CVE-2025-4802 was announced here: https://www.openwall.com/lists/oss-security/2025/05/16/7
Test case: https://www.openwall.com/lists/oss-security/2025/05/17/2
CVE: (none) => CVE-2025-4802
Source RPM: (none) => glibc-2.36-55.mga9.src.rpm
"The only viable vector for exploitation of this bug is local, if a static setuid program exists, and that program calls dlopen, then it may search LD_LIBRARY_PATH to locate the SONAME to load. No such program has been discovered at the time of publishing this advisory, but the presence of custom setuid programs, although strongly discouraged as a security practice, cannot be discounted." which is highly improbable; so not urgent. Despite lack of a fix, assigning now to basesystem.
Assignee: bugsquad => basesystem
Status comment: (none) => Await fix
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo). (CVE-2025-4802)

References:
https://www.openwall.com/lists/oss-security/2025/05/16/7
https://www.openwall.com/lists/oss-security/2025/05/17/2
========================

Updated packages in core/updates_testing:
========================
glibc-2.36-56.mga9
glibc-devel-2.36-56.mga9
glibc-doc-2.36-56.mga9
glibc-i18ndata-2.36-56.mga9
glibc-profile-2.36-56.mga9
glibc-static-devel-2.36-56.mga9
glibc-utils-2.36-56.mga9
nscd-2.36-56.mga9

from SRPM:
glibc-2.36-56.mga9.src.rpm
Assignee: basesystem => qa-bugs
Status: NEW => ASSIGNED
Status comment: Await fix => (none)
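An audit for the condition the advisory above describes, as an added example that is not part of this bug report or of glibc: it lists setuid (and, going slightly beyond the advisory, setgid) files under a directory whose ELF program headers contain no PT_INTERP entry, which is the mark of a static or static-pie image. The names `find_static_setid`, `is_static_elf` and `make_elf64` are chosen here, and whether a flagged program actually reaches dlopen still has to be reviewed by hand.

```python
import os, stat, struct

PT_INTERP = 3   # program header type naming the dynamic loader

def elf_segment_types(data):
    """Set of program-header p_type values, or None if data is not a parseable ELF."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        return None
    e = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little endian
    if data[4] == 2:                          # EI_CLASS: 2 = ELF64
        (phoff,) = struct.unpack_from(e + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(e + "HH", data, 54)
    else:                                     # ELF32
        (phoff,) = struct.unpack_from(e + "I", data, 28)
        phentsize, phnum = struct.unpack_from(e + "HH", data, 42)
    types = set()
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):               # truncated or malformed header table
            return None
        types.add(struct.unpack_from(e + "I", data, off)[0])
    return types

def is_static_elf(data):
    """True for an ELF with no PT_INTERP segment (static and static-pie executables)."""
    types = elf_segment_types(data)
    return types is not None and PT_INTERP not in types

def find_static_setid(root):
    """Paths of regular setuid/setgid files under root that are static ELF images."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
                if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                    with open(path, "rb") as f:
                        if is_static_elf(f.read()):
                            hits.append(path)
            except OSError:                   # unreadable or vanished file: skip
                continue
    return sorted(hits)

def make_elf64(ptypes):
    """Constructed sample input: little-endian ELF64 header plus bare program headers."""
    hdr = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(ptypes), 0, 0, 0)
    return b"\x7fELF\x02\x01\x01" + bytes(9) + hdr + b"".join(struct.pack("<I", t) + bytes(52) for t in ptypes)
```

Run `find_static_setid("/usr")` as root so unreadable files are not silently skipped; an empty list means no static setuid or setgid ELF files were found under that directory.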
CC: (none) => mageia
I saw this error when updating glibc, in one of the Mageia 9 VMs and containers I use for testing:
"""
Error: Missing /usr/lib64/gconv/gconv-modules.cache file.
"""

The file is indeed missing. After looking at the glibc rpm script, to create the missing file, I ran this command as root:
"""
/usr/sbin/iconvconfig -o /usr/lib64/gconv/gconv-modules.cache --nostdlib /usr/lib64/gconv
"""

This only happened in one of the updated VMs and containers with Mageia 9. No idea why this VM had an issue. Will continue testing.
Keywords: (none) => advisory
MGA9-32, AMD A6-3420M APU with Radeon(tm) HD Graphics, old Laptop

The following 10 packages are going to be installed:

- firefox-128.10.1-2.mga9.i586
- firefox-en_CA-128.10.1-1.mga9.noarch
- firefox-en_GB-128.10.1-1.mga9.noarch
- firefox-en_US-128.10.1-1.mga9.noarch
- glibc-2.36-56.mga9.i586
- libnss3-3.111.0-1.mga9.i586
- nss-3.111.0-1.mga9.i586
- nss-myhostname-253.31-1.mga9.i586
- rootcerts-20250424.00-1.mga9.noarch
- rootcerts-java-20250424.00-1.mga9.noarch

3.4KB of additional disk space will be used.

---rebooted

spending time using firefox, etc. - working it was added with firefox. I also added the nscd after the fact.
CC: (none) => brtians1
(In reply to PC LX from comment #3)
> I saw this error when updating glibc, in one of the Mageia 9 VMs and
> containers I use for testing:
> """
> Error: Missing /usr/lib64/gconv/gconv-modules.cache file.
> """

This was reported some time ago, but with the current status of the services it is hard to find :(
(In reply to katnatek from comment #5)
> (In reply to PC LX from comment #3)
> > I saw this error when updating glibc, in one of the Mageia 9 VMs and
> > containers I use for testing:
> > """
> > Error: Missing /usr/lib64/gconv/gconv-modules.cache file.
> > """
> This was reported time ago but with the current status of the services is
> hard to find :(

https://bugs.mageia.org/show_bug.cgi?id=31909 (was less difficult from external search)
RH x86_64

installing glibc-2.36-56.mga9.x86_64.rpm glibc-devel-2.36-56.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/2: glibc ##################################################################################################
2/2: glibc-devel ##################################################################################################
1/2: removing glibc-devel-6:2.36-55.mga9.x86_64 ##################################################################################################
2/2: removing glibc-6:2.36-55.mga9.x86_64 ##################################################################################################
You should restart your computer for glibc

Error: Missing /usr/lib64/gconv/gconv-modules.cache file.

Reboot
No issues detected, play videos, audios, browse internet, open text files and terminal
MGA9-64, GNOME, AMD Ryzen 5600, Nvidia 1050 (550 driver) Installed including nscd. No issues to report.
MGA9-64 Plasma, i5-7500, nvidia Quadro K620 graphics. Updated using drakrpm-update with no errors reported. After the reboot, tried this and that, no issues to report.
CC: (none) => andrewsfarm
MGA9-32 Xfce on Foolishness, my Dell Inspiron 5100, P4, old laptop. No installation issues, and no issues to report after the reboot.
This looks good to me, tested on both arches. Validating.
CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA9-32-OK MGA9-64-OK
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2025-0164.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED