diff --git a/SOURCES/glibc-rh2032280-1.patch b/SOURCES/glibc-rh2032280-1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6308350731fe17edbcb6d9a2e38231c438ad35f9
--- /dev/null
+++ b/SOURCES/glibc-rh2032280-1.patch
@@ -0,0 +1,64 @@
+commit a7e9dbb7742954814643a8562dcad09abb0b0e5d
+Author: Alexandra Hájková <ahajkova@redhat.com>
+Date: Sat Dec 26 18:45:13 2020 +0100
+
+ Add xchdir to libsupport.
+
+diff --git a/support/Makefile b/support/Makefile
+index dcf3c4baa2a31070..fb95a69ed9158e78 100644
+--- a/support/Makefile
++++ b/support/Makefile
+@@ -82,6 +82,7 @@ libsupport-routines = \
+ xasprintf \
+ xbind \
+ xcalloc \
++ xchdir \
+ xchroot \
+ xclose \
+ xconnect \
+diff --git a/support/xchdir.c b/support/xchdir.c
+new file mode 100644
+index 0000000000000000..beb4feff72832065
+--- /dev/null
++++ b/support/xchdir.c
+@@ -0,0 +1,28 @@
++/* chdir with error checking.
++ Copyright (C) 2020 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <https://www.gnu.org/licenses/>. */
++
++#include <support/check.h>
++#include <support/xunistd.h>
++#include <unistd.h>
++
++void
++xchdir (const char *path)
++{
++ if (chdir (path) != 0)
++ FAIL_EXIT1 ("chdir (\"%s\"): %m", path);
++}
+diff --git a/support/xunistd.h b/support/xunistd.h
+index f99f362cb4763c5b..74fd2771d12c36fe 100644
+--- a/support/xunistd.h
++++ b/support/xunistd.h
+@@ -44,6 +44,7 @@ long xsysconf (int name);
+ long long xlseek (int fd, long long offset, int whence);
+ void xftruncate (int fd, long long length);
+ void xsymlink (const char *target, const char *linkpath);
++void xchdir (const char *path);
+
+ /* Equivalent of "mkdir -p". */
+ void xmkdirp (const char *, mode_t);
diff --git a/SOURCES/glibc-rh2032280-2.patch b/SOURCES/glibc-rh2032280-2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..56edb3d5f7b4514e5662e6c69f0ecccfd2ed7063
--- /dev/null
+++ b/SOURCES/glibc-rh2032280-2.patch
@@ -0,0 +1,72 @@
+commit 60854f40ea2d420867ed2f0f052ee7fca661dbff
+Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
+Date: Thu Oct 15 15:14:22 2020 -0300
+
+ support: Add create_temp_file_in_dir
+
+ It allows created a temporary file in a specified directory.
+
+diff --git a/support/support.h b/support/support.h
+index f50f8cc1496d657d..96833bd4e992e6d3 100644
+--- a/support/support.h
++++ b/support/support.h
+@@ -23,6 +23,7 @@
+ #ifndef SUPPORT_H
+ #define SUPPORT_H
+
++#include <stdbool.h>
+ #include <stddef.h>
+ #include <sys/cdefs.h>
+ /* For mode_t. */
+diff --git a/support/temp_file.c b/support/temp_file.c
+index 0bbc7f997264f758..5a2728c94a9c32ae 100644
+--- a/support/temp_file.c
++++ b/support/temp_file.c
+@@ -60,14 +60,12 @@ add_temp_file (const char *name)
+ }
+
+ int
+-create_temp_file (const char *base, char **filename)
++create_temp_file_in_dir (const char *base, const char *dir, char **filename)
+ {
+ char *fname;
+ int fd;
+
+- fname = (char *) xmalloc (strlen (test_dir) + 1 + strlen (base)
+- + sizeof ("XXXXXX"));
+- strcpy (stpcpy (stpcpy (stpcpy (fname, test_dir), "/"), base), "XXXXXX");
++ fname = xasprintf ("%s/%sXXXXXX", dir, base);
+
+ fd = mkstemp (fname);
+ if (fd == -1)
+@@ -86,6 +84,12 @@ create_temp_file (const char *base, char **filename)
+ return fd;
+ }
+
++int
++create_temp_file (const char *base, char **filename)
++{
++ return create_temp_file_in_dir (base, test_dir, filename);
++}
++
+ char *
+ support_create_temp_directory (const char *base)
+ {
+diff --git a/support/temp_file.h b/support/temp_file.h
+index c7795cc577ca22a9..d64563f41f1f50cd 100644
+--- a/support/temp_file.h
++++ b/support/temp_file.h
+@@ -32,6 +32,13 @@ void add_temp_file (const char *name);
+ *FILENAME. */
+ int create_temp_file (const char *base, char **filename);
+
++/* Create a temporary file in directory DIR. Return the opened file
++ descriptor on success, or -1 on failure. Write the file name to
++ *FILENAME if FILENAME is not NULL. In this case, the caller is
++ expected to free *FILENAME. */
++int create_temp_file_in_dir (const char *base, const char *dir,
++ char **filename);
++
+ /* Create a temporary directory and schedule it for deletion. BASE is
+ used as a prefix for the unique directory name, which the function
+ returns. The caller should free this string. */
diff --git a/SOURCES/glibc-rh2032280-3.patch b/SOURCES/glibc-rh2032280-3.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7cb306d3ffd1f9085f1b623df3594bc74406e64d
--- /dev/null
+++ b/SOURCES/glibc-rh2032280-3.patch
@@ -0,0 +1,278 @@
+commit fb7bff12e81c677a6622f724edd4d4987dd9d971
+Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date: Tue Jan 18 13:29:36 2022 +0530
+
+ support: Add helpers to create paths longer than PATH_MAX
+
+ Add new helpers support_create_and_chdir_toolong_temp_directory and
+ support_chdir_toolong_temp_directory to create and descend into
+ directory trees longer than PATH_MAX.
+
+ Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
+ Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+# Conflicts:
+# support/temp_file.c
+
+diff --git a/support/temp_file.c b/support/temp_file.c
+index 5a2728c94a9c32ae..661c86bad5c0121f 100644
+--- a/support/temp_file.c
++++ b/support/temp_file.c
+@@ -1,5 +1,6 @@
+ /* Temporary file handling for tests.
+- Copyright (C) 1998-2018 Free Software Foundation, Inc.
++ Copyright (C) 1998-2022 Free Software Foundation, Inc.
++ Copyright The GNU Tools Authors.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+@@ -20,15 +21,17 @@
+ some 32-bit platforms. */
+ #define _FILE_OFFSET_BITS 64
+
++#include <support/check.h>
+ #include <support/temp_file.h>
+ #include <support/temp_file-internal.h>
+ #include <support/support.h>
+
++#include <errno.h>
+ #include <paths.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+-#include <unistd.h>
++#include <xunistd.h>
+
+ /* List of temporary files. */
+ static struct temp_name_list
+@@ -36,14 +39,20 @@ static struct temp_name_list
+ struct temp_name_list *next;
+ char *name;
+ pid_t owner;
++ bool toolong;
+ } *temp_name_list;
+
+ /* Location of the temporary files. Set by the test skeleton via
+ support_set_test_dir. The string is not be freed. */
+ static const char *test_dir = _PATH_TMP;
+
+-void
+-add_temp_file (const char *name)
++/* Name of subdirectories in a too long temporary directory tree. */
++static char toolong_subdir[NAME_MAX + 1];
++static bool toolong_initialized;
++static size_t toolong_path_max;
++
++static void
++add_temp_file_internal (const char *name, bool toolong)
+ {
+ struct temp_name_list *newp
+ = (struct temp_name_list *) xcalloc (sizeof (*newp), 1);
+@@ -53,12 +62,19 @@ add_temp_file (const char *name)
+ newp->name = newname;
+ newp->next = temp_name_list;
+ newp->owner = getpid ();
++ newp->toolong = toolong;
+ temp_name_list = newp;
+ }
+ else
+ free (newp);
+ }
+
++void
++add_temp_file (const char *name)
++{
++ add_temp_file_internal (name, false);
++}
++
+ int
+ create_temp_file_in_dir (const char *base, const char *dir, char **filename)
+ {
+@@ -90,8 +106,8 @@ create_temp_file (const char *base, char **filename)
+ return create_temp_file_in_dir (base, test_dir, filename);
+ }
+
+-char *
+-support_create_temp_directory (const char *base)
++static char *
++create_temp_directory_internal (const char *base, bool toolong)
+ {
+ char *path = xasprintf ("%s/%sXXXXXX", test_dir, base);
+ if (mkdtemp (path) == NULL)
+@@ -99,16 +115,132 @@ support_create_temp_directory (const char *base)
+ printf ("error: mkdtemp (\"%s\"): %m", path);
+ exit (1);
+ }
+- add_temp_file (path);
++ add_temp_file_internal (path, toolong);
+ return path;
+ }
+
+-/* Helper functions called by the test skeleton follow. */
++char *
++support_create_temp_directory (const char *base)
++{
++ return create_temp_directory_internal (base, false);
++}
++
++static void
++ensure_toolong_initialized (void)
++{
++ if (!toolong_initialized)
++ FAIL_EXIT1 ("uninitialized toolong directory tree\n");
++}
++
++static void
++initialize_toolong (const char *base)
++{
++ long name_max = pathconf (base, _PC_NAME_MAX);
++ name_max = (name_max < 0 ? 64
++ : (name_max < sizeof (toolong_subdir) ? name_max
++ : sizeof (toolong_subdir) - 1));
++
++ long path_max = pathconf (base, _PC_PATH_MAX);
++ path_max = (path_max < 0 ? 1024
++ : path_max <= PTRDIFF_MAX ? path_max : PTRDIFF_MAX);
++
++ /* Sanity check to ensure that the test does not create temporary directories
++ in different filesystems because this API doesn't support it. */
++ if (toolong_initialized)
++ {
++ if (name_max != strlen (toolong_subdir))
++ FAIL_UNSUPPORTED ("name_max: Temporary directories in different"
++ " filesystems not supported yet\n");
++ if (path_max != toolong_path_max)
++ FAIL_UNSUPPORTED ("path_max: Temporary directories in different"
++ " filesystems not supported yet\n");
++ return;
++ }
++
++ toolong_path_max = path_max;
++
++ size_t len = name_max;
++ memset (toolong_subdir, 'X', len);
++ toolong_initialized = true;
++}
++
++char *
++support_create_and_chdir_toolong_temp_directory (const char *basename)
++{
++ char *base = create_temp_directory_internal (basename, true);
++ xchdir (base);
++
++ initialize_toolong (base);
++
++ size_t sz = strlen (toolong_subdir);
++
++ /* Create directories and descend into them so that the final path is larger
++ than PATH_MAX. */
++ for (size_t i = 0; i <= toolong_path_max / sz; i++)
++ {
++ int ret = mkdir (toolong_subdir, S_IRWXU);
++ if (ret != 0 && errno == ENAMETOOLONG)
++ FAIL_UNSUPPORTED ("Filesystem does not support creating too long "
++ "directory trees\n");
++ else if (ret != 0)
++ FAIL_EXIT1 ("Failed to create directory tree: %m\n");
++ xchdir (toolong_subdir);
++ }
++ return base;
++}
+
+ void
+-support_set_test_dir (const char *path)
++support_chdir_toolong_temp_directory (const char *base)
+ {
+- test_dir = path;
++ ensure_toolong_initialized ();
++
++ xchdir (base);
++
++ size_t sz = strlen (toolong_subdir);
++ for (size_t i = 0; i <= toolong_path_max / sz; i++)
++ xchdir (toolong_subdir);
++}
++
++/* Helper functions called by the test skeleton follow. */
++
++static void
++remove_toolong_subdirs (const char *base)
++{
++ ensure_toolong_initialized ();
++
++ if (chdir (base) != 0)
++ {
++ printf ("warning: toolong cleanup base failed: chdir (\"%s\"): %m\n",
++ base);
++ return;
++ }
++
++ /* Descend. */
++ int levels = 0;
++ size_t sz = strlen (toolong_subdir);
++ for (levels = 0; levels <= toolong_path_max / sz; levels++)
++ if (chdir (toolong_subdir) != 0)
++ {
++ printf ("warning: toolong cleanup failed: chdir (\"%s\"): %m\n",
++ toolong_subdir);
++ break;
++ }
++
++ /* Ascend and remove. */
++ while (--levels >= 0)
++ {
++ if (chdir ("..") != 0)
++ {
++ printf ("warning: toolong cleanup failed: chdir (\"..\"): %m\n");
++ return;
++ }
++ if (remove (toolong_subdir) != 0)
++ {
++ printf ("warning: could not remove subdirectory: %s: %m\n",
++ toolong_subdir);
++ return;
++ }
++ }
+ }
+
+ void
+@@ -123,6 +255,9 @@ support_delete_temp_files (void)
+ around, to prevent PID reuse.) */
+ if (temp_name_list->owner == pid)
+ {
++ if (temp_name_list->toolong)
++ remove_toolong_subdirs (temp_name_list->name);
++
+ if (remove (temp_name_list->name) != 0)
+ printf ("warning: could not remove temporary file: %s: %m\n",
+ temp_name_list->name);
+@@ -147,3 +282,9 @@ support_print_temp_files (FILE *f)
+ fprintf (f, ")\n");
+ }
+ }
++
++void
++support_set_test_dir (const char *path)
++{
++ test_dir = path;
++}
+diff --git a/support/temp_file.h b/support/temp_file.h
+index d64563f41f1f50cd..055e31dcfb843ba6 100644
+--- a/support/temp_file.h
++++ b/support/temp_file.h
+@@ -44,6 +44,15 @@ int create_temp_file_in_dir (const char *base, const char *dir,
+ returns. The caller should free this string. */
+ char *support_create_temp_directory (const char *base);
+
++/* Create a temporary directory tree that is longer than PATH_MAX and schedule
++ it for deletion. BASENAME is used as a prefix for the unique directory
++ name, which the function returns. The caller should free this string. */
++char *support_create_and_chdir_toolong_temp_directory (const char *basename);
++
++/* Change into the innermost directory of the directory tree BASE, which was
++ created using support_create_and_chdir_toolong_temp_directory. */
++void support_chdir_toolong_temp_directory (const char *base);
++
+ __END_DECLS
+
+ #endif /* SUPPORT_TEMP_FILE_H */
diff --git a/SOURCES/glibc-rh2032280-4.patch b/SOURCES/glibc-rh2032280-4.patch
new file mode 100644
index 0000000000000000000000000000000000000000..65ba6515aac8db28421610d641368c1cbcfe66bf
--- /dev/null
+++ b/SOURCES/glibc-rh2032280-4.patch
@@ -0,0 +1,331 @@
+commit 23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e
+Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date: Fri Jan 21 23:32:56 2022 +0530
+
+ getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999)
+
+ No valid path returned by getcwd would fit into 1 byte, so reject the
+ size early and return NULL with errno set to ERANGE. This change is
+ prompted by CVE-2021-3999, which describes a single byte buffer
+ underflow and overflow when all of the following conditions are met:
+
+ - The buffer size (i.e. the second argument of getcwd) is 1 byte
+ - The current working directory is too long
+ - '/' is also mounted on the current working directory
+
+ Sequence of events:
+
+ - In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG
+ because the linux kernel checks for name length before it checks
+ buffer size
+
+ - The code falls back to the generic getcwd in sysdeps/posix
+
+ - In the generic func, the buf[0] is set to '\0' on line 250
+
+ - this while loop on line 262 is bypassed:
+
+ while (!(thisdev == rootdev && thisino == rootino))
+
+ since the rootfs (/) is bind mounted onto the directory and the flow
+ goes on to line 449, where it puts a '/' in the byte before the
+ buffer.
+
+ - Finally on line 458, it moves 2 bytes (the underflowed byte and the
+ '\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow.
+
+ - buf is returned on line 469 and errno is not set.
+
+ This resolves BZ #28769.
+
+ Reviewed-by: Andreas Schwab <schwab@linux-m68k.org>
+ Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
+ Signed-off-by: Qualys Security Advisory <qsa@qualys.com>
+ Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+# Conflicts:
+# sysdeps/posix/getcwd.c
+# sysdeps/unix/sysv/linux/Makefile
+
+diff --git a/sysdeps/posix/getcwd.c b/sysdeps/posix/getcwd.c
+index b53433a2dc77fafa..fcd7aaea79c6477b 100644
+--- a/sysdeps/posix/getcwd.c
++++ b/sysdeps/posix/getcwd.c
+@@ -238,6 +238,13 @@ __getcwd (char *buf, size_t size)
+ bool fd_needs_closing = false;
+ int fd = AT_FDCWD;
+
++ /* A size of 1 byte is never useful. */
++ if (size == 1)
++ {
++ __set_errno (ERANGE);
++ return NULL;
++ }
++
+ char *path;
+ #ifndef NO_ALLOCATION
+ size_t allocated = size;
+diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile
+index 688cf9fa9dea23a6..bb055f9d6b841ff5 100644
+--- a/sysdeps/unix/sysv/linux/Makefile
++++ b/sysdeps/unix/sysv/linux/Makefile
+@@ -180,7 +180,11 @@ sysdep_routines += xstatconv internal_statvfs internal_statvfs64 \
+
+ sysdep_headers += bits/fcntl-linux.h
+
+-tests += tst-fallocate tst-fallocate64
++tests += \
++ tst-fallocate \
++ tst-fallocate64 \
++ tst-getcwd-smallbuff \
++# tests
+ endif
+
+ ifeq ($(subdir),elf)
+diff --git a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
+new file mode 100644
+index 0000000000000000..d460d6e7662dc5e4
+--- /dev/null
++++ b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
+@@ -0,0 +1,241 @@
++/* Verify that getcwd returns ERANGE for size 1 byte and does not underflow
++ buffer when the CWD is too long and is also a mount target of /. See bug
++ #28769 or CVE-2021-3999 for more context.
++ Copyright The GNU Toolchain Authors.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <https://www.gnu.org/licenses/>. */
++
++#include <errno.h>
++#include <fcntl.h>
++#include <intprops.h>
++#include <limits.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <sys/mount.h>
++#include <sys/stat.h>
++#include <sys/types.h>
++#include <sys/wait.h>
++
++#include <sys/socket.h>
++#include <sys/un.h>
++#include <support/check.h>
++#include <support/temp_file.h>
++#include <support/xsched.h>
++#include <support/xunistd.h>
++
++static char *base;
++#define BASENAME "tst-getcwd-smallbuff"
++#define MOUNT_NAME "mpoint"
++static int sockfd[2];
++
++static void
++do_cleanup (void)
++{
++ support_chdir_toolong_temp_directory (base);
++ TEST_VERIFY_EXIT (rmdir (MOUNT_NAME) == 0);
++ free (base);
++}
++
++static void
++send_fd (const int sock, const int fd)
++{
++ struct msghdr msg = {0};
++ union
++ {
++ struct cmsghdr hdr;
++ char buf[CMSG_SPACE (sizeof (int))];
++ } cmsgbuf = {0};
++ struct cmsghdr *cmsg;
++ struct iovec vec;
++ char ch = 'A';
++ ssize_t n;
++
++ msg.msg_control = &cmsgbuf.buf;
++ msg.msg_controllen = sizeof (cmsgbuf.buf);
++
++ cmsg = CMSG_FIRSTHDR (&msg);
++ cmsg->cmsg_len = CMSG_LEN (sizeof (int));
++ cmsg->cmsg_level = SOL_SOCKET;
++ cmsg->cmsg_type = SCM_RIGHTS;
++ memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd));
++
++ vec.iov_base = &ch;
++ vec.iov_len = 1;
++ msg.msg_iov = &vec;
++ msg.msg_iovlen = 1;
++
++ while ((n = sendmsg (sock, &msg, 0)) == -1 && errno == EINTR);
++
++ TEST_VERIFY_EXIT (n == 1);
++}
++
++static int
++recv_fd (const int sock)
++{
++ struct msghdr msg = {0};
++ union
++ {
++ struct cmsghdr hdr;
++ char buf[CMSG_SPACE(sizeof(int))];
++ } cmsgbuf = {0};
++ struct cmsghdr *cmsg;
++ struct iovec vec;
++ ssize_t n;
++ char ch = '\0';
++ int fd = -1;
++
++ vec.iov_base = &ch;
++ vec.iov_len = 1;
++ msg.msg_iov = &vec;
++ msg.msg_iovlen = 1;
++
++ msg.msg_control = &cmsgbuf.buf;
++ msg.msg_controllen = sizeof (cmsgbuf.buf);
++
++ while ((n = recvmsg (sock, &msg, 0)) == -1 && errno == EINTR);
++ if (n != 1 || ch != 'A')
++ return -1;
++
++ cmsg = CMSG_FIRSTHDR (&msg);
++ if (cmsg == NULL)
++ return -1;
++ if (cmsg->cmsg_type != SCM_RIGHTS)
++ return -1;
++ memcpy (&fd, CMSG_DATA (cmsg), sizeof (fd));
++ if (fd < 0)
++ return -1;
++ return fd;
++}
++
++static int
++child_func (void * const arg)
++{
++ xclose (sockfd[0]);
++ const int sock = sockfd[1];
++ char ch;
++
++ TEST_VERIFY_EXIT (read (sock, &ch, 1) == 1);
++ TEST_VERIFY_EXIT (ch == '1');
++
++ if (mount ("/", MOUNT_NAME, NULL, MS_BIND | MS_REC, NULL))
++ FAIL_EXIT1 ("mount failed: %m\n");
++ const int fd = xopen ("mpoint",
++ O_RDONLY | O_PATH | O_DIRECTORY | O_NOFOLLOW, 0);
++
++ send_fd (sock, fd);
++ xclose (fd);
++
++ TEST_VERIFY_EXIT (read (sock, &ch, 1) == 1);
++ TEST_VERIFY_EXIT (ch == 'a');
++
++ xclose (sock);
++ return 0;
++}
++
++static void
++update_map (char * const mapping, const char * const map_file)
++{
++ const size_t map_len = strlen (mapping);
++
++ const int fd = xopen (map_file, O_WRONLY, 0);
++ xwrite (fd, mapping, map_len);
++ xclose (fd);
++}
++
++static void
++proc_setgroups_write (const long child_pid, const char * const str)
++{
++ const size_t str_len = strlen(str);
++
++ char setgroups_path[sizeof ("/proc//setgroups") + INT_STRLEN_BOUND (long)];
++
++ snprintf (setgroups_path, sizeof (setgroups_path),
++ "/proc/%ld/setgroups", child_pid);
++
++ const int fd = open (setgroups_path, O_WRONLY);
++
++ if (fd < 0)
++ {
++ TEST_VERIFY_EXIT (errno == ENOENT);
++ FAIL_UNSUPPORTED ("/proc/%ld/setgroups not found\n", child_pid);
++ }
++
++ xwrite (fd, str, str_len);
++ xclose(fd);
++}
++
++static char child_stack[1024 * 1024];
++
++int
++do_test (void)
++{
++ base = support_create_and_chdir_toolong_temp_directory (BASENAME);
++
++ xmkdir (MOUNT_NAME, S_IRWXU);
++ atexit (do_cleanup);
++
++ TEST_VERIFY_EXIT (socketpair (AF_UNIX, SOCK_STREAM, 0, sockfd) == 0);
++ pid_t child_pid = xclone (child_func, NULL, child_stack,
++ sizeof (child_stack),
++ CLONE_NEWUSER | CLONE_NEWNS | SIGCHLD);
++
++ xclose (sockfd[1]);
++ const int sock = sockfd[0];
++
++ char map_path[sizeof ("/proc//uid_map") + INT_STRLEN_BOUND (long)];
++ char map_buf[sizeof ("0 1") + INT_STRLEN_BOUND (long)];
++
++ snprintf (map_path, sizeof (map_path), "/proc/%ld/uid_map",
++ (long) child_pid);
++ snprintf (map_buf, sizeof (map_buf), "0 %ld 1", (long) getuid());
++ update_map (map_buf, map_path);
++
++ proc_setgroups_write ((long) child_pid, "deny");
++ snprintf (map_path, sizeof (map_path), "/proc/%ld/gid_map",
++ (long) child_pid);
++ snprintf (map_buf, sizeof (map_buf), "0 %ld 1", (long) getgid());
++ update_map (map_buf, map_path);
++
++ TEST_VERIFY_EXIT (send (sock, "1", 1, MSG_NOSIGNAL) == 1);
++ const int fd = recv_fd (sock);
++ TEST_VERIFY_EXIT (fd >= 0);
++ TEST_VERIFY_EXIT (fchdir (fd) == 0);
++
++ static char buf[2 * 10 + 1];
++ memset (buf, 'A', sizeof (buf));
++
++ /* Finally, call getcwd and check if it resulted in a buffer underflow. */
++ char * cwd = getcwd (buf + sizeof (buf) / 2, 1);
++ TEST_VERIFY (cwd == NULL);
++ TEST_VERIFY (errno == ERANGE);
++
++ for (int i = 0; i < sizeof (buf); i++)
++ if (buf[i] != 'A')
++ {
++ printf ("buf[%d] = %02x\n", i, (unsigned int) buf[i]);
++ support_record_failure ();
++ }
++
++ TEST_VERIFY_EXIT (send (sock, "a", 1, MSG_NOSIGNAL) == 1);
++ xclose (sock);
++ TEST_VERIFY_EXIT (xwaitpid (child_pid, NULL, 0) == child_pid);
++
++ return 0;
++}
++
++#define CLEANUP_HANDLER do_cleanup
++#include <support/test-driver.c>
diff --git a/SOURCES/glibc-rh2032280-5.patch b/SOURCES/glibc-rh2032280-5.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f761b9d3ad9c8f01bd26f8dd1ae8e2e264110baf
--- /dev/null
+++ b/SOURCES/glibc-rh2032280-5.patch
@@ -0,0 +1,121 @@
+commit de8995a2a04163617c1a233b4b81356ef9f9741f
+Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
+Date: Wed Mar 10 12:26:30 2021 -0300
+
+ support: Add xclone
+
+ It is a wrapper for Linux clone syscall, to simplify the call to the
+ use only the most common arguments and remove architecture specific
+ handling (such as ia64 different name and signature).
+
+# Conflicts:
+# support/Makefile
+
+diff --git a/support/Makefile b/support/Makefile
+index fb95a69ed9158e78..d2b95539403e416c 100644
+--- a/support/Makefile
++++ b/support/Makefile
+@@ -84,6 +84,7 @@ libsupport-routines = \
+ xcalloc \
+ xchdir \
+ xchroot \
++ xclone \
+ xclose \
+ xconnect \
+ xcopy_file_range \
+diff --git a/support/xclone.c b/support/xclone.c
+new file mode 100644
+index 0000000000000000..924d2b875402a819
+--- /dev/null
++++ b/support/xclone.c
+@@ -0,0 +1,50 @@
++/* Auxiliary functions to issue the clone syscall.
++ Copyright (C) 2021 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <https://www.gnu.org/licenses/>. */
++
++#ifdef __linux__
++# include <support/check.h>
++# include <stackinfo.h> /* For _STACK_GROWS_{UP,DOWN}. */
++# include <xsched.h>
++
++pid_t
++xclone (int (*fn) (void *arg), void *arg, void *stack, size_t stack_size,
++ int flags)
++{
++ pid_t r = -1;
++
++# ifdef __ia64__
++ extern int __clone2 (int (*fn) (void *arg), void *stack, size_t stack_size,
++ int flags, void *arg, ...);
++ r = __clone2 (f, stack, stack_size, flags, arg, /* ptid */ NULL,
++ /* tls */ NULL, /* ctid */ ctid);
++# else
++# if _STACK_GROWS_DOWN
++ r = clone (fn, stack + stack_size, flags, arg, /* ptid */ NULL,
++ /* tls */ NULL, /* ctid */ NULL);
++# elif _STACK_GROWS_UP
++ r = clone (fn, stack, flags, arg, /* ptid */ NULL, /* tls */ NULL,
++ &ctid);
++# endif
++# endif
++
++ if (r < 0)
++ FAIL_EXIT1 ("clone: %m");
++
++ return r;
++}
++#endif
+diff --git a/support/xsched.h b/support/xsched.h
+new file mode 100644
+index 0000000000000000..eefd731940187b39
+--- /dev/null
++++ b/support/xsched.h
+@@ -0,0 +1,34 @@
++/* Wrapper for sched.h functions.
++ Copyright (C) 2021 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <https://www.gnu.org/licenses/>. */
++
++#ifndef SUPPORT_XSCHED_H
++#define SUPPORT_XSCHED_H
++
++__BEGIN_DECLS
++
++#include <sched.h>
++#include <sys/types.h>
++
++#ifdef __linux__
++pid_t xclone (int (*fn) (void *arg), void *arg, void *stack,
++ size_t stack_size, int flags);
++#endif
++
++__END_DECLS
++
++#endif
diff --git a/SOURCES/glibc-rh2032280-6.patch b/SOURCES/glibc-rh2032280-6.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a8bc55ba22cd17fb8d8ca592c0905e6ad60a2c9e
--- /dev/null
+++ b/SOURCES/glibc-rh2032280-6.patch
@@ -0,0 +1,46 @@
+commit 5b8e7980c5dabd9aaefeba4f0208baa8cf7653ee
+Author: Florian Weimer <fweimer@redhat.com>
+Date: Mon Jan 24 18:14:24 2022 +0100
+
+ Linux: Detect user namespace support in io/tst-getcwd-smallbuff
+
+ Otherwise the test fails with certain container runtimes.
+
+ Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+diff --git a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
+index d460d6e7662dc5e4..55362f6060a2b3be 100644
+--- a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
++++ b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
+@@ -34,6 +34,7 @@
+ #include <sys/un.h>
+ #include <support/check.h>
+ #include <support/temp_file.h>
++#include <support/test-driver.h>
+ #include <support/xsched.h>
+ #include <support/xunistd.h>
+
+@@ -188,6 +189,23 @@ do_test (void)
+ xmkdir (MOUNT_NAME, S_IRWXU);
+ atexit (do_cleanup);
+
++ /* Check whether user namespaces are supported. */
++ {
++ pid_t pid = xfork ();
++ if (pid == 0)
++ {
++ if (unshare (CLONE_NEWUSER | CLONE_NEWNS) != 0)
++ _exit (EXIT_UNSUPPORTED);
++ else
++ _exit (0);
++ }
++ int status;
++ xwaitpid (pid, &status, 0);
++ TEST_VERIFY_EXIT (WIFEXITED (status));
++ if (WEXITSTATUS (status) != 0)
++ return WEXITSTATUS (status);
++ }
++
+ TEST_VERIFY_EXIT (socketpair (AF_UNIX, SOCK_STREAM, 0, sockfd) == 0);
+ pid_t child_pid = xclone (child_func, NULL, child_stack,
+ sizeof (child_stack),
diff --git a/SOURCES/glibc-rh2032280-7.patch b/SOURCES/glibc-rh2032280-7.patch
new file mode 100644
index 0000000000000000000000000000000000000000..60ea205130f6d2480b2c788b928353af96a6230b
--- /dev/null
+++ b/SOURCES/glibc-rh2032280-7.patch
@@ -0,0 +1,24 @@
+commit 3842ba494963b1d76ad5f68b8d1e5c2279160e31
+Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
+Date: Tue Jun 1 09:23:40 2021 +0100
+
+ aarch64: align stack in clone [BZ #27939]
+
+ The AArch64 PCS requires 16 byte aligned stack. Previously if the
+ caller passed an unaligned stack to clone then the child crashed.
+
+ Fixes bug 27939.
+
+diff --git a/sysdeps/unix/sysv/linux/aarch64/clone.S b/sysdeps/unix/sysv/linux/aarch64/clone.S
+index e0653048259dd9a3..4a1a999447ee5cf1 100644
+--- a/sysdeps/unix/sysv/linux/aarch64/clone.S
++++ b/sysdeps/unix/sysv/linux/aarch64/clone.S
+@@ -48,6 +48,8 @@ ENTRY(__clone)
+ /* Sanity check args. */
+ mov x0, #-EINVAL
+ cbz x10, .Lsyscall_error
++ /* Align sp. */
++ and x1, x1, -16
+ cbz x1, .Lsyscall_error
+
+ /* Do the system call. */
diff --git a/SOURCES/glibc-rh2045062-1.patch b/SOURCES/glibc-rh2045062-1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2885e3f7fd4554170bdd937df6f5639f15c64d95
--- /dev/null
+++ b/SOURCES/glibc-rh2045062-1.patch
@@ -0,0 +1,164 @@
+commit e368b12f6c16b6888dda99ba641e999b9c9643c8
+Author: Florian Weimer <fweimer@redhat.com>
+Date: Mon Jan 17 10:21:34 2022 +0100
+
+ socket: Add the __sockaddr_un_set function
+
+ Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+# Conflicts:
+# socket/Makefile
+
+diff --git a/include/sys/un.h b/include/sys/un.h
+index bdbee999806930f4..152afd9fc7426d8b 100644
+--- a/include/sys/un.h
++++ b/include/sys/un.h
+@@ -1 +1,13 @@
+ #include <socket/sys/un.h>
++
++#ifndef _ISOMAC
++
++/* Set ADDR->sun_family to AF_UNIX and ADDR->sun_path to PATHNAME.
++ Return 0 on success or -1 on failure (due to overlong PATHNAME).
++ The caller should always use sizeof (struct sockaddr_un) as the
++ socket address length, disregaring the length of PATHNAME.
++ Only concrete (non-abstract) pathnames are supported. */
++int __sockaddr_un_set (struct sockaddr_un *addr, const char *pathname)
++ attribute_hidden;
++
++#endif /* _ISOMAC */
+diff --git a/socket/Makefile b/socket/Makefile
+index b41eb071507a6271..8975a65c2aabbfbc 100644
+--- a/socket/Makefile
++++ b/socket/Makefile
+@@ -29,10 +29,14 @@ headers := sys/socket.h sys/un.h bits/sockaddr.h bits/socket.h \
+ routines := accept bind connect getpeername getsockname getsockopt \
+ listen recv recvfrom recvmsg send sendmsg sendto \
+ setsockopt shutdown socket socketpair isfdtype opensock \
+- sockatmark accept4 recvmmsg sendmmsg
++ sockatmark accept4 recvmmsg sendmmsg sockaddr_un_set
+
+ tests := tst-accept4
+
++tests-internal := \
++ tst-sockaddr_un_set \
++ # tests-internal
++
+ aux := sa_len
+
+ include ../Rules
+diff --git a/socket/sockaddr_un_set.c b/socket/sockaddr_un_set.c
+new file mode 100644
+index 0000000000000000..0bd40dc34e3d7efc
+--- /dev/null
++++ b/socket/sockaddr_un_set.c
+@@ -0,0 +1,41 @@
++/* Set the sun_path member of struct sockaddr_un.
++ Copyright (C) 2022 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <https://www.gnu.org/licenses/>. */
++
++#include <errno.h>
++#include <string.h>
++#include <sys/socket.h>
++#include <sys/un.h>
++
++int
++__sockaddr_un_set (struct sockaddr_un *addr, const char *pathname)
++{
++ size_t name_length = strlen (pathname);
++
++ /* The kernel supports names of exactly sizeof (addr->sun_path)
++ bytes, without a null terminator, but userspace does not; see the
++ SUN_LEN macro. */
++ if (name_length >= sizeof (addr->sun_path))
++ {
++ __set_errno (EINVAL); /* Error code used by the kernel. */
++ return -1;
++ }
++
++ addr->sun_family = AF_UNIX;
++ memcpy (addr->sun_path, pathname, name_length + 1);
++ return 0;
++}
+diff --git a/socket/tst-sockaddr_un_set.c b/socket/tst-sockaddr_un_set.c
+new file mode 100644
+index 0000000000000000..29c2a81afda81b5e
+--- /dev/null
++++ b/socket/tst-sockaddr_un_set.c
+@@ -0,0 +1,62 @@
++/* Test the __sockaddr_un_set function.
++ Copyright (C) 2022 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <https://www.gnu.org/licenses/>. */
++
++/* Re-compile the function because the version in libc is not
++ exported. */
++#include "sockaddr_un_set.c"
++
++#include <support/check.h>
++
++static int
++do_test (void)
++{
++ struct sockaddr_un sun;
++
++ memset (&sun, 0xcc, sizeof (sun));
++ __sockaddr_un_set (&sun, "");
++ TEST_COMPARE (sun.sun_family, AF_UNIX);
++ TEST_COMPARE (__sockaddr_un_set (&sun, ""), 0);
++
++ memset (&sun, 0xcc, sizeof (sun));
++ TEST_COMPARE (__sockaddr_un_set (&sun, "/example"), 0);
++ TEST_COMPARE_STRING (sun.sun_path, "/example");
++
++ {
++ char pathname[108]; /* Length of sun_path (ABI constant). */
++ memset (pathname, 'x', sizeof (pathname));
++ pathname[sizeof (pathname) - 1] = '\0';
++ memset (&sun, 0xcc, sizeof (sun));
++ TEST_COMPARE (__sockaddr_un_set (&sun, pathname), 0);
++ TEST_COMPARE (sun.sun_family, AF_UNIX);
++ TEST_COMPARE_STRING (sun.sun_path, pathname);
++ }
++
++ {
++ char pathname[109];
++ memset (pathname, 'x', sizeof (pathname));
++ pathname[sizeof (pathname) - 1] = '\0';
++ memset (&sun, 0xcc, sizeof (sun));
++ errno = 0;
++ TEST_COMPARE (__sockaddr_un_set (&sun, pathname), -1);
++ TEST_COMPARE (errno, EINVAL);
++ }
++
++ return 0;
++}
++
++#include <support/test-driver.c>
diff --git a/SOURCES/glibc-rh2045062-2.patch b/SOURCES/glibc-rh2045062-2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9e746070b2d630a890ba4833a90876678e9f6ed3
--- /dev/null
+++ b/SOURCES/glibc-rh2045062-2.patch
@@ -0,0 +1,32 @@
+commit 226b46770c82899b555986583294b049c6ec9b40
+Author: Florian Weimer <fweimer@redhat.com>
+Date: Mon Jan 17 10:21:34 2022 +0100
+
+ CVE-2022-23219: Buffer overflow in sunrpc clnt_create for "unix" (bug 22542)
+
+ Processing an overlong pathname in the sunrpc clnt_create function
+ results in a stack-based buffer overflow.
+
+ Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+diff --git a/sunrpc/clnt_gen.c b/sunrpc/clnt_gen.c
+index 13ced8994e49d4ee..b44357cd88e60599 100644
+--- a/sunrpc/clnt_gen.c
++++ b/sunrpc/clnt_gen.c
+@@ -57,9 +57,13 @@ clnt_create (const char *hostname, u_long prog, u_long vers,
+
+ if (strcmp (proto, "unix") == 0)
+ {
+- memset ((char *)&sun, 0, sizeof (sun));
+- sun.sun_family = AF_UNIX;
+- strcpy (sun.sun_path, hostname);
++ if (__sockaddr_un_set (&sun, hostname) < 0)
++ {
++ struct rpc_createerr *ce = &get_rpc_createerr ();
++ ce->cf_stat = RPC_SYSTEMERROR;
++ ce->cf_error.re_errno = errno;
++ return NULL;
++ }
+ sock = RPC_ANYSOCK;
+ client = clntunix_create (&sun, prog, vers, &sock, 0, 0);
+ if (client == NULL)
diff --git a/SOURCES/glibc-rh2045062-3.patch b/SOURCES/glibc-rh2045062-3.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cd1e55db41be47c88123596a1923fce91de8bb0f
--- /dev/null
+++ b/SOURCES/glibc-rh2045062-3.patch
@@ -0,0 +1,80 @@
+commit ef972a4c50014a16132b5c75571cfb6b30bef136
+Author: Martin Sebor <msebor@redhat.com>
+Date: Mon Jan 17 10:21:34 2022 +0100
+
+ sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542)
+
+ Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+# Conflicts:
+# sunrpc/Makefile
+
+diff --git a/sunrpc/Makefile b/sunrpc/Makefile
+index 85b0b3356aaf81a3..2f8f0597c99e117f 100644
+--- a/sunrpc/Makefile
++++ b/sunrpc/Makefile
+@@ -95,7 +95,8 @@ others += rpcgen
+ endif
+
+ tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \
+- tst-udp-nonblocking
++ tst-udp-nonblocking tst-bug22542
++
+ xtests := tst-getmyaddr
+
+ ifeq ($(have-thread-library),yes)
+@@ -246,3 +247,4 @@ $(objpfx)tst-udp-timeout: $(common-objpfx)linkobj/libc.so
+ $(objpfx)tst-udp-nonblocking: $(common-objpfx)linkobj/libc.so
+ $(objpfx)tst-udp-garbage: \
+ $(common-objpfx)linkobj/libc.so $(shared-thread-library)
++$(objpfx)tst-bug22542: $(common-objpfx)linkobj/libc.so
+diff --git a/sunrpc/tst-bug22542.c b/sunrpc/tst-bug22542.c
+new file mode 100644
+index 0000000000000000..d6cd79787bdef21d
+--- /dev/null
++++ b/sunrpc/tst-bug22542.c
+@@ -0,0 +1,44 @@
++/* Test to verify that overlong hostname is rejected by clnt_create
++ and doesn't cause a buffer overflow (bug 22542).
++
++ Copyright (C) 2022 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <errno.h>
++#include <rpc/clnt.h>
++#include <string.h>
++#include <support/check.h>
++#include <sys/socket.h>
++#include <sys/un.h>
++
++static int
++do_test (void)
++{
++ /* Create an arbitrary hostname that's longer than fits in sun_path. */
++ char name [sizeof ((struct sockaddr_un*)0)->sun_path * 2];
++ memset (name, 'x', sizeof name - 1);
++ name [sizeof name - 1] = '\0';
++
++ errno = 0;
++ CLIENT *clnt = clnt_create (name, 0, 0, "unix");
++
++ TEST_VERIFY (clnt == NULL);
++ TEST_COMPARE (errno, EINVAL);
++ return 0;
++}
++
++#include <support/test-driver.c>
diff --git a/SOURCES/glibc-rh2045062-4.patch b/SOURCES/glibc-rh2045062-4.patch
new file mode 100644
index 0000000000000000000000000000000000000000..489c3152c8de0e29bd070239a7f9ef3c88c263b6
--- /dev/null
+++ b/SOURCES/glibc-rh2045062-4.patch
@@ -0,0 +1,101 @@
+commit f545ad4928fa1f27a3075265182b38a4f939a5f7
+Author: Florian Weimer <fweimer@redhat.com>
+Date: Mon Jan 17 10:21:34 2022 +0100
+
+ CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug 28768)
+
+ The sunrpc function svcunix_create suffers from a stack-based buffer
+ overflow with overlong pathname arguments.
+
+ Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+diff --git a/sunrpc/Makefile b/sunrpc/Makefile
+index 2f8f0597c99e117f..5f7087aee494cc2e 100644
+--- a/sunrpc/Makefile
++++ b/sunrpc/Makefile
+@@ -95,7 +95,7 @@ others += rpcgen
+ endif
+
+ tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \
+- tst-udp-nonblocking tst-bug22542
++ tst-udp-nonblocking tst-bug22542 tst-bug28768
+
+ xtests := tst-getmyaddr
+
+diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c
+index c2c076aa87f0a2ad..8fac2b35da1d38a5 100644
+--- a/sunrpc/svc_unix.c
++++ b/sunrpc/svc_unix.c
+@@ -154,7 +154,10 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path)
+ SVCXPRT *xprt;
+ struct unix_rendezvous *r;
+ struct sockaddr_un addr;
+- socklen_t len = sizeof (struct sockaddr_in);
++ socklen_t len = sizeof (addr);
++
++ if (__sockaddr_un_set (&addr, path) < 0)
++ return NULL;
+
+ if (sock == RPC_ANYSOCK)
+ {
+@@ -165,12 +168,6 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path)
+ }
+ madesock = TRUE;
+ }
+- memset (&addr, '\0', sizeof (addr));
+- addr.sun_family = AF_UNIX;
+- len = strlen (path) + 1;
+- memcpy (addr.sun_path, path, len);
+- len += sizeof (addr.sun_family);
+-
+ __bind (sock, (struct sockaddr *) &addr, len);
+
+ if (__getsockname (sock, (struct sockaddr *) &addr, &len) != 0
+diff --git a/sunrpc/tst-bug28768.c b/sunrpc/tst-bug28768.c
+new file mode 100644
+index 0000000000000000..35a4b7b0b3d34350
+--- /dev/null
++++ b/sunrpc/tst-bug28768.c
+@@ -0,0 +1,42 @@
++/* Test to verify that long path is rejected by svcunix_create (bug 28768).
++ Copyright (C) 2022 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <errno.h>
++#include <rpc/svc.h>
++#include <shlib-compat.h>
++#include <string.h>
++#include <support/check.h>
++
++/* svcunix_create does not have a default version in linkobj/libc.so. */
++compat_symbol_reference (libc, svcunix_create, svcunix_create, GLIBC_2_1);
++
++static int
++do_test (void)
++{
++ char pathname[109];
++ memset (pathname, 'x', sizeof (pathname));
++ pathname[sizeof (pathname) - 1] = '\0';
++
++ errno = 0;
++ TEST_VERIFY (svcunix_create (RPC_ANYSOCK, 4096, 4096, pathname) == NULL);
++ TEST_COMPARE (errno, EINVAL);
++
++ return 0;
++}
++
++#include <support/test-driver.c>
diff --git a/SOURCES/glibc-rh2045062-5.patch b/SOURCES/glibc-rh2045062-5.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3d7b71e40e10a989e1c0334b7f552765e56ac5bb
--- /dev/null
+++ b/SOURCES/glibc-rh2045062-5.patch
@@ -0,0 +1,54 @@
+commit 36f6e408845c8c539128f3fb9cb132bf1845a2c8
+Author: Florian Weimer <fweimer@redhat.com>
+Date: Tue Mar 9 21:07:24 2021 +0100
+
+ <shlib-compat.h>: Support compat_symbol_reference for _ISOMAC
+
+ This is helpful for testing compat symbols in cases where _ISOMAC
+ is activated implicitly due to -DMODULE_NAME=testsuite and cannot
+ be disabled easily.
+
+diff --git a/include/libc-symbols.h b/include/libc-symbols.h
+index 41436050d060b89f..44e12b63d40cc572 100644
+--- a/include/libc-symbols.h
++++ b/include/libc-symbols.h
+@@ -59,6 +59,19 @@
+ # define IN_MODULE (-1)
+ #endif
+
++/* Use symbol_version_reference to specify the version a symbol
++ reference should link to. Use symbol_version or
++ default_symbol_version for the definition of a versioned symbol.
++ The difference is that the latter is a no-op in non-shared
++ builds. */
++#ifdef __ASSEMBLER__
++# define symbol_version_reference(real, name, version) \
++ .symver real, name##@##version
++#else /* !__ASSEMBLER__ */
++# define symbol_version_reference(real, name, version) \
++ __asm__ (".symver " #real "," #name "@" #version)
++#endif
++
+ #ifndef _ISOMAC
+
+ /* This is defined for the compilation of all C library code. features.h
+@@ -388,19 +401,6 @@ for linking")
+ past the last element in SET. */
+ #define symbol_set_end_p(set, ptr) ((ptr) >= (void *const *) &__stop_##set)
+
+-/* Use symbol_version_reference to specify the version a symbol
+- reference should link to. Use symbol_version or
+- default_symbol_version for the definition of a versioned symbol.
+- The difference is that the latter is a no-op in non-shared
+- builds. */
+-#ifdef __ASSEMBLER__
+-# define symbol_version_reference(real, name, version) \
+- .symver real, name##@##version
+-#else /* !__ASSEMBLER__ */
+-# define symbol_version_reference(real, name, version) \
+- __asm__ (".symver " #real "," #name "@" #version)
+-#endif
+-
+ #ifdef SHARED
+ # define symbol_version(real, name, version) \
+ symbol_version_reference(real, name, version)
diff --git a/SPECS/glibc.spec b/SPECS/glibc.spec
index fbc88acef1f11a12c4a809ad95b08663221b129c..3bc5fb3a445c4023c04d5976f3c6fa513a87b23d 100644
--- a/SPECS/glibc.spec
+++ b/SPECS/glibc.spec
@@ -1,6 +1,6 @@
%define glibcsrcdir glibc-2.28
%define glibcversion 2.28
-%define glibcrelease 164%{?dist}
+%define glibcrelease 164%{?dist}.3
# Pre-release tarballs are pulled in from git using a command that is
# effectively:
#
@@ -719,6 +719,18 @@ Patch582: glibc-rh1966472-1.patch
Patch583: glibc-rh1966472-2.patch
Patch584: glibc-rh1966472-3.patch
Patch585: glibc-rh1966472-4.patch
+Patch586: glibc-rh2032280-1.patch
+Patch587: glibc-rh2032280-2.patch
+Patch588: glibc-rh2032280-3.patch
+Patch589: glibc-rh2032280-4.patch
+Patch590: glibc-rh2032280-5.patch
+Patch591: glibc-rh2032280-6.patch
+Patch592: glibc-rh2032280-7.patch
+Patch593: glibc-rh2045062-1.patch
+Patch594: glibc-rh2045062-2.patch
+Patch595: glibc-rh2045062-3.patch
+Patch596: glibc-rh2045062-4.patch
+Patch597: glibc-rh2045062-5.patch
##############################################################################
# Continued list of core "glibc" package information:
@@ -2631,6 +2643,17 @@ fi
%files -f compat-libpthread-nonshared.filelist -n compat-libpthread-nonshared
%changelog
+* Thu Jan 27 2022 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.28-164.3
+- CVE-2021-3999: getcwd: align stack on clone in aarch64 and fix a memory leak
+ (#2032280)
+
+* Wed Jan 26 2022 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.28-164.2
+- CVE-2022-23218, CVE-2022-23219: Fix buffer overflows in sunrpc clnt_create
+ for "unix" and svcunix_create (#2045062).
+
+* Mon Jan 24 2022 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.28-164.1
+- CVE-2021-3999: getcwd: Set errno to ERANGE for size == 1 (#2032280)
+
* Mon Aug 9 2021 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.28-164
- librt: fix NULL pointer dereference (#1966472).