
[scarthgap,09/11] glibc: fix CVE-2025-8058

Message ID c2b63f171719e2b1c12ba049cbe776adf9e0244b.1753910853.git.steve@sakoman.com
State Accepted
Delegated to: Steve Sakoman
Series [scarthgap,01/11] gnutls: patch CVE-2025-32989

Commit Message

Steve Sakoman July 30, 2025, 9:29 p.m. UTC
From: Peter Marko <peter.marko@siemens.com>

This is a single-commit bump containing only the CVE fix.
$ git log --oneline cff1042cceec3502269947e96cf7023451af22f3..b027d5b145f1b2908f370bdb96dfe40180d0fcb6
b027d5b145 posix: Fix double-free after allocation failure in regcomp (bug 33185)

Test results didn't change except newly added test succeeding.
(tst-regcomp-bracket-free)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/glibc/glibc-version.inc | 2 +-
 meta/recipes-core/glibc/glibc_2.39.bb     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Wang, Jinfeng (CN) Sept. 26, 2025, 8:06 a.m. UTC | #1
Hi all,

With this patch, after I add INHERIT += "buildhistory" in conf/local.conf, I found the following build errors:
ERROR: glibc-2.39+git-r0.wr2413 do_packagedata: QA Issue: Package version for package ldconfig went backwards which would break package feeds (from 0:2.39+git0+cff1042cce-r0.wr2408.0 to   0:2.39+git0+b027d5b145-r0.wr2413.0) [version-going-backwards]
ERROR: glibc-2.39+git-r0.wr2413 do_packagedata: QA Issue: Package version for package ldd went backwards which would break package feeds (from 0:2.39+git0+cff1042cce-r0.wr2408.0 to 0:2.39+git0+b027d5b145-r0.wr2413.0) [version-going-backwards]
ERROR: glibc-2.39+git-r0.wr2413 do_packagedata: QA Issue: Package version for package ldso went backwards which would break package feeds (from 0:2.39+git0+cff1042cce-r0.wr2408.0 to
I found that in buildhistory.bbclass, bb.utils.vercmp((pkge, pkgv, pkgr), (last_pkge, last_pkgv, last_pkgr)) compares the versions, and the hash is part of the version.
The commit (d9b992de0da6be8e9bc26c39c4e5aa7bb9c2049e) in oe-core glibc upgrades from cff1042cce to b027d5b145. c < b, so it is treated as version-going-backwards. How should this situation be handled?

Regards,
Jinfeng

Gyorgy Sarvari Sept. 26, 2025, 5:19 p.m. UTC | #2
On 9/26/25 10:06, Wang, Jinfeng (CN) via lists.openembedded.org wrote:
> Hi all,
>  
> With this patch, after I add INHERIT += "buildhistory" in
> conf/local.conf, I found the following build errors:
>   ERROR: glibc-2.39+git-r0.wr2413 do_packagedata: QA Issue: Package
> version for package ldconfig went backwards which would break package
> feeds (from 0:2.39+git0+cff1042cce-r0.wr2408.0 to  
> 0:2.39+git0+b027d5b145-r0.wr2413.0) [version-going-backwards]
>   ERROR: glibc-2.39+git-r0.wr2413 do_packagedata: QA Issue: Package
> version for package ldd went backwards which would break package feeds
> (from 0:2.39+git0+cff1042cce-r0.wr2408.0 to
> 0:2.39+git0+b027d5b145-r0.wr2413.0) [version-going-backwards]
>   ERROR: glibc-2.39+git-r0.wr2413 do_packagedata: QA Issue: Package
> version for package ldso went backwards which would break package
> feeds (from 0:2.39+git0+cff1042cce-r0.wr2408.0 to 
> I found that in buildhistory.bbclass, bb.utils.vercmp((pkge, pkgv,
> pkgr), (last_pkge, last_pkgv, last_pkgr)) compares the versions, and
> the hash is part of the version.
> The commit (d9b992de0da6be8e9bc26c39c4e5aa7bb9c2049e) in oe-core glibc
> upgrades from cff1042cce to b027d5b145. c < b, so it is treated as
> version-going-backwards. How should this situation be handled?

I think this is more of a general behavior of all packages using the
+git PV postfix. I suspect using buildhistory has an implied requirement
of using the PR service too? That is supposed to set an increasing number
in the "git0" part (instead of the static 0), which should ensure that
it's a monotonic sequence.
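
Added example, not part of the thread and not OpenEmbedded code: a simplified version comparator (a stand-in, not bb.utils.vercmp itself) applied to the two version strings from the QA errors, showing why a static "git0" lets the hash decide the ordering and an increasing counter does not. The names tokens, compare, pkgv and backwards_bumps, the "git1" value and the generated hashes are assumptions made for the illustration.

```python
import hashlib
import re

# Simplified stand-in for a package-version comparison (NOT bb.utils.vercmp):
# digit runs compare as integers, letter runs as strings, the rest as separators.
_TOKEN = re.compile(r"(\d+)|([A-Za-z]+)|(.)")

def tokens(version):
    """Split a version into (kind, value) pairs: 0 number, 1 letters, 2 separator."""
    out = []
    for num, alpha, sep in _TOKEN.findall(version):
        if num:
            out.append((0, int(num)))
        elif alpha:
            out.append((1, alpha))
        else:
            out.append((2, sep))
    return out

def compare(a, b):
    """Return -1, 0 or 1 as a sorts before, equal to or after b."""
    ta, tb = tokens(a), tokens(b)
    return (ta > tb) - (ta < tb)

def pkgv(short_hash, counter=0):
    """Version in the shape shown in the QA errors: 2.39+git<counter>+<hash>."""
    return f"2.39+git{counter}+{short_hash}"

def backwards_bumps(n, increasing_counter):
    """Count how many of n consecutive SRCREV bumps sort below their predecessor."""
    # Constructed hashes: SHA-1 of a number, cut to 10 hex digits like the page's.
    hashes = [hashlib.sha1(str(i).encode()).hexdigest()[:10] for i in range(n + 1)]
    count = 0
    for i in range(1, n + 1):
        old = pkgv(hashes[i - 1], i - 1 if increasing_counter else 0)
        new = pkgv(hashes[i], i if increasing_counter else 0)
        count += compare(new, old) < 0
    return count

if __name__ == "__main__":
    old = pkgv("cff1042cce")                        # hashes taken from the thread
    print(compare(pkgv("b027d5b145"), old))         # static git0: the hash decides
    print(compare(pkgv("b027d5b145", 1), old))      # git1 is an assumed counter value
    print(backwards_bumps(200, False), backwards_bumps(200, True))
```

With the static counter a security bump is as likely to sort below the vulnerable version as above it, so a feed client may keep the old package.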

Patch

diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
index 6ee9fc7a0b..89e532fd67 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@ 
 SRCBRANCH ?= "release/2.39/master"
 PV = "2.39+git"
-SRCREV_glibc ?= "cff1042cceec3502269947e96cf7023451af22f3"
+SRCREV_glibc ?= "b027d5b145f1b2908f370bdb96dfe40180d0fcb6"
 SRCREV_localedef ?= "fab74f31b3811df543e24b6de47efdf45b538abc"
 
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git;protocol=https"
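Review bot: PV stays "2.39+git" while SRCREV_glibc moves from cff1042c... to b027d5b1..., so the version part of the resulting packages changes only in the abbreviated hash, and b027d5b145 sorts below cff1042cce. That is the version-going-backwards QA error reported in comment #1. Nothing in this hunk keeps the version increasing, so the commit message should say that package feeds built from this branch depend on something other than the hash for ordering (comment #2 suggests the PR service), otherwise a feed client can stay on the build without the CVE-2025-8058 fix.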
diff --git a/meta/recipes-core/glibc/glibc_2.39.bb b/meta/recipes-core/glibc/glibc_2.39.bb
index c87eb76f41..ff6c8f3b43 100644
--- a/meta/recipes-core/glibc/glibc_2.39.bb
+++ b/meta/recipes-core/glibc/glibc_2.39.bb
@@ -18,7 +18,7 @@  easier access for another. 'ASLR bypass itself is not a vulnerability.'"
 
 CVE_STATUS_GROUPS += "CVE_STATUS_STABLE_BACKPORTS"
 CVE_STATUS_STABLE_BACKPORTS = "CVE-2024-2961 CVE-2024-33599 CVE-2024-33600 CVE-2024-33601 CVE-2024-33602 CVE-2025-0395 \
-    CVE-2025-4802 CVE-2025-5702"
+    CVE-2025-4802 CVE-2025-5702 CVE-2025-8058"
 CVE_STATUS_STABLE_BACKPORTS[status] = "cpe-stable-backport: fix available in used git hash"
 
 DEPENDS += "gperf-native bison-native"
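Review bot: the CVE-2025-8058 entry added to CVE_STATUS_STABLE_BACKPORTS holds only while SRCREV_glibc in glibc-version.inc is at or past b027d5b145, and the flat list gives no hint which upstream commit covers which CVE. A short comment next to the list naming the fixing commit (b027d5b145, bug 33185, per the commit message) would let whoever next bumps or reverts SRCREV_glibc verify the "fix available in used git hash" status instead of trusting it.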