[scarthgap,19/25] glibc: stable 2.39 branch updates

Message ID	3f86db0e4faf9519fcfcb981e57f673daeb20269.1770626074.git.yoann.congal@smile.fr
State	RFC, archived
Delegated to:	Yoann Congal
Headers	show Return-Path: <yoann.congal@smile.fr> ip: 209.85.221.43, mailfrom: yoann.congal@smile.fr) From: Yoann Congal <yoann.congal@smile.fr> To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 19/25] glibc: stable 2.39 branch updates Date: Mon, 9 Feb 2026 10:29:02 +0100 Message-ID: <3f86db0e4faf9519fcfcb981e57f673daeb20269.1770626074.git.yoann.congal@smile.fr> In-Reply-To: <cover.1770626074.git.yoann.congal@smile.fr> References: <cover.1770626074.git.yoann.congal@smile.fr> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[scarthgap,01/25] curl: fix CVE-2025-10148 \| expand [scarthgap,01/25] curl: fix CVE-2025-10148 [scarthgap,02/25] curl: patch CVE-2025-14524 [scarthgap,03/25] expat: patch CVE-2026-24515 [scarthgap,04/25] expat: patch CVE-2026-25210 [scarthgap,05/25] glib-2.0: patch CVE-2026-0988 [scarthgap,06/25] inetutils: Fix CVE-2026-24061 [scarthgap,07/25] libpng: patch CVE-2026-22695 [scarthgap,08/25] libpng: patch CVE-2026-22801 [scarthgap,09/25] libtasn1: Fix CVE-2025-13151 [scarthgap,10/25] libxml2: patch CVE-2026-0989 [scarthgap,11/25] libxml2: patch CVE-2026-0990 [scarthgap,12/25] libxml2: patch CVE-2026-0992 [scarthgap,13/25] libxml2: add follow-up patch for CVE-2026-0992 [scarthgap,14/25] python3: patch CVE-2025-13837 [scarthgap,15/25] python-urllib3: Backport fix for CVE-2026-21441 [scarthgap,16/25] zlib: ignore CVE-2026-22184 [scarthgap,17/25] ffmpeg: upgrade 6.1.3 -> 6.1.4 [scarthgap,18/25] ffmpeg: ignore CVE-2025-25469 [scarthgap,19/25] glibc: stable 2.39 branch updates [scarthgap,20/25] meta/classes: fix missing vardeps for CVE status variables [scarthgap,21/25] improve_kernel_cve_report: add script for postprocesing of kernel CVE data [scarthgap,22/25] lighttpd: Fix trailing slash on files in mod_dirlisting [scarthgap,23/25] docbook-xml-dtd4: fix the fetching failure [scarthgap,24/25] pseudo: Update to 1.9.3 release [scarthgap,25/25] libtheora: set CVE_PRODUCT

Message ID

3f86db0e4faf9519fcfcb981e57f673daeb20269.1770626074.git.yoann.congal@smile.fr

State

RFC, archived

Delegated to:

Yoann Congal

Headers

From: Yoann Congal <yoann.congal@smile.fr>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 19/25] glibc: stable 2.39 branch updates
Date: Mon,  9 Feb 2026 10:29:02 +0100
Message-ID: 
 <3f86db0e4faf9519fcfcb981e57f673daeb20269.1770626074.git.yoann.congal@smile.fr>
In-Reply-To: <cover.1770626074.git.yoann.congal@smile.fr>
References: <cover.1770626074.git.yoann.congal@smile.fr>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[scarthgap,01/25] curl: fix CVE-2025-10148 | expand

Commit Message

Yoann Congal Feb. 9, 2026, 9:29 a.m. UTC

From: Peter Marko <peter.marko@siemens.com>

git log --oneline 58cbbd43fe82910cf8ae9008351b0b0665104500..ce65d944e38a20cb70af2a48a4b8aa5d8fabe1cc
ce65d944e3 (HEAD -> release/2.39/master, origin/release/2.39/master) posix: Reset wordexp_t fields with WRDE_REUSE (CVE-2025-15281 / BZ 33814)
831f63b94c resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915)
fb22fd3f5b memalign: reinstate alignment overflow check (CVE-2026-0861)
10c0bcb3d3 support: Exit on consistency check failure in resolv_response_add_name
f47dd22366 support: Fix FILE * leak in check_for_unshare_hints in test-container
4a53354eaf sprof: fix -Wformat warnings on 32-bit hosts
beb8267909 sprof: check pread size and offset for overflow
c07002038f getaddrinfo.c: Avoid uninitialized pointer access [BZ #32465]
ae5fb93559 nptl: Optimize trylock for high cache contention workloads (BZ #33704)
efff7cb659 ppc64le: Power 10 rawmemchr clobbers v20 (bug #33091)
f6becd8ae8 ppc64le: Restore optimized strncmp for power10
0daa4e46b8 ppc64le: Restore optimized strcmp for power10
28c1de6580 AArch64: Fix instability in AdvSIMD tan
03d0393343 AArch64: Optimise SVE scalar callbacks
0d05a895f1 aarch64: fix includes in SME tests
c1dc4412f8 aarch64: fix cfi directives around __libc_arm_za_disable
d60f15dc89 aarch64: tests for SME
d1d0d09e9e aarch64: clear ZA state of SME before clone and clone3 syscalls
dbe1904b7c aarch64: define macro for calling __libc_arm_za_disable
58cf4aa421 aarch64: update tests for SME
1b3bd9a9a6 aarch64: Disable ZA state of SME in setjmp and sigsetjmp
38942a336b linux: Also check pkey_get for ENOSYS on tst-pkey (BZ 31996)
c74d59a656 aarch64: Do not link conform tests with -Wl,-z,force-bti (bug 33601)
323ad087a1 x86: fix wmemset ifunc stray '!' (bug 33542)

Testing Results:
             Before    After    Diff
PASS         4926      4921     -5
XPASS        4         4         0
FAIL         223       229      +6
XFAIL        16        16        0
UNSUPPORTED  224       224       0

Changes in failed testcases:

testcase-name                                before  after
elf/tst-audit21                              PASS    FAIL
malloc/tst-malloc-too-large                  PASS    FAIL
malloc/tst-malloc-too-large-malloc-check     PASS    FAIL
malloc/tst-malloc-too-large-malloc-hugetlb1  PASS    FAIL
malloc/tst-malloc-too-large-malloc-hugetlb2  PASS    FAIL
malloc/tst-malloc-too-large-mcheck           PASS    FAIL

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-core/glibc/glibc-version.inc | 2 +-
 meta/recipes-core/glibc/glibc_2.39.bb     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Yoann Congal Feb. 10, 2026, 3:38 p.m. UTC | #1

On Mon Feb 9, 2026 at 10:29 AM CET, Yoann Congal wrote:
> From: Peter Marko <peter.marko@siemens.com>
>
> git log --oneline 58cbbd43fe82910cf8ae9008351b0b0665104500..ce65d944e38a20cb70af2a48a4b8aa5d8fabe1cc
> ce65d944e3 (HEAD -> release/2.39/master, origin/release/2.39/master) posix: Reset wordexp_t fields with WRDE_REUSE (CVE-2025-15281 / BZ 33814)
> 831f63b94c resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915)
> fb22fd3f5b memalign: reinstate alignment overflow check (CVE-2026-0861)
> 10c0bcb3d3 support: Exit on consistency check failure in resolv_response_add_name
> f47dd22366 support: Fix FILE * leak in check_for_unshare_hints in test-container
> 4a53354eaf sprof: fix -Wformat warnings on 32-bit hosts
> beb8267909 sprof: check pread size and offset for overflow
> c07002038f getaddrinfo.c: Avoid uninitialized pointer access [BZ #32465]
> ae5fb93559 nptl: Optimize trylock for high cache contention workloads (BZ #33704)
> efff7cb659 ppc64le: Power 10 rawmemchr clobbers v20 (bug #33091)
> f6becd8ae8 ppc64le: Restore optimized strncmp for power10
> 0daa4e46b8 ppc64le: Restore optimized strcmp for power10
> 28c1de6580 AArch64: Fix instability in AdvSIMD tan
> 03d0393343 AArch64: Optimise SVE scalar callbacks
> 0d05a895f1 aarch64: fix includes in SME tests
> c1dc4412f8 aarch64: fix cfi directives around __libc_arm_za_disable
> d60f15dc89 aarch64: tests for SME
> d1d0d09e9e aarch64: clear ZA state of SME before clone and clone3 syscalls
> dbe1904b7c aarch64: define macro for calling __libc_arm_za_disable
> 58cf4aa421 aarch64: update tests for SME
> 1b3bd9a9a6 aarch64: Disable ZA state of SME in setjmp and sigsetjmp
> 38942a336b linux: Also check pkey_get for ENOSYS on tst-pkey (BZ 31996)
> c74d59a656 aarch64: Do not link conform tests with -Wl,-z,force-bti (bug 33601)
> 323ad087a1 x86: fix wmemset ifunc stray '!' (bug 33542)
>
> Testing Results:
>              Before    After    Diff
> PASS         4926      4921     -5
> XPASS        4         4         0
> FAIL         223       229      +6
> XFAIL        16        16        0
> UNSUPPORTED  224       224       0
>
> Changes in failed testcases:
>
> testcase-name                                before  after
> elf/tst-audit21                              PASS    FAIL
> malloc/tst-malloc-too-large                  PASS    FAIL
> malloc/tst-malloc-too-large-malloc-check     PASS    FAIL
> malloc/tst-malloc-too-large-malloc-hugetlb1  PASS    FAIL
> malloc/tst-malloc-too-large-malloc-hugetlb2  PASS    FAIL
> malloc/tst-malloc-too-large-mcheck           PASS    FAIL
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> ---
>  meta/recipes-core/glibc/glibc-version.inc | 2 +-
>  meta/recipes-core/glibc/glibc_2.39.bb     | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)

Hello,

When run on the autobuilder, all those new FAIL tests are PASS:
https://valkyrie.yocto.io/pub/non-release/20260209-10/testresults/qemux86-64-tc/testresults.json
I will add this info in the commit message then proceed with merge.

Regards,

>
> diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
> index 2ca15711587..03a8e5d01e3 100644
> --- a/meta/recipes-core/glibc/glibc-version.inc
> +++ b/meta/recipes-core/glibc/glibc-version.inc
> @@ -1,6 +1,6 @@
>  SRCBRANCH ?= "release/2.39/master"
>  PV = "2.39+git"
> -SRCREV_glibc ?= "58cbbd43fe82910cf8ae9008351b0b0665104500"
> +SRCREV_glibc ?= "ce65d944e38a20cb70af2a48a4b8aa5d8fabe1cc"
>  SRCREV_localedef ?= "cba02c503d7c853a38ccfb83c57e343ca5ecd7e5"
>  
>  GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git;protocol=https"
> diff --git a/meta/recipes-core/glibc/glibc_2.39.bb b/meta/recipes-core/glibc/glibc_2.39.bb
> index ff6c8f3b437..7958d64eed1 100644
> --- a/meta/recipes-core/glibc/glibc_2.39.bb
> +++ b/meta/recipes-core/glibc/glibc_2.39.bb
> @@ -18,7 +18,7 @@ easier access for another. 'ASLR bypass itself is not a vulnerability.'"
>  
>  CVE_STATUS_GROUPS += "CVE_STATUS_STABLE_BACKPORTS"
>  CVE_STATUS_STABLE_BACKPORTS = "CVE-2024-2961 CVE-2024-33599 CVE-2024-33600 CVE-2024-33601 CVE-2024-33602 CVE-2025-0395 \
> -    CVE-2025-4802 CVE-2025-5702 CVE-2025-8058"
> +    CVE-2025-4802 CVE-2025-5702 CVE-2025-8058 CVE-2025-15281 CVE-2026-0861 CVE-2026-0915"
>  CVE_STATUS_STABLE_BACKPORTS[status] = "cpe-stable-backport: fix available in used git hash"
>  
>  DEPENDS += "gperf-native bison-native"

diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
index 2ca15711587..03a8e5d01e3 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@ 
 SRCBRANCH ?= "release/2.39/master"
 PV = "2.39+git"
-SRCREV_glibc ?= "58cbbd43fe82910cf8ae9008351b0b0665104500"
+SRCREV_glibc ?= "ce65d944e38a20cb70af2a48a4b8aa5d8fabe1cc"
 SRCREV_localedef ?= "cba02c503d7c853a38ccfb83c57e343ca5ecd7e5"
 
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git;protocol=https"
diff --git a/meta/recipes-core/glibc/glibc_2.39.bb b/meta/recipes-core/glibc/glibc_2.39.bb
index ff6c8f3b437..7958d64eed1 100644
--- a/meta/recipes-core/glibc/glibc_2.39.bb
+++ b/meta/recipes-core/glibc/glibc_2.39.bb
@@ -18,7 +18,7 @@  easier access for another. 'ASLR bypass itself is not a vulnerability.'"
 
 CVE_STATUS_GROUPS += "CVE_STATUS_STABLE_BACKPORTS"
 CVE_STATUS_STABLE_BACKPORTS = "CVE-2024-2961 CVE-2024-33599 CVE-2024-33600 CVE-2024-33601 CVE-2024-33602 CVE-2025-0395 \
-    CVE-2025-4802 CVE-2025-5702 CVE-2025-8058"
+    CVE-2025-4802 CVE-2025-5702 CVE-2025-8058 CVE-2025-15281 CVE-2026-0861 CVE-2026-0915"
 CVE_STATUS_STABLE_BACKPORTS[status] = "cpe-stable-backport: fix available in used git hash"
 
 DEPENDS += "gperf-native bison-native"

[scarthgap,19/25] glibc: stable 2.39 branch updates

Commit Message

Comments

Patch