[Buildroot] [PATCH-2021.02.x] package/glibc: security bump to version 2.32-50-g737efa27fca5c97f5

[Buildroot] [PATCH-2021.02.x] package/glibc: security bump to version 2.32-50-g737efa27fca5c97f5

[Peter Korsgaard]

Fixes the following security issue:

- CVE-2021-33574: The mq_notify function has a potential use-after-free
  issue when using a notification type of SIGEV_THREAD and a thread
  attribute with a non-default affinity mask.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 .../glibc.hash                                                  | 2 +-
 package/glibc/glibc.mk                                          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename package/glibc/{2.32-37-g760e1d287825fa91d4d5a0cc921340c740d803e2 => 2.32-50-g737efa27fca5c97f566a2005687fda7d6659cd2e}/glibc.hash (70%)

diff --git a/package/glibc/2.32-37-g760e1d287825fa91d4d5a0cc921340c740d803e2/glibc.hash b/package/glibc/2.32-50-g737efa27fca5c97f566a2005687fda7d6659cd2e/glibc.hash
similarity index 70%
rename from package/glibc/2.32-37-g760e1d287825fa91d4d5a0cc921340c740d803e2/glibc.hash
rename to package/glibc/2.32-50-g737efa27fca5c97f566a2005687fda7d6659cd2e/glibc.hash
index b1d5243fcc..5e00ef7c04 100644
--- a/package/glibc/2.32-37-g760e1d287825fa91d4d5a0cc921340c740d803e2/glibc.hash
+++ b/package/glibc/2.32-50-g737efa27fca5c97f566a2005687fda7d6659cd2e/glibc.hash
@@ -1,5 +1,5 @@
 # Locally calculated (fetched from Github)
-sha256  f4710e9a435a7b83e1d23dd75434f0d36b898eba9b4249c946c32b467d852fd4  glibc-2.32-37-g760e1d287825fa91d4d5a0cc921340c740d803e2.tar.gz
+sha256  b634d38ace90752eeecb93246d71c0673bab0db8dfbd69333479ae7b10d63410  glibc-2.32-50-g737efa27fca5c97f566a2005687fda7d6659cd2e.tar.gz
 
 # Hashes for license files
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index f84f670fc0..14c3f03597 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -16,7 +16,7 @@ ifeq ($(BR2_RISCV_32),y)
 # Until 2.33 is released, just use master
 GLIBC_VERSION = 2.32.9000-69-gbd394d131c10c9ec22c6424197b79410042eed99
 else
-GLIBC_VERSION = 2.32-37-g760e1d287825fa91d4d5a0cc921340c740d803e2
+GLIBC_VERSION = 2.32-50-g737efa27fca5c97f566a2005687fda7d6659cd2e
 endif
 # Upstream doesn't officially provide an https download link.
 # There is one (https://sourceware.org/git/glibc.git) but it's not reliable,
-- 
2.20.1

_______________________________________________
buildroot mailing list
buildroot@busybox.net
http://lists.busybox.net/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH-2021.02.x] package/glibc: security bump to version 2.32-50-g737efa27fca5c97f5

[Peter Korsgaard]

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issue:
 > - CVE-2021-33574: The mq_notify function has a potential use-after-free
 >   issue when using a notification type of SIGEV_THREAD and a thread
 >   attribute with a non-default affinity mask.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2021.02.x and 2021.05.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@busybox.net
http://lists.busybox.net/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH-2021.02.x] package/glibc: security bump to version 2.32-50-g737efa27fca5c97f5

[Romain Naour]

Hello Peter,

Le 08/08/2021 à 21:47, Peter Korsgaard a écrit :
>>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> 
>  > Fixes the following security issue:
>  > - CVE-2021-33574: The mq_notify function has a potential use-after-free
>  >   issue when using a notification type of SIGEV_THREAD and a thread
>  >   attribute with a non-default affinity mask.
> 
>  > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> 
> Committed to 2021.02.x and 2021.05.x, thanks.
> 

Even if it's not easy, we should try to keep glibc and localdef package in sync.

https://git.buildroot.net/buildroot/commit/?id=c8cbe9719025676bc2330b9dfb11e58dc4f427e8

Best regards,
Romain
_______________________________________________
buildroot mailing list
buildroot@busybox.net
http://lists.busybox.net/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH-2021.02.x] package/glibc: security bump to version 2.32-50-g737efa27fca5c97f5

[Peter Korsgaard]

>>>>> "Romain" == Romain Naour <romain.naour@gmail.com> writes:

 > Hello Peter,
 > Le 08/08/2021 à 21:47, Peter Korsgaard a écrit :
 >>>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
 >> 
 >> > Fixes the following security issue:
 >> > - CVE-2021-33574: The mq_notify function has a potential use-after-free
 >> >   issue when using a notification type of SIGEV_THREAD and a thread
 >> >   attribute with a non-default affinity mask.
 >> 
 >> > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
 >> 
 >> Committed to 2021.02.x and 2021.05.x, thanks.
 >> 

 > Even if it's not easy, we should try to keep glibc and localdef package in sync.

 > https://git.buildroot.net/buildroot/commit/?id=c8cbe9719025676bc2330b9dfb11e58dc4f427e8

Crap, indeed. Will fix.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@busybox.net
http://lists.busybox.net/mailman/listinfo/buildroot