diff -Nru klibc-2.0.4/debian/changelog klibc-2.0.4/debian/changelog --- klibc-2.0.4/debian/changelog 2017-11-09 21:14:08.000000000 +0000 +++ klibc-2.0.4/debian/changelog 2022-04-25 14:39:01.000000000 +0000 @@ -1,3 +1,37 @@ +klibc (2.0.4-9ubuntu2.2) bionic; urgency=medium + + [ Khaled Elmously ] + * d/p/lp1947099-honour-user-requested-timeouts-in-all-cases.patch: + Honour user-specified timeouts even in error cases. (LP: #1947099) + + [ Mauricio Faria de Oliveira ] + * d/p/lp1947099-fix-for-no-timeout-specified.patch: Check for an + user-specified timeout before checking/adjusting timeout values. + + -- Mauricio Faria de Oliveira Mon, 25 Apr 2022 11:39:01 -0300 + +klibc (2.0.4-9ubuntu2.1) bionic-security; urgency=medium + + * SECURITY UPDATE: integer overflow in calloc + - debian/patches/CVE-2021-31870.patch: add overflow check + when performing the multiplication in usr/klibc/calloc.c. + - CVE-2021-31870 + * SECURITY UPDATE: integer overflow in cpio + - debian/patches/CVE-2021-31871.patch: remove cast to unsigned + to avoid a possible overflow in 64 bit systems in + usr/utils/cpio.c. + - CVE-2021-31871 + * SECURITY UPDATE: integer overflow in read_in_new_ascii + - debian/patches/CVE-2021-31872.patch: ensure that c_namesize + and c_filesize are smaller than LONG_MAX in usr/utils/cpio.c. + - CVE-2021-31872 + * SECURITY UPDATE: integer overflow in malloc + - debian/patches/CVE-2021-31873.patch: ensure that size is smaller + than PTRDIFF_MAX in usr/klibc/malloc.c. + - CVE-2021-31873 + + -- David Fernandez Gonzalez Wed, 13 Apr 2022 10:41:23 +0200 + klibc (2.0.4-9ubuntu2) bionic; urgency=medium * Write DNS domain in place of DOMAINSEARCH if that wasn't provided by the diff -Nru klibc-2.0.4/debian/patches/CVE-2021-31870.patch klibc-2.0.4/debian/patches/CVE-2021-31870.patch --- klibc-2.0.4/debian/patches/CVE-2021-31870.patch 1970-01-01 00:00:00.000000000 +0000 +++ klibc-2.0.4/debian/patches/CVE-2021-31870.patch 2022-04-13 08:40:59.000000000 +0000 
@@ -0,0 +1,45 @@
+From 292650f04c2b5348b4efbad61fb014ed09b4f3f2 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings
+Date: Wed, 28 Apr 2021 04:29:50 +0200
+Subject: [klibc] calloc: Fail if multiplication overflows
+
+calloc() multiplies its 2 arguments together and passes the result to
+malloc(). Since the factors and product both have type size_t, this
+can result in an integer overflow and subsequent buffer overflow.
+Check for this and fail if it happens.
+
+CVE-2021-31870
+
+Signed-off-by: Ben Hutchings
+---
+ usr/klibc/calloc.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/usr/klibc/calloc.c b/usr/klibc/calloc.c
+index 53dcc6b2f6bf6..4a81cda15e1ce 100644
+--- a/usr/klibc/calloc.c
++++ b/usr/klibc/calloc.c
+@@ -2,12 +2,17 @@
+ * calloc.c
+ */
+
++#include
+ #include
+ #include
+
+-/* FIXME: This should look for multiplication overflow */
+-
+ void *calloc(size_t nmemb, size_t size)
+ {
+- return zalloc(nmemb * size);
++ unsigned long prod;
++
++ if (__builtin_umull_overflow(nmemb, size, &prod)) {
++ errno = ENOMEM;
++ return NULL;
++ }
++ return zalloc(prod);
+ }
+--
+cgit
+
diff -Nru klibc-2.0.4/debian/patches/CVE-2021-31871.patch klibc-2.0.4/debian/patches/CVE-2021-31871.patch
--- klibc-2.0.4/debian/patches/CVE-2021-31871.patch 1970-01-01 00:00:00.000000000 +0000
+++ klibc-2.0.4/debian/patches/CVE-2021-31871.patch 2022-04-13 08:41:06.000000000 +0000
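Review bot: `__builtin_umull_overflow(nmemb, size, &prod)` with `unsigned long prod` silently assumes `size_t` and `unsigned long` have the same width; that holds on the Linux ABIs klibc builds for, but the type-generic form states the intent without the assumption: `size_t prod;` and `if (__builtin_mul_overflow(nmemb, size, &prod)) {`. A product that fits but is zero (e.g. `calloc(0, n)`) still reaches `zalloc(0)`, and the malloc hunk in this same upload shows `if (size == 0) return NULL;` with errno untouched, so callers cannot tell that NULL from the new ENOMEM one; pre-existing, but worth a one-line comment above the overflow check if this calloc is meant to mirror glibc. The added `#include` line's header name is missing in this rendering; presumably it is `<errno.h>`, which `errno`/`ENOMEM` need, so confirm in the applied source.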
@@ -0,0 +1,31 @@
+From 2e48a12ab1e30d43498c2d53e878a11a1b5102d5 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings
+Date: Wed, 28 Apr 2021 19:46:47 +0200
+Subject: [klibc] cpio: Fix possible crash on 64-bit systems
+
+copyin_link() tries to allocate (unsigned int)c_filesize + 1 bytes.
+If c_filesize == UINT_MAX, this works out as 0 bytes, resulting in a
+null pointer and a subsequent SIGSEGV.
+
+The previous commit made this impossible on 32-bit systems.
+
+CVE-2021-31871
+
+Signed-off-by: Ben Hutchings
+---
+ usr/utils/cpio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: klibc-2.0.4/usr/utils/cpio.c
+===================================================================
+--- klibc-2.0.4.orig/usr/utils/cpio.c
++++ klibc-2.0.4/usr/utils/cpio.c
+@@ -831,7 +831,7 @@ static void copyin_link(struct new_cpio_
+ char *link_name = NULL; /* Name of hard and symbolic links. */
+ int res; /* Result of various function calls. */
+
+- link_name = (char *)xmalloc((unsigned int)file_hdr->c_filesize + 1);
++ link_name = (char *)xmalloc(file_hdr->c_filesize + 1);
+ link_name[file_hdr->c_filesize] = '\0';
+ tape_buffered_read(link_name, in_file_des, file_hdr->c_filesize);
+ tape_skip_padding(in_file_des, file_hdr->c_filesize);
diff -Nru klibc-2.0.4/debian/patches/CVE-2021-31872.patch klibc-2.0.4/debian/patches/CVE-2021-31872.patch
--- klibc-2.0.4/debian/patches/CVE-2021-31872.patch 1970-01-01 00:00:00.000000000 +0000
+++ klibc-2.0.4/debian/patches/CVE-2021-31872.patch 2022-04-13 08:40:55.000000000 +0000
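Review bot: The corrected allocation `xmalloc(file_hdr->c_filesize + 1)` is only wrap-free on 32-bit targets because the separate CVE-2021-31872 change rejects `c_filesize > LONG_MAX` first — the commit message says so itself — yet `debian/patches/series` lists this patch before that one, so the two are order-dependent on paper even though the fully patched tree is fine. A one-line note in this patch header, e.g. `Depends on CVE-2021-31872.patch (c_filesize <= LONG_MAX) on 32-bit targets`, would stop a future partial backport or bisect from reintroducing the `+ 1` wrap to zero. While the line is being touched, the `(char *)` cast on `xmalloc`'s return is unnecessary in C: `link_name = xmalloc(file_hdr->c_filesize + 1);`. copyin_link's body starts and ends outside the hunk.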
@@ -0,0 +1,70 @@
+From 9b1c91577aef7f2e72c3aa11a27749160bd278ff Mon Sep 17 00:00:00 2001
+From: Ben Hutchings
+Date: Wed, 28 Apr 2021 05:16:34 +0200
+Subject: [klibc] cpio: Fix possible integer overflow on 32-bit systems
+
+The maximum name and file sizes in the "new" header format are 32-bit
+unsigned values. However, the I/O functions mostly use long for sizes
+and offsets, so that sizes >= 2^31 are handled wrongly on 32-bit
+systems.
+
+The current GNU cpio code doesn't seem to have this problem, but the
+divergence between this version and that is large enough that I can't
+simply cherry-pick a fix for it.
+
+As a short-term fix, in read_in_new_ascii(), fail if c_namesize or
+c_filesize is > LONG_MAX.
+
+CVE-2021-31872
+
+Signed-off-by: Ben Hutchings
+---
+ usr/utils/cpio.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/usr/utils/cpio.c b/usr/utils/cpio.c
+index cb616791c0aa4..ac481310bf982 100644
+--- a/usr/utils/cpio.c
++++ b/usr/utils/cpio.c
+@@ -17,6 +17,7 @@
+
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -904,6 +905,15 @@ static void read_in_new_ascii(struct new_cpio_header *file_hdr, int in_des)
+ file_hdr->c_hdr[i] = strtoul(hexbuf, NULL, 16);
+ ah += 8;
+ }
++
++ /* Sizes > LONG_MAX can currently result in integer overflow
++ in various places. Fail if name is too large. */
++ if (file_hdr->c_namesize > LONG_MAX) {
++ fprintf(stderr, "%s: name size out of range\n",
++ progname);
++ exit(1);
++ }
++
+ /* Read file name from input. */
+ free(file_hdr->c_name);
+ file_hdr->c_name = (char *)xmalloc(file_hdr->c_namesize);
+@@ -914,6 +924,14 @@ static void read_in_new_ascii(struct new_cpio_header *file_hdr, int in_des)
+ is rounded up to the next long-word, so we might need to drop
+ 1-3 bytes. */
+ tape_skip_padding(in_des, file_hdr->c_namesize + 110);
++
++ /* Fail if file is too large. We could check this earlier
++ but it's helpful to report the name.
 */
++ if (file_hdr->c_filesize > LONG_MAX) {
++ fprintf(stderr, "%s: %s: file size out of range\n",
++ progname, file_hdr->c_name);
++ exit(1);
++ }
+ }
+
+ /* Return 16-bit integer I with the bytes swapped. */
+--
+cgit
+
diff -Nru klibc-2.0.4/debian/patches/CVE-2021-31873.patch klibc-2.0.4/debian/patches/CVE-2021-31873.patch
--- klibc-2.0.4/debian/patches/CVE-2021-31873.patch 1970-01-01 00:00:00.000000000 +0000
+++ klibc-2.0.4/debian/patches/CVE-2021-31873.patch 2022-04-13 08:41:23.000000000 +0000
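Review bot: The `c_namesize > LONG_MAX` bound still lets `file_hdr->c_namesize + 110` in the `tape_skip_padding()` call exceed `LONG_MAX` for the top 110 values of the range; if that parameter is a `long` (its signature is not in the hunk) the overflow this patch targets survives at the edge, and `if (file_hdr->c_namesize > LONG_MAX - 110) {` closes it with no behavioural change for any realistic archive. A far smaller cap would be more defensible for archive input that is untrusted by definition — names are bounded by `PATH_MAX` in practice — though the commit is explicit that this is a short-term fix. The second check prints `file_hdr->c_name` with `%s`, which relies on the name read from the archive between the two checks being NUL-terminated; the read path is not in the hunk, so worth confirming rather than assuming. read_in_new_ascii's body starts before the hunk.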
@@ -0,0 +1,48 @@
+From a31ae8c508fc8d1bca4f57e9f9f88127572d5202 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings
+Date: Wed, 28 Apr 2021 04:03:49 +0200
+Subject: [klibc] malloc: Fail if requested size > PTRDIFF_MAX
+
+malloc() adds some overhead to the requested size, which may result in
+an integer overflow and subsequent buffer overflow if it is close to
+SIZE_MAX. It should fail if size is large enough for this to happen.
+
+Further, it's not legal for a C object to be larger than
+PTRDIFF_MAX (half of SIZE_MAX) as pointer arithmetic within it could
+overflow. So return failure immediately if size is greater than that.
+
+CVE-2021-31873
+
+Signed-off-by: Ben Hutchings
+---
+ usr/klibc/malloc.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+Index: klibc-2.0.4/usr/klibc/malloc.c
+===================================================================
+--- klibc-2.0.4.orig/usr/klibc/malloc.c
++++ klibc-2.0.4/usr/klibc/malloc.c
+@@ -6,6 +6,7 @@
+
+ #include
+ #include
++#include
+ #include
+ #include
+ #include "malloc.h"
+@@ -146,6 +147,15 @@ void *malloc(size_t size)
+ if (size == 0)
+ return NULL;
+
++ /* Various additions below will overflow if size is close to
++ SIZE_MAX. Further, it's not legal for a C object to be
++ larger than PTRDIFF_MAX (half of SIZE_MAX) as pointer
++ arithmetic within it could overflow. */
++ if (size > PTRDIFF_MAX) {
++ errno = ENOMEM;
++ return NULL;
++ }
++
+ /* Add the obligatory arena header, and round up */
+ size = (size + 2 * sizeof(struct arena_header) - 1) & ARENA_SIZE_MASK;
+
diff -Nru klibc-2.0.4/debian/patches/lp1947099-fix-for-no-timeout-specified.patch klibc-2.0.4/debian/patches/lp1947099-fix-for-no-timeout-specified.patch
--- klibc-2.0.4/debian/patches/lp1947099-fix-for-no-timeout-specified.patch 1970-01-01 00:00:00.000000000 +0000
+++ klibc-2.0.4/debian/patches/lp1947099-fix-for-no-timeout-specified.patch 2022-04-25 14:38:36.000000000 +0000
@@ -0,0 +1,23 @@
+Description: Check for an user-specified timeout before checking/adjusting timeout values.
+ If there's no '-t' parameter, then loop_timeout == -1, which breaks the
+ check/adjust introduced here; thus check for '>= 0' as in the inner loop.
+ .
+ This should be forwarded upstream as part of the discussion on the patch.
+Author: Mauricio Faria de Oliveira
+Forwarded: no
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1947099
+
+Index: klibc-2.0.4/usr/kinit/ipconfig/main.c
+===================================================================
+--- klibc-2.0.4.orig/usr/kinit/ipconfig/main.c
++++ klibc-2.0.4/usr/kinit/ipconfig/main.c
+@@ -445,7 +445,8 @@ static int loop(void)
+ /* Compensate for already-lost time */
+ /* Make sure to never exceed user-specified timeouts */
+ gettimeofday(&now, NULL);
+- if (now.tv_sec + timeout > start + loop_timeout) {
++ if (loop_timeout >= 0 &&
++ now.tv_sec + timeout > start + loop_timeout) {
+ timeout = loop_timeout - (now.tv_sec - start);
+ printf("Lowered timeout to match user request = (%d s) \n", timeout);
+ }
diff -Nru klibc-2.0.4/debian/patches/lp1947099-honour-user-requested-timeouts-in-all-cases.patch klibc-2.0.4/debian/patches/lp1947099-honour-user-requested-timeouts-in-all-cases.patch
--- klibc-2.0.4/debian/patches/lp1947099-honour-user-requested-timeouts-in-all-cases.patch 1970-01-01 00:00:00.000000000 +0000
+++ klibc-2.0.4/debian/patches/lp1947099-honour-user-requested-timeouts-in-all-cases.patch 2022-04-25 14:38:36.000000000 +0000
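Review bot: With the guard at `loop_timeout >= 0`, an explicit `-t 0` (if option parsing accepts it; that code is outside the hunk) enters the adjustment and `timeout = loop_timeout - (now.tv_sec - start)` yields zero or a negative value, so the new condition fixes the `-1` sentinel but not the lower edge; a clamp after the subtraction, `if (timeout < 0) timeout = 0;`, or treating a passed deadline as loop exit, would cover it. The `-1` sentinel is now tested in two places (the description cites the inner loop), so a comment on the new line such as `/* loop_timeout < 0: no -t given, nothing to cap */` documents the contract where it is easiest to break. `now.tv_sec` comes from `gettimeofday`, a wall clock that can jump in early boot when the RTC or NTP sets the time; presumably `start` has the same origin, and a monotonic clock would be more robust for a deadline if both can be switched together. loop()'s body starts and ends outside the hunk.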
@@ -0,0 +1,29 @@
+Description: Honour user-specified timeouts even in error cases.
+ This change has been made to avoid 10 second timeout in case of
+ an error if this would validate an earlier timeout specified by the user.
+ .
+ klibc (2.0.4-9ubuntu3) bionic; urgency=medium
+ .
+ [Khaled Elmously]
+ * Honour user-specified timeouts even in error cases. (LP: #1947099)
+Author: Khaled Elmously
+Forwarded: https://lists.zytor.com/archives/klibc/2021-December/004629.html
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1947099
+
+--- klibc-2.0.4.orig/usr/kinit/ipconfig/main.c
++++ klibc-2.0.4/usr/kinit/ipconfig/main.c
+@@ -442,6 +442,14 @@ static int loop(void)
+ if (pending == 0 || (bringup_first && done))
+ break;
+
++ /* Compensate for already-lost time */
++ /* Make sure to never exceed user-specified timeouts */
++ gettimeofday(&now, NULL);
++ if (now.tv_sec + timeout > start + loop_timeout) {
++ timeout = loop_timeout - (now.tv_sec - start);
++ printf("Lowered timeout to match user request = (%d s) \n", timeout);
++ }
++
+ timeout_ms = timeout * 1000;
+
+ for (x = 0; x < 2; x++) {
diff -Nru klibc-2.0.4/debian/patches/series klibc-2.0.4/debian/patches/series
--- klibc-2.0.4/debian/patches/series 2017-11-09 21:13:32.000000000 +0000
+++ klibc-2.0.4/debian/patches/series 2022-04-25 14:38:36.000000000 +0000
@@ -20,3 +20,9 @@
 broadcast_dhcp_send.patch
 dhcp-one-socket-per-interface.patch
 0001-Write-DNS-domain-from-DHCP-if-we-have-no-DOMAINSEARC.patch
+CVE-2021-31870.patch
+CVE-2021-31871.patch
+CVE-2021-31872.patch
+CVE-2021-31873.patch
+lp1947099-honour-user-requested-timeouts-in-all-cases.patch
+lp1947099-fix-for-no-timeout-specified.patch
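Review bot: `timeout = loop_timeout - (now.tv_sec - start)` goes negative once more than `loop_timeout` seconds have already elapsed at this point, and `timeout_ms = timeout * 1000` two lines later then carries that negative value into whatever wait follows; if that wait is `poll()` (the call is outside the hunk), a negative timeout means block indefinitely, which inverts the fix. Clamping before `timeout_ms` is computed, `if (timeout < 0) timeout = 0;`, or breaking out of the loop once the deadline is past, keeps the user's bound honoured. As written the new block also runs when `loop_timeout` is the `-1` no-timeout sentinel; the separate lp1947099-fix patch in this upload adds that guard, so the two must be read together. The message `"(%d s) \n"` has a stray space before the newline that can go. loop()'s body starts and ends outside the hunk.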