From 9f00424e1c2949a29f57764534f206f8e2b6073b Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 23 Jan 2023 09:00:34 +0100 Subject: [PATCH 01/14] coreos: Drop user patch for app-arch/ncompress We are about to update to 5.0-r1 that fixes the same issue. --- .../ncompress/0001-Fix-link-creation.patch | 41 ------------------- .../user-patches/app-arch/ncompress/README.md | 3 -- 2 files changed, 44 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/ncompress/0001-Fix-link-creation.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/ncompress/README.md diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/ncompress/0001-Fix-link-creation.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/ncompress/0001-Fix-link-creation.patch deleted file mode 100644 index b8e031ed44..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/ncompress/0001-Fix-link-creation.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 67176ea3ab5eccd004ca9cacef103d1f0636828a Mon Sep 17 00:00:00 2001 -From: Krzesimir Nowak -Date: Mon, 16 Jan 2023 10:26:24 +0100 -Subject: [PATCH] "Fix" link creation - -It's not a proper fix as it stands, because it would try to create a -hardlink at $(DESTDIR)$(BINDIR)/uncompress using compress from a -current working directory (so this may work only by chance if compress -actually exists there), but app-arch/ncompress is also patching -Makefile.def to use symbolic links. So those two hacks together should -do the trick by creating a symbolic link at -$(DESTDIR)$(BINDIR)/uncompress pointing to compress in the same -directory, instead of creating a dangling symlink. ---- - Makefile.def | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/Makefile.def b/Makefile.def -index 94c9719..0fafc7a 100644 ---- a/Makefile.def -+++ b/Makefile.def -@@ -44,14 +44,14 @@ install_core: compress - mkdir -p $(DESTDIR)$(BINDIR) $(DESTDIR)$(MANDIR) - cp compress $(DESTDIR)$(BINDIR)/compress - rm -f $(DESTDIR)$(BINDIR)/uncompress -- ln $(DESTDIR)$(BINDIR)/compress $(DESTDIR)$(BINDIR)/uncompress -+ ln compress $(DESTDIR)$(BINDIR)/uncompress - cp compress.1 uncompress.1 $(DESTDIR)$(MANDIR)/. - chmod 0644 $(DESTDIR)$(MANDIR)/compress.1 $(DESTDIR)$(MANDIR)/uncompress.1 - - install_extra: install_core - mkdir -p $(DESTDIR)$(BINDIR) $(DESTDIR)$(MANDIR) - rm -f $(DESTDIR)$(BINDIR)/zcat -- ln -f $(DESTDIR)$(BINDIR)/compress $(DESTDIR)$(BINDIR)/zcat -+ ln -f compress $(DESTDIR)$(BINDIR)/zcat - cp zcmp zdiff zmore $(DESTDIR)$(BINDIR)/. - chmod 0755 $(DESTDIR)$(BINDIR)/compress $(DESTDIR)$(BINDIR)/zcmp $(DESTDIR)$(BINDIR)/zdiff $(DESTDIR)$(BINDIR)/zmore - cp zcmp.1 zmore.1 $(DESTDIR)$(MANDIR)/. --- -2.25.1 - 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/ncompress/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/ncompress/README.md deleted file mode 100644 index e8c9c61244..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/ncompress/README.md +++ /dev/null @@ -1,3 +0,0 @@ -Drop `0001-Fix-link-creation.patch` when we have ncompress 5.0-r1 or greater. - -See https://github.com/gentoo/gentoo/pull/29131. From e3bed9f973bef2fb2f422381aeedd27ddf8d5a82 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 23 Jan 2023 09:02:20 +0100 Subject: [PATCH 02/14] profiles: Add accept keywords for app-arch/ncompress This pulls in a fix for uncompress symlink. --- .../profiles/coreos/base/package.accept_keywords | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index ac519872ef..a130ad4b00 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -2,6 +2,9 @@ # Copyright (c) 2013 The CoreOS Authors. All rights reserved. # Distributed under the terms of the GNU General Public License v2 +# Necessary for the symlink fix for uncompress utility. +=app-arch/ncompress-5.0-r1 ~amd64 ~arm64 + =app-arch/zstd-1.4.9 ~amd64 ~arm64 =coreos-devel/fero-client-0.1.1 ** From 3c493aa788001b92f2c3562c02c4f3b38609bd7a Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 23 Jan 2023 09:08:59 +0100 Subject: [PATCH 03/14] profiles: Add accept keywords for app-editors/vim --- .../profiles/coreos/base/package.accept_keywords | 3 +++ 1 file changed, 3 insertions(+) 
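Review bot: The new `=app-arch/ncompress-5.0-r1 ~amd64 ~arm64` entry in patch 02 does not say when it can be dropped, and the upstream reference the deleted README in patch 01 carried (https://github.com/gentoo/gentoo/pull/29131) leaves the tree with this series. A pinned `=` keyword goes stale silently once upstream stabilizes 5.0-r1 or ships a newer revision, so the comment should name what to check. Suggest `# Necessary for the symlink fix for uncompress utility; drop once 5.0-r1 or newer is stable on both arches (https://github.com/gentoo/gentoo/pull/29131).`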
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index a130ad4b00..f48f0c2515 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -7,6 +7,9 @@ =app-arch/zstd-1.4.9 ~amd64 ~arm64 +# Necessary to fix CVE-2023-0049, CVE-2023-0051 and CVE-2023-0054. +=app-editors/vim-9.0.1157 ~amd64 ~arm64 + =coreos-devel/fero-client-0.1.1 ** # Accept unstable host Rust compilers From 3a41c4b1b56483a077e304766fc9a679bc11d036 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 23 Jan 2023 09:11:11 +0100 Subject: [PATCH 04/14] profiles: Add accept keywords for app-editors/vim-core --- .../coreos-overlay/profiles/coreos/base/package.accept_keywords | 1 + 1 file changed, 1 insertion(+) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index f48f0c2515..118ecb5f53 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -9,6 +9,7 @@ # Necessary to fix CVE-2023-0049, CVE-2023-0051 and CVE-2023-0054. =app-editors/vim-9.0.1157 ~amd64 ~arm64 +=app-editors/vim-core-9.0.1157 ~amd64 ~arm64 =coreos-devel/fero-client-0.1.1 ** From bdacc717e27bf7f9e6cd793ef1a3ec379026c03b Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 23 Jan 2023 11:01:50 +0100 Subject: [PATCH 05/14] profiles: Add accept keywords for app-emulation/qemu --- .../profiles/coreos/base/package.accept_keywords | 3 +++ 1 file changed, 3 insertions(+) 
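Review bot: The `=app-editors/vim-core-9.0.1157 ~amd64 ~arm64` line added in patch 04 has no comment of its own, so in the file it sits under the CVE comment from patch 03, which explains the vim pin but not why vim-core is pinned to the same version. Suggest `# Keep vim-core at the same version as app-editors/vim above.` directly above it; I am assuming from the identical version that the two must move together, since the commit message gives no reason. Whoever later drops the vim pin then sees that this line goes with it.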
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 118ecb5f53..2c57e704c8 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -11,6 +11,9 @@ =app-editors/vim-9.0.1157 ~amd64 ~arm64 =app-editors/vim-core-9.0.1157 ~amd64 ~arm64 +# Keep the version of qemu the same on all arches. +=app-emulation/qemu-7.2.0 ~arm64 + =coreos-devel/fero-client-0.1.1 ** # Accept unstable host Rust compilers From 0c15ec25697e1fa4b5feb592ea6f930cb6428b9a Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 23 Jan 2023 11:01:31 +0100 Subject: [PATCH 06/14] profiles: Bump version of dev-util/bpftool in accept keywords --- .../profiles/coreos/arm64/package.accept_keywords | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords index b94165b00f..9b6c3a40fe 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords @@ -13,7 +13,7 @@ =dev-lang/yasm-1.3.0-r1 ~arm64 # needed to force enable bpftool for arm64 -=dev-util/bpftool-5.19.8 ** +=dev-util/bpftool-5.19.12 ** # needed to address CVE-2022-23521, CVE-2022-41903 =dev-vcs/git-2.38.3 ~arm64 From b54879d9cc0ca618c1ee3e7ab54e7fdbe51f6d22 Mon Sep 17 00:00:00 2001 
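Review bot: The bumped `=dev-util/bpftool-5.19.12 **` in patch 06 keeps the `**` keyword, which accepts that version regardless of what keywords the ebuild carries, whereas `~arm64` would still require an arm64 keyword to be present. If the ebuild genuinely has no arm64 keyword (the "force enable" comment suggests so) `**` is the only option, but the comment should say that, and neither the hunk nor the commit message says what 5.19.8 → 5.19.12 tracks, so the next bump has nothing to go on. Suggest `# needed to force enable bpftool for arm64 (no arm64 keyword in the ebuild); bump together with <what this version follows — fill in>`.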
From: Krzesimir Nowak Date: Mon, 23 Jan 2023 11:02:18 +0100 Subject: [PATCH 07/14] profiles: Drop accept keywords for dev-vcs/git We update to 2.39.1, which is stable for both amd64 and arm64. --- .../profiles/coreos/arm64/package.accept_keywords | 3 --- 1 file changed, 3 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords index 9b6c3a40fe..9c9902f00b 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords @@ -15,9 +15,6 @@ # needed to force enable bpftool for arm64 =dev-util/bpftool-5.19.12 ** -# needed to address CVE-2022-23521, CVE-2022-41903 -=dev-vcs/git-2.38.3 ~arm64 - =net-dns/c-ares-1.17.2 ~arm64 =net-firewall/conntrack-tools-1.4.6-r1 ~arm64 =net-libs/libnetfilter_cthelper-1.0.0-r1 ~arm64 From 452a1201a952b623ecb56a3f053936c42608c0f7 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 23 Jan 2023 14:34:05 +0100 Subject: [PATCH 08/14] profiles: Drop obsolete use flag for dev-vcs/git --- .../third_party/coreos-overlay/profiles/coreos/base/package.use | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use index 96834a54f5..736735cf52 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use @@ -9,7 +9,7 @@ dev-libs/dbus-glib tools dev-libs/libxml2 -python dev-libs/libxslt -python dev-util/perf -doc -dev-vcs/git webdav curl bash-completion +dev-vcs/git webdav curl net-misc/curl kerberos telnet net-misc/iputils arping tracepath sys-devel/gettext -git 
From d51b66201f391382ac5a9cc31008c03de882d421 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 23 Jan 2023 11:29:07 +0100 Subject: [PATCH 09/14] profiles: Add accept keywords for net-dns/bind-tools --- .../profiles/coreos/base/package.accept_keywords | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 2c57e704c8..ef0b6ba53d 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -22,6 +22,9 @@ =dev-libs/libgcrypt-1.9.4 ~amd64 ~arm64 +# Keep the version of bind-tools the same on all arches. +=net-dns/bind-tools-9.16.36 ~arm64 + # Required for addressing CVE-2022-29154 =net-misc/rsync-3.2.7-r1 ~amd64 ~arm64 From d2c835e6bbeb9ed94be1ea42a1b4879b0dd8688e Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 23 Jan 2023 11:42:24 +0100 Subject: [PATCH 10/14] profiles: Add accept keywords for net-misc/curl --- .../profiles/coreos/base/package.accept_keywords | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index ef0b6ba53d..b5dee58e10 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords 
@@ -28,6 +28,10 @@ # Required for addressing CVE-2022-29154 =net-misc/rsync-3.2.7-r1 ~amd64 ~arm64 +# Keep the version of curl the same on all arches. +# Also needed for CVE-2022-43551 and CVE-2022-43552. +=net-misc/curl-7.87.0-r2 ~arm64 + =sys-fs/cryptsetup-2.4.1-r1 ~amd64 ~arm64 # Keep iproute in sync with kernel version. From 14fb10149a2393e607dee6840ef46918b20f489c Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 23 Jan 2023 11:48:58 +0100 Subject: [PATCH 11/14] profiles: Bump version of net-misc/rsync in accept keywords --- .../coreos-overlay/profiles/coreos/base/package.accept_keywords | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index b5dee58e10..23a712da51 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -26,7 +26,7 @@ =net-dns/bind-tools-9.16.36 ~arm64 # Required for addressing CVE-2022-29154 -=net-misc/rsync-3.2.7-r1 ~amd64 ~arm64 +=net-misc/rsync-3.2.7-r2 ~amd64 ~arm64 # Keep the version of curl the same on all arches. # Also needed for CVE-2022-43551 and CVE-2022-43552. From d51554d27d660718ba604535721f3c80993aa8a5 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 24 Jan 2023 08:43:31 +0100 Subject: [PATCH 12/14] coreos-base/update_engine: Stop using deprecated stuff --- ..._engine-0.4.10-r9.ebuild => update_engine-0.4.10-r10.ebuild} | 0 .../coreos-base/update_engine/update_engine-9999.ebuild | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/{update_engine-0.4.10-r9.ebuild => update_engine-0.4.10-r10.ebuild} (100%) 
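Review bot: The revision bump to `=net-misc/rsync-3.2.7-r2 ~amd64 ~arm64` in patch 11 leaves the existing comment saying only `# Required for addressing CVE-2022-29154`, and the commit message adds nothing, so the reason the -r2 revision is needed is not recorded anywhere. Since the CVE was already addressed by -r1, a reader will not know whether -r2 is a further fix or just a rebuild. Suggest `# Required for addressing CVE-2022-29154; -r2 needed for <reason for the revbump — fill in>`.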
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-0.4.10-r9.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-0.4.10-r10.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-0.4.10-r9.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-0.4.10-r10.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-9999.ebuild index edd06be950..297549bd82 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-9999.ebuild @@ -8,7 +8,7 @@ CROS_WORKON_REPO="https://github.com" if [[ "${PV}" == 9999 ]]; then KEYWORDS="~amd64 ~arm ~arm64 ~x86" else - CROS_WORKON_COMMIT="12d43a8e71293567f10d940465113550188a4ce8" # flatcar-master + CROS_WORKON_COMMIT="c6f566d47d8949632f7f43871eb8d5c625af3209" # flatcar-master KEYWORDS="amd64 arm64" fi From c694ab958ffb4643f85171e0ef715372d3751574 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 24 Jan 2023 15:50:17 +0100 Subject: [PATCH 13/14] profiles: Mask sys-devel/gcc versions that are stable only on one arch --- .../coreos-overlay/profiles/coreos/base/package.mask | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask index 7d04948e69..68d088c019 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask 
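Review bot: The new pin `CROS_WORKON_COMMIT="c6f566d47d8949632f7f43871eb8d5c625af3209" # flatcar-master` keeps a comment naming only the branch, so nothing in the ebuild records what this commit brings in; the commit subject ("Stop using deprecated stuff") is the only hint. Suggest `# flatcar-master: <one-line summary of the upstream change — fill in>` so the pin can be audited without consulting the other repository. Pinning a full 40-character SHA rather than a moving branch is the right choice and should stay that way. The r9 → r10 rename is reported at 100% similarity with no content change, so I assume the versioned file resolves to this 9999 ebuild (a symlink) and picks up the new pin; worth confirming, because a plain copy would not.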
@@ -21,3 +21,8 @@ # Python 3.10 is stable in portage-stable, so avoid picking it # up. Drop this when we switch to it. >=dev-lang/python-3.10 + +# sys-devel/gcc-11.3.1_p20221209 is the latest gcc version that is +# stable on both amd64 and arm64. There are newer versions of gcc +# which are stable only on one of them, so mask them. +>sys-devel/gcc-11.3.1_p20221209 From a6e7097ac8810991d8aa0eafc0b17f9d17036b87 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Wed, 25 Jan 2023 14:24:41 +0100 Subject: [PATCH 14/14] coreos/user-patches: Add a user patch sys-devel/gcc --- .../sys-devel/gcc/0001-constexpr.patch | 14 ++++++++++++++ .../coreos/user-patches/sys-devel/gcc/README.md | 6 ++++++ 2 files changed, 20 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-devel/gcc/0001-constexpr.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-devel/gcc/README.md diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-devel/gcc/0001-constexpr.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-devel/gcc/0001-constexpr.patch new file mode 100644 index 0000000000..938b3d6ace --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-devel/gcc/0001-constexpr.patch @@ -0,0 +1,14 @@ +The constexpr keyword is missing for a function that was invoked from +another constexpr function. Add the missing keyword. + +--- a/libstdc++-v3/src/c++17/memory_resource.cc 2022-12-09 22:33:43.000000000 -0000 ++++ b/libstdc++-v3/src/c++17/memory_resource.cc 2023-01-25 13:14:24.025359063 -0000 +@@ -603,7 +603,7 @@ + void* pointer = nullptr; + aligned_size _M_size; + +- size_t size() const noexcept ++ constexpr size_t size() const noexcept + { + if (_M_size.value == size_t(-1)) [[unlikely]] + return size_t(-1); 
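Review bot: `>sys-devel/gcc-11.3.1_p20221209` in patch 13 also masks any revision of that same snapshot (a revisioned version sorts above the unrevisioned one), so a future -r1 of 11.3.1_p20221209 that ships a fix stable on both arches would be masked along with the newer snapshots. If revisions of this snapshot should stay installable, `>sys-devel/gcc-11.3.1_p20221209-r9999` (constructed example) masks only newer base versions. Either way, the comment could state the exit condition explicitly, e.g. `# Drop when a newer gcc is stable on both amd64 and arm64.`, since a mask on the system compiler also holds back its security fixes until someone revisits it.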
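Review bot: The new `0001-constexpr.patch` in patch 14 has no provenance: the two-line description says only that `constexpr` is missing on `size()`, and the README in the same commit says the cause was not investigated, so nothing records which gcc snapshot it was written against or whether an upstream report exists. A patch applied to the system compiler should carry at least that much, otherwise whoever is meant to drop it cannot tell when it has become obsolete. Suggest prepending `Written against sys-devel/gcc-<version — fill in>; upstream reference: <bug or commit — fill in, or "none filed">` to the description. Marking `size()` `constexpr` only adds a compile-time permission and changes nothing at runtime, so the code change itself looks low-risk.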
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-devel/gcc/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-devel/gcc/README.md new file mode 100644 index 0000000000..9a331e1e86 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-devel/gcc/README.md @@ -0,0 +1,6 @@ +Drop `0001-constexpr.patch` when not applicable any more. It's a weird +issue, because building the same version of the compiler worked fine +before. Maybe some patch from gcc patches is at fault here. Didn't +investigate in hope that the issue is ephemeral. Some newer version of +gcc is already marked as stable for both amd64 and arm64 in Gentoo, so +this patch will most likely be dropped next week.