diff --git a/SPECS/glibc/CVE-2026-0861.patch b/SPECS/glibc/CVE-2026-0861.patch
new file mode 100644
index 00000000000..2f2e025b87d
--- /dev/null
+++ b/SPECS/glibc/CVE-2026-0861.patch
@@ -0,0 +1,91 @@ +From 7241963d58eaf14a0c4ed8ff301f4f098bf3b8d1 Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar +Date: Thu, 15 Jan 2026 06:06:40 -0500 +Subject: [PATCH] memalign: reinstate alignment overflow check (CVE-2026-0861) + +The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the +overflow check for alignment in memalign functions, _mid_memalign and +_int_memalign. Reinstate the overflow check in _int_memalign, aligned +with the PTRDIFF_MAX change since that is directly responsible for the +CVE. The missing _mid_memalign check is not relevant (and does not have +a security impact) and may need a different approach to fully resolve, +so it has been omitted. + +CVE-Id: CVE-2026-0861 +Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206 +Reported-by: Igor Morgenstern, Aisle Research +Fixes: BZ #33796 +Reviewed-by: Wilco Dijkstra +Signed-off-by: Siddhesh Poyarekar +(cherry picked from commit c9188d333717d3ceb7e3020011651f424f749f93) +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/bminor/glibc/commit/499d1ccafccfe64df1b88deea2fa84d8180e8e8f.patch +--- + malloc/malloc.c | 8 +++++--- + malloc/tst-malloc-too-large.c | 10 ++-------- + 2 files changed, 7 insertions(+), 11 deletions(-) + +diff --git a/malloc/malloc.c b/malloc/malloc.c +index 1a1ac1d8..d4be6a2c 100644 +--- a/malloc/malloc.c ++++ b/malloc/malloc.c +@@ -4952,7 +4952,7 @@ _int_memalign (mstate av, size_t alignment, size_t bytes) + + + +- if (!checked_request2size (bytes, &nb)) ++ if (!checked_request2size (bytes, &nb) || alignment > PTRDIFF_MAX) + { + __set_errno (ENOMEM); + return NULL; +@@ -4963,8 +4963,10 @@ _int_memalign (mstate av, size_t alignment, size_t bytes) + request, and then possibly free the leading and trailing space. + */ + +- /* Call malloc with worst case padding to hit alignment. */ +- ++ /* Call malloc with worst case padding to hit alignment. 
ALIGNMENT is a ++ power of 2, so it tops out at (PTRDIFF_MAX >> 1) + 1, leaving plenty of ++ space to add MINSIZE and whatever checked_request2size adds to BYTES to ++ get NB. Consequently, total below also does not overflow. */ + m = (char *) (_int_malloc (av, nb + alignment + MINSIZE)); + + if (m == 0) +diff --git a/malloc/tst-malloc-too-large.c b/malloc/tst-malloc-too-large.c +index dac3c808..e7017981 100644 +--- a/malloc/tst-malloc-too-large.c ++++ b/malloc/tst-malloc-too-large.c +@@ -151,7 +151,6 @@ test_large_allocations (size_t size) + } + + +-static long pagesize; + + /* This function tests the following aligned memory allocation functions + using several valid alignments and precedes each allocation test with a +@@ -170,8 +169,8 @@ test_large_aligned_allocations (size_t size) + + /* All aligned memory allocation functions expect an alignment that is a + power of 2. Given this, we test each of them with every valid +- alignment from 1 thru PAGESIZE. */ +- for (align = 1; align <= pagesize; align *= 2) ++ alignment for the type of ALIGN, i.e. until it wraps to 0. */ ++ for (align = 1; align > 0; align <<= 1) + { + test_setup (); + #if __GNUC_PREREQ (7, 0) +@@ -264,11 +263,6 @@ do_test (void) + DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than="); + #endif + +- /* Aligned memory allocation functions need to be tested up to alignment +- size equivalent to page size, which should be a power of 2. */ +- pagesize = sysconf (_SC_PAGESIZE); +- TEST_VERIFY_EXIT (powerof2 (pagesize)); +- + /* Loop 1: Ensure that all allocations with SIZE close to SIZE_MAX, i.e. + in the range (SIZE_MAX - 2^14, SIZE_MAX], fail. + +-- +2.45.4 + diff --git a/SPECS/glibc/CVE-2026-0915.patch b/SPECS/glibc/CVE-2026-0915.patch new file mode 100644 index 00000000000..1d13860e7d4 --- /dev/null +++ b/SPECS/glibc/CVE-2026-0915.patch 
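Review bot: In CVE-2026-0861.patch, the new comment above `_int_malloc (av, nb + alignment + MINSIZE)` argues from ALIGNMENT being a power of 2, but the guard this hunk adds only rejects `alignment > PTRDIFF_MAX`; nothing visible in `_int_memalign` establishes the power-of-2 property, so it is presumably enforced by the callers, outside the hunk. Without that property NB and ALIGNMENT could each sit close to PTRDIFF_MAX and the sum with MINSIZE could wrap, so the invariant is load-bearing for the fix. I would say so in the comment, e.g. `ALIGNMENT is a power of 2 (guaranteed by the caller), so it tops out at (PTRDIFF_MAX >> 1) + 1`, and confirm against the 2.35 tree this backport targets that every caller of `_int_memalign` still normalises the alignment before calling it. The body of `_int_memalign` starts and continues outside the hunk.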
@@ -0,0 +1,79 @@ +From dc92ec23f6856d94528d0ee0162b80b1ded3c970 Mon Sep 17 00:00:00 2001 +From: Carlos O'Donell +Date: Thu, 15 Jan 2026 15:09:38 -0500 +Subject: [PATCH] resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915) + +The default network value of zero for net was never tested for and +results in a DNS query constructed from uninitialized stack bytes. +The solution is to provide a default query for the case where net +is zero. + +Adding a test case for this was straight forward given the existence of +tst-resolv-network and if the test is added without the fix you observe +this failure: + +FAIL: resolv/tst-resolv-network +original exit status 1 +error: tst-resolv-network.c:174: invalid QNAME: \146\218\129\128 +error: 1 test failures + +With a random QNAME resulting from the use of uninitialized stack bytes. + +After the fix the test passes. + +Additionally verified using wireshark before and after to ensure +on-the-wire bytes for the DNS query were as expected. + +No regressions on x86_64. + +Reviewed-by: Florian Weimer +(cherry picked from commit e56ff82d5034ec66c6a78f517af6faa427f65b0b) +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/bminor/glibc/commit/66f0cb057c9b4fb1249a5fec6ef4a63511a37899.patch +--- + resolv/nss_dns/dns-network.c | 4 ++++ + resolv/tst-resolv-network.c | 6 ++++++ + 2 files changed, 10 insertions(+) + +diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c +index 09cd9174..3458bd46 100644 +--- a/resolv/nss_dns/dns-network.c ++++ b/resolv/nss_dns/dns-network.c +@@ -207,6 +207,10 @@ _nss_dns_getnetbyaddr_r (uint32_t net, int type, struct netent *result, + sprintf (qbuf, "%u.%u.%u.%u.in-addr.arpa", net_bytes[3], net_bytes[2], + net_bytes[1], net_bytes[0]); + break; ++ default: ++ /* Default network (net is originally zero). 
*/ ++ strcpy (qbuf, "0.0.0.0.in-addr.arpa"); ++ break; + } + + net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024); +diff --git a/resolv/tst-resolv-network.c b/resolv/tst-resolv-network.c +index 956f847d..f1f11613 100644 +--- a/resolv/tst-resolv-network.c ++++ b/resolv/tst-resolv-network.c +@@ -46,6 +46,9 @@ handle_code (const struct resolv_response_context *ctx, + { + switch (code) + { ++ case 0: ++ send_ptr (b, qname, qclass, qtype, "0.in-addr.arpa"); ++ break; + case 1: + send_ptr (b, qname, qclass, qtype, "1.in-addr.arpa"); + break; +@@ -265,6 +268,9 @@ do_test (void) + "error: TRY_AGAIN\n"); + + /* Lookup by address, success cases. */ ++ check_reverse (0, ++ "name: 0.in-addr.arpa\n" ++ "net: 0x00000000\n"); + check_reverse (1, + "name: 1.in-addr.arpa\n" + "net: 0x00000001\n"); +-- +2.45.4 + diff --git a/SPECS/glibc/glibc.spec b/SPECS/glibc/glibc.spec index 8ad83fe4771..d5dbc49d2d7 100644 --- a/SPECS/glibc/glibc.spec +++ b/SPECS/glibc/glibc.spec @@ -7,7 +7,7 @@ Summary: Main C library Name: glibc Version: 2.35 -Release: 7%{?dist} +Release: 8%{?dist} License: BSD AND GPLv2+ AND Inner-Net AND ISC AND LGPLv2+ AND MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -35,6 +35,8 @@ Patch10: CVE-2024-33599.patch Patch11: CVE-2024-33600.patch # This patch fixes both CVE-2024-33601 and CVE-2024-33602 Patch12: CVE-2024-33601.patch +Patch13: CVE-2026-0861.patch +Patch14: CVE-2026-0915.patch BuildRequires: bison BuildRequires: gawk BuildRequires: gettext @@ -327,6 +329,9 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||: %defattr(-,root,root) %changelog +* Wed Jan 21 2026 Azure Linux Security Servicing Account - 2.35-8 +- Patch for CVE-2026-0915, CVE-2026-0861 + * Mon May 06 2024 Rachel Menge - 2.35-7 - Fixup CVE-2023-4806.patch and CVE-2023-5156.patch - Backport typo fix for nscd 
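Review bot: In CVE-2026-0915.patch, the added `default:` branch in `_nss_dns_getnetbyaddr_r` handles the zero network only implicitly: any selector value not matched by an earlier case now yields the `0.0.0.0.in-addr.arpa` query, and the selector and its range are outside the hunk. The comment would be clearer if it named the condition that reaches this branch, e.g. `/* No non-zero octets were found (net == 0): query the default network.  */`, with the wording to be confirmed against the code above the switch. The `strcpy` of the 21-byte literal is unbounded like the neighbouring `sprintf` calls, so it relies on the size of `qbuf`, which is declared outside the hunk. The switch and the function body start outside the hunk.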
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index b26e9101130..67266cca0bd 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -1,12 +1,12 @@
 filesystem-1.1-20.cm2.aarch64.rpm
 kernel-headers-5.15.186.1-1.cm2.noarch.rpm
-glibc-2.35-7.cm2.aarch64.rpm
-glibc-devel-2.35-7.cm2.aarch64.rpm
-glibc-i18n-2.35-7.cm2.aarch64.rpm
-glibc-iconv-2.35-7.cm2.aarch64.rpm
-glibc-lang-2.35-7.cm2.aarch64.rpm
-glibc-nscd-2.35-7.cm2.aarch64.rpm
-glibc-tools-2.35-7.cm2.aarch64.rpm
+glibc-2.35-8.cm2.aarch64.rpm
+glibc-devel-2.35-8.cm2.aarch64.rpm
+glibc-i18n-2.35-8.cm2.aarch64.rpm
+glibc-iconv-2.35-8.cm2.aarch64.rpm
+glibc-lang-2.35-8.cm2.aarch64.rpm
+glibc-nscd-2.35-8.cm2.aarch64.rpm
+glibc-tools-2.35-8.cm2.aarch64.rpm
 zlib-1.2.13-2.cm2.aarch64.rpm
 zlib-devel-1.2.13-2.cm2.aarch64.rpm
 file-5.40-3.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index 93960bf8cb6..6956d80e8d5 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -1,12 +1,12 @@
 filesystem-1.1-20.cm2.x86_64.rpm
 kernel-headers-5.15.186.1-1.cm2.noarch.rpm
-glibc-2.35-7.cm2.x86_64.rpm
-glibc-devel-2.35-7.cm2.x86_64.rpm
-glibc-i18n-2.35-7.cm2.x86_64.rpm
-glibc-iconv-2.35-7.cm2.x86_64.rpm
-glibc-lang-2.35-7.cm2.x86_64.rpm
-glibc-nscd-2.35-7.cm2.x86_64.rpm
-glibc-tools-2.35-7.cm2.x86_64.rpm
+glibc-2.35-8.cm2.x86_64.rpm
+glibc-devel-2.35-8.cm2.x86_64.rpm
+glibc-i18n-2.35-8.cm2.x86_64.rpm
+glibc-iconv-2.35-8.cm2.x86_64.rpm
+glibc-lang-2.35-8.cm2.x86_64.rpm
+glibc-nscd-2.35-8.cm2.x86_64.rpm
+glibc-tools-2.35-8.cm2.x86_64.rpm
 zlib-1.2.13-2.cm2.x86_64.rpm
 zlib-devel-1.2.13-2.cm2.x86_64.rpm
 file-5.40-3.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 34fc14f69fe..a200643880a 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -106,15 +106,15 @@ glib-debuginfo-2.71.0-9.cm2.aarch64.rpm
 glib-devel-2.71.0-9.cm2.aarch64.rpm
 glib-doc-2.71.0-9.cm2.noarch.rpm
 glib-schemas-2.71.0-9.cm2.aarch64.rpm
-glibc-2.35-7.cm2.aarch64.rpm
-glibc-debuginfo-2.35-7.cm2.aarch64.rpm
-glibc-devel-2.35-7.cm2.aarch64.rpm
-glibc-i18n-2.35-7.cm2.aarch64.rpm
-glibc-iconv-2.35-7.cm2.aarch64.rpm
-glibc-lang-2.35-7.cm2.aarch64.rpm
-glibc-nscd-2.35-7.cm2.aarch64.rpm
-glibc-static-2.35-7.cm2.aarch64.rpm
-glibc-tools-2.35-7.cm2.aarch64.rpm
+glibc-2.35-8.cm2.aarch64.rpm
+glibc-debuginfo-2.35-8.cm2.aarch64.rpm
+glibc-devel-2.35-8.cm2.aarch64.rpm
+glibc-i18n-2.35-8.cm2.aarch64.rpm
+glibc-iconv-2.35-8.cm2.aarch64.rpm
+glibc-lang-2.35-8.cm2.aarch64.rpm
+glibc-nscd-2.35-8.cm2.aarch64.rpm
+glibc-static-2.35-8.cm2.aarch64.rpm
+glibc-tools-2.35-8.cm2.aarch64.rpm
 gmp-6.2.1-4.cm2.aarch64.rpm
 gmp-debuginfo-6.2.1-4.cm2.aarch64.rpm
 gmp-devel-6.2.1-4.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index b9d4c32bcaa..0a46358f992 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -111,15 +111,15 @@ glib-debuginfo-2.71.0-9.cm2.x86_64.rpm
 glib-devel-2.71.0-9.cm2.x86_64.rpm
 glib-doc-2.71.0-9.cm2.noarch.rpm
 glib-schemas-2.71.0-9.cm2.x86_64.rpm
-glibc-2.35-7.cm2.x86_64.rpm
-glibc-debuginfo-2.35-7.cm2.x86_64.rpm
-glibc-devel-2.35-7.cm2.x86_64.rpm
-glibc-i18n-2.35-7.cm2.x86_64.rpm
-glibc-iconv-2.35-7.cm2.x86_64.rpm
-glibc-lang-2.35-7.cm2.x86_64.rpm
-glibc-nscd-2.35-7.cm2.x86_64.rpm
-glibc-static-2.35-7.cm2.x86_64.rpm
-glibc-tools-2.35-7.cm2.x86_64.rpm
+glibc-2.35-8.cm2.x86_64.rpm
+glibc-debuginfo-2.35-8.cm2.x86_64.rpm
+glibc-devel-2.35-8.cm2.x86_64.rpm
+glibc-i18n-2.35-8.cm2.x86_64.rpm
+glibc-iconv-2.35-8.cm2.x86_64.rpm
+glibc-lang-2.35-8.cm2.x86_64.rpm
+glibc-nscd-2.35-8.cm2.x86_64.rpm
+glibc-static-2.35-8.cm2.x86_64.rpm
+glibc-tools-2.35-8.cm2.x86_64.rpm
 gmp-6.2.1-4.cm2.x86_64.rpm
 gmp-debuginfo-6.2.1-4.cm2.x86_64.rpm
 gmp-devel-6.2.1-4.cm2.x86_64.rpm