GET

Patch Detail

get:
Show a patch.

patch:
Update a patch.

put:
Update a patch.

GET /api/1.1/patches/2225329/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2225329,
    "url": "http://patchwork.ozlabs.org/api/1.1/patches/2225329/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/glibc/patch/20260420202247.3430896-1-carlos@redhat.com/",
    "project": {
        "id": 41,
        "url": "http://patchwork.ozlabs.org/api/1.1/projects/41/?format=api",
        "name": "GNU C Library",
        "link_name": "glibc",
        "list_id": "libc-alpha.sourceware.org",
        "list_email": "libc-alpha@sourceware.org",
        "web_url": "",
        "scm_url": "",
        "webscm_url": ""
    },
    "msgid": "<20260420202247.3430896-1-carlos@redhat.com>",
    "date": "2026-04-20T20:22:42",
    "name": "[COMMITTED] Add advisory text for CVE-2026-5450",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "5d292f6ae5bcde63de8e52d1bbaf067fb7232d90",
    "submitter": {
        "id": 22438,
        "url": "http://patchwork.ozlabs.org/api/1.1/people/22438/?format=api",
        "name": "Carlos O'Donell",
        "email": "carlos@redhat.com"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/glibc/patch/20260420202247.3430896-1-carlos@redhat.com/mbox/",
    "series": [
        {
            "id": 500677,
            "url": "http://patchwork.ozlabs.org/api/1.1/series/500677/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/glibc/list/?series=500677",
            "date": "2026-04-20T20:22:42",
            "name": "[COMMITTED] Add advisory text for CVE-2026-5450",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/500677/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2225329/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2225329/checks/",
    "tags": {},
    "headers": {
        "Return-Path": "<libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org>",
        "X-Original-To": [
            "incoming@patchwork.ozlabs.org",
            "libc-alpha@sourceware.org"
        ],
        "Delivered-To": [
            "patchwork-incoming@legolas.ozlabs.org",
            "libc-alpha@sourceware.org"
        ],
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=IeCwX4HD;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org\n (client-ip=2620:52:6:3111::32; helo=vm01.sourceware.org;\n envelope-from=libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org;\n receiver=patchwork.ozlabs.org)",
            "sourceware.org;\n\tdkim=pass (1024-bit key,\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=IeCwX4HD",
            "sourceware.org; dmarc=pass (p=quarantine dis=none)\n header.from=redhat.com",
            "sourceware.org; spf=pass smtp.mailfrom=redhat.com",
            "server2.sourceware.org;\n arc=none smtp.remote-ip=170.10.129.124"
        ],
        "Received": [
            "from vm01.sourceware.org (vm01.sourceware.org\n [IPv6:2620:52:6:3111::32])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzxl01hzVz1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 21 Apr 2026 06:23:24 +1000 (AEST)",
            "from vm01.sourceware.org (localhost [127.0.0.1])\n\tby sourceware.org (Postfix) with ESMTP id 31C7E4BA23D4\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 20:23:22 +0000 (GMT)",
            "from us-smtp-delivery-124.mimecast.com\n (us-smtp-delivery-124.mimecast.com [170.10.129.124])\n by sourceware.org (Postfix) with ESMTP id 1445A4BA23D4\n for <libc-alpha@sourceware.org>; Mon, 20 Apr 2026 20:22:54 +0000 (GMT)",
            "from mail-qt1-f199.google.com (mail-qt1-f199.google.com\n [209.85.160.199]) by relay.mimecast.com with ESMTP with STARTTLS\n (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id\n us-mta-507-5UThctEZOWOKPf_GK7z3Bw-1; Mon, 20 Apr 2026 16:22:52 -0400",
            "by mail-qt1-f199.google.com with SMTP id\n d75a77b69052e-50d6bf346adso1773031cf.1\n for <libc-alpha@sourceware.org>; Mon, 20 Apr 2026 13:22:52 -0700 (PDT)",
            "from codonell-thinkpadp16vgen1.rmtcaon.csb ([198.48.244.52])\n by smtp.gmail.com with ESMTPSA id\n d75a77b69052e-50e39305285sm108995511cf.13.2026.04.20.13.22.49\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Mon, 20 Apr 2026 13:22:49 -0700 (PDT)"
        ],
        "DKIM-Filter": [
            "OpenDKIM Filter v2.11.0 sourceware.org 31C7E4BA23D4",
            "OpenDKIM Filter v2.11.0 sourceware.org 1445A4BA23D4"
        ],
        "DMARC-Filter": "OpenDMARC Filter v1.4.2 sourceware.org 1445A4BA23D4",
        "ARC-Filter": "OpenARC Filter v1.0.0 sourceware.org 1445A4BA23D4",
        "ARC-Seal": "i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1776716574; cv=none;\n b=r69cvURPW3TYx6RNexBrs94S3bP7dzKGPRnDZbXexiW10f3horIStTflMuI456mEunTHc38HUZN7TMIPJQLtsQhzXJREZg/lwzDq9lSM9jVe+SFUy9KSDNQUhnVDwd4a69mkbXT0iYlWC+cU2qhVV4YhnnAcxOpPV23g+1BLOCc=",
        "ARC-Message-Signature": "i=1; a=rsa-sha256; d=sourceware.org; s=key;\n t=1776716574; c=relaxed/simple;\n bh=hm6qd/XxKXBxvRf3IaC2MS5z0Pfle5nVasBqgY3QqY0=;\n h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version;\n b=dAuo5MBB+e3yQcooBL5zQ3kRdx4JDQag9tPtcTqlG9i1Y41YULRwqw1mXe7i91zfz0LYHhIsMxwR59wtgwAaSQ10lpWp5vzH5G/h0y6WqmbauxoEq1lCoYJlOoaKKPP2/OZzfzSotb1j60f2tD73h4jHBp62OYlHtbBzcLooHi0=",
        "ARC-Authentication-Results": "i=1; server2.sourceware.org",
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1776716573;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:content-type:content-type:\n content-transfer-encoding:content-transfer-encoding;\n bh=K6fl4BE6Z8mD4/0Atw9WrI0b80F4BeMSG9ny7jFkoXc=;\n b=IeCwX4HDy9iX7jzCd/L2hh7md53t0mnyEzlpLRKLiERQRPxbynOECAgmFvJeSl/aecaPDQ\n zVS1HSbg5oSoC1sggFz2OezgG4TLMqAumRLF6UuUQqZxQiz1wqVA3FA6AXADT5SSkMzHxo\n G1n2uzkDHNDUlBP1TDpf8GQrJDqwvXY=",
        "X-MC-Unique": "5UThctEZOWOKPf_GK7z3Bw-1",
        "X-Mimecast-MFC-AGG-ID": "5UThctEZOWOKPf_GK7z3Bw_1776716572",
        "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776716571; x=1777321371;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=K6fl4BE6Z8mD4/0Atw9WrI0b80F4BeMSG9ny7jFkoXc=;\n b=K6biy94xt3t8k1mTo2TW1/e4aBd20S24LTXRiIq2N/VXszXcYrl18zdQNpctHDWLVi\n hkCpE6s3Dvr72SItrzrckptWuNBamITH/DozHS8t5ZOi+UT8DDtUVGbq6/4FZTPFWQVP\n aL7pTOn+iw7UH0ktiZgk1HWU3PkanAEcE+J+U8F8shwDnMOzS+SbswHeK2TY2H1eDYw3\n nUwkKnyj3+eNBbxjBN4d5W70F4+eSw1r3ouXGxuYlL99cn+7H/Ul/Awt1d04DoCY9a1G\n rfjCZJ4deXqwnzDDM6X77Yh/TvdMnPwrZklQmbnlgfHEJ7qixG/BeWe2ch3mxD0+GIp4\n AoDA==",
        "X-Gm-Message-State": "AOJu0Yyh7OTZS7gqCv0q2M+XOHvy82s4HKZVW0lCvnqjlalU7RRsa6xC\n jPPOS3F1IufOfHIFeiAkT8prRpS2Qf7/oyjA5u4qWQeXARKGrnTzOYg4IppN3l5TY9WerfXYXET\n qyyxoFcl7FYoIt3YLFAhNS792CxrR8aS6EHGuZ+RPx8rPowq1dL0wa8mwcAHYT7nexJUBRTK8Mj\n R+XiUPW18gvSa8feLZNB0sSDWMeShLydv/tL0rZkjeGCk=",
        "X-Gm-Gg": "AeBDiesYTo0xmteFq21VbkNcrS43OxycbOH6R6d2JmoQX+WB0Wocvw98iLnZGC+MUu1\n G/YcVkUQ7GJLogfFJx1DQLKqgRMfTPYQAS116ZFeaFhvllrRqy334EZ+c41hl9MCOFVDN4QvNnR\n WC/gKXITpUOZhbGLnkVBt34UpFL+us98bsDsPTNM3xa/kvKEgT2KlRHygDLc/PbxpG1e5bFaOKr\n yaes5PaO02+0pkDl0hQmVkHGjU2LJeSq6qsH+6yKY7rWfYfrA6LFoy61J9R8RlD88Gnzr1cnOlm\n ymTnS/xF9uYmZwftr4oSJrpqLFJ9NxV0jDVgMLCOrBvwPW8FHUyCiCgT33R4cg1520SKNURbTeJ\n e5Lo78HdK69l/7B3gubAauCWnrQ9gU1tjVRVKsEcoYIzxMybU/gy58CBhHul3y0kgmvkz9JOMoN\n cPy4ZzyFj/8oQ1G2TVBV6Cj9wEOjbKJn6USInR8nkMQteHkh6oYOgW216bpNGRLQ==",
        "X-Received": [
            "by 2002:a05:622a:514a:b0:50e:c093:9051 with SMTP id\n d75a77b69052e-50ec093944bmr52351761cf.30.1776716571171;\n Mon, 20 Apr 2026 13:22:51 -0700 (PDT)",
            "by 2002:a05:622a:514a:b0:50e:c093:9051 with SMTP id\n d75a77b69052e-50ec093944bmr52351221cf.30.1776716570430;\n Mon, 20 Apr 2026 13:22:50 -0700 (PDT)"
        ],
        "From": "Carlos O'Donell <carlos@redhat.com>",
        "To": "libc-alpha@sourceware.org",
        "Cc": "Carlos O'Donell <carlos@redhat.com>",
        "Subject": "[COMMITTED] Add advisory text for CVE-2026-5450",
        "Date": "Mon, 20 Apr 2026 16:22:42 -0400",
        "Message-ID": "<20260420202247.3430896-1-carlos@redhat.com>",
        "X-Mailer": "git-send-email 2.53.0",
        "MIME-Version": "1.0",
        "X-Mimecast-Spam-Score": "0",
        "X-Mimecast-MFC-PROC-ID": "hTE15Dt4UDQuXNjL1_gxluGS1R8H--OFxHl5xWKxHF0_1776716572",
        "X-Mimecast-Originator": "redhat.com",
        "Content-Transfer-Encoding": "8bit",
        "content-type": "text/plain; charset=\"US-ASCII\"; x-default=true",
        "X-BeenThere": "libc-alpha@sourceware.org",
        "X-Mailman-Version": "2.1.30",
        "Precedence": "list",
        "List-Id": "Libc-alpha mailing list <libc-alpha.sourceware.org>",
        "List-Unsubscribe": "<https://sourceware.org/mailman/options/libc-alpha>,\n <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>",
        "List-Archive": "<https://sourceware.org/pipermail/libc-alpha/>",
        "List-Post": "<mailto:libc-alpha@sourceware.org>",
        "List-Help": "<mailto:libc-alpha-request@sourceware.org?subject=help>",
        "List-Subscribe": "<https://sourceware.org/mailman/listinfo/libc-alpha>,\n <mailto:libc-alpha-request@sourceware.org?subject=subscribe>",
        "Errors-To": "libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org"
    },
    "content": "---\n advisories/GLIBC-SA-2026-0009 | 23 +++++++++++++++++++++++\n 1 file changed, 23 insertions(+)\n create mode 100644 advisories/GLIBC-SA-2026-0009",
    "diff": "diff --git a/advisories/GLIBC-SA-2026-0009 b/advisories/GLIBC-SA-2026-0009\nnew file mode 100644\nindex 0000000000..ae376e9fda\n--- /dev/null\n+++ b/advisories/GLIBC-SA-2026-0009\n@@ -0,0 +1,23 @@\n+scanf %mc off-by-one heap buffer overflow\n+\n+Calling the scanf family of functions with a %mc (malloc'd character\n+match) in the GNU C Library version 2.7 to version 2.43 with a format\n+width specifier with an explicit width greater than 1024 could result in\n+a one byte heap buffer overflow.\n+\n+The bug is in the buffer growth formula in __vfscanf_internal, which\n+under-allocates by one byte during realloc expansion, allowing a\n+controlled single-byte overwrite past the end of the heap buffer.\n+\n+The impact is limited by the fact that to execute the overwrite you need\n+both user controlled input data and a specific choice of maximum width\n+that yields a smaller than needed allocation. The latter point has to\n+take into account malloc's particular chunk size rounding process.  The\n+\"%[width]mc\" format specififer does not appear to have notable use in\n+major Linux-based OS distributions, due to which the real world impact\n+may be limited to bespoke use cases.\n+\n+CVE-Id: CVE-2026-5450\n+Public-Date: 2026-03-19\n+Vulnerable-Commit: 874aa52349cc111d1f6ea5dff24bb14c306714e0 (2.7)\n+Reported-by: Rocket Ma\n",
    "prefixes": [
        "COMMITTED"
    ]
}