[AutoPR- Security] Patch glibc for CVE-2026-0915, CVE-2026-0861 [MEDIUM]

SPECS/glibc/CVE-2026-0861.patch

@@ -0,0 +1,91 @@
+From 7241963d58eaf14a0c4ed8ff301f4f098bf3b8d1 Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar <siddhesh@gotplt.org>
+Date: Thu, 15 Jan 2026 06:06:40 -0500
+Subject: [PATCH] memalign: reinstate alignment overflow check (CVE-2026-0861)
+
+The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
+overflow check for alignment in memalign functions, _mid_memalign and
+_int_memalign.  Reinstate the overflow check in _int_memalign, aligned
+with the PTRDIFF_MAX change since that is directly responsible for the
+CVE.  The missing _mid_memalign check is not relevant (and does not have
+a security impact) and may need a different approach to fully resolve,
+so it has been omitted.
+
+CVE-Id: CVE-2026-0861
+Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
+Reported-by: Igor Morgenstern, Aisle Research
+Fixes: BZ #33796
+Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
+Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
+(cherry picked from commit c9188d333717d3ceb7e3020011651f424f749f93)
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/bminor/glibc/commit/499d1ccafccfe64df1b88deea2fa84d8180e8e8f.patch
+---
+ malloc/malloc.c               |  8 +++++---
+ malloc/tst-malloc-too-large.c | 10 ++--------
+ 2 files changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/malloc/malloc.c b/malloc/malloc.c
+index 1a1ac1d8..d4be6a2c 100644
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -4952,7 +4952,7 @@ _int_memalign (mstate av, size_t alignment, size_t bytes)
+
+
+
+-  if (!checked_request2size (bytes, &nb))
++  if (!checked_request2size (bytes, &nb) || alignment > PTRDIFF_MAX)
+     {
+       __set_errno (ENOMEM);
+       return NULL;
+@@ -4963,8 +4963,10 @@ _int_memalign (mstate av, size_t alignment, size_t bytes)
+      request, and then possibly free the leading and trailing space.
+    */
+
+-  /* Call malloc with worst case padding to hit alignment. */
+-
++  /* Call malloc with worst case padding to hit alignment.  ALIGNMENT is a
++     power of 2, so it tops out at (PTRDIFF_MAX >> 1) + 1, leaving plenty of
++     space to add MINSIZE and whatever checked_request2size adds to BYTES to
++     get NB.  Consequently, total below also does not overflow.  */
+   m = (char *) (_int_malloc (av, nb + alignment + MINSIZE));
+
+   if (m == 0)
+diff --git a/malloc/tst-malloc-too-large.c b/malloc/tst-malloc-too-large.c
+index dac3c808..e7017981 100644
+--- a/malloc/tst-malloc-too-large.c
++++ b/malloc/tst-malloc-too-large.c
+@@ -151,7 +151,6 @@ test_large_allocations (size_t size)
+ }
+
+
+-static long pagesize;
+
+ /* This function tests the following aligned memory allocation functions
+    using several valid alignments and precedes each allocation test with a
+@@ -170,8 +169,8 @@ test_large_aligned_allocations (size_t size)
+
+   /* All aligned memory allocation functions expect an alignment that is a
+      power of 2.  Given this, we test each of them with every valid
+-     alignment from 1 thru PAGESIZE.  */
+-  for (align = 1; align <= pagesize; align *= 2)
++     alignment for the type of ALIGN, i.e. until it wraps to 0.  */
++  for (align = 1; align > 0; align <<= 1)
+     {
+       test_setup ();
+ #if __GNUC_PREREQ (7, 0)
+@@ -264,11 +263,6 @@ do_test (void)
+   DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
+ #endif
+
+-  /* Aligned memory allocation functions need to be tested up to alignment
+-     size equivalent to page size, which should be a power of 2.  */
+-  pagesize = sysconf (_SC_PAGESIZE);
+-  TEST_VERIFY_EXIT (powerof2 (pagesize));
+-
+   /* Loop 1: Ensure that all allocations with SIZE close to SIZE_MAX, i.e.
+      in the range (SIZE_MAX - 2^14, SIZE_MAX], fail.
+
+-- 
+2.45.4
+

SPECS/glibc/CVE-2026-0915.patch

@@ -0,0 +1,79 @@
+From dc92ec23f6856d94528d0ee0162b80b1ded3c970 Mon Sep 17 00:00:00 2001
+From: Carlos O'Donell <carlos@redhat.com>
+Date: Thu, 15 Jan 2026 15:09:38 -0500
+Subject: [PATCH] resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915)
+
+The default network value of zero for net was never tested for and
+results in a DNS query constructed from uninitialized stack bytes.
+The solution is to provide a default query for the case where net
+is zero.
+
+Adding a test case for this was straight forward given the existence of
+tst-resolv-network and if the test is added without the fix you observe
+this failure:
+
+FAIL: resolv/tst-resolv-network
+original exit status 1
+error: tst-resolv-network.c:174: invalid QNAME: \146\218\129\128
+error: 1 test failures
+
+With a random QNAME resulting from the use of uninitialized stack bytes.
+
+After the fix the test passes.
+
+Additionally verified using wireshark before and after to ensure
+on-the-wire bytes for the DNS query were as expected.
+
+No regressions on x86_64.
+
+Reviewed-by: Florian Weimer <fweimer@redhat.com>
+(cherry picked from commit e56ff82d5034ec66c6a78f517af6faa427f65b0b)
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/bminor/glibc/commit/66f0cb057c9b4fb1249a5fec6ef4a63511a37899.patch
+---
+ resolv/nss_dns/dns-network.c | 4 ++++
+ resolv/tst-resolv-network.c  | 6 ++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
+index 09cd9174..3458bd46 100644
+--- a/resolv/nss_dns/dns-network.c
++++ b/resolv/nss_dns/dns-network.c
+@@ -207,6 +207,10 @@ _nss_dns_getnetbyaddr_r (uint32_t net, int type, struct netent *result,
+       sprintf (qbuf, "%u.%u.%u.%u.in-addr.arpa", net_bytes[3], net_bytes[2],
+ 	       net_bytes[1], net_bytes[0]);
+       break;
++    default:
++      /* Default network (net is originally zero).  */
++      strcpy (qbuf, "0.0.0.0.in-addr.arpa");
++      break;
+     }
+
+   net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024);
+diff --git a/resolv/tst-resolv-network.c b/resolv/tst-resolv-network.c
+index 956f847d..f1f11613 100644
+--- a/resolv/tst-resolv-network.c
++++ b/resolv/tst-resolv-network.c
+@@ -46,6 +46,9 @@ handle_code (const struct resolv_response_context *ctx,
+ {
+   switch (code)
+     {
++    case 0:
++      send_ptr (b, qname, qclass, qtype, "0.in-addr.arpa");
++      break;
+     case 1:
+       send_ptr (b, qname, qclass, qtype, "1.in-addr.arpa");
+       break;
+@@ -265,6 +268,9 @@ do_test (void)
+                 "error: TRY_AGAIN\n");
+
+   /* Lookup by address, success cases.  */
++  check_reverse (0,
++                 "name: 0.in-addr.arpa\n"
++                 "net: 0x00000000\n");
+   check_reverse (1,
+                  "name: 1.in-addr.arpa\n"
+                  "net: 0x00000001\n");
+-- 
+2.45.4
+

SPECS/glibc/glibc.spec

@@ -7,7 +7,7 @@
 Summary:        Main C library
 Name:           glibc
 Version:        2.35
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        BSD AND GPLv2+ AND Inner-Net AND ISC AND LGPLv2+ AND MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -35,6 +35,8 @@ Patch10:        CVE-2024-33599.patch
 Patch11:        CVE-2024-33600.patch
 # This patch fixes both CVE-2024-33601 and CVE-2024-33602
 Patch12:        CVE-2024-33601.patch
+Patch13:        CVE-2026-0861.patch
+Patch14:        CVE-2026-0915.patch
 BuildRequires:  bison
 BuildRequires:  gawk
 BuildRequires:  gettext
@@ -327,6 +329,9 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||:
 %defattr(-,root,root)
 
 %changelog
+* Wed Jan 21 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.35-8
+- Patch for CVE-2026-0915, CVE-2026-0861
+
 * Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 2.35-7
 - Fixup CVE-2023-4806.patch and CVE-2023-5156.patch
 - Backport typo fix for nscd

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -1,12 +1,12 @@
 filesystem-1.1-20.cm2.aarch64.rpm
 kernel-headers-5.15.186.1-1.cm2.noarch.rpm
-glibc-2.35-7.cm2.aarch64.rpm
-glibc-devel-2.35-7.cm2.aarch64.rpm
-glibc-i18n-2.35-7.cm2.aarch64.rpm
-glibc-iconv-2.35-7.cm2.aarch64.rpm
-glibc-lang-2.35-7.cm2.aarch64.rpm
-glibc-nscd-2.35-7.cm2.aarch64.rpm
-glibc-tools-2.35-7.cm2.aarch64.rpm
+glibc-2.35-8.cm2.aarch64.rpm
+glibc-devel-2.35-8.cm2.aarch64.rpm
+glibc-i18n-2.35-8.cm2.aarch64.rpm
+glibc-iconv-2.35-8.cm2.aarch64.rpm
+glibc-lang-2.35-8.cm2.aarch64.rpm
+glibc-nscd-2.35-8.cm2.aarch64.rpm
+glibc-tools-2.35-8.cm2.aarch64.rpm
 zlib-1.2.13-2.cm2.aarch64.rpm
 zlib-devel-1.2.13-2.cm2.aarch64.rpm
 file-5.40-3.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -1,12 +1,12 @@
 filesystem-1.1-20.cm2.x86_64.rpm
 kernel-headers-5.15.186.1-1.cm2.noarch.rpm
-glibc-2.35-7.cm2.x86_64.rpm
-glibc-devel-2.35-7.cm2.x86_64.rpm
-glibc-i18n-2.35-7.cm2.x86_64.rpm
-glibc-iconv-2.35-7.cm2.x86_64.rpm
-glibc-lang-2.35-7.cm2.x86_64.rpm
-glibc-nscd-2.35-7.cm2.x86_64.rpm
-glibc-tools-2.35-7.cm2.x86_64.rpm
+glibc-2.35-8.cm2.x86_64.rpm
+glibc-devel-2.35-8.cm2.x86_64.rpm
+glibc-i18n-2.35-8.cm2.x86_64.rpm
+glibc-iconv-2.35-8.cm2.x86_64.rpm
+glibc-lang-2.35-8.cm2.x86_64.rpm
+glibc-nscd-2.35-8.cm2.x86_64.rpm
+glibc-tools-2.35-8.cm2.x86_64.rpm
 zlib-1.2.13-2.cm2.x86_64.rpm
 zlib-devel-1.2.13-2.cm2.x86_64.rpm
 file-5.40-3.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -106,15 +106,15 @@ glib-debuginfo-2.71.0-9.cm2.aarch64.rpm
 glib-devel-2.71.0-9.cm2.aarch64.rpm
 glib-doc-2.71.0-9.cm2.noarch.rpm
 glib-schemas-2.71.0-9.cm2.aarch64.rpm
-glibc-2.35-7.cm2.aarch64.rpm
-glibc-debuginfo-2.35-7.cm2.aarch64.rpm
-glibc-devel-2.35-7.cm2.aarch64.rpm
-glibc-i18n-2.35-7.cm2.aarch64.rpm
-glibc-iconv-2.35-7.cm2.aarch64.rpm
-glibc-lang-2.35-7.cm2.aarch64.rpm
-glibc-nscd-2.35-7.cm2.aarch64.rpm
-glibc-static-2.35-7.cm2.aarch64.rpm
-glibc-tools-2.35-7.cm2.aarch64.rpm
+glibc-2.35-8.cm2.aarch64.rpm
+glibc-debuginfo-2.35-8.cm2.aarch64.rpm
+glibc-devel-2.35-8.cm2.aarch64.rpm
+glibc-i18n-2.35-8.cm2.aarch64.rpm
+glibc-iconv-2.35-8.cm2.aarch64.rpm
+glibc-lang-2.35-8.cm2.aarch64.rpm
+glibc-nscd-2.35-8.cm2.aarch64.rpm
+glibc-static-2.35-8.cm2.aarch64.rpm
+glibc-tools-2.35-8.cm2.aarch64.rpm
 gmp-6.2.1-4.cm2.aarch64.rpm
 gmp-debuginfo-6.2.1-4.cm2.aarch64.rpm
 gmp-devel-6.2.1-4.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -111,15 +111,15 @@ glib-debuginfo-2.71.0-9.cm2.x86_64.rpm
 glib-devel-2.71.0-9.cm2.x86_64.rpm
 glib-doc-2.71.0-9.cm2.noarch.rpm
 glib-schemas-2.71.0-9.cm2.x86_64.rpm
-glibc-2.35-7.cm2.x86_64.rpm
-glibc-debuginfo-2.35-7.cm2.x86_64.rpm
-glibc-devel-2.35-7.cm2.x86_64.rpm
-glibc-i18n-2.35-7.cm2.x86_64.rpm
-glibc-iconv-2.35-7.cm2.x86_64.rpm
-glibc-lang-2.35-7.cm2.x86_64.rpm
-glibc-nscd-2.35-7.cm2.x86_64.rpm
-glibc-static-2.35-7.cm2.x86_64.rpm
-glibc-tools-2.35-7.cm2.x86_64.rpm
+glibc-2.35-8.cm2.x86_64.rpm
+glibc-debuginfo-2.35-8.cm2.x86_64.rpm
+glibc-devel-2.35-8.cm2.x86_64.rpm
+glibc-i18n-2.35-8.cm2.x86_64.rpm
+glibc-iconv-2.35-8.cm2.x86_64.rpm
+glibc-lang-2.35-8.cm2.x86_64.rpm
+glibc-nscd-2.35-8.cm2.x86_64.rpm
+glibc-static-2.35-8.cm2.x86_64.rpm
+glibc-tools-2.35-8.cm2.x86_64.rpm
 gmp-6.2.1-4.cm2.x86_64.rpm
 gmp-debuginfo-6.2.1-4.cm2.x86_64.rpm
 gmp-devel-6.2.1-4.cm2.x86_64.rpm