-Date: Tue, 22 Apr 2025 06:32:35 +0000
-Subject: [PATCH] Address CVE-2025-22872
-Upstream Patch Reference: https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9
-
----
- vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++--
- 1 file changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/vendor/golang.org/x/net/html/token.go b/vendor/golang.org/x/net/html/token.go
-index 3c57880..6598c1f 100644
---- a/vendor/golang.org/x/net/html/token.go
-+++ b/vendor/golang.org/x/net/html/token.go
-@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType {
- if raw {
- z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end]))
- }
-- // Look for a self-closing token like "
".
-- if z.err == nil && z.buf[z.raw.end-2] == '/' {
-+ // Look for a self-closing token (e.g.
).
-+ //
-+ // Originally, we did this by just checking that the last character of the
-+ // tag (ignoring the closing bracket) was a solidus (/) character, but this
-+ // is not always accurate.
-+ //
-+ // We need to be careful that we don't misinterpret a non-self-closing tag
-+ // as self-closing, as can happen if the tag contains unquoted attribute
-+ // values (i.e. ).
-+ //
-+ // To avoid this, we check that the last non-bracket character of the tag
-+ // (z.raw.end-2) isn't the same character as the last non-quote character of
-+ // the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has
-+ // attributes.
-+ nAttrs := len(z.attr)
-+ if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) {
- return SelfClosingTagToken
- }
- return StartTagToken
---
-2.45.3
-
diff --git a/SPECS/containerized-data-importer/CVE-2025-27144.patch b/SPECS/containerized-data-importer/CVE-2025-27144.patch
deleted file mode 100644
index 6015ed48ca..0000000000
--- a/SPECS/containerized-data-importer/CVE-2025-27144.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From fa324fa38481f9d2da9109cb5983326f62ff7507 Mon Sep 17 00:00:00 2001
-From: Kanishk-Bansal
-Date: Fri, 28 Feb 2025 07:45:53 +0000
-Subject: [PATCH] CVE-2025-27144
-Upstream Ref: https://github.com/go-jose/go-jose/commit/c9ed84d8f0cfadcfad817150158caca6fcbc518b
-
----
- vendor/gopkg.in/square/go-jose.v2/jwe.go | 5 +++--
- vendor/gopkg.in/square/go-jose.v2/jws.go | 5 +++--
- 2 files changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/vendor/gopkg.in/square/go-jose.v2/jwe.go b/vendor/gopkg.in/square/go-jose.v2/jwe.go
-index b5a6dcd..cd1de9e 100644
---- a/vendor/gopkg.in/square/go-jose.v2/jwe.go
-+++ b/vendor/gopkg.in/square/go-jose.v2/jwe.go
-@@ -201,10 +201,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
-
- // parseEncryptedCompact parses a message in compact format.
- func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
-- parts := strings.Split(input, ".")
-- if len(parts) != 5 {
-+ // Five parts is four separators
-+ if strings.Count(input, ".") != 4 {
- return nil, fmt.Errorf("square/go-jose: compact JWE format must have five parts")
- }
-+ parts := strings.SplitN(input, ".", 5)
-
- rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
- if err != nil {
-diff --git a/vendor/gopkg.in/square/go-jose.v2/jws.go b/vendor/gopkg.in/square/go-jose.v2/jws.go
-index 7e261f9..a8d55fb 100644
---- a/vendor/gopkg.in/square/go-jose.v2/jws.go
-+++ b/vendor/gopkg.in/square/go-jose.v2/jws.go
-@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
-
- // parseSignedCompact parses a message in compact format.
- func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
-- parts := strings.Split(input, ".")
-- if len(parts) != 3 {
-+ // Three parts is two separators
-+ if strings.Count(input, ".") != 2 {
- return nil, fmt.Errorf("square/go-jose: compact JWS format must have three parts")
- }
-+ parts := strings.SplitN(input, ".", 3)
-
- if parts[1] != "" && payload != nil {
- return nil, fmt.Errorf("square/go-jose: payload is not detached")
---
-2.45.2
-
diff --git a/SPECS/containerized-data-importer/containerized-data-importer.signatures.json b/SPECS/containerized-data-importer/containerized-data-importer.signatures.json
deleted file mode 100644
index d5ded8e703..0000000000
--- a/SPECS/containerized-data-importer/containerized-data-importer.signatures.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "Signatures": {
- "containerized-data-importer-1.57.0.tar.gz": "71191e9e98df6d73490ae2bb74fa069bd2967a439f9a76d6bba1822fccc134ce"
- }
-}
diff --git a/SPECS/containerized-data-importer/containerized-data-importer.spec b/SPECS/containerized-data-importer/containerized-data-importer.spec
deleted file mode 100644
index 397a471710..0000000000
--- a/SPECS/containerized-data-importer/containerized-data-importer.spec
+++ /dev/null
@@ -1,581 +0,0 @@
-#
-# spec file for package containerized-data-importer
-#
-# Copyright (c) 2022 SUSE LLC
-#
-# All modifications and additions to the file contributed by third parties
-# remain the property of their copyright owners, unless otherwise agreed
-# upon. The license for this file, and modifications and additions to the
-# file, is the same license as for the pristine package itself (unless the
-# license for the pristine package is not an Open Source License, in which
-# case the license is the MIT License). An "Open Source License" is a
-# license that conforms to the Open Source Definition (Version 1.9)
-# published by the Open Source Initiative.
-
-# Please submit bugfixes or comments via https://bugs.opensuse.org/
-#
-
-Summary: Container native virtualization
-Name: containerized-data-importer
-Version: 1.57.0
-Release: 16%{?dist}
-License: ASL 2.0
-Vendor: Microsoft Corporation
-Distribution: Azure Linux
-Group: System/Packages
-URL: https://github.com/kubevirt/containerized-data-importer
-Source0: https://github.com/kubevirt/containerized-data-importer/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
-Patch0: CVE-2024-3727.patch
-Patch1: CVE-2022-2879.patch
-Patch2: CVE-2024-24786.patch
-Patch3: CVE-2024-45338.patch
-Patch4: CVE-2023-39325.patch
-Patch5: CVE-2023-44487.patch
-Patch6: CVE-2024-28180.patch
-Patch7: CVE-2023-45288.patch
-Patch8: CVE-2023-3978.patch
-Patch9: CVE-2025-27144.patch
-Patch10: CVE-2025-22868.patch
-Patch11: CVE-2025-22872.patch
-BuildRequires: golang < 1.25
-BuildRequires: golang-packaging
-BuildRequires: libnbd-devel
-BuildRequires: pkgconfig
-BuildRequires: rsync
-BuildRequires: sed
-Provides: cdi = %{version}-%{release}
-ExclusiveArch: x86_64 aarch64
-
-%description
-Containerized-Data-Importer (CDI) is a persistent storage management add-on for Kubernetes
-
-%package api
-Summary: CDI API server
-Group: System/Packages
-Provides: cdi-apiserver = %{version}-%{release}
-
-%description api
-The containerized-data-importer-api package provides the kubernetes API extension for CDI
-
-%package cloner
-Summary: Cloner for host assisted cloning
-Group: System/Packages
-
-%description cloner
-Source and Target cloner image for host assisted cloning
-
-%package controller
-Summary: Controller for the data fetching service
-Group: System/Packages
-
-%description controller
-Controller for the data fetching service for VM container images
-
-%package importer
-Summary: Data fetching service
-Group: System/Packages
-Requires: nbdkit
-
-%description importer
-Data fetching service for VM container imagess
-
-%package operator
-Summary: Operator for the data fetching service
-Group: System/Packages
-
-%description operator
-Operator for the data fetching service for VM container images
-
-%package uploadproxy
-Summary: Upload proxy for the data fetching service
-Group: System/Packages
-
-%description uploadproxy
-Upload proxy for the data fetching service for VM container images
-
-%package uploadserver
-Summary: Upload server for the data fetching service
-Group: System/Packages
-
-%description uploadserver
-Upload server for the data fetching service for VM container images
-
-%package manifests
-Summary: YAML manifests used to install CDI
-Group: System/Packages
-
-%description manifests
-This contains the built YAML manifests used to install CDI into a
-kubernetes installation with kubectl apply.
-
-%prep
-# Unpack the sources respecting the GOPATH directory structure expected by the
-# go imports resolver. I.e. if DIR is in GOPATH then DIR/src/foo/bar can be
-# imported as "foo/bar". The same 'visibility' rules apply to the local copies
-# of external dependencies placed in 'vendor' directory when imported from the
-# 'parent' package.
-#
-# Note: having bar symlink'ed to DIR/src/foo/bar does not seem to work. Looks
-# like symlinks in go path are not resolved correctly. Hence the sources need
-# to be 'physically' placed into the proper location.
-%setup -q -n go/src/kubevirt.io/%{name} -c -T
-tar --strip-components=1 -xf %{SOURCE0}
-%autopatch -p1
-
-%build
-
-export GOPATH=%{_builddir}/go
-export GOFLAGS="-mod=vendor"
-export CDI_SOURCE_DATE_EPOCH="$(date -r LICENSE +%s)"
-export CDI_GIT_COMMIT='v%{version}'
-export CDI_GIT_VERSION='v%{version}'
-export CDI_GIT_TREE_STATE="clean"
-
-GOFLAGS="-buildmode=pie ${GOFLAGS}" ./hack/build/build-go.sh build \
- cmd/cdi-apiserver \
- cmd/cdi-cloner \
- cmd/cdi-controller \
- cmd/cdi-importer \
- cmd/cdi-uploadproxy \
- cmd/cdi-uploadserver \
- cmd/cdi-operator \
- tools/cdi-image-size-detection \
- tools/cdi-source-update-poller \
- tools/csv-generator \
- %{nil}
-
-# Disable cgo to build static binaries, so they can run on scratch images
-CGO_ENABLED=0 ./hack/build/build-go.sh build \
- tools/cdi-containerimage-server \
- %{nil}
-
-./hack/build/build-manifests.sh
-
-%install
-mkdir -p %{buildroot}%{_bindir}
-
-install -p -m 0755 _out/cmd/cdi-apiserver/cdi-apiserver %{buildroot}%{_bindir}/cdi-apiserver
-
-install -p -m 0755 cmd/cdi-cloner/cloner_startup.sh %{buildroot}%{_bindir}/
-install -p -m 0755 _out/cmd/cdi-cloner/cdi-cloner %{buildroot}%{_bindir}/
-
-install -p -m 0755 _out/cmd/cdi-controller/cdi-controller %{buildroot}%{_bindir}/cdi-controller
-
-install -p -m 0755 _out/cmd/cdi-importer/cdi-importer %{buildroot}%{_bindir}/cdi-importer
-
-install -p -m 0755 _out/cmd/cdi-operator/cdi-operator %{buildroot}%{_bindir}/cdi-operator
-
-install -p -m 0755 _out/cmd/cdi-uploadproxy/cdi-uploadproxy %{buildroot}%{_bindir}/cdi-uploadproxy
-
-install -p -m 0755 _out/cmd/cdi-uploadserver/cdi-uploadserver %{buildroot}%{_bindir}/cdi-uploadserver
-
-install -p -m 0755 _out/tools/cdi-containerimage-server/cdi-containerimage-server %{buildroot}%{_bindir}/cdi-containerimage-server
-
-install -p -m 0755 _out/tools/cdi-image-size-detection/cdi-image-size-detection %{buildroot}%{_bindir}/cdi-image-size-detection
-
-install -p -m 0755 _out/tools/cdi-source-update-poller/cdi-source-update-poller %{buildroot}%{_bindir}/cdi-source-update-poller
-
-install -p -m 0755 _out/tools/csv-generator/csv-generator %{buildroot}%{_bindir}/csv-generator
-
-# Install release manifests
-mkdir -p %{buildroot}%{_datadir}/cdi/manifests/release
-install -m 0644 _out/manifests/release/cdi-operator.yaml %{buildroot}%{_datadir}/cdi/manifests/release/
-install -m 0644 _out/manifests/release/cdi-cr.yaml %{buildroot}%{_datadir}/cdi/manifests/release/
-
-%files api
-%license LICENSE
-%doc README.md
-%{_bindir}/cdi-apiserver
-
-%files cloner
-%license LICENSE
-%doc README.md
-%{_bindir}/cloner_startup.sh
-%{_bindir}/cdi-cloner
-
-%files controller
-%license LICENSE
-%doc README.md
-%{_bindir}/cdi-controller
-
-%files importer
-%license LICENSE
-%doc README.md
-%{_bindir}/cdi-importer
-%{_bindir}/cdi-containerimage-server
-%{_bindir}/cdi-image-size-detection
-%{_bindir}/cdi-source-update-poller
-
-%files operator
-%license LICENSE
-%doc README.md
-%{_bindir}/cdi-operator
-%{_bindir}/csv-generator
-
-%files uploadproxy
-%license LICENSE
-%doc README.md
-%{_bindir}/cdi-uploadproxy
-
-%files uploadserver
-%license LICENSE
-%doc README.md
-%{_bindir}/cdi-uploadserver
-
-%files manifests
-%license LICENSE
-%doc README.md
-%dir %{_datadir}/cdi
-%dir %{_datadir}/cdi/manifests
-%dir %{_datadir}/cdi/manifests/release
-%{_datadir}/cdi/manifests
-
-%changelog
-* Fri Oct 3 2025 Lee Chee Yang - 1.57.0-16
-- merge from Azure Linux 3.0.20250910-3.0
-- Set BR for golang to < 1.25
-
-* Fri May 30 2025 Ranjan Dutta - 1.57.0-15
-- merge from Azure Linux 3.0.20250521-3.0
-- Patch CVE-2025-22872
-
-* Fri Mar 21 2025 Anuj Mittal - 1.57.0-14
-- Bump Release to rebuild
-
-* Mon Mar 03 2025 Kanishk Bansal - 1.57.0-13
-- Fix CVE-2025-27144, CVE-2025-22868
-
-* Sun Feb 23 2025 Sudipta Pandit - 1.57.0-12
-- Fix CVE-2023-3978 with a backported patch
-
-* Fri Feb 14 2025 Kanishk Bansal - 1.57.0-11
-- Address CVE-2023-45288
-
-* Mon Feb 03 2025 Sharath Srikanth Chellappa - 1.57.0-10
-- Rename cdi binaries to be inline with upstream.
-
-* Wed Jan 29 2025 Kanishk Bansal - 1.57.0-9
-- Fix CVE-2024-28180 with an upstream patch
-
-* Fri Jan 24 2025 Henry Li - 1.57.0-8
-- Add patch for CVE-2023-39325 and CVE-2023-44487
-
-* Tue Dec 31 2024 Rohit Rawat - 1.57.0-7
-- Add patch for CVE-2024-45338
-
-* Mon Nov 25 2024 Bala - 1.57.0-6
-- Fix CVE-2024-24786
-
-* Fri Sep 06 2024 Aditya Dubey - 1.57.0-5
-- Statically building binaries
-
-* Fri Jul 19 2024 Aditya Dubey - 1.57.0-4
-- Building cdi tool binaries within package build
-
-* Wed Jul 10 2024 Thien Trung Vuong - 1.57.0-3
-- Address CVE-2022-2879 by patching vendored github.com/vbatss/tar-split
-
-* Thu Jun 06 2024 Brian Fjeldstad - 1.57.0-2
-- Address CVE-2024-3727 by patching vendored github.com/containers/image
-
-* Fri Oct 27 2023 CBL-Mariner Servicing Account - 1.57.0-1
-- Auto-upgrade to 1.57.0 - Azure Linux 3.0 - package upgrades
-
-* Mon Oct 16 2023 CBL-Mariner Servicing Account - 1.55.0-16
-- Bump release to rebuild with go 1.20.10
-
-* Tue Oct 10 2023 Dan Streetman - 1.55.0-15
-- Bump release to rebuild with updated version of Go.
-
-* Mon Aug 07 2023 CBL-Mariner Servicing Account - 1.55.0-14
-- Bump release to rebuild with go 1.19.12
-
-* Thu Jul 13 2023 CBL-Mariner Servicing Account - 1.55.0-13
-- Bump release to rebuild with go 1.19.11
-
-* Tue Jun 27 2023 Vince Perri - 1.55.0-12
-- Add nbkdit as a dependency for the importer
-
-* Thu Jun 15 2023 CBL-Mariner Servicing Account - 1.55.0-11
-- Bump release to rebuild with go 1.19.10
-
-* Fri May 26 2023 Aditya Dubey - 1.55.0-0
-- Update to verion 1.55.0
-
-* Wed Apr 05 2023 CBL-Mariner Servicing Account - 1.51.0-10
-- Bump release to rebuild with go 1.19.8
-
-* Tue Mar 28 2023 CBL-Mariner Servicing Account - 1.51.0-9
-- Bump release to rebuild with go 1.19.7
-
-* Wed Mar 15 2023 CBL-Mariner Servicing Account - 1.51.0-8
-- Bump release to rebuild with go 1.19.6
-
-* Fri Feb 03 2023 CBL-Mariner Servicing Account - 1.51.0-7
-- Bump release to rebuild with go 1.19.5
-
-* Wed Jan 18 2023 CBL-Mariner Servicing Account - 1.51.0-6
-- Bump release to rebuild with go 1.19.4
-
-* Fri Dec 16 2022 Daniel McIlvaney - 1.51.0-5
-- Bump release to rebuild with go 1.18.8 with patch for CVE-2022-41717
-
-* Tue Nov 01 2022 Olivia Crain - 1.51.0-4
-- Bump release to rebuild with go 1.18.8
-
-* Mon Aug 22 2022 Ameya Usgaonkar - 1.51.0-3
-- Shorthand nomenclature for containerized-data-importer (cdi)
-- Provide api as apiserver
-
-* Mon Aug 22 2022 Olivia Crain - 1.51.0-2
-- Bump release to rebuild against Go 1.18.5
-
-* Wed Aug 3 2022 Ameya Usgaonkar - 1.51.0-1
-- Initial changes to build for Mariner
-- License verified
-- Initial CBL-Mariner import from openSUSE Tumbleweed (license: same as "License" tag)
-
-* Fri Jul 15 2022 Vasily Ulyanov
-- Update to version 1.51.0
- Release notes https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.51.0
-
-* Tue Jun 21 2022 Vasily Ulyanov
-- Update to version 1.50.0
- Release notes https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.50.0
-
-* Tue May 31 2022 Caleb Crane
-- Update to version 1.49.0
- Release notes https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.49.0
-
-* Mon Apr 25 2022 Caleb Crane
-- Update to version 1.48.0
- Release notes https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.48.0
-
-* Mon Apr 11 2022 Vasily Ulyanov
-- Update to version 1.47.0
- Release notes https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.47.0
-
-* Fri Apr 1 2022 Vasily Ulyanov
-- Update to version 1.46.0
- Release notes https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.46.0
-
-* Thu Mar 10 2022 Vasily Ulyanov
-- Update to version 1.45.0
- Release notes https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.45.0
-
-* Fri Feb 4 2022 Vasily Ulyanov
-- Pack only cdi-{cr,operator}.yaml into the manifests RPM
-
-* Tue Feb 1 2022 Vasily Ulyanov
-- Update to version 1.44.0
- Release notes https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.44.0
-
-* Thu Jan 13 2022 Guillaume GARDET
-- Enable build on aarch64
-
-* Mon Jan 10 2022 Vasily Ulyanov
-- Update to version 1.43.0
- Release notes https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.43.0
-
-* Sun Dec 19 2021 Vasily Ulyanov
-- Update to version 1.42.0
- Release notes https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.42.0
-
-* Fri Nov 26 2021 Vasily Ulyanov
-- Detect SLE15 SP4 build environment
-
-* Fri Nov 12 2021 Vasily Ulyanov
-- Update to version 1.41.0
- Release notes https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.41.0
-
-* Mon Oct 11 2021 Vasily Ulyanov
-- Update to version 1.40.0
- Release notes https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.40.0
-
-* Tue Aug 10 2021 Vasily Ulyanov
-- Update to version 1.37.1
- Release notes https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.37.1
-
-* Mon Jul 12 2021 Vasily Ulyanov
-- Update to version 1.36.0
- Release notes https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.36.0
-
-* Wed Jun 30 2021 Vasily Ulyanov
-- Generate meta info for containers during rpm build
-
-* Mon Jun 14 2021 Vasily Ulyanov
-- Use registry.suse.com as the default fallback for sle
-- Rename macro registry_path to kubevirt_registry_path
-- Update to version 1.35.0
- Release notes https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.35.0
-
-* Fri Jun 4 2021 Fabian Vogt
-- Add REGISTRY variable
-
-* Thu May 20 2021 Vasily Ulyanov
-- Update to version 1.34.0
- Release notes https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.34.0
-
-* Thu May 20 2021 Vasily Ulyanov
-- Disable changelog generation via tar_scm service (too verbose)
-
-* Thu Apr 29 2021 Vasily Ulyanov
-- Include release number into docker tag
-- Add cdi_containers_meta build service
-
-* Thu Apr 29 2021 Vasily Ulyanov
-- Set default reg_path='registry.opensuse.org/kubevirt'
-- Add _constraints file with disk requirements
-- Drop CDI_VERSION env var since its not used during the build
-
-* Wed Apr 21 2021 Vasily Ulyanov
-- Preparation for submission to SLE15 SP2
- jsc#SLE-11089 jsc#ECO-3633
-
-* Thu Apr 15 2021 Vasily Ulyanov
-- Drop csv-generator
-
-* Wed Apr 7 2021 Vasily Ulyanov
-- Update registry path
-
-* Fri Mar 5 2021 Vasily Ulyanov
-- Fix import of vendor dependencies
- * Arrange the directory layout in buildroot
- * Drop manifest-build-fix.patch
- * Switch to Go 1.14 (used for upstream builds)
-
-* Fri Feb 26 2021 James Fehlig
-- Add a manifests package containing YAML manifests used to
- install CDI
- manifest-build-fix.patch
-
-* Wed Feb 24 2021 jfehlig@suse.com
-- Update to version 1.30.0:
- * Release to quay.io instead of docker (#1635)
- * Preallocation test did not run all scenarios (#1625)
- * Add diagnostic to flake test (#1626)
- * VDDK: avoid crash when specified disk isn't in VM. (#1639)
- * rename importController to uploadController in the upload-controller.go file (#1632)
- * Simplify shouldReconcile function arguments. (#1602)
- * Increase polling interval for upload annotation test (#1630)
- * Remove note about VDDK 7 restriction. (#1631)
- * Remove OLM integration code not removed in #982 (#1624)
- * Fix typos in doc/datavolumes.md (#1621)
- * Support cloning from Filesystem to Block and vice-versa (#1597)
- * Add error to DV when VDDK configmap is missing. (#1627)
- * Add focus for destructive tests. (#1614)
- * Wait for clone to succeed before checking MD5. (#1601)
- * doc: update url in doc/datavolumes.md. (#1609)
- * Enable tests for featuregates (#1600)
- * Make string we are checking for less specific to allow it pass for other platforms. (#1580)
- * Validate image fits in filesystem in a lot more cases. take filesystem overhead into account when resizing. (#1466)
- * Try to use the CDIConfig proxy URL if it is set, if not use port-forward (#1598)
- * Update kubevirtci (#1579)
- * Replaced file copying code with an existing utility function. (#1585)
- * Global preallocation setting is not taken into account correctly. (#1565)
- * Retry finding the pods for looking up the annotations. (#1583)
- * Make DeletePodByName always wait for the pod to stop existing. (#1584)
- * When cleaning up NFS disks, recursively delete their contents. (#1576)
- * Typedef for preallocation status (#1568)
- * Add Data Volume annotations documentation (#1582)
- * core: Preallocate blank block volumes (#1559)
- * Skip test 2555 if running on openshift (#1572)
-
-* Tue Jan 26 2021 jfehlig@suse.com
-- Update to version 1.29.0:
- * Document smartclone disable feature in markdown (#1571)
- * update cdi config docs (#1556)
- * Run bazelisk run //plugins/cmd/uploader:uploader -- -workspace /home/prow/go/src/github.com/kubevirt/project-infra/../containerized-data-importer/WORKSPACE -dry-run=false (#1569)
- * Reduce the noise from the filesystem overhead functionality (#1558)
- * VDDK: work with block devices better (BZ 1913756). (#1564)
- * Add a DV/PVC annotation "storage.bind.immediate.requested" (#1560)
- * Use nbdkit for direct stream for the http importer (#1508)
- * Text-only changes missed in removing the Process phase (#1446) (#1562)
- * Compare logs while ignoring differences in spaces. (#1557)
- * update api for cert configuration (#1542)
- * core: Preallocate blank image disks as well (#1555)
- * Preallocation check all paths (#1535)
- * Remove temporary approver status.
- * Change verbosity for preallocation messages, avoid possible infinite loop (#1551)
- * Add test ids to strict reconciliation tests (#1546)
- * VDDK: more reliable transfers of full disks. (#1547)
- * Stop Using Deprecated Packages (#1548)
- * Run bazelisk run //plugins/cmd/uploader:uploader -- -workspace /home/prow/go/src/github.com/kubevirt/project-infra/../containerized-data-importer/WORKSPACE -dry-run=false (#1543)
- * Preallocation support (#1498)
- * VDDK: incremental copy with changed block tracking (#1517)
- * Run bazelisk run //plugins/cmd/uploader:uploader -- -workspace /home/prow/go/src/github.com/kubevirt/project-infra/../containerized-data-importer/WORKSPACE -dry-run=false (#1536)
- * Add maya-r to approver list.
- * Simplify file host, now a new image only has to be added to bazel. (#1534)
- * Update fedora 33 (#1486)
- * Allow passing default multus network annotation to transfer pods (#1532)
- * Try updating the node taint in a loop (#1510)
- * Add an API for disabling smart-cloning. (#1461)
- * Read-only clone source pods (#1524)
- * Clone source program calls tar instead of getting piped input. This ensures we trap tar errors. (#1521)
- * Add strict reconciliation tests (#1505)
- * Allow specifying of the CONTAINER_DISK_IMAGE with a default of the current value. (#1515)
- * Designate CDI as CDIConfig authority (#1516)
- * Update builder to fedora 33 (#1511)
- * In the operator test there is a critical addons test that removes and (#1513)
- * Create a Datavolume if a coliding PVC with same name exists but is marked to delete (#1477)
- * Fix make target cluster-sync-cdi, add cluster-clean-cdi & cluster-clean-test-infra (#1503)
- * increase code coverage by moving utility functions from api packages (#1479)
- * Pass specific PVC annotations to the transfer pods (#1480)
- * Move configure_storage to test setup. (#1484)
- * Make sure the DV is the main resource and single source of truth for WaitForFirstConsumer. (#1499)
- * Controller support for Multistage Imports (#1450)
- * Pull less from dockerhub when running testsuite (#1478)
- * apiserver should serve up openapi spec (#1485)
- * VDDK: Add more debug logging around nbdkit. (#1465)
- * k8s-reporter: Add Endpoints logging (#1481)
- * Add CDIConfig to CDI (#1475)
- * Run bazelisk run //plugins/cmd/uploader:uploader -- -workspace /home/prow/go/src/github.com/fgimenez/project-infra/../../kubevirt/containerized-data-importer/WORKSPACE -dry-run=false
- * Wait for stray pods to terminate, destroy/re-create at AfterEach. (#1459)
- * Remove the "Process" data processor phase, simplify state machine. (#1446)
- * Scratch import bug (#1424)
- * Dump service resources after failed tests (#1463)
- * VDDK: replace qemu-img with libnbd (#1448)
- * update kubevirtci (#1457)
- * Update WORKSPACE packages to non-404 ones, and add a second mirror. (#1444)
- * Don't wait for NS to deleted in test before starting next test (#1439)
-
-* Tue Oct 27 2020 James Fehlig
-- spec: Fix binary names for several CDI components
-
-* Mon Oct 26 2020 jfehlig@suse.com
-- Update to version 1.25.0:
- * Update builder image to add libnbd (#1452)
- * Add make targets cluster-sync-cdi & cluster-sync-test-infra (#1451)
- * Add library function to determine if a PVC is waiting for first consu… (#1442)
- * Add test_ids for the tests (#1441)
- * Retry upload in case upload pod wasn't 100%% ready when attempting upload (#1440)
- * add finalizer to target PVC before creating clone source pod (#1429)
- * Make CDI infra deployments as critical addons. (#1361)
- * Fix cloning checking fsGroup test in case of use with OCS. (#1435)
- * Fix types.go vs code schema verification to actually fail if they are different. (#1428)
- * Add files used in OpenShift CI. (#1416)
- * Retry upload in case upload pod wasn't 100%% ready when attempting upload (#1437)
- * Check for expected changes after CDI upgrade (#1417)
- * Files in tar archives can have paths relative to ./ (#1432)
- * Attempt to schedula clone sourc/target pods on same node (#1426)
- * Touch ups for filesystem overhead test cases (#1427)
- * Fix imports for images with no info about MediaType. (#1413)
- * Fix size mismatch between source and target in smart clone tests. Ceph no longer (#1421)
- * use snappy compression for cloning instead of gzip (#1419)
- * Update to k8s.io/klog/v2, used by kubernetes 1.19 (#1409)
-
-* Fri Oct 23 2020 jfehlig@suse.com
-- Update to version 1.24.0:
- * add system:authorized to groups checked for clone auth (#1415)
- * Fixing CDIStatus generate-verify issues (#1412)
- * Reserve overhead when validating that a Filesystem has enough space (#1319)
- * Test behavior after client-side upload failure. (#1404)
- * Removed hard coded registry:5000 for vddk datasource test. (#1402)
- * Add library function to determine if a PVC has been populated fully. (#1400)
- * Remove dependency update when building the OR CI build image (#1386)
- * Add test_id for the test cases (#1398)
- * Fix incorrect region parsing from aws s3 endpoint (#1395)
- * Add functional test for cloning if source NS has enought quota and (#1387)
-
-* Fri Oct 23 2020 James Fehlig
-- Initial attempt at packaging CDI
diff --git a/SPECS/docker-compose/CVE-2025-47913.patch b/SPECS/docker-compose/CVE-2025-47913.patch
new file mode 100644
index 0000000000..b50b85e81b
--- /dev/null
+++ b/SPECS/docker-compose/CVE-2025-47913.patch
@@ -0,0 +1,50 @@
+From 3a083d7126710d186760b49c440ce07bdb9a0f27 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Tue, 18 Nov 2025 15:58:07 +0000
+Subject: [PATCH] ssh/agent: return an error for unexpected message types
+
+Previously, receiving an unexpected message type in response to a key
+listing or a signing request could cause a panic due to a failed type
+assertion.
+
+This change adds a default case to the type switch in order to detect
+and explicitly handle unknown or invalid message types, returning a
+descriptive error instead of crashing.
+
+Fixes golang/go#75178
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/golang/crypto/commit/559e062ce8bfd6a39925294620b50906ca2a6f95.patch
+---
+ vendor/golang.org/x/crypto/ssh/agent/client.go | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/agent/client.go b/vendor/golang.org/x/crypto/ssh/agent/client.go
+index fecba8e..6dc73e0 100644
+--- a/vendor/golang.org/x/crypto/ssh/agent/client.go
++++ b/vendor/golang.org/x/crypto/ssh/agent/client.go
+@@ -430,8 +430,9 @@ func (c *client) List() ([]*Key, error) {
+ return keys, nil
+ case *failureAgentMsg:
+ return nil, errors.New("agent: failed to list keys")
++ default:
++ return nil, fmt.Errorf("agent: failed to list keys, unexpected message type %T", msg)
+ }
+- panic("unreachable")
+ }
+
+ // Sign has the agent sign the data using a protocol 2 key as defined
+@@ -462,8 +463,9 @@ func (c *client) SignWithFlags(key ssh.PublicKey, data []byte, flags SignatureFl
+ return &sig, nil
+ case *failureAgentMsg:
+ return nil, errors.New("agent: failed to sign challenge")
++ default:
++ return nil, fmt.Errorf("agent: failed to sign challenge, unexpected message type %T", msg)
+ }
+- panic("unreachable")
+ }
+
+ // unmarshal parses an agent message in packet, returning the parsed
+--
+2.45.4
+
diff --git a/SPECS/docker-compose/docker-compose.spec b/SPECS/docker-compose/docker-compose.spec
index c6c0e53490..b1c83eacc4 100644
--- a/SPECS/docker-compose/docker-compose.spec
+++ b/SPECS/docker-compose/docker-compose.spec
@@ -1,7 +1,7 @@
Summary: Define and run multi-container applications with Docker
Name: docker-compose
Version: 2.27.0
-Release: 6%{?dist}
+Release: 7%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Azure Linux
@@ -17,6 +17,7 @@ Patch1: CVE-2024-45338.patch
Patch2: CVE-2025-22869.patch
Patch3: CVE-2024-10846.patch
Patch4: CVE-2025-22872.patch
+Patch5: CVE-2025-47913.patch
BuildRequires: golang
Requires: docker-cli
Obsoletes: moby-compose < %{version}-%{release}
@@ -49,6 +50,10 @@ install -D -m0755 bin/build/docker-compose %{buildroot}/%{_libexecdir}/docker/cl
%{_libexecdir}/docker/cli-plugins/docker-compose
%changelog
+* Mon Jan 5 2025 Lee Chee Yang - 2.27.0-7
+- merge from Azure Linux 3.0.20251206-3.0
+- Patch for CVE-2025-47913
+
* Fri May 30 2025 Ranjan Dutta - 2.27.0-6
- merge from Azure Linux 3.0.20250521-3.0
- Patch CVE-2025-22872
diff --git a/SPECS/edk2/CVE-2025-9230.patch b/SPECS/edk2/CVE-2025-9230.patch
new file mode 100644
index 0000000000..6b3fefacf2
--- /dev/null
+++ b/SPECS/edk2/CVE-2025-9230.patch
@@ -0,0 +1,36 @@
+From 86093db2685b86e658302aec4297c54d664ea874 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni
+Date: Thu, 11 Sep 2025 18:10:12 +0200
+Subject: [PATCH] kek_unwrap_key(): Fix incorrect check of unwrapped key size
+
+Fixes CVE-2025-9230
+
+The check is off by 8 bytes so it is possible to overread by
+up to 8 bytes and overwrite up to 4 bytes.
+
+Reviewed-by: Neil Horman
+Reviewed-by: Matt Caswell
+Reviewed-by: Tomas Mraz
+(cherry picked from commit 9c462be2cea54ebfc62953224220b56f8ba22a0c)
+Signed-off-by: rpm-build
+Upstream-reference: https://github.com/openssl/openssl/commit/a79c4ce559c6a3a8fd4109e9f33c1185d5bf2def.patch
+---
+ CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c
+index 2373092..6b507c3 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c
+@@ -228,7 +228,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
+ /* Check byte failure */
+ goto err;
+ }
+- if (inlen < (size_t)(tmp[0] - 4)) {
++ if (inlen < 4 + (size_t)tmp[0]) {
+ /* Invalid length value */
+ goto err;
+ }
+--
+2.45.4
+
diff --git a/SPECS/edk2/edk2.spec b/SPECS/edk2/edk2.spec
index 2673e02176..dd03a807dc 100644
--- a/SPECS/edk2/edk2.spec
+++ b/SPECS/edk2/edk2.spec
@@ -55,7 +55,7 @@ ExclusiveArch: x86_64
Name: edk2
Version: %{GITDATE}git%{GITCOMMIT}
-Release: 10%{?dist}
+Release: 11%{?dist}
Summary: UEFI firmware for 64-bit virtual machines
License: Apache-2.0 AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-Patent AND BSD-3-Clause AND BSD-4-Clause AND ISC AND MIT AND LicenseRef-Fedora-Public-Domain
URL: https://www.tianocore.org
@@ -139,6 +139,7 @@ Patch1003: CVE-2024-13176.patch
Patch1004: CVE-2024-2511.patch
Patch1005: CVE-2024-4603.patch
Patch1006: CVE-2025-3770.patch
+Patch1007: CVE-2025-9230.patch
# python3-devel and libuuid-devel are required for building tools.
# python3-devel is also needed for varstore template generation and
@@ -800,6 +801,10 @@ done
/boot/efi/HvLoader.efi
%changelog
+* Mon Jan 5 2025 Lee Chee Yang - 20240524git3e722403cd16-11
+- merge from Azure Linux 3.0.20251206-3.0
+- Patch for CVE-2025-9230
+
* Fri Oct 3 2025 Lee Chee Yang - 20240524git3e722403cd16-10
- merge from Azure Linux 3.0.20250910-3.0
- Patch for CVE-2025-3770
diff --git a/SPECS/elfutils/CVE-2024-25260.patch b/SPECS/elfutils/CVE-2024-25260.patch
new file mode 100644
index 0000000000..834e077aa5
--- /dev/null
+++ b/SPECS/elfutils/CVE-2024-25260.patch
@@ -0,0 +1,37 @@
+From c0e0ac70a6add189194581be409a0ac0eb0a971b Mon Sep 17 00:00:00 2001
+From: Mark Wielaard
+Date: Mon, 13 Nov 2023 22:38:10 +0100
+Subject: [PATCH] backends: Fix arm_machine_flag_name version string.
+
+arm_machine_flag_name checks the version byte and if not zero returns
+a version string. There are only 5 versions defined. So check the
+version byte is not larger.
+
+ * backends/arm_machineflagname.c (arm_machine_flag_name):
+ Check version <= 0, otherwise return NULL.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=31058
+
+Signed-off-by: Mark Wielaard
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://sourceware.org/git/?p=elfutils.git;a=patch;h=373f5212677235fc3ca6068b887111554790f944
+---
+ backends/arm_machineflagname.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/backends/arm_machineflagname.c b/backends/arm_machineflagname.c
+index e93092a..d700d5f 100644
+--- a/backends/arm_machineflagname.c
++++ b/backends/arm_machineflagname.c
+@@ -48,7 +48,7 @@ arm_machine_flag_name (Elf64_Word orig, Elf64_Word *flagref)
+ "Version5 EABI",
+ };
+ *flagref &= ~((Elf64_Word) EF_ARM_EABIMASK);
+- return vername[version - 1];
++ return version <= 5 ? vername[version - 1] : NULL;
+ }
+ switch (EF_ARM_EABI_VERSION (orig))
+ {
+--
+2.45.4
+
diff --git a/SPECS/elfutils/elfutils.spec b/SPECS/elfutils/elfutils.spec
index f440508069..cf20fdfb70 100644
--- a/SPECS/elfutils/elfutils.spec
+++ b/SPECS/elfutils/elfutils.spec
@@ -4,7 +4,7 @@
Summary: A collection of utilities and DSOs to handle compiled objects
Name: elfutils
Version: 0.189
-Release: 7%{?dist}
+Release: 8%{?dist}
License: GPLv3+ AND (GPLv2+ OR LGPLv3+)
Vendor: Intel Corporation
Distribution: Edge Microvisor Toolkit
@@ -17,6 +17,7 @@ Patch0: CVE-2025-1372.patch
Patch1: CVE-2025-1376.patch
Patch2: CVE-2025-1377.patch
Patch3: CVE-2025-1352.patch
+Patch4: CVE-2024-25260.patch
BuildRequires: bison >= 1.875
BuildRequires: bzip2-devel
@@ -283,6 +284,10 @@ fi
%defattr(-,root,root)
%changelog
+* Mon Jan 5 2025 Lee Chee Yang - 0.189-8
+- merge from Azure Linux 3.0.20251206-3.0
+- Patch for CVE-2024-25260
+
* Mon Sep 8 2025 Lee Chee Yang - 0.189-7
- merge from Azure Linux 3.0.20250910-3.0.
- add patch for CVE-2025-1352
diff --git a/SPECS/expat/CVE-2024-8176.patch b/SPECS/expat/CVE-2024-8176.patch
new file mode 100644
index 0000000000..47f38ef6dd
--- /dev/null
+++ b/SPECS/expat/CVE-2024-8176.patch
@@ -0,0 +1,1398 @@
+From 35a1dea4c07cb0f13f0736d3a8821a696c27f8b1 Mon Sep 17 00:00:00 2001
+From: Kshitiz Godara
+Date: Thu, 20 Mar 2025 06:36:42 +0000
+Subject: [PATCH] Fix for CVE-2024-8176
+
+Upstream source: https://github.com/libexpat/libexpat/pull/973
+
+Signed-off-by: Kshitiz Godara
+---
+ Changes | 30 ++-
+ lib/xmlparse.c | 566 ++++++++++++++++++++++++++++++++------------
+ tests/alloc_tests.c | 27 +++
+ tests/basic_tests.c | 187 ++++++++++++++-
+ tests/handlers.c | 15 ++
+ tests/handlers.h | 5 +
+ tests/misc_tests.c | 43 ++++
+ 7 files changed, 717 insertions(+), 156 deletions(-)
+
+diff --git a/Changes b/Changes
+index aa19f70..75c62d6 100644
+--- a/Changes
++++ b/Changes
+@@ -11,7 +11,6 @@
+ !! The following topics need *additional skilled C developers* to progress !!
+ !! in a timely manner or at all (loosely ordered by descending priority): !!
+ !! !!
+-!! - , !!
+ !! - teaming up on researching and fixing future security reports and !!
+ !! ClusterFuzz findings with few-days-max response times in communication !!
+ !! in order to (1) have a sound fix ready before the end of a 90 days !!
+@@ -30,6 +29,35 @@
+ !! THANK YOU! Sebastian Pipping -- Berlin, 2024-03-09 !!
+ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
++ Security fixes:
++ #893 #??? CVE-2024-8176 -- Fix crash from chaining a large number
++ of entities caused by stack overflow by resolving use of
++ recursion, for all three uses of entities:
++ - general entities in character data ("&g1;")
++ - general entities in attribute values ("")
++ - parameter entities ("%p1;")
++ Known impact is (reliable and easy) denial of service:
++ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
++ (Base Score: 7.5, Temporal Score: 7.2)
++ Please note that a layer of compression around XML can
++ significantly reduce the minimum attack payload size.
++
++ Special thanks to:
++ Alexander Gieringer
++ Berkay Eren Ürün
++ Jann Horn
++ Mark Brand
++ Sebastian Andrzej Siewior
++ Snild Dolkow
++ Thomas Pröll
++ Tomas Korbar
++ valord577
++ and
++ Google Project Zero
++ Linutronix
++ Red Hat
++ Siemens
++
+ Release 2.6.4 Wed November 6 2024
+ Security fixes:
+ #915 CVE-2024-50602 -- Fix crash within function XML_ResumeParser
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index a4e091e..473c791 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -39,7 +39,7 @@
+ Copyright (c) 2022 Sean McBride
+ Copyright (c) 2023 Owain Davies
+ Copyright (c) 2023-2024 Sony Corporation / Snild Dolkow
+- Copyright (c) 2024 Berkay Eren Ürün
++ Copyright (c) 2024-2025 Berkay Eren Ürün
+ Copyright (c) 2024 Hanno Böck
+ Licensed under the MIT license:
+
+@@ -325,6 +325,10 @@ typedef struct {
+ const XML_Char *publicId;
+ const XML_Char *notation;
+ XML_Bool open;
++ XML_Bool hasMore; /* true if entity has not been completely processed */
++ /* An entity can be open while being already completely processed (hasMore ==
++ XML_FALSE). The reason is the delayed closing of entities until their inner
++ entities are processed and closed */
+ XML_Bool is_param;
+ XML_Bool is_internal; /* true if declared in internal subset outside PE */
+ } ENTITY;
+@@ -415,6 +419,12 @@ typedef struct {
+ int *scaffIndex;
+ } DTD;
+
++enum EntityType {
++ ENTITY_INTERNAL,
++ ENTITY_ATTRIBUTE,
++ ENTITY_VALUE,
++};
++
+ typedef struct open_internal_entity {
+ const char *internalEventPtr;
+ const char *internalEventEndPtr;
+@@ -422,6 +432,7 @@ typedef struct open_internal_entity {
+ ENTITY *entity;
+ int startTagLevel;
+ XML_Bool betweenDecl; /* WFC: PE Between Declarations */
++ enum EntityType type;
+ } OPEN_INTERNAL_ENTITY;
+
+ enum XML_Account {
+@@ -481,8 +492,8 @@ static enum XML_Error doProlog(XML_Parser parser, const ENCODING *enc,
+ const char *next, const char **nextPtr,
+ XML_Bool haveMore, XML_Bool allowClosingDoctype,
+ enum XML_Account account);
+-static enum XML_Error processInternalEntity(XML_Parser parser, ENTITY *entity,
+- XML_Bool betweenDecl);
++static enum XML_Error processEntity(XML_Parser parser, ENTITY *entity,
++ XML_Bool betweenDecl, enum EntityType type);
+ static enum XML_Error doContent(XML_Parser parser, int startTagLevel,
+ const ENCODING *enc, const char *start,
+ const char *end, const char **endPtr,
+@@ -513,18 +524,22 @@ static enum XML_Error storeAttributeValue(XML_Parser parser,
+ const char *ptr, const char *end,
+ STRING_POOL *pool,
+ enum XML_Account account);
+-static enum XML_Error appendAttributeValue(XML_Parser parser,
+- const ENCODING *enc,
+- XML_Bool isCdata, const char *ptr,
+- const char *end, STRING_POOL *pool,
+- enum XML_Account account);
++static enum XML_Error
++appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
++ const char *ptr, const char *end, STRING_POOL *pool,
++ enum XML_Account account, const char **nextPtr);
+ static ATTRIBUTE_ID *getAttributeId(XML_Parser parser, const ENCODING *enc,
+ const char *start, const char *end);
+ static int setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *elementType);
+ #if XML_GE == 1
+ static enum XML_Error storeEntityValue(XML_Parser parser, const ENCODING *enc,
+ const char *start, const char *end,
+- enum XML_Account account);
++ enum XML_Account account,
++ const char **nextPtr);
++static enum XML_Error callStoreEntityValue(XML_Parser parser,
++ const ENCODING *enc,
++ const char *start, const char *end,
++ enum XML_Account account);
+ #else
+ static enum XML_Error storeSelfEntityValue(XML_Parser parser, ENTITY *entity);
+ #endif
+@@ -709,6 +724,10 @@ struct XML_ParserStruct {
+ const char *m_positionPtr;
+ OPEN_INTERNAL_ENTITY *m_openInternalEntities;
+ OPEN_INTERNAL_ENTITY *m_freeInternalEntities;
++ OPEN_INTERNAL_ENTITY *m_openAttributeEntities;
++ OPEN_INTERNAL_ENTITY *m_freeAttributeEntities;
++ OPEN_INTERNAL_ENTITY *m_openValueEntities;
++ OPEN_INTERNAL_ENTITY *m_freeValueEntities;
+ XML_Bool m_defaultExpandInternalEntities;
+ int m_tagLevel;
+ ENTITY *m_declEntity;
+@@ -756,6 +775,7 @@ struct XML_ParserStruct {
+ ACCOUNTING m_accounting;
+ ENTITY_STATS m_entity_stats;
+ #endif
++ XML_Bool m_reenter;
+ };
+
+ #define MALLOC(parser, s) (parser->m_mem.malloc_fcn((s)))
+@@ -1028,7 +1048,29 @@ callProcessor(XML_Parser parser, const char *start, const char *end,
+ #if defined(XML_TESTING)
+ g_bytesScanned += (unsigned)have_now;
+ #endif
+- const enum XML_Error ret = parser->m_processor(parser, start, end, endPtr);
++ // Run in a loop to eliminate dangerous recursion depths
++ enum XML_Error ret;
++ *endPtr = start;
++ while (1) {
++ // Use endPtr as the new start in each iteration, since it will
++ // be set to the next start point by m_processor.
++ ret = parser->m_processor(parser, *endPtr, end, endPtr);
++
++ // Make parsing status (and in particular XML_SUSPENDED) take
++ // precedence over re-enter flag when they disagree
++ if (parser->m_parsingStatus.parsing != XML_PARSING) {
++ parser->m_reenter = XML_FALSE;
++ }
++
++ if (! parser->m_reenter) {
++ break;
++ }
++
++ parser->m_reenter = XML_FALSE;
++ if (ret != XML_ERROR_NONE)
++ return ret;
++ }
++
+ if (ret == XML_ERROR_NONE) {
+ // if we consumed nothing, remember what we had on this parse attempt.
+ if (*endPtr == start) {
+@@ -1139,6 +1181,8 @@ parserCreate(const XML_Char *encodingName,
+ parser->m_freeBindingList = NULL;
+ parser->m_freeTagList = NULL;
+ parser->m_freeInternalEntities = NULL;
++ parser->m_freeAttributeEntities = NULL;
++ parser->m_freeValueEntities = NULL;
+
+ parser->m_groupSize = 0;
+ parser->m_groupConnector = NULL;
+@@ -1241,6 +1285,8 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) {
+ parser->m_eventEndPtr = NULL;
+ parser->m_positionPtr = NULL;
+ parser->m_openInternalEntities = NULL;
++ parser->m_openAttributeEntities = NULL;
++ parser->m_openValueEntities = NULL;
+ parser->m_defaultExpandInternalEntities = XML_TRUE;
+ parser->m_tagLevel = 0;
+ parser->m_tagStack = NULL;
+@@ -1251,6 +1297,8 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) {
+ parser->m_unknownEncodingData = NULL;
+ parser->m_parentParser = NULL;
+ parser->m_parsingStatus.parsing = XML_INITIALIZED;
++ // Reentry can only be triggered inside m_processor calls
++ parser->m_reenter = XML_FALSE;
+ #ifdef XML_DTD
+ parser->m_isParamEntity = XML_FALSE;
+ parser->m_useForeignDTD = XML_FALSE;
+@@ -1310,6 +1358,24 @@ XML_ParserReset(XML_Parser parser, const XML_Char *encodingName) {
+ openEntity->next = parser->m_freeInternalEntities;
+ parser->m_freeInternalEntities = openEntity;
+ }
++ /* move m_openAttributeEntities to m_freeAttributeEntities (i.e. same task but
++ * for attributes) */
++ openEntityList = parser->m_openAttributeEntities;
++ while (openEntityList) {
++ OPEN_INTERNAL_ENTITY *openEntity = openEntityList;
++ openEntityList = openEntity->next;
++ openEntity->next = parser->m_freeAttributeEntities;
++ parser->m_freeAttributeEntities = openEntity;
++ }
++ /* move m_openValueEntities to m_freeValueEntities (i.e. same task but
++ * for value entities) */
++ openEntityList = parser->m_openValueEntities;
++ while (openEntityList) {
++ OPEN_INTERNAL_ENTITY *openEntity = openEntityList;
++ openEntityList = openEntity->next;
++ openEntity->next = parser->m_freeValueEntities;
++ parser->m_freeValueEntities = openEntity;
++ }
+ moveToFreeBindingList(parser, parser->m_inheritedBindings);
+ FREE(parser, parser->m_unknownEncodingMem);
+ if (parser->m_unknownEncodingRelease)
+@@ -1323,6 +1389,19 @@ XML_ParserReset(XML_Parser parser, const XML_Char *encodingName) {
+ return XML_TRUE;
+ }
+
++static XML_Bool
++parserBusy(XML_Parser parser) {
++ switch (parser->m_parsingStatus.parsing) {
++ case XML_PARSING:
++ case XML_SUSPENDED:
++ return XML_TRUE;
++ case XML_INITIALIZED:
++ case XML_FINISHED:
++ default:
++ return XML_FALSE;
++ }
++}
++
+ enum XML_Status XMLCALL
+ XML_SetEncoding(XML_Parser parser, const XML_Char *encodingName) {
+ if (parser == NULL)
+@@ -1331,8 +1410,7 @@ XML_SetEncoding(XML_Parser parser, const XML_Char *encodingName) {
+ XXX There's no way for the caller to determine which of the
+ XXX possible error cases caused the XML_STATUS_ERROR return.
+ */
+- if (parser->m_parsingStatus.parsing == XML_PARSING
+- || parser->m_parsingStatus.parsing == XML_SUSPENDED)
++ if (parserBusy(parser))
+ return XML_STATUS_ERROR;
+
+ /* Get rid of any previous encoding name */
+@@ -1569,7 +1647,34 @@ XML_ParserFree(XML_Parser parser) {
+ entityList = entityList->next;
+ FREE(parser, openEntity);
+ }
+-
++ /* free m_openAttributeEntities and m_freeAttributeEntities */
++ entityList = parser->m_openAttributeEntities;
++ for (;;) {
++ OPEN_INTERNAL_ENTITY *openEntity;
++ if (entityList == NULL) {
++ if (parser->m_freeAttributeEntities == NULL)
++ break;
++ entityList = parser->m_freeAttributeEntities;
++ parser->m_freeAttributeEntities = NULL;
++ }
++ openEntity = entityList;
++ entityList = entityList->next;
++ FREE(parser, openEntity);
++ }
++ /* free m_openValueEntities and m_freeValueEntities */
++ entityList = parser->m_openValueEntities;
++ for (;;) {
++ OPEN_INTERNAL_ENTITY *openEntity;
++ if (entityList == NULL) {
++ if (parser->m_freeValueEntities == NULL)
++ break;
++ entityList = parser->m_freeValueEntities;
++ parser->m_freeValueEntities = NULL;
++ }
++ openEntity = entityList;
++ entityList = entityList->next;
++ FREE(parser, openEntity);
++ }
+ destroyBindings(parser->m_freeBindingList, parser);
+ destroyBindings(parser->m_inheritedBindings, parser);
+ poolDestroy(&parser->m_tempPool);
+@@ -1611,8 +1716,7 @@ XML_UseForeignDTD(XML_Parser parser, XML_Bool useDTD) {
+ return XML_ERROR_INVALID_ARGUMENT;
+ #ifdef XML_DTD
+ /* block after XML_Parse()/XML_ParseBuffer() has been called */
+- if (parser->m_parsingStatus.parsing == XML_PARSING
+- || parser->m_parsingStatus.parsing == XML_SUSPENDED)
++ if (parserBusy(parser))
+ return XML_ERROR_CANT_CHANGE_FEATURE_ONCE_PARSING;
+ parser->m_useForeignDTD = useDTD;
+ return XML_ERROR_NONE;
+@@ -1627,8 +1731,7 @@ XML_SetReturnNSTriplet(XML_Parser parser, int do_nst) {
+ if (parser == NULL)
+ return;
+ /* block after XML_Parse()/XML_ParseBuffer() has been called */
+- if (parser->m_parsingStatus.parsing == XML_PARSING
+- || parser->m_parsingStatus.parsing == XML_SUSPENDED)
++ if (parserBusy(parser))
+ return;
+ parser->m_ns_triplets = do_nst ? XML_TRUE : XML_FALSE;
+ }
+@@ -1897,8 +2000,7 @@ XML_SetParamEntityParsing(XML_Parser parser,
+ if (parser == NULL)
+ return 0;
+ /* block after XML_Parse()/XML_ParseBuffer() has been called */
+- if (parser->m_parsingStatus.parsing == XML_PARSING
+- || parser->m_parsingStatus.parsing == XML_SUSPENDED)
++ if (parserBusy(parser))
+ return 0;
+ #ifdef XML_DTD
+ parser->m_paramEntityParsing = peParsing;
+@@ -1915,8 +2017,7 @@ XML_SetHashSalt(XML_Parser parser, unsigned long hash_salt) {
+ if (parser->m_parentParser)
+ return XML_SetHashSalt(parser->m_parentParser, hash_salt);
+ /* block after XML_Parse()/XML_ParseBuffer() has been called */
+- if (parser->m_parsingStatus.parsing == XML_PARSING
+- || parser->m_parsingStatus.parsing == XML_SUSPENDED)
++ if (parserBusy(parser))
+ return 0;
+ parser->m_hash_secret_salt = hash_salt;
+ return 1;
+@@ -2230,6 +2331,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
+ return parser->m_bufferEnd;
+ }
+
++static void
++triggerReenter(XML_Parser parser) {
++ parser->m_reenter = XML_TRUE;
++}
++
+ enum XML_Status XMLCALL
+ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+ if (parser == NULL)
+@@ -2704,8 +2810,9 @@ static enum XML_Error PTRCALL
+ contentProcessor(XML_Parser parser, const char *start, const char *end,
+ const char **endPtr) {
+ enum XML_Error result = doContent(
+- parser, 0, parser->m_encoding, start, end, endPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_ACCOUNT_DIRECT);
++ parser, parser->m_parentParser ? 1 : 0, parser->m_encoding, start, end,
++ endPtr, (XML_Bool)! parser->m_parsingStatus.finalBuffer,
++ XML_ACCOUNT_DIRECT);
+ if (result == XML_ERROR_NONE) {
+ if (! storeRawNames(parser))
+ return XML_ERROR_NO_MEMORY;
+@@ -2793,6 +2900,11 @@ externalEntityInitProcessor3(XML_Parser parser, const char *start,
+ return XML_ERROR_NONE;
+ case XML_FINISHED:
+ return XML_ERROR_ABORTED;
++ case XML_PARSING:
++ if (parser->m_reenter) {
++ return XML_ERROR_UNEXPECTED_STATE; // LCOV_EXCL_LINE
++ }
++ /* Fall through */
+ default:
+ start = next;
+ }
+@@ -2966,7 +3078,7 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ reportDefault(parser, enc, s, next);
+ break;
+ }
+- result = processInternalEntity(parser, entity, XML_FALSE);
++ result = processEntity(parser, entity, XML_FALSE, ENTITY_INTERNAL);
+ if (result != XML_ERROR_NONE)
+ return result;
+ } else if (parser->m_externalEntityRefHandler) {
+@@ -3092,7 +3204,9 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ }
+ if ((parser->m_tagLevel == 0)
+ && (parser->m_parsingStatus.parsing != XML_FINISHED)) {
+- if (parser->m_parsingStatus.parsing == XML_SUSPENDED)
++ if (parser->m_parsingStatus.parsing == XML_SUSPENDED
++ || (parser->m_parsingStatus.parsing == XML_PARSING
++ && parser->m_reenter))
+ parser->m_processor = epilogProcessor;
+ else
+ return epilogProcessor(parser, next, end, nextPtr);
+@@ -3153,7 +3267,9 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ }
+ if ((parser->m_tagLevel == 0)
+ && (parser->m_parsingStatus.parsing != XML_FINISHED)) {
+- if (parser->m_parsingStatus.parsing == XML_SUSPENDED)
++ if (parser->m_parsingStatus.parsing == XML_SUSPENDED
++ || (parser->m_parsingStatus.parsing == XML_PARSING
++ && parser->m_reenter))
+ parser->m_processor = epilogProcessor;
+ else
+ return epilogProcessor(parser, next, end, nextPtr);
+@@ -3293,6 +3409,12 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ return XML_ERROR_NONE;
+ case XML_FINISHED:
+ return XML_ERROR_ABORTED;
++ case XML_PARSING:
++ if (parser->m_reenter) {
++ *nextPtr = next;
++ return XML_ERROR_NONE;
++ }
++ /* Fall through */
+ default:;
+ }
+ }
+@@ -4217,6 +4339,11 @@ doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
+ return XML_ERROR_NONE;
+ case XML_FINISHED:
+ return XML_ERROR_ABORTED;
++ case XML_PARSING:
++ if (parser->m_reenter) {
++ return XML_ERROR_UNEXPECTED_STATE; // LCOV_EXCL_LINE
++ }
++ /* Fall through */
+ default:;
+ }
+ }
+@@ -4549,7 +4676,7 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end,
+ }
+ /* found end of entity value - can store it now */
+ return storeEntityValue(parser, parser->m_encoding, s, end,
+- XML_ACCOUNT_DIRECT);
++ XML_ACCOUNT_DIRECT, NULL);
+ } else if (tok == XML_TOK_XML_DECL) {
+ enum XML_Error result;
+ result = processXmlDecl(parser, 0, start, next);
+@@ -4676,7 +4803,7 @@ entityValueProcessor(XML_Parser parser, const char *s, const char *end,
+ break;
+ }
+ /* found end of entity value - can store it now */
+- return storeEntityValue(parser, enc, s, end, XML_ACCOUNT_DIRECT);
++ return storeEntityValue(parser, enc, s, end, XML_ACCOUNT_DIRECT, NULL);
+ }
+ start = next;
+ }
+@@ -5119,9 +5246,9 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ #if XML_GE == 1
+ // This will store the given replacement text in
+ // parser->m_declEntity->textPtr.
+- enum XML_Error result
+- = storeEntityValue(parser, enc, s + enc->minBytesPerChar,
+- next - enc->minBytesPerChar, XML_ACCOUNT_NONE);
++ enum XML_Error result = callStoreEntityValue(
++ parser, enc, s + enc->minBytesPerChar, next - enc->minBytesPerChar,
++ XML_ACCOUNT_NONE);
+ if (parser->m_declEntity) {
+ parser->m_declEntity->textPtr = poolStart(&dtd->entityValuePool);
+ parser->m_declEntity->textLen
+@@ -5546,7 +5673,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ enum XML_Error result;
+ XML_Bool betweenDecl
+ = (role == XML_ROLE_PARAM_ENTITY_REF ? XML_TRUE : XML_FALSE);
+- result = processInternalEntity(parser, entity, betweenDecl);
++ result = processEntity(parser, entity, betweenDecl, ENTITY_INTERNAL);
+ if (result != XML_ERROR_NONE)
+ return result;
+ handleDefault = XML_FALSE;
+@@ -5751,6 +5878,12 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ return XML_ERROR_NONE;
+ case XML_FINISHED:
+ return XML_ERROR_ABORTED;
++ case XML_PARSING:
++ if (parser->m_reenter) {
++ *nextPtr = next;
++ return XML_ERROR_NONE;
++ }
++ /* Fall through */
+ default:
+ s = next;
+ tok = XmlPrologTok(enc, s, end, &next);
+@@ -5825,21 +5958,49 @@ epilogProcessor(XML_Parser parser, const char *s, const char *end,
+ return XML_ERROR_NONE;
+ case XML_FINISHED:
+ return XML_ERROR_ABORTED;
++ case XML_PARSING:
++ if (parser->m_reenter) {
++ return XML_ERROR_UNEXPECTED_STATE; // LCOV_EXCL_LINE
++ }
++ /* Fall through */
+ default:;
+ }
+ }
+ }
+
+ static enum XML_Error
+-processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) {
+- const char *textStart, *textEnd;
+- const char *next;
+- enum XML_Error result;
+- OPEN_INTERNAL_ENTITY *openEntity;
++processEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl,
++ enum EntityType type) {
++ OPEN_INTERNAL_ENTITY *openEntity, **openEntityList, **freeEntityList;
++ switch (type) {
++ case ENTITY_INTERNAL:
++ parser->m_processor = internalEntityProcessor;
++ openEntityList = &parser->m_openInternalEntities;
++ freeEntityList = &parser->m_freeInternalEntities;
++ break;
++ case ENTITY_ATTRIBUTE:
++ openEntityList = &parser->m_openAttributeEntities;
++ freeEntityList = &parser->m_freeAttributeEntities;
++ break;
++ case ENTITY_VALUE:
++ openEntityList = &parser->m_openValueEntities;
++ freeEntityList = &parser->m_freeValueEntities;
++ break;
++ /* default case serves merely as a safety net in case of a
++ * wrong entityType. Therefore we exclude the following lines
++ * from the test coverage.
++ *
++ * LCOV_EXCL_START
++ */
++ default:
++ // Should not reach here
++ assert(0);
++ /* LCOV_EXCL_STOP */
++ }
+
+- if (parser->m_freeInternalEntities) {
+- openEntity = parser->m_freeInternalEntities;
+- parser->m_freeInternalEntities = openEntity->next;
++ if (*freeEntityList) {
++ openEntity = *freeEntityList;
++ *freeEntityList = openEntity->next;
+ } else {
+ openEntity
+ = (OPEN_INTERNAL_ENTITY *)MALLOC(parser, sizeof(OPEN_INTERNAL_ENTITY));
+@@ -5847,55 +6008,34 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) {
+ return XML_ERROR_NO_MEMORY;
+ }
+ entity->open = XML_TRUE;
++ entity->hasMore = XML_TRUE;
+ #if XML_GE == 1
+ entityTrackingOnOpen(parser, entity, __LINE__);
+ #endif
+ entity->processed = 0;
+- openEntity->next = parser->m_openInternalEntities;
+- parser->m_openInternalEntities = openEntity;
++ openEntity->next = *openEntityList;
++ *openEntityList = openEntity;
+ openEntity->entity = entity;
++ openEntity->type = type;
+ openEntity->startTagLevel = parser->m_tagLevel;
+ openEntity->betweenDecl = betweenDecl;
+ openEntity->internalEventPtr = NULL;
+ openEntity->internalEventEndPtr = NULL;
+- textStart = (const char *)entity->textPtr;
+- textEnd = (const char *)(entity->textPtr + entity->textLen);
+- /* Set a safe default value in case 'next' does not get set */
+- next = textStart;
+-
+- if (entity->is_param) {
+- int tok
+- = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
+- result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd,
+- tok, next, &next, XML_FALSE, XML_FALSE,
+- XML_ACCOUNT_ENTITY_EXPANSION);
+- } else {
+- result = doContent(parser, parser->m_tagLevel, parser->m_internalEncoding,
+- textStart, textEnd, &next, XML_FALSE,
+- XML_ACCOUNT_ENTITY_EXPANSION);
+- }
+
+- if (result == XML_ERROR_NONE) {
+- if (textEnd != next && parser->m_parsingStatus.parsing == XML_SUSPENDED) {
+- entity->processed = (int)(next - textStart);
+- parser->m_processor = internalEntityProcessor;
+- } else if (parser->m_openInternalEntities->entity == entity) {
+-#if XML_GE == 1
+- entityTrackingOnClose(parser, entity, __LINE__);
+-#endif /* XML_GE == 1 */
+- entity->open = XML_FALSE;
+- parser->m_openInternalEntities = openEntity->next;
+- /* put openEntity back in list of free instances */
+- openEntity->next = parser->m_freeInternalEntities;
+- parser->m_freeInternalEntities = openEntity;
+- }
++ // Only internal entities make use of the reenter flag
++ // therefore no need to set it for other entity types
++ if (type == ENTITY_INTERNAL) {
++ triggerReenter(parser);
+ }
+- return result;
++ return XML_ERROR_NONE;
+ }
+
+ static enum XML_Error PTRCALL
+ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
+ const char **nextPtr) {
++ UNUSED_P(s);
++ UNUSED_P(end);
++ UNUSED_P(nextPtr);
+ ENTITY *entity;
+ const char *textStart, *textEnd;
+ const char *next;
+@@ -5905,68 +6045,67 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
+ return XML_ERROR_UNEXPECTED_STATE;
+
+ entity = openEntity->entity;
+- textStart = ((const char *)entity->textPtr) + entity->processed;
+- textEnd = (const char *)(entity->textPtr + entity->textLen);
+- /* Set a safe default value in case 'next' does not get set */
+- next = textStart;
+-
+- if (entity->is_param) {
+- int tok
+- = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
+- result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd,
+- tok, next, &next, XML_FALSE, XML_TRUE,
+- XML_ACCOUNT_ENTITY_EXPANSION);
+- } else {
+- result = doContent(parser, openEntity->startTagLevel,
+- parser->m_internalEncoding, textStart, textEnd, &next,
+- XML_FALSE, XML_ACCOUNT_ENTITY_EXPANSION);
+- }
+
+- if (result != XML_ERROR_NONE)
+- return result;
++ // This will return early
++ if (entity->hasMore) {
++ textStart = ((const char *)entity->textPtr) + entity->processed;
++ textEnd = (const char *)(entity->textPtr + entity->textLen);
++ /* Set a safe default value in case 'next' does not get set */
++ next = textStart;
++
++ if (entity->is_param) {
++ int tok
++ = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
++ result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd,
++ tok, next, &next, XML_FALSE, XML_FALSE,
++ XML_ACCOUNT_ENTITY_EXPANSION);
++ } else {
++ result = doContent(parser, openEntity->startTagLevel,
++ parser->m_internalEncoding, textStart, textEnd, &next,
++ XML_FALSE, XML_ACCOUNT_ENTITY_EXPANSION);
++ }
++
++ if (result != XML_ERROR_NONE)
++ return result;
++ // Check if entity is complete, if not, mark down how much of it is
++ // processed
++ if (textEnd != next
++ && (parser->m_parsingStatus.parsing == XML_SUSPENDED
++ || (parser->m_parsingStatus.parsing == XML_PARSING
++ && parser->m_reenter))) {
++ entity->processed = (int)(next - (const char *)entity->textPtr);
++ return result;
++ }
+
+- if (textEnd != next && parser->m_parsingStatus.parsing == XML_SUSPENDED) {
+- entity->processed = (int)(next - (const char *)entity->textPtr);
++ // Entity is complete. We cannot close it here since we need to first
++ // process its possible inner entities (which are added to the
++ // m_openInternalEntities during doProlog or doContent calls above)
++ entity->hasMore = XML_FALSE;
++ triggerReenter(parser);
+ return result;
+- }
++ } // End of entity processing, "if" block will return here
+
++ // Remove fully processed openEntity from open entity list.
+ #if XML_GE == 1
+ entityTrackingOnClose(parser, entity, __LINE__);
+ #endif
++ // openEntity is m_openInternalEntities' head, as we set it at the start of
++ // this function and we skipped doProlog and doContent calls with hasMore set
++ // to false. This means we can directly remove the head of
++ // m_openInternalEntities
++ assert(parser->m_openInternalEntities == openEntity);
+ entity->open = XML_FALSE;
+- parser->m_openInternalEntities = openEntity->next;
++ parser->m_openInternalEntities = parser->m_openInternalEntities->next;
++
+ /* put openEntity back in list of free instances */
+ openEntity->next = parser->m_freeInternalEntities;
+ parser->m_freeInternalEntities = openEntity;
+
+- // If there are more open entities we want to stop right here and have the
+- // upcoming call to XML_ResumeParser continue with entity content, or it would
+- // be ignored altogether.
+- if (parser->m_openInternalEntities != NULL
+- && parser->m_parsingStatus.parsing == XML_SUSPENDED) {
+- return XML_ERROR_NONE;
+- }
+-
+- if (entity->is_param) {
+- int tok;
+- parser->m_processor = prologProcessor;
+- tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+- return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE,
+- XML_ACCOUNT_DIRECT);
+- } else {
+- parser->m_processor = contentProcessor;
+- /* see externalEntityContentProcessor vs contentProcessor */
+- result = doContent(parser, parser->m_parentParser ? 1 : 0,
+- parser->m_encoding, s, end, nextPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer,
+- XML_ACCOUNT_DIRECT);
+- if (result == XML_ERROR_NONE) {
+- if (! storeRawNames(parser))
+- return XML_ERROR_NO_MEMORY;
+- }
+- return result;
++ if (parser->m_openInternalEntities == NULL) {
++ parser->m_processor = entity->is_param ? prologProcessor : contentProcessor;
+ }
++ triggerReenter(parser);
++ return XML_ERROR_NONE;
+ }
+
+ static enum XML_Error PTRCALL
+@@ -5982,8 +6121,70 @@ static enum XML_Error
+ storeAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+ const char *ptr, const char *end, STRING_POOL *pool,
+ enum XML_Account account) {
+- enum XML_Error result
+- = appendAttributeValue(parser, enc, isCdata, ptr, end, pool, account);
++ const char *next = ptr;
++ enum XML_Error result = XML_ERROR_NONE;
++
++ while (1) {
++ if (! parser->m_openAttributeEntities) {
++ result = appendAttributeValue(parser, enc, isCdata, next, end, pool,
++ account, &next);
++ } else {
++ OPEN_INTERNAL_ENTITY *const openEntity = parser->m_openAttributeEntities;
++ if (! openEntity)
++ return XML_ERROR_UNEXPECTED_STATE;
++
++ ENTITY *const entity = openEntity->entity;
++ const char *const textStart
++ = ((const char *)entity->textPtr) + entity->processed;
++ const char *const textEnd
++ = (const char *)(entity->textPtr + entity->textLen);
++ /* Set a safe default value in case 'next' does not get set */
++ const char *nextInEntity = textStart;
++ if (entity->hasMore) {
++ result = appendAttributeValue(
++ parser, parser->m_internalEncoding, isCdata, textStart, textEnd,
++ pool, XML_ACCOUNT_ENTITY_EXPANSION, &nextInEntity);
++ if (result != XML_ERROR_NONE)
++ break;
++ // Check if entity is complete, if not, mark down how much of it is
++ // processed. A XML_SUSPENDED check here is not required as
++ // appendAttributeValue will never suspend the parser.
++ if (textEnd != nextInEntity) {
++ entity->processed
++ = (int)(nextInEntity - (const char *)entity->textPtr);
++ continue;
++ }
++
++ // Entity is complete. We cannot close it here since we need to first
++ // process its possible inner entities (which are added to the
++ // m_openAttributeEntities during appendAttributeValue)
++ entity->hasMore = XML_FALSE;
++ continue;
++ } // End of entity processing, "if" block skips the rest
++
++ // Remove fully processed openEntity from open entity list.
++#if XML_GE == 1
++ entityTrackingOnClose(parser, entity, __LINE__);
++#endif
++ // openEntity is m_openAttributeEntities' head, since we set it at the
++ // start of this function and because we skipped appendAttributeValue call
++ // with hasMore set to false. This means we can directly remove the head
++ // of m_openAttributeEntities
++ assert(parser->m_openAttributeEntities == openEntity);
++ entity->open = XML_FALSE;
++ parser->m_openAttributeEntities = parser->m_openAttributeEntities->next;
++
++ /* put openEntity back in list of free instances */
++ openEntity->next = parser->m_freeAttributeEntities;
++ parser->m_freeAttributeEntities = openEntity;
++ }
++
++ // Break if an error occurred or there is nothing left to process
++ if (result || (parser->m_openAttributeEntities == NULL && end == next)) {
++ break;
++ }
++ }
++
+ if (result)
+ return result;
+ if (! isCdata && poolLength(pool) && poolLastChar(pool) == 0x20)
+@@ -5996,7 +6197,7 @@ storeAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+ static enum XML_Error
+ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+ const char *ptr, const char *end, STRING_POOL *pool,
+- enum XML_Account account) {
++ enum XML_Account account, const char **nextPtr) {
+ DTD *const dtd = parser->m_dtd; /* save one level of indirection */
+ #ifndef XML_DTD
+ UNUSED_P(account);
+@@ -6014,6 +6215,9 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+ #endif
+ switch (tok) {
+ case XML_TOK_NONE:
++ if (nextPtr) {
++ *nextPtr = next;
++ }
+ return XML_ERROR_NONE;
+ case XML_TOK_INVALID:
+ if (enc == parser->m_encoding)
+@@ -6154,21 +6358,11 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+ return XML_ERROR_ATTRIBUTE_EXTERNAL_ENTITY_REF;
+ } else {
+ enum XML_Error result;
+- const XML_Char *textEnd = entity->textPtr + entity->textLen;
+- entity->open = XML_TRUE;
+-#if XML_GE == 1
+- entityTrackingOnOpen(parser, entity, __LINE__);
+-#endif
+- result = appendAttributeValue(parser, parser->m_internalEncoding,
+- isCdata, (const char *)entity->textPtr,
+- (const char *)textEnd, pool,
+- XML_ACCOUNT_ENTITY_EXPANSION);
+-#if XML_GE == 1
+- entityTrackingOnClose(parser, entity, __LINE__);
+-#endif
+- entity->open = XML_FALSE;
+- if (result)
+- return result;
++ result = processEntity(parser, entity, XML_FALSE, ENTITY_ATTRIBUTE);
++ if ((result == XML_ERROR_NONE) && (nextPtr != NULL)) {
++ *nextPtr = next;
++ }
++ return result;
+ }
+ } break;
+ default:
+@@ -6197,7 +6391,7 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+ static enum XML_Error
+ storeEntityValue(XML_Parser parser, const ENCODING *enc,
+ const char *entityTextPtr, const char *entityTextEnd,
+- enum XML_Account account) {
++ enum XML_Account account, const char **nextPtr) {
+ DTD *const dtd = parser->m_dtd; /* save one level of indirection */
+ STRING_POOL *pool = &(dtd->entityValuePool);
+ enum XML_Error result = XML_ERROR_NONE;
+@@ -6215,8 +6409,9 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
+ return XML_ERROR_NO_MEMORY;
+ }
+
++ const char *next;
+ for (;;) {
+- const char *next
++ next
+ = entityTextPtr; /* XmlEntityValueTok doesn't always set the last arg */
+ int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd, &next);
+
+@@ -6278,16 +6473,8 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
+ } else
+ dtd->keepProcessing = dtd->standalone;
+ } else {
+- entity->open = XML_TRUE;
+- entityTrackingOnOpen(parser, entity, __LINE__);
+- result = storeEntityValue(
+- parser, parser->m_internalEncoding, (const char *)entity->textPtr,
+- (const char *)(entity->textPtr + entity->textLen),
+- XML_ACCOUNT_ENTITY_EXPANSION);
+- entityTrackingOnClose(parser, entity, __LINE__);
+- entity->open = XML_FALSE;
+- if (result)
+- goto endEntityValue;
++ result = processEntity(parser, entity, XML_FALSE, ENTITY_VALUE);
++ goto endEntityValue;
+ }
+ break;
+ }
+@@ -6375,6 +6562,81 @@ endEntityValue:
+ # ifdef XML_DTD
+ parser->m_prologState.inEntityValue = oldInEntityValue;
+ # endif /* XML_DTD */
++ // If 'nextPtr' is given, it should be updated during the processing
++ if (nextPtr != NULL) {
++ *nextPtr = next;
++ }
++ return result;
++}
++
++static enum XML_Error
++callStoreEntityValue(XML_Parser parser, const ENCODING *enc,
++ const char *entityTextPtr, const char *entityTextEnd,
++ enum XML_Account account) {
++ const char *next = entityTextPtr;
++ enum XML_Error result = XML_ERROR_NONE;
++ while (1) {
++ if (! parser->m_openValueEntities) {
++ result
++ = storeEntityValue(parser, enc, next, entityTextEnd, account, &next);
++ } else {
++ OPEN_INTERNAL_ENTITY *const openEntity = parser->m_openValueEntities;
++ if (! openEntity)
++ return XML_ERROR_UNEXPECTED_STATE;
++
++ ENTITY *const entity = openEntity->entity;
++ const char *const textStart
++ = ((const char *)entity->textPtr) + entity->processed;
++ const char *const textEnd
++ = (const char *)(entity->textPtr + entity->textLen);
++ /* Set a safe default value in case 'next' does not get set */
++ const char *nextInEntity = textStart;
++ if (entity->hasMore) {
++ result = storeEntityValue(parser, parser->m_internalEncoding, textStart,
++ textEnd, XML_ACCOUNT_ENTITY_EXPANSION,
++ &nextInEntity);
++ if (result != XML_ERROR_NONE)
++ break;
++ // Check if entity is complete, if not, mark down how much of it is
++ // processed. A XML_SUSPENDED check here is not required as
++ // appendAttributeValue will never suspend the parser.
++ if (textEnd != nextInEntity) {
++ entity->processed
++ = (int)(nextInEntity - (const char *)entity->textPtr);
++ continue;
++ }
++
++ // Entity is complete. We cannot close it here since we need to first
++ // process its possible inner entities (which are added to the
++ // m_openValueEntities during storeEntityValue)
++ entity->hasMore = XML_FALSE;
++ continue;
++ } // End of entity processing, "if" block skips the rest
++
++ // Remove fully processed openEntity from open entity list.
++# if XML_GE == 1
++ entityTrackingOnClose(parser, entity, __LINE__);
++# endif
++ // openEntity is m_openValueEntities' head, since we set it at the
++ // start of this function and because we skipped storeEntityValue call
++ // with hasMore set to false. This means we can directly remove the head
++ // of m_openValueEntities
++ assert(parser->m_openValueEntities == openEntity);
++ entity->open = XML_FALSE;
++ parser->m_openValueEntities = parser->m_openValueEntities->next;
++
++ /* put openEntity back in list of free instances */
++ openEntity->next = parser->m_freeValueEntities;
++ parser->m_freeValueEntities = openEntity;
++ }
++
++ // Break if an error occurred or there is nothing left to process
++ if (result
++ || (parser->m_openValueEntities == NULL && entityTextEnd == next)) {
++ break;
++ }
++ }
++
+ return result;
+ }
+
+diff --git a/tests/alloc_tests.c b/tests/alloc_tests.c
+index e5d46eb..12ea3b2 100644
+--- a/tests/alloc_tests.c
++++ b/tests/alloc_tests.c
+@@ -19,6 +19,7 @@
+ Copyright (c) 2020 Tim Gates
+ Copyright (c) 2021 Donghee Na
+ Copyright (c) 2023 Sony Corporation / Snild Dolkow
++ Copyright (c) 2025 Berkay Eren Ürün
+ Licensed under the MIT license:
+
+ Permission is hereby granted, free of charge, to any person obtaining
+@@ -450,6 +451,31 @@ START_TEST(test_alloc_internal_entity) {
+ }
+ END_TEST
+
++START_TEST(test_alloc_parameter_entity) {
++ const char *text = "\">"
++ "%param1;"
++ "]> &internal;content";
++ int i;
++ const int alloc_test_max_repeats = 30;
++
++ for (i = 0; i < alloc_test_max_repeats; i++) {
++ g_allocation_count = i;
++ XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
++ if (_XML_Parse_SINGLE_BYTES(g_parser, text, (int)strlen(text), XML_TRUE)
++ != XML_STATUS_ERROR)
++ break;
++ alloc_teardown();
++ alloc_setup();
++ }
++ g_allocation_count = -1;
++ if (i == 0)
++ fail("Parameter entity processed despite duff allocator");
++ if (i == alloc_test_max_repeats)
++ fail("Parameter entity not processed at max allocation count");
++}
++END_TEST
++
+ /* Test the robustness against allocation failure of element handling
+ * Based on test_dtd_default_handling().
+ */
+@@ -2079,6 +2105,7 @@ make_alloc_test_case(Suite *s) {
+ tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_external_entity);
+ tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_ext_entity_set_encoding);
+ tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_internal_entity);
++ tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_parameter_entity);
+ tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_dtd_default_handling);
+ tcase_add_test(tc_alloc, test_alloc_explicit_encoding);
+ tcase_add_test(tc_alloc, test_alloc_set_base);
+diff --git a/tests/basic_tests.c b/tests/basic_tests.c
+index d38b8fd..f0025fc 100644
+--- a/tests/basic_tests.c
++++ b/tests/basic_tests.c
+@@ -10,7 +10,7 @@
+ Copyright (c) 2003 Greg Stein
+ Copyright (c) 2005-2007 Steven Solie
+ Copyright (c) 2005-2012 Karl Waclawek
+- Copyright (c) 2016-2024 Sebastian Pipping
++ Copyright (c) 2016-2025 Sebastian Pipping
+ Copyright (c) 2017-2022 Rhodri James
+ Copyright (c) 2017 Joe Orton
+ Copyright (c) 2017 José Gutiérrez de la Concha
+@@ -19,6 +19,7 @@
+ Copyright (c) 2020 Tim Gates
+ Copyright (c) 2021 Donghee Na
+ Copyright (c) 2023-2024 Sony Corporation / Snild Dolkow
++ Copyright (c) 2024-2025 Berkay Eren Ürün
+ Licensed under the MIT license:
+
+ Permission is hereby granted, free of charge, to any person obtaining
+@@ -3960,7 +3961,7 @@ START_TEST(test_skipped_null_loaded_ext_entity) {
+ = {"\n"
+ "\n"
+ "%pe2;\n",
+- external_entity_null_loader};
++ external_entity_null_loader, NULL};
+
+ XML_SetUserData(g_parser, &test_data);
+ XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
+@@ -3978,7 +3979,7 @@ START_TEST(test_skipped_unloaded_ext_entity) {
+ = {"\n"
+ "\n"
+ "%pe2;\n",
+- NULL};
++ NULL, NULL};
+
+ XML_SetUserData(g_parser, &test_data);
+ XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
+@@ -5278,6 +5279,151 @@ START_TEST(test_pool_integrity_with_unfinished_attr) {
+ }
+ END_TEST
+
++/* Test a possible early return location in internalEntityProcessor */
++START_TEST(test_entity_ref_no_elements) {
++ const char *const text = "\n"
++ "]> &e1;"; // intentionally missing newline
++
++ XML_Parser parser = XML_ParserCreate(NULL);
++ assert_true(_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
++ == XML_STATUS_ERROR);
++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NO_ELEMENTS);
++ XML_ParserFree(parser);
++}
++END_TEST
++
++/* Tests if chained entity references lead to unbounded recursion */
++START_TEST(test_deep_nested_entity) {
++ const size_t N_LINES = 60000;
++ const size_t SIZE_PER_LINE = 50;
++
++ char *const text = (char *)malloc((N_LINES + 4) * SIZE_PER_LINE);
++ if (text == NULL) {
++ fail("malloc failed");
++ }
++
++ char *textPtr = text;
++
++ // Create the XML
++ textPtr += snprintf(textPtr, SIZE_PER_LINE,
++ "\n");
++
++ for (size_t i = 1; i < N_LINES; ++i) {
++ textPtr += snprintf(textPtr, SIZE_PER_LINE, " \n",
++ (long unsigned)i, (long unsigned)(i - 1));
++ }
++
++ snprintf(textPtr, SIZE_PER_LINE, "]> &s%lu;\n",
++ (long unsigned)(N_LINES - 1));
++
++ const XML_Char *const expected = XCS("deepText");
++
++ CharData storage;
++ CharData_Init(&storage);
++
++ XML_Parser parser = XML_ParserCreate(NULL);
++
++ XML_SetCharacterDataHandler(parser, accumulate_characters);
++ XML_SetUserData(parser, &storage);
++
++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
++ == XML_STATUS_ERROR)
++ xml_failure(parser);
++
++ CharData_CheckXMLChars(&storage, expected);
++ XML_ParserFree(parser);
++ free(text);
++}
++END_TEST
++
++/* Tests if chained entity references in attributes
++lead to unbounded recursion */
++START_TEST(test_deep_nested_attribute_entity) {
++ const size_t N_LINES = 60000;
++ const size_t SIZE_PER_LINE = 100;
++
++ char *const text = (char *)malloc((N_LINES + 4) * SIZE_PER_LINE);
++ if (text == NULL) {
++ fail("malloc failed");
++ }
++
++ char *textPtr = text;
++
++ // Create the XML
++ textPtr += snprintf(textPtr, SIZE_PER_LINE,
++ "\n");
++
++ for (size_t i = 1; i < N_LINES; ++i) {
++ textPtr += snprintf(textPtr, SIZE_PER_LINE, " \n",
++ (long unsigned)i, (long unsigned)(i - 1));
++ }
++
++ snprintf(textPtr, SIZE_PER_LINE, "]> mainText\n",
++ (long unsigned)(N_LINES - 1));
++
++ AttrInfo doc_info[] = {{XCS("name"), XCS("deepText")}, {NULL, NULL}};
++ ElementInfo info[] = {{XCS("foo"), 1, NULL, NULL}, {NULL, 0, NULL, NULL}};
++ info[0].attributes = doc_info;
++
++ XML_Parser parser = XML_ParserCreate(NULL);
++ ParserAndElementInfo parserPlusElemenInfo = {parser, info};
++
++ XML_SetStartElementHandler(parser, counting_start_element_handler);
++ XML_SetUserData(parser, &parserPlusElemenInfo);
++
++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
++ == XML_STATUS_ERROR)
++ xml_failure(parser);
++
++ XML_ParserFree(parser);
++ free(text);
++}
++END_TEST
++
++START_TEST(test_deep_nested_entity_delayed_interpretation) {
++ const size_t N_LINES = 70000;
++ const size_t SIZE_PER_LINE = 100;
++
++ char *const text = (char *)malloc((N_LINES + 4) * SIZE_PER_LINE);
++ if (text == NULL) {
++ fail("malloc failed");
++ }
++
++ char *textPtr = text;
++
++ // Create the XML
++ textPtr += snprintf(textPtr, SIZE_PER_LINE,
++ "\n");
++
++ for (size_t i = 1; i < N_LINES; ++i) {
++ textPtr += snprintf(textPtr, SIZE_PER_LINE,
++ " \n", (long unsigned)i,
++ (long unsigned)(i - 1));
++ }
++
++ snprintf(textPtr, SIZE_PER_LINE,
++ " \">\n"
++ " %%define_g;\n"
++ "]>\n"
++ "\n",
++ (long unsigned)(N_LINES - 1));
++
++ XML_Parser parser = XML_ParserCreate(NULL);
++
++ XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
++ == XML_STATUS_ERROR)
++ xml_failure(parser);
++
++ XML_ParserFree(parser);
++ free(text);
++}
++END_TEST
++
+ START_TEST(test_nested_entity_suspend) {
+ const char *const text = "'>\n"
+@@ -5308,6 +5454,35 @@ START_TEST(test_nested_entity_suspend) {
+ }
+ END_TEST
+
++START_TEST(test_nested_entity_suspend_2) {
++ const char *const text = "\n"
++ " \n"
++ " \n"
++ "]>\n"
++ "&ge3;";
++ const XML_Char *const expected = XCS("head3") XCS("head2") XCS("head1")
++ XCS("Z") XCS("tail1") XCS("tail2") XCS("tail3");
++ CharData storage;
++ CharData_Init(&storage);
++ XML_Parser parser = XML_ParserCreate(NULL);
++ ParserPlusStorage parserPlusStorage = {parser, &storage};
++
++ XML_SetCharacterDataHandler(parser, accumulate_char_data_and_suspend);
++ XML_SetUserData(parser, &parserPlusStorage);
++
++ enum XML_Status status = XML_Parse(parser, text, (int)strlen(text), XML_TRUE);
++ while (status == XML_STATUS_SUSPENDED) {
++ status = XML_ResumeParser(parser);
++ }
++ if (status != XML_STATUS_OK)
++ xml_failure(parser);
++
++ CharData_CheckXMLChars(&storage, expected);
++ XML_ParserFree(parser);
++}
++END_TEST
++
+ /* Regression test for quadratic parsing on large tokens */
+ START_TEST(test_big_tokens_scale_linearly) {
+ const struct {
+@@ -6147,7 +6322,13 @@ make_basic_test_case(Suite *s) {
+ tcase_add_test(tc_basic, test_empty_element_abort);
+ tcase_add_test__ifdef_xml_dtd(tc_basic,
+ test_pool_integrity_with_unfinished_attr);
++ tcase_add_test__if_xml_ge(tc_basic, test_entity_ref_no_elements);
++ tcase_add_test__if_xml_ge(tc_basic, test_deep_nested_entity);
++ tcase_add_test__if_xml_ge(tc_basic, test_deep_nested_attribute_entity);
++ tcase_add_test__if_xml_ge(tc_basic,
++ test_deep_nested_entity_delayed_interpretation);
+ tcase_add_test__if_xml_ge(tc_basic, test_nested_entity_suspend);
++ tcase_add_test__if_xml_ge(tc_basic, test_nested_entity_suspend_2);
+ tcase_add_test(tc_basic, test_big_tokens_scale_linearly);
+ tcase_add_test(tc_basic, test_set_reparse_deferral);
+ tcase_add_test(tc_basic, test_reparse_deferral_is_inherited);
+diff --git a/tests/handlers.c b/tests/handlers.c
+index 0211985..bdb5b0e 100644
+--- a/tests/handlers.c
++++ b/tests/handlers.c
+@@ -1882,6 +1882,21 @@ accumulate_entity_decl(void *userData, const XML_Char *entityName,
+ CharData_AppendXMLChars(storage, XCS("\n"), 1);
+ }
+
++
++void XMLCALL
++accumulate_char_data_and_suspend(void *userData, const XML_Char *s, int len) {
++ ParserPlusStorage *const parserPlusStorage = (ParserPlusStorage *)userData;
++
++ CharData_AppendXMLChars(parserPlusStorage->storage, s, len);
++
++ for (int i = 0; i < len; i++) {
++ if (s[i] == 'Z') {
++ XML_StopParser(parserPlusStorage->parser, /*resumable=*/XML_TRUE);
++ break;
++ }
++ }
++}
++
+ void XMLCALL
+ accumulate_start_element(void *userData, const XML_Char *name,
+ const XML_Char **atts) {
+diff --git a/tests/handlers.h b/tests/handlers.h
+index 8850bb9..4d6a08d 100644
+--- a/tests/handlers.h
++++ b/tests/handlers.h
+@@ -325,6 +325,7 @@ extern int XMLCALL external_entity_devaluer(XML_Parser parser,
+ typedef struct ext_hdlr_data {
+ const char *parse_text;
+ XML_ExternalEntityRefHandler handler;
++ CharData *storage;
+ } ExtHdlrData;
+
+ extern int XMLCALL external_entity_oneshot_loader(XML_Parser parser,
+@@ -569,6 +570,10 @@ extern void XMLCALL accumulate_entity_decl(
+ const XML_Char *systemId, const XML_Char *publicId,
+ const XML_Char *notationName);
+
++extern void XMLCALL accumulate_char_data_and_suspend(void *userData,
++ const XML_Char *s,
++ int len);
++
+ extern void XMLCALL accumulate_start_element(void *userData,
+ const XML_Char *name,
+ const XML_Char **atts);
+diff --git a/tests/misc_tests.c b/tests/misc_tests.c
+index 9afe092..f9a78f6 100644
+--- a/tests/misc_tests.c
++++ b/tests/misc_tests.c
+@@ -59,6 +59,9 @@
+ #include "handlers.h"
+ #include "misc_tests.h"
+
++void XMLCALL accumulate_characters_ext_handler(void *userData,
++ const XML_Char *s, int len);
++
+ /* Test that a failure to allocate the parser structure fails gracefully */
+ START_TEST(test_misc_alloc_create_parser) {
+ XML_Memory_Handling_Suite memsuite = {duff_allocator, realloc, free};
+@@ -519,6 +522,45 @@ START_TEST(test_misc_stopparser_rejects_unstarted_parser) {
+ }
+ END_TEST
+
++/* Adaptation of accumulate_characters that takes ExtHdlrData input to work with
++ * test_renter_loop_finite_content below */
++void XMLCALL
++accumulate_characters_ext_handler(void *userData, const XML_Char *s, int len) {
++ ExtHdlrData *const test_data = (ExtHdlrData *)userData;
++ CharData_AppendXMLChars(test_data->storage, s, len);
++}
++
++/* Test that internalEntityProcessor does not re-enter forever;
++ * based on files tests/xmlconf/xmltest/valid/ext-sa/012.{xml,ent} */
++START_TEST(test_renter_loop_finite_content) {
++ CharData storage;
++ CharData_Init(&storage);
++ const char *const text = "\n"
++ "\n"
++ "\n"
++ "\n"
++ "\n"
++ "\n"
++ "]>\n"
++ "&e1;\n";
++ ExtHdlrData test_data = {"&e4;\n", external_entity_null_loader, &storage};
++ const XML_Char *const expected = XCS("(e5)\n");
++
++ XML_Parser parser = XML_ParserCreate(NULL);
++ assert_true(parser != NULL);
++ XML_SetUserData(parser, &test_data);
++ XML_SetExternalEntityRefHandler(parser, external_entity_oneshot_loader);
++ XML_SetCharacterDataHandler(parser, accumulate_characters_ext_handler);
++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
++ == XML_STATUS_ERROR)
++ xml_failure(parser);
++
++ CharData_CheckXMLChars(&storage, expected);
++ XML_ParserFree(parser);
++}
++END_TEST
++
+ void
+ make_miscellaneous_test_case(Suite *s) {
+ TCase *tc_misc = tcase_create("miscellaneous tests");
+@@ -545,4 +587,5 @@ make_miscellaneous_test_case(Suite *s) {
+ tcase_add_test(tc_misc, test_misc_char_handler_stop_without_leak);
+ tcase_add_test(tc_misc, test_misc_resumeparser_not_crashing);
+ tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser);
++ tcase_add_test__if_xml_ge(tc_misc, test_renter_loop_finite_content);
+ }
+--
+2.48.1.431.g5a526e5e18
+
diff --git a/SPECS/expat/CVE-2025-59375.patch b/SPECS/expat/CVE-2025-59375.patch
new file mode 100644
index 0000000000..23b0c12c36
--- /dev/null
+++ b/SPECS/expat/CVE-2025-59375.patch
@@ -0,0 +1,1691 @@
+From 0872c189db6e457084fca335662a9cb49e8ec4c7 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Mon, 1 Sep 2025 18:06:59 +0200
+
+Upstream Patch Reference: https://patch-diff.githubusercontent.com/raw/libexpat/libexpat/pull/1034.diff.patch
+Upstream PR: https://github.com/libexpat/libexpat/pull/1034
+
+Modified patch to apply to AzureLinux
+Modified by: akhila-guruju
+Date: Mon, 22 Sep 2025 11:33:11 +0000
+Subject: [PATCH] Address CVE-2025-59375
+
+---
+ doc/reference.html | 118 +++++++-
+ doc/xmlwf.1 | 30 +-
+ doc/xmlwf.xml | 26 +-
+ fuzz/xml_parse_fuzzer.c | 14 +-
+ fuzz/xml_parsebuffer_fuzzer.c | 14 +-
+ lib/expat.h | 15 +-
+ lib/internal.h | 8 +
+ lib/libexpat.def.cmake | 3 +
+ lib/xmlparse.c | 521 ++++++++++++++++++++++++++++------
+ tests/alloc_tests.c | 214 ++++++++++++++
+ tests/basic_tests.c | 4 +
+ tests/nsalloc_tests.c | 5 +
+ xmlwf/xmlwf.c | 11 +-
+ xmlwf/xmlwf_helpgen.py | 3 +
+ 14 files changed, 874 insertions(+), 112 deletions(-)
+
+diff --git a/doc/reference.html b/doc/reference.html
+index c2ae9bb..8f14b01 100644
+--- a/doc/reference.html
++++ b/doc/reference.html
+@@ -157,6 +157,8 @@ interface.
+
+
+@@ -1900,7 +1902,7 @@ struct XML_cp {
+ Sets a handler for element declarations in a DTD. The handler gets
+ called with the name of the element in the declaration and a pointer
+ to a structure that contains the element model. It's the user code's
+-responsibility to free model when finished with it. See
++responsibility to free model when finished with via a call to
+ XML_FreeContentModel.
+ There is no need to free the model from the handler, it can be kept
+ around and freed at a later stage.
+@@ -2262,6 +2264,120 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold(XML_Parser p,
+
+
+
++XML_SetAllocTrackerMaximumAmplification
++
++/* Added in Expat 2.7.2. */
++XML_Bool
++XML_SetAllocTrackerMaximumAmplification(XML_Parser p,
++ float maximumAmplificationFactor);
++
++
++
++ Sets the maximum tolerated amplification factor
++ between direct input and bytes of dynamic memory allocated
++ (default: 100.0)
++ of parser p to maximumAmplificationFactor, and
++ returns XML_TRUE upon success and XML_FALSE upon error.
++
++
++
++ Note:
++ There are three types of allocations that intentionally bypass tracking and limiting:
++
++
++
++
The amplification factor is calculated as ..
++
amplification := allocated / direct
++
++ .. while parsing, whereas
++ direct is the number of bytes read from the primary document in parsing and
++ allocated is the number of bytes of dynamic memory allocated in the parser hierarchy.
++
++
++
For a call to XML_SetAllocTrackerMaximumAmplification to succeed:
++
++ - parser
p must be a non-NULL root parser (without any parent parsers) and
++ maximumAmplificationFactor must be non-NaN and greater than or equal to 1.0.
++
++
++ Note:
++ If you ever need to increase this value for non-attack payload,
++ please file a bug report.
++
++
++
++ Note:
++ Amplifications factors greater than 100 can been observed near the start of parsing
++ even with benign files in practice.
++
++ So if you do reduce the maximum allowed amplification,
++ please make sure that the activation threshold is still big enough
++ to not end up with undesired false positives (i.e. benign files being rejected).
++
++
XML_SetAllocTrackerActivationThreshold
++
++/* Added in Expat 2.7.2. */
++XML_Bool
++XML_SetAllocTrackerActivationThreshold(XML_Parser p,
++ unsigned long long activationThresholdBytes);
++
++
++
++ Sets number of allocated bytes of dynamic memory
++ needed to activate protection against disproportionate use of RAM
++ (default: 64 MiB)
++ of parser p to activationThresholdBytes, and
++ returns XML_TRUE upon success and XML_FALSE upon error.
++
++
++
++ Note:
++ For types of allocations that intentionally bypass tracking and limiting, please see
++ XML_SetAllocTrackerMaximumAmplification
++ above.
++
++
++
For a call to XML_SetAllocTrackerActivationThreshold to succeed:
++
++ - parser
p must be a non-NULL root parser (without any parent parsers).
++
++
++
++ Note:
++ If you ever need to increase this value for non-attack payload,
++ please file a bug report.
++
++
XML_SetReparseDeferralEnabled
+
+ /* Added in Expat 2.6.0. */
+diff --git a/doc/xmlwf.1 b/doc/xmlwf.1
+index 61b3025..5f50ba9 100644
+--- a/doc/xmlwf.1
++++ b/doc/xmlwf.1
+@@ -5,7 +5,7 @@
+ \\$2 \(la\\$1\(ra\\$3
+ ..
+ .if \n(.g .mso www.tmac
+-.TH XMLWF 1 "November 6, 2024" "" ""
++.TH XMLWF 1 "September 16, 2025" "" ""
+ .SH NAME
+ xmlwf \- Determines if an XML document is well-formed
+ .SH SYNOPSIS
+@@ -88,7 +88,11 @@ supports both.
+ .TP
+ \*(T<\fB\-a\fR\*(T> \fIfactor\fR
+ Sets the maximum tolerated amplification factor
+-for protection against billion laughs attacks (default: 100.0).
++for protection against amplification attacks
++like the billion laughs attack
++(default: 100.0
++for the sum of direct and indirect output and also
++for allocations of dynamic memory).
+ The amplification factor is calculated as ..
+
+ .nf
+@@ -97,12 +101,22 @@ The amplification factor is calculated as ..
+
+ .fi
+
+-\&.. while parsing, whereas
++\&.. with regard to use of entities and ..
++
++.nf
++
++ amplification := allocated / direct
++
++.fi
++
++\&.. with regard to dynamic memory while parsing.
+ is the number of bytes read
+-from the primary document in parsing and
++from the primary document in parsing,
+ is the number of bytes
+ added by expanding entities and reading of external DTD files,
+-combined.
++combined, and
++ is the total number of bytes of dynamic memory
++allocated (and not freed) per hierarchy of parsers.
+
+ \fINOTE\fR:
+ If you ever need to increase this value for non-attack payload,
+@@ -110,8 +124,10 @@ please file a bug report.
+ .TP
+ \*(T<\fB\-b\fR\*(T> \fIbytes\fR
+ Sets the number of output bytes (including amplification)
+-needed to activate protection against billion laughs attacks
+-(default: 8 MiB).
++needed to activate protection against amplification attacks
++like billion laughs
++(default: 8 MiB for the sum of direct and indirect output,
++and 64 MiB for allocations of dynamic memory).
+ This can be thought of as an "activation threshold".
+
+ \fINOTE\fR:
+diff --git a/doc/xmlwf.xml b/doc/xmlwf.xml
+index cf6d984..d152e6f 100644
+--- a/doc/xmlwf.xml
++++ b/doc/xmlwf.xml
+@@ -158,19 +158,31 @@ supports both.
+
+
+ Sets the maximum tolerated amplification factor
+- for protection against billion laughs attacks (default: 100.0).
++ for protection against amplification attacks
++ like the billion laughs attack
++ (default: 100.0
++ for the sum of direct and indirect output and also
++ for allocations of dynamic memory).
+ The amplification factor is calculated as ..
+
+
+ amplification := (direct + indirect) / direct
+
+
+- .. while parsing, whereas
++ .. with regard to use of entities and ..
++
++
++ amplification := allocated / direct
++
++
++ .. with regard to dynamic memory while parsing.
+ <direct> is the number of bytes read
+- from the primary document in parsing and
++ from the primary document in parsing,
+ <indirect> is the number of bytes
+ added by expanding entities and reading of external DTD files,
+- combined.
++ combined, and
++ <allocated> is the total number of bytes of dynamic memory
++ allocated (and not freed) per hierarchy of parsers.
+
+
+ NOTE:
+@@ -185,8 +197,10 @@ supports both.
+
+
+ Sets the number of output bytes (including amplification)
+- needed to activate protection against billion laughs attacks
+- (default: 8 MiB).
++ needed to activate protection against amplification attacks
++ like billion laughs
++ (default: 8 MiB for the sum of direct and indirect output,
++ and 64 MiB for allocations of dynamic memory).
+ This can be thought of as an "activation threshold".
+
+
+diff --git a/fuzz/xml_parse_fuzzer.c b/fuzz/xml_parse_fuzzer.c
+index a7e8414..677fe59 100644
+--- a/fuzz/xml_parse_fuzzer.c
++++ b/fuzz/xml_parse_fuzzer.c
+@@ -89,15 +89,17 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+
+ XML_Parser externalEntityParser
+ = XML_ExternalEntityParserCreate(parentParser, "e1", NULL);
+- assert(externalEntityParser);
+- ParseOneInput(externalEntityParser, data, size);
+- XML_ParserFree(externalEntityParser);
++ if (externalEntityParser != NULL) {
++ ParseOneInput(externalEntityParser, data, size);
++ XML_ParserFree(externalEntityParser);
++ }
+
+ XML_Parser externalDtdParser
+ = XML_ExternalEntityParserCreate(parentParser, NULL, NULL);
+- assert(externalDtdParser);
+- ParseOneInput(externalDtdParser, data, size);
+- XML_ParserFree(externalDtdParser);
++ if (externalDtdParser != NULL) {
++ ParseOneInput(externalDtdParser, data, size);
++ XML_ParserFree(externalDtdParser);
++ }
+
+ // finally frees this parser which served as parent
+ XML_ParserFree(parentParser);
+diff --git a/fuzz/xml_parsebuffer_fuzzer.c b/fuzz/xml_parsebuffer_fuzzer.c
+index 0327aa9..7939f20 100644
+--- a/fuzz/xml_parsebuffer_fuzzer.c
++++ b/fuzz/xml_parsebuffer_fuzzer.c
+@@ -101,15 +101,17 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+
+ XML_Parser externalEntityParser
+ = XML_ExternalEntityParserCreate(parentParser, "e1", NULL);
+- assert(externalEntityParser);
+- ParseOneInput(externalEntityParser, data, size);
+- XML_ParserFree(externalEntityParser);
++ if (externalEntityParser != NULL) {
++ ParseOneInput(externalEntityParser, data, size);
++ XML_ParserFree(externalEntityParser);
++ }
+
+ XML_Parser externalDtdParser
+ = XML_ExternalEntityParserCreate(parentParser, NULL, NULL);
+- assert(externalDtdParser);
+- ParseOneInput(externalDtdParser, data, size);
+- XML_ParserFree(externalDtdParser);
++ if (externalDtdParser != NULL) {
++ ParseOneInput(externalDtdParser, data, size);
++ XML_ParserFree(externalDtdParser);
++ }
+
+ // finally frees this parser which served as parent
+ XML_ParserFree(parentParser);
+diff --git a/lib/expat.h b/lib/expat.h
+index 523b37d..df207e9 100644
+--- a/lib/expat.h
++++ b/lib/expat.h
+@@ -1032,7 +1032,10 @@ enum XML_FeatureEnum {
+ XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT,
+ XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT,
+ /* Added in Expat 2.6.0. */
+- XML_FEATURE_GE
++ XML_FEATURE_GE,
++ /* Added in Expat 2.7.2. */
++ XML_FEATURE_ALLOC_TRACKER_MAXIMUM_AMPLIFICATION_DEFAULT,
++ XML_FEATURE_ALLOC_TRACKER_ACTIVATION_THRESHOLD_DEFAULT,
+ /* Additional features must be added to the end of this enum. */
+ };
+
+@@ -1057,6 +1060,16 @@ XML_SetBillionLaughsAttackProtectionMaximumAmplification(
+ XMLPARSEAPI(XML_Bool)
+ XML_SetBillionLaughsAttackProtectionActivationThreshold(
+ XML_Parser parser, unsigned long long activationThresholdBytes);
++
++/* Added in Expat 2.7.2. */
++XMLPARSEAPI(XML_Bool)
++XML_SetAllocTrackerMaximumAmplification(XML_Parser parser,
++ float maximumAmplificationFactor);
++
++/* Added in Expat 2.7.2. */
++XMLPARSEAPI(XML_Bool)
++XML_SetAllocTrackerActivationThreshold(
++ XML_Parser parser, unsigned long long activationThresholdBytes);
+ #endif
+
+ /* Added in Expat 2.6.0. */
+diff --git a/lib/internal.h b/lib/internal.h
+index 167ec36..1b763ff 100644
+--- a/lib/internal.h
++++ b/lib/internal.h
+@@ -145,6 +145,11 @@
+ 100.0f
+ #define EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT \
+ 8388608 // 8 MiB, 2^23
++
++#define EXPAT_ALLOC_TRACKER_MAXIMUM_AMPLIFICATION_DEFAULT 100.0f
++#define EXPAT_ALLOC_TRACKER_ACTIVATION_THRESHOLD_DEFAULT \
++ 67108864 // 64 MiB, 2^26
++
+ /* NOTE END */
+
+ #include "expat.h" // so we can use type XML_Parser below
+@@ -168,6 +173,9 @@ extern
+ #endif
+ XML_Bool g_reparseDeferralEnabledDefault; // written ONLY in runtests.c
+ #if defined(XML_TESTING)
++void *expat_malloc(XML_Parser parser, size_t size, int sourceLine);
++void expat_free(XML_Parser parser, void *ptr, int sourceLine);
++void *expat_realloc(XML_Parser parser, void *ptr, size_t size, int sourceLine);
+ extern unsigned int g_bytesScanned; // used for testing only
+ #endif
+
+diff --git a/lib/libexpat.def.cmake b/lib/libexpat.def.cmake
+index 10ee9cd..7a3a7ec 100644
+--- a/lib/libexpat.def.cmake
++++ b/lib/libexpat.def.cmake
+@@ -79,3 +79,6 @@ EXPORTS
+ @_EXPAT_COMMENT_DTD_OR_GE@ XML_SetBillionLaughsAttackProtectionMaximumAmplification @70
+ ; added with version 2.6.0
+ XML_SetReparseDeferralEnabled @71
++; added with version 2.7.2
++@_EXPAT_COMMENT_DTD_OR_GE@ XML_SetAllocTrackerMaximumAmplification @72
++@_EXPAT_COMMENT_DTD_OR_GE@ XML_SetAllocTrackerActivationThreshold @73
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 473c791..e2847b1 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -234,7 +234,7 @@ typedef struct {
+ unsigned char power;
+ size_t size;
+ size_t used;
+- const XML_Memory_Handling_Suite *mem;
++ XML_Parser parser;
+ } HASH_TABLE;
+
+ static size_t keylen(KEY s);
+@@ -357,7 +357,7 @@ typedef struct {
+ const XML_Char *end;
+ XML_Char *ptr;
+ XML_Char *start;
+- const XML_Memory_Handling_Suite *mem;
++ XML_Parser parser;
+ } STRING_POOL;
+
+ /* The XML_Char before the name is used to determine whether
+@@ -452,6 +452,14 @@ typedef struct accounting {
+ unsigned long long activationThresholdBytes;
+ } ACCOUNTING;
+
++typedef struct MALLOC_TRACKER {
++ XmlBigCount bytesAllocated;
++ XmlBigCount peakBytesAllocated; // updated live only for debug level >=2
++ unsigned long debugLevel;
++ float maximumAmplificationFactor; // >=1.0
++ XmlBigCount activationThresholdBytes;
++} MALLOC_TRACKER;
++
+ typedef struct entity_stats {
+ unsigned int countEverOpened;
+ unsigned int currentDepth;
+@@ -555,27 +563,24 @@ static XML_Bool setContext(XML_Parser parser, const XML_Char *context);
+
+ static void FASTCALL normalizePublicId(XML_Char *s);
+
+-static DTD *dtdCreate(const XML_Memory_Handling_Suite *ms);
++static DTD *dtdCreate(XML_Parser parser);
+ /* do not call if m_parentParser != NULL */
+-static void dtdReset(DTD *p, const XML_Memory_Handling_Suite *ms);
+-static void dtdDestroy(DTD *p, XML_Bool isDocEntity,
+- const XML_Memory_Handling_Suite *ms);
++static void dtdReset(DTD *p, XML_Parser parser);
++static void dtdDestroy(DTD *p, XML_Bool isDocEntity, XML_Parser parser);
+ static int dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
+- const XML_Memory_Handling_Suite *ms);
++ XML_Parser parser);
+ static int copyEntityTable(XML_Parser oldParser, HASH_TABLE *newTable,
+ STRING_POOL *newPool, const HASH_TABLE *oldTable);
+ static NAMED *lookup(XML_Parser parser, HASH_TABLE *table, KEY name,
+ size_t createSize);
+-static void FASTCALL hashTableInit(HASH_TABLE *table,
+- const XML_Memory_Handling_Suite *ms);
++static void FASTCALL hashTableInit(HASH_TABLE *table, XML_Parser parser);
+ static void FASTCALL hashTableClear(HASH_TABLE *table);
+ static void FASTCALL hashTableDestroy(HASH_TABLE *table);
+ static void FASTCALL hashTableIterInit(HASH_TABLE_ITER *iter,
+ const HASH_TABLE *table);
+ static NAMED *FASTCALL hashTableIterNext(HASH_TABLE_ITER *iter);
+
+-static void FASTCALL poolInit(STRING_POOL *pool,
+- const XML_Memory_Handling_Suite *ms);
++static void FASTCALL poolInit(STRING_POOL *pool, XML_Parser parser);
+ static void FASTCALL poolClear(STRING_POOL *pool);
+ static void FASTCALL poolDestroy(STRING_POOL *pool);
+ static XML_Char *poolAppend(STRING_POOL *pool, const ENCODING *enc,
+@@ -595,15 +600,15 @@ static XML_Content *build_model(XML_Parser parser);
+ static ELEMENT_TYPE *getElementType(XML_Parser parser, const ENCODING *enc,
+ const char *ptr, const char *end);
+
+-static XML_Char *copyString(const XML_Char *s,
+- const XML_Memory_Handling_Suite *memsuite);
++static XML_Char *copyString(const XML_Char *s, XML_Parser parser);
+
+ static unsigned long generate_hash_secret_salt(XML_Parser parser);
+ static XML_Bool startParsing(XML_Parser parser);
+
+ static XML_Parser parserCreate(const XML_Char *encodingName,
+ const XML_Memory_Handling_Suite *memsuite,
+- const XML_Char *nameSep, DTD *dtd);
++ const XML_Char *nameSep, DTD *dtd,
++ XML_Parser parentParser);
+
+ static void parserInit(XML_Parser parser, const XML_Char *encodingName);
+
+@@ -773,14 +778,232 @@ struct XML_ParserStruct {
+ unsigned long m_hash_secret_salt;
+ #if XML_GE == 1
+ ACCOUNTING m_accounting;
++ MALLOC_TRACKER m_alloc_tracker;
+ ENTITY_STATS m_entity_stats;
+ #endif
+ XML_Bool m_reenter;
+ };
+
+-#define MALLOC(parser, s) (parser->m_mem.malloc_fcn((s)))
+-#define REALLOC(parser, p, s) (parser->m_mem.realloc_fcn((p), (s)))
+-#define FREE(parser, p) (parser->m_mem.free_fcn((p)))
++#if XML_GE == 1
++# define MALLOC(parser, s) (expat_malloc((parser), (s), __LINE__))
++# define REALLOC(parser, p, s) (expat_realloc((parser), (p), (s), __LINE__))
++# define FREE(parser, p) (expat_free((parser), (p), __LINE__))
++#else
++# define MALLOC(parser, s) (parser->m_mem.malloc_fcn((s)))
++# define REALLOC(parser, p, s) (parser->m_mem.realloc_fcn((p), (s)))
++# define FREE(parser, p) (parser->m_mem.free_fcn((p)))
++#endif
++
++#if XML_GE == 1
++static void
++expat_heap_stat(XML_Parser rootParser, char operator, XmlBigCount absDiff,
++ XmlBigCount newTotal, XmlBigCount peakTotal, int sourceLine) {
++ // NOTE: This can be +infinity or -nan
++ const float amplification
++ = (float)newTotal / (float)rootParser->m_accounting.countBytesDirect;
++ fprintf(
++ stderr,
++ "expat: Allocations(%p): Direct " EXPAT_FMT_ULL("10") ", allocated %c" EXPAT_FMT_ULL(
++ "10") " to " EXPAT_FMT_ULL("10") " (" EXPAT_FMT_ULL("10") " peak), amplification %8.2f (xmlparse.c:%d)\n",
++ (void *)rootParser, rootParser->m_accounting.countBytesDirect, operator,
++ absDiff, newTotal, peakTotal, (double)amplification, sourceLine);
++}
++
++static bool
++expat_heap_increase_tolerable(XML_Parser rootParser, XmlBigCount increase,
++ int sourceLine) {
++ assert(rootParser != NULL);
++ assert(increase > 0);
++
++ XmlBigCount newTotal = 0;
++ bool tolerable = true;
++
++ // Detect integer overflow
++ if ((XmlBigCount)-1 - rootParser->m_alloc_tracker.bytesAllocated < increase) {
++ tolerable = false;
++ } else {
++ newTotal = rootParser->m_alloc_tracker.bytesAllocated + increase;
++
++ if (newTotal >= rootParser->m_alloc_tracker.activationThresholdBytes) {
++ assert(newTotal > 0);
++ // NOTE: This can be +infinity when dividing by zero but not -nan
++ const float amplification
++ = (float)newTotal / (float)rootParser->m_accounting.countBytesDirect;
++ if (amplification
++ > rootParser->m_alloc_tracker.maximumAmplificationFactor) {
++ tolerable = false;
++ }
++ }
++ }
++
++ if (! tolerable && (rootParser->m_alloc_tracker.debugLevel >= 1)) {
++ expat_heap_stat(rootParser, '+', increase, newTotal, newTotal, sourceLine);
++ }
++
++ return tolerable;
++}
++
++# if defined(XML_TESTING)
++void *
++# else
++static void *
++# endif
++expat_malloc(XML_Parser parser, size_t size, int sourceLine) {
++ // Detect integer overflow
++ if (SIZE_MAX - size < sizeof(size_t)) {
++ return NULL;
++ }
++
++ const XML_Parser rootParser = getRootParserOf(parser, NULL);
++ assert(rootParser->m_parentParser == NULL);
++
++ const size_t bytesToAllocate = sizeof(size_t) + size;
++
++ if ((XmlBigCount)-1 - rootParser->m_alloc_tracker.bytesAllocated
++ < bytesToAllocate) {
++ return NULL; // i.e. signal integer overflow as out-of-memory
++ }
++
++ if (! expat_heap_increase_tolerable(rootParser, bytesToAllocate,
++ sourceLine)) {
++ return NULL; // i.e. signal violation as out-of-memory
++ }
++
++ // Actually allocate
++ void *const mallocedPtr = parser->m_mem.malloc_fcn(bytesToAllocate);
++
++ if (mallocedPtr == NULL) {
++ return NULL;
++ }
++
++ // Update in-block recorded size
++ *(size_t *)mallocedPtr = size;
++
++ // Update accounting
++ rootParser->m_alloc_tracker.bytesAllocated += bytesToAllocate;
++
++ // Report as needed
++ if (rootParser->m_alloc_tracker.debugLevel >= 2) {
++ if (rootParser->m_alloc_tracker.bytesAllocated
++ > rootParser->m_alloc_tracker.peakBytesAllocated) {
++ rootParser->m_alloc_tracker.peakBytesAllocated
++ = rootParser->m_alloc_tracker.bytesAllocated;
++ }
++ expat_heap_stat(rootParser, '+', bytesToAllocate,
++ rootParser->m_alloc_tracker.bytesAllocated,
++ rootParser->m_alloc_tracker.peakBytesAllocated, sourceLine);
++ }
++
++ return (char *)mallocedPtr + sizeof(size_t);
++}
++
++# if defined(XML_TESTING)
++void
++# else
++static void
++# endif
++expat_free(XML_Parser parser, void *ptr, int sourceLine) {
++ assert(parser != NULL);
++
++ if (ptr == NULL) {
++ return;
++ }
++
++ const XML_Parser rootParser = getRootParserOf(parser, NULL);
++ assert(rootParser->m_parentParser == NULL);
++
++ // Extract size (to the eyes of malloc_fcn/realloc_fcn) and
++ // the original pointer returned by malloc/realloc
++ void *const mallocedPtr = (char *)ptr - sizeof(size_t);
++ const size_t bytesAllocated = sizeof(size_t) + *(size_t *)mallocedPtr;
++
++ // Update accounting
++ assert(rootParser->m_alloc_tracker.bytesAllocated >= bytesAllocated);
++ rootParser->m_alloc_tracker.bytesAllocated -= bytesAllocated;
++
++ // Report as needed
++ if (rootParser->m_alloc_tracker.debugLevel >= 2) {
++ expat_heap_stat(rootParser, '-', bytesAllocated,
++ rootParser->m_alloc_tracker.bytesAllocated,
++ rootParser->m_alloc_tracker.peakBytesAllocated, sourceLine);
++ }
++
++ // NOTE: This may be freeing rootParser, so freeing has to come last
++ parser->m_mem.free_fcn(mallocedPtr);
++}
++
++# if defined(XML_TESTING)
++void *
++# else
++static void *
++# endif
++expat_realloc(XML_Parser parser, void *ptr, size_t size, int sourceLine) {
++ assert(parser != NULL);
++
++ if (ptr == NULL) {
++ return expat_malloc(parser, size, sourceLine);
++ }
++
++ if (size == 0) {
++ expat_free(parser, ptr, sourceLine);
++ return NULL;
++ }
++
++ const XML_Parser rootParser = getRootParserOf(parser, NULL);
++ assert(rootParser->m_parentParser == NULL);
++
++ // Extract original size (to the eyes of the caller) and the original
++ // pointer returned by malloc/realloc
++ void *mallocedPtr = (char *)ptr - sizeof(size_t);
++ const size_t prevSize = *(size_t *)mallocedPtr;
++
++ // Classify upcoming change
++ const bool isIncrease = (size > prevSize);
++ const size_t absDiff
++ = (size > prevSize) ? (size - prevSize) : (prevSize - size);
++
++ // Ask for permission from accounting
++ if (isIncrease) {
++ if (! expat_heap_increase_tolerable(rootParser, absDiff, sourceLine)) {
++ return NULL; // i.e. signal violation as out-of-memory
++ }
++ }
++
++ // Actually allocate
++ mallocedPtr = parser->m_mem.realloc_fcn(mallocedPtr, sizeof(size_t) + size);
++
++ if (mallocedPtr == NULL) {
++ return NULL;
++ }
++
++ // Update accounting
++ if (isIncrease) {
++ assert((XmlBigCount)-1 - rootParser->m_alloc_tracker.bytesAllocated
++ >= absDiff);
++ rootParser->m_alloc_tracker.bytesAllocated += absDiff;
++ } else { // i.e. decrease
++ assert(rootParser->m_alloc_tracker.bytesAllocated >= absDiff);
++ rootParser->m_alloc_tracker.bytesAllocated -= absDiff;
++ }
++
++ // Report as needed
++ if (rootParser->m_alloc_tracker.debugLevel >= 2) {
++ if (rootParser->m_alloc_tracker.bytesAllocated
++ > rootParser->m_alloc_tracker.peakBytesAllocated) {
++ rootParser->m_alloc_tracker.peakBytesAllocated
++ = rootParser->m_alloc_tracker.bytesAllocated;
++ }
++ expat_heap_stat(rootParser, isIncrease ? '+' : '-', absDiff,
++ rootParser->m_alloc_tracker.bytesAllocated,
++ rootParser->m_alloc_tracker.peakBytesAllocated, sourceLine);
++ }
++
++ // Update in-block recorded size
++ *(size_t *)mallocedPtr = size;
++
++ return (char *)mallocedPtr + sizeof(size_t);
++}
++#endif // XML_GE == 1
+
+ XML_Parser XMLCALL
+ XML_ParserCreate(const XML_Char *encodingName) {
+@@ -1100,19 +1323,40 @@ XML_Parser XMLCALL
+ XML_ParserCreate_MM(const XML_Char *encodingName,
+ const XML_Memory_Handling_Suite *memsuite,
+ const XML_Char *nameSep) {
+- return parserCreate(encodingName, memsuite, nameSep, NULL);
++ return parserCreate(encodingName, memsuite, nameSep, NULL, NULL);
+ }
+
+ static XML_Parser
+ parserCreate(const XML_Char *encodingName,
+ const XML_Memory_Handling_Suite *memsuite, const XML_Char *nameSep,
+- DTD *dtd) {
+- XML_Parser parser;
++ DTD *dtd, XML_Parser parentParser) {
++ XML_Parser parser = NULL;
++
++#if XML_GE == 1
++ const size_t increase = sizeof(size_t) + sizeof(struct XML_ParserStruct);
++
++ if (parentParser != NULL) {
++ const XML_Parser rootParser = getRootParserOf(parentParser, NULL);
++ if (! expat_heap_increase_tolerable(rootParser, increase, __LINE__)) {
++ return NULL;
++ }
++ }
++#else
++ UNUSED_P(parentParser);
++#endif
+
+ if (memsuite) {
+ XML_Memory_Handling_Suite *mtemp;
++#if XML_GE == 1
++ void *const sizeAndParser = memsuite->malloc_fcn(
++ sizeof(size_t) + sizeof(struct XML_ParserStruct));
++ if (sizeAndParser != NULL) {
++ *(size_t *)sizeAndParser = sizeof(struct XML_ParserStruct);
++ parser = (XML_Parser)((char *)sizeAndParser + sizeof(size_t));
++#else
+ parser = memsuite->malloc_fcn(sizeof(struct XML_ParserStruct));
+ if (parser != NULL) {
++#endif
+ mtemp = (XML_Memory_Handling_Suite *)&(parser->m_mem);
+ mtemp->malloc_fcn = memsuite->malloc_fcn;
+ mtemp->realloc_fcn = memsuite->realloc_fcn;
+@@ -1120,18 +1364,67 @@ parserCreate(const XML_Char *encodingName,
+ }
+ } else {
+ XML_Memory_Handling_Suite *mtemp;
++#if XML_GE == 1
++ void *const sizeAndParser
++ = (XML_Parser)malloc(sizeof(size_t) + sizeof(struct XML_ParserStruct));
++ if (sizeAndParser != NULL) {
++ *(size_t *)sizeAndParser = sizeof(struct XML_ParserStruct);
++ parser = (XML_Parser)((char *)sizeAndParser + sizeof(size_t));
++#else
+ parser = (XML_Parser)malloc(sizeof(struct XML_ParserStruct));
+ if (parser != NULL) {
++#endif
+ mtemp = (XML_Memory_Handling_Suite *)&(parser->m_mem);
+ mtemp->malloc_fcn = malloc;
+ mtemp->realloc_fcn = realloc;
+ mtemp->free_fcn = free;
+ }
+- }
++ } // cppcheck-suppress[memleak symbolName=sizeAndParser] // Cppcheck >=2.18.0
+
+ if (! parser)
+ return parser;
+
++#if XML_GE == 1
++ // Initialize .m_alloc_tracker
++ memset(&parser->m_alloc_tracker, 0, sizeof(MALLOC_TRACKER));
++ if (parentParser == NULL) {
++ parser->m_alloc_tracker.debugLevel
++ = getDebugLevel("EXPAT_MALLOC_DEBUG", 0u);
++ parser->m_alloc_tracker.maximumAmplificationFactor
++ = EXPAT_ALLOC_TRACKER_MAXIMUM_AMPLIFICATION_DEFAULT;
++ parser->m_alloc_tracker.activationThresholdBytes
++ = EXPAT_ALLOC_TRACKER_ACTIVATION_THRESHOLD_DEFAULT;
++
++ // NOTE: This initialization needs to come this early because these fields
++ // are read by allocation tracking code
++ parser->m_parentParser = NULL;
++ parser->m_accounting.countBytesDirect = 0;
++ } else {
++ parser->m_parentParser = parentParser;
++ }
++
++ // Record XML_ParserStruct allocation we did a few lines up before
++ const XML_Parser rootParser = getRootParserOf(parser, NULL);
++ assert(rootParser->m_parentParser == NULL);
++ assert(SIZE_MAX - rootParser->m_alloc_tracker.bytesAllocated >= increase);
++ rootParser->m_alloc_tracker.bytesAllocated += increase;
++
++ // Report on allocation
++ if (rootParser->m_alloc_tracker.debugLevel >= 2) {
++ if (rootParser->m_alloc_tracker.bytesAllocated
++ > rootParser->m_alloc_tracker.peakBytesAllocated) {
++ rootParser->m_alloc_tracker.peakBytesAllocated
++ = rootParser->m_alloc_tracker.bytesAllocated;
++ }
++
++ expat_heap_stat(rootParser, '+', increase,
++ rootParser->m_alloc_tracker.bytesAllocated,
++ rootParser->m_alloc_tracker.peakBytesAllocated, __LINE__);
++ }
++#else
++ parser->m_parentParser = NULL;
++#endif // XML_GE == 1
++
+ parser->m_buffer = NULL;
+ parser->m_bufferLim = NULL;
+
+@@ -1166,7 +1459,7 @@ parserCreate(const XML_Char *encodingName,
+ if (dtd)
+ parser->m_dtd = dtd;
+ else {
+- parser->m_dtd = dtdCreate(&parser->m_mem);
++ parser->m_dtd = dtdCreate(parser);
+ if (parser->m_dtd == NULL) {
+ FREE(parser, parser->m_dataBuf);
+ FREE(parser, parser->m_atts);
+@@ -1200,8 +1493,8 @@ parserCreate(const XML_Char *encodingName,
+
+ parser->m_protocolEncodingName = NULL;
+
+- poolInit(&parser->m_tempPool, &(parser->m_mem));
+- poolInit(&parser->m_temp2Pool, &(parser->m_mem));
++ poolInit(&parser->m_tempPool, parser);
++ poolInit(&parser->m_temp2Pool, parser);
+ parserInit(parser, encodingName);
+
+ if (encodingName && ! parser->m_protocolEncodingName) {
+@@ -1233,7 +1526,7 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) {
+ parser->m_processor = prologInitProcessor;
+ XmlPrologStateInit(&parser->m_prologState);
+ if (encodingName != NULL) {
+- parser->m_protocolEncodingName = copyString(encodingName, &(parser->m_mem));
++ parser->m_protocolEncodingName = copyString(encodingName, parser);
+ }
+ parser->m_curBase = NULL;
+ XmlInitEncoding(&parser->m_initEncoding, &parser->m_encoding, 0);
+@@ -1295,7 +1588,6 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) {
+ parser->m_unknownEncodingMem = NULL;
+ parser->m_unknownEncodingRelease = NULL;
+ parser->m_unknownEncodingData = NULL;
+- parser->m_parentParser = NULL;
+ parser->m_parsingStatus.parsing = XML_INITIALIZED;
+ // Reentry can only be triggered inside m_processor calls
+ parser->m_reenter = XML_FALSE;
+@@ -1385,7 +1677,7 @@ XML_ParserReset(XML_Parser parser, const XML_Char *encodingName) {
+ FREE(parser, (void *)parser->m_protocolEncodingName);
+ parser->m_protocolEncodingName = NULL;
+ parserInit(parser, encodingName);
+- dtdReset(parser->m_dtd, &parser->m_mem);
++ dtdReset(parser->m_dtd, parser);
+ return XML_TRUE;
+ }
+
+@@ -1421,7 +1713,7 @@ XML_SetEncoding(XML_Parser parser, const XML_Char *encodingName) {
+ parser->m_protocolEncodingName = NULL;
+ else {
+ /* Copy the new encoding name into allocated memory */
+- parser->m_protocolEncodingName = copyString(encodingName, &(parser->m_mem));
++ parser->m_protocolEncodingName = copyString(encodingName, parser);
+ if (! parser->m_protocolEncodingName)
+ return XML_STATUS_ERROR;
+ }
+@@ -1530,9 +1822,10 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
+ */
+ if (parser->m_ns) {
+ XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
+- parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
++ parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd, oldParser);
+ } else {
+- parser = parserCreate(encodingName, &parser->m_mem, NULL, newDtd);
++ parser
++ = parserCreate(encodingName, &parser->m_mem, NULL, newDtd, oldParser);
+ }
+
+ if (! parser)
+@@ -1576,7 +1869,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
+ parser->m_prologState.inEntityValue = oldInEntityValue;
+ if (context) {
+ #endif /* XML_DTD */
+- if (! dtdCopy(oldParser, parser->m_dtd, oldDtd, &parser->m_mem)
++ if (! dtdCopy(oldParser, parser->m_dtd, oldDtd, parser)
+ || ! setContext(parser, context)) {
+ XML_ParserFree(parser);
+ return NULL;
+@@ -1688,14 +1981,16 @@ XML_ParserFree(XML_Parser parser) {
+ #else
+ if (parser->m_dtd)
+ #endif /* XML_DTD */
+- dtdDestroy(parser->m_dtd, (XML_Bool)! parser->m_parentParser,
+- &parser->m_mem);
++ dtdDestroy(parser->m_dtd, (XML_Bool)! parser->m_parentParser, parser);
+ FREE(parser, (void *)parser->m_atts);
+ #ifdef XML_ATTR_INFO
+ FREE(parser, (void *)parser->m_attInfo);
+ #endif
+ FREE(parser, parser->m_groupConnector);
+- FREE(parser, parser->m_buffer);
++ // NOTE: We are avoiding FREE(..) here because parser->m_buffer
++ // is not being allocated with MALLOC(..) but with plain
++ // .malloc_fcn(..).
++ parser->m_mem.free_fcn(parser->m_buffer);
+ FREE(parser, parser->m_dataBuf);
+ FREE(parser, parser->m_nsAtts);
+ FREE(parser, parser->m_unknownEncodingMem);
+@@ -2287,7 +2582,9 @@ XML_GetBuffer(XML_Parser parser, int len) {
+ parser->m_errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
+- newBuf = (char *)MALLOC(parser, bufferSize);
++ // NOTE: We are avoiding MALLOC(..) here to leave limiting
++ // the input size to the application using Expat.
++ newBuf = (char *)parser->m_mem.malloc_fcn(bufferSize);
+ if (newBuf == 0) {
+ parser->m_errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+@@ -2298,7 +2595,10 @@ XML_GetBuffer(XML_Parser parser, int len) {
+ memcpy(newBuf, &parser->m_bufferPtr[-keep],
+ EXPAT_SAFE_PTR_DIFF(parser->m_bufferEnd, parser->m_bufferPtr)
+ + keep);
+- FREE(parser, parser->m_buffer);
++ // NOTE: We are avoiding FREE(..) here because parser->m_buffer
++ // is not being allocated with MALLOC(..) but with plain
++ // .malloc_fcn(..).
++ parser->m_mem.free_fcn(parser->m_buffer);
+ parser->m_buffer = newBuf;
+ parser->m_bufferEnd
+ = parser->m_buffer
+@@ -2314,7 +2614,10 @@ XML_GetBuffer(XML_Parser parser, int len) {
+ if (parser->m_bufferPtr) {
+ memcpy(newBuf, parser->m_bufferPtr,
+ EXPAT_SAFE_PTR_DIFF(parser->m_bufferEnd, parser->m_bufferPtr));
+- FREE(parser, parser->m_buffer);
++ // NOTE: We are avoiding FREE(..) here because parser->m_buffer
++ // is not being allocated with MALLOC(..) but with plain
++ // .malloc_fcn(..).
++ parser->m_mem.free_fcn(parser->m_buffer);
+ parser->m_bufferEnd
+ = newBuf
+ + EXPAT_SAFE_PTR_DIFF(parser->m_bufferEnd, parser->m_bufferPtr);
+@@ -2492,28 +2795,43 @@ XML_GetCurrentColumnNumber(XML_Parser parser) {
+
+ void XMLCALL
+ XML_FreeContentModel(XML_Parser parser, XML_Content *model) {
+- if (parser != NULL)
+- FREE(parser, model);
++ if (parser == NULL)
++ return;
++
++ // NOTE: We are avoiding FREE(..) here because the content model
++ // has been created using plain .malloc_fcn(..) rather than MALLOC(..).
++ parser->m_mem.free_fcn(model);
+ }
+
+ void *XMLCALL
+ XML_MemMalloc(XML_Parser parser, size_t size) {
+ if (parser == NULL)
+ return NULL;
+- return MALLOC(parser, size);
++
++ // NOTE: We are avoiding MALLOC(..) here to not include
++ // user allocations with allocation tracking and limiting.
++ return parser->m_mem.malloc_fcn(size);
+ }
+
+ void *XMLCALL
+ XML_MemRealloc(XML_Parser parser, void *ptr, size_t size) {
+ if (parser == NULL)
+ return NULL;
+- return REALLOC(parser, ptr, size);
++
++ // NOTE: We are avoiding REALLOC(..) here to not include
++ // user allocations with allocation tracking and limiting.
++ return parser->m_mem.realloc_fcn(ptr, size);
+ }
+
+ void XMLCALL
+ XML_MemFree(XML_Parser parser, void *ptr) {
+- if (parser != NULL)
+- FREE(parser, ptr);
++ if (parser == NULL)
++ return;
++
++ // NOTE: We are avoiding FREE(..) here because XML_MemMalloc and
++ // XML_MemRealloc are not using MALLOC(..) and REALLOC(..)
++ // but plain .malloc_fcn(..) and .realloc_fcn(..), internally.
++ parser->m_mem.free_fcn(ptr);
+ }
+
+ void XMLCALL
+@@ -2713,6 +3031,13 @@ XML_GetFeatureList(void) {
+ EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT},
+ /* Added in Expat 2.6.0. */
+ {XML_FEATURE_GE, XML_L("XML_GE"), 0},
++ /* Added in Expat 2.7.2. */
++ {XML_FEATURE_ALLOC_TRACKER_MAXIMUM_AMPLIFICATION_DEFAULT,
++ XML_L("XML_AT_MAX_AMP"),
++ (long int)EXPAT_ALLOC_TRACKER_MAXIMUM_AMPLIFICATION_DEFAULT},
++ {XML_FEATURE_ALLOC_TRACKER_ACTIVATION_THRESHOLD_DEFAULT,
++ XML_L("XML_AT_ACT_THRES"),
++ (long int)EXPAT_ALLOC_TRACKER_ACTIVATION_THRESHOLD_DEFAULT},
+ #endif
+ {XML_FEATURE_END, NULL, 0}};
+
+@@ -2741,6 +3066,29 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold(
+ parser->m_accounting.activationThresholdBytes = activationThresholdBytes;
+ return XML_TRUE;
+ }
++
++XML_Bool XMLCALL
++XML_SetAllocTrackerMaximumAmplification(XML_Parser parser,
++ float maximumAmplificationFactor) {
++ if ((parser == NULL) || (parser->m_parentParser != NULL)
++ || isnan(maximumAmplificationFactor)
++ || (maximumAmplificationFactor < 1.0f)) {
++ return XML_FALSE;
++ }
++ parser->m_alloc_tracker.maximumAmplificationFactor
++ = maximumAmplificationFactor;
++ return XML_TRUE;
++}
++
++XML_Bool XMLCALL
++XML_SetAllocTrackerActivationThreshold(
++ XML_Parser parser, unsigned long long activationThresholdBytes) {
++ if ((parser == NULL) || (parser->m_parentParser != NULL)) {
++ return XML_FALSE;
++ }
++ parser->m_alloc_tracker.activationThresholdBytes = activationThresholdBytes;
++ return XML_TRUE;
++}
+ #endif /* XML_GE == 1 */
+
+ XML_Bool XMLCALL
+@@ -5726,8 +6074,12 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ case XML_ROLE_CONTENT_EMPTY:
+ if (dtd->in_eldecl) {
+ if (parser->m_elementDeclHandler) {
++ // NOTE: We are avoiding MALLOC(..) here to so that
++ // applications that are not using XML_FreeContentModel but
++ // plain free(..) or .free_fcn() to free the content model's
++ // memory are safe.
+ XML_Content *content
+- = (XML_Content *)MALLOC(parser, sizeof(XML_Content));
++ = (XML_Content *)parser->m_mem.malloc_fcn(sizeof(XML_Content));
+ if (! content)
+ return XML_ERROR_NO_MEMORY;
+ content->quant = XML_CQUANT_NONE;
+@@ -7116,19 +7468,19 @@ normalizePublicId(XML_Char *publicId) {
+ }
+
+ static DTD *
+-dtdCreate(const XML_Memory_Handling_Suite *ms) {
+- DTD *p = ms->malloc_fcn(sizeof(DTD));
++dtdCreate(XML_Parser parser) {
++ DTD *p = MALLOC(parser, sizeof(DTD));
+ if (p == NULL)
+ return p;
+- poolInit(&(p->pool), ms);
+- poolInit(&(p->entityValuePool), ms);
+- hashTableInit(&(p->generalEntities), ms);
+- hashTableInit(&(p->elementTypes), ms);
+- hashTableInit(&(p->attributeIds), ms);
+- hashTableInit(&(p->prefixes), ms);
++ poolInit(&(p->pool), parser);
++ poolInit(&(p->entityValuePool), parser);
++ hashTableInit(&(p->generalEntities), parser);
++ hashTableInit(&(p->elementTypes), parser);
++ hashTableInit(&(p->attributeIds), parser);
++ hashTableInit(&(p->prefixes), parser);
+ #ifdef XML_DTD
+ p->paramEntityRead = XML_FALSE;
+- hashTableInit(&(p->paramEntities), ms);
++ hashTableInit(&(p->paramEntities), parser);
+ #endif /* XML_DTD */
+ p->defaultPrefix.name = NULL;
+ p->defaultPrefix.binding = NULL;
+@@ -7148,7 +7500,7 @@ dtdCreate(const XML_Memory_Handling_Suite *ms) {
+ }
+
+ static void
+-dtdReset(DTD *p, const XML_Memory_Handling_Suite *ms) {
++dtdReset(DTD *p, XML_Parser parser) {
+ HASH_TABLE_ITER iter;
+ hashTableIterInit(&iter, &(p->elementTypes));
+ for (;;) {
+@@ -7156,7 +7508,7 @@ dtdReset(DTD *p, const XML_Memory_Handling_Suite *ms) {
+ if (! e)
+ break;
+ if (e->allocDefaultAtts != 0)
+- ms->free_fcn(e->defaultAtts);
++ FREE(parser, e->defaultAtts);
+ }
+ hashTableClear(&(p->generalEntities));
+ #ifdef XML_DTD
+@@ -7173,9 +7525,9 @@ dtdReset(DTD *p, const XML_Memory_Handling_Suite *ms) {
+
+ p->in_eldecl = XML_FALSE;
+
+- ms->free_fcn(p->scaffIndex);
++ FREE(parser, p->scaffIndex);
+ p->scaffIndex = NULL;
+- ms->free_fcn(p->scaffold);
++ FREE(parser, p->scaffold);
+ p->scaffold = NULL;
+
+ p->scaffLevel = 0;
+@@ -7189,7 +7541,7 @@ dtdReset(DTD *p, const XML_Memory_Handling_Suite *ms) {
+ }
+
+ static void
+-dtdDestroy(DTD *p, XML_Bool isDocEntity, const XML_Memory_Handling_Suite *ms) {
++dtdDestroy(DTD *p, XML_Bool isDocEntity, XML_Parser parser) {
+ HASH_TABLE_ITER iter;
+ hashTableIterInit(&iter, &(p->elementTypes));
+ for (;;) {
+@@ -7197,7 +7549,7 @@ dtdDestroy(DTD *p, XML_Bool isDocEntity, const XML_Memory_Handling_Suite *ms) {
+ if (! e)
+ break;
+ if (e->allocDefaultAtts != 0)
+- ms->free_fcn(e->defaultAtts);
++ FREE(parser, e->defaultAtts);
+ }
+ hashTableDestroy(&(p->generalEntities));
+ #ifdef XML_DTD
+@@ -7209,10 +7561,10 @@ dtdDestroy(DTD *p, XML_Bool isDocEntity, const XML_Memory_Handling_Suite *ms) {
+ poolDestroy(&(p->pool));
+ poolDestroy(&(p->entityValuePool));
+ if (isDocEntity) {
+- ms->free_fcn(p->scaffIndex);
+- ms->free_fcn(p->scaffold);
++ FREE(parser, p->scaffIndex);
++ FREE(parser, p->scaffold);
+ }
+- ms->free_fcn(p);
++ FREE(parser, p);
+ }
+
+ /* Do a deep copy of the DTD. Return 0 for out of memory, non-zero otherwise.
+@@ -7220,7 +7572,7 @@ dtdDestroy(DTD *p, XML_Bool isDocEntity, const XML_Memory_Handling_Suite *ms) {
+ */
+ static int
+ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
+- const XML_Memory_Handling_Suite *ms) {
++ XML_Parser parser) {
+ HASH_TABLE_ITER iter;
+
+ /* Copy the prefix table. */
+@@ -7301,7 +7653,7 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
+ }
+ #endif
+ newE->defaultAtts
+- = ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
++ = MALLOC(parser, oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
+ if (! newE->defaultAtts) {
+ return 0;
+ }
+@@ -7463,7 +7815,7 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) {
+ /* table->size is a power of 2 */
+ table->size = (size_t)1 << INIT_POWER;
+ tsize = table->size * sizeof(NAMED *);
+- table->v = table->mem->malloc_fcn(tsize);
++ table->v = MALLOC(table->parser, tsize);
+ if (! table->v) {
+ table->size = 0;
+ return NULL;
+@@ -7503,7 +7855,7 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) {
+ }
+
+ size_t tsize = newSize * sizeof(NAMED *);
+- NAMED **newV = table->mem->malloc_fcn(tsize);
++ NAMED **newV = MALLOC(table->parser, tsize);
+ if (! newV)
+ return NULL;
+ memset(newV, 0, tsize);
+@@ -7519,7 +7871,7 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) {
+ }
+ newV[j] = table->v[i];
+ }
+- table->mem->free_fcn(table->v);
++ FREE(table->parser, table->v);
+ table->v = newV;
+ table->power = newPower;
+ table->size = newSize;
+@@ -7532,7 +7884,7 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) {
+ }
+ }
+ }
+- table->v[i] = table->mem->malloc_fcn(createSize);
++ table->v[i] = MALLOC(table->parser, createSize);
+ if (! table->v[i])
+ return NULL;
+ memset(table->v[i], 0, createSize);
+@@ -7545,7 +7897,7 @@ static void FASTCALL
+ hashTableClear(HASH_TABLE *table) {
+ size_t i;
+ for (i = 0; i < table->size; i++) {
+- table->mem->free_fcn(table->v[i]);
++ FREE(table->parser, table->v[i]);
+ table->v[i] = NULL;
+ }
+ table->used = 0;
+@@ -7555,17 +7907,17 @@ static void FASTCALL
+ hashTableDestroy(HASH_TABLE *table) {
+ size_t i;
+ for (i = 0; i < table->size; i++)
+- table->mem->free_fcn(table->v[i]);
+- table->mem->free_fcn(table->v);
++ FREE(table->parser, table->v[i]);
++ FREE(table->parser, table->v);
+ }
+
+ static void FASTCALL
+-hashTableInit(HASH_TABLE *p, const XML_Memory_Handling_Suite *ms) {
++hashTableInit(HASH_TABLE *p, XML_Parser parser) {
+ p->power = 0;
+ p->size = 0;
+ p->used = 0;
+ p->v = NULL;
+- p->mem = ms;
++ p->parser = parser;
+ }
+
+ static void FASTCALL
+@@ -7585,13 +7937,13 @@ hashTableIterNext(HASH_TABLE_ITER *iter) {
+ }
+
+ static void FASTCALL
+-poolInit(STRING_POOL *pool, const XML_Memory_Handling_Suite *ms) {
++poolInit(STRING_POOL *pool, XML_Parser parser) {
+ pool->blocks = NULL;
+ pool->freeBlocks = NULL;
+ pool->start = NULL;
+ pool->ptr = NULL;
+ pool->end = NULL;
+- pool->mem = ms;
++ pool->parser = parser;
+ }
+
+ static void FASTCALL
+@@ -7618,13 +7970,13 @@ poolDestroy(STRING_POOL *pool) {
+ BLOCK *p = pool->blocks;
+ while (p) {
+ BLOCK *tem = p->next;
+- pool->mem->free_fcn(p);
++ FREE(pool->parser, p);
+ p = tem;
+ }
+ p = pool->freeBlocks;
+ while (p) {
+ BLOCK *tem = p->next;
+- pool->mem->free_fcn(p);
++ FREE(pool->parser, p);
+ p = tem;
+ }
+ }
+@@ -7779,8 +8131,8 @@ poolGrow(STRING_POOL *pool) {
+ if (bytesToAllocate == 0)
+ return XML_FALSE;
+
+- temp = (BLOCK *)pool->mem->realloc_fcn(pool->blocks,
+- (unsigned)bytesToAllocate);
++ temp = (BLOCK *)REALLOC(pool->parser, pool->blocks,
++ (unsigned)bytesToAllocate);
+ if (temp == NULL)
+ return XML_FALSE;
+ pool->blocks = temp;
+@@ -7820,7 +8172,7 @@ poolGrow(STRING_POOL *pool) {
+ if (bytesToAllocate == 0)
+ return XML_FALSE;
+
+- tem = pool->mem->malloc_fcn(bytesToAllocate);
++ tem = MALLOC(pool->parser, bytesToAllocate);
+ if (! tem)
+ return XML_FALSE;
+ tem->size = blockSize;
+@@ -7935,7 +8287,10 @@ build_model(XML_Parser parser) {
+ const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content)
+ + (dtd->contentStringLen * sizeof(XML_Char)));
+
+- ret = (XML_Content *)MALLOC(parser, allocsize);
++ // NOTE: We are avoiding MALLOC(..) here to so that
++ // applications that are not using XML_FreeContentModel but plain
++ // free(..) or .free_fcn() to free the content model's memory are safe.
++ ret = (XML_Content *)parser->m_mem.malloc_fcn(allocsize);
+ if (! ret)
+ return NULL;
+
+@@ -8056,7 +8411,7 @@ getElementType(XML_Parser parser, const ENCODING *enc, const char *ptr,
+ }
+
+ static XML_Char *
+-copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) {
++copyString(const XML_Char *s, XML_Parser parser) {
+ size_t charsRequired = 0;
+ XML_Char *result;
+
+@@ -8068,7 +8423,7 @@ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) {
+ charsRequired++;
+
+ /* Now allocate space for the copy */
+- result = memsuite->malloc_fcn(charsRequired * sizeof(XML_Char));
++ result = MALLOC(parser, charsRequired * sizeof(XML_Char));
+ if (result == NULL)
+ return NULL;
+ /* Copy the original into place */
+diff --git a/tests/alloc_tests.c b/tests/alloc_tests.c
+index 12ea3b2..47004a9 100644
+--- a/tests/alloc_tests.c
++++ b/tests/alloc_tests.c
+@@ -46,10 +46,16 @@
+ # undef NDEBUG /* because test suite relies on assert(...) at the moment */
+ #endif
+
++#include /* NAN, INFINITY */
++#include
++#include /* for SIZE_MAX */
+ #include
+ #include
+
++#include "expat_config.h"
++
+ #include "expat.h"
++#include "internal.h"
+ #include "common.h"
+ #include "minicheck.h"
+ #include "dummy.h"
+@@ -2085,6 +2091,203 @@ START_TEST(test_alloc_reset_after_external_entity_parser_create_fail) {
+ }
+ END_TEST
+
++START_TEST(test_alloc_tracker_size_recorded) {
++ XML_Memory_Handling_Suite memsuite = {malloc, realloc, free};
++
++ bool values[] = {true, false};
++ for (size_t i = 0; i < sizeof(values) / sizeof(values[0]); i++) {
++ const bool useMemSuite = values[i];
++ set_subtest("useMemSuite=%d", (int)useMemSuite);
++ XML_Parser parser = useMemSuite
++ ? XML_ParserCreate_MM(NULL, &memsuite, XCS("|"))
++ : XML_ParserCreate(NULL);
++
++#if XML_GE == 1
++ void *ptr = expat_malloc(parser, 10, -1);
++
++ assert_true(ptr != NULL);
++ assert_true(*((size_t *)ptr - 1) == 10);
++
++ assert_true(expat_realloc(parser, ptr, SIZE_MAX / 2, -1) == NULL);
++
++ assert_true(*((size_t *)ptr - 1) == 10); // i.e. unchanged
++
++ ptr = expat_realloc(parser, ptr, 20, -1);
++
++ assert_true(ptr != NULL);
++ assert_true(*((size_t *)ptr - 1) == 20);
++
++ expat_free(parser, ptr, -1);
++#endif
++
++ XML_ParserFree(parser);
++ }
++}
++END_TEST
++
++START_TEST(test_alloc_tracker_maximum_amplification) {
++ if (g_reparseDeferralEnabledDefault == XML_TRUE) {
++ return;
++ }
++
++ XML_Parser parser = XML_ParserCreate(NULL);
++
++ // Get .m_accounting.countBytesDirect from 0 to 3
++ const char *const chunk = "";
++ assert_true(_XML_Parse_SINGLE_BYTES(parser, chunk, (int)strlen(chunk),
++ /*isFinal=*/XML_FALSE)
++ == XML_STATUS_OK);
++
++#if XML_GE == 1
++ // Stop activation threshold from interfering
++ assert_true(XML_SetAllocTrackerActivationThreshold(parser, 0) == XML_TRUE);
++
++ // Exceed maximum amplification: should be rejected.
++ assert_true(expat_malloc(parser, 1000, -1) == NULL);
++
++ // Increase maximum amplification, and try the same amount once more: should
++ // work.
++ assert_true(XML_SetAllocTrackerMaximumAmplification(parser, 3000.0f)
++ == XML_TRUE);
++
++ void *const ptr = expat_malloc(parser, 1000, -1);
++ assert_true(ptr != NULL);
++ expat_free(parser, ptr, -1);
++#endif
++
++ XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_alloc_tracker_threshold) {
++ XML_Parser parser = XML_ParserCreate(NULL);
++
++#if XML_GE == 1
++ // Exceed maximum amplification *before* (default) threshold: should work.
++ void *const ptr = expat_malloc(parser, 1000, -1);
++ assert_true(ptr != NULL);
++ expat_free(parser, ptr, -1);
++
++ // Exceed maximum amplification *after* threshold: should be rejected.
++ assert_true(XML_SetAllocTrackerActivationThreshold(parser, 999) == XML_TRUE);
++ assert_true(expat_malloc(parser, 1000, -1) == NULL);
++#endif
++
++ XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_alloc_tracker_getbuffer_unlimited) {
++ XML_Parser parser = XML_ParserCreate(NULL);
++
++#if XML_GE == 1
++ // Artificially lower threshold
++ assert_true(XML_SetAllocTrackerActivationThreshold(parser, 0) == XML_TRUE);
++
++ // Self-test: Prove that threshold is as rejecting as expected
++ assert_true(expat_malloc(parser, 1000, -1) == NULL);
++#endif
++ // XML_GetBuffer should be allowed to pass, though
++ assert_true(XML_GetBuffer(parser, 1000) != NULL);
++
++ XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_alloc_tracker_api) {
++ XML_Parser parserWithoutParent = XML_ParserCreate(NULL);
++ XML_Parser parserWithParent = XML_ExternalEntityParserCreate(
++ parserWithoutParent, XCS("entity123"), NULL);
++ if (parserWithoutParent == NULL)
++ fail("parserWithoutParent is NULL");
++ if (parserWithParent == NULL)
++ fail("parserWithParent is NULL");
++
++#if XML_GE == 1
++ // XML_SetAllocTrackerMaximumAmplification, error cases
++ if (XML_SetAllocTrackerMaximumAmplification(NULL, 123.0f) == XML_TRUE)
++ fail("Call with NULL parser is NOT supposed to succeed");
++ if (XML_SetAllocTrackerMaximumAmplification(parserWithParent, 123.0f)
++ == XML_TRUE)
++ fail("Call with non-root parser is NOT supposed to succeed");
++ if (XML_SetAllocTrackerMaximumAmplification(parserWithoutParent, NAN)
++ == XML_TRUE)
++ fail("Call with NaN limit is NOT supposed to succeed");
++ if (XML_SetAllocTrackerMaximumAmplification(parserWithoutParent, -1.0f)
++ == XML_TRUE)
++ fail("Call with negative limit is NOT supposed to succeed");
++ if (XML_SetAllocTrackerMaximumAmplification(parserWithoutParent, 0.9f)
++ == XML_TRUE)
++ fail("Call with positive limit <1.0 is NOT supposed to succeed");
++
++ // XML_SetAllocTrackerMaximumAmplification, success cases
++ if (XML_SetAllocTrackerMaximumAmplification(parserWithoutParent, 1.0f)
++ == XML_FALSE)
++ fail("Call with positive limit >=1.0 is supposed to succeed");
++ if (XML_SetAllocTrackerMaximumAmplification(parserWithoutParent, 123456.789f)
++ == XML_FALSE)
++ fail("Call with positive limit >=1.0 is supposed to succeed");
++ if (XML_SetAllocTrackerMaximumAmplification(parserWithoutParent, INFINITY)
++ == XML_FALSE)
++ fail("Call with positive limit >=1.0 is supposed to succeed");
++
++ // XML_SetAllocTrackerActivationThreshold, error cases
++ if (XML_SetAllocTrackerActivationThreshold(NULL, 123) == XML_TRUE)
++ fail("Call with NULL parser is NOT supposed to succeed");
++ if (XML_SetAllocTrackerActivationThreshold(parserWithParent, 123) == XML_TRUE)
++ fail("Call with non-root parser is NOT supposed to succeed");
++
++ // XML_SetAllocTrackerActivationThreshold, success cases
++ if (XML_SetAllocTrackerActivationThreshold(parserWithoutParent, 123)
++ == XML_FALSE)
++ fail("Call with non-NULL parentless parser is supposed to succeed");
++#endif // XML_GE == 1
++
++ XML_ParserFree(parserWithParent);
++ XML_ParserFree(parserWithoutParent);
++}
++END_TEST
++
++START_TEST(test_mem_api_cycle) {
++ XML_Parser parser = XML_ParserCreate(NULL);
++
++ void *ptr = XML_MemMalloc(parser, 10);
++
++ assert_true(ptr != NULL);
++ memset(ptr, 'x', 10); // assert writability, with ASan in mind
++
++ ptr = XML_MemRealloc(parser, ptr, 20);
++
++ assert_true(ptr != NULL);
++ memset(ptr, 'y', 20); // assert writability, with ASan in mind
++
++ XML_MemFree(parser, ptr);
++
++ XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_mem_api_unlimited) {
++ XML_Parser parser = XML_ParserCreate(NULL);
++
++#if XML_GE == 1
++ assert_true(XML_SetAllocTrackerActivationThreshold(parser, 0) == XML_TRUE);
++#endif
++
++ void *ptr = XML_MemMalloc(parser, 1000);
++
++ assert_true(ptr != NULL);
++
++ ptr = XML_MemRealloc(parser, ptr, 2000);
++
++ assert_true(ptr != NULL);
++
++ XML_MemFree(parser, ptr);
++
++ XML_ParserFree(parser);
++}
++END_TEST
++
+ void
+ make_alloc_test_case(Suite *s) {
+ TCase *tc_alloc = tcase_create("allocation tests");
+@@ -2151,4 +2354,15 @@ make_alloc_test_case(Suite *s) {
+
+ tcase_add_test__ifdef_xml_dtd(
+ tc_alloc, test_alloc_reset_after_external_entity_parser_create_fail);
++
++ tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_tracker_size_recorded);
++ tcase_add_test__ifdef_xml_dtd(tc_alloc,
++ test_alloc_tracker_maximum_amplification);
++ tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_tracker_threshold);
++ tcase_add_test__ifdef_xml_dtd(tc_alloc,
++ test_alloc_tracker_getbuffer_unlimited);
++ tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_tracker_api);
++
++ tcase_add_test(tc_alloc, test_mem_api_cycle);
++ tcase_add_test__ifdef_xml_dtd(tc_alloc, test_mem_api_unlimited);
+ }
+diff --git a/tests/basic_tests.c b/tests/basic_tests.c
+index f0025fc..da5c0d4 100644
+--- a/tests/basic_tests.c
++++ b/tests/basic_tests.c
+@@ -3002,6 +3002,10 @@ START_TEST(test_buffer_can_grow_to_max) {
+ for (int i = 0; i < num_prefixes; ++i) {
+ set_subtest("\"%s\"", prefixes[i]);
+ XML_Parser parser = XML_ParserCreate(NULL);
++#if XML_GE == 1
++ assert_true(XML_SetAllocTrackerActivationThreshold(parser, (size_t)-1)
++ == XML_TRUE); // i.e. deactivate
++#endif
+ const int prefix_len = (int)strlen(prefixes[i]);
+ const enum XML_Status s
+ = _XML_Parse_SINGLE_BYTES(parser, prefixes[i], prefix_len, XML_FALSE);
+diff --git a/tests/nsalloc_tests.c b/tests/nsalloc_tests.c
+index ec88586..a8f5718 100644
+--- a/tests/nsalloc_tests.c
++++ b/tests/nsalloc_tests.c
+@@ -454,10 +454,15 @@ START_TEST(test_nsalloc_realloc_attributes) {
+ nsalloc_teardown();
+ nsalloc_setup();
+ }
++#if XML_GE == 1
++ assert_true(
++ i == 0); // because expat_realloc relies on expat_malloc to some extent
++#else
+ if (i == 0)
+ fail("Parsing worked despite failing reallocations");
+ else if (i == max_realloc_count)
+ fail("Parsing failed at max reallocation count");
++#endif
+ }
+ END_TEST
+
+diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c
+index 7c0a8cd..92adb1a 100644
+--- a/xmlwf/xmlwf.c
++++ b/xmlwf/xmlwf.c
+@@ -913,11 +913,11 @@ usage(const XML_Char *prog, int rc) {
+ T(" -t write no XML output for [t]iming of plain parsing\n")
+ T(" -N enable adding doctype and [n]otation declarations\n")
+ T("\n")
+- T("billion laughs attack protection:\n")
++ T("amplification attack protection (e.g. billion laughs):\n")
+ T(" NOTE: If you ever need to increase these values for non-attack payload, please file a bug report.\n")
+ T("\n")
+ T(" -a FACTOR set maximum tolerated [a]mplification factor (default: 100.0)\n")
+- T(" -b BYTES set number of output [b]ytes needed to activate (default: 8 MiB)\n")
++ T(" -b BYTES set number of output [b]ytes needed to activate (default: 8 MiB/64 MiB)\n")
+ T("\n")
+ T("reparse deferral:\n")
+ T(" -q disable reparse deferral, and allow [q]uadratic parse runtime with large tokens\n")
+@@ -926,6 +926,10 @@ usage(const XML_Char *prog, int rc) {
+ T(" -h, --help show this [h]elp message and exit\n")
+ T(" -v, --version show program's [v]ersion number and exit\n")
+ T("\n")
++ T("environment variables:\n")
++ T(" EXPAT_MALLOC_DEBUG=(0|1|2)\n")
++ T(" Control verbosity of allocation tracker (default: 0)\n")
++ T("\n")
+ T("exit status:\n")
+ T(" 0 the input files are well-formed and the output (if requested) was written successfully\n")
+ T(" 1 could not allocate data structures, signals a serious problem with execution environment\n")
+@@ -1171,12 +1175,15 @@ tmain(int argc, XML_Char **argv) {
+ #if XML_GE == 1
+ XML_SetBillionLaughsAttackProtectionMaximumAmplification(
+ parser, attackMaximumAmplification);
++ XML_SetAllocTrackerMaximumAmplification(parser,
++ attackMaximumAmplification);
+ #endif
+ }
+ if (attackThresholdGiven) {
+ #if XML_GE == 1
+ XML_SetBillionLaughsAttackProtectionActivationThreshold(
+ parser, attackThresholdBytes);
++ XML_SetAllocTrackerActivationThreshold(parser, attackThresholdBytes);
+ #else
+ (void)attackThresholdBytes; // silence -Wunused-but-set-variable
+ #endif
+diff --git a/xmlwf/xmlwf_helpgen.py b/xmlwf/xmlwf_helpgen.py
+index 3d32f5d..dcae018 100755
+--- a/xmlwf/xmlwf_helpgen.py
++++ b/xmlwf/xmlwf_helpgen.py
+@@ -32,6 +32,9 @@
+ import argparse
+
+ epilog = """
++environment variables:
++ EXPAT_MALLOC_DEBUG=(0|1|2)
++ Control verbosity of allocation tracker (default: 0)
+ exit status:
+ 0 the input files are well-formed and the output (if requested) was written successfully
+ 1 could not allocate data structures, signals a serious problem with execution environment
+--
+2.43.0
+
diff --git a/SPECS/expat/expat.signatures.json b/SPECS/expat/expat.signatures.json
new file mode 100644
index 0000000000..faaee12cd6
--- /dev/null
+++ b/SPECS/expat/expat.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+ "expat-2.6.4.tar.bz2": "8dc480b796163d4436e6f1352e71800a774f73dbae213f1860b60607d2a83ada"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/expat/expat.spec b/SPECS/expat/expat.spec
new file mode 100644
index 0000000000..7ccc57245d
--- /dev/null
+++ b/SPECS/expat/expat.spec
@@ -0,0 +1,144 @@
+%define underscore_version %(echo %{version} | cut -d. -f1-3 --output-delimiter="_")
+Summary: An XML parser library
+Name: expat
+Version: 2.6.4
+Release: 3%{?dist}
+License: MIT
+Vendor: Intel Corporation
+Distribution: Edge Microvisor Toolkit
+Group: System Environment/GeneralLibraries
+URL: https://libexpat.github.io/
+Source0: https://github.com/libexpat/libexpat/releases/download/R_%{underscore_version}/%{name}-%{version}.tar.bz2
+Patch0: CVE-2024-8176.patch
+Patch1: CVE-2025-59375.patch
+Requires: %{name}-libs = %{version}-%{release}
+
+BuildRequires: autoconf, libtool, xmlto, gcc-c++
+BuildRequires: make
+BuildRequires: gnupg2
+
+%description
+The Expat package contains a stream oriented C library for parsing XML.
+
+%package devel
+Summary: Header and development files for expat
+Requires: %{name} = %{version}-%{release}
+
+%description devel
+It contains the libraries and header files to create applications
+
+%package libs
+Summary: Libraries for expat
+Group: System Environment/Libraries
+
+%description libs
+This package contains minimal set of shared expat libraries.
+
+%prep
+%autosetup -p1
+
+%build
+%configure \
+ CFLAGS="%{optflags}" \
+ CXXFLAGS="%{optflags}" \
+ --disable-static
+%make_build
+
+%install
+%make_install
+find %{buildroot} -type f -name "*.la" -delete -print
+rm -rf %{buildroot}/%{_docdir}/%{name}
+%{_fixperms} %{buildroot}/*
+
+%check
+%make_build check
+
+%ldconfig_scriptlets
+
+%files
+%defattr(-,root,root)
+%doc AUTHORS Changes
+%{_bindir}/*
+
+%files devel
+%{_includedir}/*
+%{_libdir}/pkgconfig/*
+%{_libdir}/libexpat.so
+%{_libdir}/cmake/expat-%{version}
+%{_mandir}/man1/xmlwf.1.gz
+
+%files libs
+%license COPYING
+%{_libdir}/libexpat.so.1*
+
+%changelog
+* Thu Jan 8 2025 Lee Chee Yang - 2.6.4-3
+- add BuildRequires
+- Initial Edge Microvisor Toolkit import from Azure Linux (license: MIT).
+
+* Tue Sep 23 2025 Akhila Guruju - 2.6.4-2
+- Fix CVE-2025-59375 with a patch
+
+* Thu Mar 20 2025 Kshitiz Godara - 2.6.4-1
+- Fix CVE-2024-8176 with a patch
+
+* Wed Oct 30 2024 Sindhu Karri - 2.6.3-2
+- Fix CVE-2024-50602 with a patch
+
+* Wed Sep 04 2024 Gary Swalling - 2.6.3-1
+- Upgrade to 2.6.3 to fix CVE-2024-45490, CVE-2024-45491, CVE-2024-45492
+
+* Wed May 22 2024 Neha Agarwal - 2.6.2-1
+- Upgrade to v2.6.2 to fix CVE-2024-28757
+
+* Wed Oct 26 2022 CBL-Mariner Servicing Account - 2.5.0-1
+- Upgrade to 2.5.0
+
+* Mon Sep 19 2022 Betty Lakes - 2.4.8-2
+- Add the patch to address CVE-2022-40674
+
+* Wed Apr 13 2022 Rachel Menge - 2.4.8-1
+- Update source to 2.4.8 to address CVE-2022-23852, CVE-2022-23990,
+ CVE-2022-25235, CVE-2022-25236
+
+* Tue Apr 12 2022 Pawel Winogrodzki - 2.4.3-2
+- Fixing "%%underscore_version" macro definition.
+
+* Sun Jan 16 2022 Rachel Menge - 2.4.3-1
+- Update source to 2.4.3 to address CVE-2021-46143, CVE-2021-45960,
+ CVE-2022-22822 to CVE-2022-22827
+
+* Fri Nov 19 2021 Max Brodeur-Urbas - 2.4.1-1
+- Update to 2.4.1
+- License verified
+- Removed reference to manfiles, generation causes circular dependency.
+
+* Sat May 09 2020 Nick Samson - 2.2.6-4
+- Added %%license line automatically
+
+* Wed Apr 22 2020 Nicolas Ontiveros 2.2.6-3
+- Fix CVE-2018-20843.
+- Remove sha1 macro.
+- Update URL.
+- Update Source0.
+
+* Tue Sep 03 2019 Mateusz Malisz 2.2.6-2
+- Initial CBL-Mariner import from Photon (license: Apache2).
+
+* Thu Sep 20 2018 Sujay G 2.2.6-1
+- Bump expat version to 2.2.6
+
+* Tue Sep 26 2017 Anish Swaminathan 2.2.4-1
+- Updating version, fixes CVE-2017-9233, CVE-2016-9063, CVE-2016-0718
+
+* Fri Apr 14 2017 Alexey Makhalov 2.2.0-2
+- Added -libs and -devel subpackages
+
+* Fri Oct 21 2016 Kumar Kaushik 2.2.0-1
+- Updating Source/Fixing CVE-2015-1283.
+
+* Tue May 24 2016 Priyesh Padmavilasom 2.1.0-2
+- GA - Bump release of all rpms
+
+* Wed Nov 5 2014 Divya Thaluru 2.1.0-1
+- Initial build. First version
diff --git a/SPECS/fluent-bit/CVE-2025-12970.patch b/SPECS/fluent-bit/CVE-2025-12970.patch
new file mode 100644
index 0000000000..7cd290adb4
--- /dev/null
+++ b/SPECS/fluent-bit/CVE-2025-12970.patch
@@ -0,0 +1,191 @@
+From 8a25d3b24fa4edde3e9cfdb878ce6c2c6e3d7e5b Mon Sep 17 00:00:00 2001
+From: Eduardo Silva
+Date: Thu, 2 Oct 2025 16:36:54 -0600
+Subject: [PATCH] in_docker: add helper for container name parsing
+
+Signed-off-by: Eduardo Silva
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/fluent/fluent-bit/pull/10972.patch
+---
+ plugins/in_docker/cgroup_v1.c | 32 +----------------------
+ plugins/in_docker/cgroup_v2.c | 32 +----------------------
+ plugins/in_docker/docker.c | 48 +++++++++++++++++++++++++++++++++++
+ plugins/in_docker/docker.h | 2 ++
+ 4 files changed, 52 insertions(+), 62 deletions(-)
+
+diff --git a/plugins/in_docker/cgroup_v1.c b/plugins/in_docker/cgroup_v1.c
+index ab40147..86a64b1 100644
+--- a/plugins/in_docker/cgroup_v1.c
++++ b/plugins/in_docker/cgroup_v1.c
+@@ -213,36 +213,6 @@ static char *get_config_file(struct flb_docker *ctx, char *id)
+ return path;
+ }
+
+-static char *extract_name(char *line, char *start)
+-{
+- int skip = 9;
+- int len = 0;
+- char *name;
+- char buff[256];
+- char *curr;
+-
+- if (start != NULL) {
+- curr = start + skip;
+- while (*curr != '"') {
+- buff[len++] = *curr;
+- curr++;
+- }
+-
+- if (len > 0) {
+- name = (char *) flb_calloc(len + 1, sizeof(char));
+- if (!name) {
+- flb_errno();
+- return NULL;
+- }
+- memcpy(name, buff, len);
+-
+- return name;
+- }
+- }
+-
+- return NULL;
+-}
+-
+ static char *get_container_name(struct flb_docker *ctx, char *id)
+ {
+ char *container_name = NULL;
+@@ -266,7 +236,7 @@ static char *get_container_name(struct flb_docker *ctx, char *id)
+ while ((line = read_line(f))) {
+ char *index = strstr(line, DOCKER_NAME_ARG);
+ if (index != NULL) {
+- container_name = extract_name(line, index);
++ container_name = docker_extract_name(line, index);
+ flb_free(line);
+ break;
+ }
+diff --git a/plugins/in_docker/cgroup_v2.c b/plugins/in_docker/cgroup_v2.c
+index 295483c..301fceb 100644
+--- a/plugins/in_docker/cgroup_v2.c
++++ b/plugins/in_docker/cgroup_v2.c
+@@ -230,36 +230,6 @@ static char *get_config_file(struct flb_docker *ctx, char *id)
+ return path;
+ }
+
+-static char *extract_name(char *line, char *start)
+-{
+- int skip = 9;
+- int len = 0;
+- char *name;
+- char buff[256];
+- char *curr;
+-
+- if (start != NULL) {
+- curr = start + skip;
+- while (*curr != '"') {
+- buff[len++] = *curr;
+- curr++;
+- }
+-
+- if (len > 0) {
+- name = (char *) flb_calloc(len + 1, sizeof(char));
+- if (!name) {
+- flb_errno();
+- return NULL;
+- }
+- memcpy(name, buff, len);
+-
+- return name;
+- }
+- }
+-
+- return NULL;
+-}
+-
+ static char *get_container_name(struct flb_docker *ctx, char *id)
+ {
+ char *container_name = NULL;
+@@ -283,7 +253,7 @@ static char *get_container_name(struct flb_docker *ctx, char *id)
+ while ((line = read_line(f))) {
+ char *index = strstr(line, DOCKER_NAME_ARG);
+ if (index != NULL) {
+- container_name = extract_name(line, index);
++ container_name = docker_extract_name(line, index);
+ flb_free(line);
+ break;
+ }
+diff --git a/plugins/in_docker/docker.c b/plugins/in_docker/docker.c
+index 2a1389e..5701c68 100644
+--- a/plugins/in_docker/docker.c
++++ b/plugins/in_docker/docker.c
+@@ -29,9 +29,57 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "docker.h"
+
++char *docker_extract_name(const char *line, const char *start)
++{
++ const char *curr;
++ const char *end;
++ size_t len;
++ char *name;
++
++ if (line == NULL || start == NULL) {
++ return NULL;
++ }
++
++ curr = start + strlen(DOCKER_NAME_ARG);
++ if (*curr != ':') {
++ curr = strchr(curr, ':');
++ if (curr == NULL) {
++ return NULL;
++ }
++ }
++
++ curr++;
++ while (*curr != '\0' && isspace((unsigned char) *curr)) {
++ curr++;
++ }
++
++ if (*curr != '"') {
++ return NULL;
++ }
++
++ curr++;
++ end = strchr(curr, '"');
++ if (end == NULL || end <= curr) {
++ return NULL;
++ }
++
++ len = end - curr;
++ name = flb_malloc(len + 1);
++ if (name == NULL) {
++ flb_errno();
++ return NULL;
++ }
++
++ memcpy(name, curr, len);
++ name[len] = '\0';
++
++ return name;
++}
++
+ static int cb_docker_collect(struct flb_input_instance *i_ins,
+ struct flb_config *config, void *in_context);
+
+diff --git a/plugins/in_docker/docker.h b/plugins/in_docker/docker.h
+index e6f61c1..9a1c9ae 100644
+--- a/plugins/in_docker/docker.h
++++ b/plugins/in_docker/docker.h
+@@ -119,4 +119,6 @@ struct flb_docker {
+ int in_docker_collect(struct flb_input_instance *i_ins,
+ struct flb_config *config, void *in_context);
+ docker_info *in_docker_init_docker_info(char *id);
++char *docker_extract_name(const char *line, const char *start);
++
+ #endif
+--
+2.45.4
+
diff --git a/SPECS/fluent-bit/CVE-2025-58749.patch b/SPECS/fluent-bit/CVE-2025-58749.patch
new file mode 100644
index 0000000000..8b210db8c2
--- /dev/null
+++ b/SPECS/fluent-bit/CVE-2025-58749.patch
@@ -0,0 +1,48 @@
+From 95f506a6e77d3ac7588eac7263f95558edfa7f3b Mon Sep 17 00:00:00 2001
+From: Liu Jia
+Date: Mon, 15 Sep 2025 15:19:51 +0800
+Subject: [PATCH] Merge commit from fork
+
+* fix overflow in check_bulk_memory_overflow
+
+Upstream Patch reference: https://github.com/bytecodealliance/wasm-micro-runtime/commit/95f506a6e77d3ac7588eac7263f95558edfa7f3b.patch
+---
+ .../core/iwasm/compilation/aot_emit_memory.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/compilation/aot_emit_memory.c b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/compilation/aot_emit_memory.c
+index 8c35c3f..6a01c25 100644
+--- a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/compilation/aot_emit_memory.c
++++ b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/compilation/aot_emit_memory.c
+@@ -880,7 +880,7 @@ static LLVMValueRef
+ check_bulk_memory_overflow(AOTCompContext *comp_ctx, AOTFuncContext *func_ctx,
+ LLVMValueRef offset, LLVMValueRef bytes)
+ {
+- LLVMValueRef maddr, max_addr, cmp;
++ LLVMValueRef maddr, max_addr, cmp, cmp1, offset1;
+ LLVMValueRef mem_base_addr;
+ LLVMBasicBlockRef block_curr = LLVMGetInsertBlock(comp_ctx->builder);
+ LLVMBasicBlockRef check_succ;
+@@ -922,8 +922,18 @@ check_bulk_memory_overflow(AOTCompContext *comp_ctx, AOTFuncContext *func_ctx,
+ if (mem_data_size > 0 && mem_offset + mem_len <= mem_data_size) {
+ /* inside memory space */
+ /* maddr = mem_base_addr + moffset */
++ /* Perform zero extension in advance to avoid LLVMBuildInBoundsGEP2
++ * interpreting a negative address due to sign extension when
++ * mem_offset >= 2GiB */
++ if (comp_ctx->pointer_size == sizeof(uint64)) {
++ offset1 = I64_CONST(mem_offset);
++ }
++ else {
++ offset1 = I32_CONST((uint32)mem_offset);
++ }
++ CHECK_LLVM_CONST(offset1);
+ if (!(maddr = LLVMBuildInBoundsGEP2(comp_ctx->builder, INT8_TYPE,
+- mem_base_addr, &offset, 1,
++ mem_base_addr, &offset1, 1,
+ "maddr"))) {
+ aot_set_last_error("llvm build add failed.");
+ goto fail;
+--
+2.45.4
+
diff --git a/SPECS/fluent-bit/fluent-bit.signatures.json b/SPECS/fluent-bit/fluent-bit.signatures.json
index cb3ed9d7fe..e48e6bf823 100644
--- a/SPECS/fluent-bit/fluent-bit.signatures.json
+++ b/SPECS/fluent-bit/fluent-bit.signatures.json
@@ -1,6 +1,6 @@
{
"Signatures": {
- "fluent-bit-3.1.9.tar.gz": "ac3a3e235e7f8a92d35f10c99f400f0b0571417a92e3c4caa467073733d42547",
+ "fluent-bit-3.1.10.tar.gz": "9ec909e8ce04bc8f3b09862c781956c40da18f60e8ae92b154114b4e20edc5fa",
"fluent_bit.fc": "d59e8180da8c7000c56362ace40e628e9caf7c21047df2a41a1b00dd6c96d5ab",
"fluent_bit.te": "af9350c3885430cc075212b4a1bedc381062c54d187dc58138dc285131283663"
}
diff --git a/SPECS/fluent-bit/fluent-bit.spec b/SPECS/fluent-bit/fluent-bit.spec
index 4d22720ed3..f49340a472 100644
--- a/SPECS/fluent-bit/fluent-bit.spec
+++ b/SPECS/fluent-bit/fluent-bit.spec
@@ -1,12 +1,13 @@
Summary: Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX
Name: fluent-bit
-Version: 3.1.9
-Release: 17%{?dist}
+Version: 3.1.10
+Release: 2%{?dist}
License: Apache-2.0
Vendor: Intel Corporation
Distribution: Edge Microvisor Toolkit
URL: https://fluentbit.io
Source0: https://github.com/fluent/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+# add selinux policies for BMA
Source1: fluent_bit.te
Source2: fluent_bit.fc
Patch0: CVE-2024-34250.patch
@@ -15,9 +16,9 @@ Patch2: CVE-2024-27532.patch
Patch3: CVE-2024-50608.patch
Patch4: CVE-2024-50609.patch
Patch5: CVE-2025-31498.patch
-Patch6: CVE-2025-29087.patch
-Patch7: CVE-2023-53154.patch
-Patch8: CVE-2025-54126.patch
+Patch6: CVE-2025-54126.patch
+Patch7: CVE-2025-58749.patch
+Patch8: CVE-2025-12970.patch
BuildRequires: bison
BuildRequires: cmake
BuildRequires: cyrus-sasl-devel
@@ -187,6 +188,12 @@ install -m 644 %{modulename}.pp %{buildroot}%{_datadir}/selinux/packages/%{modul
%selinux_modules_uninstall -s %{selinuxtype} %{modulename}
%changelog
+* Mon Jan 5 2025 Lee Chee Yang - 3.1.10-2
+- merge from Azure Linux 3.0.20251206-3.0
+- Upgrade to 3.1.10
+- Patch for CVE-2025-12970
+- Patch for CVE-2025-58749
+
* Thu Nov 05 2025 Kishan Mochi - 3.1.9-17
- remove inbm selinux
diff --git a/SPECS/gh/CVE-2025-58183.patch b/SPECS/gh/CVE-2025-58183.patch
new file mode 100644
index 0000000000..4368ce717a
--- /dev/null
+++ b/SPECS/gh/CVE-2025-58183.patch
@@ -0,0 +1,83 @@
+From 2c9e7f55aa25221e776bad497448442dde6b2ef0 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Sat, 15 Nov 2025 05:50:08 +0000
+Subject: [PATCH] archive/tar: set a limit on the size of GNU sparse file 1.0
+ regions
+
+Cap the size of the sparse block data to the same limit used for PAX headers (1 MiB). Add errSparseTooLong error and enforce maxSpecialFileSize when reading GNU PAX 1.0 sparse maps. Update comments accordingly.
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/vbatts/tar-split/commit/55da7d6b43bd806ee785d783bdf66bcf302af118.patch
+---
+ .../vbatts/tar-split/archive/tar/common.go | 3 +++
+ .../vbatts/tar-split/archive/tar/format.go | 3 +++
+ .../vbatts/tar-split/archive/tar/reader.go | 12 ++++++++++--
+ 3 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/common.go b/vendor/github.com/vbatts/tar-split/archive/tar/common.go
+index dee9e47..bb43fbe 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/common.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/common.go
+@@ -34,6 +34,9 @@ var (
+ errMissData = errors.New("archive/tar: sparse file references non-existent data")
+ errUnrefData = errors.New("archive/tar: sparse file contains unreferenced data")
+ errWriteHole = errors.New("archive/tar: write non-NUL byte in sparse hole")
++ // errSparseTooLong is returned when the GNU PAX 1.0 sparse map exceeds the
++ // maximum permitted size for special file data (same as PAX headers).
++ errSparseTooLong = errors.New("archive/tar: sparse map too long")
+ )
+
+ type headerError []string
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/format.go b/vendor/github.com/vbatts/tar-split/archive/tar/format.go
+index 1f89d0c..62dc505 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/format.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/format.go
+@@ -143,6 +143,9 @@ const (
+ blockSize = 512 // Size of each block in a tar stream
+ nameSize = 100 // Max length of the name field in USTAR format
+ prefixSize = 155 // Max length of the prefix field in USTAR format
++ // maxSpecialFileSize caps the size of special file data, such as PAX headers.
++ // This is set to 1 MiB to avoid excessive memory allocation on malicious inputs.
++ maxSpecialFileSize = 1 << 20
+ )
+
+ // blockPadding computes the number of bytes needed to pad offset up to the
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+index fcf3215..176b40f 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+@@ -577,12 +577,20 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ cntNewline int64
+ buf bytes.Buffer
+ blk block
++ // totalSize tracks the total size of the sparse map data read.
++ totalSize int
+ )
+
+ // feedTokens copies data in blocks from r into buf until there are
+ // at least cnt newlines in buf. It will not read more blocks than needed.
+ feedTokens := func(n int64) error {
+ for cntNewline < n {
++ // Increase totalSize by the size of the block to enforce a cap
++ totalSize += len(blk)
++ // Enforce the same cap as PAX header size: maxSpecialFileSize
++ if totalSize > maxSpecialFileSize {
++ return errSparseTooLong
++ }
+ if _, err := mustReadFull(r, blk[:]); err != nil {
+ return err
+ }
+@@ -615,8 +623,8 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ }
+
+ // Parse for all member entries.
+- // numEntries is trusted after this since a potential attacker must have
+- // committed resources proportional to what this library used.
++ // numEntries is trusted after this since feedTokens limits the number of
++ // tokens based on maxSpecialFileSize.
+ if err := feedTokens(2 * numEntries); err != nil {
+ return nil, err
+ }
+--
+2.45.4
+
diff --git a/SPECS/gh/gh.spec b/SPECS/gh/gh.spec
index ec7367feb2..77379119cc 100644
--- a/SPECS/gh/gh.spec
+++ b/SPECS/gh/gh.spec
@@ -1,7 +1,7 @@
Summary: GitHub official command line tool
Name: gh
Version: 2.62.0
-Release: 10%{?dist}
+Release: 11%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Azure Linux
@@ -23,8 +23,9 @@ Patch7: CVE-2025-27144.patch
Patch8: CVE-2025-22869.patch
Patch9: CVE-2025-22872.patch
Patch10: CVE-2025-48938.patch
+Patch11: CVE-2025-58183.patch
-BuildRequires: golang < 1.23
+BuildRequires: golang < 1.24
BuildRequires: git
Requires: git
%global debug_package %{nil}
@@ -65,6 +66,11 @@ make test
%{_datadir}/zsh/site-functions/_gh
%changelog
+* Mon Jan 5 2025 Lee Chee Yang - 2.62.0-11
+- merge from Azure Linux 3.0.20251206-3.0
+- update BuildRequires golang version
+- Patch for CVE-2025-58183
+
* Mon Sep 8 2025 Lee Chee Yang - 2.62.0-10
- merge from Azure Linux 3.0.20250910-3.0.
- Patch CVE-2025-48938
diff --git a/SPECS/glibc/0001-Remove-Wno-format-cflag-from-tests.patch b/SPECS/glibc/0001-Remove-Wno-format-cflag-from-tests.patch
deleted file mode 100644
index fe35461507..0000000000
--- a/SPECS/glibc/0001-Remove-Wno-format-cflag-from-tests.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 8768893dbd2b055f71c719e5135d9b8720731d81 Mon Sep 17 00:00:00 2001
-From: Rachel Menge
-Date: Fri, 7 Jun 2024 21:17:37 +0000
-Subject: [PATCH] Remove -Wno-format cflag from tests
-
-This flag prevents the error
-"c1: error: '-Wformat-security' ignored without '-Wformat' [-Werror=format-security]"
-The error occurs when glibc is compiled with -Wformat-security which
-requires -Wformat and thus conflicts with tests which use -Wno-format
----
- debug/Makefile | 4 ++--
- time/Makefile | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/debug/Makefile b/debug/Makefile
-index 434e52f7..05363c26 100644
---- a/debug/Makefile
-+++ b/debug/Makefile
-@@ -192,7 +192,7 @@ tests-cc-def-chk =
- tests-c-time64-chk =
- tests-cc-time64-chk =
-
--CFLAGS-tst-fortify.c += -Wno-format -Wno-deprecated-declarations -Wno-error
-+CFLAGS-tst-fortify.c += -Wno-deprecated-declarations
-
- # No additional flags for the default tests.
- define cflags-default
-@@ -215,7 +215,7 @@ src-chk-nongnu = \#undef _GNU_SOURCE
- # cannot be disabled via pragmas, so require -Wno-error to be used.
- define gen-chk-test
- tests-$(1)-$(4)-chk += tst-fortify-$(1)-$(2)-$(3)-$(4)
--CFLAGS-tst-fortify-$(1)-$(2)-$(3)-$(4).$(1) += $(no-fortify-source),-D_FORTIFY_SOURCE=$(3) -Wno-format \
-+CFLAGS-tst-fortify-$(1)-$(2)-$(3)-$(4).$(1) += $(no-fortify-source),-D_FORTIFY_SOURCE=$(3) \
- -Wno-deprecated-declarations \
- -Wno-error
- $(eval $(call cflags-$(2),$(1),$(3),$(4)))
-diff --git a/time/Makefile b/time/Makefile
-index 1d2e667c..8b878bcc 100644
---- a/time/Makefile
-+++ b/time/Makefile
-@@ -102,7 +102,7 @@ CFLAGS-nanosleep.c += -fexceptions -fasynchronous-unwind-tables
- CFLAGS-mktime.c += $(config-cflags-wno-ignored-attributes)
-
- # Don't warn about Y2k problem in strftime format string.
--CFLAGS-test_time.c += -Wno-format
-+CFLAGS-test_time.c += -Wformat
-
- test_time-ARGS= EST5EDT CST
-
---
-2.34.1
-
diff --git a/SPECS/glibc/CVE-2018-20796.nopatch b/SPECS/glibc/CVE-2018-20796.nopatch
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/SPECS/glibc/CVE-2019-6488.nopatch b/SPECS/glibc/CVE-2019-6488.nopatch
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/SPECS/glibc/CVE-2020-1751.nopatch b/SPECS/glibc/CVE-2020-1751.nopatch
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/SPECS/glibc/CVE-2020-6096.nopatch b/SPECS/glibc/CVE-2020-6096.nopatch
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/SPECS/glibc/CVE-2023-4527.patch b/SPECS/glibc/CVE-2023-4527.patch
deleted file mode 100644
index de489ab9d4..0000000000
--- a/SPECS/glibc/CVE-2023-4527.patch
+++ /dev/null
@@ -1,188 +0,0 @@
-From 6562a534ff741667d0725729ebc521bb0dac0e73 Mon Sep 17 00:00:00 2001
-From: Kanishk Bansal
-Date: Thu, 22 May 2025 08:46:55 +0000
-Subject: [PATCH] CVE-2023-4527
-
-Upstream Patch Reference : https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b25508dd774b617f99419bdc3cf2ace4560cd2d6
-
-https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2023-0002
-
-Signed-off-by: Kanishk Bansal
----
- resolv/Makefile | 2 +
- resolv/nss_dns/dns-host.c | 2 +-
- resolv/tst-resolv-noaaaa-vc.c | 129 ++++++++++++++++++++++++++++++++++
- 3 files changed, 132 insertions(+), 1 deletion(-)
- create mode 100644 resolv/tst-resolv-noaaaa-vc.c
-
-diff --git a/resolv/Makefile b/resolv/Makefile
-index 054b1fa3..2f99eb38 100644
---- a/resolv/Makefile
-+++ b/resolv/Makefile
-@@ -102,6 +102,7 @@ tests += \
- tst-resolv-invalid-cname \
- tst-resolv-network \
- tst-resolv-noaaaa \
-+ tst-resolv-noaaaa-vc \
- tst-resolv-nondecimal \
- tst-resolv-res_init-multi \
- tst-resolv-search \
-@@ -293,6 +294,7 @@ $(objpfx)tst-resolv-res_init-thread: $(objpfx)libresolv.so \
- $(objpfx)tst-resolv-invalid-cname: $(objpfx)libresolv.so \
- $(shared-thread-library)
- $(objpfx)tst-resolv-noaaaa: $(objpfx)libresolv.so $(shared-thread-library)
-+$(objpfx)tst-resolv-noaaaa-vc: $(objpfx)libresolv.so $(shared-thread-library)
- $(objpfx)tst-resolv-nondecimal: $(objpfx)libresolv.so $(shared-thread-library)
- $(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)
- $(objpfx)tst-resolv-rotate: $(objpfx)libresolv.so $(shared-thread-library)
-diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
-index 1d60c51f..5d0ab30d 100644
---- a/resolv/nss_dns/dns-host.c
-+++ b/resolv/nss_dns/dns-host.c
-@@ -427,7 +427,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
- {
- n = __res_context_search (ctx, name, C_IN, T_A,
- dns_packet_buffer, sizeof (dns_packet_buffer),
-- NULL, NULL, NULL, NULL, NULL);
-+ &alt_dns_packet_buffer, NULL, NULL, NULL, NULL);
- if (n >= 0)
- status = gaih_getanswer_noaaaa (alt_dns_packet_buffer, n,
- &abuf, pat, errnop, herrnop, ttlp);
-diff --git a/resolv/tst-resolv-noaaaa-vc.c b/resolv/tst-resolv-noaaaa-vc.c
-new file mode 100644
-index 00000000..9f5aebd9
---- /dev/null
-+++ b/resolv/tst-resolv-noaaaa-vc.c
-@@ -0,0 +1,129 @@
-+/* Test the RES_NOAAAA resolver option with a large response.
-+ Copyright (C) 2022-2023 Free Software Foundation, Inc.
-+ This file is part of the GNU C Library.
-+
-+ The GNU C Library is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU Lesser General Public
-+ License as published by the Free Software Foundation; either
-+ version 2.1 of the License, or (at your option) any later version.
-+
-+ The GNU C Library is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ Lesser General Public License for more details.
-+
-+ You should have received a copy of the GNU Lesser General Public
-+ License along with the GNU C Library; if not, see
-+ . */
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+/* Used to keep track of the number of queries. */
-+static volatile unsigned int queries;
-+
-+/* If true, add a large TXT record at the start of the answer section. */
-+static volatile bool stuff_txt;
-+
-+static void
-+response (const struct resolv_response_context *ctx,
-+ struct resolv_response_builder *b,
-+ const char *qname, uint16_t qclass, uint16_t qtype)
-+{
-+ /* If not using TCP, just force its use. */
-+ if (!ctx->tcp)
-+ {
-+ struct resolv_response_flags flags = {.tc = true};
-+ resolv_response_init (b, flags);
-+ resolv_response_add_question (b, qname, qclass, qtype);
-+ return;
-+ }
-+
-+ /* The test needs to send four queries, the first three are used to
-+ grow the NSS buffer via the ERANGE handshake. */
-+ ++queries;
-+ TEST_VERIFY (queries <= 4);
-+
-+ /* AAAA queries are supposed to be disabled. */
-+ TEST_COMPARE (qtype, T_A);
-+ TEST_COMPARE (qclass, C_IN);
-+ TEST_COMPARE_STRING (qname, "example.com");
-+
-+ struct resolv_response_flags flags = {};
-+ resolv_response_init (b, flags);
-+ resolv_response_add_question (b, qname, qclass, qtype);
-+
-+ resolv_response_section (b, ns_s_an);
-+
-+ if (stuff_txt)
-+ {
-+ resolv_response_open_record (b, qname, qclass, T_TXT, 60);
-+ int zero = 0;
-+ for (int i = 0; i <= 15000; ++i)
-+ resolv_response_add_data (b, &zero, sizeof (zero));
-+ resolv_response_close_record (b);
-+ }
-+
-+ for (int i = 0; i < 200; ++i)
-+ {
-+ resolv_response_open_record (b, qname, qclass, qtype, 60);
-+ char ipv4[4] = {192, 0, 2, i + 1};
-+ resolv_response_add_data (b, &ipv4, sizeof (ipv4));
-+ resolv_response_close_record (b);
-+ }
-+}
-+
-+static int
-+do_test (void)
-+{
-+ struct resolv_test *obj = resolv_test_start
-+ ((struct resolv_redirect_config)
-+ {
-+ .response_callback = response
-+ });
-+
-+ _res.options |= RES_NOAAAA;
-+
-+ for (int do_stuff_txt = 0; do_stuff_txt < 2; ++do_stuff_txt)
-+ {
-+ queries = 0;
-+ stuff_txt = do_stuff_txt;
-+
-+ struct addrinfo *ai = NULL;
-+ int ret;
-+ ret = getaddrinfo ("example.com", "80",
-+ &(struct addrinfo)
-+ {
-+ .ai_family = AF_UNSPEC,
-+ .ai_socktype = SOCK_STREAM,
-+ }, &ai);
-+
-+ char *expected_result;
-+ {
-+ struct xmemstream mem;
-+ xopen_memstream (&mem);
-+ for (int i = 0; i < 200; ++i)
-+ fprintf (mem.out, "address: STREAM/TCP 192.0.2.%d 80\n", i + 1);
-+ xfclose_memstream (&mem);
-+ expected_result = mem.buffer;
-+ }
-+
-+ check_addrinfo ("example.com", ai, ret, expected_result);
-+
-+ free (expected_result);
-+ freeaddrinfo (ai);
-+ }
-+
-+ resolv_test_end (obj);
-+ return 0;
-+}
-+
-+#include
---
-2.45.3
-
diff --git a/SPECS/glibc/CVE-2023-4806.patch b/SPECS/glibc/CVE-2023-4806.patch
deleted file mode 100644
index c8973010fe..0000000000
--- a/SPECS/glibc/CVE-2023-4806.patch
+++ /dev/null
@@ -1,338 +0,0 @@
-From 00ae4f10b504bc4564e9f22f00907093f1ab9338 Mon Sep 17 00:00:00 2001
-From: Siddhesh Poyarekar
-Date: Fri, 15 Sep 2023 13:51:12 -0400
-Subject: [PATCH] getaddrinfo: Fix use after free in getcanonname
- (CVE-2023-4806)
-
-When an NSS plugin only implements the _gethostbyname2_r and
-_getcanonname_r callbacks, getaddrinfo could use memory that was freed
-during tmpbuf resizing, through h_name in a previous query response.
-
-The backing store for res->at->name when doing a query with
-gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in
-gethosts during the query. For AF_INET6 lookup with AI_ALL |
-AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second
-for a v4 lookup. In this case, if the first call reallocates tmpbuf
-enough number of times, resulting in a malloc, th->h_name (that
-res->at->name refers to) ends up on a heap allocated storage in tmpbuf.
-Now if the second call to gethosts also causes the plugin callback to
-return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF
-reference in res->at->name. This then gets dereferenced in the
-getcanonname_r plugin call, resulting in the use after free.
-
-Fix this by copying h_name over and freeing it at the end. This
-resolves BZ #30843, which is assigned CVE-2023-4806.
-
-Signed-off-by: Siddhesh Poyarekar
-(cherry picked from commit 973fe93a5675c42798b2161c6f29c01b0e243994)
-
-Signed-off-by: Kanishk Bansal
-
----
- nss/Makefile | 15 ++++-
- nss/nss_test_gai_hv2_canonname.c | 56 +++++++++++++++++
- nss/tst-nss-gai-hv2-canonname.c | 63 +++++++++++++++++++
- nss/tst-nss-gai-hv2-canonname.h | 1 +
- .../postclean.req | 0
- .../tst-nss-gai-hv2-canonname.script | 2 +
- sysdeps/posix/getaddrinfo.c | 25 +++++---
- 7 files changed, 152 insertions(+), 10 deletions(-)
- create mode 100644 nss/nss_test_gai_hv2_canonname.c
- create mode 100644 nss/tst-nss-gai-hv2-canonname.c
- create mode 100644 nss/tst-nss-gai-hv2-canonname.h
- create mode 100644 nss/tst-nss-gai-hv2-canonname.root/postclean.req
- create mode 100644 nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script
-
-diff --git a/nss/Makefile b/nss/Makefile
-index 06fcdc450f1..8a5126ecf34 100644
---- a/nss/Makefile
-+++ b/nss/Makefile
-@@ -82,6 +82,7 @@ tests-container := \
- tst-nss-test3 \
- tst-reload1 \
- tst-reload2 \
-+ tst-nss-gai-hv2-canonname \
- # tests-container
-
- # Tests which need libdl
-@@ -145,7 +146,8 @@ libnss_compat-inhibit-o = $(filter-out .os,$(object-suffixes))
- ifeq ($(build-static-nss),yes)
- tests-static += tst-nss-static
- endif
--extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os
-+extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \
-+ nss_test_gai_hv2_canonname.os
-
- include ../Rules
-
-@@ -180,12 +182,16 @@ rtld-tests-LDFLAGS += -Wl,--dynamic-list=nss_test.ver
- libof-nss_test1 = extramodules
- libof-nss_test2 = extramodules
- libof-nss_test_errno = extramodules
-+libof-nss_test_gai_hv2_canonname = extramodules
- $(objpfx)/libnss_test1.so: $(objpfx)nss_test1.os $(link-libc-deps)
- $(build-module)
- $(objpfx)/libnss_test2.so: $(objpfx)nss_test2.os $(link-libc-deps)
- $(build-module)
- $(objpfx)/libnss_test_errno.so: $(objpfx)nss_test_errno.os $(link-libc-deps)
- $(build-module)
-+$(objpfx)/libnss_test_gai_hv2_canonname.so: \
-+ $(objpfx)nss_test_gai_hv2_canonname.os $(link-libc-deps)
-+ $(build-module)
- $(objpfx)nss_test2.os : nss_test1.c
- # Use the nss_files suffix for these objects as well.
- $(objpfx)/libnss_test1.so$(libnss_files.so-version): $(objpfx)/libnss_test1.so
-@@ -195,10 +201,14 @@ $(objpfx)/libnss_test2.so$(libnss_files.so-version): $(objpfx)/libnss_test2.so
- $(objpfx)/libnss_test_errno.so$(libnss_files.so-version): \
- $(objpfx)/libnss_test_errno.so
- $(make-link)
-+$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version): \
-+ $(objpfx)/libnss_test_gai_hv2_canonname.so
-+ $(make-link)
- $(patsubst %,$(objpfx)%.out,$(tests) $(tests-container)) : \
- $(objpfx)/libnss_test1.so$(libnss_files.so-version) \
- $(objpfx)/libnss_test2.so$(libnss_files.so-version) \
-- $(objpfx)/libnss_test_errno.so$(libnss_files.so-version)
-+ $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) \
-+ $(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version)
-
- ifeq (yes,$(have-thread-library))
- $(objpfx)tst-cancel-getpwuid_r: $(shared-thread-library)
-@@ -215,3 +225,4 @@ LDFLAGS-tst-nss-test3 = -Wl,--disable-new-dtags
- LDFLAGS-tst-nss-test4 = -Wl,--disable-new-dtags
- LDFLAGS-tst-nss-test5 = -Wl,--disable-new-dtags
- LDFLAGS-tst-nss-test_errno = -Wl,--disable-new-dtags
-+LDFLAGS-tst-nss-test_gai_hv2_canonname = -Wl,--disable-new-dtags
-diff --git a/nss/nss_test_gai_hv2_canonname.c b/nss/nss_test_gai_hv2_canonname.c
-new file mode 100644
-index 00000000000..4439c83c9f4
---- /dev/null
-+++ b/nss/nss_test_gai_hv2_canonname.c
-@@ -0,0 +1,56 @@
-+/* NSS service provider that only provides gethostbyname2_r.
-+ Copyright The GNU Toolchain Authors.
-+ This file is part of the GNU C Library.
-+
-+ The GNU C Library is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU Lesser General Public
-+ License as published by the Free Software Foundation; either
-+ version 2.1 of the License, or (at your option) any later version.
-+
-+ The GNU C Library is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ Lesser General Public License for more details.
-+
-+ You should have received a copy of the GNU Lesser General Public
-+ License along with the GNU C Library; if not, see
-+ . */
-+
-+#include
-+#include
-+#include
-+#include "nss/tst-nss-gai-hv2-canonname.h"
-+
-+/* Catch misnamed and functions. */
-+#pragma GCC diagnostic error "-Wmissing-prototypes"
-+NSS_DECLARE_MODULE_FUNCTIONS (test_gai_hv2_canonname)
-+
-+extern enum nss_status _nss_files_gethostbyname2_r (const char *, int,
-+ struct hostent *, char *,
-+ size_t, int *, int *);
-+
-+enum nss_status
-+_nss_test_gai_hv2_canonname_gethostbyname2_r (const char *name, int af,
-+ struct hostent *result,
-+ char *buffer, size_t buflen,
-+ int *errnop, int *herrnop)
-+{
-+ return _nss_files_gethostbyname2_r (name, af, result, buffer, buflen, errnop,
-+ herrnop);
-+}
-+
-+enum nss_status
-+_nss_test_gai_hv2_canonname_getcanonname_r (const char *name, char *buffer,
-+ size_t buflen, char **result,
-+ int *errnop, int *h_errnop)
-+{
-+ /* We expect QUERYNAME, which is a small enough string that it shouldn't fail
-+ the test. */
-+ if (memcmp (QUERYNAME, name, sizeof (QUERYNAME))
-+ || buflen < sizeof (QUERYNAME))
-+ abort ();
-+
-+ strncpy (buffer, name, buflen);
-+ *result = buffer;
-+ return NSS_STATUS_SUCCESS;
-+}
-diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c
-new file mode 100644
-index 00000000000..d5f10c07d6a
---- /dev/null
-+++ b/nss/tst-nss-gai-hv2-canonname.c
-@@ -0,0 +1,63 @@
-+/* Test NSS query path for plugins that only implement gethostbyname2
-+ (#30843).
-+ Copyright The GNU Toolchain Authors.
-+ This file is part of the GNU C Library.
-+
-+ The GNU C Library is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU Lesser General Public
-+ License as published by the Free Software Foundation; either
-+ version 2.1 of the License, or (at your option) any later version.
-+
-+ The GNU C Library is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ Lesser General Public License for more details.
-+
-+ You should have received a copy of the GNU Lesser General Public
-+ License along with the GNU C Library; if not, see
-+ . */
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include "nss/tst-nss-gai-hv2-canonname.h"
-+
-+#define PREPARE do_prepare
-+
-+static void do_prepare (int a, char **av)
-+{
-+ FILE *hosts = xfopen ("/etc/hosts", "w");
-+ for (unsigned i = 2; i < 255; i++)
-+ {
-+ fprintf (hosts, "ff01::ff02:ff03:%u:2\ttest.example.com\n", i);
-+ fprintf (hosts, "192.168.0.%u\ttest.example.com\n", i);
-+ }
-+ xfclose (hosts);
-+}
-+
-+static int
-+do_test (void)
-+{
-+ __nss_configure_lookup ("hosts", "test_gai_hv2_canonname");
-+
-+ struct addrinfo hints = {};
-+ struct addrinfo *result = NULL;
-+
-+ hints.ai_family = AF_INET6;
-+ hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME;
-+
-+ int ret = getaddrinfo (QUERYNAME, NULL, &hints, &result);
-+
-+ if (ret != 0)
-+ FAIL_EXIT1 ("getaddrinfo failed: %s\n", gai_strerror (ret));
-+
-+ TEST_COMPARE_STRING (result->ai_canonname, QUERYNAME);
-+
-+ freeaddrinfo(result);
-+ return 0;
-+}
-+
-+#include
-diff --git a/nss/tst-nss-gai-hv2-canonname.h b/nss/tst-nss-gai-hv2-canonname.h
-new file mode 100644
-index 00000000000..14f2a9cb086
---- /dev/null
-+++ b/nss/tst-nss-gai-hv2-canonname.h
-@@ -0,0 +1 @@
-+#define QUERYNAME "test.example.com"
-diff --git a/nss/tst-nss-gai-hv2-canonname.root/postclean.req b/nss/tst-nss-gai-hv2-canonname.root/postclean.req
-new file mode 100644
-index 00000000000..e69de29bb2d
-diff --git a/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script
-new file mode 100644
-index 00000000000..31848b4a285
---- /dev/null
-+++ b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script
-@@ -0,0 +1,2 @@
-+cp $B/nss/libnss_test_gai_hv2_canonname.so $L/libnss_test_gai_hv2_canonname.so.2
-+su
-diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
-index 0356b622be6..b2236b105c1 100644
---- a/sysdeps/posix/getaddrinfo.c
-+++ b/sysdeps/posix/getaddrinfo.c
-@@ -120,6 +120,7 @@ struct gaih_result
- {
- struct gaih_addrtuple *at;
- char *canon;
-+ char *h_name;
- bool free_at;
- bool got_ipv6;
- };
-@@ -165,6 +166,7 @@ gaih_result_reset (struct gaih_result *res)
- if (res->free_at)
- free (res->at);
- free (res->canon);
-+ free (res->h_name);
- memset (res, 0, sizeof (*res));
- }
-
-@@ -203,9 +205,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp,
- return 0;
- }
-
--/* Convert struct hostent to a list of struct gaih_addrtuple objects. h_name
-- is not copied, and the struct hostent object must not be deallocated
-- prematurely. The new addresses are appended to the tuple array in RES. */
-+/* Convert struct hostent to a list of struct gaih_addrtuple objects. The new
-+ addresses are appended to the tuple array in RES. */
- static bool
- convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family,
- struct hostent *h, struct gaih_result *res)
-@@ -238,6 +239,15 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family,
- res->at = array;
- res->free_at = true;
-
-+ /* Duplicate h_name because it may get reclaimed when the underlying storage
-+ is freed. */
-+ if (res->h_name == NULL)
-+ {
-+ res->h_name = __strdup (h->h_name);
-+ if (res->h_name == NULL)
-+ return false;
-+ }
-+
- /* Update the next pointers on reallocation. */
- for (size_t i = 0; i < old; i++)
- array[i].next = array + i + 1;
-@@ -262,7 +272,6 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family,
- }
- array[i].next = array + i + 1;
- }
-- array[0].name = h->h_name;
- array[count - 1].next = NULL;
-
- return true;
-@@ -324,15 +333,15 @@ gethosts (nss_gethostbyname3_r fct, int family, const char *name,
- memory allocation failure. The returned string is allocated on the
- heap; the caller has to free it. */
- static char *
--getcanonname (nss_action_list nip, struct gaih_addrtuple *at, const char *name)
-+getcanonname (nss_action_list nip, const char *hname, const char *name)
- {
- nss_getcanonname_r *cfct = __nss_lookup_function (nip, "getcanonname_r");
- char *s = (char *) name;
- if (cfct != NULL)
- {
- char buf[256];
-- if (DL_CALL_FCT (cfct, (at->name ?: name, buf, sizeof (buf),
-- &s, &errno, &h_errno)) != NSS_STATUS_SUCCESS)
-+ if (DL_CALL_FCT (cfct, (hname ?: name, buf, sizeof (buf), &s, &errno,
-+ &h_errno)) != NSS_STATUS_SUCCESS)
- /* If the canonical name cannot be determined, use the passed
- string. */
- s = (char *) name;
-@@ -771,7 +780,7 @@ get_nss_addresses (const char *name, const struct addrinfo *req,
- if ((req->ai_flags & AI_CANONNAME) != 0
- && res->canon == NULL)
- {
-- char *canonbuf = getcanonname (nip, res->at, name);
-+ char *canonbuf = getcanonname (nip, res->h_name, name);
- if (canonbuf == NULL)
- {
- __resolv_context_put (res_ctx);
diff --git a/SPECS/glibc/CVE-2023-4911.patch b/SPECS/glibc/CVE-2023-4911.patch
deleted file mode 100644
index 98da4526b6..0000000000
--- a/SPECS/glibc/CVE-2023-4911.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-backport of https://sourceware.org/git/?p=glibc.git;a=patch;h=1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa
-
-diff -ru glibc-2.38-orig/elf/dl-tunables.c glibc-2.38/elf/dl-tunables.c
---- glibc-2.38-orig/elf/dl-tunables.c 2024-06-17 21:53:23.756408666 +0000
-+++ glibc-2.38/elf/dl-tunables.c 2024-06-17 23:01:00.207961672 +0000
-@@ -180,11 +180,7 @@
- /* If we reach the end of the string before getting a valid name-value
- pair, bail out. */
- if (p[len] == '\0')
-- {
-- if (__libc_enable_secure)
-- tunestr[off] = '\0';
-- return;
-- }
-+ break;
-
- /* We did not find a valid name-value pair before encountering the
- colon. */
-@@ -244,9 +240,16 @@
- }
- }
-
-- if (p[len] != '\0')
-- p += len + 1;
-+ /* We reached the end while processing the tunable string. */
-+ if (p[len] == '\0')
-+ break;
-+
-+ p += len + 1;
- }
-+
-+ /* Terminate tunestr before we leave. */
-+ if (__libc_enable_secure)
-+ tunestr[off] = '\0';
- }
-
- /* Enable the glibc.malloc.check tunable in SETUID/SETGID programs only when
-diff -ru glibc-2.38-orig/elf/tst-env-setuid-tunables.c glibc-2.38/elf/tst-env-setuid-tunables.c
---- glibc-2.38-orig/elf/tst-env-setuid-tunables.c 2024-06-17 21:53:23.808408845 +0000
-+++ glibc-2.38/elf/tst-env-setuid-tunables.c 2024-06-17 23:26:01.648142768 +0000
-@@ -50,6 +50,8 @@
- "glibc.malloc.perturb=0x800:not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
- "glibc.not_valid.check=2:glibc.malloc.mmap_threshold=4096",
- "not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
-+ "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
-+ "glibc.malloc.check=2",
- "glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096:glibc.malloc.check=2",
- "glibc.malloc.check=4:glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096",
- ":glibc.malloc.garbage=2:glibc.malloc.check=1",
-@@ -68,6 +70,8 @@
- "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096",
- "glibc.malloc.mmap_threshold=4096",
- "glibc.malloc.mmap_threshold=4096",
-+ "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
-+ "",
- "",
- "",
- "",
-@@ -81,11 +85,18 @@
- {
- const char *val = getenv ("GLIBC_TUNABLES");
-
-+ printf (" [%d] GLIBC_TUNABLES is %s\n", off, val);
-+ fflush (stdout);
- if (val != NULL && strcmp (val, resultstrings[off]) == 0)
- return 0;
-
- if (val != NULL)
-- printf ("[%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val);
-+ printf (" [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n",
-+ off, val, resultstrings[off]);
-+ else
-+ printf (" [%d] GLIBC_TUNABLES environment variable absent\n", off);
-+
-+ fflush (stdout);
-
- return 1;
- }
-@@ -106,7 +117,9 @@
- if (ret != 0)
- exit (1);
-
-- exit (EXIT_SUCCESS);
-+ /* Special return code to make sure that the child executed all the way
-+ through. */
-+ exit (42);
- }
- else
- {
-@@ -117,10 +130,15 @@
- {
- char buf[INT_BUFSIZE_BOUND (int)];
-
-- printf ("Spawned test for %s (%d)\n", teststrings[i], i);
-- snprintf (buf, sizeof (buf), "%d\n", i);
-- if (setenv ("GLIBC_TUNABLES", teststrings[i], 1) != 0)
-- exit (1);
-+ printf ("[%d] Spawned test for %s\n", i, teststrings[i]);
-+ snprintf (buf, sizeof (buf), "%d\n", i);
-+ fflush (stdout);
-+ if (setenv ("GLIBC_TUNABLES", teststrings[i], 1) != 0)
-+ {
-+ printf (" [%d] Failed to set GLIBC_TUNABLES: %m", i);
-+ support_record_failure ();
-+ continue;
-+ }
-
- int status = support_capture_subprogram_self_sgid (buf);
-
-@@ -128,9 +146,14 @@
- if (WEXITSTATUS (status) == EXIT_UNSUPPORTED)
- return EXIT_UNSUPPORTED;
-
-- ret |= status;
-+ if (WEXITSTATUS (status) != 42)
-+ {
-+ printf (" [%d] child failed with status %d\n", i,
-+ WEXITSTATUS (status));
-+ support_record_failure ();
-+ }
- }
-- return ret;
-+ return 0;
- }
- }
-
diff --git a/SPECS/glibc/CVE-2023-5156.patch b/SPECS/glibc/CVE-2023-5156.patch
deleted file mode 100644
index 562e11bb29..0000000000
--- a/SPECS/glibc/CVE-2023-5156.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From 5ee59ca371b99984232d7584fe2b1a758b4421d3 Mon Sep 17 00:00:00 2001
-From: Romain Geissler
-Date: Mon, 25 Sep 2023 01:21:51 +0100
-Subject: [PATCH] Fix leak in getaddrinfo introduced by the fix for
- CVE-2023-4806 [BZ #30843]
-
-This patch fixes a very recently added leak in getaddrinfo.
-
-This was assigned CVE-2023-5156.
-
-Resolves: BZ #30884
-Related: BZ #30842
-
-Reviewed-by: Siddhesh Poyarekar
-(cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)
-
-Signed-off-by: Kanishk Bansal
-
----
- nss/Makefile | 20 ++++++++++++++++++++
- nss/tst-nss-gai-hv2-canonname.c | 3 +++
- sysdeps/posix/getaddrinfo.c | 4 +---
- 3 files changed, 24 insertions(+), 3 deletions(-)
-
-diff --git a/nss/Makefile b/nss/Makefile
-index 8a5126ecf34..668ba34b187 100644
---- a/nss/Makefile
-+++ b/nss/Makefile
-@@ -149,6 +149,15 @@ endif
- extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \
- nss_test_gai_hv2_canonname.os
-
-+ifeq ($(run-built-tests),yes)
-+ifneq (no,$(PERL))
-+tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out
-+endif
-+endif
-+
-+generated += mtrace-tst-nss-gai-hv2-canonname.out \
-+ tst-nss-gai-hv2-canonname.mtrace
-+
- include ../Rules
-
- ifeq (yes,$(have-selinux))
-@@ -217,6 +226,17 @@ endif
- $(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so
- $(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so
-
-+tst-nss-gai-hv2-canonname-ENV = \
-+ MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \
-+ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
-+$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \
-+ $(objpfx)tst-nss-gai-hv2-canonname.out
-+ { test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \
-+ || ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; ) \
-+ && $(common-objpfx)malloc/mtrace \
-+ $(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \
-+ $(evaluate-test)
-+
- # Disable DT_RUNPATH on NSS tests so that the glibc internal NSS
- # functions can load testing NSS modules via DT_RPATH.
- LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags
-diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c
-index d5f10c07d6a..7db53cf09da 100644
---- a/nss/tst-nss-gai-hv2-canonname.c
-+++ b/nss/tst-nss-gai-hv2-canonname.c
-@@ -21,6 +21,7 @@
- #include
- #include
- #include
-+#include
- #include
- #include
- #include "nss/tst-nss-gai-hv2-canonname.h"
-@@ -41,6 +42,8 @@ static void do_prepare (int a, char **av)
- static int
- do_test (void)
- {
-+ mtrace ();
-+
- __nss_configure_lookup ("hosts", "test_gai_hv2_canonname");
-
- struct addrinfo hints = {};
-diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
-index b2236b105c1..13082305d3f 100644
---- a/sysdeps/posix/getaddrinfo.c
-+++ b/sysdeps/posix/getaddrinfo.c
-@@ -1196,9 +1196,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
- if (malloc_name)
- free ((char *) name);
- free (addrmem);
-- if (res.free_at)
-- free (res.at);
-- free (res.canon);
-+ gaih_result_reset (&res);
-
- return result;
- }
diff --git a/SPECS/glibc/CVE-2023-6246.patch b/SPECS/glibc/CVE-2023-6246.patch
deleted file mode 100644
index 45c76b29a1..0000000000
--- a/SPECS/glibc/CVE-2023-6246.patch
+++ /dev/null
@@ -1,181 +0,0 @@
-From 23514c72b780f3da097ecf33a793b7ba9c2070d2 Mon Sep 17 00:00:00 2001
-From: Arjun Shankar
-Date: Mon, 15 Jan 2024 17:44:43 +0100
-Subject: [PATCH] syslog: Fix heap buffer overflow in __vsyslog_internal
- (CVE-2023-6246)
-
-__vsyslog_internal did not handle a case where printing a SYSLOG_HEADER
-containing a long program name failed to update the required buffer
-size, leading to the allocation and overflow of a too-small buffer on
-the heap. This commit fixes that. It also adds a new regression test
-that uses glibc.malloc.check.
-
-Reviewed-by: Adhemerval Zanella
-Reviewed-by: Carlos O'Donell
-Tested-by: Carlos O'Donell
-(cherry picked from commit 6bd0e4efcc78f3c0115e5ea9739a1642807450da)
----
- misc/Makefile | 8 ++-
- misc/syslog.c | 50 +++++++++++++------
- misc/tst-syslog-long-progname.c | 39 +++++++++++++++
- .../postclean.req | 0
- 4 files changed, 82 insertions(+), 15 deletions(-)
- create mode 100644 misc/tst-syslog-long-progname.c
- create mode 100644 misc/tst-syslog-long-progname.root/postclean.req
-
-diff --git a/misc/Makefile b/misc/Makefile
-index fe0d49c1de..90b31952c5 100644
---- a/misc/Makefile
-+++ b/misc/Makefile
-@@ -289,7 +289,10 @@ tests-special += $(objpfx)tst-error1-mem.out \
- $(objpfx)tst-allocate_once-mem.out
- endif
-
--tests-container := tst-syslog
-+tests-container := \
-+ tst-syslog \
-+ tst-syslog-long-progname \
-+ # tests-container
-
- CFLAGS-select.c += -fexceptions -fasynchronous-unwind-tables
- CFLAGS-tsearch.c += $(uses-callbacks)
-@@ -351,6 +354,9 @@ $(objpfx)tst-allocate_once-mem.out: $(objpfx)tst-allocate_once.out
- $(common-objpfx)malloc/mtrace $(objpfx)tst-allocate_once.mtrace > $@; \
- $(evaluate-test)
-
-+tst-syslog-long-progname-ENV = GLIBC_TUNABLES=glibc.malloc.check=3 \
-+ LD_PRELOAD=libc_malloc_debug.so.0
-+
- $(objpfx)tst-select: $(librt)
- $(objpfx)tst-select-time64: $(librt)
- $(objpfx)tst-pselect: $(librt)
-diff --git a/misc/syslog.c b/misc/syslog.c
-index 1b8cb722c5..814d224a1e 100644
---- a/misc/syslog.c
-+++ b/misc/syslog.c
-@@ -124,8 +124,9 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap,
- {
- /* Try to use a static buffer as an optimization. */
- char bufs[1024];
-- char *buf = NULL;
-- size_t bufsize = 0;
-+ char *buf = bufs;
-+ size_t bufsize;
-+
- int msgoff;
- int saved_errno = errno;
-
-@@ -177,29 +178,50 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap,
- #define SYSLOG_HEADER_WITHOUT_TS(__pri, __msgoff) \
- "<%d>: %n", __pri, __msgoff
-
-- int l;
-+ int l, vl;
- if (has_ts)
- l = __snprintf (bufs, sizeof bufs,
- SYSLOG_HEADER (pri, timestamp, &msgoff, pid));
- else
- l = __snprintf (bufs, sizeof bufs,
- SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff));
-+
-+ char *pos;
-+ size_t len;
-+
- if (0 <= l && l < sizeof bufs)
- {
-- va_list apc;
-- va_copy (apc, ap);
-+ /* At this point, there is still a chance that we can print the
-+ remaining part of the log into bufs and use that. */
-+ pos = bufs + l;
-+ len = sizeof (bufs) - l;
-+ }
-+ else
-+ {
-+ buf = NULL;
-+ /* We already know that bufs is too small to use for this log message.
-+ The next vsnprintf into bufs is used only to calculate the total
-+ required buffer length. We will discard bufs contents and allocate
-+ an appropriately sized buffer later instead. */
-+ pos = bufs;
-+ len = sizeof (bufs);
-+ }
-
-- /* Restore errno for %m format. */
-- __set_errno (saved_errno);
-+ {
-+ va_list apc;
-+ va_copy (apc, ap);
-
-- int vl = __vsnprintf_internal (bufs + l, sizeof bufs - l, fmt, apc,
-- mode_flags);
-- if (0 <= vl && vl < sizeof bufs - l)
-- buf = bufs;
-- bufsize = l + vl;
-+ /* Restore errno for %m format. */
-+ __set_errno (saved_errno);
-
-- va_end (apc);
-- }
-+ vl = __vsnprintf_internal (pos, len, fmt, apc, mode_flags);
-+
-+ if (!(0 <= vl && vl < len))
-+ buf = NULL;
-+
-+ bufsize = l + vl;
-+ va_end (apc);
-+ }
-
- if (buf == NULL)
- {
-diff --git a/misc/tst-syslog-long-progname.c b/misc/tst-syslog-long-progname.c
-new file mode 100644
-index 0000000000..88f37a8a00
---- /dev/null
-+++ b/misc/tst-syslog-long-progname.c
-@@ -0,0 +1,39 @@
-+/* Test heap buffer overflow in syslog with long __progname (CVE-2023-6246)
-+ Copyright (C) 2023 Free Software Foundation, Inc.
-+ This file is part of the GNU C Library.
-+
-+ The GNU C Library is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU Lesser General Public
-+ License as published by the Free Software Foundation; either
-+ version 2.1 of the License, or (at your option) any later version.
-+
-+ The GNU C Library is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ Lesser General Public License for more details.
-+
-+ You should have received a copy of the GNU Lesser General Public
-+ License along with the GNU C Library; if not, see
-+ . */
-+
-+#include
-+#include
-+
-+extern char * __progname;
-+
-+static int
-+do_test (void)
-+{
-+ char long_progname[2048];
-+
-+ memset (long_progname, 'X', sizeof (long_progname) - 1);
-+ long_progname[sizeof (long_progname) - 1] = '\0';
-+
-+ __progname = long_progname;
-+
-+ syslog (LOG_INFO, "Hello, World!");
-+
-+ return 0;
-+}
-+
-+#include
-diff --git a/misc/tst-syslog-long-progname.root/postclean.req b/misc/tst-syslog-long-progname.root/postclean.req
-new file mode 100644
-index 0000000000..e69de29bb2
---
-2.43.5
-
diff --git a/SPECS/glibc/CVE-2023-6779.patch b/SPECS/glibc/CVE-2023-6779.patch
deleted file mode 100644
index 3690e606f2..0000000000
--- a/SPECS/glibc/CVE-2023-6779.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From d0338312aace5bbfef85e03055e1212dd0e49578 Mon Sep 17 00:00:00 2001
-From: Arjun Shankar
-Date: Mon, 15 Jan 2024 17:44:44 +0100
-Subject: [PATCH] syslog: Fix heap buffer overflow in __vsyslog_internal
- (CVE-2023-6779)
-
-__vsyslog_internal used the return value of snprintf/vsnprintf to
-calculate buffer sizes for memory allocation. If these functions (for
-any reason) failed and returned -1, the resulting buffer would be too
-small to hold output. This commit fixes that.
-
-All snprintf/vsnprintf calls are checked for negative return values and
-the function silently returns upon encountering them.
-
-Reviewed-by: Carlos O'Donell
-(cherry picked from commit 7e5a0c286da33159d47d0122007aac016f3e02cd)
----
- misc/syslog.c | 39 ++++++++++++++++++++++++++++-----------
- 1 file changed, 28 insertions(+), 11 deletions(-)
-
-diff --git a/misc/syslog.c b/misc/syslog.c
-index 814d224a1e..53440e47ad 100644
---- a/misc/syslog.c
-+++ b/misc/syslog.c
-@@ -185,11 +185,13 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap,
- else
- l = __snprintf (bufs, sizeof bufs,
- SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff));
-+ if (l < 0)
-+ goto out;
-
- char *pos;
- size_t len;
-
-- if (0 <= l && l < sizeof bufs)
-+ if (l < sizeof bufs)
- {
- /* At this point, there is still a chance that we can print the
- remaining part of the log into bufs and use that. */
-@@ -215,12 +217,15 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap,
- __set_errno (saved_errno);
-
- vl = __vsnprintf_internal (pos, len, fmt, apc, mode_flags);
-+ va_end (apc);
-+
-+ if (vl < 0)
-+ goto out;
-
-- if (!(0 <= vl && vl < len))
-+ if (vl >= len)
- buf = NULL;
-
- bufsize = l + vl;
-- va_end (apc);
- }
-
- if (buf == NULL)
-@@ -231,25 +236,37 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap,
- /* Tell the cancellation handler to free this buffer. */
- clarg.buf = buf;
-
-+ int cl;
- if (has_ts)
-- __snprintf (buf, l + 1,
-- SYSLOG_HEADER (pri, timestamp, &msgoff, pid));
-+ cl = __snprintf (buf, l + 1,
-+ SYSLOG_HEADER (pri, timestamp, &msgoff, pid));
- else
-- __snprintf (buf, l + 1,
-- SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff));
-+ cl = __snprintf (buf, l + 1,
-+ SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff));
-+ if (cl != l)
-+ goto out;
-
- va_list apc;
- va_copy (apc, ap);
-- __vsnprintf_internal (buf + l, bufsize - l + 1, fmt, apc,
-- mode_flags);
-+ cl = __vsnprintf_internal (buf + l, bufsize - l + 1, fmt, apc,
-+ mode_flags);
- va_end (apc);
-+
-+ if (cl != vl)
-+ goto out;
- }
- else
- {
-+ int bl;
- /* Nothing much to do but emit an error message. */
-- bufsize = __snprintf (bufs, sizeof bufs,
-- "out of memory[%d]", __getpid ());
-+ bl = __snprintf (bufs, sizeof bufs,
-+ "out of memory[%d]", __getpid ());
-+ if (bl < 0 || bl >= sizeof bufs)
-+ goto out;
-+
-+ bufsize = bl;
- buf = bufs;
-+ msgoff = 0;
- }
- }
-
---
-2.43.5
-
diff --git a/SPECS/glibc/CVE-2023-6780.patch b/SPECS/glibc/CVE-2023-6780.patch
deleted file mode 100644
index 209368253a..0000000000
--- a/SPECS/glibc/CVE-2023-6780.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From d37c2b20a4787463d192b32041c3406c2bd91de0 Mon Sep 17 00:00:00 2001
-From: Arjun Shankar
-Date: Mon, 15 Jan 2024 17:44:45 +0100
-Subject: [PATCH] syslog: Fix integer overflow in __vsyslog_internal
- (CVE-2023-6780)
-
-__vsyslog_internal calculated a buffer size by adding two integers, but
-did not first check if the addition would overflow. This commit fixes
-that.
-
-Reviewed-by: Carlos O'Donell
-Tested-by: Carlos O'Donell
-(cherry picked from commit ddf542da94caf97ff43cc2875c88749880b7259b)
----
- misc/syslog.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/misc/syslog.c b/misc/syslog.c
-index 53440e47ad..4af87f54fd 100644
---- a/misc/syslog.c
-+++ b/misc/syslog.c
-@@ -41,6 +41,7 @@ static char sccsid[] = "@(#)syslog.c 8.4 (Berkeley) 3/18/94";
- #include
- #include
- #include
-+#include
-
- static int LogType = SOCK_DGRAM; /* type of socket connection */
- static int LogFile = -1; /* fd for log */
-@@ -219,7 +220,7 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap,
- vl = __vsnprintf_internal (pos, len, fmt, apc, mode_flags);
- va_end (apc);
-
-- if (vl < 0)
-+ if (vl < 0 || vl >= INT_MAX - l)
- goto out;
-
- if (vl >= len)
---
-2.43.5
-
diff --git a/SPECS/glibc/CVE-2024-33599.patch b/SPECS/glibc/CVE-2024-33599.patch
deleted file mode 100644
index 2d5610b282..0000000000
--- a/SPECS/glibc/CVE-2024-33599.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 5968aebb86164034b8f8421b4abab2f837a5bdaf Mon Sep 17 00:00:00 2001
-From: Florian Weimer
-Date: Thu, 25 Apr 2024 15:00:45 +0200
-Subject: [PATCH] CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup
- cache (bug 31677)
-
-Using alloca matches what other caches do. The request length is
-bounded by MAXKEYLEN.
-
-Reviewed-by: Carlos O'Donell
-(cherry picked from commit 87801a8fd06db1d654eea3e4f7626ff476a9bdaa)
-
-Signed-off-by: Kanishk Bansal
-
----
- nscd/netgroupcache.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
-index 06b7d7b6ca8..31b721bbee2 100644
---- a/nscd/netgroupcache.c
-+++ b/nscd/netgroupcache.c
-@@ -502,12 +502,13 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
- = (struct indataset *) mempool_alloc (db,
- sizeof (*dataset) + req->key_len,
- 1);
-- struct indataset dataset_mem;
- bool cacheable = true;
- if (__glibc_unlikely (dataset == NULL))
- {
- cacheable = false;
-- dataset = &dataset_mem;
-+ /* The alloca is safe because nscd_run_worker verfies that
-+ key_len is not larger than MAXKEYLEN. */
-+ dataset = alloca (sizeof (*dataset) + req->key_len);
- }
-
- datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
diff --git a/SPECS/glibc/CVE-2024-33600.patch b/SPECS/glibc/CVE-2024-33600.patch
deleted file mode 100644
index cf1c0687f0..0000000000
--- a/SPECS/glibc/CVE-2024-33600.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From e4cb5367b33c57ae078da755c7432cf33681defa Mon Sep 17 00:00:00 2001
-From: Kanishk Bansal
-Date: Thu, 22 May 2025 09:27:05 +0000
-Subject: [PATCH] CVE-2024-33600
-
-Upstream Patch Reference : https://github.com/bminor/glibc/commit/541ea5172aa658c4bd5c6c6d6fd13903c3d5bb0a, https://github.com/bminor/glibc/commit/2ae9446c1b7a3064743b4a51c0bbae668ee43e4c
-
-Signed-off-by: Kanishk Bansal
----
- nscd/netgroupcache.c | 25 +++++++++++++------------
- 1 file changed, 13 insertions(+), 12 deletions(-)
-
-diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
-index 31b721bb..c3cd79de 100644
---- a/nscd/netgroupcache.c
-+++ b/nscd/netgroupcache.c
-@@ -147,7 +147,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
- /* No such service. */
- cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout,
- &key_copy);
-- goto writeout;
-+ goto maybe_cache_add;
- }
-
- memset (&data, '\0', sizeof (data));
-@@ -348,7 +348,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
- {
- cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout,
- &key_copy);
-- goto writeout;
-+ goto maybe_cache_add;
- }
-
- total = buffilled;
-@@ -410,14 +410,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
- }
-
- if (he == NULL && fd != -1)
-- {
-- /* We write the dataset before inserting it to the database
-- since while inserting this thread might block and so would
-- unnecessarily let the receiver wait. */
-- writeout:
-+ /* We write the dataset before inserting it to the database since
-+ while inserting this thread might block and so would
-+ unnecessarily let the receiver wait. */
- writeall (fd, &dataset->resp, dataset->head.recsize);
-- }
-
-+ maybe_cache_add:
- if (cacheable)
- {
- /* If necessary, we also propagate the data to disk. */
-@@ -513,14 +511,15 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
-
- datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
- sizeof (innetgroup_response_header),
-- he == NULL ? 0 : dh->nreloads + 1, result->head.ttl);
-+ he == NULL ? 0 : dh->nreloads + 1,
-+ result == NULL ? db->negtimeout : result->head.ttl);
- /* Set the notfound status and timeout based on the result from
- getnetgrent. */
-- dataset->head.notfound = result->head.notfound;
-+ dataset->head.notfound = result == NULL || result->head.notfound;
- dataset->head.timeout = timeout;
-
- dataset->resp.version = NSCD_VERSION;
-- dataset->resp.found = result->resp.found;
-+ dataset->resp.found = result != NULL && result->resp.found;
- /* Until we find a matching entry the result is 0. */
- dataset->resp.result = 0;
-
-@@ -568,7 +567,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
- goto out;
- }
-
-- if (he == NULL)
-+ /* addgetnetgrentX may have already sent a notfound response. Do
-+ not send another one. */
-+ if (he == NULL && dataset->resp.found)
- {
- /* We write the dataset before inserting it to the database
- since while inserting this thread might block and so would
---
-2.45.3
-
diff --git a/SPECS/glibc/CVE-2024-33601.patch b/SPECS/glibc/CVE-2024-33601.patch
deleted file mode 100644
index 4829bfc0b9..0000000000
--- a/SPECS/glibc/CVE-2024-33601.patch
+++ /dev/null
@@ -1,390 +0,0 @@
-From 71af8ca864345d39b746d5cee84b94b430fad5db Mon Sep 17 00:00:00 2001
-From: Florian Weimer
-Date: Thu, 25 Apr 2024 15:01:07 +0200
-Subject: [PATCH] CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two
- buffers in addgetnetgrentX (bug 31680)
-
-This avoids potential memory corruption when the underlying NSS
-callback function does not use the buffer space to store all strings
-(e.g., for constant strings).
-
-Instead of custom buffer management, two scratch buffers are used.
-This increases stack usage somewhat.
-
-Scratch buffer allocation failure is handled by return -1
-(an invalid timeout value) instead of terminating the process.
-This fixes bug 31679.
-
-Reviewed-by: Siddhesh Poyarekar
-(cherry picked from commit c04a21e050d64a1193a6daab872bca2528bda44b)
-
-Signed-off-by: Kanishk Bansal
-
----
- nscd/netgroupcache.c | 219 ++++++++++++++++++++++++-------------------
- 1 file changed, 121 insertions(+), 98 deletions(-)
-
-diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
-index c3cd79dec59..cc4e270c1f0 100644
---- a/nscd/netgroupcache.c
-+++ b/nscd/netgroupcache.c
-@@ -23,6 +23,7 @@
- #include
- #include
- #include
-+#include
-
- #include "../inet/netgroup.h"
- #include "nscd.h"
-@@ -65,6 +66,16 @@ struct dataset
- char strdata[0];
- };
-
-+/* Send a notfound response to FD. Always returns -1 to indicate an
-+ ephemeral error. */
-+static time_t
-+send_notfound (int fd)
-+{
-+ if (fd != -1)
-+ TEMP_FAILURE_RETRY (send (fd, ¬found, sizeof (notfound), MSG_NOSIGNAL));
-+ return -1;
-+}
-+
- /* Sends a notfound message and prepares a notfound dataset to write to the
- cache. Returns true if there was enough memory to allocate the dataset and
- returns the dataset in DATASETP, total bytes to write in TOTALP and the
-@@ -83,8 +94,7 @@ do_notfound (struct database_dyn *db, int fd, request_header *req,
- total = sizeof (notfound);
- timeout = time (NULL) + db->negtimeout;
-
-- if (fd != -1)
-- TEMP_FAILURE_RETRY (send (fd, ¬found, total, MSG_NOSIGNAL));
-+ send_notfound (fd);
-
- dataset = mempool_alloc (db, sizeof (struct dataset) + req->key_len, 1);
- /* If we cannot permanently store the result, so be it. */
-@@ -109,11 +119,78 @@ do_notfound (struct database_dyn *db, int fd, request_header *req,
- return cacheable;
- }
-
-+struct addgetnetgrentX_scratch
-+{
-+ /* This is the result that the caller should use. It can be NULL,
-+ point into buffer, or it can be in the cache. */
-+ struct dataset *dataset;
-+
-+ struct scratch_buffer buffer;
-+
-+ /* Used internally in addgetnetgrentX as a staging area. */
-+ struct scratch_buffer tmp;
-+
-+ /* Number of bytes in buffer that are actually used. */
-+ size_t buffer_used;
-+};
-+
-+static void
-+addgetnetgrentX_scratch_init (struct addgetnetgrentX_scratch *scratch)
-+{
-+ scratch->dataset = NULL;
-+ scratch_buffer_init (&scratch->buffer);
-+ scratch_buffer_init (&scratch->tmp);
-+
-+ /* Reserve space for the header. */
-+ scratch->buffer_used = sizeof (struct dataset);
-+ static_assert (sizeof (struct dataset) < sizeof (scratch->tmp.__space),
-+ "initial buffer space");
-+ memset (scratch->tmp.data, 0, sizeof (struct dataset));
-+}
-+
-+static void
-+addgetnetgrentX_scratch_free (struct addgetnetgrentX_scratch *scratch)
-+{
-+ scratch_buffer_free (&scratch->buffer);
-+ scratch_buffer_free (&scratch->tmp);
-+}
-+
-+/* Copy LENGTH bytes from S into SCRATCH. Returns NULL if SCRATCH
-+ could not be resized, otherwise a pointer to the copy. */
-+static char *
-+addgetnetgrentX_append_n (struct addgetnetgrentX_scratch *scratch,
-+ const char *s, size_t length)
-+{
-+ while (true)
-+ {
-+ size_t remaining = scratch->buffer.length - scratch->buffer_used;
-+ if (remaining >= length)
-+ break;
-+ if (!scratch_buffer_grow_preserve (&scratch->buffer))
-+ return NULL;
-+ }
-+ char *copy = scratch->buffer.data + scratch->buffer_used;
-+ memcpy (copy, s, length);
-+ scratch->buffer_used += length;
-+ return copy;
-+}
-+
-+/* Copy S into SCRATCH, including its null terminator. Returns false
-+ if SCRATCH could not be resized. */
-+static bool
-+addgetnetgrentX_append (struct addgetnetgrentX_scratch *scratch, const char *s)
-+{
-+ if (s == NULL)
-+ s = "";
-+ return addgetnetgrentX_append_n (scratch, s, strlen (s) + 1) != NULL;
-+}
-+
-+/* Caller must initialize and free *SCRATCH. If the return value is
-+ negative, this function has sent a notfound response. */
- static time_t
- addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
- const char *key, uid_t uid, struct hashentry *he,
-- struct datahead *dh, struct dataset **resultp,
-- void **tofreep)
-+ struct datahead *dh, struct addgetnetgrentX_scratch *scratch)
- {
- if (__glibc_unlikely (debug_level > 0))
- {
-@@ -132,14 +209,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
-
- char *key_copy = NULL;
- struct __netgrent data;
-- size_t buflen = MAX (1024, sizeof (*dataset) + req->key_len);
-- size_t buffilled = sizeof (*dataset);
-- char *buffer = NULL;
- size_t nentries = 0;
- size_t group_len = strlen (key) + 1;
- struct name_list *first_needed
- = alloca (sizeof (struct name_list) + group_len);
-- *tofreep = NULL;
-
- if (netgroup_database == NULL
- && !__nss_database_get (nss_database_netgroup, &netgroup_database))
-@@ -151,8 +224,6 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
- }
-
- memset (&data, '\0', sizeof (data));
-- buffer = xmalloc (buflen);
-- *tofreep = buffer;
- first_needed->next = first_needed;
- memcpy (first_needed->name, key, group_len);
- data.needed_groups = first_needed;
-@@ -195,8 +266,8 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
- while (1)
- {
- int e;
-- status = getfct.f (&data, buffer + buffilled,
-- buflen - buffilled - req->key_len, &e);
-+ status = getfct.f (&data, scratch->tmp.data,
-+ scratch->tmp.length, &e);
- if (status == NSS_STATUS_SUCCESS)
- {
- if (data.type == triple_val)
-@@ -204,68 +275,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
- const char *nhost = data.val.triple.host;
- const char *nuser = data.val.triple.user;
- const char *ndomain = data.val.triple.domain;
--
-- size_t hostlen = strlen (nhost ?: "") + 1;
-- size_t userlen = strlen (nuser ?: "") + 1;
-- size_t domainlen = strlen (ndomain ?: "") + 1;
--
-- if (nhost == NULL || nuser == NULL || ndomain == NULL
-- || nhost > nuser || nuser > ndomain)
-- {
-- const char *last = nhost;
-- if (last == NULL
-- || (nuser != NULL && nuser > last))
-- last = nuser;
-- if (last == NULL
-- || (ndomain != NULL && ndomain > last))
-- last = ndomain;
--
-- size_t bufused
-- = (last == NULL
-- ? buffilled
-- : last + strlen (last) + 1 - buffer);
--
-- /* We have to make temporary copies. */
-- size_t needed = hostlen + userlen + domainlen;
--
-- if (buflen - req->key_len - bufused < needed)
-- {
-- buflen += MAX (buflen, 2 * needed);
-- /* Save offset in the old buffer. We don't
-- bother with the NULL check here since
-- we'll do that later anyway. */
-- size_t nhostdiff = nhost - buffer;
-- size_t nuserdiff = nuser - buffer;
-- size_t ndomaindiff = ndomain - buffer;
--
-- char *newbuf = xrealloc (buffer, buflen);
-- /* Fix up the triplet pointers into the new
-- buffer. */
-- nhost = (nhost ? newbuf + nhostdiff
-- : NULL);
-- nuser = (nuser ? newbuf + nuserdiff
-- : NULL);
-- ndomain = (ndomain ? newbuf + ndomaindiff
-- : NULL);
-- *tofreep = buffer = newbuf;
-- }
--
-- nhost = memcpy (buffer + bufused,
-- nhost ?: "", hostlen);
-- nuser = memcpy ((char *) nhost + hostlen,
-- nuser ?: "", userlen);
-- ndomain = memcpy ((char *) nuser + userlen,
-- ndomain ?: "", domainlen);
-- }
--
-- char *wp = buffer + buffilled;
-- wp = memmove (wp, nhost ?: "", hostlen);
-- wp += hostlen;
-- wp = memmove (wp, nuser ?: "", userlen);
-- wp += userlen;
-- wp = memmove (wp, ndomain ?: "", domainlen);
-- wp += domainlen;
-- buffilled = wp - buffer;
-+ if (!(addgetnetgrentX_append (scratch, nhost)
-+ && addgetnetgrentX_append (scratch, nuser)
-+ && addgetnetgrentX_append (scratch, ndomain)))
-+ return send_notfound (fd);
- ++nentries;
- }
- else
-@@ -317,8 +330,8 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
- }
- else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE)
- {
-- buflen *= 2;
-- *tofreep = buffer = xrealloc (buffer, buflen);
-+ if (!scratch_buffer_grow (&scratch->tmp))
-+ return send_notfound (fd);
- }
- else if (status == NSS_STATUS_RETURN
- || status == NSS_STATUS_NOTFOUND
-@@ -351,10 +364,17 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
- goto maybe_cache_add;
- }
-
-- total = buffilled;
-+ /* Capture the result size without the key appended. */
-+ total = scratch->buffer_used;
-+
-+ /* Make a copy of the key. The scratch buffer must not move after
-+ this point. */
-+ key_copy = addgetnetgrentX_append_n (scratch, key, req->key_len);
-+ if (key_copy == NULL)
-+ return send_notfound (fd);
-
- /* Fill in the dataset. */
-- dataset = (struct dataset *) buffer;
-+ dataset = scratch->buffer.data;
- timeout = datahead_init_pos (&dataset->head, total + req->key_len,
- total - offsetof (struct dataset, resp),
- he == NULL ? 0 : dh->nreloads + 1,
-@@ -363,11 +383,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
- dataset->resp.version = NSCD_VERSION;
- dataset->resp.found = 1;
- dataset->resp.nresults = nentries;
-- dataset->resp.result_len = buffilled - sizeof (*dataset);
--
-- assert (buflen - buffilled >= req->key_len);
-- key_copy = memcpy (buffer + buffilled, key, req->key_len);
-- buffilled += req->key_len;
-+ dataset->resp.result_len = total - sizeof (*dataset);
-
- /* Now we can determine whether on refill we have to create a new
- record or not. */
-@@ -398,7 +414,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
- if (__glibc_likely (newp != NULL))
- {
- /* Adjust pointer into the memory block. */
-- key_copy = (char *) newp + (key_copy - buffer);
-+ key_copy = (char *) newp + (key_copy - (char *) dataset);
-
- dataset = memcpy (newp, dataset, total + req->key_len);
- cacheable = true;
-@@ -439,7 +455,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
- }
-
- out:
-- *resultp = dataset;
-+ scratch->dataset = dataset;
-
- return timeout;
- }
-@@ -460,6 +476,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
- if (user != NULL)
- key = strchr (key, '\0') + 1;
- const char *domain = *key++ ? key : NULL;
-+ struct addgetnetgrentX_scratch scratch;
-+
-+ addgetnetgrentX_scratch_init (&scratch);
-
- if (__glibc_unlikely (debug_level > 0))
- {
-@@ -475,12 +494,8 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
- group, group_len,
- db, uid);
- time_t timeout;
-- void *tofree;
- if (result != NULL)
-- {
-- timeout = result->head.timeout;
-- tofree = NULL;
-- }
-+ timeout = result->head.timeout;
- else
- {
- request_header req_get =
-@@ -489,7 +504,10 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
- .key_len = group_len
- };
- timeout = addgetnetgrentX (db, -1, &req_get, group, uid, NULL, NULL,
-- &result, &tofree);
-+ &scratch);
-+ result = scratch.dataset;
-+ if (timeout < 0)
-+ goto out;
- }
-
- struct indataset
-@@ -603,7 +621,7 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
- }
-
- out:
-- free (tofree);
-+ addgetnetgrentX_scratch_free (&scratch);
- return timeout;
- }
-
-@@ -613,11 +631,12 @@ addgetnetgrentX_ignore (struct database_dyn *db, int fd, request_header *req,
- const char *key, uid_t uid, struct hashentry *he,
- struct datahead *dh)
- {
-- struct dataset *ignore;
-- void *tofree;
-- time_t timeout = addgetnetgrentX (db, fd, req, key, uid, he, dh,
-- &ignore, &tofree);
-- free (tofree);
-+ struct addgetnetgrentX_scratch scratch;
-+ addgetnetgrentX_scratch_init (&scratch);
-+ time_t timeout = addgetnetgrentX (db, fd, req, key, uid, he, dh, &scratch);
-+ addgetnetgrentX_scratch_free (&scratch);
-+ if (timeout < 0)
-+ timeout = 0;
- return timeout;
- }
-
-@@ -661,5 +680,9 @@ readdinnetgr (struct database_dyn *db, struct hashentry *he,
- .key_len = he->len
- };
-
-- return addinnetgrX (db, -1, &req, db->data + he->key, he->owner, he, dh);
-+ int timeout = addinnetgrX (db, -1, &req, db->data + he->key, he->owner,
-+ he, dh);
-+ if (timeout < 0)
-+ timeout = 0;
-+ return timeout;
- }
diff --git a/SPECS/glibc/CVE-2025-0395.patch b/SPECS/glibc/CVE-2025-0395.patch
deleted file mode 100644
index 0def90aa7c..0000000000
--- a/SPECS/glibc/CVE-2025-0395.patch
+++ /dev/null
@@ -1,173 +0,0 @@
-From e4b60c61eba1812eeaeaea5d1520ba86ead98607 Mon Sep 17 00:00:00 2001
-From: Kanishk Bansal
-Date: Thu, 22 May 2025 09:35:53 +0000
-Subject: [PATCH] CVE-2025-0395
-
-Upstream Patch Reference : https://github.com/bminor/glibc/commit/c32fd59314c343db88c3ea4a203870481d33c3d2, https://github.com/bminor/glibc/commit/f984e2d7e8299726891a1a497a3c36cd5542a0bf
-
-Signed-off-by: Kanishk Bansal
----
- assert/Makefile | 1 +
- assert/assert.c | 4 +-
- assert/tst-assert-sa-2025-0001.c | 92 ++++++++++++++++++++++++++++++++
- sysdeps/posix/libc_fatal.c | 4 +-
- 4 files changed, 99 insertions(+), 2 deletions(-)
- create mode 100644 assert/tst-assert-sa-2025-0001.c
-
-diff --git a/assert/Makefile b/assert/Makefile
-index 67f4e6a5..b0fc9fc4 100644
---- a/assert/Makefile
-+++ b/assert/Makefile
-@@ -38,6 +38,7 @@ tests := \
- test-assert-perr \
- tst-assert-c++ \
- tst-assert-g++ \
-+ tst-assert-sa-2025-0001 \
- # tests
-
- ifeq ($(have-cxx-thread_local),yes)
-diff --git a/assert/assert.c b/assert/assert.c
-index b7c7a4a1..65a9fedf 100644
---- a/assert/assert.c
-+++ b/assert/assert.c
-@@ -18,6 +18,7 @@
- #include
- #include
- #include
-+#include
- #include
- #include
- #include
-@@ -64,7 +65,8 @@ __assert_fail_base (const char *fmt, const char *assertion, const char *file,
- (void) __fxprintf (NULL, "%s", str);
- (void) fflush (stderr);
-
-- total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
-+ total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
-+ GLRO(dl_pagesize));
- struct abort_msg_s *buf = __mmap (NULL, total, PROT_READ | PROT_WRITE,
- MAP_ANON | MAP_PRIVATE, -1, 0);
- if (__glibc_likely (buf != MAP_FAILED))
-diff --git a/assert/tst-assert-sa-2025-0001.c b/assert/tst-assert-sa-2025-0001.c
-new file mode 100644
-index 00000000..102cb007
---- /dev/null
-+++ b/assert/tst-assert-sa-2025-0001.c
-@@ -0,0 +1,92 @@
-+/* Test for CVE-2025-0395.
-+ Copyright The GNU Toolchain Authors.
-+ This file is part of the GNU C Library.
-+
-+ The GNU C Library is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU Lesser General Public
-+ License as published by the Free Software Foundation; either
-+ version 2.1 of the License, or (at your option) any later version.
-+
-+ The GNU C Library is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ Lesser General Public License for more details.
-+
-+ You should have received a copy of the GNU Lesser General Public
-+ License along with the GNU C Library; if not, see
-+ . */
-+
-+/* Test that a large enough __progname does not result in a buffer overflow
-+ when printing an assertion failure. This was CVE-2025-0395. */
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+extern const char *__progname;
-+
-+int
-+do_test (int argc, char **argv)
-+{
-+
-+ support_need_proc ("Reads /proc/self/maps to add guards to writable maps.");
-+ ignore_stderr ();
-+
-+ /* XXX assumes that the assert is on a 2 digit line number. */
-+ const char *prompt = ": %s:99: do_test: Assertion `argc < 1' failed.\n";
-+
-+ int ret = fprintf (stderr, prompt, __FILE__);
-+ if (ret < 0)
-+ FAIL_EXIT1 ("fprintf failed: %m\n");
-+
-+ size_t pagesize = getpagesize ();
-+ size_t namesize = pagesize - 1 - ret;
-+
-+ /* Alter the progname so that the assert message fills the entire page. */
-+ char progname[namesize];
-+ memset (progname, 'A', namesize - 1);
-+ progname[namesize - 1] = '\0';
-+ __progname = progname;
-+
-+ FILE *f = xfopen ("/proc/self/maps", "r");
-+ char *line = NULL;
-+ size_t len = 0;
-+ uintptr_t prev_to = 0;
-+
-+ /* Pad the beginning of every writable mapping with a PROT_NONE map. This
-+ ensures that the mmap in the assert_fail path never ends up below a
-+ writable map and will terminate immediately in case of a buffer
-+ overflow. */
-+ while (xgetline (&line, &len, f))
-+ {
-+ uintptr_t from, to;
-+ char perm[4];
-+
-+ sscanf (line, "%" SCNxPTR "-%" SCNxPTR " %c%c%c%c ",
-+ &from, &to,
-+ &perm[0], &perm[1], &perm[2], &perm[3]);
-+
-+ bool writable = (memchr (perm, 'w', 4) != NULL);
-+
-+ if (prev_to != 0 && from - prev_to > pagesize && writable)
-+ xmmap ((void *) from - pagesize, pagesize, PROT_NONE,
-+ MAP_ANONYMOUS | MAP_PRIVATE, 0);
-+
-+ prev_to = to;
-+ }
-+
-+ xfclose (f);
-+
-+ assert (argc < 1);
-+ return 0;
-+}
-+
-+#define EXPECTED_SIGNAL SIGABRT
-+#define TEST_FUNCTION_ARGV do_test
-+#include
-diff --git a/sysdeps/posix/libc_fatal.c b/sysdeps/posix/libc_fatal.c
-index 70edcc10..5b9e4b79 100644
---- a/sysdeps/posix/libc_fatal.c
-+++ b/sysdeps/posix/libc_fatal.c
-@@ -20,6 +20,7 @@
- #include
- #include
- #include
-+#include
- #include
- #include
- #include
-@@ -123,7 +124,8 @@ __libc_message (const char *fmt, ...)
-
- WRITEV_FOR_FATAL (fd, iov, nlist, total);
-
-- total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
-+ total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
-+ GLRO(dl_pagesize));
- struct abort_msg_s *buf = __mmap (NULL, total,
- PROT_READ | PROT_WRITE,
- MAP_ANON | MAP_PRIVATE, -1, 0);
---
-2.45.3
-
diff --git a/SPECS/glibc/CVE-2025-4802.patch b/SPECS/glibc/CVE-2025-4802.patch
deleted file mode 100644
index b766e5da8d..0000000000
--- a/SPECS/glibc/CVE-2025-4802.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 3be3728df2f1912c80abd3288bc6e3a25ad679e4 Mon Sep 17 00:00:00 2001
-From: Adhemerval Zanella
-Date: Mon, 6 Nov 2023 17:25:49 -0300
-Subject: [PATCH] elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for
- static
-
-It mimics the ld.so behavior.
-
-Checked on x86_64-linux-gnu.
-Reviewed-by: Siddhesh Poyarekar
-
-(cherry picked from commit 5451fa962cd0a90a0e2ec1d8910a559ace02bba0)
-
-Changes:
-
- git/elf/dl-support.c
- (missing commit 55f41ef8de4a4d0c5762d78659e11202d3c765d4
- ("elf: Remove LD_PROFILE for static binaries"))
----
- elf/dl-support.c | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
-
-diff --git a/elf/dl-support.c b/elf/dl-support.c
-index 44a54dea074..d57e6505835 100644
---- a/elf/dl-support.c
-+++ b/elf/dl-support.c
-@@ -276,8 +276,6 @@ _dl_non_dynamic_init (void)
- _dl_main_map.l_phdr = GL(dl_phdr);
- _dl_main_map.l_phnum = GL(dl_phnum);
-
-- _dl_verbose = *(getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1;
--
- /* Set up the data structures for the system-supplied DSO early,
- so they can influence _dl_init_paths. */
- setup_vdso (NULL, NULL);
-@@ -285,6 +283,22 @@ _dl_non_dynamic_init (void)
- /* With vDSO setup we can initialize the function pointers. */
- setup_vdso_pointers ();
-
-+ if (__libc_enable_secure)
-+ {
-+ static const char unsecure_envvars[] =
-+ UNSECURE_ENVVARS
-+ ;
-+ const char *cp = unsecure_envvars;
-+
-+ while (cp < unsecure_envvars + sizeof (unsecure_envvars))
-+ {
-+ __unsetenv (cp);
-+ cp = strchr (cp, '\0') + 1;
-+ }
-+ }
-+
-+ _dl_verbose = *(getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1;
-+
- /* Initialize the data structures for the search paths for shared
- objects. */
- _dl_init_paths (getenv ("LD_LIBRARY_PATH"), "LD_LIBRARY_PATH",
-@@ -306,20 +320,6 @@ _dl_non_dynamic_init (void)
- _dl_profile_output
- = &"/var/tmp\0/var/profile"[__libc_enable_secure ? 9 : 0];
-
-- if (__libc_enable_secure)
-- {
-- static const char unsecure_envvars[] =
-- UNSECURE_ENVVARS
-- ;
-- const char *cp = unsecure_envvars;
--
-- while (cp < unsecure_envvars + sizeof (unsecure_envvars))
-- {
-- __unsetenv (cp);
-- cp = strchr (cp, '\0') + 1;
-- }
-- }
--
- #ifdef DL_PLATFORM_INIT
- DL_PLATFORM_INIT;
- #endif
diff --git a/SPECS/glibc/glibc-2.34_pthread_cond_wait.patch b/SPECS/glibc/glibc-2.34_pthread_cond_wait.patch
deleted file mode 100644
index bf04421f81..0000000000
--- a/SPECS/glibc/glibc-2.34_pthread_cond_wait.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff -ruN a/nptl/pthread_cond_wait.c b/nptl/pthread_cond_wait.c
---- a/nptl/pthread_cond_wait.c 2021-11-05 15:04:17.337600296 -0700
-+++ b/nptl/pthread_cond_wait.c 2021-11-05 15:05:23.813388264 -0700
-@@ -589,6 +589,15 @@
- the signal from, which cause it to block using the
- futex). */
- futex_wake (cond->__data.__g_signals + g, 1, private);
-+
-+ /* We might be wrong about stealing, we got the signal
-+ from the an old g1, but ended up returning it to
-+ a different g1. We can't tell whether it is the case.
-+ If it is, we now caused another issue:
-+ now g_refs[g1] is one less than g_size[g1].
-+ The mitigation step is to broadcast g1 and g2, let every
-+ waiter wake up spuriosly. */
-+ __pthread_cond_broadcast(cond);
- break;
- }
- /* TODO Back off. */
diff --git a/SPECS/glibc/glibc-2.35-fhs-1.patch b/SPECS/glibc/glibc-2.35-fhs-1.patch
deleted file mode 100644
index 4ac8d106bb..0000000000
--- a/SPECS/glibc/glibc-2.35-fhs-1.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-Submitted By: Armin K.
-Date: 2013-02-11
-Initial Package Version: 2.17
-Upstream Status: Not Applicable
-Origin: Self
-Description: This patch removes references to /var/db directory which is not part
- of FHS and replaces them with more suitable directories in /var
- hierarchy - /var/cache/nscd for nscd and /var/lib/nss_db for nss_db.
-
---- a/Makeconfig 2012-12-25 04:02:13.000000000 +0100
-+++ b/Makeconfig 2013-02-11 01:32:32.500667439 +0100
-@@ -250,7 +250,7 @@
-
- # Directory for the database files and Makefile for nss_db.
- ifndef vardbdir
--vardbdir = $(localstatedir)/db
-+vardbdir = $(localstatedir)/lib/nss_db
- endif
- inst_vardbdir = $(install_root)$(vardbdir)
-
---- a/nscd/nscd.h 2012-12-25 04:02:13.000000000 +0100
-+++ b/nscd/nscd.h 2013-02-11 01:32:32.500667439 +0100
-@@ -112,11 +112,11 @@
-
-
- /* Paths of the file for the persistent storage. */
--#define _PATH_NSCD_PASSWD_DB "/var/db/nscd/passwd"
--#define _PATH_NSCD_GROUP_DB "/var/db/nscd/group"
--#define _PATH_NSCD_HOSTS_DB "/var/db/nscd/hosts"
--#define _PATH_NSCD_SERVICES_DB "/var/db/nscd/services"
--#define _PATH_NSCD_NETGROUP_DB "/var/db/nscd/netgroup"
-+#define _PATH_NSCD_PASSWD_DB "/var/cache/nscd/passwd"
-+#define _PATH_NSCD_GROUP_DB "/var/cache/nscd/group"
-+#define _PATH_NSCD_HOSTS_DB "/var/cache/nscd/hosts"
-+#define _PATH_NSCD_SERVICES_DB "/var/cache/nscd/services"
-+#define _PATH_NSCD_NETGROUP_DB "/var/cache/nscd/netgroup"
-
- /* Path used when not using persistent storage. */
- #define _PATH_NSCD_XYZ_DB_TMP "/var/run/nscd/dbXXXXXX"
---- a/nss/db-Makefile 2012-12-25 04:02:13.000000000 +0100
-+++ b/nss/db-Makefile 2013-02-11 01:32:32.500667439 +0100
-@@ -22,7 +22,7 @@
- /etc/rpc /etc/services /etc/shadow /etc/gshadow \
- /etc/netgroup)
-
--VAR_DB = /var/db
-+VAR_DB = /var/lib/nss_db
-
- AWK = awk
- MAKEDB = makedb --quiet
---- a/sysdeps/generic/paths.h 2012-12-25 04:02:13.000000000 +0100
-+++ b/sysdeps/generic/paths.h 2013-02-11 01:32:32.500667439 +0100
-@@ -68,7 +68,7 @@
- /* Provide trailing slash, since mostly used for building pathnames. */
- #define _PATH_DEV "/dev/"
- #define _PATH_TMP "/tmp/"
--#define _PATH_VARDB "/var/db/"
-+#define _PATH_VARDB "/var/lib/nss_db/"
- #define _PATH_VARRUN "/var/run/"
- #define _PATH_VARTMP "/var/tmp/"
-
---- a/sysdeps/unix/sysv/linux/paths.h 2012-12-25 04:02:13.000000000 +0100
-+++ b/sysdeps/unix/sysv/linux/paths.h 2013-02-11 01:32:32.504000831 +0100
-@@ -68,7 +68,7 @@
- /* Provide trailing slash, since mostly used for building pathnames. */
- #define _PATH_DEV "/dev/"
- #define _PATH_TMP "/tmp/"
--#define _PATH_VARDB "/var/db/"
-+#define _PATH_VARDB "/var/lib/nss_db/"
- #define _PATH_VARRUN "/var/run/"
- #define _PATH_VARTMP "/var/tmp/"
-
diff --git a/SPECS/glibc/glibc-2.38-fhs-1.patch b/SPECS/glibc/glibc-2.38-fhs-1.patch
deleted file mode 100644
index 4ac8d106bb..0000000000
--- a/SPECS/glibc/glibc-2.38-fhs-1.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-Submitted By: Armin K.
-Date: 2013-02-11
-Initial Package Version: 2.17
-Upstream Status: Not Applicable
-Origin: Self
-Description: This patch removes references to /var/db directory which is not part
- of FHS and replaces them with more suitable directories in /var
- hierarchy - /var/cache/nscd for nscd and /var/lib/nss_db for nss_db.
-
---- a/Makeconfig 2012-12-25 04:02:13.000000000 +0100
-+++ b/Makeconfig 2013-02-11 01:32:32.500667439 +0100
-@@ -250,7 +250,7 @@
-
- # Directory for the database files and Makefile for nss_db.
- ifndef vardbdir
--vardbdir = $(localstatedir)/db
-+vardbdir = $(localstatedir)/lib/nss_db
- endif
- inst_vardbdir = $(install_root)$(vardbdir)
-
---- a/nscd/nscd.h 2012-12-25 04:02:13.000000000 +0100
-+++ b/nscd/nscd.h 2013-02-11 01:32:32.500667439 +0100
-@@ -112,11 +112,11 @@
-
-
- /* Paths of the file for the persistent storage. */
--#define _PATH_NSCD_PASSWD_DB "/var/db/nscd/passwd"
--#define _PATH_NSCD_GROUP_DB "/var/db/nscd/group"
--#define _PATH_NSCD_HOSTS_DB "/var/db/nscd/hosts"
--#define _PATH_NSCD_SERVICES_DB "/var/db/nscd/services"
--#define _PATH_NSCD_NETGROUP_DB "/var/db/nscd/netgroup"
-+#define _PATH_NSCD_PASSWD_DB "/var/cache/nscd/passwd"
-+#define _PATH_NSCD_GROUP_DB "/var/cache/nscd/group"
-+#define _PATH_NSCD_HOSTS_DB "/var/cache/nscd/hosts"
-+#define _PATH_NSCD_SERVICES_DB "/var/cache/nscd/services"
-+#define _PATH_NSCD_NETGROUP_DB "/var/cache/nscd/netgroup"
-
- /* Path used when not using persistent storage. */
- #define _PATH_NSCD_XYZ_DB_TMP "/var/run/nscd/dbXXXXXX"
---- a/nss/db-Makefile 2012-12-25 04:02:13.000000000 +0100
-+++ b/nss/db-Makefile 2013-02-11 01:32:32.500667439 +0100
-@@ -22,7 +22,7 @@
- /etc/rpc /etc/services /etc/shadow /etc/gshadow \
- /etc/netgroup)
-
--VAR_DB = /var/db
-+VAR_DB = /var/lib/nss_db
-
- AWK = awk
- MAKEDB = makedb --quiet
---- a/sysdeps/generic/paths.h 2012-12-25 04:02:13.000000000 +0100
-+++ b/sysdeps/generic/paths.h 2013-02-11 01:32:32.500667439 +0100
-@@ -68,7 +68,7 @@
- /* Provide trailing slash, since mostly used for building pathnames. */
- #define _PATH_DEV "/dev/"
- #define _PATH_TMP "/tmp/"
--#define _PATH_VARDB "/var/db/"
-+#define _PATH_VARDB "/var/lib/nss_db/"
- #define _PATH_VARRUN "/var/run/"
- #define _PATH_VARTMP "/var/tmp/"
-
---- a/sysdeps/unix/sysv/linux/paths.h 2012-12-25 04:02:13.000000000 +0100
-+++ b/sysdeps/unix/sysv/linux/paths.h 2013-02-11 01:32:32.504000831 +0100
-@@ -68,7 +68,7 @@
- /* Provide trailing slash, since mostly used for building pathnames. */
- #define _PATH_DEV "/dev/"
- #define _PATH_TMP "/tmp/"
--#define _PATH_VARDB "/var/db/"
-+#define _PATH_VARDB "/var/lib/nss_db/"
- #define _PATH_VARRUN "/var/run/"
- #define _PATH_VARTMP "/var/tmp/"
-
diff --git a/SPECS/glibc/glibc-2.38-memalign_fix-1.patch b/SPECS/glibc/glibc-2.38-memalign_fix-1.patch
deleted file mode 100644
index b04c21f3de..0000000000
--- a/SPECS/glibc/glibc-2.38-memalign_fix-1.patch
+++ /dev/null
@@ -1,585 +0,0 @@
-Submitted By: Xi Ruoyao
-Date: 2023-08-13
-Initial Package Version: 2.38
-Upstream Status: Under review
-Origin: Upstream & Self
- - 1/3: https://sourceware.org/git/?p=glibc.git;a=patch;h=542b11058525
- - 2/3: https://sourceware.org/pipermail/libc-alpha/2023-August/150857.html
- - 3/3: Trivial unused code removal
-Description: Fixes a regression causing posix_memalign()
- very slow in certain conditions to avoid
- breaking ffmpeg-based applications.
-
-From fc01478d06658ace8d57e5328c1e717275acfe84 Mon Sep 17 00:00:00 2001
-From: Florian Weimer
-Date: Fri, 11 Aug 2023 11:18:17 +0200
-Subject: [PATCH 1/3] malloc: Enable merging of remainders in memalign (bug
- 30723)
-
-Previously, calling _int_free from _int_memalign could put remainders
-into the tcache or into fastbins, where they are invisible to the
-low-level allocator. This results in missed merge opportunities
-because once these freed chunks become available to the low-level
-allocator, further memalign allocations (even of the same size are)
-likely obstructing merges.
-
-Furthermore, during forwards merging in _int_memalign, do not
-completely give up when the remainder is too small to serve as a
-chunk on its own. We can still give it back if it can be merged
-with the following unused chunk. This makes it more likely that
-memalign calls in a loop achieve a compact memory layout,
-independently of initial heap layout.
-
-Drop some useless (unsigned long) casts along the way, and tweak
-the style to more closely match GNU on changed lines.
-
-Reviewed-by: DJ Delorie
-(cherry picked from commit 542b1105852568c3ebc712225ae78b8c8ba31a78)
----
- malloc/malloc.c | 197 +++++++++++++++++++++++++++++-------------------
- 1 file changed, 121 insertions(+), 76 deletions(-)
-
-diff --git a/malloc/malloc.c b/malloc/malloc.c
-index e2f1a615a4..948f9759af 100644
---- a/malloc/malloc.c
-+++ b/malloc/malloc.c
-@@ -1086,6 +1086,11 @@ typedef struct malloc_chunk* mchunkptr;
-
- static void* _int_malloc(mstate, size_t);
- static void _int_free(mstate, mchunkptr, int);
-+static void _int_free_merge_chunk (mstate, mchunkptr, INTERNAL_SIZE_T);
-+static INTERNAL_SIZE_T _int_free_create_chunk (mstate,
-+ mchunkptr, INTERNAL_SIZE_T,
-+ mchunkptr, INTERNAL_SIZE_T);
-+static void _int_free_maybe_consolidate (mstate, INTERNAL_SIZE_T);
- static void* _int_realloc(mstate, mchunkptr, INTERNAL_SIZE_T,
- INTERNAL_SIZE_T);
- static void* _int_memalign(mstate, size_t, size_t);
-@@ -4637,31 +4642,52 @@ _int_free (mstate av, mchunkptr p, int have_lock)
- if (!have_lock)
- __libc_lock_lock (av->mutex);
-
-- nextchunk = chunk_at_offset(p, size);
--
-- /* Lightweight tests: check whether the block is already the
-- top block. */
-- if (__glibc_unlikely (p == av->top))
-- malloc_printerr ("double free or corruption (top)");
-- /* Or whether the next chunk is beyond the boundaries of the arena. */
-- if (__builtin_expect (contiguous (av)
-- && (char *) nextchunk
-- >= ((char *) av->top + chunksize(av->top)), 0))
-- malloc_printerr ("double free or corruption (out)");
-- /* Or whether the block is actually not marked used. */
-- if (__glibc_unlikely (!prev_inuse(nextchunk)))
-- malloc_printerr ("double free or corruption (!prev)");
--
-- nextsize = chunksize(nextchunk);
-- if (__builtin_expect (chunksize_nomask (nextchunk) <= CHUNK_HDR_SZ, 0)
-- || __builtin_expect (nextsize >= av->system_mem, 0))
-- malloc_printerr ("free(): invalid next size (normal)");
-+ _int_free_merge_chunk (av, p, size);
-
-- free_perturb (chunk2mem(p), size - CHUNK_HDR_SZ);
-+ if (!have_lock)
-+ __libc_lock_unlock (av->mutex);
-+ }
-+ /*
-+ If the chunk was allocated via mmap, release via munmap().
-+ */
-+
-+ else {
-+ munmap_chunk (p);
-+ }
-+}
-+
-+/* Try to merge chunk P of SIZE bytes with its neighbors. Put the
-+ resulting chunk on the appropriate bin list. P must not be on a
-+ bin list yet, and it can be in use. */
-+static void
-+_int_free_merge_chunk (mstate av, mchunkptr p, INTERNAL_SIZE_T size)
-+{
-+ mchunkptr nextchunk = chunk_at_offset(p, size);
-+
-+ /* Lightweight tests: check whether the block is already the
-+ top block. */
-+ if (__glibc_unlikely (p == av->top))
-+ malloc_printerr ("double free or corruption (top)");
-+ /* Or whether the next chunk is beyond the boundaries of the arena. */
-+ if (__builtin_expect (contiguous (av)
-+ && (char *) nextchunk
-+ >= ((char *) av->top + chunksize(av->top)), 0))
-+ malloc_printerr ("double free or corruption (out)");
-+ /* Or whether the block is actually not marked used. */
-+ if (__glibc_unlikely (!prev_inuse(nextchunk)))
-+ malloc_printerr ("double free or corruption (!prev)");
-+
-+ INTERNAL_SIZE_T nextsize = chunksize(nextchunk);
-+ if (__builtin_expect (chunksize_nomask (nextchunk) <= CHUNK_HDR_SZ, 0)
-+ || __builtin_expect (nextsize >= av->system_mem, 0))
-+ malloc_printerr ("free(): invalid next size (normal)");
-+
-+ free_perturb (chunk2mem(p), size - CHUNK_HDR_SZ);
-
-- /* consolidate backward */
-- if (!prev_inuse(p)) {
-- prevsize = prev_size (p);
-+ /* Consolidate backward. */
-+ if (!prev_inuse(p))
-+ {
-+ INTERNAL_SIZE_T prevsize = prev_size (p);
- size += prevsize;
- p = chunk_at_offset(p, -((long) prevsize));
- if (__glibc_unlikely (chunksize(p) != prevsize))
-@@ -4669,9 +4695,25 @@ _int_free (mstate av, mchunkptr p, int have_lock)
- unlink_chunk (av, p);
- }
-
-- if (nextchunk != av->top) {
-+ /* Write the chunk header, maybe after merging with the following chunk. */
-+ size = _int_free_create_chunk (av, p, size, nextchunk, nextsize);
-+ _int_free_maybe_consolidate (av, size);
-+}
-+
-+/* Create a chunk at P of SIZE bytes, with SIZE potentially increased
-+ to cover the immediately following chunk NEXTCHUNK of NEXTSIZE
-+ bytes (if NEXTCHUNK is unused). The chunk at P is not actually
-+ read and does not have to be initialized. After creation, it is
-+ placed on the appropriate bin list. The function returns the size
-+ of the new chunk. */
-+static INTERNAL_SIZE_T
-+_int_free_create_chunk (mstate av, mchunkptr p, INTERNAL_SIZE_T size,
-+ mchunkptr nextchunk, INTERNAL_SIZE_T nextsize)
-+{
-+ if (nextchunk != av->top)
-+ {
- /* get and clear inuse bit */
-- nextinuse = inuse_bit_at_offset(nextchunk, nextsize);
-+ bool nextinuse = inuse_bit_at_offset (nextchunk, nextsize);
-
- /* consolidate forward */
- if (!nextinuse) {
-@@ -4686,8 +4728,8 @@ _int_free (mstate av, mchunkptr p, int have_lock)
- been given one chance to be used in malloc.
- */
-
-- bck = unsorted_chunks(av);
-- fwd = bck->fd;
-+ mchunkptr bck = unsorted_chunks (av);
-+ mchunkptr fwd = bck->fd;
- if (__glibc_unlikely (fwd->bk != bck))
- malloc_printerr ("free(): corrupted unsorted chunks");
- p->fd = fwd;
-@@ -4706,61 +4748,52 @@ _int_free (mstate av, mchunkptr p, int have_lock)
- check_free_chunk(av, p);
- }
-
-- /*
-- If the chunk borders the current high end of memory,
-- consolidate into top
-- */
--
-- else {
-+ else
-+ {
-+ /* If the chunk borders the current high end of memory,
-+ consolidate into top. */
- size += nextsize;
- set_head(p, size | PREV_INUSE);
- av->top = p;
- check_chunk(av, p);
- }
-
-- /*
-- If freeing a large space, consolidate possibly-surrounding
-- chunks. Then, if the total unused topmost memory exceeds trim
-- threshold, ask malloc_trim to reduce top.
--
-- Unless max_fast is 0, we don't know if there are fastbins
-- bordering top, so we cannot tell for sure whether threshold
-- has been reached unless fastbins are consolidated. But we
-- don't want to consolidate on each free. As a compromise,
-- consolidation is performed if FASTBIN_CONSOLIDATION_THRESHOLD
-- is reached.
-- */
-+ return size;
-+}
-
-- if ((unsigned long)(size) >= FASTBIN_CONSOLIDATION_THRESHOLD) {
-+/* If freeing a large space, consolidate possibly-surrounding
-+ chunks. Then, if the total unused topmost memory exceeds trim
-+ threshold, ask malloc_trim to reduce top. */
-+static void
-+_int_free_maybe_consolidate (mstate av, INTERNAL_SIZE_T size)
-+{
-+ /* Unless max_fast is 0, we don't know if there are fastbins
-+ bordering top, so we cannot tell for sure whether threshold has
-+ been reached unless fastbins are consolidated. But we don't want
-+ to consolidate on each free. As a compromise, consolidation is
-+ performed if FASTBIN_CONSOLIDATION_THRESHOLD is reached. */
-+ if (size >= FASTBIN_CONSOLIDATION_THRESHOLD)
-+ {
- if (atomic_load_relaxed (&av->have_fastchunks))
- malloc_consolidate(av);
-
-- if (av == &main_arena) {
-+ if (av == &main_arena)
-+ {
- #ifndef MORECORE_CANNOT_TRIM
-- if ((unsigned long)(chunksize(av->top)) >=
-- (unsigned long)(mp_.trim_threshold))
-- systrim(mp_.top_pad, av);
-+ if (chunksize (av->top) >= mp_.trim_threshold)
-+ systrim (mp_.top_pad, av);
- #endif
-- } else {
-- /* Always try heap_trim(), even if the top chunk is not
-- large, because the corresponding heap might go away. */
-- heap_info *heap = heap_for_ptr(top(av));
-+ }
-+ else
-+ {
-+ /* Always try heap_trim, even if the top chunk is not large,
-+ because the corresponding heap might go away. */
-+ heap_info *heap = heap_for_ptr (top (av));
-
-- assert(heap->ar_ptr == av);
-- heap_trim(heap, mp_.top_pad);
-- }
-+ assert (heap->ar_ptr == av);
-+ heap_trim (heap, mp_.top_pad);
-+ }
- }
--
-- if (!have_lock)
-- __libc_lock_unlock (av->mutex);
-- }
-- /*
-- If the chunk was allocated via mmap, release via munmap().
-- */
--
-- else {
-- munmap_chunk (p);
-- }
- }
-
- /*
-@@ -5221,7 +5254,7 @@ _int_memalign (mstate av, size_t alignment, size_t bytes)
- (av != &main_arena ? NON_MAIN_ARENA : 0));
- set_inuse_bit_at_offset (newp, newsize);
- set_head_size (p, leadsize | (av != &main_arena ? NON_MAIN_ARENA : 0));
-- _int_free (av, p, 1);
-+ _int_free_merge_chunk (av, p, leadsize);
- p = newp;
-
- assert (newsize >= nb &&
-@@ -5232,15 +5265,27 @@ _int_memalign (mstate av, size_t alignment, size_t bytes)
- if (!chunk_is_mmapped (p))
- {
- size = chunksize (p);
-- if ((unsigned long) (size) > (unsigned long) (nb + MINSIZE))
-+ mchunkptr nextchunk = chunk_at_offset(p, size);
-+ INTERNAL_SIZE_T nextsize = chunksize(nextchunk);
-+ if (size > nb)
- {
- remainder_size = size - nb;
-- remainder = chunk_at_offset (p, nb);
-- set_head (remainder, remainder_size | PREV_INUSE |
-- (av != &main_arena ? NON_MAIN_ARENA : 0));
-- set_head_size (p, nb);
-- _int_free (av, remainder, 1);
-- }
-+ if (remainder_size >= MINSIZE
-+ || nextchunk == av->top
-+ || !inuse_bit_at_offset (nextchunk, nextsize))
-+ {
-+ /* We can only give back the tail if it is larger than
-+ MINSIZE, or if the following chunk is unused (top
-+ chunk or unused in-heap chunk). Otherwise we would
-+ create a chunk that is smaller than MINSIZE. */
-+ remainder = chunk_at_offset (p, nb);
-+ set_head_size (p, nb);
-+ remainder_size = _int_free_create_chunk (av, remainder,
-+ remainder_size,
-+ nextchunk, nextsize);
-+ _int_free_maybe_consolidate (av, remainder_size);
-+ }
-+ }
- }
-
- check_inuse_chunk (av, p);
---
-2.41.0
-
-From b37e836b7cc2dba672e1de1cc7e076ba1c712614 Mon Sep 17 00:00:00 2001
-From: Florian Weimer
-Date: Fri, 11 Aug 2023 17:48:13 +0200
-Subject: [PATCH 2/3] malloc: Remove bin scanning from memalign (bug 30723)
-
-On the test workload (mpv --cache=yes with VP9 video decoding), the
-bin scanning has a very poor success rate (less than 2%). The tcache
-scanning has about 50% success rate, so keep that.
-
-Update comments in malloc/tst-memalign-2 to indicate the purpose
-of the tests. Even with the scanning removed, the additional
-merging opportunities since commit 542b1105852568c3ebc712225ae78b
-("malloc: Enable merging of remainders in memalign (bug 30723)")
-are sufficient to pass the existing large bins test.
-
-Link: https://sourceware.org/pipermail/libc-alpha/2023-August/150857.html
----
- malloc/malloc.c | 127 ++--------------------------------------
- malloc/tst-memalign-2.c | 7 ++-
- 2 files changed, 10 insertions(+), 124 deletions(-)
-
-diff --git a/malloc/malloc.c b/malloc/malloc.c
-index 948f9759af..9c2cab7a59 100644
---- a/malloc/malloc.c
-+++ b/malloc/malloc.c
-@@ -5082,7 +5082,6 @@ _int_memalign (mstate av, size_t alignment, size_t bytes)
- mchunkptr remainder; /* spare room at end to split off */
- unsigned long remainder_size; /* its size */
- INTERNAL_SIZE_T size;
-- mchunkptr victim;
-
- nb = checked_request2size (bytes);
- if (nb == 0)
-@@ -5101,129 +5100,13 @@ _int_memalign (mstate av, size_t alignment, size_t bytes)
- we don't find anything in those bins, the common malloc code will
- scan starting at 2x. */
-
-- /* This will be set if we found a candidate chunk. */
-- victim = NULL;
-+ /* Call malloc with worst case padding to hit alignment. */
-+ m = (char *) (_int_malloc (av, nb + alignment + MINSIZE));
-
-- /* Fast bins are singly-linked, hard to remove a chunk from the middle
-- and unlikely to meet our alignment requirements. We have not done
-- any experimentation with searching for aligned fastbins. */
-+ if (m == 0)
-+ return 0; /* propagate failure */
-
-- if (av != NULL)
-- {
-- int first_bin_index;
-- int first_largebin_index;
-- int last_bin_index;
--
-- if (in_smallbin_range (nb))
-- first_bin_index = smallbin_index (nb);
-- else
-- first_bin_index = largebin_index (nb);
--
-- if (in_smallbin_range (nb * 2))
-- last_bin_index = smallbin_index (nb * 2);
-- else
-- last_bin_index = largebin_index (nb * 2);
--
-- first_largebin_index = largebin_index (MIN_LARGE_SIZE);
--
-- int victim_index; /* its bin index */
--
-- for (victim_index = first_bin_index;
-- victim_index < last_bin_index;
-- victim_index ++)
-- {
-- victim = NULL;
--
-- if (victim_index < first_largebin_index)
-- {
-- /* Check small bins. Small bin chunks are doubly-linked despite
-- being the same size. */
--
-- mchunkptr fwd; /* misc temp for linking */
-- mchunkptr bck; /* misc temp for linking */
--
-- bck = bin_at (av, victim_index);
-- fwd = bck->fd;
-- while (fwd != bck)
-- {
-- if (chunk_ok_for_memalign (fwd, alignment, nb) > 0)
-- {
-- victim = fwd;
--
-- /* Unlink it */
-- victim->fd->bk = victim->bk;
-- victim->bk->fd = victim->fd;
-- break;
-- }
--
-- fwd = fwd->fd;
-- }
-- }
-- else
-- {
-- /* Check large bins. */
-- mchunkptr fwd; /* misc temp for linking */
-- mchunkptr bck; /* misc temp for linking */
-- mchunkptr best = NULL;
-- size_t best_size = 0;
--
-- bck = bin_at (av, victim_index);
-- fwd = bck->fd;
--
-- while (fwd != bck)
-- {
-- int extra;
--
-- if (chunksize (fwd) < nb)
-- break;
-- extra = chunk_ok_for_memalign (fwd, alignment, nb);
-- if (extra > 0
-- && (extra <= best_size || best == NULL))
-- {
-- best = fwd;
-- best_size = extra;
-- }
--
-- fwd = fwd->fd;
-- }
-- victim = best;
--
-- if (victim != NULL)
-- {
-- unlink_chunk (av, victim);
-- break;
-- }
-- }
--
-- if (victim != NULL)
-- break;
-- }
-- }
--
-- /* Strategy: find a spot within that chunk that meets the alignment
-- request, and then possibly free the leading and trailing space.
-- This strategy is incredibly costly and can lead to external
-- fragmentation if header and footer chunks are unused. */
--
-- if (victim != NULL)
-- {
-- p = victim;
-- m = chunk2mem (p);
-- set_inuse (p);
-- if (av != &main_arena)
-- set_non_main_arena (p);
-- }
-- else
-- {
-- /* Call malloc with worst case padding to hit alignment. */
--
-- m = (char *) (_int_malloc (av, nb + alignment + MINSIZE));
--
-- if (m == 0)
-- return 0; /* propagate failure */
--
-- p = mem2chunk (m);
-- }
-+ p = mem2chunk (m);
-
- if ((((unsigned long) (m)) % alignment) != 0) /* misaligned */
- {
-diff --git a/malloc/tst-memalign-2.c b/malloc/tst-memalign-2.c
-index f229283dbf..ecd6fa249e 100644
---- a/malloc/tst-memalign-2.c
-+++ b/malloc/tst-memalign-2.c
-@@ -86,7 +86,8 @@ do_test (void)
- TEST_VERIFY (tcache_allocs[i].ptr1 == tcache_allocs[i].ptr2);
- }
-
-- /* Test for non-head tcache hits. */
-+ /* Test for non-head tcache hits. This exercises the memalign
-+ scanning code to find matching allocations. */
- for (i = 0; i < array_length (ptr); ++ i)
- {
- if (i == 4)
-@@ -113,7 +114,9 @@ do_test (void)
- free (p);
- TEST_VERIFY (count > 0);
-
-- /* Large bins test. */
-+ /* Large bins test. This verifies that the over-allocated parts
-+ that memalign releases for future allocations can be reused by
-+ memalign itself at least in some cases. */
-
- for (i = 0; i < LN; ++ i)
- {
---
-2.41.0
-
-From 26973f7b09c33e67f6bcbc79371796c8dd334528 Mon Sep 17 00:00:00 2001
-From: Xi Ruoyao
-Date: Mon, 14 Aug 2023 11:05:18 +0800
-Subject: [PATCH 3/3] malloc: Remove unused functions and variables
-
-Remove unused chunk_ok_for_memalign function and unused local variables
-in _int_free.
-
-Signed-off-by: Xi Ruoyao
----
- malloc/malloc.c | 42 ------------------------------------------
- 1 file changed, 42 deletions(-)
-
-diff --git a/malloc/malloc.c b/malloc/malloc.c
-index 9c2cab7a59..d0bbbf3710 100644
---- a/malloc/malloc.c
-+++ b/malloc/malloc.c
-@@ -4488,12 +4488,6 @@ _int_free (mstate av, mchunkptr p, int have_lock)
- {
- INTERNAL_SIZE_T size; /* its size */
- mfastbinptr *fb; /* associated fastbin */
-- mchunkptr nextchunk; /* next contiguous chunk */
-- INTERNAL_SIZE_T nextsize; /* its size */
-- int nextinuse; /* true if nextchunk is used */
-- INTERNAL_SIZE_T prevsize; /* size of previous contiguous chunk */
-- mchunkptr bck; /* misc temp for linking */
-- mchunkptr fwd; /* misc temp for linking */
-
- size = chunksize (p);
-
-@@ -5032,42 +5026,6 @@ _int_realloc (mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
- ------------------------------ memalign ------------------------------
- */
-
--/* Returns 0 if the chunk is not and does not contain the requested
-- aligned sub-chunk, else returns the amount of "waste" from
-- trimming. NB is the *chunk* byte size, not the user byte
-- size. */
--static size_t
--chunk_ok_for_memalign (mchunkptr p, size_t alignment, size_t nb)
--{
-- void *m = chunk2mem (p);
-- INTERNAL_SIZE_T size = chunksize (p);
-- void *aligned_m = m;
--
-- if (__glibc_unlikely (misaligned_chunk (p)))
-- malloc_printerr ("_int_memalign(): unaligned chunk detected");
--
-- aligned_m = PTR_ALIGN_UP (m, alignment);
--
-- INTERNAL_SIZE_T front_extra = (intptr_t) aligned_m - (intptr_t) m;
--
-- /* We can't trim off the front as it's too small. */
-- if (front_extra > 0 && front_extra < MINSIZE)
-- return 0;
--
-- /* If it's a perfect fit, it's an exception to the return value rule
-- (we would return zero waste, which looks like "not usable"), so
-- handle it here by returning a small non-zero value instead. */
-- if (size == nb && front_extra == 0)
-- return 1;
--
-- /* If the block we need fits in the chunk, calculate total waste. */
-- if (size > nb + front_extra)
-- return size - nb;
--
-- /* Can't use this chunk. */
-- return 0;
--}
--
- /* BYTES is user requested bytes, not requested chunksize bytes. */
- static void *
- _int_memalign (mstate av, size_t alignment, size_t bytes)
---
-2.41.0
-
diff --git a/SPECS/glibc/glibc.signatures.json b/SPECS/glibc/glibc.signatures.json
deleted file mode 100644
index e6dc92731d..0000000000
--- a/SPECS/glibc/glibc.signatures.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "Signatures": {
- "glibc-2.38.tar.xz": "fb82998998b2b29965467bc1b69d152e9c307d2cf301c9eafb4555b770ef3fd2",
- "locale-gen.conf": "94182ce116a42e38ce783d2a867dca1eaf4d6a347d4bff9aac4d6e61cbbfc8f4",
- "locale-gen.sh": "df7169cb9f126875e0a57a4700261e16e6eba2a98312d739f972377150ba9964"
- }
-}
diff --git a/SPECS/glibc/glibc.spec b/SPECS/glibc/glibc.spec
deleted file mode 100644
index 7a72b87d9f..0000000000
--- a/SPECS/glibc/glibc.spec
+++ /dev/null
@@ -1,613 +0,0 @@
-%global security_hardening nonow
-%define glibc_target_cpu %{_build}
-
-# Don't depend on bash by default
-%define __requires_exclude ^/(bin|usr/bin).*$
-
-# Enable frame pointers for package
-%define _include_frame_pointers 1
-
-Summary: Main C library
-Name: glibc
-Version: 2.38
-Release: 12%{?dist}
-License: BSD AND GPLv2+ AND Inner-Net AND ISC AND LGPLv2+ AND MIT
-Vendor: Microsoft Corporation
-Distribution: Azure Linux
-Group: Applications/System
-URL: https://www.gnu.org/software/libc
-Source0: https://ftp.gnu.org/gnu/glibc/%{name}-%{version}.tar.xz
-Source1: locale-gen.sh
-Source2: locale-gen.conf
-Patch0: https://www.linuxfromscratch.org/patches/downloads/glibc/glibc-2.38-fhs-1.patch
-# Only applicable on ARMv7 targets.
-Patch1: CVE-2020-6096.nopatch
-# Only applicable on x32 targets.
-Patch2: CVE-2019-6488.nopatch
-# Only applicable on PowerPC targets.
-Patch3: CVE-2020-1751.nopatch
-# Marked by upstream/Ubuntu/Red Hat as not a security bug, no fix available
-# Rationale: Exploit requires crafted pattern in regex compiler meant only for trusted content
-Patch4: CVE-2018-20796.nopatch
-Patch5: https://www.linuxfromscratch.org/patches/downloads/glibc/glibc-2.38-memalign_fix-1.patch
-Patch6: CVE-2023-4911.patch
-Patch7: CVE-2023-6246.patch
-Patch8: CVE-2023-6779.patch
-Patch9: CVE-2023-6780.patch
-# Upstream backport for fixing: nscd fails to build with cleanup handler if built with -fexceptions
-Patch10: nscd-Do-not-rebuild-getaddrinfo-bug-30709.patch
-Patch11: glibc-2.34_pthread_cond_wait.patch
-Patch12: CVE-2023-4527.patch
-Patch13: CVE-2023-4806.patch
-Patch14: CVE-2023-5156.patch
-Patch15: CVE-2024-33599.patch
-Patch16: CVE-2024-33600.patch
-# Patch of CVE-2024-33601 fixes CVE-2024-33602 also
-Patch17: CVE-2024-33601.patch
-Patch18: CVE-2025-0395.patch
-
-# Patches for testing
-Patch100: 0001-Remove-Wno-format-cflag-from-tests.patch
-
-BuildRequires: bison
-BuildRequires: gawk
-BuildRequires: gettext
-BuildRequires: kernel-headers
-BuildRequires: texinfo
-Requires: filesystem
-Provides: %{name}-common = %{version}-%{release}
-Provides: /sbin/ldconfig
-Provides: nss_db = %{version}-%{release}
-Provides: rtld(GNU_HASH)
-ExcludeArch: armv7 ppc i386 i686
-
-%description
-This library provides the basic routines for allocating memory,
-searching directories, opening and closing files, reading and
-writing files, string handling, pattern matching, arithmetic,
-and so on.
-
-%package devel
-Summary: Header files for glibc
-Group: Applications/System
-Requires: %{name} = %{version}-%{release}
-Provides: %{name}-headers = %{version}-%{release}
-
-%description devel
-These are the header files of glibc.
-
-%package static
-Summary: Static glibc library and runtimes
-Group: Applications/System
-Requires: %{name}-devel = %{version}-%{release}
-Provides: %{name}-static%{?_isa} = %{version}-%{release}
-
-%description static
-These are the static artefacts for glibc.
-
-%package lang
-Summary: Additional language files for glibc
-Group: Applications/System
-Requires: %{name} = %{version}-%{release}
-
-%description lang
-These are the additional language files of glibc.
-
-%package i18n
-Summary: Additional internationalization files for glibc
-Group: Applications/System
-Requires: %{name} = %{version}-%{release}
-Provides: %{name}-locale-source = %{version}-%{release}
-
-%description i18n
-These are the additional internationalization files of glibc.
-
-%package iconv
-Summary: gconv modules for glibc
-Group: Applications/System
-Requires: %{name} = %{version}-%{release}
-
-%description iconv
-These are gconv modules for iconv().
-
-%package tools
-Summary: tools for glibc
-Group: Applications/System
-Requires: %{name} = %{version}-%{release}
-
-%description tools
-Extra tools for glibc.
-
-%package nscd
-Summary: Name Service Cache Daemon
-Group: Applications/System
-Requires: %{name} = %{version}-%{release}
-
-%description nscd
-Name Service Cache Daemon
-
-%package locales-all
-Summary: Locale Data for Localized Programs
-Group: Applications/System
-Requires: %{name} = %{version}-%{release}
-Requires: %{name}-i18n = %{version}-%{release}
-Requires: %{name}-lang = %{version}-%{release}
-
-%description locales-all
-Locale data for the internationalization features of glibc
-
-%prep
-%autosetup -p1
-sed -i 's/\\$$(pwd)/`pwd`/' timezone/Makefile
-install -vdm 755 %{_builddir}/%{name}-build
-# do not try to explicitly provide GLIBC_PRIVATE versioned libraries
-%define __find_provides %{_builddir}/%{name}-%{version}/find_provides.sh
-%define __find_requires %{_builddir}/%{name}-%{version}/find_requires.sh
-
-# create find-provides and find-requires script in order to ignore GLIBC_PRIVATE errors
-cat > find_provides.sh << _EOF
-#! /bin/sh
-if [ -d /tools ]; then
-/tools/lib/rpm/find-provides | grep -v GLIBC_PRIVATE
-else
-%{_libdir}/rpm/find-provides | grep -v GLIBC_PRIVATE
-fi
-exit 0
-_EOF
-chmod +x find_provides.sh
-
-cat > find_requires.sh << _EOF
-#! /bin/sh
-if [ -d /tools ]; then
-/tools/lib/rpm/find-requires %{buildroot} %{glibc_target_cpu} | grep -v GLIBC_PRIVATE
-else
-%{_libdir}/rpm/find-requires %{buildroot} %{glibc_target_cpu} | grep -v GLIBC_PRIVATE
-fi
-_EOF
-chmod +x find_requires.sh
-#___EOF
-
-%build
-CFLAGS="`echo " %{build_cflags} " | sed 's/-Wp,-D_FORTIFY_SOURCE=2//'`"
-CXXFLAGS="`echo " %{build_cxxflags} " | sed 's/-Wp,-D_FORTIFY_SOURCE=2//'`"
-export CFLAGS
-export CXXFLAGS
-
-cd %{_builddir}/%{name}-build
-echo "rootsbindir=/usr/sbin" > configparms
-../%{name}-%{version}/configure \
- --prefix=%{_prefix} \
- --disable-profile \
- --disable-werror \
- --enable-kernel=4.14 \
- --enable-bind-now \
- --enable-static-pie \
-%ifarch x86_64
- --enable-cet \
-%endif
- --disable-silent-rules \
- libc_cv_slibdir=/usr/lib
-
-make %{?_smp_mflags}
-
-%install
-# Do not remove static libs
-pushd %{_builddir}/glibc-build
-# Create directories
-make install_root=%{buildroot} install
-install -vdm 755 %{buildroot}%{_sysconfdir}/ld.so.conf.d
-install -vdm 755 %{buildroot}%{_var}/cache/nscd
-install -vdm 755 %{buildroot}%{_libdir}/locale
-cp -v ../%{name}-%{version}/nscd/nscd.conf %{buildroot}%{_sysconfdir}/nscd.conf
-# Install locale generation script and config file
-cp -v %{SOURCE2} %{buildroot}%{_sysconfdir}
-cp -v %{SOURCE1} %{buildroot}%{_sbindir}
-# Remove unwanted cruft
-rm -rf %{buildroot}%{_infodir}
-# Install configuration files
-
-# Spaces should not be used in nsswitch.conf in the begining of new line
-# Only tab should be used as it expects the same in source code.
-# Otherwise "altfiles" will not be added. which may cause dbus.service failure
-cat > %{buildroot}%{_sysconfdir}/nsswitch.conf <<- "EOF"
-# Begin /etc/nsswitch.conf
-
- passwd: files
- group: files
- shadow: files
-
- hosts: files dns
- networks: files
-
- protocols: files
- services: files
- ethers: files
- rpc: files
-# End /etc/nsswitch.conf
-EOF
-cat > %{buildroot}%{_sysconfdir}/ld.so.conf <<- "EOF"
-# Begin /etc/ld.so.conf
- %{_prefix}/local/lib
- /opt/lib
- include %{_sysconfdir}/ld.so.conf.d/*.conf
-EOF
-popd
-%find_lang %{name} --all-name
-
-# Generate all locales
-pushd %{_builddir}/%{name}-build
-# Install locales
-make %{?_smp_mflags} install_root=%{buildroot} localedata/install-locale-files
-
-# To reduce footprint of localedata
-# hardlink identical locale files together
-hardlink -vc %{buildroot}%{_libdir}/locale
-popd
-
-# to do not depend on /bin/bash
-sed -i 's@#! /bin/bash@#! /bin/sh@' %{buildroot}%{_bindir}/ldd
-# Fix a hard coded path to the executable loader in the ldd script
-sed '/RTLDLIST=/s@/usr@@g' -i %{buildroot}%{_bindir}/ldd
-sed -i 's@#!/bin/bash@#!/bin/sh@' %{buildroot}%{_bindir}/tzselect
-
-# Determine which static libs are needed in `glibc-devel` - the rest will be put
-# into `glibc-static`. We need to keep the static shims for function that's now
-# in `libc.so` (since 2.34 - see https://developers.redhat.com/articles/2021/12/17/why-glibc-234-removed-libpthread)
-# and the "statically linked bit" of `libc.so` (called `libc_nonshared.a`)
-static_libs_in_devel_pattern="lib\(c_nonshared\|pthread\|dl\|rt\|g\|util\|mcheck\).a"
-ls -1 %{buildroot}%{_libdir}/*.a | grep -e "$static_libs_in_devel_pattern" | sed "s:^%{buildroot}::g" > devel.filelist
-ls -1 %{buildroot}%{_libdir}/*.a | grep -v -e "$static_libs_in_devel_pattern" | sed "s:^%{buildroot}::g" > static.filelist
-
-%check
-cd %{_builddir}/glibc-build
-
-# Results have varied based on the environment the tests are being built
-# Summary of test results in local VM:
-# 3 FAIL : nptl/tst-cancel1, io/tst-lchmod, nptl/tst-mutex10
-# 5040 PASS
-# 152 UNSUPPORTED
-# 12 XFAIL
-# 8 XPASS
-# Summary of test results in pipeline (this has shown varying results):
-# 7 FAIL
-# 5110 PASS
-# 79 UNSUPPORTED
-# 12 XFAIL
-# 8 XPASS
-make %{?_smp_mflags} check ||:
-n=0
-# expected failures in local VM
-grep "^FAIL: nptl/tst-cancel1" tests.sum >/dev/null && n=$((n+1)) ||:
-grep "^FAIL: io/tst-lchmod" tests.sum >/dev/null && n=$((n+1)) ||:
-grep "^FAIL: nptl/tst-mutex10" tests.sum >/dev/null && n=$((n+1)) ||:
-[ `grep ^FAIL tests.sum | wc -l` -eq $n ]
-
-%post -p /sbin/ldconfig
-%postun -p /sbin/ldconfig
-
-%files
-%defattr(-,root,root)
-%license COPYING COPYING.LIB LICENSES
-%{_libdir}/locale/en_US.utf8
-%{_libdir}/locale/C.utf8
-%dir %{_sysconfdir}/ld.so.conf.d
-%config(noreplace) %{_sysconfdir}/nsswitch.conf
-%config(noreplace) %{_sysconfdir}/ld.so.conf
-%config(noreplace) %{_sysconfdir}/rpc
-%config(missingok,noreplace) %{_sysconfdir}/ld.so.cache
-%config %{_sysconfdir}/locale-gen.conf
-%ifarch aarch64
-/usr/lib/ld-linux-aarch64.so.1
-%endif
-#%%exclude /lib64/libpcprofile.so
-%{_libdir}/*.so*
-%{_sbindir}/ldconfig
-%{_sbindir}/locale-gen.sh
-
-#%%{_sbindir}/zdump
-%{_sbindir}/zic
-%{_sbindir}/iconvconfig
-%{_bindir}/*
-%{_libexecdir}/*
-%{_datadir}/i18n/charmaps/UTF-8.gz
-%{_datadir}/i18n/charmaps/ISO-8859-1.gz
-%{_datadir}/i18n/locales/en_US
-%{_datarootdir}/locale/locale.alias
-%exclude %{_localstatedir}/lib/nss_db/Makefile
-%exclude %{_bindir}/mtrace
-%exclude %{_bindir}/pcprofiledump
-%exclude %{_bindir}/xtrace
-
-%files iconv
-%defattr(-,root,root)
-%{_libdir}/gconv/*
-
-%files tools
-%defattr(-,root,root)
-%{_bindir}/mtrace
-%{_bindir}/pcprofiledump
-%{_bindir}/xtrace
-%{_sbindir}/sln
-%{_libdir}/audit/*
-#/lib64/libpcprofile.so
-
-%files nscd
-%defattr(-,root,root)
-%config(noreplace) %{_sysconfdir}/nscd.conf
-%{_sbindir}/nscd
-%dir %{_localstatedir}/cache/nscd
-
-%files i18n
-%defattr(-,root,root)
-%{_datadir}/i18n/charmaps/*.gz
-%{_datadir}/i18n/locales/*
-
-%files devel -f devel.filelist
-%defattr(-,root,root)
-# TODO: Excluding for now to remove dependency on PERL
-# /usr/bin/mtrace
-# C Runtime files for `-pie`, `-no-pie` and profiled executables as well as for shared libs
-%{_libdir}/{,g,M,S}crt1.o
-# C Runtime files needed for all targets
-%{_libdir}/crt{i,n}.o
-%{_includedir}/*
-
-%files static -f static.filelist
-%defattr(-,root,root)
-# C Runtime files for `-static-pie` and profiled `-static-pie`
-%{_libdir}/{r,gr}crt1.o
-
-%files -f %{name}.lang lang
-%defattr(-,root,root)
-
-%files locales-all
-%defattr(-,root,root)
-%{_libdir}/locale/*
-%exclude %{_libdir}/locale/en_US.utf8
-%exclude %{_libdir}/locale/C.utf8
-
-%changelog
-* Mon Aug 25 2025 Andrew Phelps - 2.38-12
-- Bump to rebuild with build-id fix from toolchain gcc
-
-* Thu May 22 2025 Kanishk Bansal - 2.38-11
-- Patch CVE-2023-4527, CVE-2023-4806, CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2025-0395, CVE-2025-4802
-- Fix CVE-2023-5156
-
-* Mon May 12 2025 Andrew Phelps - 2.38-10
-- Add glibc-2.34_pthread_cond_wait.patch
-
-* Wed Feb 19 2025 Chris Co - 2.38-9
-- Re-enable nscd build and packaging
-
-* Mon Aug 26 2024 Rachel Menge - 2.38-8
-- Enable check section for glibc
-
-* Wed Aug 21 2024 Chris Co - 2.38-7
-- Fix syslog failing to print issue
-
-* Mon Jun 17 2024 Nicolas Guibourge - 2.38-6
-- Address CVE-2023-4911, CVE-2023-5156, CVE-2023-6246, CVE-2023-6779, CVE-2023-6780
-
-* Wed May 22 2024 Suresh Babu Chalamalasetty - 2.38-5
-- Generate and provide glibc all locales in a sub-package
-
-* Fri May 10 2024 Chris Co - 2.38-4
-- Enable frame pointers compiler flag
-
-* Mon Mar 11 2024 Dan Streetman - 2.38-3
-- provide C.utf8 locale
-
-* Tue Feb 27 2024 Dan Streetman - 2.38-2
-- Do NOT rename en_US.utf8 to en_US.UTF-8 (glibc will reduce UTF-8 to utf8, but NOT utf8 to UTF-8)
-
-* Thu Nov 02 2023 Andrew Phelps - 2.38-1
-- Upgrade to version 2.38
-
-* Wed Oct 04 2023 Minghe Ren - 2.35-6
-- Add patches for CVE-2023-4806 and CVE-2023-5156
-
-* Tue Oct 03 2023 Mandeep Plaha - 2.35-5
-- Patch CVE-2023-4911
-
-* Fri Jun 30 2023 Andrew Phelps - 2.35-4
-- Restore glibc-debuginfo package
-
-* Fri Sep 30 2022 Andy Caldwell - 2.35-3
-- Split `glibc-static` into an actual package containing static libraries and runtime
-
-* Mon May 02 2022 Sriram Nambakam - 2.35-2
-- To remove leading spaces in /etc/nsswitch.conf, use tabs instead of spaces
-
-* Tue Apr 12 2022 Andrew Phelps - 2.35-1
-- Upgrade to version 2.35
-- Cleanup old patch files
-
-* Wed Mar 02 2022 Andy Caldwell - 2.34-3
-- Add support for building `-static-pie` binaries against `glibc`
-- Add additional BuildRequires
-
-* Thu Nov 04 2021 Pawel Winogrodzki - 2.34-2
-- Adding missing BR on "perl(File::Find)".
-- Fixing licensing information.
-- Removing redundant 'Provides'.
-
-* Thu Oct 14 2021 Andrew Phelps - 2.34-1
-- Upgrade to version 2.34
-- License verified
-
-* Fri Sep 24 2021 Pawel Winogrodzki - 2.28-19
-- Adding 'Provides' for 'nss_db'.
-
-* Thu Jul 29 2021 Jon Slobodzian 2.28-18
-- Dash Rolled for Merge from 1.0 branch
-
-* Fri Apr 02 2021 Thomas Crain - 2.28-17
-- Merge the following releases from 1.0 to dev branch
-- lihl@microsoft.com, 2.28-13: Added patch to resolve CVE-2019-7309, Used autosteup
-- thcrain@microsoft.com, 2.28-14: Patch CVE-2019-19126
-- mamalisz@microsoft.com, 2.28-15: Exclude binaries(such as bash) from requires list.
-- nicolasg@microsoft.com, 2.28-16: Patch CVE-2019-25013
-- thcrain@microsoft.com, 2.28-17: Patch CVE-2021-3326
-- nisamson@microsoft.com, 2.28-18: Patch CVE-2021-27618
-
-* Thu Mar 25 2021 Henry Li - 2.28-16
-- Provides glibc-locale-source from glibc-i18n
-- Add back exluded files to glibc-i18n
-
-* Fri Feb 05 2021 Joe Schmitt - 2.28-15
-- Replace incorrect %%{_lib} usage with %%{_libdir}
-
-* Thu Dec 10 2020 Joe Schmitt - 2.28-14
-- Provide isa version of glibc-static.
-
-* Mon Sep 28 2020 Ruying Chen - 2.28-13
-- Move some tools from glibc-tools and glibc-iconv to glibc and provide glibc-common
-- Provide glibc-static and glibc-headers under glibc-devel
-
-* Wed Jul 29 2020 Thomas Crain - 2.28-12
-- Ignore CVE-2018-20796, as it is not a security issue
-
-* Wed Jul 29 2020 Emre Girgin - 2.28-11
-- Disable the debuginfo package for glibc, and use unstripped binaries instead.
-
-* Fri Jun 26 2020 Ruying Chen - 2.28-10
-- Added provides for binary capability.
-
-* Thu Jun 11 2020 Henry Beberman - 2.28-9
-- Disable -Wp,-D_FORTIFY_SOURCE=2 to build with hardened cflags.
-
-* Tue May 19 2020 Emre Girgin - 2.28-8
-- Ignore CVE-2019-6488, CVE-2020-1751, CVE-2020-6096 as they don't apply to aarch64 or x86_64.
-
-* Sat May 09 2020 Nick Samson - 2.28-7
-- Added %%license line automatically
-
-* Fri Mar 20 2020 Andrew Phelps - 2.28-6
-- Configure with --disable-werror.
-
-* Mon Dec 02 2019 Saravanan Somasundaram - 2.28-5
-- Initial CBL-Mariner import from Photon (license: Apache2).
-
-* Fri Jul 12 2019 Ankit Jain - 2.28-4
-- Replaced spaces with tab in nsswitch.conf file
-
-* Fri Mar 08 2019 Alexey Makhalov - 2.28-3
-- Fix CVE-2019-9169
-
-* Tue Jan 22 2019 Anish Swaminathan - 2.28-2
-- Fix CVE-2018-19591
-
-* Tue Aug 28 2018 Alexey Makhalov - 2.28-1
-- Version update. Disable obsolete rpc (use libtirpc) and nsl.
-
-* Tue Jan 23 2018 Xiaolin Li - 2.26-10
-- Fix CVE-2018-1000001 and CVE-2018-6485
-
-* Mon Jan 08 2018 Xiaolin Li - 2.26-9
-- Fix CVE-2017-16997
-
-* Thu Dec 21 2017 Xiaolin Li - 2.26-8
-- Fix CVE-2017-17426
-
-* Tue Nov 14 2017 Alexey Makhalov - 2.26-7
-- Aarch64 support
-
-* Wed Oct 25 2017 Xiaolin Li - 2.26-6
-- Fix CVE-2017-15670 and CVE-2017-15804
-
-* Tue Oct 10 2017 Alexey Makhalov - 2.26-5
-- Compile out tcache.
-
-* Fri Sep 15 2017 Bo Gan - 2.26-4
-- exclude tst-eintr1 per official wiki recommendation.
-
-* Tue Sep 12 2017 Alexey Makhalov - 2.26-3
-- Fix makecheck for run in docker.
-
-* Tue Aug 29 2017 Alexey Makhalov - 2.26-2
-- Fix tunables setter.
-- Add malloc arena fix.
-- Fix makecheck.
-
-* Tue Aug 15 2017 Alexey Makhalov - 2.26-1
-- Version update
-
-* Tue Aug 08 2017 Anish Swaminathan - 2.25-4
-- Apply fix for CVE-2017-1000366
-
-* Thu May 4 2017 Bo Gan - 2.25-3
-- Remove bash dependency in post/postun script
-
-* Fri Apr 21 2017 Alexey Makhalov - 2.25-2
-- Added -iconv -tools and -nscd subpackages
-
-* Wed Mar 22 2017 Alexey Makhalov - 2.25-1
-- Version update
-
-* Wed Dec 14 2016 Alexey Makhalov - 2.24-1
-- Version update
-
-* Wed Nov 23 2016 Alexey Makhalov - 2.22-13
-- Install en_US.UTF-8 locale by default
-
-* Wed Nov 16 2016 Alexey Makhalov - 2.22-12
-- Added i18n subpackage
-
-* Tue Oct 25 2016 Alexey Makhalov - 2.22-11
-- Workaround for build failure with "out of memory" message
-
-* Wed Sep 28 2016 Alexey Makhalov - 2.22-10
-- Added pthread_create-fix-use-after-free.patch
-
-* Tue Jun 14 2016 Divya Thaluru - 2.22-9
-- Enabling rpm debug package and stripping the libraries
-
-* Tue May 24 2016 Priyesh Padmavilasom - 2.22-8
-- GA - Bump release of all rpms
-
-* Mon May 23 2016 Divya Thaluru - 2.22-7
-- Added patch for CVE-2014-9761
-
-* Mon Mar 21 2016 Alexey Makhalov - 2.22-6
-- Security hardening: nonow
-
-* Fri Mar 18 2016 Anish Swaminathan - 2.22-5
-- Change conf file qualifiers
-
-* Fri Mar 11 2016 Priyesh Padmavilasom - 2.22-4
-- Added patch for res_qeury assertion with bad dns config
-- Details: https://sourceware.org/bugzilla/show_bug.cgi?id=19791
-
-* Tue Feb 16 2016 Anish Swaminathan - 2.22-3
-- Added patch for CVE-2015-7547
-
-* Mon Feb 08 2016 Anish Swaminathan - 2.22-2
-- Added patch for bindresvport blacklist
-
-* Tue Jan 12 2016 Xiaolin Li - 2.22-1
-- Updated to version 2.22
-
-* Tue Dec 1 2015 Divya Thaluru - 2.19-8
-- Disabling rpm debug package and stripping the libraries
-
-* Wed Nov 18 2015 Divya Thaluru