sys-libs/musl: backport security fixes
Liam Wachter (1):
dns: fix nameserver OOB read in IPv6-disabled fallback
Luca Kellermann (1):
qsort: fix shift UB in shl and shr
Rich Felker (4):
fix incorrect access to tzname[] by strptime %Z conversion specifier
fix pathological slowness & incorrect mappings in iconv gb18030 decoder
qsort: fix leonardo heap corruption from bug in doubleword ctz primitive
qsort: hard-preclude oob array writes independent of any invariants
Szabolcs Nagy (1):
regex: reject invalid \digit back reference in BRE
Bug: https://bugs.gentoo.org/972527
Signed-off-by: Sam James <sam@gentoo.org>
@@ -2,6 +2,7 @@ DIST getconf.c 11614 BLAKE2B ba49a573fc16d51780a0b0b81fbf7b64a1142f1dbad203c9609
|
||||
DIST iconv.c 2577 BLAKE2B 070ca87b30c90ab98c27d5faf7a2fcb64ff7c67ca212ee6072165b2146979c551f714954dbd465462a171837c59b6ea027e0206458a2df0f977e45f01be3ce48 SHA512 9d42d66fb1facce2b85dad919be5be819ee290bd26ca2db00982b2f8e055a0196290a008711cbe2b18ec9eee8d2270e3b3a4692c5a1b807013baa5c2b70a2bbf
|
||||
DIST musl-1.2.5.tar.gz 1080786 BLAKE2B 6065dc1e01874d1b96abe714147dcc0b41ca702ca9e9c44e85864185dab0b6d085a692745db0822c94a79325e1a91dad60c52f467717d9323b2b3c6ad0a17545 SHA512 7bb7f7833923cd69c7a1a9b8a5f1784bfd5289663eb6061dcd43d583e45987df8a68a1be05d75cc1c88a3f5b610653d1a70f4a9cff4d8f7fd41ae73ee058c17c
|
||||
DIST musl-1.2.5.tar.gz.asc 490 BLAKE2B f0d91b20aa7729449bd02a60adf17e8287904ed5971851a34b15f500011137ddc3f338d24712ff0481f1d6f9a749d87014a82b26a3bd9de660ddbf29678a8777 SHA512 c8aebf05b14abbd33ff568ca17ddd8b29e6f53cbb1cb85e00b64f15516ffc46a7a064c996a7bb1c9681a361a4921204ac58e4a1cfd7bd3ad60d7f2b0151d9229
|
||||
DIST musl-1.2.6-patches.tar.xz 7128 BLAKE2B 5e71184b5ab6b119105c897d811f52ea4169408fe6d91f77675b5378daef6aacb10650ca2dbdaeddc03c8aff3f774d02721b35d8fab9b7036e8fe68f969c132a SHA512 a4a37acc82874ce4f0e2aa512887c4d7cae3b9a895d06dce9ebb746ffe062f31d1ace0b815123563fdcdfcc2d6cedf3283911b8ec0eac62f8cd27877fea5ef7f
|
||||
DIST musl-1.2.6.tar.gz 1082499 BLAKE2B b13a95bacd1557ac3044bff63cb09bcc7f3b606a81eada2506461a34691502d25b54f0157e9c320b936d896496bd0c3bc4efbd91e8dab803e000e8c90d328800 SHA512 1adad96eddb3a2eb0cacb3e363b0046568925fcdd75cf8b0503f2139df1f693d64730779ca0ce8131b7624ab2d37f4247bb1d3393c523de6e30d2b1d7732555c
|
||||
DIST musl-1.2.6.tar.gz.asc 490 BLAKE2B c4270fd7e3f1e6a5a0ea39d386549c257329ede5f32e7823588b7b8c0703faa02d278c8a926d27821ae15a8c497b5eca2eb62633428a1b65ea4ed07c4154ebd9 SHA512 59f15ffb206bd25b99cccc49a9dfe8fcd0f8ad78b9f769cc650c113f6fff35f9c5b6a431e5a9952f2fab5da20ce1586f1429d40947cf68164712ebbfc2b637fe
|
||||
DIST musl-getent-93a08815f8598db442d8b766b463d0150ed8e2ab.c 11656 BLAKE2B 1b7bf7102a1eb91a8cb881ed8ca65eb8eed911dd50238e97dc2952d89d4c6ebed6bfd046a2b38776c550b2872ab54ced8cb452fcc2ad56e5616f722debda761f SHA512 7f5b9d934d82deb5f8b23e16169a5d9b99ccab3a4708df06a95d685e1b24a3a3e69b3dcf4942f2f66c12a3d4bf0c5827e2ee2e8c4d7b1997359fccc2ac212dee
|
||||
|
||||
@@ -0,0 +1,261 @@
|
||||
# Copyright 1999-2026 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=8
|
||||
|
||||
inherit crossdev flag-o-matic toolchain-funcs prefix
|
||||
|
||||
DESCRIPTION="Light, fast and, simple C library focused on standards-conformance and safety"
|
||||
HOMEPAGE="https://musl.libc.org"
|
||||
|
||||
if [[ ${PV} == 9999 ]] ; then
|
||||
EGIT_REPO_URI="https://git.musl-libc.org/git/musl"
|
||||
inherit git-r3
|
||||
else
|
||||
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/musl.asc
|
||||
inherit verify-sig
|
||||
|
||||
SRC_URI="
|
||||
https://musl.libc.org/releases/${P}.tar.gz
|
||||
https://distfiles.gentoo.org/pub/proj/musl/${P}-patches.tar.xz
|
||||
verify-sig? ( https://musl.libc.org/releases/${P}.tar.gz.asc )
|
||||
"
|
||||
KEYWORDS="-* ~amd64 ~arm ~arm64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~x86"
|
||||
|
||||
BDEPEND="verify-sig? ( sec-keys/openpgp-keys-musl )"
|
||||
fi
|
||||
|
||||
GETENT_COMMIT="93a08815f8598db442d8b766b463d0150ed8e2ab"
|
||||
GETENT_FILE="musl-getent-${GETENT_COMMIT}.c"
|
||||
SRC_URI+="
|
||||
https://dev.gentoo.org/~blueness/musl-misc/getconf.c
|
||||
https://gitlab.alpinelinux.org/alpine/aports/-/raw/${GETENT_COMMIT}/main/musl/getent.c -> ${GETENT_FILE}
|
||||
https://dev.gentoo.org/~blueness/musl-misc/iconv.c
|
||||
"
|
||||
|
||||
LICENSE="MIT LGPL-2 GPL-2"
|
||||
SLOT="0"
|
||||
IUSE="crypt headers-only split-usr"
|
||||
|
||||
QA_SONAME="usr/lib/libc.so"
|
||||
QA_DT_NEEDED="usr/lib/libc.so"
|
||||
# bug #830213
|
||||
QA_PRESTRIPPED="usr/lib/crtn.o"
|
||||
|
||||
# We want crypt on by default for this as sys-libs/libxcrypt isn't (yet?)
|
||||
# built as part as crossdev. Also, elide the blockers when in cross-*,
|
||||
# as it doesn't make sense to block the normal CBUILD libxcrypt at all
|
||||
# there when we're installing into /usr/${CHOST} anyway.
|
||||
if is_crosspkg ; then
|
||||
IUSE="${IUSE/crypt/+crypt}"
|
||||
else
|
||||
RDEPEND="crypt? ( !sys-libs/libxcrypt[system] )"
|
||||
PDEPEND="!crypt? ( sys-libs/libxcrypt[system] )"
|
||||
fi
|
||||
|
||||
PATCHES=(
|
||||
"${FILESDIR}"/${PN}-getifaddrs-qemu-workaround.patch
|
||||
"${WORKDIR}"/${P}-patches
|
||||
)
|
||||
|
||||
just_headers() {
|
||||
use headers-only && target_is_not_host
|
||||
}
|
||||
|
||||
pkg_setup() {
|
||||
if [[ ${CTARGET} == ${CHOST} ]] ; then
|
||||
case ${CHOST} in
|
||||
*-musl*) ;;
|
||||
*) die "Use sys-devel/crossdev to build a musl toolchain" ;;
|
||||
esac
|
||||
fi
|
||||
|
||||
# Fix for bug #667126, copied from glibc ebuild:
|
||||
# make sure host make.conf doesn't pollute us
|
||||
if target_is_not_host || tc-is-cross-compiler ; then
|
||||
CHOST=${CTARGET} strip-unsupported-flags
|
||||
fi
|
||||
}
|
||||
|
||||
src_unpack() {
|
||||
if [[ ${PV} == 9999 ]] ; then
|
||||
git-r3_src_unpack
|
||||
elif use verify-sig ; then
|
||||
# We only verify the release; not the additional (fixed, safe) files
|
||||
# we download.
|
||||
# (Seem to get IPC error on verifying in cross?)
|
||||
! target_is_not_host && verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
|
||||
fi
|
||||
|
||||
default
|
||||
}
|
||||
|
||||
src_prepare() {
|
||||
default
|
||||
|
||||
mkdir "${WORKDIR}"/misc || die
|
||||
cp "${DISTDIR}"/getconf.c "${WORKDIR}"/misc/getconf.c || die
|
||||
cp "${DISTDIR}/${GETENT_FILE}" "${WORKDIR}"/misc/getent.c || die
|
||||
cp "${DISTDIR}"/iconv.c "${WORKDIR}"/misc/iconv.c || die
|
||||
}
|
||||
|
||||
src_configure() {
|
||||
strip-flags && filter-lto # Prevent issues caused by aggressive optimizations & bug #877343
|
||||
tc-getCC ${CTARGET}
|
||||
|
||||
just_headers && export CC=true
|
||||
|
||||
local sysroot
|
||||
target_is_not_host && sysroot=/usr/${CTARGET}
|
||||
./configure \
|
||||
--target=${CTARGET} \
|
||||
--prefix="${EPREFIX}${sysroot}/usr" \
|
||||
--syslibdir="${EPREFIX}${sysroot}/lib" \
|
||||
--disable-gcc-wrapper || die
|
||||
}
|
||||
|
||||
src_compile() {
|
||||
emake obj/include/bits/alltypes.h
|
||||
just_headers && return 0
|
||||
|
||||
emake
|
||||
if ! is_crosspkg ; then
|
||||
emake -C "${T}" getconf getent iconv \
|
||||
CC="$(tc-getCC)" \
|
||||
CFLAGS="${CFLAGS}" \
|
||||
CPPFLAGS="${CPPFLAGS}" \
|
||||
LDFLAGS="${LDFLAGS}" \
|
||||
VPATH="${WORKDIR}/misc"
|
||||
fi
|
||||
|
||||
$(tc-getCC) ${CPPFLAGS} ${CFLAGS} -c -o libssp_nonshared.o "${FILESDIR}"/stack_chk_fail_local.c || die
|
||||
$(tc-getAR) -rcs libssp_nonshared.a libssp_nonshared.o || die
|
||||
}
|
||||
|
||||
src_install() {
|
||||
local target="install"
|
||||
just_headers && target="install-headers"
|
||||
emake DESTDIR="${D}" ${target}
|
||||
just_headers && return 0
|
||||
|
||||
# musl provides ldd via a sym link to its ld.so
|
||||
local sysroot=
|
||||
target_is_not_host && sysroot=/usr/${CTARGET}
|
||||
local ldso=$(basename "${ED}${sysroot}"/lib/ld-musl-*)
|
||||
dosym -r "${sysroot}/lib/${ldso}" "${sysroot}/usr/bin/ldd"
|
||||
|
||||
if ! use crypt ; then
|
||||
# Allow sys-libs/libxcrypt[system] to provide it instead
|
||||
rm "${ED}${sysroot}/usr/include/crypt.h" || die
|
||||
rm "${ED}${sysroot}"/usr/*/libcrypt.a || die
|
||||
fi
|
||||
|
||||
if ! is_crosspkg ; then
|
||||
# Fish out of config:
|
||||
# ARCH = ...
|
||||
# SUBARCH = ...
|
||||
# and print $(ARCH)$(SUBARCH).
|
||||
local arch=$(awk '{ k[$1] = $3 } END { printf("%s%s", k["ARCH"], k["SUBARCH"]); }' config.mak)
|
||||
|
||||
# The musl build system seems to create a symlink:
|
||||
# ${D}/lib/ld-musl-${arch}.so.1 -> /usr/lib/libc.so.1 (absolute)
|
||||
# During cross or within prefix, there's no guarantee that the host is
|
||||
# using musl so that file may not exist. Use a relative symlink within
|
||||
# ${D} instead.
|
||||
rm "${ED}"/lib/ld-musl-${arch}.so.1 || die
|
||||
if use split-usr; then
|
||||
dosym ../usr/lib/libc.so /lib/ld-musl-${arch}.so.1
|
||||
# If it's still a dead symlink, OK, we really do need to abort.
|
||||
[[ -e "${ED}"/lib/ld-musl-${arch}.so.1 ]] || die
|
||||
else
|
||||
dosym libc.so /usr/lib/ld-musl-${arch}.so.1
|
||||
[[ -e "${ED}"/usr/lib/ld-musl-${arch}.so.1 ]] || die
|
||||
fi
|
||||
|
||||
cp "${FILESDIR}"/ldconfig.in-r3 "${T}"/ldconfig.in || die
|
||||
sed -e "s|@@ARCH@@|${arch}|" "${T}"/ldconfig.in > "${T}"/ldconfig || die
|
||||
eprefixify "${T}"/ldconfig
|
||||
into /
|
||||
dosbin "${T}"/ldconfig
|
||||
into /usr
|
||||
dobin "${T}"/getconf
|
||||
dobin "${T}"/getent
|
||||
dobin "${T}"/iconv
|
||||
newenvd - "00musl" <<-EOF
|
||||
# 00musl autogenerated by sys-libs/musl ebuild; DO NOT EDIT.
|
||||
LDPATH="include ld.so.conf.d/*.conf"
|
||||
EOF
|
||||
fi
|
||||
|
||||
if target_is_not_host ; then
|
||||
into /usr/${CTARGET}
|
||||
dolib.a libssp_nonshared.a
|
||||
else
|
||||
dolib.a libssp_nonshared.a
|
||||
fi
|
||||
}
|
||||
|
||||
# Simple test to make sure our new musl isn't completely broken.
|
||||
# Make sure we don't test with statically built binaries since
|
||||
# they will fail. Also, skip if this musl is a cross compiler.
|
||||
#
|
||||
# If coreutils is built with USE=multicall, some of these files
|
||||
# will just be wrapper scripts, not actual ELFs we can test.
|
||||
musl_sanity_check() {
|
||||
cd / #228809
|
||||
|
||||
# We enter ${ED} so to avoid trouble if the path contains
|
||||
# special characters; for instance if the path contains the
|
||||
# colon character (:), then the linker will try to split it
|
||||
# and look for the libraries in an unexpected place. This can
|
||||
# lead to unsafe code execution if the generated prefix is
|
||||
# within a world-writable directory.
|
||||
# (e.g. /var/tmp/portage:${HOSTNAME})
|
||||
pushd "${ED}"/usr/$(get_libdir) >/dev/null
|
||||
|
||||
# first let's find the actual dynamic linker here
|
||||
# symlinks may point to the wrong abi
|
||||
local newldso=$(find . -maxdepth 1 -name 'libc.so' -type f -print -quit)
|
||||
|
||||
einfo Last-minute run tests with ${newldso} in /usr/$(get_libdir) ...
|
||||
|
||||
local x striptest
|
||||
for x in cal date env free ls true uname uptime ; do
|
||||
x=$(type -p ${x})
|
||||
[[ -z ${x} || ${x} != ${EPREFIX}/* ]] && continue
|
||||
striptest=$(LC_ALL="C" file -L ${x} 2>/dev/null) || continue
|
||||
case ${striptest} in
|
||||
*"statically linked"*) continue;;
|
||||
*"static-pie linked"*) continue;;
|
||||
*"ASCII text"*) continue;;
|
||||
esac
|
||||
# We need to clear the locale settings as the upgrade might want
|
||||
# incompatible locale data. This test is not for verifying that.
|
||||
LC_ALL=C \
|
||||
${newldso} --library-path . ${x} > /dev/null \
|
||||
|| die "simple run test (${x}) failed"
|
||||
done
|
||||
|
||||
popd >/dev/null
|
||||
}
|
||||
|
||||
pkg_preinst() {
|
||||
# Nothing to do if just installing headers
|
||||
just_headers && return
|
||||
|
||||
# Prepare /etc/ld.so.conf.d/ for files
|
||||
mkdir -p "${EROOT}"/etc/ld.so.conf.d
|
||||
|
||||
[[ -n ${ROOT} ]] && return 0
|
||||
[[ -d ${ED}/usr/$(get_libdir) ]] || return 0
|
||||
target_is_not_host && return 0
|
||||
musl_sanity_check
|
||||
}
|
||||
|
||||
pkg_postinst() {
|
||||
target_is_not_host && return 0
|
||||
|
||||
[[ -n "${ROOT}" ]] && return 0
|
||||
|
||||
ldconfig || die
|
||||
}
|
||||
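Review bot: In src_unpack, `! target_is_not_host && verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}` skips the OpenPGP check without any message whenever the target is not the host, so a crossdev build with USE=verify-sig falls back to the Manifest checksums and nothing in the build log says so. I would make the skip visible by adding `target_is_not_host && ewarn "Skipping OpenPGP verification of ${P}.tar.gz for cross target"` before that line. The comment above it could also state what actually protects the unsigned downloads: getconf.c, getent.c, iconv.c and `${P}-patches.tar.xz` (which presumably carries the backported fixes) are pinned only by their Manifest hashes, which is more precise than "(fixed, safe)". Separately, in musl_sanity_check the `pushd "${ED}"/usr/$(get_libdir) >/dev/null` has no failure check, although the comment block above it says that entering that directory is what keeps `--library-path .` from resolving somewhere unexpected; `pushd "${ED}"/usr/$(get_libdir) >/dev/null || die` would make the test stop instead of continuing from `/`.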