Update dhcpcd to 8.1.9 to address the following security issues:
* CVE-2019-11577
* CVE-2019-11766
Note, dhcpcd is not a standard tool of Flatcar, because by default
networking is configured via systemd-networkd. We update the package
just for potential use cases that still depend on dhcpcd. However,
in the long term, we should not ship dhcpcd in the production images.
Now that curl has its own license file, it should be also added to
`MISC-FREE` license group, just like Gentoo.
Simply sync `license_groups` with Gentoo.
Now that curl >= 7.70 requires its own license file, we need to make
it included in the SDK, so that `/var/gentoo/repos/gentoo/licenses/curl`
can be available. Without that file, the image build step fails due to
a missing license file for curl.
We need to update net-misc/curl to 7.74.0, mainly to address the
following security issues:
* CVE-2020-8169
* CVE-2020-8231
* CVE-2020-8284
* CVE-2020-8285
* CVE-2020-8286
Github Actions for Rust started failing with following errors:
```
Error: Unable to process command '::set-env name=PULL_REQUEST_NUMBER::718' successfully.
Error: The `set-env` command is disabled. Please upgrade to using
Environment Files or opt into unsecure command execution by setting the
`ACTIONS_ALLOW_UNSECURE_COMMANDS` environment variable to `true`. For
more information see:
https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
```
It happens because we have used peter-evans/create-pull-request@v2,
which did not have a bug fix for the set-env issue.
The bug was fixed in create-pull-request
[v3.4.1](https://github.com/peter-evans/create-pull-request/releases/tag/v3.4.1).
So we just need to update the version to `v3`, which already includes
v3.4.1.
It is already possible to enable kernel config `CONFIG_DEBUG_INFO_BTF`
using dwarves 1.18 included in the current Flatcar SDK, as long as its
arch is amd64.
However, Kernel build fails in case of arm64, when Kernel version is
>= 5.9 and dwarves version is <= 1.18, like the following:
```
+ pahole -J .tmp_vmlinux.btf
PAHOLE: Error: Found symbol of zero size when encoding btf
(sym: '__kvm_nvhe_arm64_ssbd_callback_required', cu: '../source/arch/arm64/kernel/cpu_errata.c').
PAHOLE: Error: Use '-j' or '--force' to ignore such symbols and force emit the btf.
../source/scripts/link-vmlinux.sh: line 141: 1929102 Segmentation fault
```
The bug was fixed via
https://git.kernel.org/pub/scm/devel/pahole/pahole.git/commit/?id=2e719cca6672,
("btf_encoder: revamp how per-CPU variables are encoded").
The fix was first included in dwarves
[1.19](https://git.kernel.org/pub/scm/devel/pahole/pahole.git/tag/?h=v1.19).
Thus we need to get dwarves 1.19 included in Flatcar SDK, so that the
next Alpha Kernels could have `CONFIG_DEBUG_INFO_BTF` enabled.
This commit introduces Flatcar specific modification
to the Gentoo recipes for updating to gcc-9.3.0 introduced
in the previous commit. The changes are required
in order to make things build with the Flatcar SDK.
The commit also removes old, stale, unused recipes.
The changes include:
dev-util/perf/perf-4.9.13.ebuild: fix binutils ebuild RDEPEND
dev-util/perf/perf-5.8.ebuild: remove python3_{8} compat; unmask arm64, amd64
sys-devel/binutils: remove old, stale versions
sys-devel/binutils/binutils-2.35.ebuild: backport to EAPI6 because our
outdated emerge does not handle BDEPEND dependencies correctly,
resulting in BDEPEND being pulled in as runtime deps.
Unmask for amd64 and arm64.
sys-devel/binutils/binutils-9999.ebuild: backport to EAPI6
net-dns/dnsmasq: remove old, stale versions
sys-devel/crossdev: remove old versions
sys-devel/gcc: remove old versions
sys-devel/gcc/gcc-9.3.0-r1.ebuild: use EAPI6 because of emerge
BDEPEND issue (see above)
sys-devel/libtool/libtool-2.4.6-r6.ebuild: use EAPI6 because of emerge
BDEPEND issue (see above)
sys-kernel/linux-headers: remove old versions
ys-kernel/linux-headers/linux-headers-5.8.ebuild: unmask for amd64, arm64
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
This commit includes the necessary changes to upgrade the SDK
compiler to gcc-9.3.0. The changes include:
eclass: update toolchain.eclass to EAPI7
acct-(user|group): add dnsmasq user / group
net-dns/dnsmasq: update to dnsmasq-2.82
dev-util/perf: update to perf-5.8.ebuild
sys-devel/binutils: update to binutils-2.35.ebuild
sys-libs/binutils-libs: update to binutils-libs-2.35.ebuild
sys-devel/crossdev: update to crossdev-20200801.ebuild
sys-devel/gcc: update to gcc-9.3.0-r1.ebuild
sys-devel/libtool: update to libtool-2.4.6-r6.ebuild
sys-kernel/linux-headers: update to linux-headers-5.9.ebuild
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
To build Kernel with `CONFIG_DEBUG_INFO_BTF`, we need to get pahole, a
part of dwarves included in the Flatcar SDK.
So simply import `dev-util/dwarves` from upstream Gentoo.
To be able to build `net-fs/samba` 4.11, we need to import
`net-libs/gnutls` from upstream Gentoo. Since gnutls is one of the
hard requirements of upstream Samba, we are not able to disable the
dependency on gnutls.
Now that `dev-lang/tcl` is included in SDK, we can now build
dev-db/sqlite without having to rely on third-party patches
in coreos-overlay.
So simply sync sqlite with Gentoo upstream, and update to the latest
version 3.33.0.
Now that dev-libs/glib was updated to 2.64.5, we need to also update
dev-util/gdbus-codegen to 2.64.5.
Otherwise we would see strange slot conflicts like:
```
* Error: The above package list contains packages which cannot be
* installed at the same time on the same system.
(dev-libs/glib-2.64.5:2/2::portage-stable, ebuild scheduled for merge) pulled in by
>=dev-libs/glib-2.58.3:2 required by (dev-util/gdbus-codegen-2.58.3:0/0::portage-stable, binary scheduled for merge)
(dev-util/gdbus-codegen-2.58.3:0/0::portage-stable, binary scheduled for merge) pulled in by
dev-util/gdbus-codegen required by (coreos-base/hard-host-depends-0.0.1-r194:0/0::coreos, binary scheduled for merge)
```
The bootstrap_sdk stage still requires `sys-apps/makedev` to be
available, as listed in `profiles/default/linux/packages.build`.
We need to bring it back to make the SDK build work again.
This reverts commit df8159f565972eb31455ff5e4cbfba8c4a12bb52.
To make the SDK build work again, we need to bring back dev-db/sqlite
3.31.1 in portage-stable. It is not enough to have it in coreos-overlay.
This reverts commit 4a7a4e3d272812963c3cd21431d1849ca9df11e4.
Update net-libs/libpcap to 1.9.1, to address security issue
CVE-2019-15163, an issue of allowing attackers to cause a denial of
service (NULL pointer dereference and daemon crash) if a crypt() call
fails.
Update rsync to 3.2.3, actually to update zlib bundled in rsync.
It is to address security issue CVE-2016-9841, an issue of allowing
context-dependent attackers to have unspecified impact by leveraging
improper pointer arithmetic.
Update app-misc/jq to 1.6-r3, to address security issue CVE-2015-8863.
It is mainly to fix off-by-one error in the tokenadd function. It allows
remote attackers to cause a denial of service (crash) via a long
JSON-encoded number, which triggers a heap-based buffer overflow.
Improve body text of each PR for `virtual/rust`, by mentioning that
it should be merged together with its paired PR in coreos-overlay.
Explicitly name `virtual/rust` instead of `Cargo`, because there is
no more ebuild for `cargo`.
Rename the dispatched event-type name to `rust-pull-request-main`, as
`cargo` has already disappeared.
Make the repository-dispatch action receive additional client-payload with
a field `coreos-overlay-pull-request-number` sent by the corresponding PR
in coreos-overlay. The PR number is then used for adding a link in the body
text, for pointing back to the PR in coreos-overlay.
pkg-config 0.29 or newer introduced a macro `PKG_CHECK_MODULES_STATIC`,
which is needed by ebuilds like dev-util/strace >= 5.5.
So we should update pkg-config to 0.29.2, to avoid such issues.
(see 0efb668bd5)
```
***** autoconf *****
***** PWD: /build/amd64-usr/var/tmp/portage/dev-util/strace-5.6/work/strace-5.6
***** autoconf --force -I /build/amd64-usr/usr/share/aclocal
configure:17585: error: possibly undefined macro: PKG_CHECK_MODULES_STATIC
```
The metadata/md5-cache folder is machine-generated based on the
other files in the repository. It causes merge conflicts when at
one time they were not regernated in a commit and then later a
commit does it and includes cache changes which are incompatible
with later or newer states.
Remove the folder as it is not necessary to have it and was removed
in upstream Gentoo, too.
Whenever a new upstream Rust release appears, a Github workflow in
`coreos-overlay` creates a new pull request for `dev-lang/rust`.
At the same time, it sends a repository dispatch event to
portage-stable, so it also creates a pull request for `virtual/rust`.
Kernel 5.8-rc2 or newer added a commit
f2f02ebd8f
("kbuild: improve cc-option to clean up all temporary files") , which
causes make commands to create an object output directory. Apparently
harmless. The commit was backported to stable Kernels, 4.19.131, 5.4.50,
5.7.7.
In Flatcar and Gentoo, however, `getfilevar()` in `linux-info.eclass`
runs a make command, which creates `${M}`, an object output directory,
with a root account. As Gentoo sandbox creates everything as non-root
account, the subsequent steps like `src_unpack` fail to touch the same
directory.
Upstream Gentoo already has a fix
5a3acd443c
("linux-info.eclass: Pass M=${T} to the Linux Makefile unconditionally.").
See also https://bugs.gentoo.org/729178 .
So simply sync `linux-info.eclass` with Gentoo.
