||
| -- | ||
| 2.45.0 | ||
|
|
Oops, something went wrong.