From patchwork Sat Mar 30 14:49:40 2019
X-Patchwork-Submitter: Fabrice Fontaine
X-Patchwork-Id: 1070876
From: Fabrice Fontaine
To: buildroot@buildroot.org
Cc: Thomas Petazzoni, James Knight, Fabrice Fontaine, James Knight
Date: Sat, 30 Mar 2019 15:49:40 +0100
Message-Id: <20190330144947.27638-1-fontaine.fabrice@gmail.com>
Subject: [Buildroot] [PATCH v2,1/8] package/rpm: security bump to 4.14.2.1

- Remove first and second patches (already in version)
- Remove third and fourth patches (not needed since:
  https://github.com/rpm-software-management/rpm/commit/245b5a3b4b6d616adf47361137987e90f8dab22c)
- Add hash for license file
- Drop autoreconf (as configure.ac is not patched anymore)
- Use new --with-crypto option
- Restrict symlink following on installation (CVE-2017-7500,
  CVE-2017-7501)

Signed-off-by: Fabrice Fontaine
---
Changes v1 -> v2 (after review of Thomas Petazzoni):
 - Put bump as the first patch in the series

 ...nstead-of-compile-for-gcc-flags-test.patch | 33 ----------- ...ure-ac-correct-stack-protector-check.patch | 45 --------------- ...enable-disable-sepdebugcrcfix-buildi.patch | 55 ------------------- ...cfix.c-fix-build-with-recent-binutil.patch | 43 --------------- package/rpm/rpm.hash | 7 ++- package/rpm/rpm.mk | 12 ++-- 6 files changed, 9 insertions(+), 186 deletions(-) delete mode 100644 package/rpm/0001-configure-ac-use-link-instead-of-compile-for-gcc-flags-test.patch delete mode 100644 package/rpm/0002-configure-ac-correct-stack-protector-check.patch delete mode 100644 package/rpm/0003-Detect-bfd.h-to-enable-disable-sepdebugcrcfix-buildi.patch delete mode 100644 package/rpm/0004-tools-sepdebugcrcfix.c-fix-build-with-recent-binutil.patch diff --git a/package/rpm/0001-configure-ac-use-link-instead-of-compile-for-gcc-flags-test.patch b/package/rpm/0001-configure-ac-use-link-instead-of-compile-for-gcc-flags-test.patch deleted file mode 100644 index 6f6a2aba51..0000000000 --- a/package/rpm/0001-configure-ac-use-link-instead-of-compile-for-gcc-flags-test.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From b5f1895aae096836d6e8e155ee289e1b10fcabcb Mon Sep 17 00:00:00 2001 -From: Thomas Petazzoni -Date: Sat, 10 Oct 2015 23:17:44 +0200 -Subject: [PATCH] configure.ac: use link instead of compile for gcc flags test - -The logic that tests whether gcc supports or not certain flags uses -AC_COMPILE_IFELSE(). However, when checking for stack smashing -protection support, an AC_LINK_IFELSE() test is needed, since the -build might work but not the link stage if certain libraries are -missing for proper stack smashing protection support. - -Therefore, this commit switches to use AC_LINK_IFELSE(). - -[Upstream commit: https://github.com/rpm-software-management/rpm/commit/b5f1895aae096836d6e8e155ee289e1b10fcabcb] -Signed-off-by: Thomas Petazzoni -Signed-off-by: James Knight ---- - configure.ac | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index 6ece8c9fd..822294c3f 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -43,7 +43,7 @@ if test "$GCC" = yes; then - echo - for flag in $cflags_to_try; do - CFLAGS="$CFLAGS $flag -Werror" -- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[return 0;]])],[ -+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[return 0;]])],[ - echo " $flag" - RPMCFLAGS="$RPMCFLAGS $flag" - ],[]) diff --git a/package/rpm/0002-configure-ac-correct-stack-protector-check.patch b/package/rpm/0002-configure-ac-correct-stack-protector-check.patch deleted file mode 100644 index 9d2942b4fa..0000000000 --- a/package/rpm/0002-configure-ac-correct-stack-protector-check.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From c810a0aca3f1148d2072d44b91b8cc9caeb4cf19 Mon Sep 17 00:00:00 2001 -From: James Knight -Date: Wed, 16 Nov 2016 15:54:46 -0500 -Subject: [PATCH] configure.ac: correct stack protector check - -If a used toolchain accepts the `-fstack-protector` option but does not -provide a stack smashing protector implementation (ex. libssp), linking -will fail: - - .libs/rpmio.o: In function `Fdescr': - rpmio.c:(.text+0x672): undefined reference to `__stack_chk_fail_local' - .libs/rpmio.o: In function `Fdopen': - rpmio.c:(.text+0xce9): undefined reference to `__stack_chk_fail_local' - .libs/rpmio.o: In function `ufdCopy': - rpmio.c:(.text+0x10f7): undefined reference to `__stack_chk_fail_local' - ... - -This is a result of testing for `-fstack-protector` support using a main -that GCC does not inject guards. GCC's manual notes that stack protector -code is only added when "[functions] that call alloca, and functions -with buffers larger than 8 bytes" [1]. This commit adjusts the stack -protector check to allocate memory on the stack (via `alloca`). - -[1]: https://gcc.gnu.org/onlinedocs/gcc-4.4.2/gcc/Optimize-Options.html - -Signed-off-by: James Knight -[Upstream commit: https://github.com/rpm-software-management/rpm/commit/c810a0aca3f1148d2072d44b91b8cc9caeb4cf19] -Signed-off-by: Thomas Petazzoni ---- - configure.ac | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index a9730d3bc..b4b3fe8fb 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -43,7 +43,7 @@ if test "$GCC" = yes; then - echo - for flag in $cflags_to_try; do - CFLAGS="$CFLAGS $flag -Werror" -- AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[return 0;]])],[ -+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[alloca(100);]])],[ - echo " $flag" - RPMCFLAGS="$RPMCFLAGS $flag" - ],[]) 
diff --git a/package/rpm/0003-Detect-bfd.h-to-enable-disable-sepdebugcrcfix-buildi.patch b/package/rpm/0003-Detect-bfd.h-to-enable-disable-sepdebugcrcfix-buildi.patch deleted file mode 100644 index e1fd0697e6..0000000000 --- a/package/rpm/0003-Detect-bfd.h-to-enable-disable-sepdebugcrcfix-buildi.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From edadcf67980764c104c25c7c1a0ba91257b89698 Mon Sep 17 00:00:00 2001 -From: Thomas Petazzoni -Date: Thu, 8 Dec 2016 23:33:30 +0100 -Subject: [PATCH 1/2] Detect bfd.h to enable/disable sepdebugcrcfix building - -tools/sepdebugcrcfix includes , but this header from binutils -is not checked in the configure script. Due to this, sepdebugcrcfix is -attempted to be built even when is not available. This commit -addresses that by adding the appropriate configure check. - -This fixes the following build error: - -tools/sepdebugcrcfix.c:31:17: fatal error: bfd.h: No such file or directory -compilation terminated. -make[3]: *** [tools/sepdebugcrcfix.o] Error 1 - -Signed-off-by: Thomas Petazzoni ---- - Makefile.am | 2 ++ - configure.ac | 3 +++ - 2 files changed, 5 insertions(+) - -diff --git a/Makefile.am b/Makefile.am -index 863138c..d8a68f0 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -168,9 +168,11 @@ elfdeps_SOURCES = tools/elfdeps.c - elfdeps_LDADD = rpmio/librpmio.la - elfdeps_LDADD += @WITH_LIBELF_LIB@ @WITH_POPT_LIB@ - -+if HAS_BFD_H - rpmlibexec_PROGRAMS += sepdebugcrcfix - sepdebugcrcfix_SOURCES = tools/sepdebugcrcfix.c - sepdebugcrcfix_LDADD = @WITH_LIBELF_LIB@ -+endif # HAS_BFD_H - endif - endif - -diff --git a/configure.ac b/configure.ac -index c5ae701..b99ecb8 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -242,6 +242,9 @@ AC_CHECK_HEADERS([dwarf.h], [ - ]) - AM_CONDITIONAL(LIBDWARF,[test "$WITH_LIBDWARF" = yes]) - -+AC_CHECK_HEADERS([bfd.h]) -+AM_CONDITIONAL(HAS_BFD_H, [test "${ac_cv_header_bfd_h}" = "yes"]) -+ - #================= - # Check for beecrypt library if requested. - AC_ARG_WITH(beecrypt, [ --with-beecrypt build with beecrypt support ],,[with_beecrypt=no]) --- -2.7.4 - diff --git a/package/rpm/0004-tools-sepdebugcrcfix.c-fix-build-with-recent-binutil.patch b/package/rpm/0004-tools-sepdebugcrcfix.c-fix-build-with-recent-binutil.patch deleted file mode 100644 index bebe94511d..0000000000 
--- a/package/rpm/0004-tools-sepdebugcrcfix.c-fix-build-with-recent-binutil.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 65afab91444d4996a8e61d1e2d27d52e18417ef5 Mon Sep 17 00:00:00 2001 -From: Thomas Petazzoni -Date: Thu, 8 Dec 2016 23:45:55 +0100 -Subject: [PATCH 2/2] tools/sepdebugcrcfix.c: fix build with recent binutils - -Moderately recent binutils versions install a header that -checks if config.h is included. While this makes sense in binutils -itself, it does not outside. So the binutils developers have added a -check: if PACKAGE or PACKAGE_VERSION are defined, they assume you're -re-using bfd.h outside of binutils, and therefore including it without -including config.h is legit. - -So we take the same approch as numerous users of bfd.h: fake a PACKAGE -definition. See for example tools/perf/util/srcline.c in the Linux -kernel source tree. - -This fixes the following build error: - -In file included from tools/sepdebugcrcfix.c:31:0: -/home/test/autobuild/run/instance-0/output/host/usr/arc-buildroot-linux-uclibc/sysroot/usr/include/bfd.h:35:2: error: #error config.h must be included before this header - #error config.h must be included before this header - -Signed-off-by: Thomas Petazzoni ---- - tools/sepdebugcrcfix.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/tools/sepdebugcrcfix.c b/tools/sepdebugcrcfix.c -index cd7fa02..e7b480f 100644 ---- a/tools/sepdebugcrcfix.c -+++ b/tools/sepdebugcrcfix.c -@@ -28,6 +28,8 @@ - #include - #include - #include -+/* Needed to please */ -+#define PACKAGE "rpm" - #include - - #define _(x) x --- -2.7.4 - diff --git a/package/rpm/rpm.hash b/package/rpm/rpm.hash index 7ae9ec73d9..b550e12721 100644 --- a/package/rpm/rpm.hash +++ b/package/rpm/rpm.hash 
@@ -1,2 +1,5 @@ -# From http://rpm.org/wiki/Releases/4.13.0.1 -sha1 9566f95f38fcb214e439c552f378c2f64ba0aff9 rpm-4.13.0.1.tar.bz2 +# From https://rpm.org/wiki/Releases/4.14.2.1.html +sha256 1139c24b7372f89c0a697096bf9809be70ba55e006c23ff47305c1849d98acda rpm-4.14.2.1.tar.bz2 + +# Hash for license file +sha256 d56f4f1f290f6920cb053aef0dbcd0b853cda289e2568b364ddbfce220a6f3e0 COPYING diff --git a/package/rpm/rpm.mk b/package/rpm/rpm.mk index 87c2059e71..eb9a4a5a51 100644 --- a/package/rpm/rpm.mk +++ b/package/rpm/rpm.mk @@ -4,8 +4,8 @@ # ################################################################################ -RPM_VERSION_MAJOR = 4.13 -RPM_VERSION = $(RPM_VERSION_MAJOR).0.1 +RPM_VERSION_MAJOR = 4.14 +RPM_VERSION = $(RPM_VERSION_MAJOR).2.1 RPM_SOURCE = rpm-$(RPM_VERSION).tar.bz2 RPM_SITE = http://ftp.rpm.org/releases/rpm-$(RPM_VERSION_MAJOR).x RPM_DEPENDENCIES = host-pkgconf berkeleydb file popt zlib \ @@ -13,10 +13,6 @@ RPM_DEPENDENCIES = host-pkgconf berkeleydb file popt zlib \ RPM_LICENSE = GPL-2.0 or LGPL-2.0 (library only) RPM_LICENSE_FILES = COPYING -# 0001-configure-ac-use-link-instead-of-compile-for-gcc-flags-test.patch -# 0002-configure-ac-correct-stack-protector-check.patch -RPM_AUTORECONF = YES - RPM_CONF_OPTS = \ --disable-python \ --disable-rpath \ @@ -35,11 +31,11 @@ endif ifeq ($(BR2_PACKAGE_LIBNSS),y) RPM_DEPENDENCIES += libnss -RPM_CONF_OPTS += --without-beecrypt +RPM_CONF_OPTS += --with-crypto=nss RPM_CFLAGS += -I$(STAGING_DIR)/usr/include/nss -I$(STAGING_DIR)/usr/include/nspr else RPM_DEPENDENCIES += beecrypt -RPM_CONF_OPTS += --with-beecrypt +RPM_CONF_OPTS += --with-crypto=beecrypt RPM_CFLAGS += -I$(STAGING_DIR)/usr/include/beecrypt endif
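
Review bot: the deletion of 0003-Detect-bfd.h-to-enable-disable-sepdebugcrcfix-buildi.patch and 0004-tools-sepdebugcrcfix.c-fix-build-with-recent-binutil.patch is justified in the commit message only by a bare upstream commit URL. Add one line saying what that upstream commit changes, so the reason these two patches are "not needed" can be checked without following the link. The 0001 and 0002 deletions are easier to verify because each deleted patch file carries its own "Upstream commit" line.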
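
Review bot: in the package/rpm/rpm.hash hunk the new COPYING entry is introduced only by "# Hash for license file", which says what the value is for but not where it comes from, while the tarball entry above it cites the release page. State the origin of the license hash in the comment (for example, that it was computed locally from the extracted rpm-4.14.2.1 tarball) so a later bump knows how to re-derive it. The move from sha1 to sha256 for the tarball entry needs no change.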
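
Review bot: in the first package/rpm/rpm.mk hunk the unchanged context line "RPM_SITE = http://ftp.rpm.org/releases/rpm-$(RPM_VERSION_MAJOR).x" still fetches the tarball over plain HTTP, although this same patch moves the reference in rpm.hash from http://rpm.org to https://rpm.org. The sha256 entry covers the integrity of the download, but if the release server offers HTTPS, switch RPM_SITE in this bump so the download URL and the hash reference are consistent.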