glibc: Fix nscd breakage and patch CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 (#9051)

This commit does 3 things: address ipv6 breakage with nscd due to previous CVE fix, reformat previous CVE patches, and patch 4 new CVEs The ipv6 w/ nscd breakage was due to CVE-2023-4806's patch and caused wrong results with IPv6 addresses when using nscd. The patch mixes up the variables i and count. Therefore backport the fix (227c903). Additionally, the above fix highlighted that our original patches for CVE-2023-4806 and CVE-2023-5156 were malformed. Specifically, the CVE-2023-4806 patch which updates "/sysdeps/posix/getaddrinfo.c.” to latest from glibc-2.35 (commit 17092c0) did not include the changes to other files (mostly additional tests so impact was low) but did partially include CVE-2023-5156's changes. To fix, regenerate both patches based on commits from upstream stable 2.35. Finally, this PR applies patches for CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602
2024-05-10 18:50:52 -07:00 · 2024-05-10 18:50:52 -07:00 · 332adb9675
--- a/SPECS-EXTENDED/buildah/buildah.spec
+++ b/SPECS-EXTENDED/buildah/buildah.spec
@ -21,7 +21,7 @@
 Summary:        A command line tool used for creating OCI Images
 Name:           buildah
 Version:        1.18.0
-Release:        22%{?dist}
+Release:        23%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -32,7 +32,7 @@ BuildRequires:  btrfs-progs-devel
 BuildRequires:  device-mapper-devel
 BuildRequires:  git
 BuildRequires:  glib2-devel
-BuildRequires:  glibc-static >= 2.35-6%{?dist}
+BuildRequires:  glibc-static >= 2.35-7%{?dist}
 BuildRequires:  go-md2man
 BuildRequires:  go-rpm-macros
 BuildRequires:  golang
@ -123,6 +123,9 @@ cp imgtype %{buildroot}/%{_bindir}/%{name}-imgtype
 %{_datadir}/%{name}/test
 %changelog
 * Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 1.18.0-23
 - Bump release to rebuild against glibc 2.35-7
 * Fri Feb 02 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.18.0-22
 - Bump release to rebuild with go 1.21.6
--- a/SPECS-EXTENDED/catatonit/catatonit.spec
+++ b/SPECS-EXTENDED/catatonit/catatonit.spec
@ -3,7 +3,7 @@ Distribution:   Mariner
 Name: catatonit
 Version: 0.1.7
-Release: 9%{?dist}
+Release: 10%{?dist}
 Summary: A signal-forwarding process manager for containers
 License: GPLv3+
 URL: https://github.com/openSUSE/catatonit
@ -13,7 +13,7 @@ BuildRequires: automake
 BuildRequires: file
 BuildRequires: gcc
 BuildRequires: git
-BuildRequires: glibc-static >= 2.35-6%{?dist}
+BuildRequires: glibc-static >= 2.35-7%{?dist}
 BuildRequires: libtool
 BuildRequires: make
@ -61,6 +61,9 @@ ln -s %{_libexecdir}/%{name}/%{name} %{buildroot}%{_libexecdir}/podman/%{name}
 %{_libexecdir}/podman/%{name}
 %changelog
 * Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 0.1.7-10
 - Bump release to rebuild against glibc 2.35-7
 * Wed Oct 04 2023 Minghe Ren <mingheren@microsoft.com> - 0.1.7-9
 - Bump release to rebuild against glibc 2.35-6
--- a/SPECS-EXTENDED/dyninst/dyninst.spec
+++ b/SPECS-EXTENDED/dyninst/dyninst.spec
@ -1,7 +1,7 @@
 Summary: An API for Run-time Code Generation
 License: LGPLv2+
 Name: dyninst
-Release: 11%{?dist}
+Release: 12%{?dist}
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL: http://www.dyninst.org
@ -31,7 +31,7 @@ BuildRequires: tbb tbb-devel
 # Extra requires just for the testsuite
 BuildRequires: gcc-gfortran libstdc++-static libxml2-devel
-BuildRequires: glibc-static >= 2.35-6%{?dist}
+BuildRequires: glibc-static >= 2.35-7%{?dist}
 # Testsuite files should not provide/require anything
 %{?filter_setup:
@ -194,6 +194,9 @@ echo "%{_libdir}/dyninst" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 %attr(644,root,root) %{_libdir}/dyninst/testsuite/*.a
 %changelog
 * Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 10.1.0-12
 - Bump release to rebuild against glibc 2.35-7
 * Wed Oct 04 2023 Minghe Ren <mingheren@microsoft.com> - 10.1.0-11
 - Bump release to rebuild against glibc 2.35-6
--- a/SPECS-EXTENDED/podman/podman.spec
+++ b/SPECS-EXTENDED/podman/podman.spec
@ -36,7 +36,7 @@
 Name:           podman
 Version:        4.1.1
-Release:        19%{?dist}
+Release:        20%{?dist}
 License:        ASL 2.0 and BSD and ISC and MIT and MPLv2.0
 Summary:        Manage Pods, Containers and Container Images
 Vendor:         Microsoft Corporation
@ -51,7 +51,7 @@ BuildRequires:  go-md2man
 BuildRequires:  golang
 BuildRequires:  gcc
 BuildRequires:  glib2-devel
-BuildRequires:  glibc-static >= 2.35-6%{?dist}
+BuildRequires:  glibc-static >= 2.35-7%{?dist}
 BuildRequires:  git
 BuildRequires:  go-rpm-macros
 BuildRequires:  gpgme-devel
@ -387,6 +387,9 @@ cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/
 # rhcontainerbot account currently managed by lsm5
 %changelog
 * Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 4.1.1-20
 - Bump release to rebuild against glibc 2.35-7
 * Fri Feb 02 2024 Muhammad Falak <mwani@microsoft.com> - 4.1.1-19
 - Bump release to rebuild with go 1.21.6
 - Bump version of gvproxy to enable build with go1.21
--- a/SPECS/busybox/busybox.spec
+++ b/SPECS/busybox/busybox.spec
@ -1,7 +1,7 @@
 Summary:        Statically linked binary providing simplified versions of system commands
 Name:           busybox
 Version:        1.35.0
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -18,7 +18,7 @@ Patch5:         ash-fix-use-after-free-in-bash-pattern-substitution.patch
 Patch6:         selinux-copy-file.patch
 Patch7:         selinux-cp-a.patch
 BuildRequires:  gcc
-BuildRequires:  glibc-static >= 2.35-6%{?dist}
+BuildRequires:  glibc-static >= 2.35-7%{?dist}
 BuildRequires:  libselinux-devel >= 1.27.7-2
 BuildRequires:  libsepol-devel
 # libbb/hash_md5_sha.c
@ -96,6 +96,9 @@ install -m 644 docs/busybox.petitboot.1 %{buildroot}/%{_mandir}/man1/busybox.pet
 %{_mandir}/man1/busybox.petitboot.1.gz
 %changelog
 * Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 1.35.0-10
 - Bump release to rebuild against glibc 2.35-7
 * Thu Nov 16 2023 Chris PeBenito <chpebeni@microsoft.com> - 1.35.0-9
 - Enable SELinux features.
 - Improve SELinux behavior for copy funtions.
--- a/SPECS/flannel/flannel.spec
+++ b/SPECS/flannel/flannel.spec
@ -4,7 +4,7 @@
 Summary:        Simple and easy way to configure a layer 3 network fabric designed for Kubernetes
 Name:           flannel
 Version:        0.14.0
-Release:        21%{?dist}
+Release:        22%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -16,7 +16,7 @@ Patch0:         CVE-2021-44716.patch
 BuildRequires:  gcc
 BuildRequires:  glibc-devel
-BuildRequires:  glibc-static >= 2.35-6%{?dist}
+BuildRequires:  glibc-static >= 2.35-7%{?dist}
 BuildRequires:  golang >= 1.18.5
 BuildRequires:  kernel-headers
@ -49,6 +49,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./dist/flanneld
 %{_bindir}/flanneld
 %changelog
 * Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 0.10.0-22
 - Bump release to rebuild against glibc 2.35-7
 * Mon Feb 05 2024 Osama Esmail <osamaesmail@microsoft.com> - 0.14.0-21
 - Patching CVE-2021-44716
--- a/SPECS/glibc/CVE-2023-4806.patch
+++ b/SPECS/glibc/CVE-2023-4806.patch
--- a/SPECS/glibc/CVE-2023-5156.patch
+++ b/SPECS/glibc/CVE-2023-5156.patch
@ -19,12 +19,13 @@ Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
 sysdeps/posix/getaddrinfo.c     |  4 +---
 3 files changed, 24 insertions(+), 3 deletions(-)
-diff -ruN a/nss/Makefile b/nss/Makefile
+diff --git a/nss/Makefile b/nss/Makefile
--- a/nss/Makefile	2023-10-03 16:02:01.212592000 -0700
+index ed1c05158e..6cac7dd83b 100644
-+++ b/nss/Makefile	2023-10-03 18:03:01.994397600 -0700
+--- a/nss/Makefile
-@@ -136,6 +136,15 @@
+++ b/nss/Makefile
- extra-test-objs                += nss_test1.os nss_test2.os nss_test_errno.os \
+@@ -147,6 +147,15 @@ endif
-                           nss_test_gai_hv2_canonname.os
+ extra-test-objs		+= nss_test1.os nss_test2.os nss_test_errno.os \
 			   nss_test_gai_hv2_canonname.os
 +ifeq ($(run-built-tests),yes)
 +ifneq (no,$(PERL))
@ -33,12 +34,12 @@ diff -ruN a/nss/Makefile b/nss/Makefile
 +endif
 +
 +generated += mtrace-tst-nss-gai-hv2-canonname.out \
-+               tst-nss-gai-hv2-canonname.mtrace
+		tst-nss-gai-hv2-canonname.mtrace
 +
 include ../Rules
 ifeq (yes,$(have-selinux))
-@@ -198,6 +207,17 @@
+@@ -215,6 +224,17 @@ endif
 $(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so
 $(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so
@ -56,6 +57,8 @@ diff -ruN a/nss/Makefile b/nss/Makefile
 # Disable DT_RUNPATH on NSS tests so that the glibc internal NSS
 # functions can load testing NSS modules via DT_RPATH.
 LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags
 diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c
 index d5f10c07d6..7db53cf09d 100644
 --- a/nss/tst-nss-gai-hv2-canonname.c
 +++ b/nss/tst-nss-gai-hv2-canonname.c
@@ -21,6 +21,7 @@
@ -75,25 +78,20 @@ diff -ruN a/nss/Makefile b/nss/Makefile
   __nss_configure_lookup ("hosts", "test_gai_hv2_canonname");
   struct addrinfo hints = {};
-diff -ruN a/NEWS b/NEWS
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
--- a/NEWS	2022-02-02 21:27:54.000000000 -0800
+index ad7891a953..f4c08d6e3b 100644
-+++ b/NEWS	2023-10-03 20:04:28.294207226 -0700
+--- a/sysdeps/posix/getaddrinfo.c
-@@ -5,6 +5,18 @@
+++ b/sysdeps/posix/getaddrinfo.c
- Please send GNU C library bug reports via <https://sourceware.org/bugzilla/>
+@@ -1196,9 +1196,7 @@ free_and_return:
- using `glibc' in the "product" field.
+   if (malloc_name)
- 
+     free ((char *) name);
-+
+   free (addrmem);
-+Security related changes:
+-  if (res.free_at)
-+
+-    free (res.at);
-+  CVE-2023-4806: When an NSS plugin only implements the
+-  free (res.canon);
-+  _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use
+  gaih_result_reset (&res);
 +  memory that was freed during buffer resizing, potentially causing a
 +  crash or read or write to arbitrary memory.
 +
 +  CVE-2023-5156: The fix for CVE-2023-4806 introduced a memory leak when
 +  an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
 +  AI_ALL and AI_V4MAPPED flags set.
 +
 Version 2.35
- Major new features:
+   return result;
 }
 -- 
 2.39.3
--- a/SPECS/glibc/CVE-2024-33599.patch
+++ b/SPECS/glibc/CVE-2024-33599.patch
@ -0,0 +1,37 @@
 From 7a95873543ce225376faf13bb71c43dea6d24f86 Mon Sep 17 00:00:00 2001
 From: Florian Weimer <fweimer@redhat.com>
 Date: Thu, 25 Apr 2024 15:00:45 +0200
 Subject: [PATCH] CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup
 cache (bug 31677)
 Using alloca matches what other caches do.  The request length is
 bounded by MAXKEYLEN.
 Reviewed-by: Carlos O'Donell <carlos@redhat.com>
 (cherry picked from commit 87801a8fd06db1d654eea3e4f7626ff476a9bdaa)
 ---
 nscd/netgroupcache.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
 index 85977521a6..f0de064368 100644
 --- a/nscd/netgroupcache.c
 +++ b/nscd/netgroupcache.c
@@ -502,12 +502,13 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
       = (struct indataset *) mempool_alloc (db,
 					    sizeof (*dataset) + req->key_len,
 					    1);
 -  struct indataset dataset_mem;
   bool cacheable = true;
   if (__glibc_unlikely (dataset == NULL))
     {
       cacheable = false;
 -      dataset = &dataset_mem;
 +      /* The alloca is safe because nscd_run_worker verfies that
 +	 key_len is not larger than MAXKEYLEN.  */
 +      dataset = alloca (sizeof (*dataset) + req->key_len);
     }
   datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
 -- 
 2.39.3
--- a/SPECS/glibc/CVE-2024-33600.patch
+++ b/SPECS/glibc/CVE-2024-33600.patch
@ -0,0 +1,119 @@
 PATCH [1/2]
 From 4370bef52b0f3f3652c6aa13d7a9bb3ac079746d Mon Sep 17 00:00:00 2001
 From: Florian Weimer <fweimer@redhat.com>
 Date: Thu, 25 Apr 2024 15:01:07 +0200
 Subject: [PATCH] CVE-2024-33600: nscd: Do not send missing not-found response
 in addgetnetgrentX (bug 31678)
 If we failed to add a not-found response to the cache, the dataset
 point can be null, resulting in a null pointer dereference.
 Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
 (cherry picked from commit 7835b00dbce53c3c87bbbb1754a95fb5e58187aa)
 ---
 nscd/netgroupcache.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
 diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
 index f0de064368..a64b5930d5 100644
 --- a/nscd/netgroupcache.c
 +++ b/nscd/netgroupcache.c
@@ -147,7 +147,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
       /* No such service.  */
       cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout,
 			       &key_copy);
 -      goto writeout;
 +      goto maybe_cache_add;
     }
   memset (&data, '\0', sizeof (data));
@@ -348,7 +348,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
     {
       cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout,
 			       &key_copy);
 -      goto writeout;
 +      goto maybe_cache_add;
     }
   total = buffilled;
@@ -410,14 +410,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
   }
   if (he == NULL && fd != -1)
 -    {
 -      /* We write the dataset before inserting it to the database
 -	 since while inserting this thread might block and so would
 -	 unnecessarily let the receiver wait.  */
 -    writeout:
 +    /* We write the dataset before inserting it to the database since
 +       while inserting this thread might block and so would
 +       unnecessarily let the receiver wait.  */
       writeall (fd, &dataset->resp, dataset->head.recsize);
 -    }
 + maybe_cache_add:
   if (cacheable)
     {
       /* If necessary, we also propagate the data to disk.  */
 -- 
 2.39.3
 PATCH [2/2]
 From bafadc589fbe21ae330e8c2af74db9da44a17660 Mon Sep 17 00:00:00 2001
 From: Florian Weimer <fweimer@redhat.com>
 Date: Thu, 25 Apr 2024 15:01:07 +0200
 Subject: [PATCH] CVE-2024-33600: nscd: Avoid null pointer crashes after
 notfound response (bug 31678)
 The addgetnetgrentX call in addinnetgrX may have failed to produce
 a result, so the result variable in addinnetgrX can be NULL.
 Use db->negtimeout as the fallback value if there is no result data;
 the timeout is also overwritten below.
 Also avoid sending a second not-found response.  (The client
 disconnects after receiving the first response, so the data stream did
 not go out of sync even without this fix.)  It is still beneficial to
 add the negative response to the mapping, so that the client can get
 it from there in the future, instead of going through the socket.
 Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
 (cherry picked from commit b048a482f088e53144d26a61c390bed0210f49f2)
 ---
 nscd/netgroupcache.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
 diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
 index a64b5930d5..787e44d851 100644
 --- a/nscd/netgroupcache.c
 +++ b/nscd/netgroupcache.c
@@ -511,14 +511,15 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
   datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
 		     sizeof (innetgroup_response_header),
 -		     he == NULL ? 0 : dh->nreloads + 1, result->head.ttl);
 +		     he == NULL ? 0 : dh->nreloads + 1,
 +		     result == NULL ? db->negtimeout : result->head.ttl);
   /* Set the notfound status and timeout based on the result from
      getnetgrent.  */
 -  dataset->head.notfound = result->head.notfound;
 +  dataset->head.notfound = result == NULL || result->head.notfound;
   dataset->head.timeout = timeout;
   dataset->resp.version = NSCD_VERSION;
 -  dataset->resp.found = result->resp.found;
 +  dataset->resp.found = result != NULL && result->resp.found;
   /* Until we find a matching entry the result is 0.  */
   dataset->resp.result = 0;
@@ -566,7 +567,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
       goto out;
     }
 -  if (he == NULL)
 +  /* addgetnetgrentX may have already sent a notfound response.  Do
 +     not send another one.  */
 +  if (he == NULL && dataset->resp.found)
     {
       /* We write the dataset before inserting it to the database
 	 since while inserting this thread might block and so would
 -- 
 2.39.3
--- a/SPECS/glibc/CVE-2024-33601.patch
+++ b/SPECS/glibc/CVE-2024-33601.patch
@ -0,0 +1,389 @@
 From 7a5864cac60e06000394128a5a2817b03542f5a3 Mon Sep 17 00:00:00 2001
 From: Florian Weimer <fweimer@redhat.com>
 Date: Thu, 25 Apr 2024 15:01:07 +0200
 Subject: [PATCH] CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two
 buffers in addgetnetgrentX (bug 31680)
 This avoids potential memory corruption when the underlying NSS
 callback function does not use the buffer space to store all strings
 (e.g., for constant strings).
 Instead of custom buffer management, two scratch buffers are used.
 This increases stack usage somewhat.
 Scratch buffer allocation failure is handled by return -1
 (an invalid timeout value) instead of terminating the process.
 This fixes bug 31679.
 Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
 (cherry picked from commit c04a21e050d64a1193a6daab872bca2528bda44b)
 ---
 nscd/netgroupcache.c | 219 ++++++++++++++++++++++++-------------------
 1 file changed, 121 insertions(+), 98 deletions(-)
 diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
 index 787e44d851..aaabbbb003 100644
 --- a/nscd/netgroupcache.c
 +++ b/nscd/netgroupcache.c
@@ -23,6 +23,7 @@
 #include <stdlib.h>
 #include <unistd.h>
 #include <sys/mman.h>
 +#include <scratch_buffer.h>
 #include "../inet/netgroup.h"
 #include "nscd.h"
@@ -65,6 +66,16 @@ struct dataset
   char strdata[0];
 };
 +/* Send a notfound response to FD.  Always returns -1 to indicate an
 +   ephemeral error.  */
 +static time_t
 +send_notfound (int fd)
 +{
 +  if (fd != -1)
 +    TEMP_FAILURE_RETRY (send (fd, &notfound, sizeof (notfound), MSG_NOSIGNAL));
 +  return -1;
 +}
 +
 /* Sends a notfound message and prepares a notfound dataset to write to the
    cache.  Returns true if there was enough memory to allocate the dataset and
    returns the dataset in DATASETP, total bytes to write in TOTALP and the
@@ -83,8 +94,7 @@ do_notfound (struct database_dyn *db, int fd, request_header *req,
   total = sizeof (notfound);
   timeout = time (NULL) + db->negtimeout;
 -  if (fd != -1)
 -    TEMP_FAILURE_RETRY (send (fd, &notfound, total, MSG_NOSIGNAL));
 +  send_notfound (fd);
   dataset = mempool_alloc (db, sizeof (struct dataset) + req->key_len, 1);
   /* If we cannot permanently store the result, so be it.  */
@@ -109,11 +119,78 @@ do_notfound (struct database_dyn *db, int fd, request_header *req,
   return cacheable;
 }
 +struct addgetnetgrentX_scratch
 +{
 +  /* This is the result that the caller should use.  It can be NULL,
 +     point into buffer, or it can be in the cache.  */
 +  struct dataset *dataset;
 +
 +  struct scratch_buffer buffer;
 +
 +  /* Used internally in addgetnetgrentX as a staging area.  */
 +  struct scratch_buffer tmp;
 +
 +  /* Number of bytes in buffer that are actually used.  */
 +  size_t buffer_used;
 +};
 +
 +static void
 +addgetnetgrentX_scratch_init (struct addgetnetgrentX_scratch *scratch)
 +{
 +  scratch->dataset = NULL;
 +  scratch_buffer_init (&scratch->buffer);
 +  scratch_buffer_init (&scratch->tmp);
 +
 +  /* Reserve space for the header.  */
 +  scratch->buffer_used = sizeof (struct dataset);
 +  static_assert (sizeof (struct dataset) < sizeof (scratch->tmp.__space),
 +		 "initial buffer space");
 +  memset (scratch->tmp.data, 0, sizeof (struct dataset));
 +}
 +
 +static void
 +addgetnetgrentX_scratch_free (struct addgetnetgrentX_scratch *scratch)
 +{
 +  scratch_buffer_free (&scratch->buffer);
 +  scratch_buffer_free (&scratch->tmp);
 +}
 +
 +/* Copy LENGTH bytes from S into SCRATCH.  Returns NULL if SCRATCH
 +   could not be resized, otherwise a pointer to the copy.  */
 +static char *
 +addgetnetgrentX_append_n (struct addgetnetgrentX_scratch *scratch,
 +			  const char *s, size_t length)
 +{
 +  while (true)
 +    {
 +      size_t remaining = scratch->buffer.length - scratch->buffer_used;
 +      if (remaining >= length)
 +	break;
 +      if (!scratch_buffer_grow_preserve (&scratch->buffer))
 +	return NULL;
 +    }
 +  char *copy = scratch->buffer.data + scratch->buffer_used;
 +  memcpy (copy, s, length);
 +  scratch->buffer_used += length;
 +  return copy;
 +}
 +
 +/* Copy S into SCRATCH, including its null terminator.  Returns false
 +   if SCRATCH could not be resized.  */
 +static bool
 +addgetnetgrentX_append (struct addgetnetgrentX_scratch *scratch, const char *s)
 +{
 +  if (s == NULL)
 +    s = "";
 +  return addgetnetgrentX_append_n (scratch, s, strlen (s) + 1) != NULL;
 +}
 +
 +/* Caller must initialize and free *SCRATCH.  If the return value is
 +   negative, this function has sent a notfound response.  */
 static time_t
 addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
 		 const char *key, uid_t uid, struct hashentry *he,
 -		 struct datahead *dh, struct dataset **resultp,
 -		 void **tofreep)
 +		 struct datahead *dh, struct addgetnetgrentX_scratch *scratch)
 {
   if (__glibc_unlikely (debug_level > 0))
     {
@@ -132,14 +209,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
   char *key_copy = NULL;
   struct __netgrent data;
 -  size_t buflen = MAX (1024, sizeof (*dataset) + req->key_len);
 -  size_t buffilled = sizeof (*dataset);
 -  char *buffer = NULL;
   size_t nentries = 0;
   size_t group_len = strlen (key) + 1;
   struct name_list *first_needed
     = alloca (sizeof (struct name_list) + group_len);
 -  *tofreep = NULL;
   if (netgroup_database == NULL
       && !__nss_database_get (nss_database_netgroup, &netgroup_database))
@@ -151,8 +224,6 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
     }
   memset (&data, '\0', sizeof (data));
 -  buffer = xmalloc (buflen);
 -  *tofreep = buffer;
   first_needed->next = first_needed;
   memcpy (first_needed->name, key, group_len);
   data.needed_groups = first_needed;
@@ -195,8 +266,8 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
 		while (1)
 		  {
 		    int e;
 -		    status = getfct.f (&data, buffer + buffilled,
 -				       buflen - buffilled - req->key_len, &e);
 +		    status = getfct.f (&data, scratch->tmp.data,
 +				       scratch->tmp.length, &e);
 		    if (status == NSS_STATUS_SUCCESS)
 		      {
 			if (data.type == triple_val)
@@ -204,68 +275,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
 			    const char *nhost = data.val.triple.host;
 			    const char *nuser = data.val.triple.user;
 			    const char *ndomain = data.val.triple.domain;
 -
 -			    size_t hostlen = strlen (nhost ?: "") + 1;
 -			    size_t userlen = strlen (nuser ?: "") + 1;
 -			    size_t domainlen = strlen (ndomain ?: "") + 1;
 -
 -			    if (nhost == NULL || nuser == NULL || ndomain == NULL
 -				|| nhost > nuser || nuser > ndomain)
 -			      {
 -				const char *last = nhost;
 -				if (last == NULL
 -				    || (nuser != NULL && nuser > last))
 -				  last = nuser;
 -				if (last == NULL
 -				    || (ndomain != NULL && ndomain > last))
 -				  last = ndomain;
 -
 -				size_t bufused
 -				  = (last == NULL
 -				     ? buffilled
 -				     : last + strlen (last) + 1 - buffer);
 -
 -				/* We have to make temporary copies.  */
 -				size_t needed = hostlen + userlen + domainlen;
 -
 -				if (buflen - req->key_len - bufused < needed)
 -				  {
 -				    buflen += MAX (buflen, 2 * needed);
 -				    /* Save offset in the old buffer.  We don't
 -				       bother with the NULL check here since
 -				       we'll do that later anyway.  */
 -				    size_t nhostdiff = nhost - buffer;
 -				    size_t nuserdiff = nuser - buffer;
 -				    size_t ndomaindiff = ndomain - buffer;
 -
 -				    char *newbuf = xrealloc (buffer, buflen);
 -				    /* Fix up the triplet pointers into the new
 -				       buffer.  */
 -				    nhost = (nhost ? newbuf + nhostdiff
 -					     : NULL);
 -				    nuser = (nuser ? newbuf + nuserdiff
 -					     : NULL);
 -				    ndomain = (ndomain ? newbuf + ndomaindiff
 -					       : NULL);
 -				    *tofreep = buffer = newbuf;
 -				  }
 -
 -				nhost = memcpy (buffer + bufused,
 -						nhost ?: "", hostlen);
 -				nuser = memcpy ((char *) nhost + hostlen,
 -						nuser ?: "", userlen);
 -				ndomain = memcpy ((char *) nuser + userlen,
 -						  ndomain ?: "", domainlen);
 -			      }
 -
 -			    char *wp = buffer + buffilled;
 -			    wp = memmove (wp, nhost ?: "", hostlen);
 -			    wp += hostlen;
 -			    wp = memmove (wp, nuser ?: "", userlen);
 -			    wp += userlen;
 -			    wp = memmove (wp, ndomain ?: "", domainlen);
 -			    wp += domainlen;
 -			    buffilled = wp - buffer;
 +			    if (!(addgetnetgrentX_append (scratch, nhost)
 +				  && addgetnetgrentX_append (scratch, nuser)
 +				  && addgetnetgrentX_append (scratch, ndomain)))
 +			      return send_notfound (fd);
 			    ++nentries;
 			  }
 			else
@@ -317,8 +330,8 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
 		      }
 		    else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE)
 		      {
 -			buflen *= 2;
 -			*tofreep = buffer = xrealloc (buffer, buflen);
 +			if (!scratch_buffer_grow (&scratch->tmp))
 +			  return send_notfound (fd);
 		      }
 		    else if (status == NSS_STATUS_RETURN
 			     || status == NSS_STATUS_NOTFOUND
@@ -351,10 +364,17 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
       goto maybe_cache_add;
     }
 -  total = buffilled;
 +  /* Capture the result size without the key appended.   */
 +  total = scratch->buffer_used;
 +
 +  /* Make a copy of the key.  The scratch buffer must not move after
 +     this point.  */
 +  key_copy = addgetnetgrentX_append_n (scratch, key, req->key_len);
 +  if (key_copy == NULL)
 +    return send_notfound (fd);
   /* Fill in the dataset.  */
 -  dataset = (struct dataset *) buffer;
 +  dataset = scratch->buffer.data;
   timeout = datahead_init_pos (&dataset->head, total + req->key_len,
 			       total - offsetof (struct dataset, resp),
 			       he == NULL ? 0 : dh->nreloads + 1,
@@ -363,11 +383,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
   dataset->resp.version = NSCD_VERSION;
   dataset->resp.found = 1;
   dataset->resp.nresults = nentries;
 -  dataset->resp.result_len = buffilled - sizeof (*dataset);
 -
 -  assert (buflen - buffilled >= req->key_len);
 -  key_copy = memcpy (buffer + buffilled, key, req->key_len);
 -  buffilled += req->key_len;
 +  dataset->resp.result_len = total - sizeof (*dataset);
   /* Now we can determine whether on refill we have to create a new
      record or not.  */
@@ -398,7 +414,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
     if (__glibc_likely (newp != NULL))
       {
 	/* Adjust pointer into the memory block.  */
 -	key_copy = (char *) newp + (key_copy - buffer);
 +	key_copy = (char *) newp + (key_copy - (char *) dataset);
 	dataset = memcpy (newp, dataset, total + req->key_len);
 	cacheable = true;
@@ -439,7 +455,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
     }
  out:
 -  *resultp = dataset;
 +  scratch->dataset = dataset;
   return timeout;
 }
@@ -460,6 +476,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
   if (user != NULL)
     key = (char *) rawmemchr (key, '\0') + 1;
   const char *domain = *key++ ? key : NULL;
 +  struct addgetnetgrentX_scratch scratch;
 +
 +  addgetnetgrentX_scratch_init (&scratch);
   if (__glibc_unlikely (debug_level > 0))
     {
@@ -475,12 +494,8 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
 							    group, group_len,
 							    db, uid);
   time_t timeout;
 -  void *tofree;
   if (result != NULL)
 -    {
 -      timeout = result->head.timeout;
 -      tofree = NULL;
 -    }
 +    timeout = result->head.timeout;
   else
     {
       request_header req_get =
@@ -489,7 +504,10 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
 	  .key_len = group_len
 	};
       timeout = addgetnetgrentX (db, -1, &req_get, group, uid, NULL, NULL,
 -				 &result, &tofree);
 +				 &scratch);
 +      result = scratch.dataset;
 +      if (timeout < 0)
 +	goto out;
     }
   struct indataset
@@ -603,7 +621,7 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
     }
  out:
 -  free (tofree);
 +  addgetnetgrentX_scratch_free (&scratch);
   return timeout;
 }
@@ -613,11 +631,12 @@ addgetnetgrentX_ignore (struct database_dyn *db, int fd, request_header *req,
 			const char *key, uid_t uid, struct hashentry *he,
 			struct datahead *dh)
 {
 -  struct dataset *ignore;
 -  void *tofree;
 -  time_t timeout = addgetnetgrentX (db, fd, req, key, uid, he, dh,
 -				    &ignore, &tofree);
 -  free (tofree);
 +  struct addgetnetgrentX_scratch scratch;
 +  addgetnetgrentX_scratch_init (&scratch);
 +  time_t timeout = addgetnetgrentX (db, fd, req, key, uid, he, dh, &scratch);
 +  addgetnetgrentX_scratch_free (&scratch);
 +  if (timeout < 0)
 +    timeout = 0;
   return timeout;
 }
@@ -661,5 +680,9 @@ readdinnetgr (struct database_dyn *db, struct hashentry *he,
       .key_len = he->len
     };
 -  return addinnetgrX (db, -1, &req, db->data + he->key, he->owner, he, dh);
 +  int timeout = addinnetgrX (db, -1, &req, db->data + he->key, he->owner,
 +			     he, dh);
 +  if (timeout < 0)
 +    timeout = 0;
 +  return timeout;
 }
 -- 
 2.39.3
--- a/SPECS/glibc/CVE-2024-33602.nopatch
+++ b/SPECS/glibc/CVE-2024-33602.nopatch
@ -0,0 +1 @@
 CVE-2024-33602 is fixed by CVE-2024-33601.patch
--- a/SPECS/glibc/get_nscd_addresses_fix_subscript_typos.patch
+++ b/SPECS/glibc/get_nscd_addresses_fix_subscript_typos.patch
@ -0,0 +1,41 @@
 Imported for CBL-Mariner by Rachel Menge <rachelmenge@microsoft.com>
 This patch resolves a typo which affected name resolution
 when using nscd
 From 227c9035872fc9e9e2cf56ec8f89219747ee19bc Mon Sep 17 00:00:00 2001
 From: =?utf8?q?J=C3=B6rg=20Sonnenberger?= <joerg@bec.de>
 Date: Mon, 26 Sep 2022 13:59:16 -0400
 Subject: [PATCH] get_nscd_addresses: Fix subscript typos [BZ #29605]
 Fix the subscript on air->family, which was accidentally set to COUNT
 when it should have remained as I.
 Resolves: BZ #29605
 Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
 (cherry picked from commit c9226c03da0276593a0918eaa9a14835183343e8)
 ---
 sysdeps/posix/getaddrinfo.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
 index bcff909b2f..5cda9bb072 100644
 --- a/sysdeps/posix/getaddrinfo.c
 +++ b/sysdeps/posix/getaddrinfo.c
@@ -540,11 +540,11 @@ get_nscd_addresses (const char *name, const struct addrinfo *req,
 	  at[count].addr[2] = htonl (0xffff);
 	}
       else if (req->ai_family == AF_UNSPEC
 -	       || air->family[count] == req->ai_family)
 +	       || air->family[i] == req->ai_family)
 	{
 -	  at[count].family = air->family[count];
 +	  at[count].family = air->family[i];
 	  memcpy (at[count].addr, addrs, size);
 -	  if (air->family[count] == AF_INET6)
 +	  if (air->family[i] == AF_INET6)
 	    res->got_ipv6 = true;
 	}
       at[count].next = at + count + 1;
 -- 
 2.39.3
--- a/SPECS/glibc/glibc.spec
+++ b/SPECS/glibc/glibc.spec
@ -7,7 +7,7 @@
 Summary:        Main C library
 Name:           glibc
 Version:        2.35
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        BSD AND GPLv2+ AND Inner-Net AND ISC AND LGPLv2+ AND MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -30,6 +30,11 @@ Patch5:         glibc-2.34_pthread_cond_wait.patch
 Patch6:         CVE-2023-4911.patch
 Patch7:         CVE-2023-4806.patch
 Patch8:         CVE-2023-5156.patch
 Patch9:         get_nscd_addresses_fix_subscript_typos.patch
 Patch10:        CVE-2024-33599.patch
 Patch11:        CVE-2024-33600.patch
 # This patch fixes both CVE-2024-33601 and CVE-2024-33602
 Patch12:        CVE-2024-33601.patch
 BuildRequires:  bison
 BuildRequires:  gawk
 BuildRequires:  gettext
@ -322,6 +327,11 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||:
 %defattr(-,root,root)
 %changelog
 * Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 2.35-7
 - Fixup CVE-2023-4806.patch and CVE-2023-5156.patch
 - Backport typo fix for nscd
 - Patch CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602
 * Wed Oct 04 2023 Minghe Ren <mingheren@microsoft.com> - 2.35-6
 - Add patches for CVE-2023-4806 and CVE-2023-5156
--- a/SPECS/kubernetes/kubernetes.spec
+++ b/SPECS/kubernetes/kubernetes.spec
@ -10,7 +10,7 @@
 Summary:        Microsoft Kubernetes
 Name:           kubernetes
 Version:        1.28.4
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -23,7 +23,7 @@ Patch1:         CVE-2023-48795.patch
 Patch2:         CVE-2023-5408.patch
 Patch3:         CVE-2023-45288.patch
 BuildRequires:  flex-devel
-BuildRequires:  glibc-static >= 2.35-6%{?dist}
+BuildRequires:  glibc-static >= 2.35-7%{?dist}
 BuildRequires:  golang
 BuildRequires:  rsync
 BuildRequires:  systemd-devel
@ -268,9 +268,12 @@ fi
 %{_exec_prefix}/local/bin/pause
 %changelog
-* Thu Apr 18 2024 Chris Gunn <chrisgun@microsoft.com> - 1.28.4-7
+* Thu Apr 18 2024 Chris Gunn <chrisgun@microsoft.com> - 1.28.4-8
 - Fix for CVE-2023-45288
 * Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 1.28.4-7
 - Bump release to rebuild against glibc 2.35-7
 * Tue Apr 24 2024 Nicolas Guibourge <nicolasg@microsoft.com> - 1.28.4-6
 - Use autopatch instead of individual patch
@ -458,5 +461,3 @@ fi
 * Wed Dec 02 2020 Nicolas Guibourge <nicolasg@microsoft.com> - 1.19.1-1
 - Original version for CBL-Mariner
--- a/SPECS/kubevirt/kubevirt.spec
+++ b/SPECS/kubevirt/kubevirt.spec
@ -19,7 +19,7 @@
 Summary:        Container native virtualization
 Name:           kubevirt
 Version:        0.59.0
-Release:        16%{?dist}
+Release:        17%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -39,7 +39,7 @@ Patch6:         CVE-2022-41723.patch
 Patch7:         CVE-2023-45288.patch
 %global debug_package %{nil}
 BuildRequires:  glibc-devel
-BuildRequires:  glibc-static >= 2.35-6%{?dist}
+BuildRequires:  glibc-static >= 2.35-7%{?dist}
 BuildRequires:  golang
 BuildRequires:  golang-packaging
 BuildRequires:  pkgconfig
@ -216,9 +216,12 @@ install -p -m 0644 cmd/virt-handler/nsswitch.conf %{buildroot}%{_datadir}/kube-v
 %{_bindir}/virt-tests
 %changelog
-* Thu Apr 18 2024 chrisgun@microsoft.com <chrisgun@microsoft.com> - 0.59.0-16
+* Thu Apr 18 2024 chrisgun@microsoft.com <chrisgun@microsoft.com> - 0.59.0-17
 - Fix for CVE-2023-45288
 * Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 0.59.0-16
 - Bump release to rebuild against glibc 2.35-7
 * Wed Mar 13 2024 Archana Choudhary <archana1@microsoft.com> - 0.59.0-15
 - Add patch for CVE-2022-41723
--- a/SPECS/libguestfs/libguestfs.spec
+++ b/SPECS/libguestfs/libguestfs.spec
@ -25,7 +25,7 @@
 Summary:        Access and modify virtual machine disk images
 Name:           libguestfs
 Version:        1.44.0
-Release:        18%{?dist}
+Release:        19%{?dist}
 License:        LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -89,7 +89,7 @@ BuildRequires:  gcc-c++
 BuildRequires:  gdisk
 BuildRequires:  genisoimage
 BuildRequires:  gfs2-utils
-BuildRequires:  glibc-static >= 2.35-6%{?dist}
+BuildRequires:  glibc-static >= 2.35-7%{?dist}
 BuildRequires:  gobject-introspection-devel
 BuildRequires:  gperf
 BuildRequires:  grep
@ -1236,6 +1236,9 @@ rm ocaml/html/.gitignore
 %endif
 %changelog
 * Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 1.44.0-19
 - Bump release to rebuild against glibc 2.35-7
 * Wed Oct 11 2023 Minghe Ren <mingheren@microsoft.com> - 1.44.0-18
 - Bump release to rebuild against glibc 2.35-6
--- a/SPECS/rust/rust.spec
+++ b/SPECS/rust/rust.spec
@ -9,7 +9,7 @@
 Summary:        Rust Programming Language
 Name:           rust
 Version:        1.72.0
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        (ASL 2.0 OR MIT) AND BSD AND CC-BY-3.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -57,7 +57,7 @@ BuildRequires:  ninja-build
 BuildRequires:  openssl-devel
 BuildRequires:  python3
 %if %{with_check}
-BuildRequires:  glibc-static >= 2.35-6%{?dist}
+BuildRequires:  glibc-static >= 2.35-7%{?dist}
 %endif
 # rustc uses a C compiler to invoke the linker, and links to glibc in most cases
 Requires:       binutils
@ -168,6 +168,9 @@ rm %{buildroot}%{_bindir}/*.old
 %{_mandir}/man1/*
 %changelog
 * Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 1.72.0-7
 - Bump release to rebuild against glibc 2.35-7
 * Wed Feb 21 2024 Sam Meluch <sammeluch@microsoft.com> - 1.72.0-6
 - Dash roll package to rebuild with new libgit2
--- a/SPECS/supermin/supermin.spec
+++ b/SPECS/supermin/supermin.spec
@ -21,7 +21,7 @@
 Summary:        Tool for creating supermin appliances
 Name:           supermin
 Version:        5.2.1
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -54,7 +54,7 @@ BuildRequires:  systemd-udev
 %if %{with dietlibc}
 BuildRequires:  dietlibc-devel
 %else
-BuildRequires:  glibc-static >= 2.35-6%{?dist}
+BuildRequires:  glibc-static >= 2.35-7%{?dist}
 %endif
 %if %{with_check}
@ -129,6 +129,9 @@ make check || {
 %{_rpmconfigdir}/supermin-find-requires
 %changelog
 * Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 5.2.1-10
 - Bump release to rebuild against glibc 2.35-7
 * Wed Oct 04 2023 Minghe Ren <mingheren@microsoft.com> - 5.2.1-9
 - Bump release to rebuild against glibc 2.35-6
--- a/SPECS/tini/tini.spec
+++ b/SPECS/tini/tini.spec
@ -1,7 +1,7 @@
 Summary:        A tiny but valid init for containers
 Name:           tini
 Version:        0.19.0
-Release:        11%{?dist}
+Release:        12%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -13,7 +13,7 @@ BuildRequires:  diffutils
 BuildRequires:  file
 BuildRequires:  gcc
 BuildRequires:  glibc-devel
-BuildRequires:  glibc-static >= 2.35-6%{?dist}
+BuildRequires:  glibc-static >= 2.35-7%{?dist}
 BuildRequires:  kernel-headers
 BuildRequires:  make
 BuildRequires:  sed
@ -66,6 +66,9 @@ ln -s %{_bindir}/tini-static %{buildroot}%{_bindir}/docker-init
 %{_bindir}/docker-init
 %changelog
 * Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 0.19.0-12
 - Bump release to rebuild against glibc 2.35-7
 * Wed Oct 04 2023 Minghe Ren <mingheren@microsoft.com> - 0.19.0-11
 - Bump release to rebuild against glibc 2.35-6
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@ -1,12 +1,12 @@
 filesystem-1.1-20.cm2.aarch64.rpm
 kernel-headers-5.15.158.1-1.cm2.noarch.rpm
-glibc-2.35-6.cm2.aarch64.rpm
+glibc-2.35-7.cm2.aarch64.rpm
-glibc-devel-2.35-6.cm2.aarch64.rpm
+glibc-devel-2.35-7.cm2.aarch64.rpm
-glibc-i18n-2.35-6.cm2.aarch64.rpm
+glibc-i18n-2.35-7.cm2.aarch64.rpm
-glibc-iconv-2.35-6.cm2.aarch64.rpm
+glibc-iconv-2.35-7.cm2.aarch64.rpm
-glibc-lang-2.35-6.cm2.aarch64.rpm
+glibc-lang-2.35-7.cm2.aarch64.rpm
-glibc-nscd-2.35-6.cm2.aarch64.rpm
+glibc-nscd-2.35-7.cm2.aarch64.rpm
-glibc-tools-2.35-6.cm2.aarch64.rpm
+glibc-tools-2.35-7.cm2.aarch64.rpm
 zlib-1.2.13-2.cm2.aarch64.rpm
 zlib-devel-1.2.13-2.cm2.aarch64.rpm
 file-5.40-2.cm2.aarch64.rpm
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@ -1,12 +1,12 @@
 filesystem-1.1-20.cm2.x86_64.rpm
 kernel-headers-5.15.158.1-1.cm2.noarch.rpm
-glibc-2.35-6.cm2.x86_64.rpm
+glibc-2.35-7.cm2.x86_64.rpm
-glibc-devel-2.35-6.cm2.x86_64.rpm
+glibc-devel-2.35-7.cm2.x86_64.rpm
-glibc-i18n-2.35-6.cm2.x86_64.rpm
+glibc-i18n-2.35-7.cm2.x86_64.rpm
-glibc-iconv-2.35-6.cm2.x86_64.rpm
+glibc-iconv-2.35-7.cm2.x86_64.rpm
-glibc-lang-2.35-6.cm2.x86_64.rpm
+glibc-lang-2.35-7.cm2.x86_64.rpm
-glibc-nscd-2.35-6.cm2.x86_64.rpm
+glibc-nscd-2.35-7.cm2.x86_64.rpm
-glibc-tools-2.35-6.cm2.x86_64.rpm
+glibc-tools-2.35-7.cm2.x86_64.rpm
 zlib-1.2.13-2.cm2.x86_64.rpm
 zlib-devel-1.2.13-2.cm2.x86_64.rpm
 file-5.40-2.cm2.x86_64.rpm
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@ -106,15 +106,15 @@ glib-debuginfo-2.71.0-2.cm2.aarch64.rpm
 glib-devel-2.71.0-2.cm2.aarch64.rpm
 glib-doc-2.71.0-2.cm2.noarch.rpm
 glib-schemas-2.71.0-2.cm2.aarch64.rpm
-glibc-2.35-6.cm2.aarch64.rpm
+glibc-2.35-7.cm2.aarch64.rpm
-glibc-debuginfo-2.35-6.cm2.aarch64.rpm
+glibc-debuginfo-2.35-7.cm2.aarch64.rpm
-glibc-devel-2.35-6.cm2.aarch64.rpm
+glibc-devel-2.35-7.cm2.aarch64.rpm
-glibc-i18n-2.35-6.cm2.aarch64.rpm
+glibc-i18n-2.35-7.cm2.aarch64.rpm
-glibc-iconv-2.35-6.cm2.aarch64.rpm
+glibc-iconv-2.35-7.cm2.aarch64.rpm
-glibc-lang-2.35-6.cm2.aarch64.rpm
+glibc-lang-2.35-7.cm2.aarch64.rpm
-glibc-nscd-2.35-6.cm2.aarch64.rpm
+glibc-nscd-2.35-7.cm2.aarch64.rpm
-glibc-static-2.35-6.cm2.aarch64.rpm
+glibc-static-2.35-7.cm2.aarch64.rpm
-glibc-tools-2.35-6.cm2.aarch64.rpm
+glibc-tools-2.35-7.cm2.aarch64.rpm
 gmp-6.2.1-4.cm2.aarch64.rpm
 gmp-debuginfo-6.2.1-4.cm2.aarch64.rpm
 gmp-devel-6.2.1-4.cm2.aarch64.rpm
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@ -111,15 +111,15 @@ glib-debuginfo-2.71.0-2.cm2.x86_64.rpm
 glib-devel-2.71.0-2.cm2.x86_64.rpm
 glib-doc-2.71.0-2.cm2.noarch.rpm
 glib-schemas-2.71.0-2.cm2.x86_64.rpm
-glibc-2.35-6.cm2.x86_64.rpm
+glibc-2.35-7.cm2.x86_64.rpm
-glibc-debuginfo-2.35-6.cm2.x86_64.rpm
+glibc-debuginfo-2.35-7.cm2.x86_64.rpm
-glibc-devel-2.35-6.cm2.x86_64.rpm
+glibc-devel-2.35-7.cm2.x86_64.rpm
-glibc-i18n-2.35-6.cm2.x86_64.rpm
+glibc-i18n-2.35-7.cm2.x86_64.rpm
-glibc-iconv-2.35-6.cm2.x86_64.rpm
+glibc-iconv-2.35-7.cm2.x86_64.rpm
-glibc-lang-2.35-6.cm2.x86_64.rpm
+glibc-lang-2.35-7.cm2.x86_64.rpm
-glibc-nscd-2.35-6.cm2.x86_64.rpm
+glibc-nscd-2.35-7.cm2.x86_64.rpm
-glibc-static-2.35-6.cm2.x86_64.rpm
+glibc-static-2.35-7.cm2.x86_64.rpm
-glibc-tools-2.35-6.cm2.x86_64.rpm
+glibc-tools-2.35-7.cm2.x86_64.rpm
 gmp-6.2.1-4.cm2.x86_64.rpm
 gmp-debuginfo-6.2.1-4.cm2.x86_64.rpm
 gmp-devel-6.2.1-4.cm2.x86_64.rpm
		`@ -0,0 +1 @@`
							`CVE-2024-33602 is fixed by CVE-2024-33601.patch`