authorBart De Vries2023-10-05 11:36:08 +0200
committerBart De Vries2023-10-05 16:37:17 +0200
commit0ef3c43365f79e1c88073c903935727353406d21 (patch)
treea9cee96e6945a7fd1ea9edec30f54132066fda2a
parent3dc0ca88c89bc7615acf31af54f5154edcf6776f (diff)
Fix CVEs
-rw-r--r--.SRCINFO8
-rw-r--r--0003-glibc-2.35-make-4.4-MAKEFLAGS.patch102
-rw-r--r--0003-nscd-Do-not-rebuild-getaddrinfo-bug-30709.patch184
-rw-r--r--PKGBUILD12
4 files changed, 194 insertions, 112 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 684c7470acd6..59cc9471ce2e 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
pkgbase = glibc-widevine
pkgver = 2.35
- pkgrel = 5.2
+ pkgrel = 5.3
url = https://www.gnu.org/software/libc
arch = x86_64
arch = armv7h
@@ -16,7 +16,7 @@ pkgbase = glibc-widevine
options = staticlibs
options = !lto
options = !distcc
- source = git+https://sourceware.org/git/glibc.git#commit=28ea43f8d64f0dd1f2de75525157730e1532e600
+ source = git+https://sourceware.org/git/glibc.git#commit=c84018a05aec80f5ee6f682db0da1130b0196aef
source = locale.gen.txt
source = locale-gen
source = sdt.h
@@ -24,7 +24,7 @@ pkgbase = glibc-widevine
source = disable-clone3.diff
source = 0001-sys-libs-glibc-add-support-for-SHT_RELR-sections.patch
source = 0002-tls-libwidevinecdm.so-since-4.10.2252.0-has-TLS-with.patch
- source = 0003-glibc-2.35-make-4.4-MAKEFLAGS.patch
+ source = 0003-nscd-Do-not-rebuild-getaddrinfo-bug-30709.patch
validpgpkeys = 7273542B39962DF7B299931416792B4EA25340F8
validpgpkeys = BC7C7372637EC10C57D7AA6579C43DFBF1CF2187
b2sums = SKIP
@@ -35,7 +35,7 @@ pkgbase = glibc-widevine
b2sums = edef5f724f68ea95c6b0127bd13a10245f548afc381b2d0a6d1d06ee9f87b7dd89c6becd35d5ae722bf838594eb870a747f67f07f46e7d63f8c8d1a43cce4a52
b2sums = 7da85639771d4972e913b0458906bbccf1b30143940669e1b58b0ceab2e8dffc3a6c4b641a842e63b49a9b7ff01dddc3f1296d35ab505f67b6e625e208d01a8c
b2sums = b10f7479a283fdb1916f72e9d8cc9304e068d87f3805a9d2c51e748c79c9547735405e1e86a438ffe87d5ba0adece555740c221fe3bf84990c21e2737d3bb197
- b2sums = 7b5d512df13ba1747a5a099bc7b9ff7d44ba94176c18d65fe37ab0145214f43949597bdffb3ee8c46954f7cedd0d1e708a237ccdb491a163493f5b43eac7bdda
+ b2sums = e7467882e2f9faf66d1cce60bc824ff496b7c12a2ea6cd54038818d92936cea0ccc5ca8ee29d126c0737603837c9c09145e110934e4b2f3230b32e31cd2c315e
pkgname = glibc-widevine
pkgdesc = GNU C Library
diff --git a/0003-glibc-2.35-make-4.4-MAKEFLAGS.patch b/0003-glibc-2.35-make-4.4-MAKEFLAGS.patch
deleted file mode 100644
index 51fbe5f54074..000000000000
--- a/0003-glibc-2.35-make-4.4-MAKEFLAGS.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=2d7ed98add14f75041499ac189696c9bd3d757fe
-https://bugs.gentoo.org/869263
-
-From 2d7ed98add14f75041499ac189696c9bd3d757fe Mon Sep 17 00:00:00 2001
-From: Sergei Trofimovich <slyich@gmail.com>
-Date: Tue, 13 Sep 2022 13:39:13 -0400
-Subject: [PATCH] Makerules: fix MAKEFLAGS assignment for upcoming make-4.4
- [BZ# 29564]
-
-make-4.4 will add long flags to MAKEFLAGS variable:
-
- * WARNING: Backward-incompatibility!
- Previously only simple (one-letter) options were added to the MAKEFLAGS
- variable that was visible while parsing makefiles. Now, all options
- are available in MAKEFLAGS.
-
-This causes locale builds to fail when long options are used:
-
- $ make --shuffle
- ...
- make -C localedata install-locales
- make: invalid shuffle mode: '1662724426r'
-
-The change fixes it by passing eash option via whitespace and dashes.
-That way option is appended to both single-word form and whitespace
-separated form.
-
-While at it fixed --silent mode detection in $(MAKEFLAGS) by filtering
-out --long-options. Otherwise options like --shuffle flag enable silent
-mode unintentionally. $(silent-make) variable consolidates the checks.
-
-Resolves: BZ# 29564
-
-CC: Paul Smith <psmith@gnu.org>
-CC: Siddhesh Poyarekar <siddhesh@gotplt.org>
-Signed-off-by: Sergei Trofimovich <slyich@gmail.com>
-Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
---- a/Makeconfig
-+++ b/Makeconfig
-@@ -43,6 +43,22 @@ else
- $(error objdir must be defined by the build-directory Makefile)
- endif
-
-+# Did we request 'make -s' run? "yes" or "no".
-+# Starting from make-4.4 MAKEFLAGS now contains long
-+# options like '--shuffle'. To detect presence of 's'
-+# we pick first word with short options. Long options
-+# are guaranteed to come after whitespace. We use '-'
-+# prefix to always have a word before long options
-+# even if no short options were passed.
-+# Typical MAKEFLAGS values to watch for:
-+# "rs --shuffle=42" (silent)
-+# " --shuffle" (not silent)
-+ifeq ($(findstring s, $(firstword -$(MAKEFLAGS))),)
-+silent-make := no
-+else
-+silent-make := yes
-+endif
-+
- # Root of the sysdeps tree.
- sysdep_dir := $(..)sysdeps
- export sysdep_dir := $(sysdep_dir)
-@@ -917,7 +933,7 @@ endif
- # umpteen zillion filenames along with it (we use `...' instead)
- # but we don't want this echoing done when the user has said
- # he doesn't want to see commands echoed by using -s.
--ifneq "$(findstring s,$(MAKEFLAGS))" "" # if -s
-+ifeq ($(silent-make),yes) # if -s
- +cmdecho := echo >/dev/null
- else # not -s
- +cmdecho := echo
---- a/Makerules
-+++ b/Makerules
-@@ -794,7 +794,7 @@ endif
- # Maximize efficiency by minimizing the number of rules.
- .SUFFIXES: # Clear the suffix list. We don't use suffix rules.
- # Don't define any builtin rules.
--MAKEFLAGS := $(MAKEFLAGS)r
-+MAKEFLAGS := $(MAKEFLAGS) -r
-
- # Generic rule for making directories.
- %/:
-@@ -811,7 +811,7 @@ MAKEFLAGS := $(MAKEFLAGS)r
- .PRECIOUS: $(foreach l,$(libtypes),$(patsubst %,$(common-objpfx)$l,c))
-
- # Use the verbose option of ar and tar when not running silently.
--ifeq "$(findstring s,$(MAKEFLAGS))" "" # if not -s
-+ifeq ($(silent-make),no) # if not -s
- verbose := v
- else # -s
- verbose :=
---- a/elf/rtld-Rules
-+++ b/elf/rtld-Rules
-@@ -52,7 +52,7 @@ $(objpfx)rtld-libc.a: $(foreach dir,$(rtld-subdirs),\
- mv -f $@T $@
-
- # Use the verbose option of ar and tar when not running silently.
--ifeq "$(findstring s,$(MAKEFLAGS))" "" # if not -s
-+ifeq ($(silent-make),no) # if not -s
- verbose := v
- else # -s
- verbose :=
diff --git a/0003-nscd-Do-not-rebuild-getaddrinfo-bug-30709.patch b/0003-nscd-Do-not-rebuild-getaddrinfo-bug-30709.patch
new file mode 100644
index 000000000000..f1fb7f793b58
--- /dev/null
+++ b/0003-nscd-Do-not-rebuild-getaddrinfo-bug-30709.patch
@@ -0,0 +1,184 @@
+From 039ff51ac7e02db1cfc0c23e38ac7bfbb00221d1 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Fri, 11 Aug 2023 10:10:16 +0200
+Subject: [PATCH] nscd: Do not rebuild getaddrinfo (bug 30709)
+
+The nscd daemon caches hosts data from NSS modules verbatim, without
+filtering protocol families or sorting them (otherwise separate caches
+would be needed for certain ai_flags combinations). The cache
+implementation is complete separate from the getaddrinfo code. This
+means that rebuilding getaddrinfo is not needed. The only function
+actually used is __bump_nl_timestamp from check_pf.c, and this change
+moves it into nscd/connections.c.
+
+Tested on x86_64-linux-gnu with -fexceptions, built with
+build-many-glibcs.py. I also backported this patch into a distribution
+that still supports nscd and verified manually that caching still works.
+
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+---
+ include/ifaddrs.h | 4 ---
+ inet/check_pf.c | 9 ------
+ nscd/Makefile | 2 +-
+ nscd/connections.c | 11 +++++++
+ nscd/gai.c | 50 ------------------------------
+ sysdeps/unix/sysv/linux/check_pf.c | 17 +---------
+ 6 files changed, 13 insertions(+), 80 deletions(-)
+ delete mode 100644 nscd/gai.c
+
+diff --git a/include/ifaddrs.h b/include/ifaddrs.h
+index 416118f1b3..19a3afb19f 100644
+--- a/include/ifaddrs.h
++++ b/include/ifaddrs.h
+@@ -34,9 +34,5 @@ extern void __check_native (uint32_t a1_index, int *a1_native,
+ uint32_t a2_index, int *a2_native)
+ attribute_hidden;
+
+-#if IS_IN (nscd)
+-extern uint32_t __bump_nl_timestamp (void) attribute_hidden;
+-#endif
+-
+ # endif /* !_ISOMAC */
+ #endif /* ifaddrs.h */
+diff --git a/inet/check_pf.c b/inet/check_pf.c
+index 5310c99121..6d1475920f 100644
+--- a/inet/check_pf.c
++++ b/inet/check_pf.c
+@@ -60,12 +60,3 @@ __free_in6ai (struct in6addrinfo *in6ai)
+ {
+ /* Nothing to do. */
+ }
+-
+-
+-#if IS_IN (nscd)
+-uint32_t
+-__bump_nl_timestamp (void)
+-{
+- return 0;
+-}
+-#endif
+diff --git a/nscd/Makefile b/nscd/Makefile
+index 2a0489f4cf..16b6460ee9 100644
+--- a/nscd/Makefile
++++ b/nscd/Makefile
+@@ -35,7 +35,7 @@ nscd-modules := nscd connections pwdcache getpwnam_r getpwuid_r grpcache \
+ getgrnam_r getgrgid_r hstcache gethstbyad_r gethstbynm3_r \
+ getsrvbynm_r getsrvbypt_r servicescache \
+ dbg_log nscd_conf nscd_stat cache mem nscd_setup_thread \
+- xmalloc xstrdup aicache initgrcache gai res_hconf \
++ xmalloc xstrdup aicache initgrcache res_hconf \
+ netgroupcache cachedumper
+
+ ifeq ($(build-nscd)$(have-thread-library),yesyes)
+diff --git a/nscd/connections.c b/nscd/connections.c
+index a405a44a9b..15693e5090 100644
+--- a/nscd/connections.c
++++ b/nscd/connections.c
+@@ -256,6 +256,17 @@ int inotify_fd = -1;
+ #ifdef HAVE_NETLINK
+ /* Descriptor for netlink status updates. */
+ static int nl_status_fd = -1;
++
++static uint32_t
++__bump_nl_timestamp (void)
++{
++ static uint32_t nl_timestamp;
++
++ if (atomic_fetch_add_relaxed (&nl_timestamp, 1) + 1 == 0)
++ atomic_fetch_add_relaxed (&nl_timestamp, 1);
++
++ return nl_timestamp;
++}
+ #endif
+
+ /* Number of times clients had to wait. */
+diff --git a/nscd/gai.c b/nscd/gai.c
+deleted file mode 100644
+index e29f3fe583..0000000000
+--- a/nscd/gai.c
++++ /dev/null
+@@ -1,50 +0,0 @@
+-/* Copyright (C) 2004-2022 Free Software Foundation, Inc.
+- This file is part of the GNU C Library.
+-
+- This program is free software; you can redistribute it and/or modify
+- it under the terms of the GNU General Public License as published
+- by the Free Software Foundation; version 2 of the License, or
+- (at your option) any later version.
+-
+- This program is distributed in the hope that it will be useful,
+- but WITHOUT ANY WARRANTY; without even the implied warranty of
+- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+- GNU General Public License for more details.
+-
+- You should have received a copy of the GNU General Public License
+- along with this program; if not, see <https://www.gnu.org/licenses/>. */
+-
+-#include <alloca.h>
+-#include <sys/stat.h>
+-
+-/* This file uses the getaddrinfo code but it compiles it without NSCD
+- support. We just need a few symbol renames. */
+-#define __ioctl ioctl
+-#define __getsockname getsockname
+-#define __socket socket
+-#define __recvmsg recvmsg
+-#define __bind bind
+-#define __sendto sendto
+-#define __strchrnul strchrnul
+-#define __getline getline
+-#define __qsort_r qsort_r
+-/* nscd uses 1MB or 2MB thread stacks. */
+-#define __libc_use_alloca(size) (size <= __MAX_ALLOCA_CUTOFF)
+-#define __getifaddrs getifaddrs
+-#define __freeifaddrs freeifaddrs
+-#undef __fstat64
+-#define __fstat64 fstat64
+-#undef __stat64
+-#define __stat64 stat64
+-
+-/* We are nscd, so we don't want to be talking to ourselves. */
+-#undef USE_NSCD
+-
+-#include <getaddrinfo.c>
+-
+-/* Support code. */
+-#include <check_pf.c>
+-#include <check_native.c>
+-
+-/* Some variables normally defined in libc. */
+-nss_action_list __nss_hosts_database attribute_hidden;
+diff --git a/sysdeps/unix/sysv/linux/check_pf.c b/sysdeps/unix/sysv/linux/check_pf.c
+index 2b0b8b6368..3aa6a00348 100644
+--- a/sysdeps/unix/sysv/linux/check_pf.c
++++ b/sysdeps/unix/sysv/linux/check_pf.c
+@@ -66,25 +66,10 @@ static struct cached_data *cache;
+ __libc_lock_define_initialized (static, lock);
+
+
+-#if IS_IN (nscd)
+-static uint32_t nl_timestamp;
+-
+-uint32_t
+-__bump_nl_timestamp (void)
+-{
+- if (atomic_increment_val (&nl_timestamp) == 0)
+- atomic_increment (&nl_timestamp);
+-
+- return nl_timestamp;
+-}
+-#endif
+-
+ static inline uint32_t
+ get_nl_timestamp (void)
+ {
+-#if IS_IN (nscd)
+- return nl_timestamp;
+-#elif defined USE_NSCD
++#if defined USE_NSCD
+ return __nscd_get_nl_timestamp ();
+ #else
+ return 0;
+--
+2.42.0
+
diff --git a/PKGBUILD b/PKGBUILD
index 97508fbafa4c..136818677498 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -18,8 +18,8 @@ pkgname=glibc-widevine
provides=("glibc=2.35")
conflicts=("glibc")
pkgver=2.35
-_commit=28ea43f8d64f0dd1f2de75525157730e1532e600
-pkgrel=5.2
+_commit=c84018a05aec80f5ee6f682db0da1130b0196aef
+pkgrel=5.3
arch=('x86_64' 'armv7h' 'aarch64')
url='https://www.gnu.org/software/libc'
license=(GPL LGPL)
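Review bot: The new pin `_commit=c84018a05aec80f5ee6f682db0da1130b0196aef` records neither which CVEs the "Fix CVEs" message refers to nor why the make-4.4 MAKEFLAGS patch could be dropped in the same change (the `@@ -32,7 +32,7 @@` and `@@ -65,8 +65,8 @@` hunks below), so the next bump cannot tell whether either decision still holds. Presumably the newly pinned release-branch commit already contains upstream 2d7ed98add14f75041499ac189696c9bd3d757fe, which the deleted patch's own header cites, but nothing in the PKGBUILD says so. A one-line comment above the pin would preserve that, e.g. `# 2.35 release-branch pin (2023-10-05): brings in the CVE fixes named in the git log and upstream 2d7ed98a (make-4.4 MAKEFLAGS), superseding the dropped 0003-glibc-2.35-make-4.4-MAKEFLAGS.patch`. The CVE identifiers themselves belong in the commit message rather than the bare `Fix CVEs`.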
@@ -32,7 +32,7 @@ source=(git+https://sourceware.org/git/glibc.git#commit=${_commit}
disable-clone3.diff
0001-sys-libs-glibc-add-support-for-SHT_RELR-sections.patch
0002-tls-libwidevinecdm.so-since-4.10.2252.0-has-TLS-with.patch
- 0003-glibc-2.35-make-4.4-MAKEFLAGS.patch
+ 0003-nscd-Do-not-rebuild-getaddrinfo-bug-30709.patch
)
validpgpkeys=(7273542B39962DF7B299931416792B4EA25340F8 # Carlos O'Donell
BC7C7372637EC10C57D7AA6579C43DFBF1CF2187) # Siddhesh Poyarekar
@@ -45,7 +45,7 @@ b2sums=('SKIP'
'edef5f724f68ea95c6b0127bd13a10245f548afc381b2d0a6d1d06ee9f87b7dd89c6becd35d5ae722bf838594eb870a747f67f07f46e7d63f8c8d1a43cce4a52'
'7da85639771d4972e913b0458906bbccf1b30143940669e1b58b0ceab2e8dffc3a6c4b641a842e63b49a9b7ff01dddc3f1296d35ab505f67b6e625e208d01a8c'
'b10f7479a283fdb1916f72e9d8cc9304e068d87f3805a9d2c51e748c79c9547735405e1e86a438ffe87d5ba0adece555740c221fe3bf84990c21e2737d3bb197'
- '7b5d512df13ba1747a5a099bc7b9ff7d44ba94176c18d65fe37ab0145214f43949597bdffb3ee8c46954f7cedd0d1e708a237ccdb491a163493f5b43eac7bdda')
+ 'e7467882e2f9faf66d1cce60bc824ff496b7c12a2ea6cd54038818d92936cea0ccc5ca8ee29d126c0737603837c9c09145e110934e4b2f3230b32e31cd2c315e')
prepare() {
mkdir -p glibc-build
@@ -65,8 +65,8 @@ prepare() {
# dl-tls: libwidevinecdm 64Byte alignment
patch -p1 -i "$srcdir"/0002-tls-libwidevinecdm.so-since-4.10.2252.0-has-TLS-with.patch
- # patch for make-4.4 in combination with older glibc
- patch -p1 -i "$srcdir"/0003-glibc-2.35-make-4.4-MAKEFLAGS.patch
+ # nscd: Do not rebuild getaddrinfo (bug 30709)
+ patch -p1 -i "$srcdir"/0003-nscd-Do-not-rebuild-getaddrinfo-bug-30709.patch
}
build() {