From 64e1541d8b01e89fdcc9158c83a361a4d7dda5e6 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Mon, 27 Mar 2023 14:33:35 +0200
Subject: [PATCH 1/5] profiles: Drop accept keywords for sys-firmware/intel-microcode

It became stable for amd64. Not used in arm64.
---
 .../profiles/coreos/base/package.accept_keywords | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index df829c2f12..abd4676955 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -44,7 +44,3 @@
 =sys-libs/liburing-2.1-r2 ~amd64 ~arm64
 =app-crypt/adcli-0.9.2 ~amd64 ~arm64
-
-# update intel-microcode to latest version.
-# Also required for CVE-2022-21216, CVE-2022-33196, CVE-2022-38090
-=sys-firmware/intel-microcode-20230214_p20230212 ~amd64

From c393727ada87d0821013759d1587332f8bdc373a Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Mon, 27 Mar 2023 18:18:04 +0200
Subject: [PATCH 2/5] coreos/user-patches: Drop patches for app-portage/portage-utils

We are about to update to version 0.95, which already contains these patches.
---
 ...t-the-ignored-parent-line-in-warning.patch | 29 ----
 ...dle-empty-repo-names-in-parent-files.patch | 141 ------------------
 .../app-portage/portage-utils/README.md | 1 -
 3 files changed, 171 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-portage/portage-utils/0001-main-Print-the-ignored-parent-line-in-warning.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-portage/portage-utils/0002-main-Handle-empty-repo-names-in-parent-files.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-portage/portage-utils/README.md

diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-portage/portage-utils/0001-main-Print-the-ignored-parent-line-in-warning.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-portage/portage-utils/0001-main-Print-the-ignored-parent-line-in-warning.patch
deleted file mode 100644
index 0b118d9a08..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-portage/portage-utils/0001-main-Print-the-ignored-parent-line-in-warning.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 9c67a37fc7709c9e314bc56ccdf7727bee02fc92 Mon Sep 17 00:00:00 2001
-From: Krzesimir Nowak
-Date: Wed, 14 Dec 2022 12:52:25 +0100
-Subject: [PATCH 1/2] main: Print the ignored parent line in warning
-
-If repo name in the parent line was empty, nothing was printed.
-
-Signed-off-by: Krzesimir Nowak
-Signed-off-by: Fabian Groffen
----
- main.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/main.c b/main.c
-index 809a085..f6a39f9 100644
---- a/main.c
-+++ b/main.c
-@@ -646,6 +646,8 @@ read_portage_profile(const char *profile, env_vars vars[], set *masks)
- repo_name = NULL;
- }
- if (repo_name == NULL) {
-+ /* bring back the colon to see the ignored parent line */
-+ *(--p) = ':';
- warn("ignoring parent with unknown repo in profile %s: %s",
- profile, s);
- continue;
---
-2.25.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-portage/portage-utils/0002-main-Handle-empty-repo-names-in-parent-files.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-portage/portage-utils/0002-main-Handle-empty-repo-names-in-parent-files.patch
deleted file mode 100644
index d0ea64bb02..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-portage/portage-utils/0002-main-Handle-empty-repo-names-in-parent-files.patch
+++ /dev/null
@@ -1,141 +0,0 @@
-From 8f7064fdf7aa08e00bb24e5e479c1df4be9ae5e7 Mon Sep 17 00:00:00 2001
-From: Krzesimir Nowak
-Date: Wed, 14 Dec 2022 12:53:33 +0100
-Subject: [PATCH 2/2] main: Handle empty repo names in parent files
-
-Empty repo name is documented in portage(5).
-
-Signed-off-by: Krzesimir Nowak
-Signed-off-by: Fabian Groffen
----
- main.c | 105 ++++++++++++++++++++++++++++++++++++++++++++++++---------
- 1 file changed, 89 insertions(+), 16 deletions(-)
-
-diff --git a/main.c b/main.c
-index f6a39f9..347a50b 100644
---- a/main.c
-+++ b/main.c
-@@ -598,6 +598,65 @@ read_portage_file(const char *file, enum portage_file_type type, void *data)
- fprintf(stderr, "read profile %s\n", file);
- }
-
-+/* Helper to check if a string starts with a prefix. If so, returns
-+ * true and gets the length of the prefix. Otherwise returns false,
-+ * leaving the prefix length unmodified. */
-+static bool
-+starts_with(const char *str, const char *prefix, size_t *prefix_len)
-+{
-+ const char *s;
-+ const char *p;
-+ size_t len;
-+
-+ if (prefix == NULL) {
-+ /* every string starts with a null string */
-+ if (prefix_len != NULL)
-+ *prefix_len = 0;
-+ return true;
-+ }
-+ if (str == NULL)
-+ /* null string only starts with a null string, and prefix isn't null */
-+ return false;
-+
-+ len = 0;
-+ for (s = str, p = prefix; *s != '\0' && *p != '\0'; ++s, ++p, ++len) {
-+ if (*s != *p)
-+ return false;
-+ }
-+ if (*p == '\0') {
-+ if (prefix_len != NULL)
-+ *prefix_len = len;
-+ return true;
-+ }
-+ return false;
-+}
-+
-+/* Helper to figure out inside of which overlay a path is. Returns
-+ * null if nonesuch is found. */
-+static const char *
-+overlay_from_path (const char *path)
-+{
-+ size_t n;
-+ char *overlay;
-+ size_t max_match = 0;
-+ const char *found_overlay = NULL;
-+
-+ array_for_each(overlays, n, overlay) {
-+ size_t overlay_len;
-+
-+ if (!starts_with(path, overlay, &overlay_len))
-+ continue;
-+
-+ if (overlay_len <= max_match)
-+ continue;
-+
-+ max_match = overlay_len;
-+ found_overlay = overlay;
-+ }
-+
-+ return found_overlay;
-+}
-+
- /* Helper to recursively read stacked make.defaults in profiles */
- static void
- read_portage_profile(const char *profile, env_vars vars[], set *masks)
-@@ -634,24 +693,38 @@ read_portage_profile(const char *profile, env_vars vars[], set *masks)
- /* split repo from target */
- *p++ = '\0';
-
-- /* match the repo */
-- repo_name = NULL;
-- array_for_each(overlays, n, overlay) {
-- repo_name = xarrayget(overlay_names, n);
-- if (strcmp(repo_name, s) == 0) {
-- snprintf(profile_file, sizeof(profile_file),
-- "%s/profiles/%s/", overlay, p);
-- break;
-+ if (s[0] == '\0') {
-+ /* empty repo name means a repo where the profile is */
-+ const char* current_overlay = overlay_from_path (profile);
-+ if (current_overlay == NULL) {
-+ /* bring back the colon to see the ignored parent line */
-+ *(--p) = ':';
-+ warn("could not figure out current repo of profile %s, ignoring parent %s",
-+ profile, s);
-+ continue;
- }
-+ snprintf(profile_file, sizeof(profile_file),
-+ "%s/profiles/%s", current_overlay, p);
-+ } else {
-+ /* match the repo */
- repo_name = NULL;
-- }
-- if (repo_name == NULL) {
-- /* bring back the colon to see the ignored parent line */
-- *(--p) = ':';
-- warn("ignoring parent with unknown repo in profile %s: %s",
-- profile, s);
-- continue;
-- }
-+ array_for_each(overlays, n, overlay) {
-+ repo_name = xarrayget(overlay_names, n);
-+ if (strcmp(repo_name, s) == 0) {
-+ snprintf(profile_file, sizeof(profile_file),
-+ "%s/profiles/%s/", overlay, p);
-+ break;
-+ }
-+ repo_name = NULL;
-+ }
-+ if (repo_name == NULL) {
-+ /* bring back the colon to see the ignored parent line */
-+ *(--p) = ':';
-+ warn("ignoring parent with unknown repo in profile %s: %s",
-+ profile, s);
-+ continue;
-+ }
-+ }
- } else {
- snprintf(profile_file + profile_len,
- sizeof(profile_file) - profile_len, "%s", s);
---
-2.25.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-portage/portage-utils/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-portage/portage-utils/README.md
deleted file mode 100644
index 8a6e22d8da..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-portage/portage-utils/README.md
+++ /dev/null
@@ -1 +0,0 @@
-Drop `0001-main-Print-the-ignored-parent-line-in-warning.patch` and `0002-main-Handle-empty-repo-names-in-parent-files.patch` when we have portage-utils 0.94.5 or greater.

From 919a46c68c639dcbc0fd2bc2cee849ba0d9f6c59 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Mon, 27 Mar 2023 18:19:59 +0200
Subject: [PATCH 3/5] profiles: Add accept keywords for app-portage/portage-utils

---
 .../profiles/coreos/base/package.accept_keywords | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index abd4676955..0f3c38d936 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -6,6 +6,9 @@
 =app-editors/vim-9.0.1363 ~amd64 ~arm64
 =app-editors/vim-core-9.0.1363 ~amd64 ~arm64
+# To keep the same version on both arches
+=app-portage/portage-utils-0.95 ~arm64
+
 =coreos-devel/fero-client-0.1.1 **
 # Accept unstable host Rust compilers

From 9a9e75d32429476a26d4150d17825138e7b56c15 Mon Sep 17 00:00:00 2001
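Review bot: The comment added above the portage-utils keyword in the `@@ -6,6 +6,9 @@` hunk says only that the pin keeps both arches on the same version, not why 0.95 is the version that matters, so the entry's lifetime is undocumented. The previous commit in this series drops the coreos/user-patches for portage-utils because 0.95 already carries them, so this line is what actually delivers those parent-file fixes on arm64, and a later cleanup pass (like the intel-microcode removal in the first patch) has no way to tell when it can go. Suggest `# To keep the same version on both arches; 0.95 also carries the parent-file fixes formerly in coreos/user-patches. Drop once 0.95 is stable on arm64.` Presumably 0.95 is already stable on amd64, which is why only ~arm64 is accepted; worth stating that in the comment too if so.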
From: Krzesimir Nowak
Date: Mon, 27 Mar 2023 18:26:31 +0200
Subject: [PATCH 4/5] profiles: Update accept keywords for app-editors/vim-{,core}

---
 .../profiles/coreos/base/package.accept_keywords | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index 0f3c38d936..9b2e8961ce 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -2,9 +2,10 @@
 # Copyright (c) 2013 The CoreOS Authors. All rights reserved.
 # Distributed under the terms of the GNU General Public License v2
-# Necessary to fix CVE-2023-0288 and CVE-2023-0433.
-=app-editors/vim-9.0.1363 ~amd64 ~arm64
-=app-editors/vim-core-9.0.1363 ~amd64 ~arm64
+# Necessary to fix CVE-2023-0288, CVE-2023-0433, CVE-2023-1127,
+# CVE-2023-1175 and CVE-2023-1170.
+=app-editors/vim-9.0.1403 ~amd64 ~arm64
+=app-editors/vim-core-9.0.1403 ~amd64 ~arm64
 # To keep the same version on both arches
 =app-portage/portage-utils-0.95 ~arm64

From e443212d7a9770f33a97a62ee77e3654768b9ed9 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Mon, 27 Mar 2023 18:37:21 +0200
Subject: [PATCH 5/5] profiles: Add accept keywords for app-arch/tar

---
 .../profiles/coreos/base/package.accept_keywords | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index 9b2e8961ce..62ab430206 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -2,6 +2,9 @@
 # Copyright (c) 2013 The CoreOS Authors. All rights reserved.
 # Distributed under the terms of the GNU General Public License v2
+# Necessary to fix CVE-2022-48303.
+=app-arch/tar-1.34-r3 ~amd64 ~arm64
+
 # Necessary to fix CVE-2023-0288, CVE-2023-0433, CVE-2023-1127,
 # CVE-2023-1175 and CVE-2023-1170.
 =app-editors/vim-9.0.1403 ~amd64 ~arm64