diff --git a/glibc.changes b/glibc.changes
index 723c6d2..e26d1a2 100644
--- a/glibc.changes
+++ b/glibc.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed May 23 08:18:00 UTC 2018 - schwab@suse.de
+
+- mempcpy-avx512.patch: Don't write beyond destination in
+ __mempcpy_avx512_no_vzeroupper (CVE-2018-11237, bsc#1094154)
+- realpath-ssize-max-overflow.patch: Fix overflow in path length
+ computation (CVE-2018-11236, bsc#1094161, BZ #22786)
+- Use %license also for COPYING, COPYING.LIB
+
 -------------------------------------------------------------------
 Thu Apr 12 08:12:30 UTC 2018 - schwab@suse.de
 
@@ -7,7 +16,7 @@ Thu Apr 12 08:12:30 UTC 2018 - schwab@suse.de
 Thu Mar 29 09:53:52 UTC 2018 - schwab@suse.de
 
 - i386-memmove-sse2-unaligned.patch: Fix SSE2 memmove issue when crossing
- 2GB boundary (BZ #22644)
+ 2GB boundary (CVE-2017-18269, bnc#1094150, BZ #22644)
 
 -------------------------------------------------------------------
 Tue Mar 27 11:30:49 UTC 2018 - schwab@suse.de
diff --git a/glibc.spec b/glibc.spec
index f145d79..6e210aa 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -302,8 +302,12 @@ Patch1008: riscv-tls-init.patch
 Patch1009: riscv-fmax-fmin-nan.patch
 # PATCH-FIX-UPSTREAM Fix crash in resolver on memory allocation failure (BZ #23005)
 Patch1010: res-send-enomem.patch
-# PATCH-FIX-UPSTREAM memmove-sse2-unaligned on 32bit x86 produces garbage when crossing 2GB threshold (BZ #22644)
+# PATCH-FIX-UPSTREAM memmove-sse2-unaligned on 32bit x86 produces garbage when crossing 2GB threshold (CVE-2017-18269, BZ #22644)
 Patch1011: i386-memmove-sse2-unaligned.patch
+# PATCH-FIX-UPSTREAM __mempcpy_avx512_no_vzeroupper mishandles large copies (CVE-2018-11237, BZ #23196)
+Patch1012: mempcpy-avx512.patch
+# PATCH-FIX-UPSTREAM realpath-ssize-max-overflow.patch: Fix overflow in path length computation (CVE-2018-11236, BZ #22786)
+Patch1013: realpath-ssize-max-overflow.patch
 
 ###
 # Patches awaiting upstream approval
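Review bot: The comment added for Patch1013 opens with the patch file name (`# PATCH-FIX-UPSTREAM realpath-ssize-max-overflow.patch: Fix overflow ...`), while the neighbouring PATCH-FIX-UPSTREAM comments, including the new one for Patch1012, describe only the fix, and the `Patch1013:` line directly below already names the file. Dropping the repeated name keeps the tag block uniform: `# PATCH-FIX-UPSTREAM Fix overflow in realpath path length computation (CVE-2018-11236, BZ #22786)`.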
@@ -525,6 +529,8 @@ mv crypt_blowfish-%crypt_bf_version/*.[chS] crypt/
 %patch1009 -p1
 %patch1010 -p1
 %patch1011 -p1
+%patch1012 -p1
+%patch1013 -p1
 
 %patch2000 -p1
 %patch2004 -p1
@@ -1252,7 +1258,8 @@ exit 0
 
 %files devel
 %defattr(-,root,root)
-%doc COPYING COPYING.LIB NEWS README
+%license COPYING COPYING.LIB
+%doc NEWS README
 %doc %{_mandir}/man1/catchsegv.1.gz
 %doc %{_mandir}/man3/*
 %{_bindir}/catchsegv
diff --git a/mempcpy-avx512.patch b/mempcpy-avx512.patch
new file mode 100644
index 0000000..0fe123c
--- /dev/null
+++ b/mempcpy-avx512.patch
@@ -0,0 +1,42 @@
+ [BZ #23196]
+ CVE-2018-11237
+ * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+ (L(preloop_large)): Save initial destination pointer in %r11 and
+ use it instead of %rax after the loop.
+ * string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
+
+Index: glibc-2.27/string/test-mempcpy.c
+===================================================================
+--- glibc-2.27.orig/string/test-mempcpy.c
++++ glibc-2.27/string/test-mempcpy.c
+@@ -18,6 +18,7 @@
+ . */
+ 
+ #define MEMCPY_RESULT(dst, len) (dst) + (len)
++#define MIN_PAGE_SIZE 131072
+ #define TEST_MAIN
+ #define TEST_NAME "mempcpy"
+ #include "test-string.h"
+Index: glibc-2.27/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+===================================================================
+--- glibc-2.27.orig/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
++++ glibc-2.27/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+@@ -336,6 +336,7 @@ L(preloop_large):
+ vmovups (%rsi), %zmm4
+ vmovups 0x40(%rsi), %zmm5
+ 
++ mov %rdi, %r11
+ /* Align destination for access with non-temporal stores in the loop. */
+ mov %rdi, %r8
+ and $-0x80, %rdi
+@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
+ cmp $256, %rdx
+ ja L(gobble_256bytes_nt_loop)
+ sfence
+- vmovups %zmm4, (%rax)
+- vmovups %zmm5, 0x40(%rax)
++ vmovups %zmm4, (%r11)
++ vmovups %zmm5, 0x40(%r11)
+ jmp L(check)
+ 
+ L(preloop_large_bkw):
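Review bot: The new `mov %rdi, %r11` in L(preloop_large) relies on %r11 surviving the whole L(gobble_256bytes_nt_loop) body, but the patch shows only the loop's tail (the `cmp`/`ja`/`sfence` lines), so the body between the two hunks should be checked for any use of %r11 before this is merged. A one-line comment at the save would also help the next reader, e.g. `/* Keep the original destination for the two trailing stores; %rax cannot be used for that here.  */` — the reason %rax was wrong is presumably that the mempcpy entry point leaves a different value in it, but nothing in the hunk shows that. Unlike realpath-ssize-max-overflow.patch, this patch file carries no ChangeLog author/date line or upstream commit reference, only the BZ and CVE numbers; recording the origin makes it easier to drop the patch when rebasing. The `MIN_PAGE_SIZE 131072` definition added to test-mempcpy.c is presumably what lets the test reach the large-copy path being fixed; a sentence saying so in the patch header would save that guess.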
diff --git a/realpath-ssize-max-overflow.patch b/realpath-ssize-max-overflow.patch
new file mode 100644
index 0000000..b9ddb09
--- /dev/null
+++ b/realpath-ssize-max-overflow.patch
@@ -0,0 +1,129 @@
+2018-05-09 Paul Pluzhnikov
+
+ [BZ #22786]
+ * stdlib/canonicalize.c (__realpath): Fix overflow in path length
+ computation.
+ * stdlib/Makefile (test-bz22786): New test.
+ * stdlib/test-bz22786.c: New test.
+
+Index: glibc-2.27/stdlib/Makefile
+===================================================================
+--- glibc-2.27.orig/stdlib/Makefile
++++ glibc-2.27/stdlib/Makefile
+@@ -84,7 +84,7 @@ tests := tst-strtol tst-strtod testmb t
+ tst-cxa_atexit tst-on_exit test-atexit-race \
+ test-at_quick_exit-race test-cxa_atexit-race \
+ test-on_exit-race test-dlclose-exit-race \
+- tst-makecontext-align
++ tst-makecontext-align test-bz22786
+ 
+ tests-internal := tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \
+ tst-tls-atexit tst-tls-atexit-nodelete
+Index: glibc-2.27/stdlib/canonicalize.c
+===================================================================
+--- glibc-2.27.orig/stdlib/canonicalize.c
++++ glibc-2.27/stdlib/canonicalize.c
+@@ -181,7 +181,7 @@ __realpath (const char *name, char *reso
+ extra_buf = __alloca (path_max);
+ 
+ len = strlen (end);
+- if ((long int) (n + len) >= path_max)
++ if (path_max - n <= len)
+ {
+ __set_errno (ENAMETOOLONG);
+ goto error;
+Index: glibc-2.27/stdlib/test-bz22786.c
+===================================================================
+--- /dev/null
++++ glibc-2.27/stdlib/test-bz22786.c
+@@ -0,0 +1,90 @@
++/* Bug 22786: test for buffer overflow in realpath.
++ Copyright (C) 2018 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ . */
++
++/* This file must be run from within a directory called "stdlib". */
++
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++
++static int
++do_test (void)
++{
++ const char dir[] = "bz22786";
++ const char lnk[] = "bz22786/symlink";
++
++ rmdir (dir);
++ if (mkdir (dir, 0755) != 0 && errno != EEXIST)
++ {
++ printf ("mkdir %s: %m\n", dir);
++ return EXIT_FAILURE;
++ }
++ if (symlink (".", lnk) != 0 && errno != EEXIST)
++ {
++ printf ("symlink (%s, %s): %m\n", dir, lnk);
++ return EXIT_FAILURE;
++ }
++
++ const size_t path_len = (size_t) INT_MAX + 1;
++
++ DIAG_PUSH_NEEDS_COMMENT;
++#if __GNUC_PREREQ (7, 0)
++ /* GCC 7 warns about too-large allocations; here we need such
++ allocation to succeed for the test to work. */
++ DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
++#endif
++ char *path = malloc (path_len);
++ DIAG_POP_NEEDS_COMMENT;
++
++ if (path == NULL)
++ {
++ printf ("malloc (%zu): %m\n", path_len);
++ return EXIT_UNSUPPORTED;
++ }
++
++ /* Construct very long path = "bz22786/symlink/aaaa....." */
++ char *p = mempcpy (path, lnk, sizeof (lnk) - 1);
++ *(p++) = '/';
++ memset (p, 'a', path_len - (path - p) - 2);
++ p[path_len - (path - p) - 1] = '\0';
++
++ /* This call crashes before the fix for bz22786 on 32-bit platforms. */
++ p = realpath (path, NULL);
++
++ if (p != NULL || errno != ENAMETOOLONG)
++ {
++ printf ("realpath: %s (%m)", p);
++ return EXIT_FAILURE;
++ }
++
++ /* Cleanup. */
++ unlink (lnk);
++ rmdir (dir);
++
++ return 0;
++}
++
++#define TEST_FUNCTION do_test
++#include
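Review bot: In test-bz22786.c the memset count `path_len - (path - p) - 2` is computed with the difference the wrong way round: after the `mempcpy` and the `'/'` store `p` points past `path`, so `path - p` is negative, the subtraction wraps to `path_len` plus the prefix length, and both the memset and the `p[path_len - (path - p) - 1] = '\0'` store write beyond the end of the `path` allocation. Measuring the used prefix as `p - path` fixes it; `memset (p, 'a', path_len - (p - path) - 1);` followed by `path[path_len - 1] = '\0';` fills the remainder and terminates it without the unwritten byte the `- 2` would leave before the NUL. On the failure path `printf ("realpath: %s (%m)", p)` hands a possibly NULL `p` to `%s`, which ISO C leaves undefined even though glibc prints `(null)`. In canonicalize.c the new `if (path_max - n <= len)` is equivalent to the old check only when `0 <= n < path_max` holds at that point; the hunk does not show where `n` is assigned, so a comment such as `/* n < path_max here, so the subtraction cannot go negative; avoids the n + len overflow of BZ #22786.  */` would record the invariant the rewrite depends on.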