<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1 id="override-package-glibc">Override package: glibc<a class="headerlink" href="#override-package-glibc" title="Permanent link">&para;</a></h1>
<h2 id="el9">EL9<a class="headerlink" href="#el9" title="Permanent link">&para;</a></h2>
<li>Version <code></code></li>
<li>Based on <code>2.34-100.el9_4.2</code></li>
<h3 id="changes-summary">Changes summary<a class="headerlink" href="#changes-summary" title="Permanent link">&para;</a></h3>
<li>Distrust and/or unset many more environment variables used by current and previous glibc versions when running SUID/SGID/setcap (Owl via ALT Linux)</li>
<li>When <code>syslog(3)</code>/<code>vsyslog(3)</code> is called by a SUID/SGID/setcap program without a preceding call to <code>openlog(3)</code>, don't blindly trust <code>__progname</code> for the syslog ident (Owl via ALT Linux, further revised for Rocky Linux)</li>
<li>In <code>syslog(3)/vsyslog(3)</code> use <code>asctime_r(3)+localtime_r(3)</code> instead of <code>strftime_r()</code> so that month names don't depend on current locale settings (Owl via ALT Linux)</li>
<li>In <code>asprintf(3)/vasprintf(3)</code> reset the pointer to NULL on error, like BSDs do, so that the caller wouldn't access memory over an uninitialized or stale pointer (ALT Linux)</li>
<li>In <code>fread(3)/fwrite(3)</code> check for potential integer overflow (ALT Linux)</li>
<li>In <code>tmpfile(3)</code> use the <code>TMPDIR</code> environment variable (when not running SUID/SGID/setcap) (ALT Linux)</li>
<li>When <code>qsort(3)</code> is wrongly used with a nontransitive comparison function, nevertheless be robust and avoid <a href="">memory corruption</a> (Qualys, Rocky Linux)</li>
<h4 id="known-effective-vulnerability-mitigations-and-fixes">Known-effective vulnerability mitigations and fixes<a class="headerlink" href="#known-effective-vulnerability-mitigations-and-fixes" title="Permanent link">&para;</a></h4>
<p><code></code> and above includes nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes from upstream glibc 2.34 branch, which upstream also included starting with <code>2.34-100.el9_4.2</code>.</p>
<p><code></code> and above includes <code>iconv(3)</code> ISO-2022-CN-EXT <a href="../../issues/CVE-2024-2961/">CVE-2024-2961</a> fix from upstream glibc 2.34 branch, which upstream also included starting with <code>2.34-100.el9_4.2</code>.</p>
<p><code></code> included mitigations sufficient to avoid security exposure of <a href="../../issues/CVE-2023-4911/">CVE-2023-4911</a> and a backport of upstream glibc fix of <a href="">CVE-2023-4527</a> that was not yet in upstream EL. In the update to <code></code> and beyond, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more).</p>
<p>In general, inclusion of additional security fixes will be "reverted" if and when those get included in upstream EL packages that we rebase our changes on.</p>
<h3 id="change-log">Change log<a class="headerlink" href="#change-log" title="Permanent link">&para;</a></h3>
<div class="highlight"><pre><span></span><code>* Thu Jun 13 2024 Solar Designer &lt;; -
- Rebase on 2.34-100.2
[... upstream changes ...]
* Mon May 20 2024 Solar Designer &lt;; -
- Rebase on 2.34-100
* Tue May 07 2024 Solar Designer &lt;; -
- Upstream glibc 2.34 fix &quot;nscd: Use time_t for return type of addgetnetgrentX&quot;
* Tue Apr 30 2024 Solar Designer &lt;; -
- Add nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes
from upstream glibc 2.34 branch
* Thu Apr 18 2024 Solar Designer &lt;; -
- Rebase on 2.34-83.12
- Add iconv() ISO-2022-CN-EXT CVE-2024-2961 fix from upstream glibc 2.34 branch
[... upstream changes ...]
* Wed Jan 31 2024 Solar Designer &lt;; -
- Harden syslog ident fallback initialization to use at most 64 characters of
__progname when __libc_enable_secure, as inspired by Qualys&#39; discovery of
related vulnerabilities in newer glibc (not yet present in this version):
- Harden qsort against nontransitive comparison functions as suggested by
* Wed Nov 22 2023 Solar Designer &lt;; -
- Rebase on 2.34-83.7, drop &quot;our&quot; CVE-2023-4527 patch in favor of RH&#39;s
(a similar rebase was made on Oct 6 in for 9.2)
[... upstream changes ...]
* Mon Oct 2 2023 Solar Designer &lt;; -
- Add glibc-owl-alt-sanitize-env.patch stitched from several ALT Linux commits
as none of their revisions matched this package&#39;s set of backports as-is
- Add glibc-upstream-no-aaaa-CVE-2023-4527.patch based on upstream commit
bd77dd7e73e3530203be1c52c8a29d08270cb25d fixing
CVE-2023-4527: Stack read overflow with large TCP responses in no-aaaa mode
* Tue Sep 26 2023 Solar Designer &lt;; -
- Revise the texinfo documentation edit of glibc-2.34-alt-asprintf.patch via
* Sat Sep 23 2023 Solar Designer &lt;; -
- Add some of the patches from ALT Linux as of when they were at 2.34:
git show 5fa32fb0f8509f4b2b1105d71b45966dfbadc099 &gt; glibc-2.34-alt-tmpfile.patch
git show f97e5d60a6a4c9cb64e3b9ee6f5113969cf07d87 &gt; glibc-2.34-alt-asprintf.patch
git show cd45d0f74560325cc48aedb9f56881270ab3dfab &gt; glibc-2.34-alt-libio-bound.patch
git show 436eb1017c04aee3a553c2868d00a4b046e5e394 &gt; glibc-2.34-owl-alt-syslog-ident.patch
git show 03a86c234873723c26b7e387c498c1332c223968 &gt; glibc-2.34-mjt-owl-alt-syslog-timestamp.patch
<span class="md-source-file__fact">
<span class="md-icon" title="Last update">
<svg xmlns="" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1-2.1-2M12.5 7v5.2l4 2.4-1 1L11 13V7h1.5M11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2v1.8Z"/></svg>
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">June 13, 2024</span>
