From patchwork Tue May 29 15:28:03 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Baruch Siach X-Patchwork-Id: 922182 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=busybox.net (client-ip=140.211.166.133; helo=hemlock.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=tkos.co.il Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 40wHgy4qL3z9s0y for ; Wed, 30 May 2018 01:29:02 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by hemlock.osuosl.org (Postfix) with ESMTP id 9D78D87E65; Tue, 29 May 2018 15:28:58 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from hemlock.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EjjgZ3LWhbeX; Tue, 29 May 2018 15:28:56 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by hemlock.osuosl.org (Postfix) with ESMTP id 13E2287E3D; Tue, 29 May 2018 15:28:56 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by ash.osuosl.org (Postfix) with ESMTP id 8B0C11C2B6C for ; Tue, 29 May 2018 15:28:54 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id 87EAC866CF for ; Tue, 29 May 2018 15:28:54 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wTkFhsE3qWoL for ; Tue, 29 May 2018 15:28:53 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mx.tkos.co.il (guitar.tcltek.co.il [192.115.133.116]) by whitealder.osuosl.org (Postfix) with ESMTPS id A2AF48664C for ; Tue, 29 May 2018 15:28:53 +0000 (UTC) Received: from tarshish.tkos.co.il (unknown [10.0.8.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mx.tkos.co.il (Postfix) with ESMTPSA id D47124405F1; Tue, 29 May 2018 18:28:51 +0300 (IDT) From: Baruch Siach To: buildroot@busybox.net Date: Tue, 29 May 2018 18:28:03 +0300 Message-Id: X-Mailer: git-send-email 2.17.0 Subject: [Buildroot] [PATCH 2018.02.x] glibc: security bump to latest 2.26 branch X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.24 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" Fixed issues are listed in the 2.26 branch NEWS file: CVE-2017-18269: An SSE2-based memmove implementation for the i386 architecture could corrupt memory. Reported by Max Horn. CVE-2018-11236: Very long pathname arguments to realpath function could result in an integer overflow and buffer overflow. Reported by Alexey Izbyshev. CVE-2018-11237: The mempcpy implementation for the Intel Xeon Phi architecture could write beyond the target buffer, resulting in a buffer overflow. Reported by Andreas Schwab. Signed-off-by: Baruch Siach --- package/glibc/glibc.hash | 2 +- package/glibc/glibc.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/glibc/glibc.hash b/package/glibc/glibc.hash index 3dab1e151692..890f523fd917 100644 --- a/package/glibc/glibc.hash +++ b/package/glibc/glibc.hash @@ -1,4 +1,4 @@ # Locally calculated (fetched from Github) -sha256 00fbc845678a96f4acc574c4bda4be76506ecd8bafb2d08c58bfa3507625c81a glibc-glibc-2.26-146-gd300041c533a3d837c9f37a099bcc95466860e98.tar.gz +sha256 1e18aee61dc51a5aaf7bfcb65ed01894aa82c3d3f7b9a01f20d59cd9db2f082b glibc-glibc-2.26-160-g4df8479e6b3baf365bd4eedbba922b73471e5d73.tar.gz # Locally calculated (fetched from Github) sha256 5aa9adeac09727db0b8a52794186563771e74d70410e9fd86431e339953fd4bb glibc-arc-2017.09-release.tar.gz diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk index 0351433e6a09..562f0258d5a5 100644 --- a/package/glibc/glibc.mk +++ b/package/glibc/glibc.mk @@ -10,7 +10,7 @@ GLIBC_SITE = $(call github,foss-for-synopsys-dwc-arc-processors,glibc,$(GLIBC_VE else # Generate version string using: # git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master -GLIBC_VERSION = glibc-2.26-146-gd300041c533a3d837c9f37a099bcc95466860e98 +GLIBC_VERSION = glibc-2.26-160-g4df8479e6b3baf365bd4eedbba922b73471e5d73 # Upstream doesn't officially provide an https download link. # There is one (https://sourceware.org/git/glibc.git) but it's not reliable, # sometimes the connection times out. So use an unofficial github mirror.