%bcond_with 32bit

%global security_hardening nonow
%global glibc_target_cpu %{_build}
%global __brp_elfperms /bin/true
%global _ima_sign_command %{nil}

Name:           glibc
Version:        2.42
Release:        3%{?dist}
Summary:        The GNU C Library
Summary(ru):    Основная библиотека GNU C
License:        LGPLv2+ and LGPLv2+ with exceptions and GPLv2+ and GPLv2+ with exceptions and BSD and Inner-Net and ISC and Public Domain and GFDL
URL:            https://www.gnu.org/software/libc/

Source0:        https://ftp.gnu.org/gnu/glibc/glibc-%{version}.tar.xz
Source1:        locale-gen.sh
Source2:        locale-gen.conf
Source3:        macros.ldconfig

Patch0:         glibc-2.41-fhs-1.patch

# NiceOS glibc stable security backports BEGIN
# CVE-2026-0861: memalign: reinstate alignment overflow check (CVE-2026-0861)
Patch1001:      glibc-2.42-1001-CVE-2026-0861-b0ec8fb689df-memalign-reinstate-alignment-overflow-check.patch
# CVE-2026-0915: resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915)
Patch1002:      glibc-2.42-1002-CVE-2026-0915-453e6b8dbab9-resolv-fix-nss-dns-backend-for-getnetbyaddr.patch
# CVE-2025-15281: posix: Reset wordexp_t fields with WRDE_REUSE (CVE-2025-15281 / BZ 33814)
Patch1003:      glibc-2.42-1003-CVE-2025-15281-cbf39c26b258-posix-reset-wordexp-t-fields-with-wrde-reuse-bz-33814.patch
# CVE-2025-15281: posix: Run tst-wordexp-reuse-mem test
Patch1004:      glibc-2.42-1004-CVE-2025-15281-1a19d5a507eb-posix-run-tst-wordexp-reuse-mem-test.patch
# CVE-2026-4437: resolv: Count records correctly (CVE-2026-4437)
Patch1005:      glibc-2.42-1005-CVE-2026-4437-8e863fb1c923-resolv-count-records-correctly.patch
# CVE-2026-4046: Use pending character state in IBM1390, IBM1399 character sets (CVE-2026-4046)
Patch1006:      glibc-2.42-1006-CVE-2026-4046-f13c1bb0f97f-use-pending-character-state-in-ibm1390-ibm1399-character-sets.patch
# CVE-2026-5928: libio: Fix ungetwc operating on byte stream [BZ #33998]
Patch1007:      glibc-2.42-1007-CVE-2026-5928-b4bca35ab9e7-libio-fix-ungetwc-operating-on-byte-stream.patch
# CVE-2026-5450: stdio-common: Fix buffer overflow in scanf %mc [BZ #34008]
Patch1008:      glibc-2.42-1008-CVE-2026-5450-4ebd33dd77ea-stdio-common-fix-buffer-overflow-in-scanf-mc.patch
# NiceOS glibc stable security backports END

Packager:       NICE SOFT GROUP LLC (ООО "НАЙС СОФТ ГРУПП") 5024245440
Vendor:         NiceSOFT
Distribution:   NiceOS.Core
BugURL:         https://bugs.niceos.ru/
VCS:            https://specs.niceos.ru/rpms/%{name}

Provides:       rtld(GNU_HASH)
Provides:       /sbin/ldconfig
Provides:       glibc-common
Provides:       glibc-tools
Provides:       glibc-iconv
Provides:       glibc-i18n

Requires:       filesystem
Requires:       tzdata
Requires:       %{name}-libs = %{version}-%{release}

BuildRequires:  bison
BuildRequires:  procps-ng, util-linux, gawk
BuildRequires:  systemtap-sdt-devel
BuildRequires:  python3 python3-devel
BuildRequires:  make >= 4.0
BuildRequires:  binutils >= 2.30-17
BuildRequires:  diffutils
BuildRequires:  gcc-c++
BuildRequires:  libidn2
BuildRequires:  perl
%if %{with 32bit}
BuildRequires:  lib32-gcc
%endif

%description
The GNU C Library (glibc) is the core C runtime library for GNU/Linux systems.
It provides the standard C library and other essential runtime components
required by most programs.

%description -l ru
GNU C Library (glibc) — базовая библиотека времени выполнения C для GNU/Linux.
Она предоставляет стандартную библиотеку C и другие критически важные
компоненты, необходимые большинству программ.

%package libs
Summary:        GNU C runtime libraries
Summary(ru):    Библиотеки времени выполнения GNU C
Conflicts:      %{name} < 2.36-5

%description -n %{name}-libs
This package contains the shared runtime libraries from glibc that are required
to run programs linked against the GNU C Library.

%description -l ru -n %{name}-libs
Этот подпакет содержит разделяемые библиотеки времени выполнения glibc,
необходимые для запуска программ, скомпилированных с GNU C Library.

%package devel
Summary:        Development files for glibc
Summary(ru):    Файлы для разработки с glibc
Requires:       %{name} = %{version}-%{release}
Provides:       glibc-headers = %{version}-%{release}

%description -n %{name}-devel
This subpackage contains headers and other development files for building
software against the GNU C Library (glibc).

%description -l ru -n %{name}-devel
Этот подпакет содержит заголовочные файлы и другие файлы разработки для сборки
программного обеспечения с использованием GNU C Library (glibc).

%if %{with 32bit}
%{package_32bit}
%endif

%prep
%setup -q
%patch -P 0 -p1
# NiceOS glibc stable security backports apply BEGIN
%patch -P 1001 -p1
%patch -P 1002 -p1
%patch -P 1003 -p1
%patch -P 1004 -p1
%patch -P 1005 -p1
%patch -P 1006 -p1
%patch -P 1007 -p1
%patch -P 1008 -p1
# NiceOS glibc stable security backports apply END
%{__install} -vdm 755 %{_builddir}/%{name}-build

# RU: Не предоставляем (Provides) версии библиотек с символом GLIBC_PRIVATE напрямую.
# EN: Do not explicitly provide versioned libraries with GLIBC_PRIVATE.
%global __find_provides %{_builddir}/%{name}-%{version}/find_provides.sh
%global __find_requires %{_builddir}/%{name}-%{version}/find_requires.sh

# RU: Создаём скрипты find-provides/find-requires, чтобы отфильтровать ошибки GLIBC_PRIVATE.
# EN: Create find-provides/find-requires scripts to filter out GLIBC_PRIVATE noise.
cat > find_provides.sh << _EOF
#! /bin/sh
if [ -d /tools ]; then
  /tools/lib/rpm/find-provides | grep -v GLIBC_PRIVATE
else
  %{_libdir}/rpm/find-provides | grep -v GLIBC_PRIVATE
fi
exit 0
_EOF
chmod +x find_provides.sh

cat > find_requires.sh << _EOF
#! /bin/sh
if [ -d /tools ]; then
  /tools/lib/rpm/find-requires %{buildroot} %{glibc_target_cpu} | grep -v GLIBC_PRIVATE
else
  %{_libdir}/rpm/find-requires %{buildroot} %{glibc_target_cpu} | grep -v GLIBC_PRIVATE
fi
_EOF
chmod +x find_requires.sh

%build
%global optflags_glibc -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fstack-clash-protection -Wformat -Werror=format-security -Wtrampolines -fno-common
%global ldflags_glibc -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack

export CFLAGS="%{optflags_glibc}"
export CXXFLAGS="%{optflags_glibc}"
export LDFLAGS="%{ldflags_glibc}"

mkdir build64
pushd build64
echo "rootsbindir=/usr/sbin" > configparms
%configure64 --prefix=/usr \
    --disable-werror \
    --enable-kernel=5.4 \
    --enable-stack-protector=strong \
    --disable-nscd \
    libc_cv_slibdir=/usr/lib
make %{?_smp_mflags}
popd

%if %{with 32bit}
mkdir build32
pushd build32
echo "rootsbindir=/usr/sbin" > configparms
export CC="gcc -m32"
export CXX="g++ -m32"
../configure \
    --prefix=/usr \
    --host=i686-pc-linux-gnu \
    --build=$(../scripts/config.guess) \
    --enable-kernel=5.4 \
    --disable-nscd \
    --libdir=/usr/lib32 \
    --libexecdir=/usr/lib32 \
    libc_cv_slibdir=/usr/lib32
make %{?_smp_mflags}
%endif

%install
pushd build64
sed '/test-installation/s@$(PERL)@echo not running@' -i ../Makefile
make DESTDIR=%{buildroot} install
sed '/RTLDLIST=/s@/usr@@g' -i %{buildroot}/usr/bin/ldd
find %{buildroot}/usr/lib -type f -name "*.so.*" -print -exec chmod -v 755 {} +
sleep 5
for lib in $(find %{buildroot}/usr/lib -type f -name "*.so.*"); do
    if file "$lib" | grep -q "ELF 32-bit"; then
        echo "ERROR: !!!!Found a 32-bit library in /usr/lib: $lib" >&2
        file "$lib" >&2
        exit 1
    fi
done
popd

%if %{with 32bit}
pushd build32
mkdir -pv %{buildroot}/usr/lib32/
make DESTDIR=$PWD/DESTDIR install
cp -avp DESTDIR/usr/lib32 %{buildroot}/usr/
install -vm644 DESTDIR/usr/include/gnu/{lib-names,stubs}-32.h \
    %{buildroot}/usr/include/gnu/
find %{buildroot}/usr/lib32 -type f -name "*.so.*" -print -exec chmod -v 755 {} +
for lib in $(find %{buildroot}/usr/lib32 -type f -name "*.so.*"); do
    if file "$lib" | grep -q "ELF 64-bit"; then
        echo "ERROR: !!!Found a 64-bit library in /usr/lib32: $lib" >&2
        file "$lib" >&2
        exit 1
    fi
done
popd
%endif

mkdir -pv %{buildroot}/usr/lib/locale
cp -v %{SOURCE2} %{buildroot}%{_sysconfdir}
cp -v %{SOURCE1} %{buildroot}%{_sbindir}
mkdir -pv %{buildroot}/usr/lib/rpm/macros.d/
cp -v %{SOURCE3} %{buildroot}/usr/lib/rpm/macros.d/
rm -rf %{buildroot}%{_infodir}

%if %{with 32bit}
ln -s /usr/lib32/ld-linux.so.2 %{buildroot}/usr/lib/ld-lsb.so.3
ln -s /usr/lib/ld-lsb.so.3 %{buildroot}/usr/lib/ld-linux.so.2
%endif

# RU: Создаём файл конфигурации nsswitch.conf.
# EN: Create the nsswitch.conf configuration file.
cat > %{buildroot}/etc/nsswitch.conf << "EOF"
# RU: Файл создан: ООО "НАЙС СОФТ ГРУПП" 5024245440
# EN: File created by: NICE SOFT GROUP LLC (NICEOS) 5024245440
# RU: Описание: порядок поиска данных о пользователях/группах/хостах и др.
# EN: Description: lookup order for users/groups/hosts and other system databases.
passwd: files systemd
group: files systemd
shadow: files systemd
hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns
networks: files
protocols: files
services: files
ethers: files
rpc: files
EOF

# RU: Создаём базовый файл конфигурации ld.so.conf.
# EN: Create the base ld.so.conf configuration file.
cat > %{buildroot}/etc/ld.so.conf << "EOF"
# RU: Файл создан: ООО "НАЙС СОФТ ГРУПП" 5024245440
# EN: File created by: NICE SOFT GROUP LLC (NICEOS) 5024245440
# RU: Описание: пути поиска библиотек для динамического компоновщика (ld.so).
# EN: Description: library search paths for the dynamic linker (ld.so).
/usr/local/lib
%if %{with 32bit}
/usr/lib32
%endif
EOF

# RU: Добавляем поддержку include-директории /etc/ld.so.conf.d.
# EN: Enable includes from /etc/ld.so.conf.d.
cat >> %{buildroot}/etc/ld.so.conf << "EOF"
# RU: Дополнено: включение конфигураций из /etc/ld.so.conf.d/*.conf.
# EN: Extended: include configuration snippets from /etc/ld.so.conf.d/*.conf.
include /etc/ld.so.conf.d/*.conf
EOF

mkdir -pv %{buildroot}/etc/ld.so.conf.d
mkdir -p %{buildroot}/usr/lib/locale
%{buildroot}/usr/bin/localedef --prefix=%{buildroot} -i POSIX -f UTF-8 C.UTF-8 2> /dev/null || true
%{buildroot}/usr/bin/localedef --prefix=%{buildroot} -i en_US -f ISO-8859-1 en_US
%{buildroot}/usr/bin/localedef --prefix=%{buildroot} -i en_US -f UTF-8 en_US.UTF-8
%{buildroot}/usr/bin/localedef --prefix=%{buildroot} -i ru_RU -f UTF-8 ru_RU.UTF-8

%check
pushd build64

# RU:
# glibc make check может завершиться с ненулевым кодом даже тогда, когда
# большая часть тестов выполнена и уже созданы */subdir-tests.sum.
# make -k нужен, чтобы тестовый набор продолжал выполнение после отдельных
# падений и сформировал максимум доступных результатов.
#
# EN:
# glibc make check may return non-zero even when most tests were executed
# and */subdir-tests.sum files were already generated.
# make -k keeps the test suite running after individual failures and produces
# as many test results as possible.
check_status=0
make -k %{?_smp_mflags} check || check_status=$?
echo "=== glibc make check exit status: ${check_status} ==="

# RU:
# В некоторых случаях glibc не создаёт верхнеуровневый tests.sum, если make check
# завершился с ошибкой до финального агрегирования. При этом подкаталоги уже
# могут содержать корректные subdir-tests.sum. В таком случае собираем общий
# tests.sum вручную.
#
# EN:
# In some cases glibc does not create the top-level tests.sum if make check
# fails before the final aggregation step. Subdirectories may still contain
# valid subdir-tests.sum files, so aggregate them manually.
if [ ! -s tests.sum ]; then
    echo "WARNING: build64/tests.sum not found or empty"
    echo "WARNING: trying to aggregate tests.sum from */subdir-tests.sum"

    find . -mindepth 2 -maxdepth 2 -type f -name 'subdir-tests.sum' \
        | LC_ALL=C sort > subdir-tests.list

    if [ ! -s subdir-tests.list ]; then
        echo "ERROR: no subdir-tests.sum files found" >&2
        echo "=== files in build64 ==="
        ls -la
        echo "=== possible test summary/log files ==="
        find . -maxdepth 4 \
            \( -name 'tests.sum' \
               -o -name 'tests.log' \
               -o -name 'subdir-tests.sum' \
               -o -name '*.sum' \
               -o -name '*.log' \) \
            -print
        exit 1
    fi

    : > tests.sum
    while IFS= read -r sumfile; do
        echo "=== adding ${sumfile} ==="
        cat "${sumfile}" >> tests.sum
    done < subdir-tests.list
fi

# RU: После штатной генерации или ручной агрегации tests.sum обязан быть непустым.
# EN: After normal generation or manual aggregation, tests.sum must be non-empty.
if [ ! -s tests.sum ]; then
    echo "ERROR: build64/tests.sum is still missing or empty" >&2
    echo "=== files in build64 ==="
    ls -la
    echo "=== possible test summary/log files ==="
    find . -maxdepth 4 \
        \( -name 'tests.sum' \
           -o -name 'tests.log' \
           -o -name 'subdir-tests.sum' \
           -o -name '*.sum' \
           -o -name '*.log' \) \
        -print
    exit 1
fi

echo "=== glibc test result summary ==="
printf 'PASS: '
grep -c '^PASS:' tests.sum ||:
printf 'FAIL: '
grep -c '^FAIL:' tests.sum ||:
printf 'UNSUPPORTED: '
grep -c '^UNSUPPORTED:' tests.sum ||:
printf 'XFAIL: '
grep -c '^XFAIL:' tests.sum ||:
printf 'XPASS: '
grep -c '^XPASS:' tests.sum ||:

echo "=== glibc FAIL / XPASS details ==="
grep -E '^(FAIL|XPASS):' tests.sum ||:

#
# Glibc-2.43 / NICE.OS
#
# UNSUPPORTED is not an error.
# XFAIL is expected failure and is not an error.
# PASS is OK.
#
# We reject only unexpected FAIL and unexpected XPASS.
#
cat > allowed-xpass <<'EOF'
XPASS: conform/UNIX98/ndbm.h/linknamespace
XPASS: conform/XOPEN2K/ndbm.h/linknamespace
XPASS: conform/XOPEN2K8/ndbm.h/linknamespace
XPASS: elf/tst-ifunc-isa-1
XPASS: elf/tst-ifunc-isa-1-static
XPASS: elf/tst-ifunc-isa-2
XPASS: elf/tst-ifunc-isa-2-static
EOF

cat > allowed-fail <<'EOF'
FAIL: malloc/tst-malloc-too-large-malloc-hugetlb2
FAIL: posix/tst-spawn-cgroup
FAIL: stdlib/tst-system
FAIL: support/tst-support_descriptors
EOF

LC_ALL=C sort allowed-xpass > allowed-xpass.sorted
LC_ALL=C sort allowed-fail > allowed-fail.sorted

grep -E '^XPASS:' tests.sum | LC_ALL=C sort > actual-xpass ||:
grep -E '^FAIL:' tests.sum | LC_ALL=C sort > actual-fail ||:

comm -23 actual-xpass allowed-xpass.sorted > unexpected-xpass
comm -23 actual-fail allowed-fail.sorted > unexpected-fail

echo "=== allowed XPASS ==="
cat allowed-xpass.sorted ||:
echo "=== actual XPASS ==="
cat actual-xpass ||:
echo "=== unexpected XPASS ==="
cat unexpected-xpass ||:
echo "=== allowed FAIL ==="
cat allowed-fail.sorted ||:
echo "=== actual FAIL ==="
cat actual-fail ||:
echo "=== unexpected FAIL ==="
cat unexpected-fail ||:

if [ -s unexpected-xpass ]; then
    echo "ERROR: unexpected glibc XPASS detected" >&2
    exit 1
fi

if [ -s unexpected-fail ]; then
    echo "ERROR: unexpected glibc FAIL detected" >&2
    exit 1
fi

# RU:
# Если make check вернул ненулевой код, но все FAIL/XPASS разрешены списками
# выше, сборку не валим. Для glibc это нормальная модель контроля тестов
# в bootstrap/container-base окружении.
#
# EN:
# If make check returned non-zero but every FAIL/XPASS is explicitly allowed
# above, do not fail the build. This is the intended glibc test policy for
# the bootstrap/container-base environment.
if [ "${check_status}" -ne 0 ]; then
    echo "WARNING: glibc make check returned ${check_status}, but no unexpected FAIL/XPASS was found"
fi

popd

%files
%defattr(-,root,root)
%{_libdir}/locale/*
%dir %{_sysconfdir}/ld.so.conf.d
%config(noreplace) %{_sysconfdir}/nsswitch.conf
%config(noreplace) %{_sysconfdir}/ld.so.conf
%config(noreplace) %{_sysconfdir}/rpc
%attr(0644,root,root) %config(missingok,noreplace) %{_sysconfdir}/ld.so.cache
%config %{_sysconfdir}/locale-gen.conf
%{_sbindir}/*
%{_bindir}/*
%{_libexecdir}/*
%{_datadir}/i18n/charmaps/*
%{_datadir}/i18n/locales/*
%{_datadir}/locale/locale.alias
%{_libdir}/audit/*
%{_libdir}/libpcprofile.so
%{_libdir}/gconv/*
%{_bindir}/iconv
%{_sbindir}/iconvconfig
%{_datadir}/locale/*/LC_MESSAGES/*
%{_localstatedir}/lib/nss_db/Makefile
%{_libdir}/rpm/macros.d/macros.ldconfig

%files libs
%defattr(-,root,root)
%{_libdir}/*.so
%{_libdir}/*.so.*
%exclude %{_libdir}/libpcprofile.so

%files devel
%defattr(-,root,root)
%{_includedir}/*
%{_prefix}/lib/*.a
%{_prefix}/lib/*.o

%if %{with 32bit}
%files_32bit
%endif

%post -p /sbin/ldconfig

%post libs -p /sbin/ldconfig

%postun libs -p /sbin/ldconfig

%posttrans -p %{_sbindir}/iconvconfig

%postun
/sbin/ldconfig
if [ -e %{_lib64dir}/gconv/gconv-modules.cache ]; then
    rm %{_lib64dir}/gconv/gconv-modules.cache
fi

%changelog
* Sun May 24 2026 Stanislav Belikov - 2.42-3
- Backport upstream glibc 2.42 stable security fixes for CVE-2026-5450, CVE-2026-5928.
- Keep glibc on the NiceOS 5.2 2.42.x ABI line; do not bump Version.
- Added security backport patches:
  - Patch1007: glibc-2.42-1007-CVE-2026-5928-b4bca35ab9e7-libio-fix-ungetwc-operating-on-byte-stream.patch (CVE-2026-5928; b4bca35ab9e7).
  - Patch1008: glibc-2.42-1008-CVE-2026-5450-4ebd33dd77ea-stdio-common-fix-buffer-overflow-in-scanf-mc.patch (CVE-2026-5450; 4ebd33dd77ea).

* Wed Apr 29 2026 Stanislav Belikov - 2.42-2
- Backport upstream glibc 2.42 stable security fixes for CVE-2026-0861, CVE-2025-15281, CVE-2026-0915, CVE-2026-4046, CVE-2026-4437.
- Keep glibc on the NiceOS 5.2 2.42.x ABI line; do not bump Version.
- Added security backport patches:
  - Patch1001: glibc-2.42-1001-CVE-2026-0861-b0ec8fb689df-memalign-reinstate-alignment-overflow-check.patch (CVE-2026-0861; b0ec8fb689df).
  - Patch1002: glibc-2.42-1002-CVE-2026-0915-453e6b8dbab9-resolv-fix-nss-dns-backend-for-getnetbyaddr.patch (CVE-2026-0915; 453e6b8dbab9).
  - Patch1003: glibc-2.42-1003-CVE-2025-15281-cbf39c26b258-posix-reset-wordexp-t-fields-with-wrde-reuse-bz-33814.patch (CVE-2025-15281; cbf39c26b258).
  - Patch1004: glibc-2.42-1004-CVE-2025-15281-1a19d5a507eb-posix-run-tst-wordexp-reuse-mem-test.patch (CVE-2025-15281; 1a19d5a507eb).
  - Patch1005: glibc-2.42-1005-CVE-2026-4437-8e863fb1c923-resolv-count-records-correctly.patch (CVE-2026-4437; 8e863fb1c923).
  - Patch1006: glibc-2.42-1006-CVE-2026-4046-f13c1bb0f97f-use-pending-character-state-in-ibm1390-ibm1399-character-sets.patch (CVE-2026-4046; f13c1bb0f97f).

* Tue Jan 07 2025 NiceOS Team - 2.42-1
- Initial build for NICE OS
  Первая сборка для НАЙС.ОС