diff --git a/changelog/security/2024-02-08-glibc-update.md b/changelog/security/2024-02-08-glibc-update.md
new file mode 100644
index 00000000000..9177ba32811
--- /dev/null
+++ b/changelog/security/2024-02-08-glibc-update.md
@@ -0,0 +1 @@
+- glibc ([CVE-2023-5156](https://nvd.nist.gov/vuln/detail/CVE-2023-5156), [CVE-2023-6246](https://nvd.nist.gov/vuln/detail/CVE-2023-6246), [CVE-2023-6779](https://nvd.nist.gov/vuln/detail/CVE-2023-6779), [CVE-2023-6780](https://nvd.nist.gov/vuln/detail/CVE-2023-6780))
diff --git a/changelog/updates/2024-02-08-glibc-update.md b/changelog/updates/2024-02-08-glibc-update.md
new file mode 100644
index 00000000000..b5cd7463d1b
--- /dev/null
+++ b/changelog/updates/2024-02-08-glibc-update.md
@@ -0,0 +1 @@
+- glibc ([2.38](https://sourceware.org/pipermail/libc-alpha/2023-July/150524.html))
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest
index 4ae3c2dbb3c..c62295ae832 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest
@@ -1,4 +1,4 @@
 DIST gcc-multilib-bootstrap-20201208.tar.xz 5528452 BLAKE2B 16699a6e4df5b2f28a21776ae9e3728b26a9ea251f5580aa5349545ad7c9f6145b9cb6a12ca8f5f96b9cb2a3c70b7e66ca702e4c6f083ac00408e0a20a69e613 SHA512 a243f505e17d0a7e144e8713c077582412f61d6cf7f79baa846de4fb77f5e0f27e11c9a785e14624e04ac52287b32164e7995323aa11caef59113ac438254347
-DIST glibc-2.37-patches-10.tar.xz 72768 BLAKE2B 20501519a570a5d277a3c1460373edea4131602b07037a81d855f1dcbc5b8d40fa6edae500a9f30e9541389dc1b4a7406cbee8e8a85a3131932e23f807e1b211 SHA512 f1e3791befa98ec5a83c919f6563c4c0c9e7bb2bf53bd0adf9235344d914a8d127f2da595a6850fd75b6828a81914241f8964bf004070888fbc77795f0f727cc
-DIST glibc-2.37.tar.xz 18674604 BLAKE2B 8139cd977b2ed3bfdbde5ffb1cda8f759763dbb83071167272fef798cfbdc0d17cfd1ec893d126c52c91511b7961f3ad12eed34534b99412dfa04a1cdd5b4ea3 SHA512 4fc5932f206bb1b8b54828a28af1a681616b838bbab60c81c82155f3629cbfe1301d271af65511ed917f4c6949a025429221fe6035753282f15346919f15b90c
+DIST glibc-2.38-patches-10.tar.xz 60792 BLAKE2B e228568f9e9cfa719ee9f2f91d220efa53e4eba617377fdf37bf7381b9f7c43036dfe62dd284b4228e9a99d41223ed0416ed058407a630b84064962518cba90b SHA512 573661299d75b63b7e2f771e9032193492e762e64cbb495b42bb7ad1021532f54f19d829a721e8070c79b2ad5edef077584cc4c76896d951cc93275592cf255c
+DIST glibc-2.38.tar.xz 18913712 BLAKE2B f9b039f0ef98a7dd8e1cba228ed10286b9e4fbe4dd89af4d26fa5c4e4cf266f19c2746b44d797ce54739d86499e74cf334aaf311bcf6e30120fd7748453e653f SHA512 a6dd5e42dcd63d58e2820c783522c8c895890b6e8c8e6c83b025553de0cc77cdf227e7044e431ead98c89c68a9ce4dd63509b47e647775fb2075f011849c1900
 DIST glibc-systemd-20210729.tar.gz 1480 BLAKE2B 37722c7579df782d890e44dbab99c3de52ab466eb9de80d82405e9bb5620bf39ffc8c5f466a435bdb86ef6d36dd7019c0736573916bda6c67d02a2581e0ec979 SHA512 efd75af58b50522c28cdac7abd1fc56555bc1bb042512c90d8340c1ec09c5791b3872a305bf83723252bbde5855b75d958c041083457765c4cfd170732d09238
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.37-r7.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.38-r10.ebuild
similarity index 96%
rename from sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.37-r7.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.38-r10.ebuild
index 63769cfee42..7848c4ed4f3 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.37-r7.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.38-r10.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -6,7 +6,7 @@ EAPI=8
 # Bumping notes: https://wiki.gentoo.org/wiki/Project:Toolchain/sys-libs/glibc
 # Please read & adapt the page as necessary if obsolete.
 
-PYTHON_COMPAT=( python3_{9..11} )
+PYTHON_COMPAT=( python3_{10..12} )
 TMPFILES_OPTIONAL=1
 
 inherit python-any-r1 prefix preserve-libs toolchain-funcs flag-o-matic gnuconfig \
@@ -39,7 +39,7 @@ MIN_PAX_UTILS_VER="1.3.3"
 if [[ ${PV} == 9999* ]]; then
  inherit git-r3
 else
- KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86"
+ KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
  SRC_URI="mirror://gnu/glibc/${P}.tar.xz"
  SRC_URI+=" https://dev.gentoo.org/~${PATCH_DEV}/distfiles/${P}-patches-${PATCH_VER}.tar.xz"
 fi
@@ -88,6 +88,8 @@ fi
 # * normal 'strip' command trims '.symtab'
 # Thus our main goal here is to prevent 'libpthread.so.0' from
 # losing it's '.symtab' entries.
+# - similarly, valgrind requires knowledge about symbols in ld.so:
+# bug #920753
 # As Gentoo's strip does not allow us to pass less aggressive stripping
 # options and does not check the machine target we strip selectively.
 
@@ -122,7 +124,7 @@ COMMON_DEPEND=" ) ) suid? ( caps? ( sys-libs/libcap ) ) selinux? ( sys-libs/libselinux ) - systemtap? ( dev-util/systemtap ) + systemtap? ( dev-debug/systemtap ) " DEPEND="${COMMON_DEPEND} "
@@ -168,6 +170,8 @@ XFAIL_TEST_LIST=(
  tst-system
  tst-strerror
  tst-strsignal
+ # Fails with certain PORTAGE_NICENESS/PORTAGE_SCHEDULING_POLICY
+ tst-sched1
 )
 
 XFAIL_NSPAWN_TEST_LIST=(
@@ -190,7 +194,6 @@ XFAIL_NSPAWN_TEST_LIST=(
 
  # These fail if --suppress-sync and/or low priority is set
  tst-sync_file_range
- tst-sched1
  test-errno
 )
 
@@ -657,8 +660,8 @@ setup_env() {
  export CXX="${glibc__GLIBC_CXX} ${glibc__abi_CFLAGS} ${CFLAGS}"
 
  if is_crosscompile; then
- # Assume worst-case bootstrap: glibc is buil first time
- # when ${CTARGET}-g++ is not available yet. We avoid
+ # Assume worst-case bootstrap: glibc is built for the first time
+ # with ${CTARGET}-g++ not available yet. We avoid
  # building auxiliary programs that require C++: bug #683074
  # It should not affect final result.
  export libc_cv_cxx_link_ok=no
@@ -1020,6 +1023,7 @@ glibc_do_configure() {
  myconf+=(
  --disable-werror
  --enable-bind-now
+ --enable-fortify-source
  --build=${CBUILD_OPT:-${CBUILD}}
  --host=${CTARGET_OPT:-${CTARGET}}
  $(use_enable profile)
@@ -1051,15 +1055,10 @@ glibc_do_configure() {
  # https://bugs.gentoo.org/753740
  libc_cv_complocaledir='${exec_prefix}/lib/locale'
 
- # -march= option tricks build system to infer too
- # high ISA level: https://sourceware.org/PR27318
- libc_cv_include_x86_isa_level=no
-
- # Explicit override of https://sourceware.org/PR27991
- # exposes a bug in glibc's configure:
- # https://sourceware.org/PR27991
- libc_cv_have_x86_lahf_sahf=no
- libc_cv_have_x86_movbe=no
+ # On aarch64 there is no way to override -mcpu=native, and if
+ # the current cpu does not support SVE configure fails.
+ # Let's boldly assume our toolchain can always build SVE instructions.
+ libc_cv_aarch64_sve_asm=yes
 
  ${EXTRA_ECONF}
  )
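Review bot: `--enable-fortify-source` is the only option in this part of the myconf array that carries neither a comment nor a use-flag gate, so the next version bump has no hint why it is here. It turns on _FORTIFY_SOURCE for glibc's own code (a configure switch that arrived with 2.38), which is the hardening this bump should keep; a one-liner such as `# 2.38+: compile glibc itself with _FORTIFY_SOURCE` next to it would pin that intent. If the overlay's profile already injects `-D_FORTIFY_SOURCE` via CFLAGS, it is worth confirming the two settings agree rather than assuming it. The myconf array starts and ends outside this hunk.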
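Review bot: Dropping `libc_cv_include_x86_isa_level=no` reinstates exactly what the removed comment cautioned about — glibc deriving an x86 ISA level from `-march=` in CFLAGS (the removed lines cite sourceware PR27318) — but the replacement comment only explains the aarch64 SVE override, so the reason the x86 overrides are now safe to lose is not recorded. If the SDK's -march is baseline or the configure issue is resolved in 2.38, state that next to `libc_cv_aarch64_sve_asm=yes`, e.g. `# x86 ISA-level/lahf-sahf overrides (PR27318, PR27991) dropped with 2.38 — TODO confirm no longer needed`. The SVE cache variable is also set for every CTARGET; that is presumably harmless on non-aarch64, but on aarch64 an assembler without SVE support now fails at build time instead of at configure, which the comment could say. The enclosing myconf array starts outside this hunk.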
@@ -1099,7 +1098,7 @@ glibc_do_configure() {
  # add x32 to it, gcc/glibc don't yet support x32.
  #
  if [[ -n ${GCC_BOOTSTRAP_VER} ]] && use multilib-bootstrap ; then
- echo 'main(){}' > "${T}"/test.c
+ echo 'int main(void){}' > "${T}"/test.c || die
  if ! $(tc-getCC ${CTARGET}) ${CFLAGS} ${LDFLAGS} "${T}"/test.c -Wl,-emain -lgcc 2>/dev/null ; then
  sed -i -e '/^CC = /s:$: -B$(objdir)/../'"gcc-multilib-bootstrap-${GCC_BOOTSTRAP_VER}/${ABI}:" config.make || die
  fi
@@ -1169,7 +1168,15 @@ glibc_headers_configure() {
  popd >/dev/null
  fi
 
+ local myconf=()
+
  case ${CTARGET} in
+ aarch64*)
+ # The configure checks fail during cross-build, so disable here
+ # for headers-only
+ myconf+=(
+ --disable-mathvec
+ ) ;;
  riscv*)
  # RISC-V interrogates the compiler to determine which target to
  # build. If building the headers then we don't strictly need a
@@ -1188,7 +1195,6 @@ glibc_headers_configure() {
  ) ;;
  esac
 
- local myconf=()
  myconf+=(
  --disable-sanity-checks
  --enable-hacker-mode
@@ -1272,7 +1278,7 @@ glibc_src_test() {
 
  # we give the tests a bit more time to avoid spurious
  # bug reports on slow arches
- SANDBOX_ON=0 LD_PRELOAD= TIMEOUTFACTOR=16 emake ${myxfailparams} check
+ SANDBOX_ON=0 LD_PRELOAD= TIMEOUTFACTOR=32 emake ${myxfailparams} check
 }
 
 src_test() {
@@ -1345,6 +1351,8 @@ glibc_do_src_install() {
  # gdb thread introspection relies on local libpthreads symbols. stripping breaks it
  # See Note [Disable automatic stripping]
  # dostrip -x $(alt_libdir)/libpthread-${upstream_pv}.so
+ # valgrind requires knowledge about ld.so symbols.
+ # dostrip -x $(alt_libdir)/ld-*.so*
 
  if [[ -e ${ED}/$(alt_usrlibdir)/libm-${upstream_pv}.a ]] ; then
  # Move versioned .a file out of libdir to evade portage QA checks
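Review bot: The added `# dostrip -x $(alt_libdir)/ld-*.so*` is commented out, mirroring the libpthread line above it, so this install step does nothing for the valgrind symbol problem the new comment describes; a reader has to guess that the selective-strip logic referenced by Note [Disable automatic stripping] (outside this hunk) is what actually keeps ld.so's symbols. Either make that explicit, e.g. `# valgrind needs ld.so symbols (bug #920753); kept by the selective strip in Note [Disable automatic stripping], not by dostrip`, or drop the dead dostrip line so it is not mistaken for an active exclusion. The glibc_do_src_install body continues on both sides of the hunk.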
@@ -1660,6 +1668,21 @@ pkg_preinst() {
  fi
 }
 
+glibc_refresh_ldconfig() {
+ if [[ ${MERGE_TYPE} == buildonly ]]; then
+ return
+ fi
+
+ # Version check could be added to avoid unnecessary work, but ldconfig
+ # should finish quickly enough to not matter.
+ ebegin "Refreshing ld.so.cache"
+ ldconfig -i
+ if ! eend $?; then
+ ewarn "Failed to refresh the ld.so.cache for you. Some programs may be broken"
+ ewarn "before you manually do so (ldconfig -i)."
+ fi
+}
+
 pkg_postinst() {
  # nothing to do if just installing headers
  just_headers && return
@@ -1670,6 +1693,17 @@ pkg_postinst() { fi if ! is_crosscompile && [[ -z ${ROOT} ]] ; then + # glibc-2.38+ on loong has ldconfig support added, but the ELF e_flags + # handling has changed as well, which means stale ldconfig auxiliary + # cache entries and failure to lookup libgcc_s / libstdc++ (breaking + # every C++ application) / libgomp etc., among other breakages. + # + # To fix this, simply refresh the ld.so.cache without using the + # auxiliary cache if we're natively installing on loong. This should + # be done relatively soon because we want to minimize the breakage + # window for the affected programs. + use loong && glibc_refresh_ldconfig + use compile-locales || run_locale_gen "${EROOT}/" fi
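Review bot: glibc_refresh_ldconfig runs `ldconfig -i` against the live host cache but only guards on MERGE_TYPE; the `[[ -z ${ROOT} ]]` check that makes this safe lives in the caller in pkg_postinst (a later hunk), so any future caller that forgets it would rewrite the build host's ld.so.cache during a ROOT= install. Move that guard into the function, `[[ -n ${ROOT} ]] && return`, placed right after the buildonly check, and give the function a header comment stating its contract, e.g. `# Rebuild ld.so.cache ignoring the auxiliary cache (-i). Native installs only; no-op for buildonly merges.`. The existing comment about a version check is fine as a TODO but does not say why -i is required; the rationale in the pkg_postinst hunk could be referenced here in one line.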