This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 3.x development tree".
The branch, master has been updated
      via  bf86a0e10d65377dea53319d98f75e06b368a093 (commit)
      via  2784768aec536b195bd63b6b23491908b368afb2 (commit)
      via  01ee5a63b600818dd1a20be8261a8df0165322af (commit)
      via  9a7312a166815b9d961af7f5b85a251afe4426f8 (commit)
      via  fc484c6f639f75ff7af9dfb349455c133a51473a (commit)
      via  7942b2679a2c3859b8c7b67e5a34a584a133bbeb (commit)
     from  93e1e52703d68c05eb8175076e9038a2abdf96a8 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit bf86a0e10d65377dea53319d98f75e06b368a093
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Tue Mar 21 18:13:50 2023 +0000

    glibc: Make this package conform to FHS/Hardening
This patch changes many things about glibc in one go. Sorry.
We move glibc out of /lib so that we no longer install any files where they should not be according to our FHS.
We also enable SSP-all and ensure that everything is properly hardened.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 2784768aec536b195bd63b6b23491908b368afb2
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Tue Mar 21 18:11:30 2023 +0000

    glibc: Disable building NSCD
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 01ee5a63b600818dd1a20be8261a8df0165322af
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Mar 13 16:25:55 2023 +0000

    libvirt: Fix compiling virt-shell-login with GCC 12
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 9a7312a166815b9d961af7f5b85a251afe4426f8
Author: Stefan Schantl <stefan.schantl@ipfire.org>
Date:   Mon Mar 13 16:41:23 2023 +0100

    graphviz: Properly harden some binaries

    Use some additional compiler flags to properly harden them.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit fc484c6f639f75ff7af9dfb349455c133a51473a
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Mar 13 15:35:33 2023 +0000

    jsoncpp: Disable building object files

    We do not need those and they fail the hardening check.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 7942b2679a2c3859b8c7b67e5a34a584a133bbeb
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Mar 13 15:16:27 2023 +0000

    libunwind: Update to 1.6.2

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
 glibc/glibc.nm                             | 152 +++++++++++------------------
 graphviz/graphviz.nm                       |  28 +++++-
 jsoncpp/jsoncpp.nm                         |   7 +-
 libunwind/libunwind.nm                     |  13 +--
 libvirt/libvirt.nm                         |   2 +-
 libvirt/patches/virt-shell-login-fix.patch |  11 +++
 6 files changed, 108 insertions(+), 105 deletions(-)
 create mode 100644 libvirt/patches/virt-shell-login-fix.patch
Difference in files: diff --git a/glibc/glibc.nm b/glibc/glibc.nm index 70c5ae415..a58a826c8 100644 --- a/glibc/glibc.nm +++ b/glibc/glibc.nm @@ -5,7 +5,7 @@
name = glibc version = 2.37 -release = 2 +release = 4
maintainer = Michael Tremer michael.tremer@ipfire.org groups = System/Base @@ -27,6 +27,9 @@ source_dl = https://ftp.gnu.org/gnu/glibc/ sources = %{thisapp}.tar.xz
build + # Build in a separate directory + DIR_BUILD = %{DIR_SRC}/glibc-build + # Optimize glibc for kernel OPTIMIZED_KERNEL = 5.10
@@ -45,113 +48,86 @@ build texinfo end
- # Build glibc with custom cflags - GLIBC_FLAGS = -O2 -g -DNDEBUG -pipe - - if "%{DISTRO_ARCH}" == "x86_64" - GLIBC_FLAGS += -mtune=generic - end - - export CFLAGS = %{GLIBC_FLAGS} - export CXXFLAGS = %{GLIBC_FLAGS} - - prepare_cmds - # In the vi_VN.TCVN locale, bash enters an infinite loop at startup. It is - # unknown whether this is a bash bug or a Glibc problem. Disable - # installation of this locale in order to avoid the problem. - sed -i '/vi_VN.TCVN/d' localedata/SUPPORTED - - # The ldd shell script contains Bash-specific syntax. Change its default - # program interpreter to /bin/bash in case another /bin/sh is installed. - sed -i 's|@BASH@|/bin/bash|' elf/ldd.bash.in - - # We don't install pt_chown(1) on the final system - sed -e "/^install.*pt_chown/d" -i login/Makefile - - # Build nscd with -fstack-protector-all, instead of -fstack-protector: - sed -e "s/fstack-protector/&-strong/" -i nscd/Makefile - - # Use gnu hash style - sed -i Makeconfig \ - -e "s/-Wl,--hash-style=both/-Wl,--hash-style=gnu -Wl,-O1/" - - # http://sourceware.org/ml/libc-ports/2011-09/msg00018.html - sed -e "s/PIC/SHARED/g" -i sysdeps/arm/{set,__long}jmp.S - end + # Disable LTO + LTO_CFLAGS =
configure_options = \ --build=%{DISTRO_BUILDTARGET} \ --prefix=/usr \ + --libdir=%{libdir} \ --libexecdir=%{libdir}/glibc \ - --disable-profile \ - --enable-add-ons \ + --sbindir=%{sbindir} \ + --enable-multi-arch \ --enable-kernel=%{OPTIMIZED_KERNEL} \ + --enable-add-ons \ --disable-werror \ + --disable-profile \ --disable-crypt \ - --enable-stack-protector=strong \ + --enable-stack-protector=all \ --enable-bind-now \ - --enable-obsolete-rpc \ --with-bugurl=https://bugtracker.ipfire.org \ - --enable-lock-elision \ - --enable-cet + --disable-build-nscd \ + --disable-nscd
- build - mkdir -p %{DIR_SRC}/glibc-build - cd %{DIR_SRC}/glibc-build - - CFLAGS="${CFLAGS} -fno-asynchronous-unwind-tables" \ - ../%{thisapp}/configure \ - %{configure_options} + if "%{DISTRO_ARCH}" == "aarch64" + configure_options += \ + --enable-memory-tagging + end
- make PARALLELMFLAGS=%{PARALLELISMFLAGS} \ - CFLAGS="%{CFLAGS}" CXXFLAGS="%{CXXFLAGS}" + if "%{DISTRO_ARCH}" == "x86_64" + configure_options += \ + --enable-cet end
install - cd %{DIR_SRC}/glibc-build - make install install_root=%{BUILDROOT} + # Install everything + make install install_root=%{BUILDROOT} \ + rtlddir=%{libdir} rootsbindir=%{sbindir} slibdir=%{libdir} + + if [ "%{DISTRO_ARCH}" = "aarch64" ]; then + # On aarch64, we did link various binaries against + # an incorrect linker in /lib. In order to migrate + # away from this, we are creating a symlink which + # can hopefully go after we drop the bootstrap repositories. + mkdir -pv %{BUILDROOT}%{prefix}/lib + ln -svf --relative \ + %{BUILDROOT}%{libdir}/ld-linux-aarch64.so.1 \ + %{BUILDROOT}%{prefix}/lib/ld-linux-aarch64.so.1 + fi
# Locales mkdir -pv %{BUILDROOT}/usr/lib/locale # This would install all locales that are supported make localedata/install-locales install_root=%{BUILDROOT}
- # Configuration - cp -vf %{DIR_SOURCE}/{ld.so.conf,nsswitch.conf} %{BUILDROOT}/etc - mkdir -pv %{BUILDROOT}/etc/{default,ld.so.conf.d} - - # Remove unused binaries - rm -vf %{BUILDROOT}/sbin/sln \ - %{BUILDROOT}/usr/bin/rpcinfo + # Install runtime linker configuration + install -v -m 644 %{DIR_SOURCE}/ld.so.conf %{BUILDROOT}%{sysconfdir} + mkdir -pv %{BUILDROOT}%{sysconfdir}/ld.so.conf.d
# Don't distribute linker cache - rm -vf %{BUILDROOT}/etc/ld.so.cache + rm -vf %{BUILDROOT}%{sysconfdir}/ld.so.cache + + # Install nsswitch.conf + install -v -m 644 %{DIR_SOURCE}/nsswitch.conf %{BUILDROOT}%{sysconfdir} + + # Remove unused statically linked binaries + rm -vf %{BUILDROOT}%{sbindir}/sln
# Include /usr/lib/gconv/gconv-modules.cache > %{BUILDROOT}%{libdir}/gconv/gconv-modules.cache chmod 644 %{BUILDROOT}%{libdir}/gconv/gconv-modules.cache
- strip -g %{BUILDROOT}%{libdir}/*.o - - # Move some libs to correct place - mv -v %{BUILDROOT}/%{lib}/lib{memusage,pcprofile}.so %{BUILDROOT}%{libdir} - - # Fix library permissions. - chmod 755 %{BUILDROOT}%{libdir}/lib*.so* - - # rquota.x and rquota.h are now provided by quota - rm -vf %{BUILDROOT}%{includedir}/rpcsvc/rquota.[hx] - end - - keep_libraries - %{libdir}/libc_nonshared.a - %{libdir}/libmvec_nonshared.a - %{libdir}/libpthread_nonshared.a + # Strip any object files + strip --strip-debug %{BUILDROOT}%{libdir}/*.o end end
packages package glibc + if "%{DISTRO_ARCH}" == "aarch64" + provides += /lib/ld-linux-aarch64.so.1 + end + requires tzdata end @@ -185,34 +161,20 @@ packages files += %{libdir}/*.[ao] end
- package nscd - summary = A Name Service Caching Daemon (nscd). - description - Nscd caches name service lookups and can dramatically improve - performance with NIS+, and may help with DNS as well. - end - group = System/Daemons - - files - /usr/sbin/nscd - end - end - package %{name}-utils - summary = Development utilities from GNU C library. + summary = Development utilities from GNU C library description The glibc-utils package contains memusage, a memory usage profiler, mtrace, a memory leak tracer and xtrace, a function call tracer which can be helpful during program debugging. end - group = Development/Tools
files - /usr/bin/memusage - /usr/bin/memusagestat - /usr/bin/mtrace - /usr/bin/pcprofiledump - /usr/bin/xtrace + %{bindir}/memusage + %{bindir}/memusagestat + %{bindir}/mtrace + %{bindir}/pcprofiledump + %{bindir}/xtrace %{libdir}/libmemusage.so %{libdir}/libpcprofile.so end diff --git a/graphviz/graphviz.nm b/graphviz/graphviz.nm index 625c554b2..c5147c5f5 100644 --- a/graphviz/graphviz.nm +++ b/graphviz/graphviz.nm @@ -5,7 +5,7 @@
name = graphviz version = 7.0.4 -release = 1 +release = 2
groups = Development/Tools url = https://gitlab.com/graphviz/graphviz @@ -42,6 +42,32 @@ build ./autogen.sh end
+ configure_options += \ + --enable-debug + + configure_cmds + # Add some additional C compiler flags to proper harden liblab_gamut. + sed -i '/^CFLAGS =/ s/$/ -fno-builtin-exit -D__noreturn__=/' \ + lib/edgepaint/Makefile + + # Add some additional C and C++ compiler flags to proper harden + # the "dot" binaries. + sed -i '/^CFLAGS =/ s/$/ -fno-builtin-exit -D__noreturn__=/' \ + cmd/dot/Makefile + sed -i '/^CXXFLAGS =/ s/$/ -fno-builtin-exit -D__noreturn__=/' \ + cmd/dot/Makefile + + # Add some additional C compiler flags to proper harden the + # "gvpr" binaries. + sed -i '/^CFLAGS =/ s/$/ -fno-builtin-exit -D__noreturn__=/' \ + cmd/gvpr/Makefile + + # Add some additional C compiler flags to proper harden the + # tools. + sed -i '/^CFLAGS =/ s/$/ -fno-builtin-exit -D__noreturn__=/' \ + cmd/tools/Makefile + end + test make check end diff --git a/jsoncpp/jsoncpp.nm b/jsoncpp/jsoncpp.nm index 5ff2f5c28..a983c3cca 100644 --- a/jsoncpp/jsoncpp.nm +++ b/jsoncpp/jsoncpp.nm @@ -5,7 +5,7 @@
name = jsoncpp version = 1.9.5 -release = 1 +release = 2
groups = System/Libraries url = https://github.com/open-source-parsers/jsoncpp @@ -30,7 +30,10 @@ build end
build - %{cmake} .. + %{cmake} .. \ + -DBUILD_OBJECT_LIBS:BOOL=OFF \ + -DBUILD_STATIC_LIBS:BOOL=OFF + make %{PARALLELISMFLAGS} end end diff --git a/libunwind/libunwind.nm b/libunwind/libunwind.nm index 707feb22a..73ca35390 100644 --- a/libunwind/libunwind.nm +++ b/libunwind/libunwind.nm @@ -4,8 +4,8 @@ ###############################################################################
name = libunwind -version = 1.4.0 -release = 2 +version = 1.6.2 +release = 1
groups = Development/Debuggers url = https://savannah.nongnu.org/projects/libunwind @@ -16,14 +16,15 @@ description Libunwind provides a C ABI to determine the call-chain of a program. end
-source_dl = https://download.savannah.gnu.org/releases/libunwind/ +source_dl = https://github.com/libunwind/libunwind/releases/download/v%%7Bversion%7D/
build - CFLAGS += -fcommon - + # We are building this without setjmp since the library fails + # the hardening check. configure_options += \ --disable-static \ - --enable-shared + --enable-shared \ + --disable-setjmp
test make check LD_LIBRARY_PATH=%{DIR_APP}/src/.libs || : diff --git a/libvirt/libvirt.nm b/libvirt/libvirt.nm index 2fca99bf4..0014ab38f 100644 --- a/libvirt/libvirt.nm +++ b/libvirt/libvirt.nm @@ -5,7 +5,7 @@
name = libvirt version = 8.10.0 -release = 3 +release = 4
maintainer = Jonatan Schlag jonatan.schlag@ipfire.org groups = Applications/Virtualization diff --git a/libvirt/patches/virt-shell-login-fix.patch b/libvirt/patches/virt-shell-login-fix.patch new file mode 100644 index 000000000..906b36e4a --- /dev/null +++ b/libvirt/patches/virt-shell-login-fix.patch @@ -0,0 +1,11 @@ +--- libvirt-8.10.0/tools/meson.build.bak 2023-03-13 15:59:02.530260456 +0000 ++++ libvirt-8.10.0/tools/meson.build 2023-03-13 15:59:59.730481605 +0000 +@@ -98,6 +98,8 @@ + ], + install: true, + install_dir: bindir, ++ # Fix for GCC 12 to not omit __stack_chk_fail ++ c_args: ['-fno-builtin-exit', '-D__noreturn__='], + ) + + executable(
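Review bot: in glibc/glibc.nm, the `@@ -45,113 +48,86 @@` hunk deletes the whole `prepare_cmds` block and with it three workarounds the commit message does not mention: the `sed -i '/vi_VN.TCVN/d' localedata/SUPPORTED` locale exclusion (the comment says bash loops forever at startup in that locale), the `@BASH@` to `/bin/bash` substitution in elf/ldd.bash.in, and the removal of the pt_chown install rule. If these are known to be unnecessary with glibc 2.37, please say so in the commit message; otherwise the relevant sed lines should survive the reorganisation. The new empty assignment `LTO_CFLAGS =` also deserves one line on why LTO is switched off for glibc specifically, since the commit is otherwise about turning hardening up (`--enable-stack-protector=strong` becomes `--enable-stack-protector=all`).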
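Review bot: in the glibc `install` hunk, the aarch64 migration symlink is created under `%{BUILDROOT}%{prefix}/lib`, while the comment describes the old linker as living in `/lib` and the `package glibc` hunk advertises `provides += /lib/ld-linux-aarch64.so.1`. With `--prefix=/usr` those are only the same file when `/lib` is merged into `/usr/lib` on the target; if that is the case, a comment next to the `mkdir -pv` should state it, and if not, the symlink should be created at the literal `/lib` path the provides entry promises, otherwise the package declares a path it does not ship. Given that the stated purpose of the commit is to stop installing files outside the FHS layout, a TODO carrying the removal condition already in the comment ("after we drop the bootstrap repositories") would keep this from outliving its purpose.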
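Review bot: in the glibc `@@ -185,34 +161,20 @@` hunk, two changes go beyond what the commit messages describe. The `nscd` sub-package is removed outright (consistent with `--disable-build-nscd --disable-nscd`), but nothing in the diff covers systems that have the old package installed; please check whether the .nm format needs an obsoletes-style entry so upgrades do not leave a stale nscd behind, and whether anything still ships or references /etc/nscd.conf. Separately, `- group = Development/Tools` is dropped from `%{name}-utils`, so glibc-utils now inherits whatever the top-level group is (System/Base); if that re-categorisation is intended it should be mentioned, otherwise the line should be restored.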
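Review bot: in graphviz/graphviz.nm, `configure_options += --enable-debug` is unrelated to the hardening the commit message describes and changes what is built for a release package; either justify it in the message or drop it. The four `sed` edits in `configure_cmds` all append the identical `-fno-builtin-exit -D__noreturn__=` string to per-directory Makefiles; the reason belongs in a single comment (the libvirt patch in the same push says it: keep GCC 12 from treating `exit()` as noreturn and eliding the stack-protector epilogue, so the `__stack_chk_fail` reference the hardening check looks for stays in the binary). Note that `-D__noreturn__=` empties that attribute for every declaration in those translation units, not only for `exit()`, and that this makes the check pass rather than adding protection to code paths that never return; if the build system allows setting the flags once rather than editing four Makefiles, that would be easier to maintain across graphviz updates.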
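Review bot: in jsoncpp/jsoncpp.nm, the hunk disables both `-DBUILD_OBJECT_LIBS:BOOL=OFF` and `-DBUILD_STATIC_LIBS:BOOL=OFF`, but the commit message only talks about object files; the static library is a separate deliverable, so please either mention it in the message or split it out, and confirm that no package in the tree links jsoncpp statically.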
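Review bot: in libunwind/libunwind.nm, the new `source_dl` line reads `.../releases/download/v%%7Bversion%7D/` as shown here; if that string is literal in the file rather than a mail-rendering artefact of `v%{version}/`, the macro will not expand and the download will fail, so please double-check the committed text. In the `build` hunk, `--disable-setjmp` is justified only by "fails the hardening check"; that drops the libunwind-setjmp library, so any consumer of it should be identified before this lands. The removal of `CFLAGS += -fcommon` is presumably because 1.6.2 builds cleanly with the compiler's default `-fno-common`; a word on that in the commit message would save the next person from re-adding it.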
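Review bot: in libvirt/patches/virt-shell-login-fix.patch, the `c_args: ['-fno-builtin-exit', '-D__noreturn__=']` line is inserted into an `executable()` call whose name lies outside the three context lines (`], install: true, install_dir: bindir,`), so the hunk does not show which tool is being changed; include enough context, or a comment naming the target, so the patch can be checked when libvirt is next updated. The commit title and the file name say "virt-shell-login"; please confirm this matches the executable name in tools/meson.build. The comment in the patch explains the GCC 12 reason well; libvirt/libvirt.nm itself only bumps the release, so it is worth confirming that patches in that directory are applied automatically and that this one applies at the expected `-p1` strip level given the `libvirt-8.10.0/tools/meson.build.bak` header.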
hooks/post-receive -- IPFire 3.x development tree