diff options
author | Patrick J Volkerding <volkerdi@slackware.com> | 2022-08-17 20:41:53 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2022-08-18 07:00:13 +0200 |
commit | 353496a7b2d983d3facb95253b0b22dd7ae224e6 (patch) | |
tree | 9a12695b4e7d71b11ad84218bdedf7214ad116d0 /source/l | |
parent | acedcf0daaa711f242744ca6577aeb42717a44d5 (diff) | |
download | current-353496a7b2d983d3facb95253b0b22dd7ae224e6.tar.gz current-353496a7b2d983d3facb95253b0b22dd7ae224e6.tar.xz |
Wed Aug 17 20:41:53 UTC 202220220817204153
a/aaa_glibc-solibs-2.36-x86_64-2.txz: Rebuilt.
a/kernel-generic-5.19.2-x86_64-1.txz: Upgraded.
a/kernel-huge-5.19.2-x86_64-1.txz: Upgraded.
a/kernel-modules-5.19.2-x86_64-1.txz: Upgraded.
ap/vim-9.0.0223-x86_64-1.txz: Upgraded.
Fix use after free, out-of-bounds read, and heap based buffer overflow.
Thanks to marav for the heads-up.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2816
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2817
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2819
(* Security fix *)
d/kernel-headers-5.19.2-x86-1.txz: Upgraded.
k/kernel-source-5.19.2-noarch-1.txz: Upgraded.
l/glibc-2.36-x86_64-2.txz: Rebuilt.
Rebuilt with a patch from Arch to reenable DT_HASH in shared objects since
the change broke Steam games that use EPIC's EAC. I'm not exactly 100% on
board with this approach, but since DT_GNU_HASH remains and is still used,
I guess I'll go along with it for now. Hopefully EAC will be patched and we
can back this out.
Thanks to Swaggajackin for the notice and for providing links to the glibc
bug discussion as well as the patch.
If anything else needs a rebuild after this, let me know in the LQ thread.
l/glibc-i18n-2.36-x86_64-2.txz: Rebuilt.
l/glibc-profile-2.36-x86_64-2.txz: Rebuilt.
xap/vim-gvim-9.0.0223-x86_64-1.txz: Upgraded.
isolinux/initrd.img: Rebuilt.
kernels/*: Upgraded.
usb-and-pxe-installers/usbboot.img: Rebuilt.
Diffstat (limited to 'source/l')
-rwxr-xr-x | source/l/glibc/glibc.SlackBuild | 2 | ||||
-rw-r--r-- | source/l/glibc/patches/reenable_DT_HASH.patch | 145 |
2 files changed, 146 insertions, 1 deletions
diff --git a/source/l/glibc/glibc.SlackBuild b/source/l/glibc/glibc.SlackBuild index f1eb962f8..551276a55 100755 --- a/source/l/glibc/glibc.SlackBuild +++ b/source/l/glibc/glibc.SlackBuild @@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=glibc VERSION=${VERSION:-$(echo glibc-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} CHECKOUT=${CHECKOUT:-""} -BUILD=${BUILD:-1} +BUILD=${BUILD:-2} # I was considering disabling NSCD, but MoZes talked me out of it. :) #DISABLE_NSCD=" --disable-nscd " diff --git a/source/l/glibc/patches/reenable_DT_HASH.patch b/source/l/glibc/patches/reenable_DT_HASH.patch new file mode 100644 index 000000000..f828b011b --- /dev/null +++ b/source/l/glibc/patches/reenable_DT_HASH.patch @@ -0,0 +1,145 @@ +From e47de5cb2d4dbecb58f569ed241e8e95c568f03c Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Fri, 29 Apr 2022 16:37:51 +0200 +Subject: [PATCH] Do not use --hash-style=both for building glibc shared + objects + +The comment indicates that --hash-style=both was used to maintain +compatibility with static dlopen, but we had many internal ABI +changes since then, so this compatiblity does not add value anymore. + +Reviewed-by: Carlos O'Donell <carlos@redhat.com> +--- + Makeconfig | 9 +++++++++ + Makerules | 7 +++++++ + config.make.in | 1 + + configure | 28 ++++++++++++++++++++++++++++ + configure.ac | 16 ++++++++++++++++ + 5 files changed, 61 insertions(+) + +diff --git b/Makeconfig a/Makeconfig +index 760f14e92f..0aa5fb0099 100644 +--- b/Makeconfig ++++ a/Makeconfig +@@ -362,6 +362,15 @@ relro-LDFLAGS = -Wl,-z,relro + LDFLAGS.so += $(relro-LDFLAGS) + LDFLAGS-rtld += $(relro-LDFLAGS) + ++ifeq (yes,$(have-hash-style)) ++# For the time being we unconditionally use 'both'. At some time we ++# should declare statically linked code as 'out of luck' and compile ++# with --hash-style=gnu only. ++hashstyle-LDFLAGS = -Wl,--hash-style=both ++LDFLAGS.so += $(hashstyle-LDFLAGS) ++LDFLAGS-rtld += $(hashstyle-LDFLAGS) ++endif ++ + ifeq (no,$(build-pie-default)) + pie-default = $(no-pie-ccflag) + else # build-pie-default +diff --git b/Makerules a/Makerules +index 354528b8c7..428464f092 100644 +--- b/Makerules ++++ a/Makerules +@@ -557,6 +557,13 @@ $(common-objpfx)shlib.lds: $(common-objpfx)config.make $(..)Makerules + -Wl,--verbose 2>/dev/null | \ + sed > $@T \ + -e '/^=========/,/^=========/!d;/^=========/d' \ ++ $(if $(filter yes,$(have-hash-style)), \ ++ -e 's/^.*\.gnu\.hash[ ]*:.*$$/ .note.ABI-tag : { *(.note.ABI-tag) } &/' \ ++ -e '/^[ ]*\.hash[ ]*:.*$$/{h;d;}' \ ++ -e '/DATA_SEGMENT_ALIGN/{H;g}' \ ++ , \ ++ -e 's/^.*\.hash[ ]*:.*$$/ .note.ABI-tag : { *(.note.ABI-tag) } &/' \ ++ ) \ + -e 's/^.*\*(\.dynbss).*$$/& \ + PROVIDE(__start___libc_freeres_ptrs = .); \ + *(__libc_freeres_ptrs) \ +diff --git b/config.make.in a/config.make.in +index fff4c78dd0..bf728c71c0 100644 +--- b/config.make.in ++++ a/config.make.in +@@ -70,6 +70,7 @@ have-libcap = @have_libcap@ + have-cc-with-libunwind = @libc_cv_cc_with_libunwind@ + fno-unit-at-a-time = @fno_unit_at_a_time@ + bind-now = @bindnow@ ++have-hash-style = @libc_cv_hashstyle@ + use-default-link = @use_default_link@ + have-cxx-thread_local = @libc_cv_cxx_thread_local@ + have-loop-to-function = @libc_cv_cc_loop_to_function@ +diff --git b/configure a/configure +index 716dc041b6..5a730dc5fc 100755 +--- b/configure ++++ a/configure +@@ -622,6 +622,7 @@ libc_cv_cc_nofma + libc_cv_mtls_dialect_gnu2 + fno_unit_at_a_time + libc_cv_has_glob_dat ++libc_cv_hashstyle + libc_cv_fpie + libc_cv_z_execstack + ASFLAGS_config +@@ -6193,6 +6194,33 @@ $as_echo "$libc_cv_fpie" >&6; } + + + ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for --hash-style option" >&5 ++$as_echo_n "checking for --hash-style option... " >&6; } ++if ${libc_cv_hashstyle+:} false; then : ++ $as_echo_n "(cached) " >&6 ++else ++ cat > conftest.c <<EOF ++int _start (void) { return 42; } ++EOF ++if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp ++ -fPIC -shared -o conftest.so conftest.c ++ -Wl,--hash-style=both -nostdlib 1>&5' ++ { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5 ++ (eval $ac_try) 2>&5 ++ ac_status=$? ++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 ++ test $ac_status = 0; }; } ++then ++ libc_cv_hashstyle=yes ++else ++ libc_cv_hashstyle=no ++fi ++rm -f conftest* ++fi ++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_hashstyle" >&5 ++$as_echo "$libc_cv_hashstyle" >&6; } ++ ++ + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GLOB_DAT reloc" >&5 + $as_echo_n "checking for GLOB_DAT reloc... " >&6; } + if ${libc_cv_has_glob_dat+:} false; then : +diff --git b/configure.ac a/configure.ac +index d08ad4d64e..a045f6608e 100644 +--- b/configure.ac ++++ a/configure.ac +@@ -1360,6 +1360,22 @@ LIBC_TRY_CC_OPTION([-fpie], [libc_cv_fpie=yes], [libc_cv_fpie=no]) + + AC_SUBST(libc_cv_fpie) + ++AC_CACHE_CHECK(for --hash-style option, ++ libc_cv_hashstyle, [dnl ++cat > conftest.c <<EOF ++int _start (void) { return 42; } ++EOF ++if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp ++ -fPIC -shared -o conftest.so conftest.c ++ -Wl,--hash-style=both -nostdlib 1>&AS_MESSAGE_LOG_FD]) ++then ++ libc_cv_hashstyle=yes ++else ++ libc_cv_hashstyle=no ++fi ++rm -f conftest*]) ++AC_SUBST(libc_cv_hashstyle) ++ + AC_CACHE_CHECK(for GLOB_DAT reloc, + libc_cv_has_glob_dat, [dnl + cat > conftest.c <<EOF +-- +2.37.1 + |