[Buildroot] [PATCH 1/2] package/{glibc, localedef}: bump to version 2.38-13-g92201f16cbcfd9eafe314ef6654be2ea7ba25675
Romain Naour
romain.naour at smile.fr
Sat Sep 30 13:48:17 UTC 2023
Hello Peter,
On 29/09/2023 at 21:32, Peter Korsgaard wrote:
>>>>>> "Romain" == Romain Naour <romain.naour at gmail.com> writes:
>
> > Enable mathvec explicitly on aarch64(be) since it's now enabled by
> > default [1]. aarch64 mathvec requires at least gcc-10 but Buildroot already
> > provides gcc-11 as minimum version.
>
> > Don't use --enable-fortify-source for now in order to keep original
> > behavior while doing the glibc version bump (and because some
> > architectures don't support fortify-source well, i.e. Microblaze).
> > Postpone this change to a follow up commit.
>
> > Keep the "deprecated" libcrypt enabled just in case some
> > applications are not yet ready to use an alternative such as libxcrypt.
>
> > Security related changes:
>
> > CVE-2023-25139: When the printf family of functions is called with a
> > format specifier that uses an <apostrophe> (enable grouping) and a
> > minimum width specifier, the resulting output could be larger than
> > reasonably expected by a caller that computed a tight bound on the
> > buffer size. The resulting larger than expected output could result
> > in a buffer overflow in the printf family of functions.
>
> It would have been handy to first bump to the 2.37.x version fixing this
> issue for easy backporting, but OK - I will do it separately.
Previous Glibc releases are still maintained so we probably have to send patches
directly for Buildroot stable release.
Best regards,
Romain
>
> > See:
> > https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00010.html
>
> > Runtime tested with Qemu on Gitlab-ci:
> > https://gitlab.com/kubu93/buildroot/-/pipelines/998435203
> > https://gitlab.com/buildroot.org/toolchains-builder/-/pipelines/998926028
>
> > [1] https://sourceware.org/git/?p=glibc.git;a=commit;h=cd94326a1326c4e3f1ee7a8d0a161cc0bdcaf07e
>
> > Signed-off-by: Romain Naour <romain.naour at gmail.com>
>
> Committed, thanks.
>
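The CVE-2023-25139 text quoted above concerns callers that size a buffer tightly around a printf result using the apostrophe flag and a minimum width. The following is an added example, not part of the thread or of the Buildroot or glibc sources: a caller-side pattern that passes the real buffer size to snprintf and rejects output that does not fit. The helper names are hypothetical, and the program never calls setlocale, so it runs in the "C" locale, where no grouping separators are inserted.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from glibc or Buildroot): format `value` with
 * the ' (grouping) flag and a minimum field width into dst, never writing
 * more than dstlen bytes. Returns the number of characters written
 * (excluding the NUL), or -1 if formatting failed or would not fit. */
static int format_grouped(char *dst, size_t dstlen, int width, long value)
{
    if (dst == NULL || dstlen == 0 || width < 0)
        return -1;

    /* snprintf is given the true capacity, so the write stays in bounds
     * even if the formatted text is longer than the caller estimated. */
    int n = snprintf(dst, dstlen, "%'*ld", width, value);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';          /* do not hand back a truncated number */
        return -1;
    }
    return n;
}

/* Sanity check for test suites: the reported length must match what is
 * actually in the buffer and must honour the minimum width. */
static int output_is_consistent(int width, long value)
{
    char buf[64];
    int n = format_grouped(buf, sizeof buf, width, value);
    return n >= 0 && (size_t)n == strlen(buf) && n >= width;
}

int main(void)
{
    char tight[8];   /* constructed case: bound computed too tightly */
    char roomy[32];

    int r1 = format_grouped(tight, sizeof tight, 10, 1234567L);
    int r2 = format_grouped(roomy, sizeof roomy, 10, 1234567L);

    printf("tight buffer: %d\n", r1);
    printf("roomy buffer: %d [%s]\n", r2, roomy);
    printf("consistent:   %d\n", output_is_consistent(10, 1234567L));
    return 0;
}
```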