[Buildroot] [git commit] package/{glibc, localedef}: security bump to version 2.43-27-g4070d808b

Peter Korsgaard peter at korsgaard.com
Mon May 11 10:18:28 UTC 2026 

commit: https://gitlab.com/buildroot.org/buildroot/-/commit/e3c662eac9968dcfb598f837d639d51de7217627
branch: https://gitlab.com/buildroot.org/buildroot/-/tree/master

Fixes the following security issues:

CVE-2026-5450: scanf %mc off-by-one heap buffer overflow
https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2026-0009;h=3c297fdc8018d26dfa3b1b269b8fdc2d4ab07e81;hb=HEAD

CVE-2026-5928: Potential buffer under-read in ungetwc
https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2026-0010;h=ae9953fb717886b93ea55fdede14450a0d4835f4;hb=HEAD

git shortlog 2.43-22-g8362e8ce1..2.43-27-g4070d808b

DJ Delorie (1):
      include: isolate __O_CLOEXEC flag for sys/mount.h and fcntl.h

Florian Weimer (1):
      Linux: Only define OPEN_TREE_* macros in <sys/mount.h> if undefined (bug 33921)

H.J. Lu (1):
      abilist.awk: Handle weak unversioned defined symbols

Rocket Ma (2):
      libio: Fix ungetwc operating on byte stream [BZ #33998]
      stdio-common: Fix buffer overflow in scanf %mc [BZ #34008]

Signed-off-by: Bernd Kuhls <bernd at kuhls.net>
[Peter: use correct git hash in _IGNORE_CVES for CVE-2026-5928]
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
 package/glibc/glibc.hash       | 2 +-
 package/glibc/glibc.mk         | 8 +++++++-
 package/localedef/localedef.mk | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/package/glibc/glibc.hash b/package/glibc/glibc.hash
index c9215dac6f..a6e6874e1f 100644
--- a/package/glibc/glibc.hash
+++ b/package/glibc/glibc.hash
@@ -1,5 +1,5 @@
 # Locally calculated (fetched from git)
-sha256  c5d012c0417d1a8d72e72ea2cd917422fa04f9ab525f418c537cad5cd9042803  glibc-2.43-22-g8362e8ce10b24068bacc19552c128dd10e082fd9-git4.tar.gz
+sha256  668f890b45fd8d32bb73783ad3b75fe1f396c5c3aa3c3832e616b4c3f0c6066b  glibc-2.43-27-g4070d808bea1c077eb7e7d52b52b91cae98205d5-git4.tar.gz
 
 # Hashes for license files
 sha256  edaef632cbb643e4e7a221717a6c441a4c1a7c918e6e4d56debc3d8739b233f6  COPYINGv2
diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index 0a44015818..4a6bc94634 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -7,7 +7,7 @@
 # Generate version string using:
 #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
 # When updating the version, please also update localedef
-GLIBC_VERSION = 2.43-22-g8362e8ce10b24068bacc19552c128dd10e082fd9
+GLIBC_VERSION = 2.43-27-g4070d808bea1c077eb7e7d52b52b91cae98205d5
 GLIBC_SITE = https://sourceware.org/git/glibc.git
 GLIBC_SITE_METHOD = git
 
@@ -40,6 +40,12 @@ GLIBC_IGNORE_CVES += CVE-2026-4438
 # Fixed by glibc-2.43-22-g8362e8ce10b24068bacc19552c128dd10e082fd9
 GLIBC_IGNORE_CVES += CVE-2026-4046
 
+# Fixed by glibc-2.43-26-g2890b35cd361df2517525bf2c5f8c63f6f0d4a20
+GLIBC_IGNORE_CVES += CVE-2026-5928
+
+# Fixed by glibc-2.43-27-g4070d808bea1c077eb7e7d52b52b91cae98205d5
+GLIBC_IGNORE_CVES += CVE-2026-5450
+
 # This CVE is considered as not being security issues by
 # upstream glibc:
 #  https://security-tracker.debian.org/tracker/CVE-2010-4756
diff --git a/package/localedef/localedef.mk b/package/localedef/localedef.mk
index ec906fad22..4890e095e3 100644
--- a/package/localedef/localedef.mk
+++ b/package/localedef/localedef.mk
@@ -7,7 +7,7 @@
 # Use the same VERSION and SITE as target glibc
 # As in glibc.mk, generate version string using:
 #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
-LOCALEDEF_VERSION = 2.43-22-g8362e8ce10b24068bacc19552c128dd10e082fd9
+LOCALEDEF_VERSION = 2.43-27-g4070d808bea1c077eb7e7d52b52b91cae98205d5
 LOCALEDEF_SOURCE = glibc-$(LOCALEDEF_VERSION)$(BR_FMT_VERSION_git).tar.gz
 LOCALEDEF_SITE = https://sourceware.org/git/glibc.git
 LOCALEDEF_SITE_METHOD = git

More information about the buildroot mailing list