author | Bart De Vries | 2023-10-05 11:36:08 +0200 |
---|---|---|
committer | Bart De Vries | 2023-10-05 16:37:17 +0200 |
commit | 0ef3c43365f79e1c88073c903935727353406d21 (patch) | |
tree | a9cee96e6945a7fd1ea9edec30f54132066fda2a | |
parent | 3dc0ca88c89bc7615acf31af54f5154edcf6776f (diff) | |
download | aur-0ef3c43365f79e1c88073c903935727353406d21.tar.gz |
Fix CVEs
-rw-r--r-- | .SRCINFO | 8 | ||||
-rw-r--r-- | 0003-glibc-2.35-make-4.4-MAKEFLAGS.patch | 102 | ||||
-rw-r--r-- | 0003-nscd-Do-not-rebuild-getaddrinfo-bug-30709.patch | 184 | ||||
-rw-r--r-- | PKGBUILD | 12 |
4 files changed, 194 insertions, 112 deletions
@@ -1,6 +1,6 @@
 pkgbase = glibc-widevine
 pkgver = 2.35
- pkgrel = 5.2
+ pkgrel = 5.3
 url = https://www.gnu.org/software/libc
 arch = x86_64
 arch = armv7h
@@ -16,7 +16,7 @@ pkgbase = glibc-widevine
 options = staticlibs
 options = !lto
 options = !distcc
- source = git+https://sourceware.org/git/glibc.git#commit=28ea43f8d64f0dd1f2de75525157730e1532e600
+ source = git+https://sourceware.org/git/glibc.git#commit=c84018a05aec80f5ee6f682db0da1130b0196aef
 source = locale.gen.txt
 source = locale-gen
 source = sdt.h
@@ -24,7 +24,7 @@ pkgbase = glibc-widevine
 source = disable-clone3.diff
 source = 0001-sys-libs-glibc-add-support-for-SHT_RELR-sections.patch
 source = 0002-tls-libwidevinecdm.so-since-4.10.2252.0-has-TLS-with.patch
- source = 0003-glibc-2.35-make-4.4-MAKEFLAGS.patch
+ source = 0003-nscd-Do-not-rebuild-getaddrinfo-bug-30709.patch
 validpgpkeys = 7273542B39962DF7B299931416792B4EA25340F8
 validpgpkeys = BC7C7372637EC10C57D7AA6579C43DFBF1CF2187
 b2sums = SKIP
@@ -35,7 +35,7 @@ pkgbase = glibc-widevine
 b2sums = edef5f724f68ea95c6b0127bd13a10245f548afc381b2d0a6d1d06ee9f87b7dd89c6becd35d5ae722bf838594eb870a747f67f07f46e7d63f8c8d1a43cce4a52
 b2sums = 7da85639771d4972e913b0458906bbccf1b30143940669e1b58b0ceab2e8dffc3a6c4b641a842e63b49a9b7ff01dddc3f1296d35ab505f67b6e625e208d01a8c
 b2sums = b10f7479a283fdb1916f72e9d8cc9304e068d87f3805a9d2c51e748c79c9547735405e1e86a438ffe87d5ba0adece555740c221fe3bf84990c21e2737d3bb197
- b2sums = 7b5d512df13ba1747a5a099bc7b9ff7d44ba94176c18d65fe37ab0145214f43949597bdffb3ee8c46954f7cedd0d1e708a237ccdb491a163493f5b43eac7bdda
+ b2sums = e7467882e2f9faf66d1cce60bc824ff496b7c12a2ea6cd54038818d92936cea0ccc5ca8ee29d126c0737603837c9c09145e110934e4b2f3230b32e31cd2c315e

 pkgname = glibc-widevine
 pkgdesc = GNU C Library
diff --git a/0003-glibc-2.35-make-4.4-MAKEFLAGS.patch b/0003-glibc-2.35-make-4.4-MAKEFLAGS.patch
deleted file mode 100644
index 51fbe5f54074..000000000000
--- a/0003-glibc-2.35-make-4.4-MAKEFLAGS.patch
+++ /dev/null
@@ -1,102 +0,0 @@ -https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=2d7ed98add14f75041499ac189696c9bd3d757fe -https://bugs.gentoo.org/869263 - -From 2d7ed98add14f75041499ac189696c9bd3d757fe Mon Sep 17 00:00:00 2001 -From: Sergei Trofimovich <slyich@gmail.com> -Date: Tue, 13 Sep 2022 13:39:13 -0400 -Subject: [PATCH] Makerules: fix MAKEFLAGS assignment for upcoming make-4.4 - [BZ# 29564] - -make-4.4 will add long flags to MAKEFLAGS variable: - - * WARNING: Backward-incompatibility! - Previously only simple (one-letter) options were added to the MAKEFLAGS - variable that was visible while parsing makefiles. Now, all options - are available in MAKEFLAGS. - -This causes locale builds to fail when long options are used: - - $ make --shuffle - ... - make -C localedata install-locales - make: invalid shuffle mode: '1662724426r' - -The change fixes it by passing eash option via whitespace and dashes. -That way option is appended to both single-word form and whitespace -separated form. - -While at it fixed --silent mode detection in $(MAKEFLAGS) by filtering -out --long-options. Otherwise options like --shuffle flag enable silent -mode unintentionally. $(silent-make) variable consolidates the checks. - -Resolves: BZ# 29564 - -CC: Paul Smith <psmith@gnu.org> -CC: Siddhesh Poyarekar <siddhesh@gotplt.org> -Signed-off-by: Sergei Trofimovich <slyich@gmail.com> -Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> ---- a/Makeconfig -+++ b/Makeconfig -@@ -43,6 +43,22 @@ else - $(error objdir must be defined by the build-directory Makefile) - endif - -+# Did we request 'make -s' run? "yes" or "no". -+# Starting from make-4.4 MAKEFLAGS now contains long -+# options like '--shuffle'. To detect presence of 's' -+# we pick first word with short options. Long options -+# are guaranteed to come after whitespace. We use '-' -+# prefix to always have a word before long options -+# even if no short options were passed. 
-+# Typical MAKEFLAGS values to watch for: -+# "rs --shuffle=42" (silent) -+# " --shuffle" (not silent) -+ifeq ($(findstring s, $(firstword -$(MAKEFLAGS))),) -+silent-make := no -+else -+silent-make := yes -+endif -+ - # Root of the sysdeps tree. - sysdep_dir := $(..)sysdeps - export sysdep_dir := $(sysdep_dir) -@@ -917,7 +933,7 @@ endif - # umpteen zillion filenames along with it (we use `...' instead) - # but we don't want this echoing done when the user has said - # he doesn't want to see commands echoed by using -s. --ifneq "$(findstring s,$(MAKEFLAGS))" "" # if -s -+ifeq ($(silent-make),yes) # if -s - +cmdecho := echo >/dev/null - else # not -s - +cmdecho := echo ---- a/Makerules -+++ b/Makerules -@@ -794,7 +794,7 @@ endif - # Maximize efficiency by minimizing the number of rules. - .SUFFIXES: # Clear the suffix list. We don't use suffix rules. - # Don't define any builtin rules. --MAKEFLAGS := $(MAKEFLAGS)r -+MAKEFLAGS := $(MAKEFLAGS) -r - - # Generic rule for making directories. - %/: -@@ -811,7 +811,7 @@ MAKEFLAGS := $(MAKEFLAGS)r - .PRECIOUS: $(foreach l,$(libtypes),$(patsubst %,$(common-objpfx)$l,c)) - - # Use the verbose option of ar and tar when not running silently. --ifeq "$(findstring s,$(MAKEFLAGS))" "" # if not -s -+ifeq ($(silent-make),no) # if not -s - verbose := v - else # -s - verbose := ---- a/elf/rtld-Rules -+++ b/elf/rtld-Rules -@@ -52,7 +52,7 @@ $(objpfx)rtld-libc.a: $(foreach dir,$(rtld-subdirs),\ - mv -f $@T $@ - - # Use the verbose option of ar and tar when not running silently. --ifeq "$(findstring s,$(MAKEFLAGS))" "" # if not -s -+ifeq ($(silent-make),no) # if not -s - verbose := v - else # -s - verbose := diff --git a/0003-nscd-Do-not-rebuild-getaddrinfo-bug-30709.patch b/0003-nscd-Do-not-rebuild-getaddrinfo-bug-30709.patch new file mode 100644 index 000000000000..f1fb7f793b58 --- /dev/null +++ b/0003-nscd-Do-not-rebuild-getaddrinfo-bug-30709.patch 
@@ -0,0 +1,184 @@ +From 039ff51ac7e02db1cfc0c23e38ac7bfbb00221d1 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Fri, 11 Aug 2023 10:10:16 +0200 +Subject: [PATCH] nscd: Do not rebuild getaddrinfo (bug 30709) + +The nscd daemon caches hosts data from NSS modules verbatim, without +filtering protocol families or sorting them (otherwise separate caches +would be needed for certain ai_flags combinations). The cache +implementation is complete separate from the getaddrinfo code. This +means that rebuilding getaddrinfo is not needed. The only function +actually used is __bump_nl_timestamp from check_pf.c, and this change +moves it into nscd/connections.c. + +Tested on x86_64-linux-gnu with -fexceptions, built with +build-many-glibcs.py. I also backported this patch into a distribution +that still supports nscd and verified manually that caching still works. + +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> +--- + include/ifaddrs.h | 4 --- + inet/check_pf.c | 9 ------ + nscd/Makefile | 2 +- + nscd/connections.c | 11 +++++++ + nscd/gai.c | 50 ------------------------------ + sysdeps/unix/sysv/linux/check_pf.c | 17 +--------- + 6 files changed, 13 insertions(+), 80 deletions(-) + delete mode 100644 nscd/gai.c + +diff --git a/include/ifaddrs.h b/include/ifaddrs.h +index 416118f1b3..19a3afb19f 100644 +--- a/include/ifaddrs.h ++++ b/include/ifaddrs.h +@@ -34,9 +34,5 @@ extern void __check_native (uint32_t a1_index, int *a1_native, + uint32_t a2_index, int *a2_native) + attribute_hidden; + +-#if IS_IN (nscd) +-extern uint32_t __bump_nl_timestamp (void) attribute_hidden; +-#endif +- + # endif /* !_ISOMAC */ + #endif /* ifaddrs.h */ +diff --git a/inet/check_pf.c b/inet/check_pf.c +index 5310c99121..6d1475920f 100644 +--- a/inet/check_pf.c ++++ b/inet/check_pf.c +@@ -60,12 +60,3 @@ __free_in6ai (struct in6addrinfo *in6ai) + { + /* Nothing to do. 
*/ + } +- +- +-#if IS_IN (nscd) +-uint32_t +-__bump_nl_timestamp (void) +-{ +- return 0; +-} +-#endif +diff --git a/nscd/Makefile b/nscd/Makefile +index 2a0489f4cf..16b6460ee9 100644 +--- a/nscd/Makefile ++++ b/nscd/Makefile +@@ -35,7 +35,7 @@ nscd-modules := nscd connections pwdcache getpwnam_r getpwuid_r grpcache \ + getgrnam_r getgrgid_r hstcache gethstbyad_r gethstbynm3_r \ + getsrvbynm_r getsrvbypt_r servicescache \ + dbg_log nscd_conf nscd_stat cache mem nscd_setup_thread \ +- xmalloc xstrdup aicache initgrcache gai res_hconf \ ++ xmalloc xstrdup aicache initgrcache res_hconf \ + netgroupcache cachedumper + + ifeq ($(build-nscd)$(have-thread-library),yesyes) +diff --git a/nscd/connections.c b/nscd/connections.c +index a405a44a9b..15693e5090 100644 +--- a/nscd/connections.c ++++ b/nscd/connections.c +@@ -256,6 +256,17 @@ int inotify_fd = -1; + #ifdef HAVE_NETLINK + /* Descriptor for netlink status updates. */ + static int nl_status_fd = -1; ++ ++static uint32_t ++__bump_nl_timestamp (void) ++{ ++ static uint32_t nl_timestamp; ++ ++ if (atomic_fetch_add_relaxed (&nl_timestamp, 1) + 1 == 0) ++ atomic_fetch_add_relaxed (&nl_timestamp, 1); ++ ++ return nl_timestamp; ++} + #endif + + /* Number of times clients had to wait. */ +diff --git a/nscd/gai.c b/nscd/gai.c +deleted file mode 100644 +index e29f3fe583..0000000000 +--- a/nscd/gai.c ++++ /dev/null +@@ -1,50 +0,0 @@ +-/* Copyright (C) 2004-2022 Free Software Foundation, Inc. +- This file is part of the GNU C Library. +- +- This program is free software; you can redistribute it and/or modify +- it under the terms of the GNU General Public License as published +- by the Free Software Foundation; version 2 of the License, or +- (at your option) any later version. +- +- This program is distributed in the hope that it will be useful, +- but WITHOUT ANY WARRANTY; without even the implied warranty of +- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- GNU General Public License for more details. 
+- +- You should have received a copy of the GNU General Public License +- along with this program; if not, see <https://www.gnu.org/licenses/>. */ +- +-#include <alloca.h> +-#include <sys/stat.h> +- +-/* This file uses the getaddrinfo code but it compiles it without NSCD +- support. We just need a few symbol renames. */ +-#define __ioctl ioctl +-#define __getsockname getsockname +-#define __socket socket +-#define __recvmsg recvmsg +-#define __bind bind +-#define __sendto sendto +-#define __strchrnul strchrnul +-#define __getline getline +-#define __qsort_r qsort_r +-/* nscd uses 1MB or 2MB thread stacks. */ +-#define __libc_use_alloca(size) (size <= __MAX_ALLOCA_CUTOFF) +-#define __getifaddrs getifaddrs +-#define __freeifaddrs freeifaddrs +-#undef __fstat64 +-#define __fstat64 fstat64 +-#undef __stat64 +-#define __stat64 stat64 +- +-/* We are nscd, so we don't want to be talking to ourselves. */ +-#undef USE_NSCD +- +-#include <getaddrinfo.c> +- +-/* Support code. */ +-#include <check_pf.c> +-#include <check_native.c> +- +-/* Some variables normally defined in libc. */ +-nss_action_list __nss_hosts_database attribute_hidden; +diff --git a/sysdeps/unix/sysv/linux/check_pf.c b/sysdeps/unix/sysv/linux/check_pf.c +index 2b0b8b6368..3aa6a00348 100644 +--- a/sysdeps/unix/sysv/linux/check_pf.c ++++ b/sysdeps/unix/sysv/linux/check_pf.c +@@ -66,25 +66,10 @@ static struct cached_data *cache; + __libc_lock_define_initialized (static, lock); + + +-#if IS_IN (nscd) +-static uint32_t nl_timestamp; +- +-uint32_t +-__bump_nl_timestamp (void) +-{ +- if (atomic_increment_val (&nl_timestamp) == 0) +- atomic_increment (&nl_timestamp); +- +- return nl_timestamp; +-} +-#endif +- + static inline uint32_t + get_nl_timestamp (void) + { +-#if IS_IN (nscd) +- return nl_timestamp; +-#elif defined USE_NSCD ++#if defined USE_NSCD + return __nscd_get_nl_timestamp (); + #else + return 0; +-- +2.42.0 + 
@@ -18,8 +18,8 @@ pkgname=glibc-widevine provides=("glibc=2.35") conflicts=("glibc") pkgver=2.35 -_commit=28ea43f8d64f0dd1f2de75525157730e1532e600 -pkgrel=5.2 +_commit=c84018a05aec80f5ee6f682db0da1130b0196aef +pkgrel=5.3 arch=('x86_64' 'armv7h' 'aarch64') url='https://www.gnu.org/software/libc' license=(GPL LGPL) @@ -32,7 +32,7 @@ source=(git+https://sourceware.org/git/glibc.git#commit=${_commit} disable-clone3.diff 0001-sys-libs-glibc-add-support-for-SHT_RELR-sections.patch 0002-tls-libwidevinecdm.so-since-4.10.2252.0-has-TLS-with.patch - 0003-glibc-2.35-make-4.4-MAKEFLAGS.patch + 0003-nscd-Do-not-rebuild-getaddrinfo-bug-30709.patch ) validpgpkeys=(7273542B39962DF7B299931416792B4EA25340F8 # Carlos O'Donell BC7C7372637EC10C57D7AA6579C43DFBF1CF2187) # Siddhesh Poyarekar @@ -45,7 +45,7 @@ b2sums=('SKIP' 'edef5f724f68ea95c6b0127bd13a10245f548afc381b2d0a6d1d06ee9f87b7dd89c6becd35d5ae722bf838594eb870a747f67f07f46e7d63f8c8d1a43cce4a52' '7da85639771d4972e913b0458906bbccf1b30143940669e1b58b0ceab2e8dffc3a6c4b641a842e63b49a9b7ff01dddc3f1296d35ab505f67b6e625e208d01a8c' 'b10f7479a283fdb1916f72e9d8cc9304e068d87f3805a9d2c51e748c79c9547735405e1e86a438ffe87d5ba0adece555740c221fe3bf84990c21e2737d3bb197' - '7b5d512df13ba1747a5a099bc7b9ff7d44ba94176c18d65fe37ab0145214f43949597bdffb3ee8c46954f7cedd0d1e708a237ccdb491a163493f5b43eac7bdda') + 'e7467882e2f9faf66d1cce60bc824ff496b7c12a2ea6cd54038818d92936cea0ccc5ca8ee29d126c0737603837c9c09145e110934e4b2f3230b32e31cd2c315e') prepare() { mkdir -p glibc-build @@ -65,8 +65,8 @@ prepare() { # dl-tls: libwidevinecdm 64Byte alignment patch -p1 -i "$srcdir"/0002-tls-libwidevinecdm.so-since-4.10.2252.0-has-TLS-with.patch - # patch for make-4.4 in combination with older glibc - patch -p1 -i "$srcdir"/0003-glibc-2.35-make-4.4-MAKEFLAGS.patch + # nscd: Do not rebuild getaddrinfo (bug 30709) + patch -p1 -i "$srcdir"/0003-nscd-Do-not-rebuild-getaddrinfo-bug-30709.patch } build() { |
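Review bot: The `_commit` bump in the first PKGBUILD hunk (at line 18) is the line that carries the security fixes, but neither it nor the commit message ("Fix CVEs") says which advisories the new pin covers. A later maintainer cannot tell from the package history whether a given glibc CVE is fixed in 2.35-5.3. I would add a comment above the pin, for example `# upstream glibc snapshot; fixes <CVE-IDs, taken from upstream NEWS>`, and list the same IDs in the commit message. The git source keeps `'SKIP'` as its checksum, so the full 40-character commit hash is the only integrity pin for the glibc tree and should stay a full hash rather than a branch or tag name.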
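Review bot: Dropping `0003-glibc-2.35-make-4.4-MAKEFLAGS.patch` from `prepare()` in the hunk at line 65 (and from `source=` in the hunk at line 32) is only safe if the new `_commit` already contains upstream commit 2d7ed98add14f75041499ac189696c9bd3d757fe, which the removed patch file names as its origin. Nothing in this commit states that, and without it a build under make 4.4 would presumably hit the MAKEFLAGS failure that patch described. The replacement comment `# nscd: Do not rebuild getaddrinfo (bug 30709)` repeats the patch subject but not why the package carries it; I would write `# backport of upstream 039ff51ac7e0 (bug 30709); drop once the pinned commit includes it`. `prepare()` starts before this hunk, so the earlier patch steps are not visible here.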