NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/rpm: security bump to 4.14.2.1

Browse Source 
- Remove first and second patches (already in version)
- Remove third and fourth patches (not needed since:
  245b5a3b4b)
- Add hash for license file
- Drop autoreconf (as configure.ac is not patched anymore)
- Use new --with-crypto option
- Restrict symlink following on installation (CVE-2017-7500,
  CVE-2017-7501)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit is contained in:
Fabrice Fontaine 2019-03-30 15:49:40 +01:00 committed by Thomas Petazzoni
parent 47048e6012
commit 3b4cc264d9
6 changed files with 9 additions and 186 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
package/rpm/0001-configure-ac-use-link-instead-of-compile-for-gcc-flags-test.patch
View File

@ -1,33 +0,0 @@
From b5f1895aae096836d6e8e155ee289e1b10fcabcb Mon Sep 17 00:00:00 2001
From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Date: Sat, 10 Oct 2015 23:17:44 +0200
Subject: [PATCH] configure.ac: use link instead of compile for gcc flags test
The logic that tests whether gcc supports or not certain flags uses
AC_COMPILE_IFELSE(). However, when checking for stack smashing
protection support, an AC_LINK_IFELSE() test is needed, since the
build might work but not the link stage if certain libraries are
missing for proper stack smashing protection support.
Therefore, this commit switches to use AC_LINK_IFELSE().
[Upstream commit: https://github.com/rpm-software-management/rpm/commit/b5f1895aae096836d6e8e155ee289e1b10fcabcb]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: James Knight <james.d.knight@live.com>
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 6ece8c9fd..822294c3f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -43,7 +43,7 @@ if test "$GCC" = yes; then
echo
for flag in $cflags_to_try; do
CFLAGS="$CFLAGS $flag -Werror"
- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[return 0;]])],[
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[return 0;]])],[
echo " $flag"
RPMCFLAGS="$RPMCFLAGS $flag"
],[])

45
package/rpm/0002-configure-ac-correct-stack-protector-check.patch
View File

@ -1,45 +0,0 @@
From c810a0aca3f1148d2072d44b91b8cc9caeb4cf19 Mon Sep 17 00:00:00 2001
From: James Knight <james.knight@rockwellcollins.com>
Date: Wed, 16 Nov 2016 15:54:46 -0500
Subject: [PATCH] configure.ac: correct stack protector check
If a used toolchain accepts the `-fstack-protector` option but does not
provide a stack smashing protector implementation (ex. libssp), linking
will fail:
.libs/rpmio.o: In function `Fdescr':
rpmio.c:(.text+0x672): undefined reference to `__stack_chk_fail_local'
.libs/rpmio.o: In function `Fdopen':
rpmio.c:(.text+0xce9): undefined reference to `__stack_chk_fail_local'
.libs/rpmio.o: In function `ufdCopy':
rpmio.c:(.text+0x10f7): undefined reference to `__stack_chk_fail_local'
...
This is a result of testing for `-fstack-protector` support using a main
that GCC does not inject guards. GCC's manual notes that stack protector
code is only added when "[functions] that call alloca, and functions
with buffers larger than 8 bytes" [1]. This commit adjusts the stack
protector check to allocate memory on the stack (via `alloca`).
[1]: https://gcc.gnu.org/onlinedocs/gcc-4.4.2/gcc/Optimize-Options.html
Signed-off-by: James Knight <james.knight@rockwellcollins.com>
[Upstream commit: https://github.com/rpm-software-management/rpm/commit/c810a0aca3f1148d2072d44b91b8cc9caeb4cf19]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index a9730d3bc..b4b3fe8fb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -43,7 +43,7 @@ if test "$GCC" = yes; then
echo
for flag in $cflags_to_try; do
CFLAGS="$CFLAGS $flag -Werror"
- AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[return 0;]])],[
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[alloca(100);]])],[
echo " $flag"
RPMCFLAGS="$RPMCFLAGS $flag"
],[])

55
package/rpm/0003-Detect-bfd.h-to-enable-disable-sepdebugcrcfix-buildi.patch
View File

@ -1,55 +0,0 @@
From edadcf67980764c104c25c7c1a0ba91257b89698 Mon Sep 17 00:00:00 2001
From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Date: Thu, 8 Dec 2016 23:33:30 +0100
Subject: [PATCH 1/2] Detect bfd.h to enable/disable sepdebugcrcfix building
tools/sepdebugcrcfix includes <bfd.h>, but this header from binutils
is not checked in the configure script. Due to this, sepdebugcrcfix is
attempted to be built even when <bfd.h> is not available. This commit
addresses that by adding the appropriate configure check.
This fixes the following build error:
tools/sepdebugcrcfix.c:31:17: fatal error: bfd.h: No such file or directory
compilation terminated.
make[3]: *** [tools/sepdebugcrcfix.o] Error 1
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
---
Makefile.am | 2 ++
configure.ac | 3 +++
2 files changed, 5 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 863138c..d8a68f0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -168,9 +168,11 @@ elfdeps_SOURCES = tools/elfdeps.c
elfdeps_LDADD = rpmio/librpmio.la
elfdeps_LDADD += @WITH_LIBELF_LIB@ @WITH_POPT_LIB@
+if HAS_BFD_H
rpmlibexec_PROGRAMS += sepdebugcrcfix
sepdebugcrcfix_SOURCES = tools/sepdebugcrcfix.c
sepdebugcrcfix_LDADD = @WITH_LIBELF_LIB@
+endif # HAS_BFD_H
endif
endif
diff --git a/configure.ac b/configure.ac
index c5ae701..b99ecb8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -242,6 +242,9 @@ AC_CHECK_HEADERS([dwarf.h], [
])
AM_CONDITIONAL(LIBDWARF,[test "$WITH_LIBDWARF" = yes])
+AC_CHECK_HEADERS([bfd.h])
+AM_CONDITIONAL(HAS_BFD_H, [test "${ac_cv_header_bfd_h}" = "yes"])
+
#=================
# Check for beecrypt library if requested.
AC_ARG_WITH(beecrypt, [ --with-beecrypt build with beecrypt support ],,[with_beecrypt=no])
--
2.7.4

43
package/rpm/0004-tools-sepdebugcrcfix.c-fix-build-with-recent-binutil.patch
View File

@ -1,43 +0,0 @@
From 65afab91444d4996a8e61d1e2d27d52e18417ef5 Mon Sep 17 00:00:00 2001
From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Date: Thu, 8 Dec 2016 23:45:55 +0100
Subject: [PATCH 2/2] tools/sepdebugcrcfix.c: fix build with recent binutils
Moderately recent binutils versions install a <bfd.h> header that
checks if config.h is included. While this makes sense in binutils
itself, it does not outside. So the binutils developers have added a
check: if PACKAGE or PACKAGE_VERSION are defined, they assume you're
re-using bfd.h outside of binutils, and therefore including it without
including config.h is legit.
So we take the same approch as numerous users of bfd.h: fake a PACKAGE
definition. See for example tools/perf/util/srcline.c in the Linux
kernel source tree.
This fixes the following build error:
In file included from tools/sepdebugcrcfix.c:31:0:
/home/test/autobuild/run/instance-0/output/host/usr/arc-buildroot-linux-uclibc/sysroot/usr/include/bfd.h:35:2: error: #error config.h must be included before this header
#error config.h must be included before this header
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
---
tools/sepdebugcrcfix.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/sepdebugcrcfix.c b/tools/sepdebugcrcfix.c
index cd7fa02..e7b480f 100644
--- a/tools/sepdebugcrcfix.c
+++ b/tools/sepdebugcrcfix.c
@@ -28,6 +28,8 @@
#include <error.h>
#include <libelf.h>
#include <gelf.h>
+/* Needed to please <bfd.h> */
+#define PACKAGE "rpm"
#include <bfd.h>
#define _(x) x
--
2.7.4

7
package/rpm/rpm.hash
View File

@ -1,2 +1,5 @@
# From http://rpm.org/wiki/Releases/4.13.0.1 # From https://rpm.org/wiki/Releases/4.14.2.1.html
sha1 9566f95f38fcb214e439c552f378c2f64ba0aff9 rpm-4.13.0.1.tar.bz2 sha256 1139c24b7372f89c0a697096bf9809be70ba55e006c23ff47305c1849d98acda rpm-4.14.2.1.tar.bz2
# Hash for license file
sha256 d56f4f1f290f6920cb053aef0dbcd0b853cda289e2568b364ddbfce220a6f3e0 COPYING

12
package/rpm/rpm.mk
View File

@ -4,8 +4,8 @@
# #
################################################################################ ################################################################################
RPM_VERSION_MAJOR = 4.13 RPM_VERSION_MAJOR = 4.14
RPM_VERSION = $(RPM_VERSION_MAJOR).0.1 RPM_VERSION = $(RPM_VERSION_MAJOR).2.1
RPM_SOURCE = rpm-$(RPM_VERSION).tar.bz2 RPM_SOURCE = rpm-$(RPM_VERSION).tar.bz2
RPM_SITE = http://ftp.rpm.org/releases/rpm-$(RPM_VERSION_MAJOR).x RPM_SITE = http://ftp.rpm.org/releases/rpm-$(RPM_VERSION_MAJOR).x
RPM_DEPENDENCIES = host-pkgconf berkeleydb file popt zlib \ RPM_DEPENDENCIES = host-pkgconf berkeleydb file popt zlib \
@ -13,10 +13,6 @@ RPM_DEPENDENCIES = host-pkgconf berkeleydb file popt zlib \
RPM_LICENSE = GPL-2.0 or LGPL-2.0 (library only) RPM_LICENSE = GPL-2.0 or LGPL-2.0 (library only)
RPM_LICENSE_FILES = COPYING RPM_LICENSE_FILES = COPYING
# 0001-configure-ac-use-link-instead-of-compile-for-gcc-flags-test.patch
# 0002-configure-ac-correct-stack-protector-check.patch
RPM_AUTORECONF = YES
RPM_CONF_OPTS = \ RPM_CONF_OPTS = \
--disable-python \ --disable-python \
--disable-rpath \ --disable-rpath \
@ -35,11 +31,11 @@ endif
ifeq ($(BR2_PACKAGE_LIBNSS),y) ifeq ($(BR2_PACKAGE_LIBNSS),y)
RPM_DEPENDENCIES += libnss RPM_DEPENDENCIES += libnss
RPM_CONF_OPTS += --without-beecrypt RPM_CONF_OPTS += --with-crypto=nss
RPM_CFLAGS += -I$(STAGING_DIR)/usr/include/nss -I$(STAGING_DIR)/usr/include/nspr RPM_CFLAGS += -I$(STAGING_DIR)/usr/include/nss -I$(STAGING_DIR)/usr/include/nspr
else else
RPM_DEPENDENCIES += beecrypt RPM_DEPENDENCIES += beecrypt
RPM_CONF_OPTS += --with-beecrypt RPM_CONF_OPTS += --with-crypto=beecrypt
RPM_CFLAGS += -I$(STAGING_DIR)/usr/include/beecrypt RPM_CFLAGS += -I$(STAGING_DIR)/usr/include/beecrypt
endif endif