diff --git a/glibc-rh794797-2.patch b/glibc-rh794797-2.patch
new file mode 100644
index 0000000..1c6eece
--- /dev/null
+++ b/glibc-rh794797-2.patch
@@ -0,0 +1,119 @@
+--- vfprintf.c 2012-03-07 12:16:21.000000000 -0700
++++ /home/law/UPSTREAM/glibc/stdio-common/vfprintf.c 2012-03-07 12:00:28.006630851 -0700
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 1991-2008, 2009, 2010, 2011 Free Software Foundation, Inc.
++/* Copyright (C) 1991-2011, 2012 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+@@ -12,9 +12,8 @@
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+- License along with the GNU C Library; if not, write to the Free
+- Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+- 02111-1307 USA. */
++ License along with the GNU C Library; if not, see
++ . */
+
+ #include
+ #include
+@@ -823,7 +822,7 @@ vfprintf (FILE *s, const CHAR_T *format,
+ \
+ if (function_done < 0) \
+ { \
+- /* Error in print handler. */ \
++ /* Error in print handler; up to handler to set errno. */ \
+ done = -1; \
+ goto all_done; \
+ } \
+@@ -877,7 +876,7 @@ vfprintf (FILE *s, const CHAR_T *format,
+ \
+ if (function_done < 0) \
+ { \
+- /* Error in print handler. */ \
++ /* Error in print handler; up to handler to set errno. */ \
+ done = -1; \
+ goto all_done; \
+ } \
+@@ -1118,7 +1117,7 @@ vfprintf (FILE *s, const CHAR_T *format,
+ &mbstate); \
+ if (len == (size_t) -1) \
+ { \
+- /* Something went wron gduring the conversion. Bail out. */ \
++ /* Something went wrong during the conversion. Bail out. */ \
+ done = -1; \
+ goto all_done; \
+ } \
+@@ -1574,6 +1606,7 @@ vfprintf (FILE *s, const CHAR_T *format,
+ if (spec == L_('\0'))
+ {
+ /* The format string ended before the specifier is complete. */
++ __set_errno (EINVAL);
+ done = -1;
+ goto all_done;
+ }
+@@ -1671,29 +1704,34 @@ do_positional:
+
+ /* Determine the number of arguments the format string consumes. */
+ nargs = MAX (nargs, max_ref_arg);
+- bytes_per_arg = sizeof (*args_value) + sizeof (*args_size)
+- + sizeof (*args_type);
++ /* Calculate total size needed to represent a single argument across
++ all three argument-related arrays. */
++ bytes_per_arg = (sizeof (*args_value) + sizeof (*args_size)
++ + sizeof (*args_type));
+
+ /* Check for potential integer overflow. */
+- if (nargs > SIZE_MAX / bytes_per_arg)
++ if (__builtin_expect (nargs > SIZE_MAX / bytes_per_arg, 0))
+ {
+- done = -1;
+- goto all_done;
++ __set_errno (ERANGE);
++ done = -1;
++ goto all_done;
+ }
+
+- /* Allocate memory for the argument descriptions. */
++ /* Allocate memory for all three argument arrays. */
+ if (__libc_use_alloca (nargs * bytes_per_arg))
+- args_value = alloca (nargs * bytes_per_arg);
++ args_value = alloca (nargs * bytes_per_arg);
+ else
+ {
+- args_value = args_malloced = malloc (nargs * bytes_per_arg);
+- if (args_value == NULL)
+- {
+- done = -1;
+- goto all_done;
+- }
++ args_value = args_malloced = malloc (nargs * bytes_per_arg);
++ if (args_value == NULL)
++ {
++ done = -1;
++ goto all_done;
++ }
+ }
+
++ /* Set up the remaining two arrays to each point past the end of the
++ prior array, since space for all three has been allocated now. */
+ args_size = &args_value[nargs].pa_int;
+ args_type = &args_size[nargs];
+ memset (args_type, s->_flags2 & _IO_FLAGS2_FORTIFY ? '\xff' : '\0',
+@@ -1912,6 +1950,7 @@ do_positional:
+ about # of chars. */
+ if (function_done < 0)
+ {
++ /* Function has set errno. */
+ done = -1;
+ goto all_done;
+ }
+@@ -1946,6 +1985,7 @@ do_positional:
+ of chars. */
+ if (function_done < 0)
+ {
++ /* Function has set errno. */
+ done = -1;
+ goto all_done;
+ }
diff --git a/glibc-rh800224.patch b/glibc-rh800224.patch
new file mode 100644
index 0000000..ce8234c
--- /dev/null
+++ b/glibc-rh800224.patch
@@ -0,0 +1,78 @@
+
+2012-03-07 Jeff Law
+
+ * elf/dl-reloc.c (_dl_relocate_object): Move code to allocate
+ l_reloc_result prior to calling ELF_DYNAMIC_RELOCATE.
+
+diff -rup a/elf/dl-reloc.c b/elf/dl-reloc.c
+--- a/elf/dl-reloc.c 2012-01-01 05:16:32.000000000 -0700
++++ b/elf/dl-reloc.c 2012-03-06 15:41:56.486242640 -0700
+@@ -238,32 +238,9 @@ _dl_relocate_object (struct link_map *l,
+ /* String table object symbols. */
+ const char *strtab = (const void *) D_PTR (l, l_info[DT_STRTAB]);
+
+- /* This macro is used as a callback from the ELF_DYNAMIC_RELOCATE code. */
+-#define RESOLVE_MAP(ref, version, r_type) \
+- (ELFW(ST_BIND) ((*ref)->st_info) != STB_LOCAL \
+- ? ((__builtin_expect ((*ref) == l->l_lookup_cache.sym, 0) \
+- && elf_machine_type_class (r_type) == l->l_lookup_cache.type_class) \
+- ? (bump_num_cache_relocations (), \
+- (*ref) = l->l_lookup_cache.ret, \
+- l->l_lookup_cache.value) \
+- : ({ lookup_t _lr; \
+- int _tc = elf_machine_type_class (r_type); \
+- l->l_lookup_cache.type_class = _tc; \
+- l->l_lookup_cache.sym = (*ref); \
+- const struct r_found_version *v = NULL; \
+- if ((version) != NULL && (version)->hash != 0) \
+- v = (version); \
+- _lr = _dl_lookup_symbol_x (strtab + (*ref)->st_name, l, (ref), \
+- scope, v, _tc, \
+- DL_LOOKUP_ADD_DEPENDENCY, NULL); \
+- l->l_lookup_cache.ret = (*ref); \
+- l->l_lookup_cache.value = _lr; })) \
+- : l)
+-
+-#include "dynamic-link.h"
+-
+- ELF_DYNAMIC_RELOCATE (l, lazy, consider_profiling, skip_ifunc);
+-
++ /* ELF_DYNAMIC_RELOCATE may need to examine l_reloc_result
++ when handling MACHINE_IRELATIVE relocs. So we must
++ allocate l_reloc_result prior to calling ELF_DYNAMIC_RELOCATE. */
+ #ifndef PROF
+ if (__builtin_expect (consider_profiling, 0))
+ {
+@@ -290,6 +267,32 @@ _dl_relocate_object (struct link_map *l,
+ }
+ }
+ #endif
++
++ /* This macro is used as a callback from the ELF_DYNAMIC_RELOCATE code. */
++#define RESOLVE_MAP(ref, version, r_type) \
++ (ELFW(ST_BIND) ((*ref)->st_info) != STB_LOCAL \
++ ? ((__builtin_expect ((*ref) == l->l_lookup_cache.sym, 0) \
++ && elf_machine_type_class (r_type) == l->l_lookup_cache.type_class) \
++ ? (bump_num_cache_relocations (), \
++ (*ref) = l->l_lookup_cache.ret, \
++ l->l_lookup_cache.value) \
++ : ({ lookup_t _lr; \
++ int _tc = elf_machine_type_class (r_type); \
++ l->l_lookup_cache.type_class = _tc; \
++ l->l_lookup_cache.sym = (*ref); \
++ const struct r_found_version *v = NULL; \
++ if ((version) != NULL && (version)->hash != 0) \
++ v = (version); \
++ _lr = _dl_lookup_symbol_x (strtab + (*ref)->st_name, l, (ref), \
++ scope, v, _tc, \
++ DL_LOOKUP_ADD_DEPENDENCY, NULL); \
++ l->l_lookup_cache.ret = (*ref); \
++ l->l_lookup_cache.value = _lr; })) \
++ : l)
++
++#include "dynamic-link.h"
++
++ ELF_DYNAMIC_RELOCATE (l, lazy, consider_profiling, skip_ifunc);
+ }
+
+ /* Mark the object so we know this work has been done. */
diff --git a/glibc.spec b/glibc.spec
index 5399069..a2e473b 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -28,7 +28,7 @@
Summary: The GNU libc libraries
Name: glibc
Version: %{glibcversion}
-Release: 25%{?dist}
+Release: 26%{?dist}
# GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries.
# Things that are linked directly into dynamically linked programs
# and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional
@@ -98,18 +98,22 @@ Patch31 : %{name}-rh697149.patch
Patch32 : %{name}-rh739743.patch
# Discussion started upstream, patch needs to be submitted
Patch33 : %{name}-rh789238.patch
-# Patch posted upstream, discussion ongoing, Paul E. seems to think it's OK
+# From upstream
Patch34 : %{name}-rh794797.patch
# Posted upstream
Patch35 : %{name}-rh788989.patch
# Posted upstream
Patch36 : %{name}-rh795498.patch
-# Posted upstream (bz 13705)
+# From upstream
Patch37 : %{name}-rh760935.patch
-# Approved upstream, waiting for privs to commit
+# From upstream
Patch38 : %{name}-rh798471.patch
-
-
+# From upstream
+Patch39 : %{name}-rh758888.patch
+# Submitted upstream BZ 13818
+Patch40 : %{name}-rh800224.patch
+# From upstream
+Patch41 : %{name}-rh794797-2.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Obsoletes: glibc-profile < 2.4
@@ -366,6 +370,9 @@ rm -rf %{glibcportsdir}
%patch36 -p1
%patch37 -p1
%patch38 -p1
+%patch39 -p1
+%patch40 -p1
+%patch41 -p1
# A lot of programs still misuse memcpy when they have to use
# memmove. The memcpy implementation below is not tolerant at
@@ -1218,6 +1225,10 @@ rm -f *.filelist*
%endif
%changelog
+* Wed Feb 29 2012 Jeff Law - 2.15-26
+ - Set errno properly in vfprintf (#794797)
+ - Don't kill application when LD_PROFILE is set. (#800224)
+
* Wed Feb 29 2012 Jeff Law - 2.15-25
- Fix out of bounds memory access in resolver (#798471)
- Always mark vDSO as used (#758888)
@@ -1226,7 +1237,7 @@ rm -f *.filelist*
- Fix bogus underflow (#760935)
- Correctly handle dns request where large numbers of A and AAA records
are returned (#795498)
- - Fix nscd crash when group has many members (#788959)
+ - Fix nscd crash when group has many members (#788989)
* Mon Feb 20 2012 Jeff Law - 2.15-23
- Avoid "nargs" integer overflow which could be used to bypass FORTIFY_SOURCE (#794797)