From f1a8cc4c7b5062cfed16e5f69695cb62029333b1 Mon Sep 17 00:00:00 2001
From: Dongsu Park
Date: Thu, 16 May 2024 11:10:45 +0200
Subject: [PATCH 1/3] sys-libs/glibc: Sync with Gentoo
It's from Gentoo commit 1df9b3482f2e199390ecbe04a76f5397e450218f.
---
 .../coreos-overlay/sys-libs/glibc/Manifest | 2 +-
 .../coreos-overlay/sys-libs/glibc/README.md | 9 -----
 .../sys-libs/glibc/files/nscd-conf.tmpfiles | 2 -
 ...-2.38-r10.ebuild => glibc-2.38-r13.ebuild} | 37 ++++++++-----------
 4 files changed, 16 insertions(+), 34 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles
 rename sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/{glibc-2.38-r10.ebuild => glibc-2.38-r13.ebuild} (98%)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest
index c62295ae83..7d3514d9b4 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest
@@ -1,4 +1,4 @@
 DIST gcc-multilib-bootstrap-20201208.tar.xz 5528452 BLAKE2B 16699a6e4df5b2f28a21776ae9e3728b26a9ea251f5580aa5349545ad7c9f6145b9cb6a12ca8f5f96b9cb2a3c70b7e66ca702e4c6f083ac00408e0a20a69e613 SHA512 a243f505e17d0a7e144e8713c077582412f61d6cf7f79baa846de4fb77f5e0f27e11c9a785e14624e04ac52287b32164e7995323aa11caef59113ac438254347
-DIST glibc-2.38-patches-10.tar.xz 60792 BLAKE2B e228568f9e9cfa719ee9f2f91d220efa53e4eba617377fdf37bf7381b9f7c43036dfe62dd284b4228e9a99d41223ed0416ed058407a630b84064962518cba90b SHA512 573661299d75b63b7e2f771e9032193492e762e64cbb495b42bb7ad1021532f54f19d829a721e8070c79b2ad5edef077584cc4c76896d951cc93275592cf255c
+DIST glibc-2.38-patches-13.tar.xz 92708 BLAKE2B b2f05a793c92ea0b7901d2124fcd968fa846fdf687f8cbdbc17795c33fae2d538133fae66d575c5b98a7a05a29f9f816e7ecd45f3be5ed10ef65adbf92c7fc4d SHA512 24e45a88fa7676ef22a7e2bb864dff27262f69900c4ef76d21c6fee498d728949b6f5d03dd094d1774a66a8a47b779bf4b16ee31e5306bcdb55cedcc0a1c5e9f
 DIST glibc-2.38.tar.xz 18913712 BLAKE2B f9b039f0ef98a7dd8e1cba228ed10286b9e4fbe4dd89af4d26fa5c4e4cf266f19c2746b44d797ce54739d86499e74cf334aaf311bcf6e30120fd7748453e653f SHA512 a6dd5e42dcd63d58e2820c783522c8c895890b6e8c8e6c83b025553de0cc77cdf227e7044e431ead98c89c68a9ce4dd63509b47e647775fb2075f011849c1900
 DIST glibc-systemd-20210729.tar.gz 1480 BLAKE2B 37722c7579df782d890e44dbab99c3de52ab466eb9de80d82405e9bb5620bf39ffc8c5f466a435bdb86ef6d36dd7019c0736573916bda6c67d02a2581e0ec979 SHA512 efd75af58b50522c28cdac7abd1fc56555bc1bb042512c90d8340c1ec09c5791b3872a305bf83723252bbde5855b75d958c041083457765c4cfd170732d09238
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md
deleted file mode 100644
index 0bcb9dd9ee..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# GLibc
-
-The system's C library, sometimes referred to as "service pack for the C
-language". The build recipe has a single modification over the one Gentoo
-upstream uses: in the installation callback `glibc_do_src_install`, we remove
-all of glibc's `/etc` files right after the stock glibc build diligently
-installed them, since we ship our own `/etc` stuff via the `baseimage` recipe.
-The addition sits at the end of the `glibc_do_src_install` function and is duly
-labelled `## Flatcar Container Linux: ...`.
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles
deleted file mode 100644
index 0cf43dcb7a..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles
+++ /dev/null
@@ -1,2 +0,0 @@
-L /etc/nscd.conf - - - - ../usr/share/baselayout/nscd.conf
-d /var/db/nscd - - - - -
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.38-r10.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.38-r13.ebuild
similarity index 98%
rename from sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.38-r10.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.38-r13.ebuild
index 7848c4ed4f..1de5a90ac2 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.38-r10.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.38-r13.ebuild
@@ -20,7 +20,7 @@ SLOT="2.2"
 EMULTILIB_PKG="true"
 # Gentoo patchset (ignored for live ebuilds)
-PATCH_VER=10
+PATCH_VER=13
 PATCH_DEV=dilfridge
 # gcc mulitilib bootstrap files version
@@ -576,10 +576,12 @@ setup_env() {
 # Reset CC and CXX to the value at start of emerge
 export CC=${glibc__ORIG_CC:-${CC:-$(tc-getCC ${CTARGET})}}
 export CXX=${glibc__ORIG_CXX:-${CXX:-$(tc-getCXX ${CTARGET})}}
+ export CPP=${glibc__ORIG_CPP:-${CPP:-$(tc-getCPP ${CTARGET})}}
 # and make sure glibc__ORIG_CC and glibc__ORIG_CXX is defined now.
 export glibc__ORIG_CC=${CC}
 export glibc__ORIG_CXX=${CXX}
+ export glibc__ORIG_CPP=${CPP}
 if tc-is-clang && ! use custom-cflags && ! is_crosscompile ; then
 export glibc__force_gcc=yes
@@ -606,6 +608,7 @@ setup_env() {
 export CC="${current_gcc_path}/gcc"
 export CPP="${current_gcc_path}/cpp"
 export CXX="${current_gcc_path}/g++"
+ export CPP="$(tc-getCPP ${CTARGET})"
 export LD="${current_binutils_path}/ld.bfd"
 export AR="${current_binutils_path}/ar"
 export AS="${current_binutils_path}/as"
@@ -644,6 +647,7 @@ setup_env() {
 # acts on CC?)
 export glibc__GLIBC_CC=${CC}
 export glibc__GLIBC_CXX=${CXX}
+ export glibc__GLIBC_CPP=${CPP}
 export glibc__abi_CFLAGS="$(get_abi_CFLAGS)"
@@ -659,6 +663,8 @@ setup_env() {
 # Some of the tests are written in C++, so we need to force our multlib abis in, bug 623548
 export CXX="${glibc__GLIBC_CXX} ${glibc__abi_CFLAGS} ${CFLAGS}"
+ export CPP="${glibc__GLIBC_CPP} ${glibc__abi_CFLAGS} ${CFLAGS}"
+
 if is_crosscompile; then
 # Assume worst-case bootstrap: glibc is built for the first time
 # with ${CTARGET}-g++ not available yet. We avoid
@@ -1266,6 +1272,11 @@ glibc_src_test() {
 ewarn "Skipping extra tests because in systemd-nspawn container"
 XFAIL_TEST_LIST+=( "${XFAIL_NSPAWN_TEST_LIST[@]}" )
 fi
+ if [[ "$(nice)" == "19" ]] ; then
+ # Expects to be able to increase niceness, which it can't do if
+ # already at the highest nice value
+ XFAIL_TEST_LIST+=( "tst-nice" )
+ fi
 for myt in ${XFAIL_TEST_LIST[@]} ; do
 myxfailparams+="test-xfail-${myt}=yes "
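Review bot: In the -606 hunk the new `export CPP="$(tc-getCPP ${CTARGET})"` sits two lines below the existing `export CPP="${current_gcc_path}/cpp"`, so one of the two assignments is dead: if tc-getCPP honours an already-exported CPP the new line is a no-op, otherwise it silently overrides the cpp from current_gcc_path while CC and CXX still point there. The forced-gcc block should carry a single CPP assignment with a comment stating which preprocessor is intended, e.g. `# keep CPP in step with CC; exactly one CPP assignment belongs here`. This comes in with the Gentoo sync rather than from this repo, so the cleanup probably belongs upstream as well. In the -576 hunk the comment `# and make sure glibc__ORIG_CC and glibc__ORIG_CXX is defined now.` now also covers glibc__ORIG_CPP and could say so. setup_env() begins and ends outside these hunks.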
@@ -1343,16 +1354,15 @@ glibc_do_src_install() {
 # '#define VERSION "2.26.90"' -> '2.26.90'
 local upstream_pv=$(sed -n -r 's/#define VERSION "(.*)"/\1/p' "${S}"/version.h)
- # Flatcar: override this and strip everything to keep image size at bay
 # Avoid stripping binaries not targeted by ${CHOST}. Or else
 # ${CHOST}-strip would break binaries build for ${CTARGET}.
- # is_crosscompile && dostrip -x /
+ is_crosscompile && dostrip -x /
 # gdb thread introspection relies on local libpthreads symbols. stripping breaks it
 # See Note [Disable automatic stripping]
- # dostrip -x $(alt_libdir)/libpthread-${upstream_pv}.so
+ dostrip -x $(alt_libdir)/libpthread-${upstream_pv}.so
 # valgrind requires knowledge about ld.so symbols.
- # dostrip -x $(alt_libdir)/ld-*.so*
+ dostrip -x $(alt_libdir)/ld-*.so*
 if [[ -e ${ED}/$(alt_usrlibdir)/libm-${upstream_pv}.a ]] ; then
 # Move versioned .a file out of libdir to evade portage QA checks
@@ -1540,23 +1550,6 @@ glibc_do_src_install() {
 if use compile-locales && ! is_crosscompile ; then
 run_locale_gen --inplace-glibc "${ED}/"
 fi
-
- ## Flatcar Container Linux: Add some local changes:
- # - Config files are installed by baselayout, not glibc.
- # - Install nscd/systemd stuff in /usr.
-
- # Use tmpfiles to put nscd.conf in /etc and create directories.
- insinto /usr/share/baselayout
- if ! in_iuse nscd || use nscd ; then
- doins "${S}"/nscd/nscd.conf || die
- newtmpfiles "${FILESDIR}"/nscd-conf.tmpfiles nscd-conf.conf || die
- fi
-
- # Clean out any default configs.
- rm -rf "${ED}"/etc
-
- # Restore this one for the SDK.
- test ! -e "${T}"/00glibc || doenvd "${T}"/00glibc
 }
 glibc_headers_install() {
From 9bb51f86e98102ad1b8eb797a6ace9c40ed168b1 Mon Sep 17 00:00:00 2001
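Review bot: Re-enabling the three `dostrip -x` exclusions here and dropping the Flatcar block in the -1540 hunk means this revision on its own keeps glibc's default `/etc` contents in the image (the removed `rm -rf "${ED}"/etc` no longer runs) and ships ld.so and libpthread unstripped, which the next patch in the series reverts again. Anyone bisecting across the two commits lands on an r13 ebuild that behaves differently from both r10 and the final r13, so it would be cleaner to squash the re-application into the sync, or at least to state in the commit message that this intermediate state is not meant to be built. glibc_do_src_install() begins and ends outside these hunks.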
From: Thilo Fromm
Date: Fri, 22 Sep 2023 15:03:37 +0200
Subject: [PATCH 2/3] sys-libs/glibc: Apply Flatcar modifications
- take care of nscd.conf via tmpfiles, add files/nscd-conf.tmpfiles.
- comment out 'dostrip -x' to force the OS image binaries to be stripped
- remove everything glibc wants to put under /etc since we use baselayout to provide that
Signed-off-by: Thilo Fromm
Signed-off-by: Krzesimir Nowak
---
 .../coreos-overlay/sys-libs/glibc/README.md | 9 +++++++
 .../sys-libs/glibc/files/nscd-conf.tmpfiles | 2 ++
 .../sys-libs/glibc/glibc-2.38-r13.ebuild | 24 ++++++++++++++++---
 3 files changed, 32 insertions(+), 3 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md
new file mode 100644
index 0000000000..0bcb9dd9ee
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md
@@ -0,0 +1,9 @@
+# GLibc
+
+The system's C library, sometimes referred to as "service pack for the C
+language". The build recipe has a single modification over the one Gentoo
+upstream uses: in the installation callback `glibc_do_src_install`, we remove
+all of glibc's `/etc` files right after the stock glibc build diligently
+installed them, since we ship our own `/etc` stuff via the `baseimage` recipe.
+The addition sits at the end of the `glibc_do_src_install` function and is duly
+labelled `## Flatcar Container Linux: ...`.
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles
new file mode 100644
index 0000000000..0cf43dcb7a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles
@@ -0,0 +1,2 @@
+L /etc/nscd.conf - - - - ../usr/share/baselayout/nscd.conf
+d /var/db/nscd - - - - -
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.38-r13.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.38-r13.ebuild
index 1de5a90ac2..c28e70daaf 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.38-r13.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.38-r13.ebuild
@@ -1354,15 +1354,16 @@ glibc_do_src_install() {
 # '#define VERSION "2.26.90"' -> '2.26.90'
 local upstream_pv=$(sed -n -r 's/#define VERSION "(.*)"/\1/p' "${S}"/version.h)
+ # Flatcar: override this and strip everything to keep image size at bay
 # Avoid stripping binaries not targeted by ${CHOST}. Or else
 # ${CHOST}-strip would break binaries build for ${CTARGET}.
- is_crosscompile && dostrip -x /
+ # is_crosscompile && dostrip -x /
 # gdb thread introspection relies on local libpthreads symbols. stripping breaks it
 # See Note [Disable automatic stripping]
- dostrip -x $(alt_libdir)/libpthread-${upstream_pv}.so
+ # dostrip -x $(alt_libdir)/libpthread-${upstream_pv}.so
 # valgrind requires knowledge about ld.so symbols.
- dostrip -x $(alt_libdir)/ld-*.so*
+ # dostrip -x $(alt_libdir)/ld-*.so*
 if [[ -e ${ED}/$(alt_usrlibdir)/libm-${upstream_pv}.a ]] ; then
 # Move versioned .a file out of libdir to evade portage QA checks
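Review bot: The three `dostrip -x` lines are commented out, but the upstream justifications above them (`# Avoid stripping binaries not targeted by ${CHOST}`, the gdb note, the valgrind note) stay in place verbatim, so the block reads as though those exclusions were still active. The single `# Flatcar: override this ...` line should spell out what is given up, e.g. `# Flatcar: the three upstream dostrip -x exclusions below are intentionally disabled so the whole image is stripped; per the notes that follow, gdb thread introspection and valgrind's ld.so symbol lookup will not work on the stripped image binaries`. The first disabled exclusion also existed to keep ${CHOST}-strip away from ${CTARGET} binaries in cross builds; if the SDK does not point STRIP at the target's strip for cross-compiled boards, that retained warning still applies and is worth confirming before relying on the fully-stripped image. glibc_do_src_install() begins and ends outside the hunk.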
@@ -1550,6 +1551,23 @@ glibc_do_src_install() {
 if use compile-locales && ! is_crosscompile ; then
 run_locale_gen --inplace-glibc "${ED}/"
 fi
+
+ ## Flatcar Container Linux: Add some local changes:
+ # - Config files are installed by baselayout, not glibc.
+ # - Install nscd/systemd stuff in /usr.
+
+ # Use tmpfiles to put nscd.conf in /etc and create directories.
+ insinto /usr/share/baselayout
+ if ! in_iuse nscd || use nscd ; then
+ doins "${S}"/nscd/nscd.conf || die
+ newtmpfiles "${FILESDIR}"/nscd-conf.tmpfiles nscd-conf.conf || die
+ fi
+
+ # Clean out any default configs.
+ rm -rf "${ED}"/etc
+
+ # Restore this one for the SDK.
+ test ! -e "${T}"/00glibc || doenvd "${T}"/00glibc
 }
 glibc_headers_install() {
From e9047ca1fb767733654ec2c7913199ac35384950 Mon Sep 17 00:00:00 2001
From: Dongsu Park
Date: Thu, 16 May 2024 11:20:45 +0200
Subject: [PATCH 3/3] changelog: add security changelog for glibc 2.38-r13
---
 changelog/security/2024-05-16-glibc-2.38-r13.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog/security/2024-05-16-glibc-2.38-r13.md
diff --git a/changelog/security/2024-05-16-glibc-2.38-r13.md b/changelog/security/2024-05-16-glibc-2.38-r13.md
new file mode 100644
index 0000000000..fb6d52c54a
--- /dev/null
+++ b/changelog/security/2024-05-16-glibc-2.38-r13.md
@@ -0,0 +1 @@
+- glibc ([CVE-2024-2961](https://nvd.nist.gov/vuln/detail/CVE-2024-2961), [CVE-2024-33599](https://nvd.nist.gov/vuln/detail/CVE-2024-33599), [CVE-2024-33600](https://nvd.nist.gov/vuln/detail/CVE-2024-33600), [CVE-2024-33601](https://nvd.nist.gov/vuln/detail/CVE-2024-33601), [CVE-2024-33602](https://nvd.nist.gov/vuln/detail/CVE-2024-33602))
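Review bot: `rm -rf "${ED}"/etc` discards everything the stock install put under /etc without recording what that is, so if baselayout ever stops providing one of those files the image silently loses it; the comment should state the contract, e.g. `# Drops everything glibc installs under /etc (at least env.d/00glibc, re-added below for the SDK); baselayout is expected to ship the rest`. The `|| die` after `doins` and `newtmpfiles` is redundant if the ebuild is EAPI 4 or newer (the EAPI line is outside this hunk), where `doins` dies on failure by itself and `newtmpfiles` presumably does too via its install helper — worth confirming. The README added in this same patch still describes 'a single modification' over Gentoo's recipe, while the ebuild now carries three Flatcar changes (nscd tmpfiles, disabled strip exclusions, /etc removal), so it should be updated to match. glibc_do_src_install() ends inside this hunk but begins outside it.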