Opened 4 days ago

Last modified 28 hours ago

#5930 new enhancement

fix CVE-2026-4046, CVE-2026-5450, and CVE-2026-5928 in glibc

Reported by: Xi Ruoyao
Owned by: SecurityAdvisory
Priority: high
Milestone: 13.1
Component: Book
Version: git
Severity: normal
Keywords:
Cc:

Description

I'm really not a fan of "AI assisted" security vulnerability mining but ... it already happens.

I've uploaded a consolidated patch containing the fixes for them, the fixes for two prior vulnerabilities (currently as a sed command in book), and two fixes for Linux 7.0 so we can use it in mid-May update.

There are also CVE-2026-5435 and CVE-2026-6238, but they are not committed upstream yet and they only affect some interfaces deprecated for years, so I didn't include them here. If the fixes get committed before the mid-May update, we can append them to the patch.

Change History (5)

comment:2 by Bruce Dubbs, 3 days ago

I need clarification.

In chapter 5 we use glibc-fhs-1.patch. Is that still needed? I think yes, but I'm not sure. Is the glibc-2.43-consolidated-1.patch needed in chapter 5? I think no, but again I'm not sure. It probably wouldn't hurt though.

In Chapter 8, we now have a sed and the fhs patch. Are they still needed in addition to the glibc-2.43-consolidated-1.patch? My understanding is that the sed is incorporated into the consolidated patch and the fhs patch is not. Correct?

comment:3 by Douglas R. Reno, 3 days ago

The consolidated patch will be needed in Chapter 5, otherwise we can't build glibc against the Linux 7 API headers.

comment:4 by Xi Ruoyao, 3 days ago

Yes, the sed is in the patch but the FHS patch is not.

(I didn't consolidate the FHS patch because it seems we are supposed to keep the FHS patch for a lot of future glibc versions).

Last edited 3 days ago by Xi Ruoyao

comment:5 by Bruce Dubbs, 28 hours ago

Owner: changed from lfs-book to SecurityAdvisory

Fixed at commit 6d990d4871. Leaving open for security advisory.
