fix:CVE-2023-5156

backport-CVE-2023-5156.patch

@@ -0,0 +1,29 @@
+From ec6b95c3303c700eb89eebeda2d7264cc184a796 Mon Sep 17 00:00:00 2001
+From: Romain Geissler <romain.geissler@amadeus.com>
+Date: Mon, 25 Sep 2023 01:21:51 +0100
+Subject: [PATCH] Fix leak in getaddrinfo introduced by the fix for
+ CVE-2023-4806 [BZ #30843]
+
+This patch fixes a very recently added leak in getaddrinfo.
+
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+---
+ sysdeps/posix/getaddrinfo.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index 614ee39f..b3321913 100644
+--- a/sysdeps/posix/getaddrinfo.c
++++ b/sysdeps/posix/getaddrinfo.c
+@@ -1160,6 +1160,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 
+   if (res.malloc_h_name){
+     free (res.h_name);
++    res.malloc_h_name = false;
+   }
+ 
+   return result;
+-- 
+2.23.0
+

glibc.spec

@@ -70,7 +70,7 @@
 ##############################################################################
 Name: 	 	glibc
 Version: 	2.34
-Release: 	135
+Release: 	136
 Summary: 	The GNU libc libraries
 License:	%{all_license}
 URL: 		http://www.gnu.org/software/glibc/
@@ -276,6 +276,7 @@ Patch185: time-strftime_l-Avoid-an-unbounded-alloca.patch
 Patch186: backport-string-strerror-must-not-return-NULL-bug-30555.patch
 Patch187: backport-CVE-2023-4813.patch
 Patch188: backport-CVE-2023-4806.patch
+Patch189: backport-CVE-2023-5156.patch
 
 Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch
 Patch9001: delete-no-hard-link-to-avoid-all_language-package-to.patch 
@@ -1499,6 +1500,9 @@ fi
 %endif
 
 %changelog
+* Tue Sep 26 2023 zhanghao<zhanghao383@huawei.com> - 2.34-136
+- fix CVE-2023-5156
+
 * Mon Sep 25 2023 zhanghao<zhanghao383@huawei.com> - 2.34-135
 - fix CVE-2023-4806 CVE-2023-5156