Tue Jan 25 06:16:36 UTC 202220220125061636

It may look like we're currently experiencing more stuckness, but this will
lead us to Quality. We'll have this release in the can before you know it.
a/aaa_glibc-solibs-2.33-x86_64-5.txz:  Rebuilt.
a/aaa_libraries-15.0-x86_64-16.txz:  Rebuilt.
  Rebuilt to pick up the patched libexpat.so.1.8.3.
a/kernel-firmware-20220124_eb8ea1b-noarch-1.txz:  Upgraded.
a/kernel-generic-5.15.16-x86_64-2.txz:  Upgraded.
a/kernel-huge-5.15.16-x86_64-2.txz:  Upgraded.
  -9P_FSCACHE n
   9P_FS m -> y
  Thanks to peake.
a/kernel-modules-5.15.16-x86_64-2.txz:  Upgraded.
a/mkinitrd-1.4.11-x86_64-27.txz:  Rebuilt.
  mkinitrd_command_generator.sh: properly detect partitions of a RAID device.
  Thanks to perrin4869.
a/util-linux-2.37.3-x86_64-1.txz:  Upgraded.
  This release fixes two security mount(8) and umount(8) issues:
  An issue related to parsing the /proc/self/mountinfo file allows an
  unprivileged user to unmount other user's filesystems that are either
  world-writable themselves or mounted in a world-writable directory.
  Improper UID check in libmount allows an unprivileged user to unmount
  FUSE filesystems of users with similar UID.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3995
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3996
  (* Security fix *)
ap/vim-8.2.4212-x86_64-1.txz:  Upgraded.
d/git-2.35.0-x86_64-1.txz:  Upgraded.
d/kernel-headers-5.15.16-x86-2.txz:  Upgraded.
k/kernel-source-5.15.16-noarch-2.txz:  Upgraded.
l/expat-2.4.3-x86_64-2.txz:  Rebuilt.
  Fix signed integer overflow in function XML_GetBuffer for when
  XML_CONTEXT_BYTES is defined to >0 (which is both common and
  default). Impact is denial of service or other undefined behavior.
  While we're here, also patch a memory leak on output file opening error.
  Thanks to marav.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23852
  (* Security fix *)
l/fluidsynth-2.2.5-x86_64-1.txz:  Upgraded.
l/glibc-2.33-x86_64-5.txz:  Rebuilt.
  This update patches two security issues:
  Unexpected return value from glibc's realpath().
  Off-by-one buffer overflow/underflow in glibc's getcwd().
  Thanks to Qualys Research Labs for reporting these issues.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3998
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3999
  (* Security fix *)
l/glibc-i18n-2.33-x86_64-5.txz:  Rebuilt.
l/glibc-profile-2.33-x86_64-5.txz:  Rebuilt.
l/tdb-1.4.6-x86_64-1.txz:  Upgraded.
x/xf86-input-libinput-1.2.1-x86_64-1.txz:  Upgraded.
xap/mozilla-thunderbird-91.5.1-x86_64-1.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/91.5.1/releasenotes/
xap/vim-gvim-8.2.4212-x86_64-1.txz:  Upgraded.
isolinux/initrd.img:  Rebuilt.
kernels/*:  Upgraded.
usb-and-pxe-installers/usbboot.img:  Rebuilt.

15 files changed, 679 insertions, 13 deletions

diff --git a/source/a/aaa_libraries/aaa_libraries.SlackBuild b/source/a/aaa_libraries/aaa_libraries.SlackBuild
index da891fca6..16f2505c0 100755
--- a/source/a/aaa_libraries/aaa_libraries.SlackBuild
+++ b/source/a/aaa_libraries/aaa_libraries.SlackBuild
@@ -23,7 +23,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PKGNAM=aaa_libraries
 VERSION=${VERSION:-15.0}
-BUILD=${BUILD:-15}
+BUILD=${BUILD:-16}
 
 # Automatically determine the architecture we're building on:
 if [ -z "$ARCH" ]; then
diff --git a/source/a/mkinitrd/0004-check-if-BASEDEV-is-a-partition-of-a-RAID-volume.patch b/source/a/mkinitrd/0004-check-if-BASEDEV-is-a-partition-of-a-RAID-volume.patch
new file mode 100644
index 000000000..e24b7c7c4
--- /dev/null
+++ b/source/a/mkinitrd/0004-check-if-BASEDEV-is-a-partition-of-a-RAID-volume.patch
@@ -0,0 +1,23 @@
+--- ./mkinitrd_command_generator.sh.orig	2021-03-28 13:22:55.628927615 -0500
++++ ./mkinitrd_command_generator.sh	2022-01-24 21:29:00.382517371 -0600
+@@ -302,12 +302,19 @@
+   fi
+ 
+   # Finally, we should check if base device is
+-  #   a real block device or a RAID volume:
++  # a real block device or a RAID volume:
+   for MD in  $(cat /proc/mdstat | grep -w active | cut -d' ' -f1) ; do
+     if [ "$BASEDEV" = "/dev/$MD" ]; then
+       USING_RAID=1
+       break
+     fi
++  done
++  # Additional check in case $BASEDEV is a partition of /dev/$MD:
++  for BLK in $(sfdisk -ld /dev/$MD 2> /dev/null | grep "^/dev" | cut -d " " -f 1); do
++    if [ "$BASEDEV" = "$BLK" ]; then
++      USING_RAID=1
++      break
++    fi
+   done
+ }
+ 
diff --git a/source/a/mkinitrd/mkinitrd.SlackBuild b/source/a/mkinitrd/mkinitrd.SlackBuild
index 6b5070396..500b919a1 100755
--- a/source/a/mkinitrd/mkinitrd.SlackBuild
+++ b/source/a/mkinitrd/mkinitrd.SlackBuild
@@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 PKGNAM=mkinitrd
 VERSION=${VERSION:-1.4.11}
 BB=1.32.1
-BUILD=${BUILD:-26}
+BUILD=${BUILD:-27}
 
 # Automatically determine the architecture we're building on:
 if [ -z "$ARCH" ]; then
@@ -125,6 +125,9 @@ chmod 755 $PKG/sbin/mkinitrd
 # Don't include 40-usb_modeswitch.rules on the initrd:
 ( cd $PKG/sbin ; zcat $CWD/0003-blacklist.40-usb_modeswitch.rules.patch.gz | patch -p1 --verbose || exit 1) || exit 1
 rm -f $PKG/sbin/mkinitrd.orig
+# Use -R if we detect the root partition is a partition of a RAID device:
+( cd $PKG/usr/share/mkinitrd ; zcat $CWD/0004-check-if-BASEDEV-is-a-partition-of-a-RAID-volume.patch.gz | patch -p1 --verbose || exit 1) || exit 1
+rm -f $PKG/usr/share/mkinitrd/mkinitrd_command_generator.sh.orig
 
 mkdir -p $PKG/usr/man/man{5,8}
 cat $CWD/mkinitrd.conf.5 | gzip -9c > $PKG/usr/man/man5/mkinitrd.conf.5.gz
diff --git a/source/a/util-linux/util-linux.SlackBuild b/source/a/util-linux/util-linux.SlackBuild
index b99088dac..fd08893f2 100755
--- a/source/a/util-linux/util-linux.SlackBuild
+++ b/source/a/util-linux/util-linux.SlackBuild
@@ -26,7 +26,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PKGNAM=util-linux
 VERSION=${VERSION:-$(echo util-linux*.tar.xz | cut -d - -f 3  | rev | cut -f 3- -d . | rev)}
-BUILD=${BUILD:-6}
+BUILD=${BUILD:-1}
 
 ADJTIMEXVERS=1.29
 SETSERIALVERS=2.17
diff --git a/source/k/build-all-kernels.sh b/source/k/build-all-kernels.sh
index 09e684b17..1fddd02ce 100755
--- a/source/k/build-all-kernels.sh
+++ b/source/k/build-all-kernels.sh
@@ -27,7 +27,7 @@
 
 cd $(dirname $0) ; CWD=$(pwd)
 
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 if [ -z "$VERSION" ]; then
   # Get the filename of the newest kernel tarball:
   KERNEL_SOURCE_FILE="$(/bin/ls -t linux-*.tar.?z | head -n 1 )"
diff --git a/source/k/kernel-configs/config-huge-5.15.16 b/source/k/kernel-configs/config-huge-5.15.16
index bc008e644..531eee499 100644
--- a/source/k/kernel-configs/config-huge-5.15.16
+++ b/source/k/kernel-configs/config-huge-5.15.16
@@ -9340,8 +9340,7 @@ CONFIG_AFS_FS=m
 # CONFIG_AFS_DEBUG is not set
 # CONFIG_AFS_FSCACHE is not set
 # CONFIG_AFS_DEBUG_CURSOR is not set
-CONFIG_9P_FS=m
-# CONFIG_9P_FSCACHE is not set
+CONFIG_9P_FS=y
 CONFIG_9P_FS_POSIX_ACL=y
 # CONFIG_9P_FS_SECURITY is not set
 CONFIG_NLS=y
diff --git a/source/k/kernel-configs/config-huge-5.15.16.x64 b/source/k/kernel-configs/config-huge-5.15.16.x64
index 0d5b67fb7..f3014b566 100644
--- a/source/k/kernel-configs/config-huge-5.15.16.x64
+++ b/source/k/kernel-configs/config-huge-5.15.16.x64
@@ -9362,8 +9362,7 @@ CONFIG_AFS_FS=m
 # CONFIG_AFS_DEBUG is not set
 # CONFIG_AFS_FSCACHE is not set
 # CONFIG_AFS_DEBUG_CURSOR is not set
-CONFIG_9P_FS=m
-# CONFIG_9P_FSCACHE is not set
+CONFIG_9P_FS=y
 CONFIG_9P_FS_POSIX_ACL=y
 # CONFIG_9P_FS_SECURITY is not set
 CONFIG_NLS=y
diff --git a/source/k/kernel-configs/config-huge-smp-5.15.16-smp b/source/k/kernel-configs/config-huge-smp-5.15.16-smp
index 489c923ad..239c5123d 100644
--- a/source/k/kernel-configs/config-huge-smp-5.15.16-smp
+++ b/source/k/kernel-configs/config-huge-smp-5.15.16-smp
@@ -9407,8 +9407,7 @@ CONFIG_AFS_FS=m
 # CONFIG_AFS_DEBUG is not set
 # CONFIG_AFS_FSCACHE is not set
 # CONFIG_AFS_DEBUG_CURSOR is not set
-CONFIG_9P_FS=m
-# CONFIG_9P_FSCACHE is not set
+CONFIG_9P_FS=y
 CONFIG_9P_FS_POSIX_ACL=y
 # CONFIG_9P_FS_SECURITY is not set
 CONFIG_NLS=y
diff --git a/source/l/expat/178d26f50af21ec23d6e43814b9b602590b5865c.patch b/source/l/expat/178d26f50af21ec23d6e43814b9b602590b5865c.patch
new file mode 100644
index 000000000..c2b55ca85
--- /dev/null
+++ b/source/l/expat/178d26f50af21ec23d6e43814b9b602590b5865c.patch
@@ -0,0 +1,115 @@
+From 847a645152f5ebc10ac63b74b604d0c1a79fae40 Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Sat, 22 Jan 2022 17:48:00 +0100
+Subject: [PATCH 1/3] lib: Detect and prevent integer overflow in XML_GetBuffer
+ (CVE-2022-23852)
+
+---
+ expat/lib/xmlparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index d54af683..5ce31402 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
+     keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
+     if (keep > XML_CONTEXT_BYTES)
+       keep = XML_CONTEXT_BYTES;
++    /* Detect and prevent integer overflow */
++    if (keep > INT_MAX - neededSize) {
++      parser->m_errorCode = XML_ERROR_NO_MEMORY;
++      return NULL;
++    }
+     neededSize += keep;
+ #endif /* defined XML_CONTEXT_BYTES */
+     if (neededSize
+
+From acf956f14bf79a5e6383a969aaffec98bfbc2e44 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 23 Jan 2022 18:17:04 +0100
+Subject: [PATCH 2/3] tests: Cover integer overflow in XML_GetBuffer
+ (CVE-2022-23852)
+
+---
+ expat/tests/runtests.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
+index e89e8220..579dad1a 100644
+--- a/expat/tests/runtests.c
++++ b/expat/tests/runtests.c
+@@ -3847,6 +3847,30 @@ START_TEST(test_get_buffer_2) {
+ }
+ END_TEST
+ 
++/* Test for signed integer overflow CVE-2022-23852 */
++#if defined(XML_CONTEXT_BYTES)
++START_TEST(test_get_buffer_3_overflow) {
++  XML_Parser parser = XML_ParserCreate(NULL);
++  assert(parser != NULL);
++
++  const char *const text = "\n";
++  const int expectedKeepValue = (int)strlen(text);
++
++  // After this call, variable "keep" in XML_GetBuffer will
++  // have value expectedKeepValue
++  if (XML_Parse(parser, text, (int)strlen(text), XML_FALSE /* isFinal */)
++      == XML_STATUS_ERROR)
++    xml_failure(parser);
++
++  assert(expectedKeepValue > 0);
++  if (XML_GetBuffer(parser, INT_MAX - expectedKeepValue + 1) != NULL)
++    fail("enlarging buffer not failed");
++
++  XML_ParserFree(parser);
++}
++END_TEST
++#endif // defined(XML_CONTEXT_BYTES)
++
+ /* Test position information macros */
+ START_TEST(test_byte_info_at_end) {
+   const char *text = "<doc></doc>";
+@@ -11731,6 +11755,9 @@ make_suite(void) {
+   tcase_add_test(tc_basic, test_empty_parse);
+   tcase_add_test(tc_basic, test_get_buffer_1);
+   tcase_add_test(tc_basic, test_get_buffer_2);
++#if defined(XML_CONTEXT_BYTES)
++  tcase_add_test(tc_basic, test_get_buffer_3_overflow);
++#endif
+   tcase_add_test(tc_basic, test_byte_info_at_end);
+   tcase_add_test(tc_basic, test_byte_info_at_error);
+   tcase_add_test(tc_basic, test_byte_info_at_cdata);
+
+From 99cec436fbd9444f57ee74ca8ae4c0a13e561a4f Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 22 Jan 2022 17:49:17 +0100
+Subject: [PATCH 3/3] Changes: Document CVE-2022-23852
+
+---
+ expat/Changes | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/expat/Changes b/expat/Changes
+index 7540d38c..64d75d05 100644
+--- a/expat/Changes
++++ b/expat/Changes
+@@ -2,6 +2,18 @@ NOTE: We are looking for help with a few things:
+       https://github.com/libexpat/libexpat/labels/help%20wanted
+       If you can help, please get in touch.  Thanks!
+ 
++Release x.x.x xxx xxxxxxx xx xxxx
++        Security fixes:
++            #550  CVE-2022-23852 -- Fix signed integer overflow
++                    (undefined behavior) in function XML_GetBuffer
++                    (that is also called by function XML_Parse internally)
++                    for when XML_CONTEXT_BYTES is defined to >0 (which is both
++                    common and default).
++                    Impact is denial of service or more.
++
++        Special thanks to:
++            Samanta Navarro
++
+ Release 2.4.3 Sun January 16 2022
+         Security fixes:
+        #531 #534  CVE-2021-45960 -- Fix issues with left shifts by >=29 places
diff --git a/source/l/expat/5f100ffa78b74da8020b71d1582a8979193c1359.patch b/source/l/expat/5f100ffa78b74da8020b71d1582a8979193c1359.patch
new file mode 100644
index 000000000..59404f309
--- /dev/null
+++ b/source/l/expat/5f100ffa78b74da8020b71d1582a8979193c1359.patch
@@ -0,0 +1,45 @@
+From 85a6f8fcdb2bc1530934f8cf684bdab86f1f2a1c Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Thu, 20 Jan 2022 04:41:47 +0100
+Subject: [PATCH] xmlwf: Fix a memory leak on output file opening error
+
+---
+ expat/Changes       | 6 ++++++
+ expat/xmlwf/xmlwf.c | 4 ++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/expat/Changes b/expat/Changes
+index 64d75d05..5ff5da5e 100644
+--- a/expat/Changes
++++ b/expat/Changes
+@@ -11,8 +11,14 @@ Release x.x.x xxx xxxxxxx xx xxxx
+                     common and default).
+                     Impact is denial of service or more.
+ 
++        Bug fixes:
++       #544 #545  xmlwf: Fix a memory leak on output file opening error
++
+         Special thanks to:
++            hwt0415
+             Samanta Navarro
++                 and
++            Clang LeakSan and the Clang team
+ 
+ Release 2.4.3 Sun January 16 2022
+         Security fixes:
+diff --git a/expat/xmlwf/xmlwf.c b/expat/xmlwf/xmlwf.c
+index 29118bb6..b6f300b0 100644
+--- a/expat/xmlwf/xmlwf.c
++++ b/expat/xmlwf/xmlwf.c
+@@ -1175,9 +1175,9 @@ tmain(int argc, XML_Char **argv) {
+       if (! userData.fp) {
+         tperror(outName);
+         exitCode = XMLWF_EXIT_OUTPUT_ERROR;
++        free(outName);
++        XML_ParserFree(parser);
+         if (continueOnError) {
+-          free(outName);
+-          cleanupUserData(&userData);
+           continue;
+         } else {
+           break;
diff --git a/source/l/expat/expat.SlackBuild b/source/l/expat/expat.SlackBuild
index ac9926fa2..e0ec90853 100755
--- a/source/l/expat/expat.SlackBuild
+++ b/source/l/expat/expat.SlackBuild
@@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PKGNAM=expat
 VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 
 # Automatically determine the architecture we're building on:
 if [ -z "$ARCH" ]; then
@@ -73,6 +73,10 @@ cd expat-$VERSION || exit 1
 chown -R root:root .
 find . -perm 777 -exec chmod 755 {} \+
 find . -perm 664 -exec chmod 644 {} \+
+
+zcat $CWD/178d26f50af21ec23d6e43814b9b602590b5865c.patch.gz | patch -p2 --verbose || exit 1
+zcat $CWD/5f100ffa78b74da8020b71d1582a8979193c1359.patch.gz | patch -p2 --verbose || exit 1
+
 CFLAGS="$SLKCFLAGS" \
 ./configure \
   --prefix=/usr \
diff --git a/source/l/glibc/glibc.SlackBuild b/source/l/glibc/glibc.SlackBuild
index d0f49b5c6..7a1a5d5d5 100755
--- a/source/l/glibc/glibc.SlackBuild
+++ b/source/l/glibc/glibc.SlackBuild
@@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 PKGNAM=glibc
 VERSION=${VERSION:-$(echo glibc-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
 CHECKOUT=${CHECKOUT:-""}
-BUILD=${BUILD:-4}
+BUILD=${BUILD:-5}
 
 # I was considering disabling NSCD, but MoZes talked me out of it.  :)
 #DISABLE_NSCD=" --disable-nscd "
diff --git a/source/l/glibc/patches/glibc.CVE-2021-3998.patch b/source/l/glibc/patches/glibc.CVE-2021-3998.patch
new file mode 100644
index 000000000..45602d050
--- /dev/null
+++ b/source/l/glibc/patches/glibc.CVE-2021-3998.patch
@@ -0,0 +1,123 @@
+From f7a79879c0b2bef0dadd6caaaeeb0d26423e04e5 Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date: Thu, 13 Jan 2022 11:28:36 +0530
+Subject: [PATCH] realpath: Set errno to ENAMETOOLONG for result larger than
+ PATH_MAX [BZ #28770]
+
+realpath returns an allocated string when the result exceeds PATH_MAX,
+which is unexpected when its second argument is not NULL.  This results
+in the second argument (resolved) being uninitialized and also results
+in a memory leak since the caller expects resolved to be the same as the
+returned value.
+
+Return NULL and set errno to ENAMETOOLONG if the result exceeds
+PATH_MAX.  This fixes [BZ #28770], which is CVE-2021-3998.
+
+Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+(cherry picked from commit ee8d5e33adb284601c00c94687bc907e10aec9bb)
+---
+ NEWS                          |  4 +++
+ stdlib/Makefile               |  1 +
+ stdlib/canonicalize.c         | 12 +++++++--
+ stdlib/tst-realpath-toolong.c | 49 +++++++++++++++++++++++++++++++++++
+ 4 files changed, 64 insertions(+), 2 deletions(-)
+ create mode 100644 stdlib/tst-realpath-toolong.c
+
+--- ./NEWS.orig	2021-02-01 11:15:33.000000000 -0600
++++ ./NEWS	2022-01-24 13:32:24.268678228 -0600
+@@ -118,6 +118,10 @@
+   CVE-2019-25013: A buffer overflow has been fixed in the iconv function when
+   invoked with EUC-KR input containing invalid multibyte input sequences.
+ 
++  CVE-2021-3998: Passing a path longer than PATH_MAX to the realpath
++  function could result in a memory leak and potential access of
++  uninitialized memory.  Reported by Qualys.
++
+ The following bugs are resolved with this release:
+ 
+   [10635] libc: realpath portability patches
+--- ./stdlib/canonicalize.c.orig	2021-02-01 11:15:33.000000000 -0600
++++ ./stdlib/canonicalize.c	2022-01-24 13:32:24.268678228 -0600
+@@ -400,8 +400,16 @@
+ 
+ error:
+   *dest++ = '\0';
+-  if (resolved != NULL && dest - rname <= get_path_max ())
+-    rname = strcpy (resolved, rname);
++  if (resolved != NULL)
++    {
++      if (dest - rname <= get_path_max ())
++	rname = strcpy (resolved, rname);
++      else
++	{
++	  failed = true;
++	  __set_errno (ENAMETOOLONG);
++	}
++    }
+ 
+ error_nomem:
+   scratch_buffer_free (&extra_buffer);
+--- ./stdlib/Makefile.orig	2022-01-24 13:32:24.268678228 -0600
++++ ./stdlib/Makefile	2022-01-24 13:32:59.968676254 -0600
+@@ -86,7 +86,7 @@
+ 		   tst-makecontext-align test-bz22786 tst-strtod-nan-sign \
+ 		   tst-swapcontext1 tst-setcontext4 tst-setcontext5 \
+ 		   tst-setcontext6 tst-setcontext7 tst-setcontext8 \
+-		   tst-setcontext9 tst-bz20544 tst-canon-bz26341
++		   tst-setcontext9 tst-bz20544 tst-canon-bz26341 tst-realpath-toolong
+ 
+ tests-internal	:= tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \
+ 		   tst-tls-atexit tst-tls-atexit-nodelete
+--- ./stdlib/tst-realpath-toolong.c.orig	2022-01-24 13:32:24.268678228 -0600
++++ ./stdlib/tst-realpath-toolong.c	2022-01-24 13:32:24.268678228 -0600
+@@ -0,0 +1,49 @@
++/* Verify that realpath returns NULL with ENAMETOOLONG if the result exceeds
++   NAME_MAX.
++   Copyright The GNU Toolchain Authors.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#include <errno.h>
++#include <limits.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++#include <support/check.h>
++#include <support/temp_file.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++
++#define BASENAME "tst-realpath-toolong."
++
++int
++do_test (void)
++{
++  char *base = support_create_and_chdir_toolong_temp_directory (BASENAME);
++
++  char buf[PATH_MAX + 1];
++  const char *res = realpath (".", buf);
++
++  /* canonicalize.c states that if the real path is >= PATH_MAX, then
++     realpath returns NULL and sets ENAMETOOLONG.  */
++  TEST_VERIFY (res == NULL);
++  TEST_VERIFY (errno == ENAMETOOLONG);
++
++  free (base);
++  return 0;
++}
++
++#include <support/test-driver.c>
diff --git a/source/l/glibc/patches/glibc.CVE-2021-3999.patch b/source/l/glibc/patches/glibc.CVE-2021-3999.patch
new file mode 100644
index 000000000..0644f798a
--- /dev/null
+++ b/source/l/glibc/patches/glibc.CVE-2021-3999.patch
@@ -0,0 +1,356 @@
+From 472e799a5f2102bc0c3206dbd5a801765fceb39c Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date: Fri, 21 Jan 2022 23:32:56 +0530
+Subject: [PATCH] getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999)
+
+No valid path returned by getcwd would fit into 1 byte, so reject the
+size early and return NULL with errno set to ERANGE.  This change is
+prompted by CVE-2021-3999, which describes a single byte buffer
+underflow and overflow when all of the following conditions are met:
+
+- The buffer size (i.e. the second argument of getcwd) is 1 byte
+- The current working directory is too long
+- '/' is also mounted on the current working directory
+
+Sequence of events:
+
+- In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG
+  because the linux kernel checks for name length before it checks
+  buffer size
+
+- The code falls back to the generic getcwd in sysdeps/posix
+
+- In the generic func, the buf[0] is set to '\0' on line 250
+
+- this while loop on line 262 is bypassed:
+
+    while (!(thisdev == rootdev && thisino == rootino))
+
+  since the rootfs (/) is bind mounted onto the directory and the flow
+  goes on to line 449, where it puts a '/' in the byte before the
+  buffer.
+
+- Finally on line 458, it moves 2 bytes (the underflowed byte and the
+  '\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow.
+
+- buf is returned on line 469 and errno is not set.
+
+This resolves BZ #28769.
+
+Reviewed-by: Andreas Schwab <schwab@linux-m68k.org>
+Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+Signed-off-by: Qualys Security Advisory <qsa@qualys.com>
+Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+(cherry picked from commit 23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e)
+---
+ NEWS                                          |   6 +
+ sysdeps/posix/getcwd.c                        |   7 +
+ sysdeps/unix/sysv/linux/Makefile              |   7 +-
+ .../unix/sysv/linux/tst-getcwd-smallbuff.c    | 241 ++++++++++++++++++
+ 4 files changed, 260 insertions(+), 1 deletion(-)
+ create mode 100644 sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
+
+diff --git a/NEWS b/NEWS
+index b4f81c2668..8d7467d2c1 100644
+--- a/NEWS
++++ b/NEWS
+@@ -20,6 +20,12 @@ Security related changes:
+   function could result in a memory leak and potential access of
+   uninitialized memory.  Reported by Qualys.
+ 
++  CVE-2021-3999: Passing a buffer of size exactly 1 byte to the getcwd
++  function may result in an off-by-one buffer underflow and overflow
++  when the current working directory is longer than PATH_MAX and also
++  corresponds to the / directory through an unprivileged mount
++  namespace.  Reported by Qualys.
++
+ The following bugs are resolved with this release:
+ 
+   [12889] nptl: Fix race between pthread_kill and thread exit
+diff --git a/sysdeps/posix/getcwd.c b/sysdeps/posix/getcwd.c
+index 13680026ff..b6984a382c 100644
+--- a/sysdeps/posix/getcwd.c
++++ b/sysdeps/posix/getcwd.c
+@@ -187,6 +187,13 @@ __getcwd_generic (char *buf, size_t size)
+   size_t allocated = size;
+   size_t used;
+ 
++  /* A size of 1 byte is never useful.  */
++  if (allocated == 1)
++    {
++      __set_errno (ERANGE);
++      return NULL;
++    }
++
+ #if HAVE_MINIMALLY_WORKING_GETCWD
+   /* If AT_FDCWD is not defined, the algorithm below is O(N**2) and
+      this is much slower than the system getcwd (at least on
+diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile
+index 76ad06361c..9380d3848d 100644
+--- a/sysdeps/unix/sysv/linux/Makefile
++++ b/sysdeps/unix/sysv/linux/Makefile
+@@ -331,7 +331,12 @@ sysdep_routines += xstatconv internal_statvfs \
+ 
+ sysdep_headers += bits/fcntl-linux.h
+ 
+-tests += tst-fallocate tst-fallocate64 tst-o_path-locks
++tests += \
++  tst-fallocate \
++  tst-fallocate64 \
++  tst-getcwd-smallbuff \
++  tst-o_path-locks \
++# tests
+ endif
+ 
+ ifeq ($(subdir),elf)
+diff --git a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
+new file mode 100644
+index 0000000000..d460d6e766
+--- /dev/null
++++ b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
+@@ -0,0 +1,241 @@
++/* Verify that getcwd returns ERANGE for size 1 byte and does not underflow
++   buffer when the CWD is too long and is also a mount target of /.  See bug
++   #28769 or CVE-2021-3999 for more context.
++   Copyright The GNU Toolchain Authors.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#include <errno.h>
++#include <fcntl.h>
++#include <intprops.h>
++#include <limits.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <sys/mount.h>
++#include <sys/stat.h>
++#include <sys/types.h>
++#include <sys/wait.h>
++
++#include <sys/socket.h>
++#include <sys/un.h>
++#include <support/check.h>
++#include <support/temp_file.h>
++#include <support/xsched.h>
++#include <support/xunistd.h>
++
++static char *base;
++#define BASENAME "tst-getcwd-smallbuff"
++#define MOUNT_NAME "mpoint"
++static int sockfd[2];
++
++static void
++do_cleanup (void)
++{
++  support_chdir_toolong_temp_directory (base);
++  TEST_VERIFY_EXIT (rmdir (MOUNT_NAME) == 0);
++  free (base);
++}
++
++static void
++send_fd (const int sock, const int fd)
++{
++  struct msghdr msg = {0};
++  union
++    {
++      struct cmsghdr hdr;
++      char buf[CMSG_SPACE (sizeof (int))];
++    } cmsgbuf = {0};
++  struct cmsghdr *cmsg;
++  struct iovec vec;
++  char ch = 'A';
++  ssize_t n;
++
++  msg.msg_control = &cmsgbuf.buf;
++  msg.msg_controllen = sizeof (cmsgbuf.buf);
++
++  cmsg = CMSG_FIRSTHDR (&msg);
++  cmsg->cmsg_len = CMSG_LEN (sizeof (int));
++  cmsg->cmsg_level = SOL_SOCKET;
++  cmsg->cmsg_type = SCM_RIGHTS;
++  memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd));
++
++  vec.iov_base = &ch;
++  vec.iov_len = 1;
++  msg.msg_iov = &vec;
++  msg.msg_iovlen = 1;
++
++  while ((n = sendmsg (sock, &msg, 0)) == -1 && errno == EINTR);
++
++  TEST_VERIFY_EXIT (n == 1);
++}
++
++static int
++recv_fd (const int sock)
++{
++  struct msghdr msg = {0};
++  union
++    {
++      struct cmsghdr hdr;
++      char buf[CMSG_SPACE(sizeof(int))];
++    } cmsgbuf = {0};
++  struct cmsghdr *cmsg;
++  struct iovec vec;
++  ssize_t n;
++  char ch = '\0';
++  int fd = -1;
++
++  vec.iov_base = &ch;
++  vec.iov_len = 1;
++  msg.msg_iov = &vec;
++  msg.msg_iovlen = 1;
++
++  msg.msg_control = &cmsgbuf.buf;
++  msg.msg_controllen = sizeof (cmsgbuf.buf);
++
++  while ((n = recvmsg (sock, &msg, 0)) == -1 && errno == EINTR);
++  if (n != 1 || ch != 'A')
++    return -1;
++
++  cmsg = CMSG_FIRSTHDR (&msg);
++  if (cmsg == NULL)
++    return -1;
++  if (cmsg->cmsg_type != SCM_RIGHTS)
++    return -1;
++  memcpy (&fd, CMSG_DATA (cmsg), sizeof (fd));
++  if (fd < 0)
++    return -1;
++  return fd;
++}
++
++static int
++child_func (void * const arg)
++{
++  xclose (sockfd[0]);
++  const int sock = sockfd[1];
++  char ch;
++
++  TEST_VERIFY_EXIT (read (sock, &ch, 1) == 1);
++  TEST_VERIFY_EXIT (ch == '1');
++
++  if (mount ("/", MOUNT_NAME, NULL, MS_BIND | MS_REC, NULL))
++    FAIL_EXIT1 ("mount failed: %m\n");
++  const int fd = xopen ("mpoint",
++			O_RDONLY | O_PATH | O_DIRECTORY | O_NOFOLLOW, 0);
++
++  send_fd (sock, fd);
++  xclose (fd);
++
++  TEST_VERIFY_EXIT (read (sock, &ch, 1) == 1);
++  TEST_VERIFY_EXIT (ch == 'a');
++
++  xclose (sock);
++  return 0;
++}
++
++static void
++update_map (char * const mapping, const char * const map_file)
++{
++  const size_t map_len = strlen (mapping);
++
++  const int fd = xopen (map_file, O_WRONLY, 0);
++  xwrite (fd, mapping, map_len);
++  xclose (fd);
++}
++
++static void
++proc_setgroups_write (const long child_pid, const char * const str)
++{
++  const size_t str_len = strlen(str);
++
++  char setgroups_path[sizeof ("/proc//setgroups") + INT_STRLEN_BOUND (long)];
++
++  snprintf (setgroups_path, sizeof (setgroups_path),
++	    "/proc/%ld/setgroups", child_pid);
++
++  const int fd = open (setgroups_path, O_WRONLY);
++
++  if (fd < 0)
++    {
++      TEST_VERIFY_EXIT (errno == ENOENT);
++      FAIL_UNSUPPORTED ("/proc/%ld/setgroups not found\n", child_pid);
++    }
++
++  xwrite (fd, str, str_len);
++  xclose(fd);
++}
++
++static char child_stack[1024 * 1024];
++
++int
++do_test (void)
++{
++  base = support_create_and_chdir_toolong_temp_directory (BASENAME);
++
++  xmkdir (MOUNT_NAME, S_IRWXU);
++  atexit (do_cleanup);
++
++  TEST_VERIFY_EXIT (socketpair (AF_UNIX, SOCK_STREAM, 0, sockfd) == 0);
++  pid_t child_pid = xclone (child_func, NULL, child_stack,
++			    sizeof (child_stack),
++			    CLONE_NEWUSER | CLONE_NEWNS | SIGCHLD);
++
++  xclose (sockfd[1]);
++  const int sock = sockfd[0];
++
++  char map_path[sizeof ("/proc//uid_map") + INT_STRLEN_BOUND (long)];
++  char map_buf[sizeof ("0  1") + INT_STRLEN_BOUND (long)];
++
++  snprintf (map_path, sizeof (map_path), "/proc/%ld/uid_map",
++	    (long) child_pid);
++  snprintf (map_buf, sizeof (map_buf), "0 %ld 1", (long) getuid());
++  update_map (map_buf, map_path);
++
++  proc_setgroups_write ((long) child_pid, "deny");
++  snprintf (map_path, sizeof (map_path), "/proc/%ld/gid_map",
++	    (long) child_pid);
++  snprintf (map_buf, sizeof (map_buf), "0 %ld 1", (long) getgid());
++  update_map (map_buf, map_path);
++
++  TEST_VERIFY_EXIT (send (sock, "1", 1, MSG_NOSIGNAL) == 1);
++  const int fd = recv_fd (sock);
++  TEST_VERIFY_EXIT (fd >= 0);
++  TEST_VERIFY_EXIT (fchdir (fd) == 0);
++
++  static char buf[2 * 10 + 1];
++  memset (buf, 'A', sizeof (buf));
++
++  /* Finally, call getcwd and check if it resulted in a buffer underflow.  */
++  char * cwd = getcwd (buf + sizeof (buf) / 2, 1);
++  TEST_VERIFY (cwd == NULL);
++  TEST_VERIFY (errno == ERANGE);
++
++  for (int i = 0; i < sizeof (buf); i++)
++    if (buf[i] != 'A')
++      {
++	printf ("buf[%d] = %02x\n", i, (unsigned int) buf[i]);
++	support_record_failure ();
++      }
++
++  TEST_VERIFY_EXIT (send (sock, "a", 1, MSG_NOSIGNAL) == 1);
++  xclose (sock);
++  TEST_VERIFY_EXIT (xwaitpid (child_pid, NULL, 0) == child_pid);
++
++  return 0;
++}
++
++#define CLEANUP_HANDLER do_cleanup
++#include <support/test-driver.c>
+-- 
+2.27.0
+
+
diff --git a/source/l/tdb/tdb.SlackBuild b/source/l/tdb/tdb.SlackBuild
index c903a9a52..2a1ec9ac4 100755
--- a/source/l/tdb/tdb.SlackBuild
+++ b/source/l/tdb/tdb.SlackBuild
@@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PKGNAM=tdb
 VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-3}
+BUILD=${BUILD:-1}
 
 # Automatically determine the architecture we're building on:
 if [ -z "$ARCH" ]; then