From 23e03717fc7326fe0fa1747a540f3151cc0b1f41 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
 <azurelinux-security@microsoft.com>
Date: Tue, 27 Jan 2026 06:23:18 +0000
Subject: [PATCH] Patch glibc for CVE-2025-0395

---
 SPECS/glibc/CVE-2025-0395.patch               | 70 +++++++++++++++++++
 SPECS/glibc/glibc.spec                        |  6 +-
 .../manifests/package/pkggen_core_aarch64.txt | 14 ++--
 .../manifests/package/pkggen_core_x86_64.txt  | 14 ++--
 .../manifests/package/toolchain_aarch64.txt   | 18 ++---
 .../manifests/package/toolchain_x86_64.txt    | 18 ++---
 6 files changed, 107 insertions(+), 33 deletions(-)
 create mode 100644 SPECS/glibc/CVE-2025-0395.patch

diff --git a/SPECS/glibc/CVE-2025-0395.patch b/SPECS/glibc/CVE-2025-0395.patch
new file mode 100644
index 00000000000..432ce0163e5
--- /dev/null
+++ b/SPECS/glibc/CVE-2025-0395.patch
@@ -0,0 +1,70 @@
+From 712987b059a7633804261a986a7fd06caa598cb1 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Wed, 22 Jan 2025 17:22:02 +0100
+Subject: [PATCH] Fix underallocation of abort_msg_s struct (CVE-2025-0395)
+
+Include the space needed to store the length of the message itself, in
+addition to the message string.  This resolves BZ #32582.
+
+Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Reviewed: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+(cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
+
+Conflict in sysdeps/posix/libc_fatal.c due to missing cleanup after
+backtrace removal.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/bminor/glibc/commit/8b5d4be762419c4f6176261c6fea40ac559b88dc.patch
+---
+ assert/assert.c            | 4 +++-
+ sysdeps/posix/libc_fatal.c | 5 +++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/assert/assert.c b/assert/assert.c
+index 133a183b..9e55eeb4 100644
+--- a/assert/assert.c
++++ b/assert/assert.c
+@@ -18,6 +18,7 @@
+ #include <assert.h>
+ #include <atomic.h>
+ #include <ldsodefs.h>
++#include <libc-pointer-arith.h>
+ #include <libintl.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+@@ -64,7 +65,8 @@ __assert_fail_base (const char *fmt, const char *assertion, const char *file,
+       (void) __fxprintf (NULL, "%s", str);
+       (void) fflush (stderr);
+ 
+-      total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
++      total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
++			GLRO(dl_pagesize));
+       struct abort_msg_s *buf = __mmap (NULL, total, PROT_READ | PROT_WRITE,
+ 					MAP_ANON | MAP_PRIVATE, -1, 0);
+       if (__glibc_likely (buf != MAP_FAILED))
+diff --git a/sysdeps/posix/libc_fatal.c b/sysdeps/posix/libc_fatal.c
+index 2ee0010b..dfa07805 100644
+--- a/sysdeps/posix/libc_fatal.c
++++ b/sysdeps/posix/libc_fatal.c
+@@ -20,6 +20,7 @@
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <ldsodefs.h>
++#include <libc-pointer-arith.h>
+ #include <paths.h>
+ #include <stdarg.h>
+ #include <stdbool.h>
+@@ -125,8 +126,8 @@ __libc_message (enum __libc_message_action action, const char *fmt, ...)
+ 
+       if ((action & do_abort))
+ 	{
+-	  total = ((total + 1 + GLRO(dl_pagesize) - 1)
+-		   & ~(GLRO(dl_pagesize) - 1));
++	  total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
++			    GLRO(dl_pagesize));
+ 	  struct abort_msg_s *buf = __mmap (NULL, total,
+ 					    PROT_READ | PROT_WRITE,
+ 					    MAP_ANON | MAP_PRIVATE, -1, 0);
+-- 
+2.45.4
+
diff --git a/SPECS/glibc/glibc.spec b/SPECS/glibc/glibc.spec
index d5dbc49d2d7..15fd7f08035 100644
--- a/SPECS/glibc/glibc.spec
+++ b/SPECS/glibc/glibc.spec
@@ -7,7 +7,7 @@
 Summary:        Main C library
 Name:           glibc
 Version:        2.35
-Release:        8%{?dist}
+Release:        9%{?dist}
 License:        BSD AND GPLv2+ AND Inner-Net AND ISC AND LGPLv2+ AND MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -37,6 +37,7 @@ Patch11:        CVE-2024-33600.patch
 Patch12:        CVE-2024-33601.patch
 Patch13:        CVE-2026-0861.patch
 Patch14:        CVE-2026-0915.patch
+Patch15:        CVE-2025-0395.patch
 BuildRequires:  bison
 BuildRequires:  gawk
 BuildRequires:  gettext
@@ -329,6 +330,9 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||:
 %defattr(-,root,root)
 
 %changelog
+* Tue Jan 27 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.35-9
+- Patch for CVE-2025-0395
+
 * Wed Jan 21 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.35-8
 - Patch for CVE-2026-0915, CVE-2026-0861
 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index a562b9c54ae..8df4534e9d6 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -1,12 +1,12 @@
 filesystem-1.1-20.cm2.aarch64.rpm
 kernel-headers-5.15.186.1-1.cm2.noarch.rpm
-glibc-2.35-8.cm2.aarch64.rpm
-glibc-devel-2.35-8.cm2.aarch64.rpm
-glibc-i18n-2.35-8.cm2.aarch64.rpm
-glibc-iconv-2.35-8.cm2.aarch64.rpm
-glibc-lang-2.35-8.cm2.aarch64.rpm
-glibc-nscd-2.35-8.cm2.aarch64.rpm
-glibc-tools-2.35-8.cm2.aarch64.rpm
+glibc-2.35-9.cm2.aarch64.rpm
+glibc-devel-2.35-9.cm2.aarch64.rpm
+glibc-i18n-2.35-9.cm2.aarch64.rpm
+glibc-iconv-2.35-9.cm2.aarch64.rpm
+glibc-lang-2.35-9.cm2.aarch64.rpm
+glibc-nscd-2.35-9.cm2.aarch64.rpm
+glibc-tools-2.35-9.cm2.aarch64.rpm
 zlib-1.2.13-2.cm2.aarch64.rpm
 zlib-devel-1.2.13-2.cm2.aarch64.rpm
 file-5.40-3.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index bd57b53ab30..1e6cc421e75 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -1,12 +1,12 @@
 filesystem-1.1-20.cm2.x86_64.rpm
 kernel-headers-5.15.186.1-1.cm2.noarch.rpm
-glibc-2.35-8.cm2.x86_64.rpm
-glibc-devel-2.35-8.cm2.x86_64.rpm
-glibc-i18n-2.35-8.cm2.x86_64.rpm
-glibc-iconv-2.35-8.cm2.x86_64.rpm
-glibc-lang-2.35-8.cm2.x86_64.rpm
-glibc-nscd-2.35-8.cm2.x86_64.rpm
-glibc-tools-2.35-8.cm2.x86_64.rpm
+glibc-2.35-9.cm2.x86_64.rpm
+glibc-devel-2.35-9.cm2.x86_64.rpm
+glibc-i18n-2.35-9.cm2.x86_64.rpm
+glibc-iconv-2.35-9.cm2.x86_64.rpm
+glibc-lang-2.35-9.cm2.x86_64.rpm
+glibc-nscd-2.35-9.cm2.x86_64.rpm
+glibc-tools-2.35-9.cm2.x86_64.rpm
 zlib-1.2.13-2.cm2.x86_64.rpm
 zlib-devel-1.2.13-2.cm2.x86_64.rpm
 file-5.40-3.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 33e32cfcb21..4b52f212c5a 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -106,15 +106,15 @@ glib-debuginfo-2.71.0-9.cm2.aarch64.rpm
 glib-devel-2.71.0-9.cm2.aarch64.rpm
 glib-doc-2.71.0-9.cm2.noarch.rpm
 glib-schemas-2.71.0-9.cm2.aarch64.rpm
-glibc-2.35-8.cm2.aarch64.rpm
-glibc-debuginfo-2.35-8.cm2.aarch64.rpm
-glibc-devel-2.35-8.cm2.aarch64.rpm
-glibc-i18n-2.35-8.cm2.aarch64.rpm
-glibc-iconv-2.35-8.cm2.aarch64.rpm
-glibc-lang-2.35-8.cm2.aarch64.rpm
-glibc-nscd-2.35-8.cm2.aarch64.rpm
-glibc-static-2.35-8.cm2.aarch64.rpm
-glibc-tools-2.35-8.cm2.aarch64.rpm
+glibc-2.35-9.cm2.aarch64.rpm
+glibc-debuginfo-2.35-9.cm2.aarch64.rpm
+glibc-devel-2.35-9.cm2.aarch64.rpm
+glibc-i18n-2.35-9.cm2.aarch64.rpm
+glibc-iconv-2.35-9.cm2.aarch64.rpm
+glibc-lang-2.35-9.cm2.aarch64.rpm
+glibc-nscd-2.35-9.cm2.aarch64.rpm
+glibc-static-2.35-9.cm2.aarch64.rpm
+glibc-tools-2.35-9.cm2.aarch64.rpm
 gmp-6.2.1-4.cm2.aarch64.rpm
 gmp-debuginfo-6.2.1-4.cm2.aarch64.rpm
 gmp-devel-6.2.1-4.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 554b9bc6707..58317a3fbe9 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -111,15 +111,15 @@ glib-debuginfo-2.71.0-9.cm2.x86_64.rpm
 glib-devel-2.71.0-9.cm2.x86_64.rpm
 glib-doc-2.71.0-9.cm2.noarch.rpm
 glib-schemas-2.71.0-9.cm2.x86_64.rpm
-glibc-2.35-8.cm2.x86_64.rpm
-glibc-debuginfo-2.35-8.cm2.x86_64.rpm
-glibc-devel-2.35-8.cm2.x86_64.rpm
-glibc-i18n-2.35-8.cm2.x86_64.rpm
-glibc-iconv-2.35-8.cm2.x86_64.rpm
-glibc-lang-2.35-8.cm2.x86_64.rpm
-glibc-nscd-2.35-8.cm2.x86_64.rpm
-glibc-static-2.35-8.cm2.x86_64.rpm
-glibc-tools-2.35-8.cm2.x86_64.rpm
+glibc-2.35-9.cm2.x86_64.rpm
+glibc-debuginfo-2.35-9.cm2.x86_64.rpm
+glibc-devel-2.35-9.cm2.x86_64.rpm
+glibc-i18n-2.35-9.cm2.x86_64.rpm
+glibc-iconv-2.35-9.cm2.x86_64.rpm
+glibc-lang-2.35-9.cm2.x86_64.rpm
+glibc-nscd-2.35-9.cm2.x86_64.rpm
+glibc-static-2.35-9.cm2.x86_64.rpm
+glibc-tools-2.35-9.cm2.x86_64.rpm
 gmp-6.2.1-4.cm2.x86_64.rpm
 gmp-debuginfo-6.2.1-4.cm2.x86_64.rpm
 gmp-devel-6.2.1-4.cm2.x86_64.rpm