bottlerocket-os · KCSesh · Dec 11, 2024 · Dec 4, 2024 · Dec 4, 2024 · Dec 4, 2024
diff --git a/packages/bash/Cargo.toml b/packages/bash/Cargo.toml
@@ -12,8 +12,8 @@ path = "../packages.rs"
 releases-url = "https://ftp.gnu.org/gnu/bash"
 
 [[package.metadata.build-package.external-files]]
-url = "https://ftp.gnu.org/gnu/bash/bash-5.2.32.tar.gz"
-sha512 = "92a66ff5159964d430a29027a259a9f4ab45e22ee57483d21ace58a731182627092fbf3032e1cd531ff359cf91c691b088eb647f41b06e113e53c01a2f057405"
+url = "https://ftp.gnu.org/gnu/bash/bash-5.2.37.tar.gz"
+sha512 = "c07e2715cca7c3c8435fcb13aaf2968671f10f9e1fe5edd7c63d7e34fb821c159087b70386e17bdda723d8223057b53810e75eb249b03ebfc847147b06a8101f"
 
 [build-dependencies]
 glibc = { path = "../glibc" }

diff --git a/packages/bash/bash.spec b/packages/bash/bash.spec
@@ -1,5 +1,5 @@
 Name: %{_cross_os}bash
-Version: 5.2.32
+Version: 5.2.37
 Release: 1%{?dist}
 Summary: The GNU Bourne Again shell
 License: GPL-3.0-or-later

diff --git a/packages/ethtool/Cargo.toml b/packages/ethtool/Cargo.toml
@@ -12,8 +12,8 @@ path = "../packages.rs"
 releases-url = "https://kernel.org/pub/software/network/ethtool/"
 
 [[package.metadata.build-package.external-files]]
-url = "https://mirrors.edge.kernel.org/pub/software/network/ethtool/ethtool-6.10.tar.xz"
-sha512 = "1b6a0f5d2b89de57d1f003779557f2be786e26660ec430e80a966ad047f2fe1fe41bb573738b93454f32cf9089000ae879fc7feba0532bb559636a301ea61b10"
+url = "https://mirrors.edge.kernel.org/pub/software/network/ethtool/ethtool-6.11.tar.xz"
+sha512 = "77f649e1082a164e3627bcb21db1215a89d9a0e984f86516bb05879685aee76b034f6a9e19a499dcdd82883fa003f628b70d27ca8272064df27fe9de67c7a9a7"
 
 [build-dependencies]
 glibc = { path = "../glibc" }

diff --git a/packages/ethtool/ethtool.spec b/packages/ethtool/ethtool.spec
@@ -1,5 +1,5 @@
 Name: %{_cross_os}ethtool
-Version: 6.10
+Version: 6.11
 Release: 1%{?dist}
 Summary: Settings tool for Ethernet NICs
 License: GPL-2.0-only AND GPL-2.0-or-later

diff --git a/packages/glibc/0071-i386-ulp-update-for-SSE2-disable-multi-arch-configur.patch b/packages/glibc/0071-i386-ulp-update-for-SSE2-disable-multi-arch-configur.patch
@@ -0,0 +1,25 @@
+From 29e20bd1222cb69dcc6827e899ce7181090052dc Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Thu, 25 Apr 2024 12:56:48 +0200
+Subject: [PATCH] i386: ulp update for SSE2 --disable-multi-arch configurations
+
+(cherry picked from commit 3a3a4497421422aa854c855cbe5110ca7d598ffc)
+---
+ sysdeps/i386/fpu/libm-test-ulps | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sysdeps/i386/fpu/libm-test-ulps b/sysdeps/i386/fpu/libm-test-ulps
+index 84e6686eba..f2139fc172 100644
+--- a/sysdeps/i386/fpu/libm-test-ulps
++++ b/sysdeps/i386/fpu/libm-test-ulps
+@@ -1232,6 +1232,7 @@ ldouble: 6
+
+ Function: "hypot":
+ double: 1
++float: 1
+ float128: 1
+ ldouble: 1
+
+-- 
+2.45.0
+
diff --git a/packages/glibc/0072-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch b/packages/glibc/0072-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch
@@ -0,0 +1,38 @@
+From 5968aebb86164034b8f8421b4abab2f837a5bdaf Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Thu, 25 Apr 2024 15:00:45 +0200
+Subject: [PATCH] CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup
+ cache (bug 31677)
+
+Using alloca matches what other caches do.  The request length is
+bounded by MAXKEYLEN.
+
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+(cherry picked from commit 87801a8fd06db1d654eea3e4f7626ff476a9bdaa)
+---
+ nscd/netgroupcache.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
+index 06b7d7b6ca..31b721bbee 100644
+--- a/nscd/netgroupcache.c
++++ b/nscd/netgroupcache.c
+@@ -502,12 +502,13 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
+       = (struct indataset *) mempool_alloc (db,
+ 					    sizeof (*dataset) + req->key_len,
+ 					    1);
+-  struct indataset dataset_mem;
+   bool cacheable = true;
+   if (__glibc_unlikely (dataset == NULL))
+     {
+       cacheable = false;
+-      dataset = &dataset_mem;
++      /* The alloca is safe because nscd_run_worker verfies that
++	 key_len is not larger than MAXKEYLEN.  */
++      dataset = alloca (sizeof (*dataset) + req->key_len);
+     }
+
+   datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
+-- 
+2.45.0
+
diff --git a/packages/glibc/0073-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch b/packages/glibc/0073-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch
@@ -0,0 +1,59 @@
+From 541ea5172aa658c4bd5c6c6d6fd13903c3d5bb0a Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Thu, 25 Apr 2024 15:01:07 +0200
+Subject: [PATCH] CVE-2024-33600: nscd: Do not send missing not-found response
+ in addgetnetgrentX (bug 31678)
+
+If we failed to add a not-found response to the cache, the dataset
+point can be null, resulting in a null pointer dereference.
+
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+(cherry picked from commit 7835b00dbce53c3c87bbbb1754a95fb5e58187aa)
+---
+ nscd/netgroupcache.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
+index 31b721bbee..32c6aef370 100644
+--- a/nscd/netgroupcache.c
++++ b/nscd/netgroupcache.c
+@@ -147,7 +147,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
+       /* No such service.  */
+       cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout,
+ 			       &key_copy);
+-      goto writeout;
++      goto maybe_cache_add;
+     }
+
+   memset (&data, '\0', sizeof (data));
+@@ -348,7 +348,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
+     {
+       cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout,
+ 			       &key_copy);
+-      goto writeout;
++      goto maybe_cache_add;
+     }
+
+   total = buffilled;
+@@ -410,14 +410,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
+   }
+
+   if (he == NULL && fd != -1)
+-    {
+-      /* We write the dataset before inserting it to the database
+-	 since while inserting this thread might block and so would
+-	 unnecessarily let the receiver wait.  */
+-    writeout:
++    /* We write the dataset before inserting it to the database since
++       while inserting this thread might block and so would
++       unnecessarily let the receiver wait.  */
+       writeall (fd, &dataset->resp, dataset->head.recsize);
+-    }
+
++ maybe_cache_add:
+   if (cacheable)
+     {
+       /* If necessary, we also propagate the data to disk.  */
+-- 
+2.45.0
+
diff --git a/packages/glibc/0074-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch b/packages/glibc/0074-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch
@@ -0,0 +1,60 @@
+From 2ae9446c1b7a3064743b4a51c0bbae668ee43e4c Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Thu, 25 Apr 2024 15:01:07 +0200
+Subject: [PATCH] CVE-2024-33600: nscd: Avoid null pointer crashes after
+ notfound response (bug 31678)
+
+The addgetnetgrentX call in addinnetgrX may have failed to produce
+a result, so the result variable in addinnetgrX can be NULL.
+Use db->negtimeout as the fallback value if there is no result data;
+the timeout is also overwritten below.
+
+Also avoid sending a second not-found response.  (The client
+disconnects after receiving the first response, so the data stream did
+not go out of sync even without this fix.)  It is still beneficial to
+add the negative response to the mapping, so that the client can get
+it from there in the future, instead of going through the socket.
+
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+(cherry picked from commit b048a482f088e53144d26a61c390bed0210f49f2)
+---
+ nscd/netgroupcache.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
+index 32c6aef370..c3cd79dec5 100644
+--- a/nscd/netgroupcache.c
++++ b/nscd/netgroupcache.c
+@@ -511,14 +511,15 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
+
+   datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
+ 		     sizeof (innetgroup_response_header),
+-		     he == NULL ? 0 : dh->nreloads + 1, result->head.ttl);
++		     he == NULL ? 0 : dh->nreloads + 1,
++		     result == NULL ? db->negtimeout : result->head.ttl);
+   /* Set the notfound status and timeout based on the result from
+      getnetgrent.  */
+-  dataset->head.notfound = result->head.notfound;
++  dataset->head.notfound = result == NULL || result->head.notfound;
+   dataset->head.timeout = timeout;
+
+   dataset->resp.version = NSCD_VERSION;
+-  dataset->resp.found = result->resp.found;
++  dataset->resp.found = result != NULL && result->resp.found;
+   /* Until we find a matching entry the result is 0.  */
+   dataset->resp.result = 0;
+
+@@ -566,7 +567,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
+       goto out;
+     }
+
+-  if (he == NULL)
++  /* addgetnetgrentX may have already sent a notfound response.  Do
++     not send another one.  */
++  if (he == NULL && dataset->resp.found)
+     {
+       /* We write the dataset before inserting it to the database
+ 	 since while inserting this thread might block and so would
+-- 
+2.45.0
+