[AutoPR- Security] Patch glibc for CVE-2026-0861, CVE-2026-0915 [MEDIUM] (#15522)

Signed-off-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>

Author: 3 people

SPECS-EXTENDED/buildah/buildah.spec

@@ -30,7 +30,7 @@ Epoch: 0
 Version: 1.41.4
 # The `AND` needs to be uppercase in the License for SPDX compatibility
 License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MPL-2.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 ExclusiveArch: aarch64 ppc64le s390x x86_64
@@ -43,7 +43,7 @@ BuildRequires: device-mapper-devel
 BuildRequires: git-core
 BuildRequires: golang >= 1.16.6
 BuildRequires: glib2-devel
-BuildRequires: glibc-static >= 2.38-16%{?dist}
+BuildRequires: glibc-static >= 2.38-17%{?dist}
 %if !%{defined gobuild}
 BuildRequires: go-rpm-macros
 %endif
@@ -173,6 +173,9 @@ make test-unit
 %{_datadir}/%{name}/test
 
 %changelog
+* Mon Jan 19 2026 Kanishk Bansal <kanbansal@microsoft.com> - 0:1.41.4-5
+- Bump to rebuild with updated glibc
+
 * Mon Nov 10 2025 Andrew Phelps <anphel@microsoft.com> - 0:1.41.4-4
 - Bump to rebuild with updated glibc
 

SPECS-EXTENDED/catatonit/catatonit.spec

@@ -3,7 +3,7 @@ Distribution:   Azure Linux
 
 Name: catatonit
 Version: 0.1.7
-Release: 24%{?dist}
+Release: 25%{?dist}
 Summary: A signal-forwarding process manager for containers
 License: GPLv3+
 URL: https://github.com/openSUSE/catatonit
@@ -13,7 +13,7 @@ BuildRequires: automake
 BuildRequires: file
 BuildRequires: gcc
 BuildRequires: git
-BuildRequires: glibc-static >= 2.38-16%{?dist}
+BuildRequires: glibc-static >= 2.38-17%{?dist}
 BuildRequires: libtool
 BuildRequires: make
 
@@ -61,6 +61,9 @@ ln -s %{_libexecdir}/%{name}/%{name} %{buildroot}%{_libexecdir}/podman/%{name}
 %{_libexecdir}/podman/%{name}
 
 %changelog
+* Mon Jan 19 2026 Kanishk Bansal <kanbansal@microsoft.com> - 0.1.7-25
+- Bump to rebuild with updated glibc
+
 * Mon Nov 10 2025 Andrew Phelps <anphel@microsoft.com> - 0.1.7-24
 - Bump to rebuild with updated glibc
 

SPECS-EXTENDED/crun/crun.spec

@@ -12,7 +12,7 @@
 Summary:       OCI runtime written in C
 Name:          crun
 Version:       1.24
-Release:       1%{?dist}
+Release:       2%{?dist}
 Vendor:        Microsoft Corporation
 Distribution:  Azure Linux
 URL:           https://github.com/containers/%{name}
@@ -48,7 +48,7 @@ BuildRequires: wasmedge-devel
 %endif
 
 BuildRequires: python
-BuildRequires: glibc-static >= 2.38-16%{?dist}
+BuildRequires: glibc-static >= 2.38-17%{?dist}
 Provides:      oci-runtime
 
 %description
@@ -114,6 +114,9 @@ rm -rf %{buildroot}%{_prefix}/lib*
 %endif
 
 %changelog
+* Mon Jan 19 2026 Kanishk Bansal <kanbansal@microsoft.com> - 1.24-2
+- Bump to rebuild with updated glibc
+
 * Fri Nov 07 2025 Sandeep Karambelkar <skarambelkar@microsoft.com> - 1.24-1
 - Initial Azure Linux import from Fedora 42 (license: MIT).
 - Modified for building in azurelinux

SPECS-EXTENDED/dyninst/dyninst.spec

@@ -1,7 +1,7 @@
 Summary: An API for Run-time Code Generation
 License: LGPLv2+
 Name: dyninst
-Release: 26%{?dist}
+Release: 27%{?dist}
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 URL: http://www.dyninst.org
@@ -31,7 +31,7 @@ BuildRequires: tbb tbb-devel
 
 # Extra requires just for the testsuite
 BuildRequires: gcc-gfortran libstdc++-static libxml2-devel
-BuildRequires: glibc-static >= 2.38-16%{?dist}
+BuildRequires: glibc-static >= 2.38-17%{?dist}
 
 # Testsuite files should not provide/require anything
 %{?filter_setup:
@@ -194,6 +194,9 @@ echo "%{_libdir}/dyninst" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 %attr(644,root,root) %{_libdir}/dyninst/testsuite/*.a
 
 %changelog
+* Mon Jan 19 2026 Kanishk Bansal <kanbansal@microsoft.com> - 10.1.0-27
+- Bump to rebuild with updated glibc
+
 * Mon Nov 10 2025 Andrew Phelps <anphel@microsoft.com> - 10.1.0-26
 - Bump to rebuild with updated glibc
 

SPECS-EXTENDED/podman/podman.spec

@@ -31,7 +31,7 @@ Epoch: 0
 # If you're reading this on dist-git, the version is automatically filled in by Packit.
 Version: 5.6.1
 License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MPL-2.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 ExclusiveArch: aarch64 ppc64le s390x x86_64 riscv64
 Summary: Manage Pods, Containers and Container Images
 Vendor:         Microsoft Corporation
@@ -48,7 +48,7 @@ BuildRequires: btrfs-progs-devel
 BuildRequires: gcc
 BuildRequires: glib2-devel
 BuildRequires: glibc-devel
-BuildRequires: glibc-static >= 2.38-16%{?dist}
+BuildRequires: glibc-static >= 2.38-17%{?dist}
 BuildRequires: golang
 BuildRequires: git-core
 
@@ -298,6 +298,9 @@ make localunit
 
 # rhcontainerbot account currently managed by lsm5
 %changelog
+* Mon Jan 19 2026 Kanishk Bansal <kanbansal@microsoft.com> - 0:5.6.1-6
+- Bump to rebuild with updated glibc
+
 * Thu Dec 18 2025 Sandeep Karambelkar <skarambelkar@microsoft.com> - 0:5.6.1-5
 - Fix install issues
 - Add runtime required packages for installation along with podman

SPECS/busybox/busybox.spec

@@ -1,7 +1,7 @@
 Summary:        Statically linked binary providing simplified versions of system commands
 Name:           busybox
 Version:        1.36.1
-Release:        19%{?dist}
+Release:        20%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -19,7 +19,7 @@ Patch5:         CVE-2023-42366.patch
 Patch6:         CVE-2023-39810.patch
 Patch7:         CVE-2022-48174.patch
 BuildRequires:  gcc
-BuildRequires:  glibc-static >= 2.38-16%{?dist}
+BuildRequires:  glibc-static >= 2.38-17%{?dist}
 BuildRequires:  libselinux-devel >= 1.27.7-2
 BuildRequires:  libsepol-devel
 %if 0%{?with_check}
@@ -106,6 +106,9 @@ SKIP_KNOWN_BUGS=1 ./runtest
 %{_mandir}/man1/busybox.petitboot.1.gz
 
 %changelog
+* Mon Jan 19 2026 Kanishk Bansal <kanbansal@microsoft.com> - 1.36.1-20
+- Bump to rebuild with updated glibc
+
 * Mon Nov 10 2025 Andrew Phelps <anphel@microsoft.com> - 1.36.1-19
 - Bump to rebuild with updated glibc
 

SPECS/flannel/flannel.spec

@@ -3,7 +3,7 @@
 Summary:        Simple and easy way to configure a layer 3 network fabric designed for Kubernetes
 Name:           flannel
 Version:        0.24.2
-Release:        22%{?dist}
+Release:        23%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -19,7 +19,7 @@ Patch4:         CVE-2024-51744.patch
 Patch5:         CVE-2025-65637.patch
 BuildRequires:  gcc
 BuildRequires:  glibc-devel
-BuildRequires:  glibc-static >= 2.38-16%{?dist}
+BuildRequires:  glibc-static >= 2.38-17%{?dist}
 BuildRequires:  golang < 1.25
 BuildRequires:  kernel-headers
 
@@ -53,6 +53,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./dist/flanneld
 %{_bindir}/flanneld
 
 %changelog
+* Mon Jan 19 2026 Kanishk Bansal <kanbansal@microsoft.com> - 0.24.2-23
+- Bump to rebuild with updated glibc
+
 * Mon Dec 08 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.24.2-22
 - Patch for CVE-2025-65637
 

SPECS/glibc/CVE-2026-0861.patch

@@ -0,0 +1,90 @@
+From 320a9e12e379c819fb3bfe14590d0f8bdff20115 Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar <siddhesh@gotplt.org>
+Date: Thu, 15 Jan 2026 06:06:40 -0500
+Subject: [PATCH] memalign: reinstate alignment overflow check (CVE-2026-0861)
+
+The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
+overflow check for alignment in memalign functions, _mid_memalign and
+_int_memalign.  Reinstate the overflow check in _int_memalign, aligned
+with the PTRDIFF_MAX change since that is directly responsible for the
+CVE.  The missing _mid_memalign check is not relevant (and does not have
+a security impact) and may need a different approach to fully resolve,
+so it has been omitted.
+
+CVE-Id: CVE-2026-0861
+Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
+Reported-by: Igor Morgenstern, Aisle Research
+Fixes: BZ #33796
+Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
+Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
+(cherry picked from commit c9188d333717d3ceb7e3020011651f424f749f93)
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/bminor/glibc/commit/744b63026a29f7eedbbc8e3a01a7f48a6eb0a085.patch
+---
+ malloc/malloc.c               |  7 +++++--
+ malloc/tst-malloc-too-large.c | 10 ++--------
+ 2 files changed, 7 insertions(+), 10 deletions(-)
+
+diff --git a/malloc/malloc.c b/malloc/malloc.c
+index d0bbbf37..70bf56d1 100644
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -5042,7 +5042,7 @@ _int_memalign (mstate av, size_t alignment, size_t bytes)
+   INTERNAL_SIZE_T size;
+ 
+   nb = checked_request2size (bytes);
+-  if (nb == 0)
++  if (nb == 0 || alignment > PTRDIFF_MAX)
+     {
+       __set_errno (ENOMEM);
+       return NULL;
+@@ -5058,7 +5058,10 @@ _int_memalign (mstate av, size_t alignment, size_t bytes)
+      we don't find anything in those bins, the common malloc code will
+      scan starting at 2x.  */
+ 
+-  /* Call malloc with worst case padding to hit alignment. */
++  /* Call malloc with worst case padding to hit alignment.  ALIGNMENT is a
++     power of 2, so it tops out at (PTRDIFF_MAX >> 1) + 1, leaving plenty of
++     space to add MINSIZE and whatever checked_request2size adds to BYTES to
++     get NB.  Consequently, total below also does not overflow.  */
+   m = (char *) (_int_malloc (av, nb + alignment + MINSIZE));
+ 
+   if (m == 0)
+diff --git a/malloc/tst-malloc-too-large.c b/malloc/tst-malloc-too-large.c
+index 5be6800b..206184ac 100644
+--- a/malloc/tst-malloc-too-large.c
++++ b/malloc/tst-malloc-too-large.c
+@@ -151,7 +151,6 @@ test_large_allocations (size_t size)
+ }
+ 
+ 
+-static long pagesize;
+ 
+ /* This function tests the following aligned memory allocation functions
+    using several valid alignments and precedes each allocation test with a
+@@ -170,8 +169,8 @@ test_large_aligned_allocations (size_t size)
+ 
+   /* All aligned memory allocation functions expect an alignment that is a
+      power of 2.  Given this, we test each of them with every valid
+-     alignment from 1 thru PAGESIZE.  */
+-  for (align = 1; align <= pagesize; align *= 2)
++     alignment for the type of ALIGN, i.e. until it wraps to 0.  */
++  for (align = 1; align > 0; align <<= 1)
+     {
+       test_setup ();
+ #if __GNUC_PREREQ (7, 0)
+@@ -264,11 +263,6 @@ do_test (void)
+   DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
+ #endif
+ 
+-  /* Aligned memory allocation functions need to be tested up to alignment
+-     size equivalent to page size, which should be a power of 2.  */
+-  pagesize = sysconf (_SC_PAGESIZE);
+-  TEST_VERIFY_EXIT (powerof2 (pagesize));
+-
+   /* Loop 1: Ensure that all allocations with SIZE close to SIZE_MAX, i.e.
+      in the range (SIZE_MAX - 2^14, SIZE_MAX], fail.
+ 
+-- 
+2.45.4
+

SPECS/glibc/CVE-2026-0915.patch

@@ -0,0 +1,79 @@
+From ab36888721c2d315887b6056f996218dc689168f Mon Sep 17 00:00:00 2001
+From: Carlos O'Donell <carlos@redhat.com>
+Date: Thu, 15 Jan 2026 15:09:38 -0500
+Subject: [PATCH] resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915)
+
+The default network value of zero for net was never tested for and
+results in a DNS query constructed from uninitialized stack bytes.
+The solution is to provide a default query for the case where net
+is zero.
+
+Adding a test case for this was straight forward given the existence of
+tst-resolv-network and if the test is added without the fix you observe
+this failure:
+
+FAIL: resolv/tst-resolv-network
+original exit status 1
+error: tst-resolv-network.c:174: invalid QNAME: \146\218\129\128
+error: 1 test failures
+
+With a random QNAME resulting from the use of uninitialized stack bytes.
+
+After the fix the test passes.
+
+Additionally verified using wireshark before and after to ensure
+on-the-wire bytes for the DNS query were as expected.
+
+No regressions on x86_64.
+
+Reviewed-by: Florian Weimer <fweimer@redhat.com>
+(cherry picked from commit e56ff82d5034ec66c6a78f517af6faa427f65b0b)
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/bminor/glibc/commit/49125ffc8e1674dc2a100dfdc5b78796f22e16f2.patch
+---
+ resolv/nss_dns/dns-network.c | 4 ++++
+ resolv/tst-resolv-network.c  | 6 ++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
+index 1e6511a4..4c365660 100644
+--- a/resolv/nss_dns/dns-network.c
++++ b/resolv/nss_dns/dns-network.c
+@@ -207,6 +207,10 @@ _nss_dns_getnetbyaddr_r (uint32_t net, int type, struct netent *result,
+       sprintf (qbuf, "%u.%u.%u.%u.in-addr.arpa", net_bytes[3], net_bytes[2],
+ 	       net_bytes[1], net_bytes[0]);
+       break;
++    default:
++      /* Default network (net is originally zero).  */
++      strcpy (qbuf, "0.0.0.0.in-addr.arpa");
++      break;
+     }
+ 
+   net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024);
+diff --git a/resolv/tst-resolv-network.c b/resolv/tst-resolv-network.c
+index ada71371..19b847d8 100644
+--- a/resolv/tst-resolv-network.c
++++ b/resolv/tst-resolv-network.c
+@@ -46,6 +46,9 @@ handle_code (const struct resolv_response_context *ctx,
+ {
+   switch (code)
+     {
++    case 0:
++      send_ptr (b, qname, qclass, qtype, "0.in-addr.arpa");
++      break;
+     case 1:
+       send_ptr (b, qname, qclass, qtype, "1.in-addr.arpa");
+       break;
+@@ -265,6 +268,9 @@ do_test (void)
+                 "error: TRY_AGAIN\n");
+ 
+   /* Lookup by address, success cases.  */
++  check_reverse (0,
++                 "name: 0.in-addr.arpa\n"
++                 "net: 0x00000000\n");
+   check_reverse (1,
+                  "name: 1.in-addr.arpa\n"
+                  "net: 0x00000001\n");
+-- 
+2.45.4
+

SPECS/glibc/glibc.spec

@@ -10,7 +10,7 @@
 Summary:        Main C library
 Name:           glibc
 Version:        2.38
-Release:        16%{?dist}
+Release:        17%{?dist}
 License:        BSD AND GPLv2+ AND Inner-Net AND ISC AND LGPLv2+ AND MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -53,6 +53,8 @@ Patch22:        CVE-2025-8058.patch
 
 # Patches for testing
 Patch100:       0001-Remove-Wno-format-cflag-from-tests.patch
+Patch101:       CVE-2026-0861.patch
+Patch102:       CVE-2026-0915.patch
 
 BuildRequires:  bison
 BuildRequires:  gawk
@@ -382,6 +384,9 @@ grep "^FAIL: string/test-mempcpy" tests.sum >/dev/null && n=$((n+1)) ||:
 %exclude %{_libdir}/locale/C.utf8
 
 %changelog
+* Mon Jan 19 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.38-17
+- Patch for CVE-2026-0861, CVE-2026-0915
+
 * Fri Nov 07 2025 Andrew Phelps <anphel@microsoft.com> - 2.38-16
 - Ignore additional expected package test failures