diff --git a/core/glibc/PKGBUILD b/core/glibc/PKGBUILD index 8f6dbf582..d267dd15b 100644 --- a/core/glibc/PKGBUILD +++ b/core/glibc/PKGBUILD @@ -15,9 +15,9 @@ noautobuild=1 pkgname=glibc -pkgver=2.36 -_commit=93967a2a7bbdcedb73e0b246713580c7c84d001e -pkgrel=7 +pkgver=2.37 +_commit=a704fd9a133bfb10510e18702f48a6a9c88dbbd5 +pkgrel=2 arch=(x86_64) url='https://www.gnu.org/software/libc' license=(GPL LGPL) @@ -28,6 +28,7 @@ source=(git+https://sourceware.org/git/glibc.git#commit=${_commit} locale-gen sdt.h sdt-config.h reenable_DT_HASH.patch + cve-2023-25139.patch ) validpgpkeys=(7273542B39962DF7B299931416792B4EA25340F8 # Carlos O'Donell BC7C7372637EC10C57D7AA6579C43DFBF1CF2187) # Siddhesh Poyarekar @@ -36,7 +37,8 @@ b2sums=('SKIP' '04fbb3b0b28705f41ccc6c15ed5532faf0105370f22133a2b49867e790df0491f5a1255220ff6ebab91a462f088d0cf299491b3eb8ea53534cb8638a213e46e3' 'a6a5e2f2a627cc0d13d11a82458cfd0aa75ec1c5a3c7647e5d5a3bb1d4c0770887a3909bfda1236803d5bc9801bfd6251e13483e9adf797e4725332cd0d91a0e' '214e995e84b342fe7b2a7704ce011b7c7fc74c2971f98eeb3b4e677b99c860addc0a7d91b8dc0f0b8be7537782ee331999e02ba48f4ccc1c331b60f27d715678' - '5fdd133c367af2f5454ea1eea7907de12166fb95eb59dbe33eae16aa9e26209b6585972bc1c80e36a0af4bfb04296acaf940ee78cd624cdcbab9669dff46c051') + '5fdd133c367af2f5454ea1eea7907de12166fb95eb59dbe33eae16aa9e26209b6585972bc1c80e36a0af4bfb04296acaf940ee78cd624cdcbab9669dff46c051' + '917b876dbc2bc23d15ffedb56bfb51611f8c7a5b8321281a2cf488d442a45c38fc754e857573843042bf7cc3df87d4271bc723acd52aab4c8fc3c8f07d41456e') prepare() { mkdir -p glibc-build @@ -44,10 +46,15 @@ prepare() { [[ -d glibc-$pkgver ]] && ln -s glibc-$pkgver glibc cd glibc - # re-enable `--hash-style=both` for building shared objects due to issues with EPIC's EAC + # Re-enable `--hash-style=both` for building shared objects due to issues with EPIC's EAC # which relies on DT_HASH to be present in these libs. # reconsider 2023-01 patch -Np1 -i "${srcdir}"/reenable_DT_HASH.patch + + # Add a temporary patch for cve 2023-25139 until a fix has been backported. + # Technical the fix itself is complete but the test cases aren't. + # See https://sourceware.org/bugzilla/show_bug.cgi?id=30068 + patch -Np1 -i "${srcdir}"/cve-2023-25139.patch } build() { diff --git a/core/glibc/cve-2023-25139.patch b/core/glibc/cve-2023-25139.patch new file mode 100644 index 000000000..3361e68fa --- /dev/null +++ b/core/glibc/cve-2023-25139.patch @@ -0,0 +1,81 @@ +This is a partial fix for mishandling of grouping when formatting +integers. It properly computes the width in presence of grouping +characteres when the precision is larger than the number of significant +digits. +--- + stdio-common/Makefile | 1 + + stdio-common/tst-grouping3.c | 37 +++++++++++++++++++++++++++++ + stdio-common/vfprintf-process-arg.c | 2 +- + 3 files changed, 39 insertions(+), 1 deletion(-) + create mode 100644 stdio-common/tst-grouping3.c + +diff --git a/stdio-common/Makefile b/stdio-common/Makefile +index 6e9d104524..b46d932a20 100644 +--- a/stdio-common/Makefile ++++ b/stdio-common/Makefile +@@ -195,6 +195,7 @@ tests := \ + tst-gets \ + tst-grouping \ + tst-grouping2 \ ++ tst-grouping3 \ + tst-long-dbl-fphex \ + tst-memstream-string \ + tst-obprintf \ +diff --git a/stdio-common/tst-grouping3.c b/stdio-common/tst-grouping3.c +new file mode 100644 +index 0000000000..0031ad4010 +--- /dev/null ++++ b/stdio-common/tst-grouping3.c +@@ -0,0 +1,37 @@ ++/* Test printf with grouping and padding (bug 23432) ++ Copyright (C) 2023 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <https://www.gnu.org/licenses/>. */ ++ ++#include <locale.h> ++#include <stdio.h> ++#include <support/check.h> ++#include <support/support.h> ++ ++static int ++do_test (void) ++{ ++ char buf[80]; ++ ++ xsetlocale (LC_NUMERIC, "de_DE.UTF-8"); ++ ++ sprintf (buf, "%+-'13.9d", 1234567); ++ TEST_COMPARE_STRING (buf, "+001.234.567 "); ++ ++ return 0; ++} ++ ++#include <support/test-driver.c> +diff --git a/stdio-common/vfprintf-process-arg.c b/stdio-common/vfprintf-process-arg.c +index 2c651946df..cd3eaf5c0c 100644 +--- a/stdio-common/vfprintf-process-arg.c ++++ b/stdio-common/vfprintf-process-arg.c +@@ -257,7 +257,7 @@ LABEL (unsigned_number): /* Unsigned number of base BASE. */ + width -= 2; + } + +- width -= workend - string + prec; ++ width -= number_length + prec; + + Xprintf_buffer_pad (buf, L_('0'), prec); + +-- +2.39.1