From 1d98e934107db50fed307d2bf477a750e2c49b21 Mon Sep 17 00:00:00 2001
From: abushwang
Date: Mon, 26 May 2025 10:07:26 +0800
Subject: [PATCH] fix CVE-2025-4802
Signed-off-by: abushwang
---
 ...BRARY_PATH-and-debug-env-var-for-set.patch | 82 +++++++++++++++++++
 glibc.spec | 7 +-
 2 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-4802-elf-Ignore-LD_LIBRARY_PATH-and-debug-env-var-for-set.patch
diff --git a/CVE-2025-4802-elf-Ignore-LD_LIBRARY_PATH-and-debug-env-var-for-set.patch b/CVE-2025-4802-elf-Ignore-LD_LIBRARY_PATH-and-debug-env-var-for-set.patch
new file mode 100644
index 0000000..3ad84ac
--- /dev/null
+++ b/CVE-2025-4802-elf-Ignore-LD_LIBRARY_PATH-and-debug-env-var-for-set.patch
@@ -0,0 +1,82 @@
+From 3be3728df2f1912c80abd3288bc6e3a25ad679e4 Mon Sep 17 00:00:00 2001
+From: Adhemerval Zanella
+Date: Mon, 6 Nov 2023 17:25:49 -0300
+Subject: [PATCH] elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for
+ static
+
+It mimics the ld.so behavior.
+
+Checked on x86_64-linux-gnu.
+Reviewed-by: Siddhesh Poyarekar
+
+(cherry picked from commit 5451fa962cd0a90a0e2ec1d8910a559ace02bba0)
+
+Changes:
+
+ git/elf/dl-support.c
+ (missing commit 55f41ef8de4a4d0c5762d78659e11202d3c765d4
+ ("elf: Remove LD_PROFILE for static binaries"))
+---
+ elf/dl-support.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/elf/dl-support.c b/elf/dl-support.c
+index 44a54dea07..d57e650583 100644
+--- a/elf/dl-support.c
++++ b/elf/dl-support.c
+@@ -276,8 +276,6 @@ _dl_non_dynamic_init (void)
+ _dl_main_map.l_phdr = GL(dl_phdr);
+ _dl_main_map.l_phnum = GL(dl_phnum);
+
+- _dl_verbose = *(getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1;
+-
+ /* Set up the data structures for the system-supplied DSO early,
+ so they can influence _dl_init_paths. */
+ setup_vdso (NULL, NULL);
+@@ -285,6 +283,22 @@ _dl_non_dynamic_init (void)
+ /* With vDSO setup we can initialize the function pointers. */
+ setup_vdso_pointers ();
+
++ if (__libc_enable_secure)
++ {
++ static const char unsecure_envvars[] =
++ UNSECURE_ENVVARS
++ ;
++ const char *cp = unsecure_envvars;
++
++ while (cp < unsecure_envvars + sizeof (unsecure_envvars))
++ {
++ __unsetenv (cp);
++ cp = strchr (cp, '\0') + 1;
++ }
++ }
++
++ _dl_verbose = *(getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1;
++
+ /* Initialize the data structures for the search paths for shared
+ objects. */
+ _dl_init_paths (getenv ("LD_LIBRARY_PATH"), "LD_LIBRARY_PATH",
+@@ -306,20 +320,6 @@ _dl_non_dynamic_init (void)
+ _dl_profile_output
+ = &"/var/tmp\0/var/profile"[__libc_enable_secure ? 9 : 0];
+
+- if (__libc_enable_secure)
+- {
+- static const char unsecure_envvars[] =
+- UNSECURE_ENVVARS
+- ;
+- const char *cp = unsecure_envvars;
+-
+- while (cp < unsecure_envvars + sizeof (unsecure_envvars))
+- {
+- __unsetenv (cp);
+- cp = strchr (cp, '\0') + 1;
+- }
+- }
+-
+ #ifdef DL_PLATFORM_INIT
+ DL_PLATFORM_INIT;
+ #endif
+--
+2.39.3
+
diff --git a/glibc.spec b/glibc.spec
index eef7636..8045b05 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -86,7 +86,7 @@ end}
 Summary: The GNU libc libraries
 Name: glibc
 Version: 2.38
-Release: 30%{?dist}
+Release: 31%{?dist}
 License: LGPLv2+ and LGPLv2+ with exceptions and GPLv2+ and GPLv2+ with exceptions and BSD and Inner-Net and ISC and Public Domain and GFDL
 URL: http://www.gnu.org/software/glibc/
@@ -117,6 +117,7 @@ Patch0016: https://github.com/sailfishos-mirror/glibc/commit/950891b5e7a5307272d
 Patch0017: https://github.com/sailfishos-mirror/glibc/commit/6fd215d6ae9a4a6e75f7ea18d89db6a10f158eaf.patch
 Patch0018: CVE-2025-0395-Fix-underallocation-of-abort_msg_s-struct-CVE-2025-0.patch
 Patch0019: backport-assert-Add-test-for-CVE-2025-0395.patch
+Patch0020: CVE-2025-4802-elf-Ignore-LD_LIBRARY_PATH-and-debug-env-var-for-set.patch
 Patch3000: glibc-python3.patch
@@ -1034,6 +1035,10 @@ update_gconv_modules_cache ()
 %endif
 %changelog
+* Mon May 26 2025 Shuo Wang - 2.38-31
+- fix CVE-2025-4802
+- elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static
+
 * Wed May 21 2025 xiajiamei - 2.38-30
 - backport x86-Add-new-architecture-type-for-Hygon-processors.patch
 - backport x86-Add-cache-information-support-for-Hygon-processo.patch
--
Gitee
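Review bot: The relocated `if (__libc_enable_secure)` block in the elf/dl-support.c hunk at -285,6 +283,22 is now order-critical, because it has to run before the `getenv ("LD_WARN")` and `getenv ("LD_LIBRARY_PATH")` reads that follow it, yet it carries no comment saying so. A later reshuffle could quietly bring the bug back, so I would put `/* Must precede every getenv below: strips UNSECURE_ENVVARS when __libc_enable_secure is set. */` directly above it. Whether the "debug env var" half of the subject takes effect also depends on `LD_WARN` being listed in `UNSECURE_ENVVARS`, which is defined outside this patch; since the backport note already names one missing prerequisite commit, it is worth confirming the 2.38 list before treating that part as fixed. The spec carries a separate test backport for CVE-2025-0395 (Patch0019) but nothing comparable here, so a regression test asserting that a static set-ID binary ignores `LD_LIBRARY_PATH` would guard this backport. `_dl_non_dynamic_init` begins and ends outside the hunks shown.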