mirror of
https://github.com/flatcar/scripts.git
synced 2025-08-17 18:06:59 +02:00
Merge pull request #1596 from flatcar-linux/dongsu/glibc-2.33-r10
sys-libs/glibc: update to 2.33-r10
This commit is contained in:
Dongsu Park
GitHub
commit
19a486c58d
1
sdk_container/src/third_party/coreos-overlay/changelog/security/2022-01-28-glibc-2.33-r10.md
vendored
Normal file
1
sdk_container/src/third_party/coreos-overlay/changelog/security/2022-01-28-glibc-2.33-r10.md
vendored
Normal file
@ -0,0 +1 @@
|
||||
- glibc ([CVE-2021-3998](https://nvd.nist.gov/vuln/detail/CVE-2021-3998), [CVE-2021-3999](https://nvd.nist.gov/vuln/detail/CVE-2021-3999), [CVE-2022-23218](https://nvd.nist.gov/vuln/detail/CVE-2022-23218), [CVE-2022-23219](https://nvd.nist.gov/vuln/detail/CVE-2022-23219))
|
||||
@ -1,5 +1,5 @@
|
||||
DIST gcc-multilib-bootstrap-20201208.tar.xz 5528452 BLAKE2B 16699a6e4df5b2f28a21776ae9e3728b26a9ea251f5580aa5349545ad7c9f6145b9cb6a12ca8f5f96b9cb2a3c70b7e66ca702e4c6f083ac00408e0a20a69e613 SHA512 a243f505e17d0a7e144e8713c077582412f61d6cf7f79baa846de4fb77f5e0f27e11c9a785e14624e04ac52287b32164e7995323aa11caef59113ac438254347
|
||||
DIST glibc-2.33-patches-6.tar.xz 64632 BLAKE2B f04ca4320d65c8796c67471cb56d3bf002cc34fb6a81075b85948e41c94df46cb2a3a944cced42d6d2c17ffc11e32a9840810864e655cc0fe18e6e0fe9f3c985 SHA512 b95746cd3415ec9ca275e542a2b5fddd5ce5680aa3bda08e94e96cf431191f7488ef6b7999ff0dfaf7405a4212531a75283e9bd7f5ae65bf572912038877a6df
|
||||
DIST glibc-2.33-patches-8.tar.xz 91220 BLAKE2B 1c9aeaf2d3a58e83aec8ea6eb19776dd05e16430f25de675b467ab18d4fb438374254d06b2072b4272d089237e5f11da6d94a84c38f588b79e94e26b650f6faf SHA512 58d3f444c50e64bbf867cbcc38f4281156c7da3878674038674e1c6706b90919468af9fbd424c2dd949bc2d7d6cb36ed7be2120bb957636cad6b76e56eb54031
|
||||
DIST glibc-2.33.tar.xz 17031280 BLAKE2B 703d12121c1e2c5d9e0c6ba5341f5fb5c4d9111611a83f2360029b5de9c6e5a5611249d1833684a58ed4afdf49cae614365d87ec8721ba0e5d218f593b1f229d SHA512 4cb5777b68b22b746cc51669e0e9282b43c83f6944e42656e6db7195ebb68f2f9260f130fdeb4e3cfc64efae4f58d96c43d388f52be1eb024ca448084684abdb
|
||||
DIST glibc-systemd-20210814.tar.gz 1469 BLAKE2B 10fa7bcb46d4fdce9c0ab353cbd30871e9b09a347a13a9c9a3b5777f931aa3c826c158d2e49532c604d4a834f2fab4089b67495fb88d0398945dc50d45ad9ef1 SHA512 5346a9ea459a1e6ccf665389f2a294de1e16f1e3e05cdf07e3dd99ed0e4f6f8b52cc333d4bff3c75ac90ab6ce70cd4ab2b3e126f920ce7979abd6dda56315efc
|
||||
DIST locale-gen-2.10.tar.gz 7747 BLAKE2B 49f569c5ae5260fca128503bc6f22d6f6f1cda817920c41fdadadf1527bbb4f3eb161f79fa729830666a4673e9092f99f4685ec8fcac8ddea0b8242bca9c1f4f SHA512 e350e60d458d67638e3090711fca05af6fafac06c51b97648244549f8a0621dab7543f09dc7ad4c62392f13bdae8e5875dc6d0b6c3d83efc29d116bc2eef92db
|
||||
DIST locale-gen-2.22.tar.gz 7971 BLAKE2B 2dc66fa69bf51799d0c34459b654fba6998b80a7e322e9b670036c967e269ad921f50195e6e34c4a83c1f0bad191fd5aa3f37defb82271b73acbca07b7e49d08 SHA512 9798b10dbbc792345a7b7a121dec5f4bba9839a8aec010f01a09f3402fd5bf2376f79e03a6a19bc357010db780037a8811c381136ce19be1f1370374906dff38
|
||||
|
||||
@ -1,9 +1,15 @@
|
||||
# Copyright 1999-2021 Gentoo Authors
|
||||
# Copyright 1999-2022 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=7
|
||||
|
||||
PYTHON_COMPAT=( python3_{6..10} )
|
||||
# Bumping notes: https://wiki.gentoo.org/wiki/Project:Toolchain/sys-libs/glibc
|
||||
# Please read & adapt the page as necessary if obsolete.
|
||||
|
||||
# We avoid Python 3.10 here _for now_ (it does work!) to avoid circular dependencies
|
||||
# on upgrades as people migrate to libxcrypt.
|
||||
# https://wiki.gentoo.org/wiki/User:Sam/Portage_help/Circular_dependencies#Python_and_libcrypt
|
||||
PYTHON_COMPAT=( python3_{7,8,9} )
|
||||
TMPFILES_OPTIONAL=1
|
||||
|
||||
inherit python-any-r1 prefix preserve-libs toolchain-funcs flag-o-matic gnuconfig \
|
||||
@ -17,7 +23,7 @@ SLOT="2.2"
|
||||
EMULTILIB_PKG="true"
|
||||
|
||||
# Gentoo patchset (ignored for live ebuilds)
|
||||
PATCH_VER=6
|
||||
PATCH_VER=8
|
||||
PATCH_DEV=dilfridge
|
||||
|
||||
if [[ ${PV} == 9999* ]]; then
|
||||
@ -32,7 +38,7 @@ RELEASE_VER=${PV}
|
||||
|
||||
GCC_BOOTSTRAP_VER=20201208
|
||||
|
||||
LOCALE_GEN_VER=2.10
|
||||
LOCALE_GEN_VER=2.22
|
||||
|
||||
GLIBC_SYSTEMD_VER=20210814
|
||||
|
||||
@ -172,6 +178,12 @@ XFAIL_TEST_LIST=(
|
||||
# https://sourceware.org/PR19329
|
||||
# https://bugs.gentoo.org/719674#c12
|
||||
tst-stack4
|
||||
|
||||
# The following tests fail only inside portage
|
||||
# https://bugs.gentoo.org/831267
|
||||
tst-system
|
||||
tst-strerror
|
||||
tst-strsignal
|
||||
)
|
||||
|
||||
#
|
||||
@ -404,6 +416,9 @@ setup_flags() {
|
||||
# #492892
|
||||
filter-flags -frecord-gcc-switches
|
||||
|
||||
# #829583
|
||||
filter-lfs-flags
|
||||
|
||||
unset CBUILD_OPT CTARGET_OPT
|
||||
if use multilib ; then
|
||||
CTARGET_OPT=$(get_abi_CTARGET)
|
||||
@ -505,14 +520,104 @@ setup_env() {
|
||||
einfo "Skip CC ABI injection. We can't use (cross-)compiler yet."
|
||||
return 0
|
||||
fi
|
||||
local VAR=CFLAGS_${ABI}
|
||||
|
||||
# Glibc does not work with gold (for various reasons) #269274.
|
||||
tc-ld-disable-gold
|
||||
|
||||
if use doc ; then
|
||||
export MAKEINFO=makeinfo
|
||||
else
|
||||
export MAKEINFO=/dev/null
|
||||
fi
|
||||
|
||||
# Reset CC and CXX to the value at start of emerge
|
||||
export CC=${__ORIG_CC:-${CC:-$(tc-getCC ${CTARGET})}}
|
||||
export CXX=${__ORIG_CXX:-${CXX:-$(tc-getCXX ${CTARGET})}}
|
||||
|
||||
# and make sure __ORIC_CC and __ORIG_CXX is defined now.
|
||||
export __ORIG_CC=${CC}
|
||||
export __ORIG_CXX=${CXX}
|
||||
|
||||
if tc-is-clang && ! use custom-cflags && ! is_crosscompile ; then
|
||||
|
||||
# If we are running in an otherwise clang/llvm environment, we need to
|
||||
# recover the proper gcc and binutils settings here, at least until glibc
|
||||
# is finally building with clang. So let's override everything that is
|
||||
# set in the clang profiles.
|
||||
# Want to shoot yourself into the foot? Set USE=custom-cflags, that's always
|
||||
# a good start into that direction.
|
||||
# Also, if you're crosscompiling, let's assume you know what you are doing.
|
||||
# Hopefully.
|
||||
|
||||
local current_binutils_path=$(binutils-config -B)
|
||||
local current_gcc_path=$(gcc-config -B)
|
||||
einfo "Overriding clang configuration, since it won't work here"
|
||||
|
||||
export CC="${current_gcc_path}/gcc"
|
||||
export CXX="${current_gcc_path}/g++"
|
||||
export LD="${current_binutils_path}/ld.bfd"
|
||||
export AR="${current_binutils_path}/ar"
|
||||
export AS="${current_binutils_path}/as"
|
||||
export NM="${current_binutils_path}/nm"
|
||||
export STRIP="${current_binutils_path}/strip"
|
||||
export RANLIB="${current_binutils_path}/ranlib"
|
||||
export OBJCOPY="${current_binutils_path}/objcopy"
|
||||
export STRINGS="${current_binutils_path}/strings"
|
||||
export OBJDUMP="${current_binutils_path}/objdump"
|
||||
export READELF="${current_binutils_path}/readelf"
|
||||
export ADDR2LINE="${current_binutils_path}/addr2line"
|
||||
|
||||
# do we need to also do flags munging here? yes! at least...
|
||||
filter-flags '-fuse-ld=*'
|
||||
filter-flags '-D_FORTIFY_SOURCE=*'
|
||||
|
||||
else
|
||||
|
||||
# this is the "normal" case
|
||||
|
||||
export CC="$(tc-getCC ${CTARGET})"
|
||||
export CXX="$(tc-getCXX ${CTARGET})"
|
||||
|
||||
# Always use tuple-prefixed toolchain. For non-native ABI glibc's configure
|
||||
# can't detect them automatically due to ${CHOST} mismatch and fallbacks
|
||||
# to unprefixed tools. Similar to multilib.eclass:multilib_toolchain_setup().
|
||||
export NM="$(tc-getNM ${CTARGET})"
|
||||
export READELF="$(tc-getREADELF ${CTARGET})"
|
||||
|
||||
fi
|
||||
|
||||
# We need to export CFLAGS with abi information in them because glibc's
|
||||
# configure script checks CFLAGS for some targets (like mips). Keep
|
||||
# around the original clean value to avoid appending multiple ABIs on
|
||||
# top of each other.
|
||||
: ${__GLIBC_CC:=$(tc-getCC ${CTARGET})}
|
||||
export __GLIBC_CC CC="${__GLIBC_CC} ${!VAR}"
|
||||
einfo " $(printf '%15s' 'Manual CC:') ${CC}"
|
||||
# top of each other. (Why does the comment talk about CFLAGS if the code
|
||||
# acts on CC?)
|
||||
export __GLIBC_CC=${CC}
|
||||
export __GLIBC_CXX=${CXX}
|
||||
|
||||
export __abi_CFLAGS="$(get_abi_CFLAGS)"
|
||||
|
||||
# CFLAGS can contain ABI-specific flags like -mfpu=neon, see bug #657760
|
||||
# To build .S (assembly) files with the same ABI-specific flags
|
||||
# upstream currently recommends adding CFLAGS to CC/CXX:
|
||||
# https://sourceware.org/PR23273
|
||||
# Note: Passing CFLAGS via CPPFLAGS overrides glibc's arch-specific CFLAGS
|
||||
# and breaks multiarch support. See 659030#c3 for an example.
|
||||
# The glibc configure script doesn't properly use LDFLAGS all the time.
|
||||
export CC="${__GLIBC_CC} ${__abi_CFLAGS} ${CFLAGS} ${LDFLAGS}"
|
||||
|
||||
# Some of the tests are written in C++, so we need to force our multlib abis in, bug 623548
|
||||
export CXX="${__GLIBC_CXX} ${__abi_CFLAGS} ${CFLAGS}"
|
||||
|
||||
if is_crosscompile; then
|
||||
# Assume worst-case bootstrap: glibc is buil first time
|
||||
# when ${CTARGET}-g++ is not available yet. We avoid
|
||||
# building auxiliary programs that require C++: bug #683074
|
||||
# It should not affect final result.
|
||||
export libc_cv_cxx_link_ok=no
|
||||
# The line above has the same effect. We set CXX explicitly
|
||||
# to make build logs less confusing.
|
||||
export CXX=
|
||||
fi
|
||||
}
|
||||
|
||||
foreach_abi() {
|
||||
@ -713,6 +818,20 @@ sanity_prechecks() {
|
||||
fi
|
||||
}
|
||||
|
||||
upgrade_warning() {
|
||||
if [[ ${MERGE_TYPE} != buildonly && -n ${REPLACING_VERSIONS} && -z ${ROOT} ]]; then
|
||||
local oldv newv=$(ver_cut 1-2 ${PV})
|
||||
for oldv in ${REPLACING_VERSIONS}; do
|
||||
if ver_test ${oldv} -lt ${newv}; then
|
||||
ewarn "After upgrading glibc, please restart all running processes."
|
||||
ewarn "Be sure to include init (telinit u) or systemd (systemctl daemon-reexec)."
|
||||
ewarn "Alternatively, reboot your system."
|
||||
break
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# the phases
|
||||
#
|
||||
@ -725,6 +844,7 @@ sanity_prechecks() {
|
||||
pkg_pretend() {
|
||||
einfo "Flatcar: Skipping sanity_prechecks for binpkg installation. src_unpack will take care of compile-time prechecks."
|
||||
# sanity_prechecks
|
||||
upgrade_warning
|
||||
}
|
||||
|
||||
pkg_setup() {
|
||||
@ -796,61 +916,13 @@ src_prepare() {
|
||||
}
|
||||
|
||||
glibc_do_configure() {
|
||||
# Glibc does not work with gold (for various reasons) #269274.
|
||||
tc-ld-disable-gold
|
||||
|
||||
# CXX isnt handled by the multilib system, so if we dont unset here
|
||||
# we accumulate crap across abis
|
||||
unset CXX
|
||||
|
||||
einfo "Configuring glibc for nptl"
|
||||
|
||||
if use doc ; then
|
||||
export MAKEINFO=makeinfo
|
||||
else
|
||||
export MAKEINFO=/dev/null
|
||||
fi
|
||||
|
||||
local v
|
||||
for v in ABI CBUILD CHOST CTARGET CBUILD_OPT CTARGET_OPT CC CXX LD {AS,C,CPP,CXX,LD}FLAGS MAKEINFO NM READELF; do
|
||||
for v in ABI CBUILD CHOST CTARGET CBUILD_OPT CTARGET_OPT CC CXX LD {AS,C,CPP,CXX,LD}FLAGS MAKEINFO NM AR AS STRIP RANLIB OBJCOPY STRINGS OBJDUMP READELF; do
|
||||
einfo " $(printf '%15s' ${v}:) ${!v}"
|
||||
done
|
||||
|
||||
# CFLAGS can contain ABI-specific flags like -mfpu=neon, see bug #657760
|
||||
# To build .S (assembly) files with the same ABI-specific flags
|
||||
# upstream currently recommends adding CFLAGS to CC/CXX:
|
||||
# https://sourceware.org/PR23273
|
||||
# Note: Passing CFLAGS via CPPFLAGS overrides glibc's arch-specific CFLAGS
|
||||
# and breaks multiarch support. See 659030#c3 for an example.
|
||||
# The glibc configure script doesn't properly use LDFLAGS all the time.
|
||||
export CC="$(tc-getCC ${CTARGET}) ${CFLAGS} ${LDFLAGS}"
|
||||
einfo " $(printf '%15s' 'Manual CC:') ${CC}"
|
||||
|
||||
# Some of the tests are written in C++, so we need to force our multlib abis in, bug 623548
|
||||
export CXX="$(tc-getCXX ${CTARGET}) $(get_abi_CFLAGS) ${CFLAGS}"
|
||||
|
||||
if is_crosscompile; then
|
||||
# Assume worst-case bootstrap: glibc is buil first time
|
||||
# when ${CTARGET}-g++ is not available yet. We avoid
|
||||
# building auxiliary programs that require C++: bug #683074
|
||||
# It should not affect final result.
|
||||
export libc_cv_cxx_link_ok=no
|
||||
# The line above has the same effect. We set CXX explicitly
|
||||
# to make build logs less confusing.
|
||||
export CXX=
|
||||
fi
|
||||
einfo " $(printf '%15s' 'Manual CXX:') ${CXX}"
|
||||
|
||||
# Always use tuple-prefixed toolchain. For non-native ABI glibc's configure
|
||||
# can't detect them automatically due to ${CHOST} mismatch and fallbacks
|
||||
# to unprefixed tools. Similar to multilib.eclass:multilib_toolchain_setup().
|
||||
export NM="$(tc-getNM ${CTARGET})"
|
||||
export READELF="$(tc-getREADELF ${CTARGET})"
|
||||
einfo " $(printf '%15s' 'Manual NM:') ${NM}"
|
||||
einfo " $(printf '%15s' 'Manual READELF:') ${READELF}"
|
||||
|
||||
echo
|
||||
|
||||
local myconf=()
|
||||
|
||||
case ${CTARGET} in
|
||||
@ -1189,13 +1261,13 @@ run_locale_gen() {
|
||||
root="$2"
|
||||
fi
|
||||
|
||||
local locale_list="${root}/etc/locale.gen"
|
||||
local locale_list="${root%/}/etc/locale.gen"
|
||||
|
||||
pushd "${ED}"/$(get_libdir) >/dev/null
|
||||
|
||||
if [[ -z $(locale-gen --list --config "${locale_list}") ]] ; then
|
||||
[[ -z ${inplace} ]] && ewarn "Generating all locales; edit /etc/locale.gen to save time/space"
|
||||
locale_list="${root}/usr/share/i18n/SUPPORTED"
|
||||
locale_list="${root%/}/usr/share/i18n/SUPPORTED"
|
||||
fi
|
||||
|
||||
set -- locale-gen ${inplace} --jobs $(makeopts_jobs) --config "${locale_list}" \
|
||||
@ -1478,6 +1550,12 @@ glibc_sanity_check() {
|
||||
# (e.g. /var/tmp/portage:${HOSTNAME})
|
||||
pushd "${ED}"/$(get_libdir) >/dev/null
|
||||
|
||||
# first let's find the actual dynamic linker here
|
||||
# symlinks may point to the wrong abi
|
||||
local newldso=$(find . -maxdepth 1 -name 'ld-*so' -type f -print -quit)
|
||||
|
||||
einfo Last-minute run tests with ${newldso} in /$(get_libdir) ...
|
||||
|
||||
local x striptest
|
||||
for x in cal date env free ls true uname uptime ; do
|
||||
x=$(type -p ${x})
|
||||
@ -1490,7 +1568,7 @@ glibc_sanity_check() {
|
||||
# We need to clear the locale settings as the upgrade might want
|
||||
# incompatible locale data. This test is not for verifying that.
|
||||
LC_ALL=C \
|
||||
./ld-*.so --library-path . ${x} > /dev/null \
|
||||
${newldso} --library-path . ${x} > /dev/null \
|
||||
|| die "simple run test (${x}) failed"
|
||||
done
|
||||
|
||||
@ -1523,10 +1601,9 @@ pkg_preinst() {
|
||||
# Keep around libcrypt so that Perl doesn't break when merging libxcrypt
|
||||
# (libxcrypt is the new provider for now of libcrypt.so.{1,2}).
|
||||
# bug #802207
|
||||
if ! use crypt && has_version "${CATEGORY}/${PN}[crypt]"; then
|
||||
if ! use crypt && has_version "${CATEGORY}/${PN}[crypt]" && ! has preserve-libs ${FEATURES}; then
|
||||
PRESERVED_OLD_LIBCRYPT=1
|
||||
preserve_old_lib /$(get_libdir)/libcrypt$(get_libname 1)
|
||||
cp "${EROOT}"/usr/include/crypt.h "${T}"/crypt.h || die
|
||||
cp -p "${EROOT}/$(get_libdir)/libcrypt$(get_libname 1)" "${T}/libcrypt$(get_libname 1)" || die
|
||||
else
|
||||
PRESERVED_OLD_LIBCRYPT=0
|
||||
fi
|
||||
@ -1545,6 +1622,8 @@ pkg_postinst() {
|
||||
use compile-locales || run_locale_gen "${EROOT}/"
|
||||
fi
|
||||
|
||||
upgrade_warning
|
||||
|
||||
# Check for sanity of /etc/nsswitch.conf, take 2
|
||||
if [[ -e ${EROOT}/etc/nsswitch.conf ]] && ! has_version sys-auth/libnss-nis ; then
|
||||
local entry
|
||||
@ -1561,10 +1640,11 @@ pkg_postinst() {
|
||||
fi
|
||||
|
||||
if [[ ${PRESERVED_OLD_LIBCRYPT} -eq 1 ]] ; then
|
||||
cp -p "${T}/libcrypt$(get_libname 1)" "${EROOT}/$(get_libdir)/libcrypt$(get_libname 1)" || die
|
||||
preserve_old_lib_notify /$(get_libdir)/libcrypt$(get_libname 1)
|
||||
cp "${T}"/crypt.h "${EROOT}"/usr/include/crypt.h || eerror "Error restoring crypt.h, please file a bug"
|
||||
|
||||
elog "Please ignore a possible later error message about a file collision involving"
|
||||
elog "/usr/include/crypt.h. We need to preserve this file for the moment to keep"
|
||||
elog "${EROOT}/$(get_libdir)/libcrypt$(get_libname 1). We need to preserve this file for the moment to keep"
|
||||
elog "the upgrade working, but it also needs to be overwritten when"
|
||||
elog "sys-libs/libxcrypt is installed. See bug 802210 for more details."
|
||||
fi
|
||||
@ -1,5 +1,5 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
|
||||
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
|
||||
<pkgmetadata>
|
||||
<maintainer type="project">
|
||||
<email>toolchain@gentoo.org</email>
|
||||
@ -7,6 +7,7 @@
|
||||
</maintainer>
|
||||
<use>
|
||||
<flag name="cet">Enable Intel Control-flow Enforcement Technology (needs binutils 2.29 and gcc 8)</flag>
|
||||
<flag name="clone3">Enable the new clone3 syscall within glibc. Can be disabled to allow compatibility with older Electron applications.</flag>
|
||||
<flag name="compile-locales">build *all* locales in src_install; this is generally meant for stage building only as it ignores /etc/locale.gen file and can be pretty slow</flag>
|
||||
<flag name="crypt">build and install libcrypt and crypt.h</flag>
|
||||
<flag name="debug">When USE=hardened, allow fortify/stack violations to dump core (SIGABRT) and not kill self (SIGKILL)</flag>
|
||||
@ -14,7 +15,6 @@
|
||||
<flag name="multiarch">enable optimizations for multiple CPU architectures (detected at runtime)</flag>
|
||||
<flag name="multilib-bootstrap">Provide prebuilt libgcc.a and crt files if missing. Only needed for ABI switch.</flag>
|
||||
<flag name="nscd">Build, and enable support for, the Name Service Cache Daemon</flag>
|
||||
<flag name="rpc">Enable obsolete RPC/NIS layers</flag>
|
||||
<flag name="ssp">protect stack of glibc internals</flag>
|
||||
<flag name="static-pie">Enable static PIE support (runtime files for -static-pie gcc option).</flag>
|
||||
<flag name="suid">Make internal pt_chown helper setuid -- not needed if using Linux and have /dev/pts mounted with gid=5</flag>
|
||||
|
||||
Loading…
Reference in New Issue
Block a user