Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package glibc for openSUSE:Factory checked in at 2026-05-13 17:18:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/glibc (Old) and /work/SRC/openSUSE:Factory/.glibc.new.1966 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "glibc" Wed May 13 17:18:18 2026 rev:305 rq:1352665 version:2.43 Changes: -------- --- /work/SRC/openSUSE:Factory/glibc/glibc.changes 2026-05-08 16:43:43.745074877 +0200 +++ /work/SRC/openSUSE:Factory/.glibc.new.1966/glibc.changes 2026-05-13 17:18:20.612811807 +0200 @@ -1,0 +2,8 @@ +Mon May 11 09:00:52 UTC 2026 - Andreas Schwab <[email protected]> + +- ungetwc-byte-stream.patch: libio: Fix ungetwc operating on byte stream + (CVE-2026-5928, bsc#1262464, BZ #33998) +- scanf-mc-buffer-overflow.patch: stdio-common: Fix buffer overflow in + scanf %mc (CVE-2026-5450, bsc#1262465, BZ #34008) + +------------------------------------------------------------------- New: ---- scanf-mc-buffer-overflow.patch ungetwc-byte-stream.patch ----------(New B)---------- New: (CVE-2026-5928, bsc#1262464, BZ #33998) - scanf-mc-buffer-overflow.patch: stdio-common: Fix buffer overflow in scanf %mc (CVE-2026-5450, bsc#1262465, BZ #34008) New: - ungetwc-byte-stream.patch: libio: Fix ungetwc operating on byte stream (CVE-2026-5928, bsc#1262464, BZ #33998) ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ glibc.spec ++++++ --- /var/tmp/diff_new_pack.QCbh8C/_old 2026-05-13 17:18:22.124874462 +0200 +++ /var/tmp/diff_new_pack.QCbh8C/_new 2026-05-13 17:18:22.124874462 +0200 @@ -367,6 +367,10 @@ Patch1013: sys-mount-open-tree-macros.patch # PATCH-FIX-UPSTREAM Use pending character state in IBM1390, IBM1399 character sets (CVE-2026-4046, BZ #33980) Patch1014: ibm139x-pending-char-state.patch +# PATCH-FIX-UPSTREAM libio: Fix ungetwc operating on byte stream (CVE-2026-5928, BZ #33998) +Patch1015: ungetwc-byte-stream.patch +# PATCH-FIX-UPSTREAM stdio-common: Fix buffer overflow in scanf %mc (CVE-2026-5450, BZ #34008) +Patch1016: scanf-mc-buffer-overflow.patch %endif ### ++++++ scanf-mc-buffer-overflow.patch ++++++ >From 839898777226a3ed88c0859f25ffe712519b4ead Mon Sep 17 00:00:00 2001 
From: Rocket Ma <[email protected]> Date: Fri, 17 Apr 2026 23:48:41 -0700 Subject: [PATCH] stdio-common: Fix buffer overflow in scanf %mc [BZ #34008] * stdio-common/vfscanf-internal.c: When enlarging allocated buffer with format %mc or %mC, glibc allocates one byte less, leading to user-controlled one byte overflow. This commit fixes BZ #34008, or CVE-2026-5450. Reviewed-by: Carlos O'Donell <[email protected]> Signed-off-by: Rocket Ma <[email protected]> Reviewed-by: H.J. Lu <[email protected]> --- stdio-common/Makefile | 4 +++ stdio-common/tst-vfscanf-bz34008.c | 48 ++++++++++++++++++++++++++++++ stdio-common/vfscanf-internal.c | 7 ++--- 3 files changed, 55 insertions(+), 4 deletions(-) create mode 100644 stdio-common/tst-vfscanf-bz34008.c diff --git a/stdio-common/Makefile b/stdio-common/Makefile index 210944837e..0c0085e607 100644 --- a/stdio-common/Makefile +++ b/stdio-common/Makefile @@ -349,6 +349,7 @@ tests := \ tst-vfprintf-user-type \ tst-vfprintf-width-i18n \ tst-vfprintf-width-prec-alloc \ + tst-vfscanf-bz34008 \ tst-wc-printf \ tstdiomisc \ tstgetln \ @@ -564,6 +565,9 @@ tst-printf-bz18872-ENV = MALLOC_TRACE=$(objpfx)tst-printf-bz18872.mtrace \ tst-vfprintf-width-prec-ENV = \ MALLOC_TRACE=$(objpfx)tst-vfprintf-width-prec.mtrace \ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so +tst-vfscanf-bz34008-ENV = \ + MALLOC_CHECK_=3 \ + LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so tst-printf-bz25691-ENV = \ MALLOC_TRACE=$(objpfx)tst-printf-bz25691.mtrace \ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so diff --git a/stdio-common/tst-vfscanf-bz34008.c b/stdio-common/tst-vfscanf-bz34008.c new file mode 100644 index 0000000000..48371c8a3d --- /dev/null +++ b/stdio-common/tst-vfscanf-bz34008.c 
@@ -0,0 +1,48 @@ +/* Regression test for vfscanf %Nmc out-of-bound write (BZ #34008) + Copyright (C) 2026 The GNU Toolchain Authors. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <https://www.gnu.org/licenses/>. */ + +#include "malloc/mcheck.h" +#include <stddef.h> +#include <stdio.h> +#include <string.h> +#include <wchar.h> +#include <stdlib.h> +#include <malloc.h> +#include <support/check.h> + +#define WIDTH 0x410 +#define SCANFSTR "%1040mc" +static int +do_test (void) +{ + mcheck_pedantic (NULL); + char *input = malloc (WIDTH + 1); + TEST_VERIFY (input != NULL); + memset (input, 'A', WIDTH); + input[WIDTH] = '\0'; + + char *buf = NULL; + TEST_VERIFY (sscanf (input, SCANFSTR, &buf) != -1); + TEST_VERIFY (buf != NULL); + + free (buf); + free (input); + return 0; +} + +#include <support/test-driver.c> diff --git a/stdio-common/vfscanf-internal.c b/stdio-common/vfscanf-internal.c index 59fc8208aa..3d11ac261e 100644 --- a/stdio-common/vfscanf-internal.c +++ b/stdio-common/vfscanf-internal.c @@ -855,8 +855,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr, { /* Enlarge the buffer. */ size_t newsize - = strsize - + (strsize >= width ? width - 1 : strsize); + = strsize + (strsize >= width ? width : strsize); str = (char *) realloc (*strptr, newsize); if (str == NULL) 
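Review bot: do_test exercises only the narrow `%mc` conversion, while the same commit changes the size computation at three sites in vfscanf-internal.c, two of them on `wchar_t` buffers where the condition also moves from `>` to `>=`; neither wide site has a regression check here. A second case such as `wchar_t *wbuf = NULL; TEST_COMPARE (sscanf (input, "%1040mC", &wbuf), 1); free (wbuf);` would cover at least one of them. The existing assertion `sscanf (...) != -1` also passes when nothing was converted, so `TEST_COMPARE (sscanf (input, SCANFSTR, &buf), 1);` pins the result more tightly. `TEST_VERIFY (input != NULL)` records the failure but still continues into `memset`; `TEST_VERIFY_EXIT` would stop there.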
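Review bot: The corrected growth expression `strsize + (strsize >= width ? width : strsize)` carries no comment stating the invariant that makes it sufficient, and the same expression is repeated in the two `wchar_t` hunks at -929 and -984. Presumably `width` is the number of characters still to be stored at that point, which should be confirmed against the loop outside the hunk. If so, a comment at each site such as `/* WIDTH is the count of characters still to store, so growing by WIDTH leaves room for all of them. */` would make a future off-by-one easier to spot in review. The enclosing `__vfscanf_internal` body, including the `str == NULL` fallback, continues outside the hunk.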
@@ -929,7 +928,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr, && wstr == (wchar_t *) *strptr + strsize) { size_t newsize - = strsize + (strsize > width ? width - 1 : strsize); + = strsize + (strsize >= width ? width : strsize); /* Enlarge the buffer. */ wstr = (wchar_t *) realloc (*strptr, newsize * sizeof (wchar_t)); @@ -984,7 +983,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr, && wstr == (wchar_t *) *strptr + strsize) { size_t newsize - = strsize + (strsize > width ? width - 1 : strsize); + = strsize + (strsize >= width ? width : strsize); /* Enlarge the buffer. */ wstr = (wchar_t *) realloc (*strptr, newsize * sizeof (wchar_t)); -- 2.54.0 ++++++ ungetwc-byte-stream.patch ++++++ >From ef3bfb5f910011f3780cb06aa47e730035f53285 Mon Sep 17 00:00:00 2001 From: Rocket Ma <[email protected]> Date: Fri, 1 May 2026 20:39:07 -0700 Subject: [PATCH] libio: Fix ungetwc operating on byte stream [BZ #33998] * libio/wgenops.c: When _IO_wdefault_pbackfail attempts to push back one character, it accidently compare the wchar to push back with the last char from byte stream, instead of wide stream. Under specific coding, attacker may exploit this to leak information. This commit fix bug 33998, or CVE-2026-5928. Signed-off-by: Rocket Ma <[email protected]> Reviewed-by: Carlos O'Donell <[email protected]> --- libio/Makefile | 1 + libio/bug-wgenops-bz33998.c | 54 +++++++++++++++++++++++++++++++++++++ libio/wgenops.c | 4 +-- 3 files changed, 57 insertions(+), 2 deletions(-) create mode 100644 libio/bug-wgenops-bz33998.c diff --git a/libio/Makefile b/libio/Makefile index 93656466df..6e0627bb88 100644 --- a/libio/Makefile +++ b/libio/Makefile @@ -84,6 +84,7 @@ tests = \ bug-ungetwc1 \ bug-ungetwc2 \ bug-wfflush \ + bug-wgenops-bz33998 \ bug-wmemstream1 \ bug-wsetpos \ test-fmemopen \ diff --git a/libio/bug-wgenops-bz33998.c b/libio/bug-wgenops-bz33998.c new file mode 100644 index 0000000000..cc4067da99 --- /dev/null 
+++ b/libio/bug-wgenops-bz33998.c
@@ -0,0 +1,54 @@
+/* Regression test for ungetwc operating on byte stream (BZ #33998)
+ Copyright (C) 2026 The GNU Toolchain Authors.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include "support/temp_file.h"
+#include "support/xstdio.h"
+#include "support/xunistd.h"
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <stdio.h>
+#include <wchar.h>
+#include <support/check.h>
+
+static int
+do_test (void)
+{
+ char *filename;
+ int fd = create_temp_file ("tst-bz33998-", &filename);
+ TEST_VERIFY (fd != -1);
+ xwrite (fd, "A", sizeof ("A")); // write "A\0" by design
+ xclose (fd);
+
+ FILE *fp = xfopen (filename, "r+");
+ TEST_COMPARE (getwc (fp), L'A');
+ /* If the bug is fixed, then ungetwc should not touch byte stream.
+ If the bug is not fixed, ungetwc firstly match last read char, L'A',
+ failed, then the pbackfail branch, matching last read char in byte
+ stream, that is, '\0' (initialized when setup wide stream). */
+ char *old_read_ptr = fp->_IO_read_ptr;
+ TEST_COMPARE (ungetwc (L'\0', fp), L'\0');
+ TEST_VERIFY (fp->_IO_read_ptr == old_read_ptr);
+
+ xfclose (fp);
+ free (filename);
+
+ return 0;
+}
+
+#include <support/test-driver.c>
diff --git a/libio/wgenops.c b/libio/wgenops.c
index 6829477e0c..5f36bc49a1 100644
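Review bot: The test checks only that the byte-stream `fp->_IO_read_ptr` is unchanged after `ungetwc`; it never verifies that the pushed-back wide character is actually delivered on the next read. Adding `TEST_COMPARE (getwc (fp), L'\0');` after the pointer check would exercise the wide-stream side of the fix as well. `TEST_VERIFY (fd != -1)` records a failure but lets the test continue into `xwrite` with a bad descriptor; `TEST_VERIFY_EXIT (fd != -1);` would stop at the real cause. `<sys/mman.h>` looks unused in the visible code and could be dropped.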
--- a/libio/wgenops.c +++ b/libio/wgenops.c @@ -110,8 +110,8 @@ _IO_wdefault_pbackfail (FILE *fp, wint_t c) { if (fp->_wide_data->_IO_read_ptr > fp->_wide_data->_IO_read_base && !_IO_in_backup (fp) - && (wint_t) fp->_IO_read_ptr[-1] == c) - --fp->_IO_read_ptr; + && (wint_t) fp->_wide_data->_IO_read_ptr[-1] == c) + --fp->_wide_data->_IO_read_ptr; else { /* Need to handle a filebuf in write mode (switch to read mode). FIXME!*/ -- 2.54.0
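Review bot: The corrected condition in `_IO_wdefault_pbackfail` reads and decrements only `fp->_wide_data->_IO_read_ptr`, but nothing in the hunk documents why the byte-stream pointer must stay out of it, which is the confusion this fix corrects. A short comment above the `if`, for example `/* Wide get area only: fp->_IO_read_ptr belongs to the byte stream and must not be compared or moved here. */`, would guard against a repeat. The `else` branch, including the existing FIXME about a filebuf in write mode, continues outside the hunk and is not covered by this note.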
