Commit graph

15 commits

Author SHA1 Message Date
CBL-Mariner-Bot bf54124512
[AUTO-CHERRYPICK] Patch Busybox for CVE-2021-42380, CVE-2023-42363, CVE-2023-42364 & CVE-2023-42365 - branch main (#10130)
Co-authored-by: suresh-thelkar <suresh.thelkar@yahoo.com>
2024-08-19 11:39:37 -07:00
Rachel Menge 332adb9675
glibc: Fix nscd breakage and patch CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 (#9051)
This commit does 3 things: address ipv6 breakage with nscd due to previous CVE fix, reformat previous CVE patches, and patch 4 new CVEs

The ipv6 w/ nscd breakage was due to CVE-2023-4806's patch and caused wrong results with IPv6 addresses when using nscd. The patch mixes up the variables i and count. Therefore backport the fix (227c903).

Additionally, the above fix highlighted that our original patches for CVE-2023-4806 and CVE-2023-5156 were malformed. Specifically, the CVE-2023-4806 patch which updates "/sysdeps/posix/getaddrinfo.c" to latest from glibc-2.35 (commit 17092c0) did not include the changes to other files (mostly additional tests so impact was low) but did partially include CVE-2023-5156's changes. To fix, regenerate both patches based on commits from upstream stable 2.35.

Finally, this PR applies patches for CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602
2024-05-10 18:50:52 -07:00
Chris PeBenito 0a74e855b4
busybox: Enable SELinux features. (#6772)
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2023-11-17 14:44:09 -05:00
Minghe Ren 044098bc0b
add patches for Glibc CVE-2023-4806 and CVE-2023-5156 (#6341)
* add patches for CVE

* bump dependency package release number

---------

Co-authored-by: minghe <rmhsawyer>
2023-10-06 14:55:34 -07:00
Mandeep Plaha 115ecc713d
Mandeepsplaha/patch cves against gdb (#6338)
* Patch CVE-2023-4911 in glibc
* Update all specs that build require glibc-static
2023-10-03 16:38:04 -07:00
jslobodzian eb08b37916
Bump package version to recompile binaries with fixed gcc stack prote… (#6253)
* Bump package version to recompile binaries with fixed gcc stack protection (CVE-2023-4039)

* Bump debuginfo versions in toolchain manifests

* Bump kernel headers to match kernel

* Update SPECS/gettext/gettext.spec

Taking suggestion

Co-authored-by: Muhammad Falak R Wani <falakreyaz@gmail.com>

* Update for code review comments

* Fix for code review comment in qt5-qtdeclarative changelog

* Fix dash version for signed spec files

---------

Co-authored-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
2023-09-21 17:10:15 -04:00
Andrew Phelps 6d35fdd2fc
glibc: restore glibc-debuginfo package (#5795)
* update glibc so binaries are not stripped

* restore glibc-debuginfo
2023-07-14 16:20:19 -07:00
Andy Caldwell 366add1699
Police `glibc-static` versions (#3748)
* Make `glibc-static` a real package and police its version

* Add version bounds to all mentions of `glibc-static` in spec files

* Bump releases for all affected packages

* Add pipeline job to check static glibc versions

* Release new glibc packages with split out glibc-static

* Include distribution in requirement bounds

* Don't implicitly install glibc-static in pkggen chroot

* Correctly split up the static libraries between devel/static

* Consistent use of f-strings

* Allow libacvp to build without depending on `glibc-static`

* Remove `libhugetlbfs-tests` package

* Update kernel configs to not support static linking

* Declare `glibc-static` dependency for flannel

* Enable `-pie` by default in `clang`

* Rebuild SymCrypt with `-pie` enabled `clang`

* Use `glibc-static` on all platforms for `busybox`

* Tidy up libacvp Source lines

* Clang can't default to `-pie` so move `crt1.o` to `glibc-devel`

* Fix libacvp Source0 syntax

* Don't build static binaries in libhugetlbfs-tests

* Update kernel config signatures

* Kubevirt needs glibc-static too
2022-10-12 16:30:40 +01:00
Muhammad Falak R Wani 9a87454201
busybox: patch CVE-2022-30065 (#3516)
Also introduce three more fixes from upstream:
* e2952dfaf awk: input numbers are never octal or hex
* e63d7cdfd awk: fix use after free (CVE-2022-30065)
* daa66ed62 ash: fix use-after-free in pattern substitution code
* 7c2a3bdde ash: fix use-after-free in bash pattern substitution

Reference: https://bugs.busybox.net/show_bug.cgi?id=14781
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
2022-08-11 18:19:20 +05:30
Pawel Winogrodzki 88e0b9c7eb
`busybox`: patching CVE-2022-28391. (#3031)
* Patching CVE-2022-28391 in 'busybox'.

* Switching to using '%autosetup'.
2022-05-20 14:09:36 -07:00
Henry Li 5026c400b3
upgrade busybox (#1863)
Co-authored-by: Henry Li <lihl@microsoft.com>
2022-01-07 10:03:01 -08:00
Henry Beberman 760eb4762a
busybox patch CVE-2021-28831 (#800)
2021-03-26 16:22:26 -07:00
Mateusz Malisz 0695cac045
Add distroless containers (#403)
Co-authored-by: Jon Slobodzian <joslobo@microsoft.com>
2020-12-15 16:31:49 -08:00
jslobodzian 534d5bfc58
Revert "Implement "distroless" containers (#252)" (#264)
This reverts commit e41efdda19.
2020-10-25 18:37:45 -07:00
Mateusz Malisz e41efdda19
Implement "distroless" containers (#252)
* Create distroless container without bash and surplus dependencies
* Remove RPM database for distroless
* Add busybox and uclibc. Add distroless-packages-debug
* Update cgmanifest

Co-authored-by: Jon Slobodzian <joslobo@microsoft.com>
Co-authored-by: MateuszMalisz <mamalisz@microsoft.com>
2020-10-24 11:28:47 +02:00