diff -Nru glibc-2.35/debian/changelog glibc-2.35/debian/changelog
--- glibc-2.35/debian/changelog	2023-07-26 08:27:54.000000000 +0000
+++ glibc-2.35/debian/changelog	2023-09-25 14:45:50.000000000 +0000
@@ -1,3 +1,12 @@
+glibc (2.35-0ubuntu3.4) jammy-security; urgency=medium
+
+  * SECURITY UPDATE: privilege escalation in ld.so
+    - debian/patches/any/CVE-2023-4911.patch: terminate immediately if end
+      of input is reached in elf/dl-tunables.c.
+    - CVE-2023-4911
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 25 Sep 2023 10:45:50 -0400
+
 glibc (2.35-0ubuntu3.3) jammy; urgency=medium
 
   * Drop SVE patches due to kernal-related performance regression
diff -Nru glibc-2.35/debian/patches/any/CVE-2023-4911.patch glibc-2.35/debian/patches/any/CVE-2023-4911.patch
--- glibc-2.35/debian/patches/any/CVE-2023-4911.patch	1970-01-01 00:00:00.000000000 +0000
+++ glibc-2.35/debian/patches/any/CVE-2023-4911.patch	2023-09-25 14:45:50.000000000 +0000
@@ -0,0 +1,66 @@
+Updated: 2023-09-29 (to work-around toolchain issue)
+
+From d2b77337f734fcacdfc8e0ddec14cf31a746c7be Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar <siddhesh@redhat.com>
+Date: Mon, 11 Sep 2023 18:53:15 -0400
+Subject: [PATCH v2] tunables: Terminate immediately if end of input is reached
+
+The string parsing routine may end up writing beyond bounds of tunestr
+if the input tunable string is malformed, of the form name=name=val.
+This gets processed twice, first as name=name=val and next as name=val,
+resulting in tunestr being name=name=val:name=val, thus overflowing
+tunestr.
+
+Terminate the parsing loop at the first instance itself so that tunestr
+does not overflow.
+---
+Changes from v1:
+
+- Also null-terminate tunestr before exiting.
+
+ elf/dl-tunables.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/elf/dl-tunables.c
++++ b/elf/dl-tunables.c
+@@ -166,7 +166,7 @@ __tunable_set_val (tunable_id_t id, tuna
+    environment variable value for GLIBC_TUNABLES.  VALSTRING is the original
+    environment variable string which we use to make NULL terminated values so
+    that we don't have to allocate memory again for it.  */
+-static void
++__attribute__ ((noinline)) static void
+ parse_tunables (char *tunestr, char *valstring)
+ {
+   if (tunestr == NULL || *tunestr == '\0')
+@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *val
+       /* If we reach the end of the string before getting a valid name-value
+ 	 pair, bail out.  */
+       if (p[len] == '\0')
+-	{
+-	  if (__libc_enable_secure)
+-	    tunestr[off] = '\0';
+-	  return;
+-	}
++	break;
+ 
+       /* We did not find a valid name-value pair before encountering the
+ 	 colon.  */
+@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *val
+ 	    }
+ 	}
+ 
+-      if (p[len] != '\0')
+-	p += len + 1;
++      /* We reached the end while processing the tunable string.  */
++      if (p[len] == '\0')
++	break;
++
++      p += len + 1;
+     }
++
++  /* Terminate tunestr before we leave.  */
++  if (__libc_enable_secure)
++    tunestr[off] = '\0';
+ }
+ #endif
+ 
diff -Nru glibc-2.35/debian/patches/series glibc-2.35/debian/patches/series
--- glibc-2.35/debian/patches/series	2023-07-26 08:23:48.000000000 +0000
+++ glibc-2.35/debian/patches/series	2023-09-25 14:45:50.000000000 +0000
@@ -190,3 +190,4 @@
 lp2011421/0002-x86-Check-minimum-maximum-of-non_temporal_threshold-.patch
 
 lp1992159-socket-Fix-mistyped-define-statement-in-socket-sys-s.patch
+any/CVE-2023-4911.patch