Message ID | 20230911210917.1114974-1-romain.naour@gmail.com |
---|---|
State | Accepted |
Headers | show |
Series | [1/2] package/{glibc, localedef}: bump to version 2.38-13-g92201f16cbcfd9eafe314ef6654be2ea7ba25675 | expand |
>>>>> "Romain" == Romain Naour <romain.naour@gmail.com> writes: > Enable mathvec explicitely on aarch64(be) since it's now enabled by > default [1]. aarch64 mathvec requires at gcc-10 but Buildroot already > provide gcc-11 as minimum version. > Don't use --enable-fortify-source for now in order to keep original > behavior while doing the glibc version bump (and because some > architecture doesn't support well fortiry-source, i.e Microblaze). > Postpone this change to a follow up commit. > Keep the "deprecated" libcrypt enabled just in case if some > application are not yet ready to use an alternative such as libxcrypt. > Security related changes: > CVE-2023-25139: When the printf family of functions is called with a > format specifier that uses an <apostrophe> (enable grouping) and a > minimum width specifier, the resulting output could be larger than > reasonably expected by a caller that computed a tight bound on the > buffer size. The resulting larger than expected output could result > in a buffer overflow in the printf family of functions. It would have been handy to first bump to the 2.37.x version fixing this issue for easy backporting, but OK - I will do it separately. > See: > https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00010.html > Runtime tested with Qemu on Gitlab-ci: > https://gitlab.com/kubu93/buildroot/-/pipelines/998435203 > https://gitlab.com/buildroot.org/toolchains-builder/-/pipelines/998926028 > [1] https://sourceware.org/git/?p=glibc.git;a=commit;h=cd94326a1326c4e3f1ee7a8d0a161cc0bdcaf07e > Signed-off-by: Romain Naour <romain.naour@gmail.com> Committed, thanks.
Hello Peter, Le 29/09/2023 à 21:32, Peter Korsgaard a écrit : >>>>>> "Romain" == Romain Naour <romain.naour@gmail.com> writes: > > > Enable mathvec explicitely on aarch64(be) since it's now enabled by > > default [1]. aarch64 mathvec requires at gcc-10 but Buildroot already > > provide gcc-11 as minimum version. > > > Don't use --enable-fortify-source for now in order to keep original > > behavior while doing the glibc version bump (and because some > > architecture doesn't support well fortiry-source, i.e Microblaze). > > Postpone this change to a follow up commit. > > > Keep the "deprecated" libcrypt enabled just in case if some > > application are not yet ready to use an alternative such as libxcrypt. > > > Security related changes: > > > CVE-2023-25139: When the printf family of functions is called with a > > format specifier that uses an <apostrophe> (enable grouping) and a > > minimum width specifier, the resulting output could be larger than > > reasonably expected by a caller that computed a tight bound on the > > buffer size. The resulting larger than expected output could result > > in a buffer overflow in the printf family of functions. > > It would have been handy to first bump to the 2.37.x version fixing this > issue for easy backporting, but OK - I will do it separately. Previous Glibc release are still maintained so we probably have to send patches directly for Buildroot stable release. Best regards, Romain > > > See: > > https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00010.html > > > Runtime tested with Qemu on Gitlab-ci: > > https://gitlab.com/kubu93/buildroot/-/pipelines/998435203 > > https://gitlab.com/buildroot.org/toolchains-builder/-/pipelines/998926028 > > > [1] https://sourceware.org/git/?p=glibc.git;a=commit;h=cd94326a1326c4e3f1ee7a8d0a161cc0bdcaf07e > > > Signed-off-by: Romain Naour <romain.naour@gmail.com> > > Committed, thanks. >
Am Fri, 29 Sep 2023 21:32:32 +0200 schrieb Peter Korsgaard: > > See: > > https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00010.html > > > Runtime tested with Qemu on Gitlab-ci: > > https://gitlab.com/kubu93/buildroot/-/pipelines/998435203 > > https://gitlab.com/buildroot.org/toolchains-builder/-/pipelines/ 998926028 Hi, with this defconfig: BR2_x86_64=y BR2_PACKAGE_BUSYBOX_SHOW_OTHERS=y BR2_PACKAGE_DHCP=y this patch breaks building the dhcp package: Building dns library in /home/bernd/buildroot/br4/output/build/dhcp-4.4.3- P1/bind/bind-9.11.36/lib/dns ./gen: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.38' not found (required by ./gen) make[4]: *** [Makefile:601: include/dns/enumtype.h] Error 1 make[3]: *** [Makefile:595: include] Error 2 Please note that this build error only occurs when the target and the host system have the same arch. For example this defconfig builds fine: BR2_PACKAGE_BUSYBOX_SHOW_OTHERS=y BR2_PACKAGE_DHCP=y "git revert 34f8d874ee" fixes the problem. Some infos about my host system: $ cat /etc/debian_version 12.1 $ uname -a Linux buildroot 6.1.55-x64v3-xanmod1 #0~20230923.gbb709ca SMP PREEMPT_DYNAMIC Sat Sep 23 15:37:25 UTC x86_64 GNU/Linux Regards, Bernd
>>>>> "Bernd" == Bernd Kuhls <bernd@kuhls.net> writes: > Am Fri, 29 Sep 2023 21:32:32 +0200 schrieb Peter Korsgaard: >> > See: >> > https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00010.html >> >> > Runtime tested with Qemu on Gitlab-ci: >> > https://gitlab.com/kubu93/buildroot/-/pipelines/998435203 >> > https://gitlab.com/buildroot.org/toolchains-builder/-/pipelines/ > 998926028 > Hi, > with this defconfig: > BR2_x86_64=y > BR2_PACKAGE_BUSYBOX_SHOW_OTHERS=y > BR2_PACKAGE_DHCP=y > this patch breaks building the dhcp package: > Building dns library in /home/bernd/buildroot/br4/output/build/dhcp-4.4.3- > P1/bind/bind-9.11.36/lib/dns > ./gen: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.38' not found > (required by ./gen) > make[4]: *** [Makefile:601: include/dns/enumtype.h] Error 1 > make[3]: *** [Makefile:595: include] Error 2 So gen is presumably built for the target, but the build system for some reason tries to execute it on the host - E.G. it was already a problem, but it only happened to work before as the glibc version on your build host matched better (was >=) than the 2.38.x version we use now. > Please note that this build error only occurs when the target and the host > system have the same arch. For example this defconfig builds fine: Ok, so I guess we somehow need to convince the dhcp build system to not execute ./gen, even if target looks compatible to the host. > BR2_PACKAGE_BUSYBOX_SHOW_OTHERS=y > BR2_PACKAGE_DHCP=y > "git revert 34f8d874ee" fixes the problem. > Some infos about my host system: > $ cat /etc/debian_version > 12.1 I believe Debian 12 uses glibc 2.36: https://packages.debian.org/search?keywords=libc6
Am Sat, 30 Sep 2023 22:59:20 +0200 schrieb Peter Korsgaard: > So gen is presumably built for the target, but the build system for some > reason tries to execute it on the host - E.G. it was already a problem, > but it only happened to work before as the glibc version on your build > host matched better (was >=) than the 2.38.x version we use now. Hi Peter, sent https://patchwork.ozlabs.org/project/buildroot/patch/ 20231002195159.3053254-1-bernd@kuhls.net/ Regards, Bernd
diff --git a/package/glibc/glibc.hash b/package/glibc/glibc.hash index 453aadae11..4d2e9fbbd2 100644 --- a/package/glibc/glibc.hash +++ b/package/glibc/glibc.hash @@ -1,5 +1,5 @@ # Locally calculated (fetched from Github) -sha256 0f8bfad0b853a0c6e1dd1c3254a30b58d4c7050870fe2b0da90ad40f4d450ce2 glibc-2.37-2-g9f8513dc64119a424b312db97cef5d87d376defa.tar.gz +sha256 06d73b1804767f83885ab03641e2a7bf8d73f0a6cf8caee4032d8d1cc2e76cce glibc-2.38-13-g92201f16cbcfd9eafe314ef6654be2ea7ba25675.tar.gz # Hashes for license files sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk index 79e6c76cb4..844bed5051 100644 --- a/package/glibc/glibc.mk +++ b/package/glibc/glibc.mk @@ -7,7 +7,7 @@ # Generate version string using: # git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2- # When updating the version, please also update localedef -GLIBC_VERSION = 2.37-2-g9f8513dc64119a424b312db97cef5d87d376defa +GLIBC_VERSION = 2.38-13-g92201f16cbcfd9eafe314ef6654be2ea7ba25675 # Upstream doesn't officially provide an https download link. # There is one (https://sourceware.org/git/glibc.git) but it's not reliable, # sometimes the connection times out. So use an unofficial github mirror. @@ -148,6 +148,8 @@ define GLIBC_CONFIGURE_CMDS --disable-werror \ --without-gd \ --with-headers=$(STAGING_DIR)/usr/include \ + $(if $(BR2_aarch64)$(BR2_aarch64_be),--enable-mathvec) \ + --enable-crypt \ $(GLIBC_CONF_OPTS)) $(GLIBC_ADD_MISSING_STUB_H) endef diff --git a/package/localedef/0001-HACK-only-build-and-install-localedef.patch b/package/localedef/0001-HACK-only-build-and-install-localedef.patch index b289000c8a..49bbfd227c 100644 --- a/package/localedef/0001-HACK-only-build-and-install-localedef.patch +++ b/package/localedef/0001-HACK-only-build-and-install-localedef.patch @@ -1,4 +1,4 @@ -From 442e9a3f262c49cf61f9e7bdf12882f0a427666b Mon Sep 17 00:00:00 2001 +From bd5a87ea4a0cc0ba393a16bbeb166903e4085e8b Mon Sep 17 00:00:00 2001 From: Michael Olbrich <m.olbrich@pengutronix.de> Date: Mon, 21 May 2018 16:45:02 +0200 Subject: [PATCH] HACK: only build and install localedef @@ -7,16 +7,18 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> Upstream: https://git.pengutronix.de/cgit/ptxdist/plain/patches/localedef-glibc-2.27/0001-HACK-only-build-and-install-localedef.patch?id=47116f66f411d4dadfce42c2fdd6d41b351ccfd4 Signed-off-by: Peter Seiderer <ps.report@gmx.net> +[Romain: rebase on 2.38] +Signed-off-by: Romain Naour <romain.naour@gmail.com> --- Rules | 14 ++++++++++---- locale/Makefile | 6 +++--- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/Rules b/Rules -index b1137afe71..2aeac31922 100644 +index 279ae490ac..1321956be6 100644 --- a/Rules +++ b/Rules -@@ -216,10 +216,16 @@ binaries-shared-notests = $(filter-out $(binaries-pie) $(binaries-static), \ +@@ -221,10 +221,16 @@ binaries-shared-notests = $(filter-out $(binaries-pie) $(binaries-static), \ $(binaries-all-notests)) ifneq "$(strip $(binaries-shared-notests))" "" @@ -38,7 +40,7 @@ index b1137afe71..2aeac31922 100644 ifneq "$(strip $(binaries-shared-tests))" "" diff --git a/locale/Makefile b/locale/Makefile -index b7c60681fa..de4cf4003f 100644 +index d7036b0855..68afdddc7f 100644 --- a/locale/Makefile +++ b/locale/Makefile @@ -33,15 +33,15 @@ categories = ctype messages monetary numeric time paper name \ @@ -61,5 +63,5 @@ index b7c60681fa..de4cf4003f 100644 libBrokenLocale-routines = broken_cur_max -- -2.33.0 +2.41.0 diff --git a/package/localedef/0002-relax-dependency-on-GCC-to-4.8-and-binutils-to-2.24.patch b/package/localedef/0002-relax-dependency-on-GCC-to-4.8-and-binutils-to-2.24.patch index 94fccfa856..70d2b34bc1 100644 --- a/package/localedef/0002-relax-dependency-on-GCC-to-4.8-and-binutils-to-2.24.patch +++ b/package/localedef/0002-relax-dependency-on-GCC-to-4.8-and-binutils-to-2.24.patch @@ -1,4 +1,4 @@ -From 85412262460f6ba9f6e2cf8da74fc1904c54c854 Mon Sep 17 00:00:00 2001 +From add730a680075ed611797b9ea771bf977667a7de Mon Sep 17 00:00:00 2001 From: Matt Weber <matthew.weber@rockwellcollins.com> Date: Thu, 6 Feb 2020 14:36:21 -0600 Subject: [PATCH] relax dependency on GCC to 4.8 and binutils to 2.24 @@ -26,15 +26,17 @@ GCC 6.2+ Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com> [yann.morin.1998@free.fr: update for 2.37] Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> +[Romain: rebase on 2.38] +Signed-off-by: Romain Naour <romain.naour@gmail.com> --- - configure | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) + configure | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure b/configure -index 9619c10991..0c481d2339 100755 +index 4ef387146d..4c6f91117d 100755 --- a/configure +++ b/configure -@@ -4178,7 +4178,7 @@ $as_echo_n "checking version of $LD... " >&6; } +@@ -5293,7 +5293,7 @@ printf %s "checking version of $LD... " >&6; } ac_prog_version=`$LD --version 2>&1 | sed -n 's/^.*GNU ld.* \([0-9][0-9]*\.[0-9.]*\).*$/\1/p'` case $ac_prog_version in '') ac_prog_version="v. ?.??, bad"; ac_verc_fail=yes;; @@ -43,8 +45,8 @@ index 9619c10991..0c481d2339 100755 ac_prog_version="$ac_prog_version, ok"; ac_verc_fail=no;; *) ac_prog_version="$ac_prog_version, bad"; ac_verc_fail=yes;; -@@ -4589,7 +4589,7 @@ int - main () +@@ -5735,7 +5735,7 @@ int + main (void) { -#if !defined __GNUC__ || __GNUC__ < 6 || (__GNUC__ == 6 && __GNUC_MINOR__ < 2) @@ -53,4 +55,5 @@ index 9619c10991..0c481d2339 100755 #endif ; -- -2.33.0 +2.41.0 + diff --git a/package/localedef/localedef.mk b/package/localedef/localedef.mk index 6f8b170516..650b319a25 100644 --- a/package/localedef/localedef.mk +++ b/package/localedef/localedef.mk @@ -7,7 +7,7 @@ # Use the same VERSION and SITE as target glibc # As in glibc.mk, generate version string using: # git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2- -LOCALEDEF_VERSION = 2.37-2-g9f8513dc64119a424b312db97cef5d87d376defa +LOCALEDEF_VERSION = 2.38-13-g92201f16cbcfd9eafe314ef6654be2ea7ba25675 LOCALEDEF_SOURCE = glibc-$(LOCALEDEF_VERSION).tar.gz LOCALEDEF_SITE = $(call github,bminor,glibc,$(LOCALEDEF_VERSION)) HOST_LOCALEDEF_DL_SUBDIR = glibc
Enable mathvec explicitely on aarch64(be) since it's now enabled by default [1]. aarch64 mathvec requires at gcc-10 but Buildroot already provide gcc-11 as minimum version. Don't use --enable-fortify-source for now in order to keep original behavior while doing the glibc version bump (and because some architecture doesn't support well fortiry-source, i.e Microblaze). Postpone this change to a follow up commit. Keep the "deprecated" libcrypt enabled just in case if some application are not yet ready to use an alternative such as libxcrypt. Security related changes: CVE-2023-25139: When the printf family of functions is called with a format specifier that uses an <apostrophe> (enable grouping) and a minimum width specifier, the resulting output could be larger than reasonably expected by a caller that computed a tight bound on the buffer size. The resulting larger than expected output could result in a buffer overflow in the printf family of functions. See: https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00010.html Runtime tested with Qemu on Gitlab-ci: https://gitlab.com/kubu93/buildroot/-/pipelines/998435203 https://gitlab.com/buildroot.org/toolchains-builder/-/pipelines/998926028 [1] https://sourceware.org/git/?p=glibc.git;a=commit;h=cd94326a1326c4e3f1ee7a8d0a161cc0bdcaf07e Signed-off-by: Romain Naour <romain.naour@gmail.com> --- package/glibc/glibc.hash | 2 +- package/glibc/glibc.mk | 4 +++- ...ACK-only-build-and-install-localedef.patch | 12 +++++++----- ...y-on-GCC-to-4.8-and-binutils-to-2.24.patch | 19 +++++++++++-------- package/localedef/localedef.mk | 2 +- 5 files changed, 23 insertions(+), 16 deletions(-)