From 2d3118b1b1b1c25631bafd9ddbe6bd739051d02d Mon Sep 17 00:00:00 2001
From: Qingqing Li
Date: Wed, 30 Jul 2025 15:35:01 +0800
Subject: [PATCH] posix: Fix double-free after allocation failure in regcomp (bug 33185), CVE-2025-8058
---
 glibc.spec | 6 ++-
 ...-free-after-allocation-failure-in-re.patch | 45 +++++++++++++++++++
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 posix-Fix-double-free-after-allocation-failure-in-re.patch
diff --git a/glibc.spec b/glibc.spec
index ed57478..efa0b1f 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -62,7 +62,7 @@
 ##############################################################################
 Name: glibc
 Version: 2.28
-Release: 108
+Release: 109
 Summary: The GNU libc libraries
 License: %{all_license}
 URL: http://www.gnu.org/software/glibc/
@@ -178,6 +178,7 @@ Patch91: backport-0001-posix-Sync-fnmatch-with-gnulib.patch
 Patch92: backport-0002-posix-Fix-fnmatch.c-on-bootstrap.patch
 Patch93: backport-0003-posix-Falling-back-to-non-wide-mode-in-case-of-encod.patch
 Patch94: backport-0004-posix-Remove-alloca-usage-for-internal-fnmatch-imple.patch
+Patch95: posix-Fix-double-free-after-allocation-failure-in-re.patch
 Provides: ldconfig rtld(GNU_HASH) bundled(gnulib)
@@ -1294,6 +1295,9 @@ fi
 %endif
 %changelog
+* Wed Jul 30 2025 Qingqing Li 2.28-109
+- posix: Fix double-free after allocation failure in regcomp (bug 33185), CVE-2025-8058
+
 * Wed Jul 23 2025 liumingran 2.28-108
 - Type:bugfix
 - ID:NA
diff --git a/posix-Fix-double-free-after-allocation-failure-in-re.patch b/posix-Fix-double-free-after-allocation-failure-in-re.patch
new file mode 100644
index 0000000..26995c1
--- /dev/null
+++ b/posix-Fix-double-free-after-allocation-failure-in-re.patch
@@ -0,0 +1,45 @@
+rom 90db02ef73907d830b1d8d86d554ba35626b006f Mon Sep 17 00:00:00 2001
+From: Florian Weimer
+Date: Mon, 21 Jul 2025 21:43:49 +0200
+Subject: [PATCH] posix: Fix double-free after allocation failure in
+regcomp (bug 33185)
+
+ If a memory allocation failure occurs during bracket expression
+ parsing in regcomp, a double-free error may result.
+
+ Reported-by: Anastasia Belova
+ Co-authored-by: Paul Eggert
+ Reviewed-by: Andreas K. Huettel
+ (cherry picked from commit 7ea06e994093fa0bcca0d0ee2c1db271d8d7885d)
+
+ Conflict: picked parts of the origin patch and reserved the function
+ parts.
+---
+ posix/regcomp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/posix/regcomp.c b/posix/regcomp.c
+index 90a2ab9f..3123ac5f 100644
+--- a/posix/regcomp.c
++++ b/posix/regcomp.c
+@@ -3386,6 +3386,7 @@ parse_bracket_exp (re_string_t *regexp, re_dfa_t *dfa, re_token_t *token,
+ {
+ #ifdef RE_ENABLE_I18N
+ free_charset (mbcset);
++ mbcset = NULL;
+ #endif
+ /* Build a tree for simple bracket. */
+ br_token.type = SIMPLE_BRACKET;
+@@ -3401,7 +3402,8 @@ parse_bracket_exp (re_string_t *regexp, re_dfa_t *dfa, re_token_t *token,
+ parse_bracket_exp_free_return:
+ re_free (sbcset);
+ #ifdef RE_ENABLE_I18N
+- free_charset (mbcset);
++ if (__glibc_likely (mbcset != NULL))
++ free_charset (mbcset);
+ #endif /* RE_ENABLE_I18N */
+ return NULL;
+ }
+--
+2.27.0
+
-- Gitee
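Review bot: The first added line of the new patch file reads `+rom 90db02ef…` rather than `+From 90db02ef…`; if that is the committed content and not a rendering artefact, the file is not a well-formed mail-format patch and may confuse tooling such as git am, although rpmbuild's patch application reads only the diff body and is unaffected. The Conflict note says parts of the origin patch were dropped — as far as I recall the upstream commit also carried a regression test exercising the allocation-failure path in parse_bracket_exp, which this backport omits, so the fix is covered only by upstream's test suite; consider stating that explicitly in the note or carrying the test. Minor wording in the same note: `reserved the function parts` presumably means `retained the function parts`. The two regcomp.c hunks themselves appear to match the upstream change (clear mbcset after the early free, guard the free at parse_bracket_exp_free_return), so I have no further point on the code.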