From 75e7c7ba8cddb2644350a7f59c943f5c4e99b3b0 Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Wed, 31 Jan 2024 09:12:54 +0100 Subject: [PATCH] package/{glibc, localedef}: security bump to version glibc-2.38-44-gd37c2b20a4787463d192b32041c3406c2bd91de0 Fixes the following security issues: CVE-2023-6246: syslog: Fix heap buffer overflow in __vsyslog_internal https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2024-0001;hb=HEAD CVE-2023-6779: syslog: Heap buffer overflow in __vsyslog_internal https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2024-0002;hb=HEAD CVE-2023-6780: syslog: Integer overflow in __vsyslog_internal https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2024-0003;hb=HEAD For details, see the Qualys advisory: https://www.openwall.com/lists/oss-security/2024/01/30/6 Signed-off-by: Peter Korsgaard --- package/glibc/glibc.hash | 2 +- package/glibc/glibc.mk | 14 +++++++++++++- package/localedef/localedef.mk | 2 +- 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/package/glibc/glibc.hash b/package/glibc/glibc.hash index 00d9f1c985..15ae55b9e6 100644 --- a/package/glibc/glibc.hash +++ b/package/glibc/glibc.hash @@ -1,5 +1,5 @@ # Locally calculated (fetched from Github) -sha256 fd991e43997ff6e4994264c3cbc23fa87fa28b1b3c446eda8fc2d1d3834a2cfb glibc-2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701.tar.gz +sha256 e38f4284d6909c6b5db7d79c6e450daeaf136a67e547290eec0b063a55eaaa42 glibc-2.38-44-gd37c2b20a4787463d192b32041c3406c2bd91de0.tar.gz # Hashes for license files sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk index d49da6457c..d198d6f04c 100644 --- a/package/glibc/glibc.mk +++ b/package/glibc/glibc.mk @@ -7,7 +7,7 @@ # Generate version string using: # git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2- # When updating the version, please also update localedef -GLIBC_VERSION = 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701 +GLIBC_VERSION = 2.38-44-gd37c2b20a4787463d192b32041c3406c2bd91de0 # Upstream doesn't officially provide an https download link. # There is one (https://sourceware.org/git/glibc.git) but it's not reliable, # sometimes the connection times out. So use an unofficial github mirror. @@ -40,6 +40,18 @@ GLIBC_IGNORE_CVES += CVE-2023-4911 # 2.38 and the version we're really using. GLIBC_IGNORE_CVES += CVE-2023-5156 +# Fixed by 23514c72b780f3da097ecf33a793b7ba9c2070d2, which is between +# 2.38 and the version we're really using. +GLIBC_IGNORE_CVES += CVE-2023-6246 + +# Fixed by d0338312aace5bbfef85e03055e1212dd0e49578, which is between +# 2.38 and the version we're really using. +GLIBC_IGNORE_CVES += CVE-2023-6779 + +# Fixed by d37c2b20a4787463d192b32041c3406c2bd91de0, which is between +# 2.38 and the version we're really using. +GLIBC_IGNORE_CVES += CVE-2023-6780 + # All these CVEs are considered as not being security issues by # upstream glibc: # https://security-tracker.debian.org/tracker/CVE-2010-4756 diff --git a/package/localedef/localedef.mk b/package/localedef/localedef.mk index ed6d4b4968..c017c0e00e 100644 --- a/package/localedef/localedef.mk +++ b/package/localedef/localedef.mk @@ -7,7 +7,7 @@ # Use the same VERSION and SITE as target glibc # As in glibc.mk, generate version string using: # git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2- -LOCALEDEF_VERSION = 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701 +LOCALEDEF_VERSION = 2.38-44-gd37c2b20a4787463d192b32041c3406c2bd91de0 LOCALEDEF_SOURCE = glibc-$(LOCALEDEF_VERSION).tar.gz LOCALEDEF_SITE = $(call github,bminor,glibc,$(LOCALEDEF_VERSION)) HOST_LOCALEDEF_DL_SUBDIR = glibc