From 35e3e2119d70e77eb10d567b981ade68f72d2931 Mon Sep 17 00:00:00 2001
From: mgb01105731
Date: Wed, 27 Aug 2025 16:29:55 +0800
Subject: [PATCH] Add patch to fix CVE-2024-33599 and CVE-2024-33600
---
 0093-fix-cve-2024-33599.patch | 32 +++++++++++++++
 0094-fix-cve-2024-33600.patch | 74 +++++++++++++++++++++++++++++++++++
 glibc.spec | 10 ++++-
 3 files changed, 115 insertions(+), 1 deletion(-)
 create mode 100644 0093-fix-cve-2024-33599.patch
 create mode 100644 0094-fix-cve-2024-33600.patch
diff --git a/0093-fix-cve-2024-33599.patch b/0093-fix-cve-2024-33599.patch
new file mode 100644
index 0000000..7336751
--- /dev/null
+++ b/0093-fix-cve-2024-33599.patch
@@ -0,0 +1,32 @@
+From 4472b1141766bec30d6bf984e01de73396303380 Mon Sep 17 00:00:00 2001
+Florian Weimer
+Date: Tue, 19 Nov 2024 17:02:06 +0800
+Subject: [PATCH 1/2] fix-cve-2024-33599
+
+---
+ nscd/netgroupcache.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
+index 06b7d7b6..05623086 100644
+--- a/nscd/netgroupcache.c
++++ b/nscd/netgroupcache.c
+@@ -502,12 +502,13 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
+ = (struct indataset *) mempool_alloc (db,
+ sizeof (*dataset) + req->key_len,
+ 1);
+- struct indataset dataset_mem;
+ bool cacheable = true;
+ if (__glibc_unlikely (dataset == NULL))
+ {
+ cacheable = false;
+- dataset = &dataset_mem;
++ /* The alloca is safe because nscd_run_worker verfies that
++ key_len is not larger than MAXKEYLEN. */
++ dataset = alloca (sizeof (*dataset) + req->key_len);
+ }
+
+ datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
+--
+2.27.0
+
diff --git a/0094-fix-cve-2024-33600.patch b/0094-fix-cve-2024-33600.patch
new file mode 100644
index 0000000..7b5f654
--- /dev/null
+++ b/0094-fix-cve-2024-33600.patch
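Review bot: The alloca fallback added to addinnetgrX in 0093-fix-cve-2024-33599.patch is bounded only by a check outside this hunk: the new comment says nscd_run_worker rejects a key_len above MAXKEYLEN, and nothing in the patched lines enforces that. Because this is a backport onto the 2.38 base, I would confirm the check exists in this tree and name its location in the comment, for example `/* Safe: nscd_run_worker (connections.c, presumably; confirm) rejects key_len > MAXKEYLEN before dispatch. */`. The patch file has an empty message and its author line is reduced to a bare name, so I would add an origin line such as `(cherry picked from commit 87801a8fd06db1d654eea3e4f7626ff476a9bdaa)`, the hash glibc.spec already cites, to make the fix auditable against upstream. The comment typo `verfies` should read `verifies` unless the text is deliberately kept identical to upstream. The body of addinnetgrX continues outside the hunk.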
@@ -0,0 +1,74 @@
+From c35ef5ed25ba47bbb301e0902e305734a166a786 Mon Sep 17 00:00:00 2001
+Florian Weimer
+Date: Tue, 19 Nov 2024 17:14:24 +0800
+Subject: [PATCH 2/2] fix-cve-2024-33600
+
+---
+ nscd/netgroupcache.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
+index 05623086..ef87c2b0 100644
+--- a/nscd/netgroupcache.c
++++ b/nscd/netgroupcache.c
+@@ -147,7 +147,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
+ /* No such service. */
+ cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout,
+ &key_copy);
+- goto writeout;
++ goto maybe_cache_add;
+ }
+
+ memset (&data, '\0', sizeof (data));
+@@ -410,14 +410,11 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
+ }
+
+ if (he == NULL && fd != -1)
+- {
+- /* We write the dataset before inserting it to the database
+- since while inserting this thread might block and so would
+- unnecessarily let the receiver wait. */
+- writeout:
++ /* We write the dataset before inserting it to the database
++ since while inserting this thread might block and so would
++ unnecessarily let the receiver wait. */
+ writeall (fd, &dataset->resp, dataset->head.recsize);
+- }
+-
++maybe_cache_add:
+ if (cacheable)
+ {
+ /* If necessary, we also propagate the data to disk. */
+@@ -513,14 +510,15 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
+
+ datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
+ sizeof (innetgroup_response_header),
+- he == NULL ? 0 : dh->nreloads + 1, result->head.ttl);
++ he == NULL ? 0 : dh->nreloads + 1,
++ result == NULL ? db->negtimeout : result->head.ttl);
+ /* Set the notfound status and timeout based on the result from
+ getnetgrent. */
+- dataset->head.notfound = result->head.notfound;
++ dataset->head.notfound = result == NULL || result->head.notfound;
+ dataset->head.timeout = timeout;
+
+ dataset->resp.version = NSCD_VERSION;
+- dataset->resp.found = result->resp.found;
++ dataset->resp.found = result != NULL && result->resp.found;
+ /* Until we find a matching entry the result is 0. */
+ dataset->resp.result = 0;
+
+@@ -568,7 +566,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
+ goto out;
+ }
+
+- if (he == NULL)
++ /* addgetnetgrentX may have already sent a notfound response. Do
++ not send another one. */
++ if (he == NULL && dataset->resp.found)
+ {
+ /* We write the dataset before inserting it to the database
+ since while inserting this thread might block and so would
+--
+2.27.0
+
diff --git a/glibc.spec b/glibc.spec
index 1f24250..4b4ea8b 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -1,4 +1,4 @@
-%define anolis_release 14
+%define anolis_release 15
 %bcond_without testsuite
 %bcond_without benchtests
@@ -111,6 +111,11 @@ Patch0192: 1094-Fix-CVE-2025-0395.patch
 Patch0193: 1095-fix-CVE-2025-4802.patch
 # https://sourceware.org/git/?p=glibc.git;a=commit;h=7ea06e994093fa0bcca0d0ee2c1db271d8d7885d
 Patch0194: 0092-CVE-2025-8058.patch
+# https://sourceware.org/git/?p=glibc.git;a=commit;h=87801a8fd06db1d654eea3e4f7626ff476a9bdaa
+Patch0195: 0093-fix-cve-2024-33599.patch
+# https://sourceware.org/git/?p=glibc.git;a=commit;h=b048a482f088e53144d26a61c390bed0210f49f2
+# https://sourceware.org/git/?p=glibc.git;a=commit;h=7835b00dbce53c3c87bbbb1754a95fb5e58187aa
+Patch0196: 0094-fix-cve-2024-33600.patch
 Patch3062: 3062-Sw64-Add-Sw64-entries-to-config.h.in.patch
 Patch3063: 3063-Sw64-Add-relocations-and-ELF-flags-to-elf.h-and-scri.patch
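Review bot: In 0094-fix-cve-2024-33600.patch the three new `result == NULL` tests in addinnetgrX are undocumented, so a reader cannot tell when addgetnetgrentX leaves `result` unset or why `db->negtimeout` is the right fallback. I would add a comment above the `datahead_init_pos` call, for example `/* result is NULL when addgetnetgrentX produced no dataset; treat that as a negative answer with the negative-cache timeout. */`. The later guard `if (he == NULL && dataset->resp.found)` skips the reply for every not-found result and relies on addgetnetgrentX having already written one; its own comment only says it "may have". Those paths lie outside the hunks, so it is worth confirming on this base that no not-found path leaves the client without a response. glibc.spec cites two upstream commits for this single patch, and the patch has an empty message, so both origin hashes should be recorded in the patch header.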
@@ -1197,6 +1202,9 @@ update_gconv_modules_cache ()
 %{_libdir}/libpthread_nonshared.a
 %changelog
+* Wed Aug 27 2025 mgb01105731 - 2.38-15
+- Add patch to fix CVE-2024-33599 and CVE-2024-33600
+
 * Tue Aug 12 2025 swcompiler - 2.38-14
 - SW64: Add libnss_db
--
Gitee