glibc: Fix nscd breakage and patch CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 (#9051)

This commit does 3 things: address ipv6 breakage with nscd due to previous CVE fix, reformat previous CVE patches, and patch 4 new CVEs

The ipv6 w/ nscd breakage was due to CVE-2023-4806's patch and caused wrong results with IPv6 addresses when using nscd. The patch mixes up the variables i and count. Therefore backport the fix (227c903).

Additionally, the above fix highlighted that our original patches for CVE-2023-4806 and CVE-2023-5156 were malformed. Specifically, the CVE-2023-4806 patch which updates "/sysdeps/posix/getaddrinfo.c.” to latest from glibc-2.35 (commit 17092c0) did not include the changes to other files (mostly additional tests so impact was low) but did partially include CVE-2023-5156's changes. To fix, regenerate both patches based on commits from upstream stable 2.35.

Finally, this PR applies patches for CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602

Author: rlmenge

SPECS-EXTENDED/buildah/buildah.spec

@@ -21,7 +21,7 @@
 Summary:        A command line tool used for creating OCI Images
 Name:           buildah
 Version:        1.18.0
-Release:        22%{?dist}
+Release:        23%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -32,7 +32,7 @@ BuildRequires:  btrfs-progs-devel
 BuildRequires:  device-mapper-devel
 BuildRequires:  git
 BuildRequires:  glib2-devel
-BuildRequires:  glibc-static >= 2.35-6%{?dist}
+BuildRequires:  glibc-static >= 2.35-7%{?dist}
 BuildRequires:  go-md2man
 BuildRequires:  go-rpm-macros
 BuildRequires:  golang
@@ -123,6 +123,9 @@ cp imgtype %{buildroot}/%{_bindir}/%{name}-imgtype
 %{_datadir}/%{name}/test
 
 %changelog
+* Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 1.18.0-23
+- Bump release to rebuild against glibc 2.35-7
+
 * Fri Feb 02 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.18.0-22
 - Bump release to rebuild with go 1.21.6
 

SPECS-EXTENDED/catatonit/catatonit.spec

@@ -3,7 +3,7 @@ Distribution:   Mariner
 
 Name: catatonit
 Version: 0.1.7
-Release: 9%{?dist}
+Release: 10%{?dist}
 Summary: A signal-forwarding process manager for containers
 License: GPLv3+
 URL: https://github.com/openSUSE/catatonit
@@ -13,7 +13,7 @@ BuildRequires: automake
 BuildRequires: file
 BuildRequires: gcc
 BuildRequires: git
-BuildRequires: glibc-static >= 2.35-6%{?dist}
+BuildRequires: glibc-static >= 2.35-7%{?dist}
 BuildRequires: libtool
 BuildRequires: make
 
@@ -61,6 +61,9 @@ ln -s %{_libexecdir}/%{name}/%{name} %{buildroot}%{_libexecdir}/podman/%{name}
 %{_libexecdir}/podman/%{name}
 
 %changelog
+* Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 0.1.7-10
+- Bump release to rebuild against glibc 2.35-7
+
 * Wed Oct 04 2023 Minghe Ren <mingheren@microsoft.com> - 0.1.7-9
 - Bump release to rebuild against glibc 2.35-6
 

SPECS-EXTENDED/dyninst/dyninst.spec

@@ -1,7 +1,7 @@
 Summary: An API for Run-time Code Generation
 License: LGPLv2+
 Name: dyninst
-Release: 11%{?dist}
+Release: 12%{?dist}
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL: http://www.dyninst.org
@@ -31,7 +31,7 @@ BuildRequires: tbb tbb-devel
 
 # Extra requires just for the testsuite
 BuildRequires: gcc-gfortran libstdc++-static libxml2-devel
-BuildRequires: glibc-static >= 2.35-6%{?dist}
+BuildRequires: glibc-static >= 2.35-7%{?dist}
 
 # Testsuite files should not provide/require anything
 %{?filter_setup:
@@ -194,6 +194,9 @@ echo "%{_libdir}/dyninst" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 %attr(644,root,root) %{_libdir}/dyninst/testsuite/*.a
 
 %changelog
+* Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 10.1.0-12
+- Bump release to rebuild against glibc 2.35-7
+
 * Wed Oct 04 2023 Minghe Ren <mingheren@microsoft.com> - 10.1.0-11
 - Bump release to rebuild against glibc 2.35-6
 

SPECS-EXTENDED/podman/podman.spec

@@ -36,7 +36,7 @@
 
 Name:           podman
 Version:        4.1.1
-Release:        19%{?dist}
+Release:        20%{?dist}
 License:        ASL 2.0 and BSD and ISC and MIT and MPLv2.0
 Summary:        Manage Pods, Containers and Container Images
 Vendor:         Microsoft Corporation
@@ -51,7 +51,7 @@ BuildRequires:  go-md2man
 BuildRequires:  golang
 BuildRequires:  gcc
 BuildRequires:  glib2-devel
-BuildRequires:  glibc-static >= 2.35-6%{?dist}
+BuildRequires:  glibc-static >= 2.35-7%{?dist}
 BuildRequires:  git
 BuildRequires:  go-rpm-macros
 BuildRequires:  gpgme-devel
@@ -387,6 +387,9 @@ cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/
 
 # rhcontainerbot account currently managed by lsm5
 %changelog
+* Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 4.1.1-20
+- Bump release to rebuild against glibc 2.35-7
+
 * Fri Feb 02 2024 Muhammad Falak <mwani@microsoft.com> - 4.1.1-19
 - Bump release to rebuild with go 1.21.6
 - Bump version of gvproxy to enable build with go1.21

SPECS/busybox/busybox.spec

@@ -1,7 +1,7 @@
 Summary:        Statically linked binary providing simplified versions of system commands
 Name:           busybox
 Version:        1.35.0
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -18,7 +18,7 @@ Patch5:         ash-fix-use-after-free-in-bash-pattern-substitution.patch
 Patch6:         selinux-copy-file.patch
 Patch7:         selinux-cp-a.patch
 BuildRequires:  gcc
-BuildRequires:  glibc-static >= 2.35-6%{?dist}
+BuildRequires:  glibc-static >= 2.35-7%{?dist}
 BuildRequires:  libselinux-devel >= 1.27.7-2
 BuildRequires:  libsepol-devel
 # libbb/hash_md5_sha.c
@@ -96,6 +96,9 @@ install -m 644 docs/busybox.petitboot.1 %{buildroot}/%{_mandir}/man1/busybox.pet
 %{_mandir}/man1/busybox.petitboot.1.gz
 
 %changelog
+* Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 1.35.0-10
+- Bump release to rebuild against glibc 2.35-7
+
 * Thu Nov 16 2023 Chris PeBenito <chpebeni@microsoft.com> - 1.35.0-9
 - Enable SELinux features.
 - Improve SELinux behavior for copy funtions.

SPECS/flannel/flannel.spec

@@ -4,7 +4,7 @@
 Summary:        Simple and easy way to configure a layer 3 network fabric designed for Kubernetes
 Name:           flannel
 Version:        0.14.0
-Release:        21%{?dist}
+Release:        22%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -16,7 +16,7 @@ Patch0:         CVE-2021-44716.patch
 
 BuildRequires:  gcc
 BuildRequires:  glibc-devel
-BuildRequires:  glibc-static >= 2.35-6%{?dist}
+BuildRequires:  glibc-static >= 2.35-7%{?dist}
 BuildRequires:  golang >= 1.18.5
 BuildRequires:  kernel-headers
 
@@ -49,6 +49,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./dist/flanneld
 %{_bindir}/flanneld
 
 %changelog
+* Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 0.10.0-22
+- Bump release to rebuild against glibc 2.35-7
+
 * Mon Feb 05 2024 Osama Esmail <osamaesmail@microsoft.com> - 0.14.0-21
 - Patching CVE-2021-44716