Message ID | 20250724075627.2132259-1-Deepesh.Varatharajan@windriver.com |
---|---|
State | Accepted, archived |
Commit | 05760b29576aa8797bbae2e9a1a6a44d3c6aa97e |
Delegated to: | Steve Sakoman |
Series | [kirkstone] glibc: stable 2.35 branch updates |
On Thu, Jul 24, 2025 at 12:56 AM Varatharajan, Deepesh via lists.openembedded.org <deepesh.varatharajan=windriver.com@lists.openembedded.org> wrote: 
>
> From: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
>
> Below commits on glibc-2.35 stable branch are updated.
>
> git log --oneline d2febe7c407665c18cfea1930c65f41899ab3aa3..80401002011f470d9c6eb604bf734715e9b3a8c2
> 8040100201 Fix error reporting (false negatives) in SGID tests
> c6ec750be5 support: Pick group in support_capture_subprogram_self_sgid if UID == 0
> c9e44b6467 support: Don't fail on fchown when spawning sgid processes
> 621c65ccf1 elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static
> c7ff2bc297 Revert "elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static"
> 8624f6431b elf: Fix subprocess status handling for tst-dlopen-sgid (bug 32987)
> ed10034f00 elf: Test case for bug 32976 (CVE-2025-4802)
> 08aea7712d support: Add support_record_failure_barrier
> 901e24b128 support: Use const char * argument in support_capture_subprogram_self_sgid
> bff3b0f16c elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static
>
> Dropped :
> 0025-CVE-2025-4802.patch
> ed10034f00 elf: Test case for bug 32976 (CVE-2025-4802)
>
> Test results:
>
>              Before  after  diff
> PASS         4833    4839   +6
> XPASS        6       6      0
> FAIL         133     130    -3
> XFAIL        16      16     0
> UNSUPPORTED  200     197    -3
>
> Following commits improved test results:
>
> 8040100201 Fix error reporting (false negatives) in SGID tests
> Improved SGID test handling by unifying error reporting and using secure temporary directories.
> Replaced non-standard exit codes and fixed premature exits to avoid masking failures.
> These changes reduced false negatives, increasing overall test pass rates.
>
> 8624f6431b elf: Fix subprocess status handling for tst-dlopen-sgid (bug 32987)
> Fixed tst-dlopen-sgid false positives by correctly handling subprocess exit status (bug 32987).
> Ensured test fails on abnormal or non-zero child exits.
> This commit restores reliability in SGID testing and is the first step toward centralized SGID test error handling.
LGTM

>
> UNSUPPORTED tests changes
> -UNSUPPORTED: elf/tst-env-setuid
> -UNSUPPORTED: elf/tst-env-setuid-tunables
> -UNSUPPORTED: stdlib/tst-secure-getenv
>
> FAILed tests changes
> -FAIL: elf/tst-dlopen-sgid
> -FAIL: misc/tst-error1
> -FAIL: resolv/tst-resolv-aliases
>
> PASSed tests changes
> +PASS: elf/tst-env-setuid
> +PASS: elf/tst-env-setuid-tunables
> +PASS: stdlib/tst-secure-getenv
> +PASS: elf/tst-dlopen-sgid
> +PASS: misc/tst-error1
> +PASS: resolv/tst-resolv-aliases
>
> Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
> ---
> meta/recipes-core/glibc/glibc-version.inc | 2 +-
> meta/recipes-core/glibc/glibc/0025-CVE-2025-4802.patch | 3 ++-
> meta/recipes-core/glibc/glibc_2.35.bb | 2 +-
> 3 files changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc > index 34b199c02b..b269518af4 100644 > --- a/meta/recipes-core/glibc/glibc-version.inc > +++ b/meta/recipes-core/glibc/glibc-version.inc > @@ -1,6 +1,6 @@ > SRCBRANCH ?= "release/2.35/master" > PV = "2.35" > -SRCREV_glibc ?= "d2febe7c407665c18cfea1930c65f41899ab3aa3" > +SRCREV_glibc ?= "80401002011f470d9c6eb604bf734715e9b3a8c2" > SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87" > > GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git" > diff --git a/meta/recipes-core/glibc/glibc/0025-CVE-2025-4802.patch b/meta/recipes-core/glibc/glibc/0025-CVE-2025-4802.patch > index 0298f5a865..a1197c0318 100644 > --- a/meta/recipes-core/glibc/glibc/0025-CVE-2025-4802.patch > +++ b/meta/recipes-core/glibc/glibc/0025-CVE-2025-4802.patch > @@ -81,7 +81,7 @@ index 09079c12..c2baed69 100644 > - NULL, NULL); > - > - /* Remember the last search directory added at startup. */ > -- _dl_init_all_dirs = GL(dl_all_dirs); > +_dl_verbose = *(getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1;- _dl_init_all_dirs = GL(dl_all_dirs); > - > - _dl_lazy = *(getenv ("LD_BIND_NOW") ?: "") == '\0'; > - 
> @@ -97,6 +97,7 @@ index 09079c12..c2baed69 100644 > if (__libc_enable_secure) > { > static const char unsecure_envvars[] = > + setup_vdso_pointers (); > @@ -324,6 +301,29 @@ _dl_non_dynamic_init (void) > #endif > } > diff --git a/meta/recipes-core/glibc/glibc_2.35.bb b/meta/recipes-core/glibc/glibc_2.35.bb > index 3023e9c1ed..df5f14984a 100644 > --- a/meta/recipes-core/glibc/glibc_2.35.bb > +++ b/meta/recipes-core/glibc/glibc_2.35.bb > @@ -27,6 +27,7 @@ CVE_CHECK_IGNORE += "CVE-2023-4527" > CVE_CHECK_IGNORE += " \ > CVE-2023-0687 CVE-2023-4813 CVE-2023-4806 CVE-2023-4911 CVE-2023-5156 \ > CVE-2024-2961 CVE-2024-33599 CVE-2024-33600 CVE-2024-33601 CVE-2024-33602 \ > + CVE-2025-4802 \ > " > > DEPENDS += "gperf-native bison-native" > @@ -61,7 +62,6 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ > file://0022-sysdeps-gnu-configure.ac-Set-libc_cv_rootsbindir-onl.patch \ > file://0023-timezone-Make-shell-interpreter-overridable-in-tzsel.patch \ > file://0024-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \ > - file://0025-CVE-2025-4802.patch \ > file://0026-PR25847-1.patch \ > file://0026-PR25847-2.patch \ > file://0026-PR25847-3.patch \ > -- > 2.49.0
diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc index 34b199c02b..b269518af4 100644 --- a/meta/recipes-core/glibc/glibc-version.inc +++ b/meta/recipes-core/glibc/glibc-version.inc @@ -1,6 +1,6 @@ SRCBRANCH ?= "release/2.35/master" PV = "2.35" -SRCREV_glibc ?= "d2febe7c407665c18cfea1930c65f41899ab3aa3" +SRCREV_glibc ?= "80401002011f470d9c6eb604bf734715e9b3a8c2" SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git" diff --git a/meta/recipes-core/glibc/glibc/0025-CVE-2025-4802.patch b/meta/recipes-core/glibc/glibc/0025-CVE-2025-4802.patch index 0298f5a865..a1197c0318 100644 --- a/meta/recipes-core/glibc/glibc/0025-CVE-2025-4802.patch +++ b/meta/recipes-core/glibc/glibc/0025-CVE-2025-4802.patch @@ -81,7 +81,7 @@ index 09079c12..c2baed69 100644 - NULL, NULL); - - /* Remember the last search directory added at startup. */ -- _dl_init_all_dirs = GL(dl_all_dirs); +_dl_verbose = *(getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1;- _dl_init_all_dirs = GL(dl_all_dirs); - - _dl_lazy = *(getenv ("LD_BIND_NOW") ?: "") == '\0'; - @@ -97,6 +97,7 @@ index 09079c12..c2baed69 100644 if (__libc_enable_secure) { static const char unsecure_envvars[] = + setup_vdso_pointers (); @@ -324,6 +301,29 @@ _dl_non_dynamic_init (void) #endif } diff --git a/meta/recipes-core/glibc/glibc_2.35.bb b/meta/recipes-core/glibc/glibc_2.35.bb index 3023e9c1ed..df5f14984a 100644 --- a/meta/recipes-core/glibc/glibc_2.35.bb +++ b/meta/recipes-core/glibc/glibc_2.35.bb @@ -27,6 +27,7 @@ CVE_CHECK_IGNORE += "CVE-2023-4527" CVE_CHECK_IGNORE += " \ CVE-2023-0687 CVE-2023-4813 CVE-2023-4806 CVE-2023-4911 CVE-2023-5156 \ CVE-2024-2961 CVE-2024-33599 CVE-2024-33600 CVE-2024-33601 CVE-2024-33602 \ + CVE-2025-4802 \ " DEPENDS += "gperf-native bison-native" 
@@ -61,7 +62,6 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0022-sysdeps-gnu-configure.ac-Set-libc_cv_rootsbindir-onl.patch \ file://0023-timezone-Make-shell-interpreter-overridable-in-tzsel.patch \ file://0024-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \ - file://0025-CVE-2025-4802.patch \ file://0026-PR25847-1.patch \ file://0026-PR25847-2.patch \ file://0026-PR25847-3.patch \
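
Review bot: In the `@@ -81,7 +81,7 @@` hunk of 0025-CVE-2025-4802.patch, the added line `+_dl_verbose = *(getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1;- _dl_init_all_dirs = GL(dl_all_dirs);` runs a `_dl_verbose` assignment into the text of the line it replaces, which reads as an accidental edit rather than an intended change. The commit message lists this file under "Dropped" and the recipe hunk removes it from SRC_URI, so the file should be deleted with `git rm` instead of modified; as posted it stays in the tree, altered and unreferenced.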
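
Review bot: The `+ setup_vdso_pointers ();` line in the `@@ -97,6 +97,7 @@` hunk of 0025-CVE-2025-4802.patch is inserted after `static const char unsecure_envvars[] =` and directly ahead of the embedded `@@ -324,6 +301,29 @@ _dl_non_dynamic_init (void)` header, that is, into the body of a hunk of the carried patch. The diffstat counts only 3 changed lines for this file, so no embedded hunk header was adjusted to match, and the carried patch would be malformed if it were ever put back into SRC_URI. Revert this edit, or better, remove the file in the same commit that drops it from the recipe.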
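
Review bot: The `+ CVE-2025-4802 \` entry in the `@@ -27,6 +27,7 @@` hunk of glibc_2.35.bb is added to CVE_CHECK_IGNORE with no comment in the hunk saying why, while the fix now comes only from the SRCREV_glibc bump in glibc-version.inc. Add a comment beside the list naming the stable-branch commit that carries the fix (the commit message lists "elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static"), so the suppression can be checked against SRCREV_glibc and does not outlive the fix if the revision is ever moved back.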