Merge pull request #75928 from xnox/fix-glibc-cves

fix(glibc): cherry-pick patches from mailing list for CVE fixes

Export:  433c2cea96cf9455ba63d34361b4822167e29112

Author: xnox

bun.yaml

@@ -1,13 +1,16 @@
 package:
   name: bun
   version: "1.3.13"
-  epoch: 0 # go/wolfi-rsc/bun
+  epoch: 1 # go/wolfi-rsc/bun
   description: "Incredibly fast JavaScript runtime, bundler, test runner, and package manager - all in one"
   copyright:
     - license: MIT
   resources:
     cpu: "42"
     memory: 38Gi
+  test-resources:
+    cpu: "1"
+    memory: 1Gi
 
 environment:
   contents:

glibc.yaml

@@ -3,7 +3,7 @@ package:
   name: glibc
   version: "2.43"
   # Every glibc update causes build disruption; always announce on #eng-psa
-  epoch: 6
+  epoch: 7
   description: "the GNU C library"
   copyright:
     - license: LGPL-2.1-or-later
@@ -73,7 +73,10 @@ pipeline:
 
   - uses: patch
     with:
-      patches: 0001-Link-startup-files-without-package-metadata.patch
+      patches: |
+        0001-Link-startup-files-without-package-metadata.patch
+        0002-libio-Fix-ungetwc-operating-on-byte-stream-BZ-33998.patch
+        0003-stdio-common-Fix-buffer-overflow-in-scanf-mc-BZ-3400.patch
 
   - name: "Set up build directory"
     runs: |

glibc/0002-libio-Fix-ungetwc-operating-on-byte-stream-BZ-33998.patch

@@ -0,0 +1,100 @@
+From e85c81525672df5003ff113ca1189dbed88c673f Mon Sep 17 00:00:00 2001
+From: Rocket Ma <marocketbd@gmail.com>
+Date: Sat, 18 Apr 2026 03:17:42 -0700
+Subject: [PATCH 2/3] libio: Fix ungetwc operating on byte stream [BZ #33998]
+
+* libio/wgenops.c: When _IO_wdefault_pbackfail attempts to push back one
+character, it accidently compare the wchar to push back with the last
+char from byte stream, instead of wide stream. Under specific coding,
+attacker may exploit this to leak information. This commit fix bug
+33998, or CVE-2026-5928.
+
+Signed-off-by: Rocket Ma <marocketbd@gmail.com>
+Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
+---
+ libio/Makefile              |  1 +
+ libio/bug-wgenops-bz33998.c | 44 +++++++++++++++++++++++++++++++++++++
+ libio/wgenops.c             |  4 ++--
+ 3 files changed, 47 insertions(+), 2 deletions(-)
+ create mode 100644 libio/bug-wgenops-bz33998.c
+
+diff --git a/libio/Makefile b/libio/Makefile
+index 4f4dd9f275..5995adf5dd 100644
+--- a/libio/Makefile
++++ b/libio/Makefile
+@@ -84,6 +84,7 @@ tests = \
+   bug-ungetwc1 \
+   bug-ungetwc2 \
+   bug-wfflush \
++  bug-wgenops-bz33998 \
+   bug-wmemstream1 \
+   bug-wsetpos \
+   test-fmemopen \
+diff --git a/libio/bug-wgenops-bz33998.c b/libio/bug-wgenops-bz33998.c
+new file mode 100644
+index 0000000000..b3f750a753
+--- /dev/null
++++ b/libio/bug-wgenops-bz33998.c
+@@ -0,0 +1,44 @@
++/* Regression test for ungetwc operating on byte stream (BZ #33998)
++   Copyright (C) 2026 The GNU Toolchain Authors.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#include <unistd.h>
++#include <sys/mman.h>
++#include <stdio.h>
++#include <wchar.h>
++#include <support/check.h>
++
++static int
++do_test (void)
++{
++  int fd = memfd_create ("test", MFD_CLOEXEC);
++  TEST_VERIFY (fd != -1);
++  TEST_COMPARE (write (fd, (unsigned char[]){ 'A', 0, 0, 0 }, 4), 4);
++  TEST_COMPARE (lseek (fd, 0, SEEK_SET), 0);
++  FILE *fp = fdopen (fd, "r+");
++  TEST_VERIFY (fp != NULL);
++  TEST_COMPARE (getwc (fp), L'A');
++
++  /* if the bug is fixed, then ungetwc should not touch byte stream. */
++  char *old_read_ptr = fp->_IO_read_ptr;
++  TEST_COMPARE (ungetwc (0, fp), L'\0');
++  TEST_VERIFY (fp->_IO_read_ptr == old_read_ptr);
++
++  return 0;
++}
++
++#include <support/test-driver.c>
+diff --git a/libio/wgenops.c b/libio/wgenops.c
+index 7a8466ea44..7c47459828 100644
+--- a/libio/wgenops.c
++++ b/libio/wgenops.c
+@@ -108,8 +108,8 @@ _IO_wdefault_pbackfail (FILE *fp, wint_t c)
+ {
+   if (fp->_wide_data->_IO_read_ptr > fp->_wide_data->_IO_read_base
+       && !_IO_in_backup (fp)
+-      && (wint_t) fp->_IO_read_ptr[-1] == c)
+-    --fp->_IO_read_ptr;
++      && (wint_t) fp->_wide_data->_IO_read_ptr[-1] == c)
++    --fp->_wide_data->_IO_read_ptr;
+   else
+     {
+       /* Need to handle a filebuf in write mode (switch to read mode). FIXME!*/
+-- 
+2.51.0
+

glibc/0003-stdio-common-Fix-buffer-overflow-in-scanf-mc-BZ-3400.patch

@@ -0,0 +1,132 @@
+From 52a0be690747e3bf89218bf14e62837dfe2d1288 Mon Sep 17 00:00:00 2001
+From: Rocket Ma <marocketbd@gmail.com>
+Date: Fri, 17 Apr 2026 23:48:41 -0700
+Subject: [PATCH 3/3] stdio-common: Fix buffer overflow in scanf %mc [BZ
+ #34008]
+
+* stdio-common/vfscanf-internal.c: When enlarging allocated buffer with
+format %mc or %mC, glibc allocates one byte less, leading to
+user-controlled one byte overflow. This commit fixes BZ #34008, or
+CVE-2026-5450.
+
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+Signed-off-by: Rocket Ma <marocketbd@gmail.com>
+Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
+---
+ stdio-common/Makefile              |  4 +++
+ stdio-common/tst-vfscanf-bz34008.c | 48 ++++++++++++++++++++++++++++++
+ stdio-common/vfscanf-internal.c    |  7 ++---
+ 3 files changed, 55 insertions(+), 4 deletions(-)
+ create mode 100644 stdio-common/tst-vfscanf-bz34008.c
+
+diff --git a/stdio-common/Makefile b/stdio-common/Makefile
+index 210944837e..0c0085e607 100644
+--- a/stdio-common/Makefile
++++ b/stdio-common/Makefile
+@@ -349,6 +349,7 @@ tests := \
+   tst-vfprintf-user-type \
+   tst-vfprintf-width-i18n \
+   tst-vfprintf-width-prec-alloc \
++  tst-vfscanf-bz34008 \
+   tst-wc-printf \
+   tstdiomisc \
+   tstgetln \
+@@ -564,6 +565,9 @@ tst-printf-bz18872-ENV = MALLOC_TRACE=$(objpfx)tst-printf-bz18872.mtrace \
+ tst-vfprintf-width-prec-ENV = \
+   MALLOC_TRACE=$(objpfx)tst-vfprintf-width-prec.mtrace \
+   LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
++tst-vfscanf-bz34008-ENV = \
++  MALLOC_CHECK_=3 \
++  LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
+ tst-printf-bz25691-ENV = \
+   MALLOC_TRACE=$(objpfx)tst-printf-bz25691.mtrace \
+   LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
+diff --git a/stdio-common/tst-vfscanf-bz34008.c b/stdio-common/tst-vfscanf-bz34008.c
+new file mode 100644
+index 0000000000..48371c8a3d
+--- /dev/null
++++ b/stdio-common/tst-vfscanf-bz34008.c
+@@ -0,0 +1,48 @@
++/* Regression test for vfscanf %Nmc out-of-bound write (BZ #34008)
++   Copyright (C) 2026 The GNU Toolchain Authors.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#include "malloc/mcheck.h"
++#include <stddef.h>
++#include <stdio.h>
++#include <string.h>
++#include <wchar.h>
++#include <stdlib.h>
++#include <malloc.h>
++#include <support/check.h>
++
++#define WIDTH 0x410
++#define SCANFSTR "%1040mc"
++static int
++do_test (void)
++{
++  mcheck_pedantic (NULL);
++  char *input = malloc (WIDTH + 1);
++  TEST_VERIFY (input != NULL);
++  memset (input, 'A', WIDTH);
++  input[WIDTH] = '\0';
++
++  char *buf = NULL;
++  TEST_VERIFY (sscanf (input, SCANFSTR, &buf) != -1);
++  TEST_VERIFY (buf != NULL);
++
++  free (buf);
++  free (input);
++  return 0;
++}
++
++#include <support/test-driver.c>
+diff --git a/stdio-common/vfscanf-internal.c b/stdio-common/vfscanf-internal.c
+index 63b9246e47..8687150dff 100644
+--- a/stdio-common/vfscanf-internal.c
++++ b/stdio-common/vfscanf-internal.c
+@@ -862,8 +862,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,
+ 			{
+ 			  /* Enlarge the buffer.  */
+ 			  size_t newsize
+-			    = strsize
+-			      + (strsize >= width ? width - 1 : strsize);
++			    = strsize + (strsize >= width ? width : strsize);
+ 
+ 			  str = (char *) realloc (*strptr, newsize);
+ 			  if (str == NULL)
+@@ -936,7 +935,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,
+ 		      && wstr == (wchar_t *) *strptr + strsize)
+ 		    {
+ 		      size_t newsize
+-			= strsize + (strsize > width ? width - 1 : strsize);
++			= strsize + (strsize >= width ? width : strsize);
+ 		      /* Enlarge the buffer.  */
+ 		      wstr = (wchar_t *) realloc (*strptr,
+ 						  newsize * sizeof (wchar_t));
+@@ -991,7 +990,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,
+ 		    && wstr == (wchar_t *) *strptr + strsize)
+ 		  {
+ 		    size_t newsize
+-		      = strsize + (strsize > width ? width - 1 : strsize);
++		      = strsize + (strsize >= width ? width : strsize);
+ 		    /* Enlarge the buffer.  */
+ 		    wstr = (wchar_t *) realloc (*strptr,
+ 						newsize * sizeof (wchar_t));
+-- 
+2.51.0
+

gn.yaml

@@ -2,7 +2,7 @@
 package:
   name: gn
   version: "0.0_git20260501"
-  epoch: 0
+  epoch: 1
   description: "Meta-build system that generates build files for Ninja"
   copyright:
     - license: BSD-3-Clause
@@ -26,7 +26,7 @@ pipeline:
     with:
       repository: https://gn.googlesource.com/gn.git
       branch: main
-      expected-commit: eab8a9f92dca9b8548a89d9e5eb6aeb8ac6bba77
+      expected-commit: 1740f5c25bcac5a650ee3d1c1ec22bfa25fcd756
 
   - runs: |
       python${{vars.python-version}} build/gen.py

kargo.yaml

@@ -1,7 +1,7 @@
 package:
   name: kargo
   version: "1.9.6"
-  epoch: 1 # GHSA-mh2q-q3fh-2475
+  epoch: 2 # GHSA-pc3f-x583-g7j2
   description: Application lifecycle orchestration
   copyright:
     - license: Apache-2.0
@@ -35,6 +35,7 @@ pipeline:
         github.com/docker/cli@v29.2.0
         google.golang.org/grpc@v1.79.3
         go.opentelemetry.io/otel@v1.41.0
+        github.com/moby/spdystream@v0.5.1
       modroot: hack/tools
       tidy: false
 
@@ -47,6 +48,7 @@ pipeline:
         github.com/go-git/go-git/v5@v5.17.1
         github.com/go-jose/go-jose/v4@v4.1.4
         go.opentelemetry.io/otel@v1.41.0
+        github.com/moby/spdystream@v0.5.1
 
   - runs: |
       cd ui

postgresql-16.yaml

@@ -1,7 +1,7 @@
 package:
   name: postgresql-16
   version: "16.13"
-  epoch: 6
+  epoch: 7 # go/wolfi-rsc/postgresql-16
   description: A sophisticated object-relational DBMS
   copyright:
     - license: BSD-3-Clause
@@ -13,8 +13,11 @@ package:
       - ecpg=${{package.full-version}}
       - tzdata
   resources:
-    cpu: "9"
+    cpu: "5"
     memory: 14Gi
+  test-resources:
+    cpu: "1"
+    memory: 4Gi
 
 environment:
   environment:

py3-pymysql.yaml

@@ -1,7 +1,7 @@
 package:
   name: py3-pymysql
-  version: "1.1.2"
-  epoch: 2 # go/wolfi-rsc/py3-pymysql
+  version: "1.1.3"
+  epoch: 0 # go/wolfi-rsc/py3-pymysql
   description: Pure Python MySQL Driver
   copyright:
     - license: MIT
@@ -34,7 +34,7 @@ pipeline:
     with:
       repository: https://github.com/PyMySQL/PyMySQL
       tag: v${{package.version}}
-      expected-commit: d7bb777e503d82bf2496113f07dd4ab249615efc
+      expected-commit: 5613187f54fd524a009a340f50b160c644899706
 
 subpackages:
   - range: py-versions

renovate.yaml

@@ -1,6 +1,6 @@
 package:
   name: renovate
-  version: "43.160.2"
+  version: "43.160.4"
   epoch: 0
   description: "Automated dependency updates. Multi-platform and multi-language."
   copyright:
@@ -39,7 +39,7 @@ pipeline:
     with:
       repository: https://github.com/renovatebot/renovate
       tag: ${{package.version}}
-      expected-commit: ca23fd14ded0783b5978205df51dc09ff7a2633a
+      expected-commit: 26ba9fde6b973209945b83417d68579be64d6b16
 
   - runs: |
       sed -i 's/"version": "0.0.0-semantic-release"/"version": "${{package.version}}"/' package.json

ruby3.3-fluentd-kubernetes-daemonset-1.19.yaml

@@ -2,7 +2,7 @@ package:
   # fluentd supported versions: https://github.com/fluent/fluentd/blob/master/SECURITY.md
   # The kubernetes daemonset trails fluentd releases by a bit
   name: ruby3.3-fluentd-kubernetes-daemonset-1.19
-  version: "1.19.2.1.4"
+  version: "1.19.2.1.5"
   epoch: 0 # go/wolfi-rsc/ruby3.3-fluentd-kubernetes-daemonset-1.19
   description: Fluentd ${{vars.fluentdMM}} daemonset for Kubernetes
   copyright:
@@ -51,7 +51,7 @@ data:
 pipeline:
   - uses: git-checkout
     with:
-      expected-commit: 6693e712bbe39cbf472bbfa71141ed21bd631b9f
+      expected-commit: f5a6ce26005449fb63d2cd46c2c417a29463f520
       repository: https://github.com/fluent/fluentd-kubernetes-daemonset.git
       tag: v${{vars.mangled-package-version}}