List of fixes from the 2.26 branch NEWS files:
CVE-2017-15670: The glob function, when invoked with GLOB_TILDE,
suffered from a one-byte overflow during ~ operator processing (either
on the stack or the heap, depending on the length of the user name).
Reported by Tim Rühsen.
CVE-2017-15671: The glob function, when invoked with GLOB_TILDE,
would sometimes fail to free memory allocated during ~ operator
processing, leading to a memory leak and, potentially, to a denial
of service.
CVE-2017-15804: The glob function, when invoked with GLOB_TILDE and
without GLOB_NOESCAPE, could write past the end of a buffer while
unescaping user names. Reported by Tim Rühsen.
CVE-2017-17426: The malloc function, when called with an object size near
the value SIZE_MAX, would return a pointer to a buffer which is too small,
instead of NULL. This was a regression introduced with the new malloc
thread cache in glibc 2.26. Reported by Iain Buclaw.
Cc: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Currently, we do a full git clone of the repository, which takes quite
some time, especially on slow networks.
This was done like that because the initial patch was using the official
repository as the source of the download, and that repository did not
offer remotely-generated tarballs.
But now we've switched to using a mirror on github, which does provide
such a tarball, which provides faster downloads.
Use that.
However, the tarball from github differs from the one we were generating
locally, because the paths inside are different. We used to create an
archive with paths starting with glibc-glibc-2.26-73-g4b692dfb95[...],
while github does away with the git-describe prefix, and generates paths
that start with just glibc-4b692dffb95[...]. The contents are exactly
identical (checked with a diff), though.
Update the hash accordingly.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Waldemar Brodkorb <wbx@openadk.org>
Cc: Romain Naour <romain.naour@gmail.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit finally bumps ARC tools to the most recent arc-2017.09 release version.
ARC GNU tools of version arc-2017.09 bring some quite significant changes like:
* Binutils v2.29 with additional ARC patches
* GCC 7.1.1 with additional ARC patches
* glibc 2.26 with additional ARC patches
More information on this release could be found here:
https://github.com/foss-for-synopsys-dwc-arc-processors/toolchain/releases/tag/arc-2017.09-release
Signed-off-by: Evgeniy Didin <didin@synopsys.com>
Cc: Alexey Brodkin <abrodkin@synopsys.com>
Cc: arc-buildroot@synopsys.com
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
glibc upstream has ruled against doing regular point-releases, but they
do have a lot of interesting and important fixes for regressions and
security.
Backporting each patch, or cherry-picking individual patches is off
limits for us, so we just switch to using the currently-latest HEAD of
the maintenance branch instead.
The version number is obtained with:
$ git describe --match 'glibc-*' --abbrev=40 origin/release/2.26/master
The alternative options were:
- download the tarball from the git tree
--> does not work; not an option
- download the 2.26 tarball, and bundle the individual patches in
Buildroot
--> maintenance of patches is a burden; not an option
- download the 2.26 tarball, maintain the list of patches to download from
the git tree
--> not an option for the same reason
So we end up just doing a git clone. The git tree is today about ten
times the size of the tarball, so a rough estimate makes it at about ten
times the download time.
Also upstream doesn't officially provide an https download location [1].
There is one but it's not reliable, sometimes the connection times out and
ends up with a corrupted git repo:
fatal: unable to access 'https://sourceware.org/git/glibc.git/': Failed to connect to sourceware.org port 443: Connection timed out
So switch to using a git mirror from github which is updated once a day [2].
This allows, at the same time, cloning the git repository faster.
Note: The glibc 2.26 patches are not kept for the arc toolchain since they
are fixing an issue with the new float128 support introduced in x86, x86_64
and powerpc64le.
[1] https://sourceware.org/git/?p=glibc.git;a=summary
[2] https://github.com/bminor/glibc.git
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Romain Naour <romain.naour@openwide.fr>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Evgeniy Didin <didin@synopsys.com>
CC: Alexey Brodkin <abrodkin@synopsys.com>
[Romain: bump 4b692dffb95ac4812b161eb6a16113d7e824982e]
Signed-off-by: Romain Naour <romain.naour@gmail.com>
[yann.morin.1998@free.fr: update comment to never decide on the mirror]
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Reviewed-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Finally there's a working ARC port of glibc thanks to Vineet and Cuper!
This port is based on pretty recent glibc's master branch and ARC
changes are being reviewed now in glibc's mailing list.
Thus we again have to use sources from our GitHub but as soon as there's
a glibc release with our patches applied we'll switch to upstream releases
and will drop our glibc GitHub repo altogether.
Note now we cut tags in glibc repo simultaneously with tags
in Binutils and GCC repos and so to make sure everything works in the best
way we plan to update glibc tag together with Binutils and GCC.
Also note as of today ARCompact (AKA ARCv1 ISA) is not supported in glibc
but we plan to fix it soonish so for now we make glibc intentionally
dependent on archs38.
Also note we are not creating directory "2.26" because all patches for glibc
ver 2.26 apply to arc glibc port.
Signed-off-by: Evgeniy Didin <didin@synopsys.com>
CC: Alexey Brodkin <abrodkin@synopsys.com>
CC: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
CC: Waldemar Brodkorb <wbx@openadk.org>
CC: Romain Naour <romain.naour@gmail.com>
Cc: Cupertino Miranda <cmiranda@synopsys.com>
Cc: Vineet Gupta <vgupta@synopsys.com>
Cc: Anton Kolesov <akolesov@synopsys.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
We do not support uClibc-ng/musl C library version choice;
do the same for the GNU C Library.
No legacy handling required as only version choice is removed.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Thomas: move 3.2 kernel headers dependency to the libc choice in
toolchain/toolchain-buildroot/Config.in file, and added a Config.in
comment about it.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
We don't want a dozen glibc versions and there's no particular reason to
keep this old version around so drop it.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
[Thomas: add entry to Config.in.legacy.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
In commit 500de2598a, support for eglibc was removed, but we forgot to
remove the corresponding hashes from the hash file. This commit fixes
this mistake.
Reported-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Mask out glibc for sparc as well since it's no longer available.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Clarify the reason it's not available for sparc < v9.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Switch default to version 2.21 and drop 2.20.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
- Add version 2.21
- Add a hash value for it
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>