From 298426b280623bf478de0206cde95ce5a4636cc4 Mon Sep 17 00:00:00 2001 From: mgb01105731 Date: Wed, 13 Aug 2025 09:57:42 +0800 Subject: [PATCH] Add patch to fix CVE-2024-33599,CVE-2024-33600 --- 0093-fix-cve-2024-33599.patch | 33 +++++++++++++++ 0094-fix-cve-2024-33600.patch | 75 +++++++++++++++++++++++++++++++++++ glibc.spec | 10 ++++- 3 files changed, 117 insertions(+), 1 deletion(-) create mode 100644 0093-fix-cve-2024-33599.patch create mode 100644 0094-fix-cve-2024-33600.patch diff --git a/0093-fix-cve-2024-33599.patch b/0093-fix-cve-2024-33599.patch new file mode 100644 index 0000000..a99868f --- /dev/null +++ b/0093-fix-cve-2024-33599.patch @@ -0,0 +1,33 @@ +From 4472b1141766bec30d6bf984e01de73396303380 Mon Sep 17 00:00:00 2001 +Florian Weimer +Date: Tue, 19 Nov 2024 17:02:06 +0800 +Subject: [PATCH 1/2] fix-cve-2024-33599 + +--- + nscd/netgroupcache.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c +index 06b7d7b6..05623086 100644 +--- a/nscd/netgroupcache.c ++++ b/nscd/netgroupcache.c +@@ -502,12 +502,13 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + = (struct indataset *) mempool_alloc (db, + sizeof (*dataset) + req->key_len, + 1); +- struct indataset dataset_mem; + bool cacheable = true; + if (__glibc_unlikely (dataset == NULL)) + { + cacheable = false; +- dataset = &dataset_mem; ++ /* The alloca is safe because nscd_run_worker verfies that ++ key_len is not larger than MAXKEYLEN. */ ++ dataset = alloca (sizeof (*dataset) + req->key_len); + } + + datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len, +-- +2.27.0 + + diff --git a/0094-fix-cve-2024-33600.patch b/0094-fix-cve-2024-33600.patch new file mode 100644 index 0000000..80cae46 --- /dev/null +++ b/0094-fix-cve-2024-33600.patch @@ -0,0 +1,75 @@ +From c35ef5ed25ba47bbb301e0902e305734a166a786 Mon Sep 17 00:00:00 2001 +Florian Weimer +Date: Tue, 19 Nov 2024 17:14:24 +0800 +Subject: [PATCH 2/2] fix-cve-2024-33600 + +--- + nscd/netgroupcache.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c +index 05623086..ef87c2b0 100644 +--- a/nscd/netgroupcache.c ++++ b/nscd/netgroupcache.c +@@ -147,7 +147,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + /* No such service. */ + cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout, + &key_copy); +- goto writeout; ++ goto maybe_cache_add; + } + + memset (&data, '\0', sizeof (data)); +@@ -410,14 +410,11 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + } + + if (he == NULL && fd != -1) +- { +- /* We write the dataset before inserting it to the database +- since while inserting this thread might block and so would +- unnecessarily let the receiver wait. */ +- writeout: ++ /* We write the dataset before inserting it to the database ++ since while inserting this thread might block and so would ++ unnecessarily let the receiver wait. */ + writeall (fd, &dataset->resp, dataset->head.recsize); +- } +- ++maybe_cache_add: + if (cacheable) + { + /* If necessary, we also propagate the data to disk. */ +@@ -513,14 +510,15 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + + datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len, + sizeof (innetgroup_response_header), +- he == NULL ? 0 : dh->nreloads + 1, result->head.ttl); ++ he == NULL ? 0 : dh->nreloads + 1, ++ result == NULL ? db->negtimeout : result->head.ttl); + /* Set the notfound status and timeout based on the result from + getnetgrent. */ +- dataset->head.notfound = result->head.notfound; ++ dataset->head.notfound = result == NULL || result->head.notfound; + dataset->head.timeout = timeout; + + dataset->resp.version = NSCD_VERSION; +- dataset->resp.found = result->resp.found; ++ dataset->resp.found = result != NULL && result->resp.found; + /* Until we find a matching entry the result is 0. */ + dataset->resp.result = 0; + +@@ -568,7 +566,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + goto out; + } + +- if (he == NULL) ++ /* addgetnetgrentX may have already sent a notfound response. Do ++ not send another one. */ ++ if (he == NULL && dataset->resp.found) + { + /* We write the dataset before inserting it to the database + since while inserting this thread might block and so would +-- +2.27.0 + + diff --git a/glibc.spec b/glibc.spec index 58b2090..b0a590b 100644 --- a/glibc.spec +++ b/glibc.spec @@ -1,4 +1,4 @@ -%define anolis_release 13 +%define anolis_release 14 %bcond_without testsuite %bcond_without benchtests @@ -111,6 +111,11 @@ Patch0192: 1094-Fix-CVE-2025-0395.patch Patch0193: 1095-fix-CVE-2025-4802.patch # https://sourceware.org/git/?p=glibc.git;a=commit;h=7ea06e994093fa0bcca0d0ee2c1db271d8d7885d Patch0194: 0092-CVE-2025-8058.patch +# https://sourceware.org/git/?p=glibc.git;a=commit;h=87801a8fd06db1d654eea3e4f7626ff476a9bdaa +Patch0195: 0093-fix-cve-2024-33599.patch +# https://sourceware.org/git/?p=glibc.git;a=commit;h=b048a482f088e53144d26a61c390bed0210f49f2 +# https://sourceware.org/git/?p=glibc.git;a=commit;h=7835b00dbce53c3c87bbbb1754a95fb5e58187aa +Patch0196: 0094-fix-cve-2024-33600.patch Patch3062: 3062-Sw64-Add-Sw64-entries-to-config.h.in.patch Patch3063: 3063-Sw64-Add-relocations-and-ELF-flags-to-elf.h-and-scri.patch @@ -1199,6 +1204,9 @@ update_gconv_modules_cache () %{_libdir}/libpthread_nonshared.a %changelog +* Wed Aug 13 2025 mgb01105731 - 2.38-14 +- Add patch to fix CVE-2024-33599,CVE-2024-33600 + * Mon Aug 04 2025 wenxin - 2.38-13 - Add patch to fix CVE-2025-8058 -- Gitee