
input/glibc.spec


# Build conditional: the 32-bit multilib parts of this spec are off unless
# rpmbuild is invoked with "--with 32bit".
%bcond_with     32bit

# NOTE(review): security_hardening is read by distribution macros that are not
# shown in this spec; "nonow" presumably asks them to leave out BIND_NOW, while
# the build section passes -Wl,-z,now explicitly. Confirm which setting wins.
%global security_hardening nonow
# Passed as the second argument to find-requires in the generated
# find_requires.sh helper.
%global glibc_target_cpu %{_build}
# Presumably replaces the ELF-permissions buildroot policy step with a no-op;
# the install section sets mode 755 on the versioned shared objects itself.
%global __brp_elfperms /bin/true
# NOTE(review): this empties the IMA signing command, so presumably no IMA
# signatures are produced for the files of this package. Confirm that shipping
# the C library unsigned is intended on systems that enforce IMA appraisal.
%global _ima_sign_command %{nil}

Name:           glibc
Version:        2.42
Release:        3%{?dist}
Summary:        The GNU C Library
Summary(ru):    Основная библиотека GNU C
License:        LGPLv2+ and LGPLv2+ with exceptions and GPLv2+ and GPLv2+ with exceptions and BSD and Inner-Net and ISC and Public Domain and GFDL
URL:            https://www.gnu.org/software/libc/
Source0:        https://ftp.gnu.org/gnu/glibc/glibc-%{version}.tar.xz
Source1:        locale-gen.sh
Source2:        locale-gen.conf
Source3:        macros.ldconfig
Patch0:         glibc-2.41-fhs-1.patch
# NiceOS glibc stable security backports BEGIN
# CVE-2026-0861: memalign: reinstate alignment overflow check (CVE-2026-0861)
Patch1001: glibc-2.42-1001-CVE-2026-0861-b0ec8fb689df-memalign-reinstate-alignment-overflow-check.patch
# CVE-2026-0915: resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915)
Patch1002: glibc-2.42-1002-CVE-2026-0915-453e6b8dbab9-resolv-fix-nss-dns-backend-for-getnetbyaddr.patch
# CVE-2025-15281: posix: Reset wordexp_t fields with WRDE_REUSE (CVE-2025-15281 / BZ 33814)
Patch1003: glibc-2.42-1003-CVE-2025-15281-cbf39c26b258-posix-reset-wordexp-t-fields-with-wrde-reuse-bz-33814.patch
# CVE-2025-15281: posix: Run tst-wordexp-reuse-mem test
Patch1004: glibc-2.42-1004-CVE-2025-15281-1a19d5a507eb-posix-run-tst-wordexp-reuse-mem-test.patch
# CVE-2026-4437: resolv: Count records correctly (CVE-2026-4437)
Patch1005: glibc-2.42-1005-CVE-2026-4437-8e863fb1c923-resolv-count-records-correctly.patch
# CVE-2026-4046: Use pending character state in IBM1390, IBM1399 character sets (CVE-2026-4046)
Patch1006: glibc-2.42-1006-CVE-2026-4046-f13c1bb0f97f-use-pending-character-state-in-ibm1390-ibm1399-character-sets.patch
# CVE-2026-5928: libio: Fix ungetwc operating on byte stream [BZ #33998]
Patch1007: glibc-2.42-1007-CVE-2026-5928-b4bca35ab9e7-libio-fix-ungetwc-operating-on-byte-stream.patch
# CVE-2026-5450: stdio-common: Fix buffer overflow in scanf %mc [BZ #34008]
Patch1008: glibc-2.42-1008-CVE-2026-5450-4ebd33dd77ea-stdio-common-fix-buffer-overflow-in-scanf-mc.patch
# NiceOS glibc stable security backports END

Packager:       NICE SOFT GROUP LLC (ООО "НАЙС СОФТ ГРУПП") 5024245440 <niceos@ncsgp.ru>
Vendor:         NiceSOFT
Distribution:   NiceOS.Core
BugURL:         https://bugs.niceos.ru/
VCS:            https://specs.niceos.ru/rpms/%{name}

Provides:       rtld(GNU_HASH)
Provides:       /sbin/ldconfig
Provides:       glibc-common
Provides:       glibc-tools
Provides:       glibc-iconv
Provides:       glibc-i18n

Requires:       filesystem
Requires:       tzdata
Requires:       %{name}-libs = %{version}-%{release}

BuildRequires: bison
BuildRequires: procps-ng, util-linux, gawk
BuildRequires: systemtap-sdt-devel
BuildRequires: python3 python3-devel
BuildRequires: make >= 4.0
BuildRequires: binutils >= 2.30-17
BuildRequires: diffutils
BuildRequires: gcc-c++
BuildRequires: libidn2
BuildRequires: perl
%if %{with 32bit}
BuildRequires: lib32-gcc
%endif

%description
The GNU C Library (glibc) is the core C runtime library for GNU/Linux systems.
It provides the standard C library and other essential runtime components
required by most programs.

%description -l ru
GNU C Library (glibc) — базовая библиотека времени выполнения C для GNU/Linux.
Она предоставляет стандартную библиотеку C и другие критически важные компоненты,
необходимые большинству программ.

%package        libs
Summary:        GNU C runtime libraries
Summary(ru):    Библиотеки времени выполнения GNU C
Conflicts:      %{name} < 2.36-5

%description -n %{name}-libs
This package contains the shared runtime libraries from glibc that are required
to run programs linked against the GNU C Library.

%description -l ru -n %{name}-libs
Этот подпакет содержит разделяемые библиотеки времени выполнения glibc,
необходимые для запуска программ, скомпилированных с GNU C Library.

%package        devel
Summary:        Development files for glibc
Summary(ru):    Файлы для разработки с glibc
Requires:       %{name} = %{version}-%{release}
Provides:       glibc-headers = %{version}-%{release}

%description -n %{name}-devel
This subpackage contains headers and other development files for building
software against the GNU C Library (glibc).

%description -l ru -n %{name}-devel
Этот подпакет содержит заголовочные файлы и другие файлы разработки для сборки
программного обеспечения с использованием GNU C Library (glibc).

%if %{with 32bit}
%{package_32bit}
%endif

%prep
# Unpack the Source0 tarball.
%setup -q

# Patch0 is the distribution's fhs-1 patch; its file name carries 2.41 while
# this spec builds 2.42 -- NOTE(review): confirm it was re-validated for 2.42.
%patch -P 0 -p1
# One apply line per security Patch tag declared in the preamble, in the same
# order. rpmbuild does not object to a Patch tag that is never applied, so a
# missing line here would ship a package whose changelog claims a fix that the
# binaries lack; keep the two lists in step when adding a backport.
# NiceOS glibc stable security backports apply BEGIN
%patch -P 1001 -p1
%patch -P 1002 -p1
%patch -P 1003 -p1
%patch -P 1004 -p1
%patch -P 1005 -p1
%patch -P 1006 -p1
%patch -P 1007 -p1
%patch -P 1008 -p1
# NiceOS glibc stable security backports apply END
# Create a glibc-build directory (mode 755) under the RPM build directory.
# The build section shown in this spec works in build64/build32 instead.
%{__install} -vdm 755 %{_builddir}/%{name}-build

# Do not explicitly provide versioned libraries with GLIBC_PRIVATE.
# The dependency generators are redirected to two helper scripts that are
# written into the unpacked source directory just below.
%global __find_provides %{_builddir}/%{name}-%{version}/find_provides.sh
%global __find_requires %{_builddir}/%{name}-%{version}/find_requires.sh

# Create find-provides/find-requires scripts to filter out GLIBC_PRIVATE noise.
# The here-document delimiter is unquoted, but the bodies hold no shell
# expansions; the only substitutions are RPM macros.
# When a /tools directory exists on the build host, the generator is taken
# from /tools/lib/rpm (presumably the bootstrap toolchain prefix) instead of
# the rpm directory under the system library directory.
cat > find_provides.sh << _EOF
#! /bin/sh
if [ -d /tools ]; then
  /tools/lib/rpm/find-provides | grep -v GLIBC_PRIVATE
else
  %{_libdir}/rpm/find-provides | grep -v GLIBC_PRIVATE
fi
exit 0
_EOF
chmod +x find_provides.sh

# Same filter for the requires side; the generator receives the buildroot and
# the target CPU as arguments.
# NOTE(review): unlike find_provides.sh this helper has no trailing "exit 0",
# so its exit status is that of the pipeline (grep -v returns 1 when every
# line was filtered out). Confirm the asymmetry is intended.
cat > find_requires.sh << _EOF
#! /bin/sh
if [ -d /tools ]; then
  /tools/lib/rpm/find-requires %{buildroot} %{glibc_target_cpu} | grep -v GLIBC_PRIVATE
else
  %{_libdir}/rpm/find-requires %{buildroot} %{glibc_target_cpu} | grep -v GLIBC_PRIVATE
fi
_EOF
chmod +x find_requires.sh

%build
# Compiler flags: -O2 with the strong stack protector, _FORTIFY_SOURCE=2,
# stack-clash protection, format-security promoted to an error, trampoline
# warnings and -fno-common. Linker flags: relro, now and noexecstack.
%global optflags_glibc -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fstack-clash-protection -Wformat -Werror=format-security -Wtrampolines -fno-common
%global ldflags_glibc -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack

# Exported once and never reset, so the optional 32-bit build below inherits
# the same CFLAGS, CXXFLAGS and LDFLAGS.
export CFLAGS="%{optflags_glibc}"
export CXXFLAGS="%{optflags_glibc}"
export LDFLAGS="%{ldflags_glibc}"

# 64-bit build in its own directory. configparms sets rootsbindir to /usr/sbin.
# configure64 is a distribution macro that is not defined in this spec.
# The call turns off -Werror, requires kernel 5.4 or newer, enables glibc's
# own strong stack-protector option and does not build nscd.
mkdir build64
pushd build64
echo "rootsbindir=/usr/sbin" > configparms
%configure64 --prefix=/usr                            \
             --disable-werror                         \
             --enable-kernel=5.4                      \
             --enable-stack-protector=strong          \
             --disable-nscd                           \
             libc_cv_slibdir=/usr/lib
make %{?_smp_mflags}
popd

%if %{with 32bit}
# Optional 32-bit build: same source tree, compilers forced to -m32, host set
# to i686 and every library path redirected to /usr/lib32.
# NOTE(review): unlike the 64-bit configure call, this one passes neither
# --enable-stack-protector=strong nor --disable-werror. Confirm the 32-bit
# libraries are meant to be configured without glibc's stack-protector option.
# There is also no popd after pushd build32; nothing follows in this section.
mkdir build32
pushd build32
echo "rootsbindir=/usr/sbin" > configparms

export CC="gcc -m32"
export CXX="g++ -m32"
../configure                             \
      --prefix=/usr                      \
      --host=i686-pc-linux-gnu           \
      --build=$(../scripts/config.guess) \
      --enable-kernel=5.4                \
      --disable-nscd                     \
      --libdir=/usr/lib32                \
      --libexecdir=/usr/lib32            \
      libc_cv_slibdir=/usr/lib32

make %{?_smp_mflags}
%endif


%install

pushd build64
# Rewrite the test-installation rule in the top-level Makefile so that its
# $(PERL) command becomes "echo not running"; the post-install self-test is
# therefore skipped.
sed '/test-installation/s@$(PERL)@echo not running@' -i ../Makefile
make DESTDIR=%{buildroot} install
# Drop the /usr prefix from the RTLDLIST line of the installed ldd script.
sed '/RTLDLIST=/s@/usr@@g' -i %{buildroot}/usr/bin/ldd
# Set mode 755 on every versioned shared object under /usr/lib.
find %{buildroot}/usr/lib -type f -name "*.so.*" -print -exec chmod -v 755 {} +
# NOTE(review): the purpose of this fixed delay is not evident from the spec.
sleep 5
# Multilib guard: abort the install step if any versioned shared object in
# /usr/lib is a 32-bit ELF file. The unquoted command substitution splits on
# whitespace, which is safe only while no installed path contains any.
for lib in $(find %{buildroot}/usr/lib -type f -name "*.so.*"); do
    if file "$lib" | grep -q "ELF 32-bit"; then
        echo "ERROR: !!!!Found a 32-bit library in /usr/lib: $lib" >&2
        file "$lib" >&2
        exit 1
    fi
done
popd

# Optional 32-bit install. The 32-bit tree is first installed into a scratch
# DESTDIR inside build32; only usr/lib32 and the two 32-bit gnu headers are
# then copied into the real buildroot.
%if %{with 32bit}
pushd build32
mkdir -pv %{buildroot}/usr/lib32/

make DESTDIR=$PWD/DESTDIR install
cp -avp DESTDIR/usr/lib32 %{buildroot}/usr/
install -vm644 DESTDIR/usr/include/gnu/{lib-names,stubs}-32.h \
               %{buildroot}/usr/include/gnu/

# Set mode 755 on every versioned shared object under /usr/lib32.
find %{buildroot}/usr/lib32 -type f -name "*.so.*" -print -exec chmod -v 755 {} +
# Multilib guard, mirror image of the 64-bit one: abort if a 64-bit ELF file
# ended up in /usr/lib32. The same whitespace caveat applies to the loop.
for lib in $(find %{buildroot}/usr/lib32 -type f -name "*.so.*"); do
    if file "$lib" | grep -q "ELF 64-bit"; then
        echo "ERROR: !!!Found a 64-bit library in /usr/lib32: $lib" >&2
        file "$lib" >&2
        exit 1
    fi
done
popd
%endif

# Create /usr/lib/locale inside the buildroot.
mkdir -pv %{buildroot}/usr/lib/locale

# Ship the locale-gen configuration (Source2), the locale-gen.sh script
# (Source1) and the ldconfig RPM macros (Source3). Plain cp is used, so each
# file keeps whatever mode it has in the source directory -- NOTE(review):
# locale-gen.sh lands in the sbin directory, so presumably it must already be
# executable there; confirm.
cp -v %{SOURCE2} %{buildroot}%{_sysconfdir}
cp -v %{SOURCE1} %{buildroot}%{_sbindir}
mkdir -pv %{buildroot}/usr/lib/rpm/macros.d/
cp -v %{SOURCE3} %{buildroot}/usr/lib/rpm/macros.d/

# The info directory is removed from the buildroot and not packaged.
rm -rf %{buildroot}%{_infodir}

%if %{with 32bit}
# Loader symlinks for a 32bit build: /usr/lib/ld-lsb.so.3 points at the
# 32-bit loader in /usr/lib32, and /usr/lib/ld-linux.so.2 points at
# ld-lsb.so.3, so both names resolve to the same 32-bit loader.
ln -s /usr/lib32/ld-linux.so.2  %{buildroot}/usr/lib/ld-lsb.so.3
ln -s /usr/lib/ld-lsb.so.3 %{buildroot}/usr/lib/ld-linux.so.2
%endif

# Create the nsswitch.conf configuration file.
# The quoted "EOF" delimiter stops the shell from expanding anything in the
# body, so the file is written literally, bilingual header lines included.
# In the hosts line, "resolve [!UNAVAIL=return]" makes the resolve module
# authoritative whenever it is available; files, myhostname and dns are only
# consulted when it is not.
cat > %{buildroot}/etc/nsswitch.conf << "EOF"
# RU: Файл создан: ООО "НАЙС СОФТ ГРУПП" 5024245440 <niceos@ncsgp.ru>
# EN: File created by: NICE SOFT GROUP LLC (NICEOS) 5024245440 <niceos@ncsgp.ru>
# RU: Описание: порядок поиска данных о пользователях/группах/хостах и др.
# EN: Description: lookup order for users/groups/hosts and other system databases.

passwd: files systemd
group: files systemd
shadow: files systemd

hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns
networks: files

protocols: files
services: files
ethers: files
rpc: files
EOF

# Create the base ld.so.conf configuration file.
# /usr/local/lib becomes a system-wide library search directory for the
# dynamic linker, so on installed systems it should stay writable by root only.
# NOTE(review): the 32bit conditional lines sit inside the here-document; they
# are presumably resolved by the spec parser before the shell runs, so that
# /usr/lib32 is listed only in a 32bit build. Confirm on a real build.
cat > %{buildroot}/etc/ld.so.conf << "EOF"
# RU: Файл создан: ООО "НАЙС СОФТ ГРУПП" 5024245440 <niceos@ncsgp.ru>
# EN: File created by: NICE SOFT GROUP LLC (NICEOS) 5024245440 <niceos@ncsgp.ru>
# RU: Описание: пути поиска библиотек для динамического компоновщика (ld.so).
# EN: Description: library search paths for the dynamic linker (ld.so).

/usr/local/lib
%if %{with 32bit}
/usr/lib32
%endif
EOF

# Enable includes from /etc/ld.so.conf.d.
# Every *.conf file dropped into that directory can add further search
# directories, so the directory itself should also be writable by root only.
cat >> %{buildroot}/etc/ld.so.conf << "EOF"
# RU: Дополнено: включение конфигураций из /etc/ld.so.conf.d/*.conf.
# EN: Extended: include configuration snippets from /etc/ld.so.conf.d/*.conf.

include /etc/ld.so.conf.d/*.conf
EOF
mkdir -pv %{buildroot}/etc/ld.so.conf.d

# Generate the locales shipped in the package with the localedef binary that
# was just installed into the buildroot; that binary runs on the build host.
mkdir -p %{buildroot}/usr/lib/locale
# C.UTF-8 is best effort: stderr is discarded and a failure is ignored.
%{buildroot}/usr/bin/localedef --prefix=%{buildroot} -i POSIX -f UTF-8 C.UTF-8 2> /dev/null || true
# For the remaining three locales a non-zero exit status is not masked.
%{buildroot}/usr/bin/localedef --prefix=%{buildroot} -i en_US -f ISO-8859-1 en_US
%{buildroot}/usr/bin/localedef --prefix=%{buildroot} -i en_US -f UTF-8 en_US.UTF-8
%{buildroot}/usr/bin/localedef --prefix=%{buildroot} -i ru_RU -f UTF-8 ru_RU.UTF-8

%check
pushd build64
# glibc make check may return non-zero even when most tests were executed
# and */subdir-tests.sum files were already generated.
# make -k keeps the test suite running after individual failures and produces
# as many test results as possible.
# The exit status is only recorded here; the pass/fail decision is taken
# further down from the contents of tests.sum.
check_status=0
make -k %{?_smp_mflags} check || check_status=$?

echo "=== glibc make check exit status: ${check_status} ==="

# In some cases glibc does not create the top-level tests.sum if make check
# fails before the final aggregation step. Subdirectories may still contain
# valid subdir-tests.sum files, so aggregate them manually.
# NOTE(review): a hand-aggregated tests.sum only covers the subdirectories
# that got far enough to write a summary; tests of a subdirectory that never
# ran simply do not appear in it.
if [ ! -s tests.sum ]; then
    echo "WARNING: build64/tests.sum not found or empty"
    echo "WARNING: trying to aggregate tests.sum from */subdir-tests.sum"

    # Only summaries exactly one directory below build64 are collected; the
    # byte-wise sort makes the aggregation order reproducible.
    find . -mindepth 2 -maxdepth 2 -type f -name 'subdir-tests.sum' \
        | LC_ALL=C sort > subdir-tests.list

    if [ ! -s subdir-tests.list ]; then
        echo "ERROR: no subdir-tests.sum files found" >&2

        # Diagnostic dump for the build log before giving up.
        echo "=== files in build64 ==="
        ls -la

        echo "=== possible test summary/log files ==="
        find . -maxdepth 4 \
            \( -name 'tests.sum' \
            -o -name 'tests.log' \
            -o -name 'subdir-tests.sum' \
            -o -name '*.sum' \
            -o -name '*.log' \) \
            -print

        exit 1
    fi

    # Start from an empty file, then append each summary in list order.
    : > tests.sum
    while IFS= read -r sumfile; do
        echo "=== adding ${sumfile} ==="
        cat "${sumfile}" >> tests.sum
    done < subdir-tests.list
fi

# After normal generation or manual aggregation, tests.sum must be non-empty.
# An empty or missing file fails the build, after the same diagnostic dump
# that the aggregation step prints.
if [ ! -s tests.sum ]; then
    echo "ERROR: build64/tests.sum is still missing or empty" >&2

    echo "=== files in build64 ==="
    ls -la

    echo "=== possible test summary/log files ==="
    find . -maxdepth 4 \
        \( -name 'tests.sum' \
        -o -name 'tests.log' \
        -o -name 'subdir-tests.sum' \
        -o -name '*.sum' \
        -o -name '*.log' \) \
        -print

    exit 1
fi

# Print per-status counts for the build log. grep -c prints the count and
# exits 1 when the count is zero; the trailing "||:" keeps that exit status
# from aborting the script.
echo "=== glibc test result summary ==="
printf 'PASS:        '
grep -c '^PASS:' tests.sum ||:
printf 'FAIL:        '
grep -c '^FAIL:' tests.sum ||:
printf 'UNSUPPORTED: '
grep -c '^UNSUPPORTED:' tests.sum ||:
printf 'XFAIL:       '
grep -c '^XFAIL:' tests.sum ||:
printf 'XPASS:       '
grep -c '^XPASS:' tests.sum ||:

# List the individual FAIL and XPASS lines, if any.
echo "=== glibc FAIL / XPASS details ==="
grep -E '^(FAIL|XPASS):' tests.sum ||:

#
# Test policy for NICE.OS
#
# UNSUPPORTED is not an error.
# XFAIL is expected failure and is not an error.
# PASS is OK.
#
# We reject only unexpected FAIL and unexpected XPASS.
#
# NOTE(review): this header used to read "Glibc-2.43", but the spec packages
# 2.42. Confirm the two allowlists below were produced from a 2.42 test run,
# since a list taken from another release can hide a real regression.
#

# XPASS results that are tolerated.
cat > allowed-xpass <<'EOF'
XPASS: conform/UNIX98/ndbm.h/linknamespace
XPASS: conform/XOPEN2K/ndbm.h/linknamespace
XPASS: conform/XOPEN2K8/ndbm.h/linknamespace
XPASS: elf/tst-ifunc-isa-1
XPASS: elf/tst-ifunc-isa-1-static
XPASS: elf/tst-ifunc-isa-2
XPASS: elf/tst-ifunc-isa-2-static
EOF

# FAIL results that are tolerated. Each entry silences that test for every
# future build, so the reason for an entry is worth recording next to it.
cat > allowed-fail <<'EOF'
FAIL: malloc/tst-malloc-too-large-malloc-hugetlb2
FAIL: posix/tst-spawn-cgroup
FAIL: stdlib/tst-system
FAIL: support/tst-support_descriptors
EOF

# comm needs both inputs sorted the same way, hence the byte-wise sorts.
LC_ALL=C sort allowed-xpass > allowed-xpass.sorted
LC_ALL=C sort allowed-fail  > allowed-fail.sorted

grep -E '^XPASS:' tests.sum | LC_ALL=C sort > actual-xpass ||:
grep -E '^FAIL:'  tests.sum | LC_ALL=C sort > actual-fail  ||:

# comm -23 keeps the lines found only in the first file, i.e. results that are
# present in tests.sum but absent from the allowlist.
# NOTE(review): comm itself runs in the build locale while its inputs were
# sorted with LC_ALL=C; confirm the build locale collates identically.
comm -23 actual-xpass allowed-xpass.sorted > unexpected-xpass
comm -23 actual-fail  allowed-fail.sorted  > unexpected-fail

# Dump all six lists into the build log for later review.
echo "=== allowed XPASS ==="
cat allowed-xpass.sorted ||:

echo "=== actual XPASS ==="
cat actual-xpass ||:

echo "=== unexpected XPASS ==="
cat unexpected-xpass ||:

echo "=== allowed FAIL ==="
cat allowed-fail.sorted ||:

echo "=== actual FAIL ==="
cat actual-fail ||:

echo "=== unexpected FAIL ==="
cat unexpected-fail ||:

# Any result outside the allowlists fails the build.
if [ -s unexpected-xpass ]; then
    echo "ERROR: unexpected glibc XPASS detected" >&2
    exit 1
fi

if [ -s unexpected-fail ]; then
    echo "ERROR: unexpected glibc FAIL detected" >&2
    exit 1
fi

# If make check returned non-zero but every FAIL/XPASS is explicitly allowed
# above, do not fail the build. This is the intended glibc test policy for
# the bootstrap/container-base environment.
# NOTE(review): the comparison above only sees tests that produced a result
# line. When make check returned non-zero, a test that never ran is not
# reported as unexpected, and that includes the regression tests which the
# security backports add or enable (for example the wordexp reuse test from
# Patch1004). Consider asserting that those tests show up as PASS.
if [ "${check_status}" -ne 0 ]; then
    echo "WARNING: glibc make check returned ${check_status}, but no unexpected FAIL/XPASS was found"
fi

popd

%files
%defattr(-,root,root)
%{_libdir}/locale/*
%dir %{_sysconfdir}/ld.so.conf.d
%config(noreplace) %{_sysconfdir}/nsswitch.conf
%config(noreplace) %{_sysconfdir}/ld.so.conf
%config(noreplace) %{_sysconfdir}/rpc
%attr(0644,root,root) %config(missingok,noreplace) %{_sysconfdir}/ld.so.cache
%config %{_sysconfdir}/locale-gen.conf
%{_sbindir}/*
%{_bindir}/*
%{_libexecdir}/*
%{_datadir}/i18n/charmaps/*
%{_datadir}/i18n/locales/*
%{_datadir}/locale/locale.alias
%{_libdir}/audit/*
%{_libdir}/libpcprofile.so
%{_libdir}/gconv/*
%{_bindir}/iconv
%{_sbindir}/iconvconfig
%{_datadir}/locale/*/LC_MESSAGES/*
%{_localstatedir}/lib/nss_db/Makefile
%{_libdir}/rpm/macros.d/macros.ldconfig

%files libs
%defattr(-,root,root)
%{_libdir}/*.so
%{_libdir}/*.so.*
%exclude %{_libdir}/libpcprofile.so

%files devel
%defattr(-,root,root)
%{_includedir}/*
%{_prefix}/lib/*.a
%{_prefix}/lib/*.o

%if %{with 32bit}
%files_32bit
%endif

%post -p /sbin/ldconfig

%post libs -p /sbin/ldconfig
%postun libs -p /sbin/ldconfig

%posttrans -p %{_sbindir}/iconvconfig

%postun
# Post-uninstall script of the main package. It does not inspect its
# argument, so it presumably also runs for the old package during an upgrade.
/sbin/ldconfig
# Remove the gconv module cache if it exists. The path is built from the
# _lib64dir macro while the files section lists gconv under _libdir --
# NOTE(review): confirm both macros name the same directory on this platform.
if [ -e %{_lib64dir}/gconv/gconv-modules.cache ]; then
  rm %{_lib64dir}/gconv/gconv-modules.cache
fi

%changelog
* Sun May 24 2026 Stanislav Belikov <niceos@ncsgp.ru> - 2.42-3
- Backport upstream glibc 2.42 stable security fixes for CVE-2026-5450, CVE-2026-5928.
- Keep glibc on the NiceOS 5.2 2.42.x ABI line; do not bump Version.
- Added security backport patches:
  - Patch1007: glibc-2.42-1007-CVE-2026-5928-b4bca35ab9e7-libio-fix-ungetwc-operating-on-byte-stream.patch (CVE-2026-5928; b4bca35ab9e7).
  - Patch1008: glibc-2.42-1008-CVE-2026-5450-4ebd33dd77ea-stdio-common-fix-buffer-overflow-in-scanf-mc.patch (CVE-2026-5450; 4ebd33dd77ea).
* Wed Apr 29 2026 Stanislav Belikov <niceos@ncsgp.ru> - 2.42-2
- Backport upstream glibc 2.42 stable security fixes for CVE-2026-0861, CVE-2025-15281, CVE-2026-0915, CVE-2026-4046, CVE-2026-4437.
- Keep glibc on the NiceOS 5.2 2.42.x ABI line; do not bump Version.
- Added security backport patches:
  - Patch1001: glibc-2.42-1001-CVE-2026-0861-b0ec8fb689df-memalign-reinstate-alignment-overflow-check.patch (CVE-2026-0861; b0ec8fb689df).
  - Patch1002: glibc-2.42-1002-CVE-2026-0915-453e6b8dbab9-resolv-fix-nss-dns-backend-for-getnetbyaddr.patch (CVE-2026-0915; 453e6b8dbab9).
  - Patch1003: glibc-2.42-1003-CVE-2025-15281-cbf39c26b258-posix-reset-wordexp-t-fields-with-wrde-reuse-bz-33814.patch (CVE-2025-15281; cbf39c26b258).
  - Patch1004: glibc-2.42-1004-CVE-2025-15281-1a19d5a507eb-posix-run-tst-wordexp-reuse-mem-test.patch (CVE-2025-15281; 1a19d5a507eb).
  - Patch1005: glibc-2.42-1005-CVE-2026-4437-8e863fb1c923-resolv-count-records-correctly.patch (CVE-2026-4437; 8e863fb1c923).
  - Patch1006: glibc-2.42-1006-CVE-2026-4046-f13c1bb0f97f-use-pending-character-state-in-ibm1390-ibm1399-character-sets.patch (CVE-2026-4046; f13c1bb0f97f).
* Tue Jan 07 2025 NiceOS Team <niceos@ncsgp.ru> - 2.42-1
- Initial build for NICE OS
  Первая сборка для НАЙС.ОС