From: Michael Tremer Date: Sat, 24 Jan 2026 14:41:45 +0000 (+0000) Subject: glibc: Update to 2.43 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b0c6dc6bc879c7d56310a99077631677c0bff008;p=ipfire-2.x.git glibc: Update to 2.43 Signed-off-by: Michael Tremer --- diff --git a/config/rootfiles/common/aarch64/glibc b/config/rootfiles/common/aarch64/glibc index e3493dd95..b474a0e40 100644 --- a/config/rootfiles/common/aarch64/glibc +++ b/config/rootfiles/common/aarch64/glibc @@ -77,6 +77,7 @@ usr/bin/locale #usr/include/bits/error-ldbl.h #usr/include/bits/error.h #usr/include/bits/eventfd.h +#usr/include/bits/fcntl-linux-fortify.h #usr/include/bits/fcntl-linux.h #usr/include/bits/fcntl.h #usr/include/bits/fcntl2.h @@ -125,6 +126,7 @@ usr/bin/locale #usr/include/bits/mqueue2.h #usr/include/bits/msq.h #usr/include/bits/netdb.h +#usr/include/bits/openat2.h #usr/include/bits/param.h #usr/include/bits/poll.h #usr/include/bits/poll2.h @@ -237,6 +239,7 @@ usr/bin/locale #usr/include/bits/types/idtype_t.h #usr/include/bits/types/locale_t.h #usr/include/bits/types/mbstate_t.h +#usr/include/bits/types/once_flag.h #usr/include/bits/types/res_state.h #usr/include/bits/types/sig_atomic_t.h #usr/include/bits/types/sigevent_t.h @@ -814,7 +817,7 @@ usr/lib/gconv #usr/lib/libc_nonshared.a #usr/lib/libdl.a #usr/lib/libg.a -#usr/lib/libm-2.42.a +#usr/lib/libm-2.43.a #usr/lib/libm.a #usr/lib/libm.so #usr/lib/libmcheck.a @@ -2958,6 +2961,20 @@ usr/lib/locale #usr/lib/locale/en_SC.utf8/LC_PAPER #usr/lib/locale/en_SC.utf8/LC_TELEPHONE #usr/lib/locale/en_SC.utf8/LC_TIME +#usr/lib/locale/en_SE.utf8 +#usr/lib/locale/en_SE.utf8/LC_ADDRESS +#usr/lib/locale/en_SE.utf8/LC_COLLATE +#usr/lib/locale/en_SE.utf8/LC_CTYPE +#usr/lib/locale/en_SE.utf8/LC_IDENTIFICATION +#usr/lib/locale/en_SE.utf8/LC_MEASUREMENT +#usr/lib/locale/en_SE.utf8/LC_MESSAGES +#usr/lib/locale/en_SE.utf8/LC_MESSAGES/SYS_LC_MESSAGES +#usr/lib/locale/en_SE.utf8/LC_MONETARY +#usr/lib/locale/en_SE.utf8/LC_NAME +#usr/lib/locale/en_SE.utf8/LC_NUMERIC +#usr/lib/locale/en_SE.utf8/LC_PAPER +#usr/lib/locale/en_SE.utf8/LC_TELEPHONE +#usr/lib/locale/en_SE.utf8/LC_TIME #usr/lib/locale/en_SG #usr/lib/locale/en_SG.utf8 #usr/lib/locale/en_SG.utf8/LC_ADDRESS @@ -8175,6 +8192,7 @@ usr/lib/locale #usr/share/i18n/locales/en_NZ #usr/share/i18n/locales/en_PH #usr/share/i18n/locales/en_SC +#usr/share/i18n/locales/en_SE #usr/share/i18n/locales/en_SG #usr/share/i18n/locales/en_US #usr/share/i18n/locales/en_ZA diff --git a/config/rootfiles/common/riscv64/glibc b/config/rootfiles/common/riscv64/glibc index 1dbc835fc..be7a29829 100644 --- a/config/rootfiles/common/riscv64/glibc +++ b/config/rootfiles/common/riscv64/glibc @@ -76,6 +76,7 @@ usr/bin/locale #usr/include/bits/error-ldbl.h #usr/include/bits/error.h #usr/include/bits/eventfd.h +#usr/include/bits/fcntl-linux-fortify.h #usr/include/bits/fcntl-linux.h #usr/include/bits/fcntl.h #usr/include/bits/fcntl2.h @@ -124,6 +125,7 @@ usr/bin/locale #usr/include/bits/mqueue2.h #usr/include/bits/msq.h #usr/include/bits/netdb.h +#usr/include/bits/openat2.h #usr/include/bits/param.h #usr/include/bits/poll.h #usr/include/bits/poll2.h @@ -236,6 +238,7 @@ usr/bin/locale #usr/include/bits/types/idtype_t.h #usr/include/bits/types/locale_t.h #usr/include/bits/types/mbstate_t.h +#usr/include/bits/types/once_flag.h #usr/include/bits/types/res_state.h #usr/include/bits/types/sig_atomic_t.h #usr/include/bits/types/sigevent_t.h @@ -2955,6 +2958,20 @@ usr/lib/locale #usr/lib/locale/en_SC.utf8/LC_PAPER #usr/lib/locale/en_SC.utf8/LC_TELEPHONE #usr/lib/locale/en_SC.utf8/LC_TIME +#usr/lib/locale/en_SE.utf8 +#usr/lib/locale/en_SE.utf8/LC_ADDRESS +#usr/lib/locale/en_SE.utf8/LC_COLLATE +#usr/lib/locale/en_SE.utf8/LC_CTYPE +#usr/lib/locale/en_SE.utf8/LC_IDENTIFICATION +#usr/lib/locale/en_SE.utf8/LC_MEASUREMENT +#usr/lib/locale/en_SE.utf8/LC_MESSAGES +#usr/lib/locale/en_SE.utf8/LC_MESSAGES/SYS_LC_MESSAGES +#usr/lib/locale/en_SE.utf8/LC_MONETARY +#usr/lib/locale/en_SE.utf8/LC_NAME +#usr/lib/locale/en_SE.utf8/LC_NUMERIC +#usr/lib/locale/en_SE.utf8/LC_PAPER +#usr/lib/locale/en_SE.utf8/LC_TELEPHONE +#usr/lib/locale/en_SE.utf8/LC_TIME #usr/lib/locale/en_SG #usr/lib/locale/en_SG.utf8 #usr/lib/locale/en_SG.utf8/LC_ADDRESS @@ -8172,6 +8189,7 @@ usr/lib/locale #usr/share/i18n/locales/en_NZ #usr/share/i18n/locales/en_PH #usr/share/i18n/locales/en_SC +#usr/share/i18n/locales/en_SE #usr/share/i18n/locales/en_SG #usr/share/i18n/locales/en_US #usr/share/i18n/locales/en_ZA diff --git a/config/rootfiles/common/x86_64/glibc b/config/rootfiles/common/x86_64/glibc index a4bdd8a8e..1ea042e20 100644 --- a/config/rootfiles/common/x86_64/glibc +++ b/config/rootfiles/common/x86_64/glibc @@ -77,6 +77,7 @@ usr/bin/locale #usr/include/bits/error-ldbl.h #usr/include/bits/error.h #usr/include/bits/eventfd.h +#usr/include/bits/fcntl-linux-fortify.h #usr/include/bits/fcntl-linux.h #usr/include/bits/fcntl.h #usr/include/bits/fcntl2.h @@ -125,6 +126,7 @@ usr/bin/locale #usr/include/bits/mqueue2.h #usr/include/bits/msq.h #usr/include/bits/netdb.h +#usr/include/bits/openat2.h #usr/include/bits/param.h #usr/include/bits/platform #usr/include/bits/platform/features.h @@ -240,6 +242,7 @@ usr/bin/locale #usr/include/bits/types/idtype_t.h #usr/include/bits/types/locale_t.h #usr/include/bits/types/mbstate_t.h +#usr/include/bits/types/once_flag.h #usr/include/bits/types/res_state.h #usr/include/bits/types/sig_atomic_t.h #usr/include/bits/types/sigevent_t.h @@ -823,7 +826,7 @@ usr/lib/gconv #usr/lib/libc_nonshared.a #usr/lib/libdl.a #usr/lib/libg.a -#usr/lib/libm-2.42.a +#usr/lib/libm-2.43.a #usr/lib/libm.a #usr/lib/libm.so #usr/lib/libmcheck.a @@ -2967,6 +2970,20 @@ usr/lib/locale #usr/lib/locale/en_SC.utf8/LC_PAPER #usr/lib/locale/en_SC.utf8/LC_TELEPHONE #usr/lib/locale/en_SC.utf8/LC_TIME +#usr/lib/locale/en_SE.utf8 +#usr/lib/locale/en_SE.utf8/LC_ADDRESS +#usr/lib/locale/en_SE.utf8/LC_COLLATE +#usr/lib/locale/en_SE.utf8/LC_CTYPE +#usr/lib/locale/en_SE.utf8/LC_IDENTIFICATION +#usr/lib/locale/en_SE.utf8/LC_MEASUREMENT +#usr/lib/locale/en_SE.utf8/LC_MESSAGES +#usr/lib/locale/en_SE.utf8/LC_MESSAGES/SYS_LC_MESSAGES +#usr/lib/locale/en_SE.utf8/LC_MONETARY +#usr/lib/locale/en_SE.utf8/LC_NAME +#usr/lib/locale/en_SE.utf8/LC_NUMERIC +#usr/lib/locale/en_SE.utf8/LC_PAPER +#usr/lib/locale/en_SE.utf8/LC_TELEPHONE +#usr/lib/locale/en_SE.utf8/LC_TIME #usr/lib/locale/en_SG #usr/lib/locale/en_SG.utf8 #usr/lib/locale/en_SG.utf8/LC_ADDRESS @@ -8184,6 +8201,7 @@ usr/lib/locale #usr/share/i18n/locales/en_NZ #usr/share/i18n/locales/en_PH #usr/share/i18n/locales/en_SC +#usr/share/i18n/locales/en_SE #usr/share/i18n/locales/en_SG #usr/share/i18n/locales/en_US #usr/share/i18n/locales/en_ZA diff --git a/lfs/glibc b/lfs/glibc index 49cce7282..3dd1cefa2 100644 --- a/lfs/glibc +++ b/lfs/glibc @@ -24,7 +24,7 @@ include Config -VER = 2.42 +VER = 2.43 THISAPP = glibc-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -87,7 +87,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 6ffabfe7942034a5a4fb5097679cb47bc3431eb2a3864af07cea0cb6aa5db63fbaf6f026b3c9299e00268058a6762eb21e92499f012d552ed87d65c7ffbd0bbe +$(DL_FILE)_BLAKE2 = a764edf3d0d52809aa94cf1a8f73341159d226ecc2a595aa3c9e1d1fd4b2d4eb9a599d70bda8812b73d8ef58b39746efdd34026772e38c0f091fe071d461ea98 install : $(TARGET) @@ -120,9 +120,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @mkdir $(DIR_SRC)/glibc-build cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc-localedef-no-archive.patch - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc-2.42-CVE-2026-0861.patch - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc-2.42-CVE-2026-0915.patch - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc-2.42-CVE-2025-15281.patch ifneq "$(TOOLCHAIN)" "1" ifeq "$(BUILD_ARCH)" "x86_64" diff --git a/src/patches/glibc-2.42-CVE-2025-15281.patch b/src/patches/glibc-2.42-CVE-2025-15281.patch deleted file mode 100644 index 89322f80d..000000000 --- a/src/patches/glibc-2.42-CVE-2025-15281.patch +++ /dev/null @@ -1,175 +0,0 @@ -From cbf39c26b25801e9bc88499b4fd361ac172d4125 Mon Sep 17 00:00:00 2001 -From: Adhemerval Zanella -Date: Thu, 15 Jan 2026 10:32:19 -0300 -Subject: [PATCH] posix: Reset wordexp_t fields with WRDE_REUSE (CVE-2025-15281 - / BZ 33814) - -The wordexp fails to properly initialize the input wordexp_t when -WRDE_REUSE is used. The wordexp_t struct is properly freed, but -reuses the old wc_wordc value and updates the we_wordv in the -wrong position. A later wordfree will then call free with an -invalid pointer. - -Checked on x86_64-linux-gnu and i686-linux-gnu. - -Reviewed-by: Carlos O'Donell -(cherry picked from commit 80cc58ea2de214f85b0a1d902a3b668ad2ecb302) ---- - posix/Makefile | 11 +++++ - posix/tst-wordexp-reuse.c | 89 +++++++++++++++++++++++++++++++++++++++ - posix/wordexp.c | 2 + - 3 files changed, 102 insertions(+) - create mode 100644 posix/tst-wordexp-reuse.c - -diff --git a/posix/Makefile b/posix/Makefile -index a36e5decd3..1ea86efcc1 100644 ---- a/posix/Makefile -+++ b/posix/Makefile -@@ -327,6 +327,7 @@ tests := \ - tst-wait4 \ - tst-waitid \ - tst-wordexp-nocmd \ -+ tst-wordexp-reuse \ - tstgetopt \ - # tests - -@@ -457,6 +458,8 @@ generated += \ - tst-rxspencer-no-utf8.mtrace \ - tst-vfork3-mem.out \ - tst-vfork3.mtrace \ -+ tst-wordexp-reuse-mem.out \ -+ tst-wordexp-reuse.mtrace \ - # generated - endif - endif -@@ -492,6 +495,7 @@ tests-special += \ - $(objpfx)tst-pcre-mem.out \ - $(objpfx)tst-rxspencer-no-utf8-mem.out \ - $(objpfx)tst-vfork3-mem.out \ -+ $(objpfx)tst-wordexp-reuse.out \ - # tests-special - endif - endif -@@ -775,3 +779,10 @@ $(objpfx)posix-conf-vars-def.h: $(..)scripts/gen-posix-conf-vars.awk \ - $(make-target-directory) - $(AWK) -f $(filter-out Makefile, $^) > $@.tmp - mv -f $@.tmp $@ -+ -+tst-wordexp-reuse-ENV += MALLOC_TRACE=$(objpfx)tst-wordexp-reuse.mtrace \ -+ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so -+ -+$(objpfx)tst-wordexp-reuse-mem.out: $(objpfx)tst-wordexp-reuse.out -+ $(common-objpfx)malloc/mtrace $(objpfx)tst-wordexp-reuse.mtrace > $@; \ -+ $(evaluate-test) -diff --git a/posix/tst-wordexp-reuse.c b/posix/tst-wordexp-reuse.c -new file mode 100644 -index 0000000000..3926b9f557 ---- /dev/null -+++ b/posix/tst-wordexp-reuse.c -@@ -0,0 +1,89 @@ -+/* Test for wordexp with WRDE_REUSE flag. -+ Copyright (C) 2026 Free Software Foundation, Inc. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ . */ -+ -+#include -+#include -+ -+#include -+ -+static int -+do_test (void) -+{ -+ mtrace (); -+ -+ { -+ wordexp_t p = { 0 }; -+ TEST_COMPARE (wordexp ("one", &p, 0), 0); -+ TEST_COMPARE (p.we_wordc, 1); -+ TEST_COMPARE_STRING (p.we_wordv[0], "one"); -+ TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE), 0); -+ TEST_COMPARE (p.we_wordc, 1); -+ TEST_COMPARE_STRING (p.we_wordv[0], "two"); -+ wordfree (&p); -+ } -+ -+ { -+ wordexp_t p = { .we_offs = 2 }; -+ TEST_COMPARE (wordexp ("one", &p, 0), 0); -+ TEST_COMPARE (p.we_wordc, 1); -+ TEST_COMPARE_STRING (p.we_wordv[0], "one"); -+ TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE | WRDE_DOOFFS), 0); -+ TEST_COMPARE (p.we_wordc, 1); -+ TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "two"); -+ wordfree (&p); -+ } -+ -+ { -+ wordexp_t p = { 0 }; -+ TEST_COMPARE (wordexp ("one", &p, 0), 0); -+ TEST_COMPARE (p.we_wordc, 1); -+ TEST_COMPARE_STRING (p.we_wordv[0], "one"); -+ TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE | WRDE_APPEND), 0); -+ TEST_COMPARE (p.we_wordc, 1); -+ TEST_COMPARE_STRING (p.we_wordv[0], "two"); -+ wordfree (&p); -+ } -+ -+ { -+ wordexp_t p = { .we_offs = 2 }; -+ TEST_COMPARE (wordexp ("one", &p, WRDE_DOOFFS), 0); -+ TEST_COMPARE (p.we_wordc, 1); -+ TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "one"); -+ TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE -+ | WRDE_DOOFFS), 0); -+ TEST_COMPARE (p.we_wordc, 1); -+ TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "two"); -+ wordfree (&p); -+ } -+ -+ { -+ wordexp_t p = { .we_offs = 2 }; -+ TEST_COMPARE (wordexp ("one", &p, WRDE_DOOFFS), 0); -+ TEST_COMPARE (p.we_wordc, 1); -+ TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "one"); -+ TEST_COMPARE (wordexp ("two", &p, WRDE_REUSE -+ | WRDE_DOOFFS | WRDE_APPEND), 0); -+ TEST_COMPARE (p.we_wordc, 1); -+ TEST_COMPARE_STRING (p.we_wordv[p.we_offs + 0], "two"); -+ wordfree (&p); -+ } -+ -+ return 0; -+} -+ -+#include -diff --git a/posix/wordexp.c b/posix/wordexp.c -index a69b732801..9df4bb7424 100644 ---- a/posix/wordexp.c -+++ b/posix/wordexp.c -@@ -2216,7 +2216,9 @@ wordexp (const char *words, wordexp_t *pwordexp, int flags) - { - /* Minimal implementation of WRDE_REUSE for now */ - wordfree (pwordexp); -+ old_word.we_wordc = 0; - old_word.we_wordv = NULL; -+ pwordexp->we_wordc = 0; - } - - if ((flags & WRDE_APPEND) == 0) --- -2.43.7 - diff --git a/src/patches/glibc-2.42-CVE-2026-0861.patch b/src/patches/glibc-2.42-CVE-2026-0861.patch deleted file mode 100644 index 5126d2e25..000000000 --- a/src/patches/glibc-2.42-CVE-2026-0861.patch +++ /dev/null @@ -1,88 +0,0 @@ -From b0ec8fb689df862171f0f78994a3bdeb51313545 Mon Sep 17 00:00:00 2001 -From: Siddhesh Poyarekar -Date: Thu, 15 Jan 2026 06:06:40 -0500 -Subject: [PATCH] memalign: reinstate alignment overflow check (CVE-2026-0861) - -The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the -overflow check for alignment in memalign functions, _mid_memalign and -_int_memalign. Reinstate the overflow check in _int_memalign, aligned -with the PTRDIFF_MAX change since that is directly responsible for the -CVE. The missing _mid_memalign check is not relevant (and does not have -a security impact) and may need a different approach to fully resolve, -so it has been omitted. - -CVE-Id: CVE-2026-0861 -Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206 -Reported-by: Igor Morgenstern, Aisle Research -Fixes: BZ #33796 -Reviewed-by: Wilco Dijkstra -Signed-off-by: Siddhesh Poyarekar -(cherry picked from commit c9188d333717d3ceb7e3020011651f424f749f93) ---- - malloc/malloc.c | 7 +++++-- - malloc/tst-malloc-too-large.c | 10 ++-------- - 2 files changed, 7 insertions(+), 10 deletions(-) - -diff --git a/malloc/malloc.c b/malloc/malloc.c -index 5f3e701fd1..1d5aa304d3 100644 ---- a/malloc/malloc.c -+++ b/malloc/malloc.c -@@ -5167,7 +5167,7 @@ _int_memalign (mstate av, size_t alignment, size_t bytes) - INTERNAL_SIZE_T size; - - nb = checked_request2size (bytes); -- if (nb == 0) -+ if (nb == 0 || alignment > PTRDIFF_MAX) - { - __set_errno (ENOMEM); - return NULL; -@@ -5183,7 +5183,10 @@ _int_memalign (mstate av, size_t alignment, size_t bytes) - we don't find anything in those bins, the common malloc code will - scan starting at 2x. */ - -- /* Call malloc with worst case padding to hit alignment. */ -+ /* Call malloc with worst case padding to hit alignment. ALIGNMENT is a -+ power of 2, so it tops out at (PTRDIFF_MAX >> 1) + 1, leaving plenty of -+ space to add MINSIZE and whatever checked_request2size adds to BYTES to -+ get NB. Consequently, total below also does not overflow. */ - m = (char *) (_int_malloc (av, nb + alignment + MINSIZE)); - - if (m == NULL) -diff --git a/malloc/tst-malloc-too-large.c b/malloc/tst-malloc-too-large.c -index a548a37b46..a1bda673a3 100644 ---- a/malloc/tst-malloc-too-large.c -+++ b/malloc/tst-malloc-too-large.c -@@ -152,7 +152,6 @@ test_large_allocations (size_t size) - } - - --static long pagesize; - - /* This function tests the following aligned memory allocation functions - using several valid alignments and precedes each allocation test with a -@@ -171,8 +170,8 @@ test_large_aligned_allocations (size_t size) - - /* All aligned memory allocation functions expect an alignment that is a - power of 2. Given this, we test each of them with every valid -- alignment from 1 thru PAGESIZE. */ -- for (align = 1; align <= pagesize; align *= 2) -+ alignment for the type of ALIGN, i.e. until it wraps to 0. */ -+ for (align = 1; align > 0; align <<= 1) - { - test_setup (); - #if __GNUC_PREREQ (7, 0) -@@ -265,11 +264,6 @@ do_test (void) - DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than="); - #endif - -- /* Aligned memory allocation functions need to be tested up to alignment -- size equivalent to page size, which should be a power of 2. */ -- pagesize = sysconf (_SC_PAGESIZE); -- TEST_VERIFY_EXIT (powerof2 (pagesize)); -- - /* Loop 1: Ensure that all allocations with SIZE close to SIZE_MAX, i.e. - in the range (SIZE_MAX - 2^14, SIZE_MAX], fail. - --- -2.47.3 - diff --git a/src/patches/glibc-2.42-CVE-2026-0915.patch b/src/patches/glibc-2.42-CVE-2026-0915.patch deleted file mode 100644 index 078dc451f..000000000 --- a/src/patches/glibc-2.42-CVE-2026-0915.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 453e6b8dbab935257eb0802b0c97bca6b67ba30e Mon Sep 17 00:00:00 2001 -From: Carlos O'Donell -Date: Thu, 15 Jan 2026 15:09:38 -0500 -Subject: [PATCH] resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915) - -The default network value of zero for net was never tested for and -results in a DNS query constructed from uninitialized stack bytes. -The solution is to provide a default query for the case where net -is zero. - -Adding a test case for this was straight forward given the existence of -tst-resolv-network and if the test is added without the fix you observe -this failure: - -FAIL: resolv/tst-resolv-network -original exit status 1 -error: tst-resolv-network.c:174: invalid QNAME: \146\218\129\128 -error: 1 test failures - -With a random QNAME resulting from the use of uninitialized stack bytes. - -After the fix the test passes. - -Additionally verified using wireshark before and after to ensure -on-the-wire bytes for the DNS query were as expected. - -No regressions on x86_64. - -Reviewed-by: Florian Weimer -(cherry picked from commit e56ff82d5034ec66c6a78f517af6faa427f65b0b) ---- - resolv/nss_dns/dns-network.c | 4 ++++ - resolv/tst-resolv-network.c | 6 ++++++ - 2 files changed, 10 insertions(+) - -diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c -index 519f8422ca..e14e959d7c 100644 ---- a/resolv/nss_dns/dns-network.c -+++ b/resolv/nss_dns/dns-network.c -@@ -207,6 +207,10 @@ _nss_dns_getnetbyaddr_r (uint32_t net, int type, struct netent *result, - sprintf (qbuf, "%u.%u.%u.%u.in-addr.arpa", net_bytes[3], net_bytes[2], - net_bytes[1], net_bytes[0]); - break; -+ default: -+ /* Default network (net is originally zero). */ -+ strcpy (qbuf, "0.0.0.0.in-addr.arpa"); -+ break; - } - - net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024); -diff --git a/resolv/tst-resolv-network.c b/resolv/tst-resolv-network.c -index d9f69649d0..181be80835 100644 ---- a/resolv/tst-resolv-network.c -+++ b/resolv/tst-resolv-network.c -@@ -46,6 +46,9 @@ handle_code (const struct resolv_response_context *ctx, - { - switch (code) - { -+ case 0: -+ send_ptr (b, qname, qclass, qtype, "0.in-addr.arpa"); -+ break; - case 1: - send_ptr (b, qname, qclass, qtype, "1.in-addr.arpa"); - break; -@@ -265,6 +268,9 @@ do_test (void) - "error: TRY_AGAIN\n"); - - /* Lookup by address, success cases. */ -+ check_reverse (0, -+ "name: 0.in-addr.arpa\n" -+ "net: 0x00000000\n"); - check_reverse (1, - "name: 1.in-addr.arpa\n" - "net: 0x00000001\n"); --- -2.47.3 -