Recompiling glibc with a diff patch

Update: don’t do this, Pat did it for you!

Right after posting this, of course the official patched binaries hit the internet:


Wed Jan 28 19:23:00 UTC 2015
patches/packages/glibc-2.17-x86_64-10_slack14.1.txz: Rebuilt.

So the following is only to be used as a general howto, not as specific instructions.

How to

Yesterday I recompiled glibc with a few diff patches from the helpful post on linux questions here. Today I refreshed that page to see if anything else new was happening on that bug, and there was a comment that applying a diff patch was difficult to do.

So I was inspired to write this post because in fact applying diff patches to glibc in Slackware is actually fairly easy (on a scale of 1 being download a binary and 10 being compile and install glibc from scratch, I’d put it at a 3)

What makes it so easy is that Slackware uses build scripts for each package, and these scripts are included when you download the slackware sources.

So here are the steps I took.

Download the Slackware glibc source directory

The first step is to get the source code you need to compile. Slackware is available from a number of locations. I went to the slackware main site and picked a mirror from the list at I chose Next using a browser, navigate around the source tree to find what you’re looking for—in this case, glibc sources. For 32-bit slackware, they are located at For 64-bit Slackware (what I’m using) I went to (Of course, if you’re using a different mirror, the first bit with “” would change)

Because I like rsync, and because the mirrors support rsync, I used that to download the source directory:

mkdir -p Downloads/slackware/source/l
rsync -av rsync:// Downloads/slackware/source/l/.

But you can also just right-click and save every file if you want. You can’t use wget as follows:

wget --mirror --no-parent

because at least for this mirror, the robots.txt file disallows using wget.

Download the patches

Next you need the patches. Go to the page linked above , and download the patches:

cd Downloads/slackware/source/l/glibc

Then to make your life easier in the next step, use gzip to compress each diff file:

gzip glibc-2.17_CVE-2014-7817.diff
gzip glibc-2.17_CVE-2014-9402.diff
gzip glibc-2.17_CVE-2015-0235.diff

Modify the stock Slackware build script

The next step is to apply these patches by modifying the stock Slackware build script. Open up the file glibc.SlackBuild in your favorite text editor, and scroll down until you see the function that applies the patches. It should look like this:

# This is a patch function to put all glibc patches in the build script
# up near the top.
apply_patches() {
# Use old-style locale directories rather than a single (and strangely
# formatted) /usr/lib/locale/locale-archive file:
zcat $CWD/ | patch -p1 --verbose || exit 1
# The is_IS locale is causing a strange error about the "echn" command

Scroll to the very bottom of this function, and using the prior zcat ... statements as a guide, apply the three patches. I chose to apply them in the order listed in the posting on the Linux Questions post:

... (existing patches) ...
# various patches from GHOST alert thing
zcat $CWD/glibc-2.17_CVE-2014-9402.diff.gz | patch -p1 --verbose || exit 1
zcat $CWD/glibc-2.17_CVE-2015-0235.diff.gz | patch -p1 --verbose || exit 1
zcat $CWD/glibc-2.17_CVE-2014-7817.diff.gz | patch -p1 --verbose || exit 1

Notice that the patches are “unzipped” using zcat. That’s why I recommended gzipping the diff files. If you don’t do that, you have to mess around with the syntax of that line. We’re just lazily copypasting here, and changing a file name is the path of least effort. So gzip it, and use zcat just like all the other diff patches.

An additional edit is needed that will save you some pain. I like to run my build scripts using sudo, but apparently our fearless Slackware leader runs as root, or else has a different $PATH than I do. There are various calls to makepkg towards the end of the script. You should copy and replace to make them all read /sbin/makepkg. If your $PATH is set like mine, your regular user account won’t be able to see the binaries in /sbin. The first time I ran this script, I didn’t get any packages at all for this reason.

So somehow, using your editor, search and replace.

Be careful…the very last call to makepkg already has the /sbin/ part. A double /sbin/sbin/ is not going to work!

Finally, scroll to the very top of the build script, and look for the line that says


Change the 7 to an 8.

Finally finally, make sure that Pat hasn’t already done this work. If you don’t see a 7 as the BUILD variable, then chances are the appropriate patches have already been applied, and you should go download the binary.

Build the packages

The next step is to build the packages. This step must be done as the root user.

sudo ./glibc.SlackBuild

Go have a refreshing drink, this takes a while.

Upgrade glibc

The last step is to upgrade glibc. At the very end of the build process, you should see a message that says something like: “glibc packages built in /glibc-tmp-3ea66757c2278dca4f7e829eb4a941f7”. That is where the packages are.

Because I am neurotic, I usually drop to runlevel 1 before upgrading glibc

So, as root

sudo /sbin/telinit 1

This will shut things down and drop you into a console mode. Log in as root, change to the glibc-tmp directory, and upgrade the packages:

cd /glibc-tmp
/sbin/upgradepkg glibc*t?z

Most likely you will see at least one issue, with the “debug” package not installing. upgradepkg will only upgrade packages that are already installed. That is a good thing.

If the upgrade went well (only the “debug” and maybe the “profile” packages refusing to install), then you’re done.

Reboot, and you should be good to go.

If the upgrade didn’t go well, you’re on your own. Best advice is to force install the existing (version 7) glibc packages by using the --reinstall --install-new options to upgradepkg, so that your system isn’t completely unstable. Then dig down, figure out what broke, and write your own blog post.

Final words

Hosing your system is a time-honored tradition for part-time sysadmins like myself. I’ve done it many times. All it means is that I have an afternoon of work ahead of me to rebuild things. Building glibc can fail, and restarting a system with a broken glibc can be challenging. Make sure you have a rescue disk on hand if this is your first time doing it.

If you’re new to building glibc, there are many ways to completely screw up. Read through the glibc.SlackBuild carefully, and see all the hints that Pat has left, especially the note about needing sanitized kernel headers towards the top.

But don’t be afraid to break your system. Failure is a lesson learned.

Slacking on the Couch

I run Slackware. I also use CouchDB. Seems like a natural fit, but the slackbuild on is stuck at 0.11.

That’s okay, it is a good script and works well with the latest version. However, I don’t want to run the latest release of CouchDB, I want to run 1.2.x from the git repository, because I really like the new replication engine for my work.

So, I had to do some tinkering with the SlackBuild script. Continue reading