Commit Graph

127 Commits

Author SHA1 Message Date
Peter Korsgaard
75e7c7ba8c package/{glibc, localedef}: security bump to version glibc-2.38-44-gd37c2b20a4787463d192b32041c3406c2bd91de0
Fixes the following security issues:

CVE-2023-6246: syslog: Fix heap buffer overflow in __vsyslog_internal
https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2024-0001;hb=HEAD

CVE-2023-6779: syslog: Heap buffer overflow in __vsyslog_internal
https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2024-0002;hb=HEAD

CVE-2023-6780: syslog: Integer overflow in __vsyslog_internal
https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2024-0003;hb=HEAD

For details, see the Qualys advisory:
https://www.openwall.com/lists/oss-security/2024/01/30/6

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-01 11:58:51 +01:00
Peter Korsgaard
62b767fd3e package/glibc: add CVE ignore for CVE-2023-4806
Commit 8519de517e (package/{glibc, localedef}: security bump to version
glibc-2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701) correctly mentioned
CVE-2023-4806 in the commit message, but forgot to add an ignore for it.

Fix that.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-01 11:58:42 +01:00
Peter Korsgaard
1d97f8c41e package/glibc: drop extra ')' in comment
No functional change.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-08 09:04:42 +01:00
Thomas Petazzoni
adaae82c58 package/glibc: ignore CVEs not considered as security issues by upstream
5 CVEs affecting glibc according to the NVD database are considered as
not being security issues by upstream glibc developers:

* CVE-2010-4756: The glob implementation in the GNU C Library (aka
  glibc or libc6) allows remote authenticated users to cause a denial
  of service (CPU and memory consumption) via crafted glob expressions
  that do not match any pathnames. glibc maintainers position: "That's
  standard POSIX behaviour implemented by (e)glibc. Applications using
  glob need to impose limits for themselves"

* CVE-2019-1010022: GNU Libc current is affected by: Mitigation
  bypass. The impact is: Attacker may bypass stack guard
  protection. The component is: nptl. The attack vector is: Exploit
  stack buffer overflow vulnerability and use this bypass
  vulnerability to bypass stack guard. NOTE: Upstream comments
  indicate "this is being treated as a non-security bug and no real
  threat. glibc maintainers position: "Not treated as a security issue
  by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22850"

* CVE-2019-1010023: GNU Libc current is affected by: Re-mapping
  current loaded library with malicious ELF file. The impact is: In
  worst case attacker may evaluate privileges. The component is:
  libld. The attack vector is: Attacker sends 2 ELF files to victim
  and asks to run ldd on it. ldd execute code. NOTE: Upstream comments
  indicate "this is being treated as a non-security bug and no real
  threat. glibc maintainers position: "Not treated as a security issue
  by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22851"

* CVE-2019-1010024: GNU Libc current is affected by: Mitigation
  bypass. The impact is: Attacker may bypass ASLR using cache of
  thread stack and heap. The component is: glibc. NOTE: Upstream
  comments indicate "this is being treated as a non-security bug and
  no real threat. glibc maintainers position: "Not treated as a
  security issue by upstream
  https://sourceware.org/bugzilla/show_bug.cgi?id=22852"

* CVE-2019-1010025: GNU Libc current is affected by: Mitigation
  bypass. The impact is: Attacker may guess the heap addresses of
  pthread_created thread. The component is: glibc. NOTE: the vendor's
  position is "ASLR bypass itself is not a vulnerability. Glibc
  maintainers position: "Not treated as a security issue by upstream
  https://sourceware.org/bugzilla/show_bug.cgi?id=22853"

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-23 11:11:37 +01:00
Thomas Petazzoni
af8c0e5c74 package/glibc: add proper CPE ID version detail
As reported in bug 15895, the GLIBC_VERSION field having a value
looking like 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701, it
prevents the CPE/CVE matching with the NVD database to work correctly.

This commit fixes that by defining GLIBC_CPE_ID_VERSION, derived from
GLIBC_VERSION, by extracting the base version.

Also, we update GLIBC_IGNORE_CVES to account for the CVEs that have
clearly been fixed between 2.38 and
2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701. There are a number
of other CVEs still affecting the glibc package, but they are not
related to this
2.38...2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701 range.

Fixes: #15895

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-23 10:58:40 +01:00
Peter Korsgaard
8519de517e package/{glibc, localedef}: security bump to version glibc-2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701
Fixes the following security issues:

  CVE-2023-4527: If the system is configured in no-aaaa mode via
  /etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address
  family, and a DNS response is received over TCP that is larger than
  2048 bytes, getaddrinfo may potentially disclose stack contents via
  the returned address data, or crash.

  CVE-2023-4806: When an NSS plugin only implements the
  _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use
  memory that was freed during buffer resizing, potentially causing a
  crash or read or write to arbitrary memory.

  CVE-2023-5156: The fix for CVE-2023-4806 introduced a memory leak when
  an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
  AI_ALL and AI_V4MAPPED flags set.

  CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the
  environment of a setuid program and NAME is valid, it may result in a
  buffer overflow, which could be exploited to achieve escalated
  privileges.  This flaw was introduced in glibc 2.34.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-10-05 21:54:10 +02:00
Romain Naour
34f8d874ee package/{glibc, localedef}: bump to version 2.38-13-g92201f16cbcfd9eafe314ef6654be2ea7ba25675
Enable mathvec explicitly on aarch64(be) since it's now enabled by
default [1]. aarch64 mathvec requires at gcc-10 but Buildroot already
provide gcc-11 as minimum version.

Don't use --enable-fortify-source for now in order to keep original
behavior while doing the glibc version bump (and because some
architecture doesn't support well fortify-source, i.e Microblaze).
Postpone this change to a follow up commit.

Keep the "deprecated" libcrypt enabled just in case if some
application are not yet ready to use an alternative such as libxcrypt.

Security related changes:

  CVE-2023-25139: When the printf family of functions is called with a
  format specifier that uses an <apostrophe> (enable grouping) and a
  minimum width specifier, the resulting output could be larger than
  reasonably expected by a caller that computed a tight bound on the
  buffer size.  The resulting larger than expected output could result
  in a buffer overflow in the printf family of functions.

See:
https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00010.html

Runtime tested with Qemu on Gitlab-ci:
https://gitlab.com/kubu93/buildroot/-/pipelines/998435203
https://gitlab.com/buildroot.org/toolchains-builder/-/pipelines/998926028

[1] https://sourceware.org/git/?p=glibc.git;a=commit;h=cd94326a1326c4e3f1ee7a8d0a161cc0bdcaf07e

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-29 21:28:05 +02:00
Romain Naour
a379499f73 package/glibc: bump to version 2.37
See:
https://sourceware.org/glibc/wiki/Release/2.37
https://lists.gnu.org/archive/html/info-gnu/2023-02/msg00000.html

Security related changes:

  CVE-2022-39046: When the syslog function is passed a crafted input
  string larger than 1024 bytes, it reads uninitialized memory from the
  heap and prints it to the target log file, potentially revealing a
  portion of the contents of the heap

Remove patch 0001-Revert-Linux-Implement-a-useful-version-of-_startup_.patch fixed
in 2.37 release by [1].

[1] https://sourceware.org/bugzilla/show_bug.cgi?id=29249

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Sebastian Weyer <sebastian.weyer@smile.fr>
Tested-by: Bagas Sanjaya <bagasdotme@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-04-10 21:11:07 +02:00
James Hilliard
87ee360f3a package/{glibc, localedef}: bump to version 2.36-81-g4f4d7a13edfd2fdc57c9d76e1fd6d017fb47550c
Drop patches which are now upstream.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-01-07 20:28:23 +01:00
James Hilliard
7630d0dde3 package/{glibc, localedef}: bump to version 2.36-66-ga1dc0be03c9dd850b864bd7a9c03cf8e396eb7ca
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2022-10-26 21:50:06 +02:00
Michael Fischer
80c8c15c85 package/{glibc, localedef}: bump to version glibc-2.36-44-g2628500f5dff1dd99c49a09b418b3b1ea3a6b5d3
patch 0002: already applied upstream

Signed-off-by: Michael Fischer <mf@go-sys.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2022-09-23 23:44:08 +02:00
James Hilliard
8d6e07e525 package/{glibc, localedef}: bump to version 2.35-134-gb6aade18a7e5719c942aa2da6cf3157aca993fa4
Contains various fixes some of which may effect pthread fork handling.

Add patch reverting a commit breaking builds.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2022-07-20 23:51:51 +02:00
James Hilliard
1386336fc8 package/{glibc, localedef}: bump to version 2.35-96-g2c4fc8e5ca742c6a3a1933799495bb0b00a807f0
Fixes:
Generating locale C.UTF-8
[error] LC_MONETARY: value for field `mon_decimal_point' must not be an empty string
[error] no output file produced because errors were issued

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2022-05-17 07:47:15 +02:00
Fabrice Fontaine
13bb9642ad package/glibc: can't be built without optimization
Fix the following build failure:

In file included from <command-line>:
./../include/libc-symbols.h:75:3: error: #error "glibc cannot be compiled without optimization"
   75 | # error "glibc cannot be compiled without optimization"
      |   ^~~~~

Fixes:
 - http://autobuild.buildroot.org/results/1ba20982d5ec0edc751a11a2d5639f5f6477b9bc

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2022-05-16 23:46:53 +02:00
Fabrice Fontaine
d11d2d4746 package/glibc: can't be built with Optimize for fast
Fix the following build failure:

In file included from <command-line>:
./../include/libc-symbols.h:82:3: error: #error "glibc must not be compiled with -ffast-math"
   82 | # error "glibc must not be compiled with -ffast-math"
      |   ^~~~~

Fixes:
 - http://autobuild.buildroot.org/results/3d91f3685ae6c3e1f765d419ea2c0da4cb0eb3be

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2022-05-16 23:46:51 +02:00
Waldemar Brodkorb
68d0aede59 package/{glibc, localedef}: update to 2.35
https://sourceware.org/pipermail/libc-alpha/2022-February/136040.html

- Remove upstreamed patch 0001. Patches to localedef are not upstream.
- allow to use optimization CFLAGS (not CPPFLAGS) which are nowadays
  supported by upstream (except nios2)
- enable support for or1k, which is now included upstream
- runtime tested with qemu-system for aarch64/arm/microblaze/mips/mips64/nios2/
  or1k/powerpc/powerpc64/powerpc64le/riscv32/riscv64/s390x/sh4/sparc64/x86/x86_64

Since only a single version is supported (no csky fork any more), move
the hash file out of the version directory. Also, make a symlink from
the localedef to the glibc hash file rather than copying it.

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Tested-by: Petr Vorel <petr.vorel@gmail.com>
[Arnout: make localedef.hash a symlink]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2022-05-10 21:44:34 +02:00
Yann E. MORIN
525ffc2bb1 package/glibc: allow runing on kernels older than used for the headers
Currently, we configure glibc to not add compatibility support for
kernels older than the one used for the headers. This is on the
expectation that the system will never run on a kernel that is older
than the one used for the headers or, when Buildroot builds the kernel,
on another, older kernel.

However, in some situations, it is possible to build for a generic
system, where the kernel may be a different version. This can be the
case, for example, when Building an image that is to be used in a
container that can run on a range of machines each with different kernel
versions. In such a case, it is interesting to build glibc in a way as
to take better advantage of the newer kernels, and thus using newer
kernel headers, while still allowing running on older kernels, and thus
carrying more compatibility code.

We add an option to glibc to allow the user to enable compatibility
shims. To simplify the case, when that option is enabled, we just let
glibc enable as old compatibility shims as supported by the current
architecture.

The code size increase is very small. For an ARM Cortex-A7, with
gcc-10.3.0, the delta is as follows (other files installed by glibc had
no size delta; sizes in bytes):
    file                  | no compat | compat    | delta
    ----------------------+-----------+-----------+-------
    ld-linux-armhf.so.3   | 200216    | 200284    | +  68
    libc.so.6             | 1814496   | 1823120   | +8624
                                            ------+-------
                                            Total | +8692

No runtime overhead has been measured; the overhead is most probably
in the measurement noise. Indeed, the compatibility shims are very
lightweight. For example, there are 9 arch-generic shims:
    renameat2(), execveat(), mlock2(), statx(), faccessat2(),
    close_range(), time64-related syscall shenanigans, a waitid()
    feature, and a futex operation (LOCK_PI2)
and then each arch may define a few others. i386 has less than 20
(mostly related to socket options, and one for the ordering of the
clone() arguments), while ARM seems to have only two (mlock2() and a
configurable futex feature).

Note: however, as Arnout pointed out, some programs may still actually
fail to run even with such compatibility shim, if they really expect the
shimed syscalls to really exist and have no fallback (and/or no proper
error-handling). Still, in the vast majority of cases, those
compatibility shims are enough to have a system running.

Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Tested-by: Alexey Brodkin <abrodkin@synopsys.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2022-02-06 11:55:31 +01:00
Peter Korsgaard
1983d2e6a3 package/{glibc, localedef}: security bump for additional post-2.34.x fixes
Fixes the following security issues:

  CVE-2022-23219: Passing an overlong file name to the clnt_create
  legacy function could result in a stack-based buffer overflow when
  using the "unix" protocol.  Reported by Martin Sebor.

  CVE-2022-23218: Passing an overlong file name to the svcunix_create
  legacy function could result in a stack-based buffer overflow.

  CVE-2021-3998: Passing a path longer than PATH_MAX to the realpath
  function could result in a memory leak and potential access of
  uninitialized memory.  Reported by Qualys.

  CVE-2021-3999: Passing a buffer of size exactly 1 byte to the getcwd
  function may result in an off-by-one buffer underflow and overflow
  when the current working directory is longer than PATH_MAX and also
  corresponds to the / directory through an unprivileged mount
  namespace.  Reported by Qualys.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2022-02-05 13:51:09 +01:00
Norbert Lange
b7a00b39bc package/glibc: force -fno-lto
glibc requires compilation barriers between files, and will fail with
LTO enabled.

So force LTO off by appending -fno-lto to the flags, but only if the GCC
version is recent enough that an LTO build would be possible.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2022-01-09 23:26:36 +01:00
Romain Naour
ebc6c7e5b4 package/glibc: remove glibc csky fork
Before removing csky gcc fork, remove the glibc fork.

csky support has been merged in glibc 2.29 [1].

[1] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=5f72b00591ce4d1b4c0418294ffe1623983d5679

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Guo Ren <ren_guo@c-sky.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Asked-by: Guo Ren <guoren@kernel.org>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-10-17 18:59:18 +02:00
Petr Vorel
e17e37bcea package/glibc: bump version to 2.34-9-g9acab0bba6a5a57323b1f94bf95b21618a9e5aa4
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2021-08-26 23:41:25 +02:00
Joel Stanley
521904510d package/glibc: Use 2.33 for RISC-V 32-bit
RISC-V 32-bit was special cased to use glibc master as support was not
in a released version.

Recently 2.33 was released, so RV32 can now use the same glibc version
as other platforms.

Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-08-07 11:58:04 +02:00
Maxim Kochetkov
d5ce3b5db5 package/glibc: bump to version 2.33-46-gedfd11197ecf3629bbb4b66c5814da09a61a7f9f
See:
https://sourceware.org/pipermail/libc-announce/2021/000030.html

Signed-off-by: Maxim Kochetkov <fido_max@inbox.ru>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2021-07-24 22:27:32 +02:00
Peter Korsgaard
8a6b0b5696 package/glibc: security bump for additional post-2.32.x fixes
Fixes the following security issue:

- CVE-2021-3326: Assertion failure in ISO-2022-JP-3 gconv module related to
  combining characters

For details, see https://sourceware.org/bugzilla/show_bug.cgi?id=27256 and
https://www.openwall.com/lists/oss-security/2021/01/27/3

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-01-29 09:32:24 +01:00
Matt Weber
63332c33aa package: provide CPE ID details for numerous packages
This patch adds CPE ID information for a significant number of
packages.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-01-04 21:43:54 +01:00
Thomas Petazzoni
40258a3f39 package/glibc: drop ARC-specific version
We're now using 2.32 as the default glibc version, so we no longer
need to use a special version for the ARC architecture.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-12-29 23:28:57 +01:00
Romain Naour
182ea9477b package/glibc: bump to version 2.32-23-g050022910be1d1f5c11cd5168f1685ad4f9580d2
See:
https://sourceware.org/pipermail/libc-announce/2020/000029.html

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-12-29 23:28:57 +01:00
Thomas Petazzoni
9853983336 package/glibc, toolchain/toolchain-buildroot: disable native RPC in glibc toolchains
Support for obsolete RPC was dropped in glibc 2.14 (2011-05-31), then
reinstated and marked obsolete in glibc 2.16 (2012-06-30), and finally
dropped for good in 2.32 (2020-08-04), which we are about to start
using.

In preparation for that, drop the usage of obsolete RPC support in
glibc.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr: add a bit of history]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-12-29 23:28:57 +01:00
Vineet Gupta
8f91556ccb package/glibc: use upstream 2.32 for the ARC architecture
The ARC glibc port was merged upstream in 2.32, so use that instead of
the one available from Synosys's Github.

Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-19 22:19:35 +02:00
Alistair Francis
a4889545aa package/glibc: use upstream glibc for RISC-V 32-bit
Until glibc 2.33 gets released, we use the current 2.32 master branch.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-03 23:45:48 +02:00
Peter Korsgaard
aa70a16caf package/glibc: security bump for additional post-2.31.x fixes
Fixes the following security issue:

  CVE-2016-10228: An infinite loop has been fixed in the iconv program when
  invoked with the -c option and when processing invalid multi-byte input
  sequences.  Reported by Jan Engelhardt.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 22:57:25 +02:00
Romain Naour
9f6d4c3a87 package/{glibc, localedef}: bump to version 2.31
For glibc 2.31.x:

  - Update LICENSES file hash due to url change:
    "Prefer https to http for gnu.org and fsf.org URLs"

  - riscv64 does not build with kernel headers < 5.0, but upstream
    has not yet comitted a single fix, neither in master nor in the
    maintenance branch:
       https://sourceware.org/ml/libc-alpha/2020-02/msg00018.html

For localedef 2.31.x:

  - Remove upstream patch for localedef:
    0003-localedef-Use-initializer-for-flexible-array-member-.patch

Note that this version bump required some patches applied on
several packages (already applied):
    [Busybox] 13f2d688a2
    [openssh] bad75bca31
    [gcc] disable libsanitizer with gcc 7.5

See:
https://sourceware.org/legacy-ml/libc-announce/2020/msg00001.html

Tested by toolchain builder:
https://gitlab.com/kubu93/toolchains-builder/pipelines/129551000

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-07-27 15:26:30 +02:00
Romain Naour
6577049128 package/glibc: disable Werror for gcc 10 build
Currently glibc 2.30 is build by default with Werror enabled but it
has only been tested with compiler version available at the time of
the release [1] (gcc 6.2 up to gcc 9.2.1). It's recommended to use
those version with glibc 2.30.

For the same reason why we remove Werror in packages's compiler
flags. Building with Werror is not bulletproof when we start
using a newer compiler that introduce new warnings.
This is the case here with gcc 10, as reported by Yegor Yefremov
[2].

Fixing compiler warnings would require backporting many patches [3]
not even backported by Glibc maintainers to the 2.30 stable
branch. Instead, disable Werror by using --disable-werror.
Most (if not all) gcc 10 warnings will be fixed with Glibc 2.31.

[1] https://sourceware.org/git/?p=glibc.git;a=blob;f=INSTALL;h=62e78725f57080a1cb638cccd28ca3c2ffc5a22c#l466
[2] http://lists.busybox.net/pipermail/buildroot/2020-June/285715.html
[3] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=cba932a5a9e91cffd7f4172d7e91f9b2efb1f84b
    https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=de18a7061c9bdff73d66502c55d6a3ea671fc6d9
    https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=49348beafe9ba150c9bd48595b3f372299bddbb0
    https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=70c6e15654928c603c6d24bd01cf62e7a8e2ce9b
    https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=c7bf5ceab6ec776ac7350d3b0190776bf532ac54
    https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=e1d559f337de2c8ab68a6749dfe873477c883807

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Yegor Yefremov <yegorslists@googlemail.com>
Tested-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-06-29 22:35:10 +02:00
Romain Naour
d58fbd0e13 package/glibc: remove outdated cvs configure option
--without-cvs has been removed from glibc tree since glibc 2.15 [1]

[1] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=92963737c4376bcfd65235d5c325fa7f48302f89

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-06-18 21:32:47 +02:00
Thomas Petazzoni
a6569f2b3d Merge branch 'next'
A few conflicts had to be resolved:

 - Version number and hash for mesa3d-headers/mesa3d
 - Patches added in qemu, and the qemu version number
 - The gnuconfig README.buildroot

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-06-02 21:59:52 +02:00
Evgeniy Didin
b5a1306e1a toolchain: update ARC tools to arc-2020.03-release
This commit bumps ARC toolchain to arc-2020.03-release.

ARC GNU tools of version arc-2020.03-release bring some quite significant
changes like:
* Binutils 2.34 with additional ARC patches
* GCC 9.3 with additional ARC patches
* glibc 2.30 with additional ARC patches
* GDB 10-prerelease with additional ARC patches

Signed-off-by: Evgeniy Didin <Evgeniy.Didin@synopsys.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: arc-buildroot@synopsys.com
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-29 23:27:04 +02:00
Peter Korsgaard
6488684e2b package/glibc: bump version for additional post-2.30 security fixes
Fixes the following security vulnerabilities:

CVE-2020-10029: Trigonometric functions on x86 targets suffered from stack
  corruption when they were passed a pseudo-zero argument.  Reported by Guido
  Vranken / ForAllSecure Mayhem.

CVE-2020-1751: A defect in the PowerPC backtrace function could cause an
  out-of-bounds write when executed in a signal frame context.

CVE-2020-1752: A use-after-free vulnerability in the glob function when
  expanding ~user has been fixed.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-12 12:27:19 +02:00
Romain Naour
c8cbe97190 package/glibc: add comment about updating localedef in sync
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-01-26 09:07:38 +01:00
Evgeniy Didin
e52073f2f3 package/toolchain: bumb ARC tools to arc-2019.09 release
This commit bumps ARC toolchain to most recent arc-2019.09 release version.

ARC GNU tools of version arc-2019.09 bring some quite significant changes like:
* Binutils v2_33.20191002 with additional ARC patches
* GCC 9.2.1 with additional ARC patches
* glibc 2.30 with additional ARC patches

More information on this release could be found here:
https://github.com/foss-for-synopsys-dwc-arc-processors/toolchain/releases/tag/arc-2019.09-release

Signed-off-by: Evgeniy Didin <Evgeniy.Didin@synopsys.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: arc-buildroot@synopsys.com
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-01-17 21:34:05 +01:00
Peter Korsgaard
bda95544b9 package/glibc: bump version for post-2.30 security fixes
Fixes the following security vulnerability:

- CVE-2019-19126: ld.so failed to ignore the LD_PREFER_MAP_32BIT_EXEC
  environment variable during program execution after a security
  transition, allowing local attackers to restrict the possible mapping
  addresses for loaded libraries and thus bypass ASLR for a setuid
  program.  Reported by Marcin Kościelnicki.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-12-14 21:55:42 +01:00
Carlos Santos
862cda57e5 package/glibc: drop dependency of utilities on bash
The dependency was added because ldd uses bash-specific syntax to
localize messages. Add a post-patch hook, instead, to replace the
occurrences of $"foo" by "foo", simply, so the code becomes POSIX
sh compliant if bash is not selected.

Also set the configuration environment accordingly to replace the
/bin/bash hashbang by /bin/sh.

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-12-05 23:15:45 +01:00
Peter Korsgaard
7b24bd59c8 Merge branch 'next'
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-12-02 09:39:41 +01:00
Pascal de Bruijn
283c5d474e package/glibc: install locale utility only when BR2_PACKAGE_GLIBC_UTILS=y
Fixes: fb1ee93ca4

Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-11-26 22:36:17 +01:00
Pascal de Bruijn
fb1ee93ca4 package/glibc: install locale utility when NLS is enabled
Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-11-26 12:51:59 +01:00
Peter Korsgaard
e487649e2e package/glibc: install utilities into their standard locations
As pointed out by Carlos, ldconfig normally goes into /sbin, and getconf +
ldd into /usr/bin, so do that here as well instead of installing everything
to /bin.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-11-23 13:42:20 +01:00
Nikita Sobolev
c6cd512fe2 glibc: install glibc utils to target
With this patch we introduce an option for glibc, which
installs getconf, ldconfig and ldd utilities on target, that
may be useful in debugging. By default these utilities are
built, but not installed to the target.
ldd is a bash script, so it has bash dependency.

Signed-off-by: Nikita Sobolev <Nikita.Sobolev@synopsys.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2019-11-23 11:53:14 +01:00
Evgeniy Didin
6a1e1ee9bc toolchain: bump ARC tools to arc-2019.09-rc1
This commit bumps ARC toolchain to arc-2019.09-rc1.
We want to test how new toolchain-rc1 builds packages,
so we can make fixes before release of toolcain.

ARC GNU tools of version arc-2019.09-rc1 bring some quite significant changes like:
* Binutils v2_33.20191002 with additional ARC patches
* GCC 9.2.0 with additional ARC patches
* glibc 2.30 with additional ARC patches

Please note that it is a release candidate and it might contain some breakages,
please don't use it for production builds.

Signed-off-by: Evgeniy Didin <Evgeniy.Didin@synopsys.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: arc-buildroot@synopsys.com
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-11-06 15:47:34 +01:00
Evgeniy Didin
12ebdfd37c toolchain: bump ARC tools to arc-2019.09-eng002
This commit bumps ARC toolchain to arc-2019.09-eng002.  We want to
test how new toolchain-eng002 builds packages, so we can make fixes
before release of toolcain.

Please note that it is an engineering build and it might have all
kinds of breakages, please don't use it for production builds

Signed-off-by: Evgeniy Didin <Evgeniy.Didin@synopsys.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: arc-buildroot@synopsys.com
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-10-27 20:16:05 +01:00
Romain Naour
a7914499b8 package/glibc: bump to version 2.30
With Glibc 2.30, GCC 6.2 or later is required to build the GNU C
Library. Disable Glibc for GCC 5.x.

CVE-2019-7309, CVE-2019-9169.

See:
https://sourceware.org/ml/libc-alpha/2019-08/msg00029.html

Tested with toolchain-builder:
https://gitlab.com/kubu93/toolchains-builder/pipelines/76423684

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-17 15:05:00 +02:00
Peter Korsgaard
840ecb29f5 package/glibc: bump version for additional post-2.29 fixes
The following additional bugs are fixed:

  [16573] malloc: Set and reset all hooks for tracing
  [18035] Fix pldd hang
  [20568] Fix crash in _IO_wfile_sync
  [24228] old x86 applications that use legacy libio crash on exit
  [24476] dlfcn: Guard __dlerror_main_freeres with __libc_once_get (once)
  [24744] io: Remove the copy_file_range emulation

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-04 18:51:25 +02:00