Opened 4 days ago
Last modified 28 hours ago
#5930 new enhancement
fix CVE-2026-4046, CVE-2026-5450, and CVE-2026-5928 in glibc
| Reported by: | Xi Ruoyao | Owned by: | SecurityAdvisory |
|---|---|---|---|
| Priority: | high | Milestone: | 13.1 |
| Component: | Book | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
I'm really not a fan of "AI assisted" security vulnerability mining but ... it already happens.
I've uploaded a consolidated patch containing the fixes for them, the fixes for two prior vulnerabilities (currently as a sed command in the book), and two fixes for Linux 7.0 so we can use it in the mid-May update.
There are also CVE-2026-5435 and CVE-2026-6238, but they are not committed upstream yet and they only affect some interfaces deprecated for years, so I didn't include them here. If the fixes get committed before the mid-May update we can append them to the patch.
Change History (5)
comment:1 by , 4 days ago
comment:2 by , 3 days ago
I need clarification.
In chapter 5 we use glibc-fhs-1.patch. Is that still needed? I think yes, but I'm not sure. Is the glibc-2.43-consolidated-1.patch needed in chapter 5? I think no, but again I'm not sure. It probably wouldn't hurt though.
In Chapter 8, we now have a sed and the fhs patch. Are they still needed in addition to the glibc-2.43-consolidated-1.patch? My understanding is that the sed is incorporated into the consolidated patch and the fhs patch is not. Correct?
comment:3 by , 3 days ago
The consolidated patch will be needed in Chapter 5, otherwise we can't build glibc against the Linux 7 API headers.
comment:4 by , 3 days ago
Yes, the sed is in the patch but the FHS patch is not.
comment:5 by , 28 hours ago
| Owner: | changed from to |
|---|---|
Fixed at commit 6d990d4871. Leaving open for security advisory.

https://linuxfromscratch.org/patches/downloads/glibc/glibc-2.43-consolidated-1.patch