Commit Graph

193 Commits

Author SHA1 Message Date
Franz Pletz
3ba99f83a7
glibc: enable stackprotection hardening
Enables previously manually disabled stackprotector and stackguard
randomization.

From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511811:

    If glibc is built with the --enable-stackguard-randomization option,
    each application gets a random canary value (at runtime) from /dev/urandom.
    If --enable-stackguard-randomization is absent, applications get a static
    canary value of "0xff0a0000". This is very unfortunate, because the
    attacker may be able to bypass the stack protection mechanism, by placing
    those 4 bytes in the canary word, before the actual canary check is
    performed (for example in memcpy-based buffer overflows).
2016-09-12 02:36:11 +02:00
Tuomas Tynkkynen
73f1ade407 glibc_multi: Reference dev outputs of glibc 2016-08-30 15:18:51 +03:00
Tuomas Tynkkynen
040fadf345 glibc_multi: Fix unnoticed output shuffle 2016-08-29 14:49:53 +03:00
Tuomas Tynkkynen
e065baafba glibc: Make one exception for output order
Usages like '${stdenv.cc.libc}/lib/ld-linux-x86-64.so.2' are much more
common than the bin output.
2016-08-29 14:49:52 +03:00
Tuomas Tynkkynen
a17216af4c treewide: Shuffle outputs
Make either 'bin' or 'out' the first output.
2016-08-29 14:49:51 +03:00
Robin Gloster
e17bc25943
Merge remote-tracking branch 'upstream/master' into staging 2016-08-29 00:24:47 +00:00
Tuomas Tynkkynen
d1c7eb8098 glibc: Uncomment 'meta.platforms' 2016-08-28 18:04:09 +03:00
obadz
24a9183f90 Merge branch 'hardened-stdenv' into staging
Closes #12895

Amazing work by @globin & @fpletz getting hardened compiler flags by
enabled default on the whole package set
2016-08-22 01:19:35 +01:00
obadz
b092538811 Revert "glibc: add patch to fix segfault in forkpty"
This reverts commit 1747d28e5a.

Was fixed upstream in glibc 2.24
2016-08-20 22:39:05 +01:00
obadz
3e03db11b7 glibc: fixup, that should have been $bin not $out 2016-08-19 15:23:56 +01:00
obadz
a7bfa77787 glibc: remove sln from bin, not sbin 2016-08-19 15:20:46 +01:00
obadz
9744c7768d glibc: 2.23 -> 2.24
- Removed patches that were merged upstream
- Removed --localdir from configureFlags as according to
  https://sourceware.org/bugzilla/show_bug.cgi?id=14259
  it was unused before
2016-08-19 15:05:41 +01:00
Robin Gloster
1747d28e5a glibc: add patch to fix segfault in forkpty 2016-08-16 07:52:03 +00:00
Robin Gloster
5185bc1773 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-15 14:41:01 +00:00
Vladimír Čunát
91c1317272 glibc: fixup retaining bootstrap-tools reference
https://github.com/NixOS/nixpkgs/pull/15867#issuecomment-227949096
2016-06-23 12:11:21 +02:00
Eric Litak
251c97adee fix brace warnings in glibc 2016-05-31 16:28:05 -07:00
Eric Litak
e8ca9dca53 manual strip broke crossDrv. no clue why it was ever added; should be automatic 2016-05-31 16:27:24 -07:00
Eric Litak
44ae9a3c0a reorganize crossDrv hooks 2016-05-31 16:27:24 -07:00
Eric Litak
0265285b96 moving builder.sh hooks into nix 2016-05-31 09:33:32 -07:00
Franz Pletz
f8d481754c
Merge remote-tracking branch 'origin/master' into hardened-stdenv 2016-05-18 17:10:02 +02:00
Scott R. Parish
64f5845418 glibc: patch 2.23 for CVE-2016-3075, CVE-2016-1234, CVE-2016-3706
This addresses the following security advisories:

+ CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r
+ CVE-2016-1234: glob: buffer overflow with GLOB_ALTDIRFUNC due to incorrect
                 NAME_MAX limit assumption
+ CVE-2016-3706: getaddrinfo: stack overflow in hostent conversion

Patches cherry-picked from glibc's release/2.23/master branch.

The "glob-simplify-interface.patch" was a dependency for
"cve-2016-1234.patch".
2016-05-13 23:47:17 -07:00
Robin Gloster
d020caa5b2 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-04-18 13:49:22 +00:00
Vladimír Čunát
ab15a62c68 Merge branch 'master' into closure-size
Beware that stdenv doesn't build. It seems something more will be needed
than just resolution of merge conflicts.
2016-04-01 10:06:01 +02:00
Robin Gloster
f60c9df0ba Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-03-28 15:16:29 +00:00
Vladimír Čunát
09af15654f Merge master into closure-size
The kde-5 stuff still didn't merge well.
I hand-fixed what I saw, but there may be more problems.
2016-03-08 09:58:19 +01:00
Franz Pletz
034b2ec2ed glibc: stackprotector is already disabled in default.nix
This overwrites the hardeningDisable attribute and removes disabling the
fortify flag.
2016-03-05 19:47:04 +01:00
Franz Pletz
aff1f4ab94 Use general hardening flag toggle lists
The following parameters are now available:

  * hardeningDisable
    To disable specific hardening flags
  * hardeningEnable
    To enable specific hardening flags

Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.

cc-wrapper supports the following flags:

  * fortify
  * stackprotector
  * pie (disabled by default)
  * pic
  * strictoverflow
  * format
  * relro
  * bindnow
2016-03-05 18:55:26 +01:00
Eelco Dolstra
d5bb6a1f9c glibc: Enable separate debug symbols
The importance of glibc makes it worthwhile to provide debug
symbols. However, this revealed an issue with separateDebugInfo: it
was indiscriminately adding --build-id to all ld invocations, while in
fact it should only do that for final links. Glibc also uses non-final
("relocatable") links, leading to subsequent failure to apply a build
ID ("Cannot create .note.gnu.build-id section, --build-id
ignored"). So now ld-wrapper.sh only passes --build-id for final
links.
2016-02-28 02:57:37 +01:00
Robin Gloster
83bf03e1a3 glibc: disable stackprotector hardening 2016-02-27 08:20:53 +00:00
Robin Gloster
3477e662e6 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-02-27 00:08:08 +00:00
Vladimír Čunát
59617de6d7 glibc: 2.22 -> 2.23
The two patches were included upstream.
(Even the one from guix, except for a whitespace difference.)
2016-02-21 10:31:14 +01:00
Robin Gloster
bc21db3692 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-02-19 21:16:14 +00:00
Eelco Dolstra
1ab14aad7a glibc: Drop hurd support
This hasn't been maintained since 2012.

Also, renamed glibc's kernelHeaders argument to linuxHeaders.
2016-02-18 21:11:15 +01:00
Eelco Dolstra
f98a5946b7 glibc: 2.21 -> 2.22 2016-02-18 20:54:52 +01:00
Nathan Zadoks
fc48bf5a2c glibc: fix cve-2015-7547.patch so it applies cleanly 2016-02-16 17:23:35 +01:00
Nathan Zadoks
b5aa8a4e64 glibc: patch CVE-2015-7547
The glibc DNS client side resolver is vulnerable to a stack-based buffer
overflow when the getaddrinfo() library function is used. Software using
this function may be exploited with attacker-controlled domain names,
attacker-controlled DNS servers, or through a man-in-the-middle attack.
https://googleonlinesecurity.blogspot.co.uk/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
2016-02-16 16:15:07 +01:00
Robin Gloster
f6d3b7a2ae switch hardening flags 2016-01-30 16:36:57 +00:00
Franz Pletz
954e9903ad Use a hardened stdenv by default 2016-01-30 16:36:57 +00:00
Vladimír Čunát
f9f6f41bff Merge branch 'master' into closure-size
TODO: there was more significant refactoring of qtbase and plasma 5.5
on master, and I'm deferring pointing to correct outputs to later.
2015-12-31 09:53:02 +01:00
Vladimír Čunát
244f985461 glibc-multi: fix with multiple outputs 2015-12-05 17:40:37 +01:00
Vladimír Čunát
fb3c062e54 glibc-info: fix #11476 build with multiple outputs 2015-12-05 08:59:30 +01:00
Eelco Dolstra
6a766f47c2 glibc: Fix assertion failure when using incompatible locale data
Borrowed from

  http://git.savannah.gnu.org/cgit/guix.git/plain/gnu/packages/patches/glibc-locale-incompatibility.patch

https://github.com/NixOS/nix/issues/599

We may also want to apply

  http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/patches/glibc-versioned-locpath.patch

but we'll need to ditch locale-archive first. (Apparently
locale-archive is not very useful anymore anyway.)
2015-12-02 11:27:39 +01:00
Vladimír Čunát
333d69a5f0 Merge staging into closure-size
The most complex problems were from dealing with switches reverted in
the meantime (gcc5, gmp6, ncurses6).
It's likely that darwin is (still) broken nontrivially.
2015-11-20 14:32:58 +01:00
Nikolay Amiantov
8db98ceb01 glibc_multi: fix ldd for 64-bit ELFs 2015-10-07 16:46:26 +03:00
Nikolay Amiantov
1283e3da5d glibc_multi: fix ldd for 64-bit ELFs 2015-10-07 15:44:12 +03:00
Vladimír Čunát
5227fb1dd5 Merge commit staging+systemd into closure-size
Many non-conflict problems weren't (fully) resolved in this commit yet.
2015-10-03 13:33:37 +02:00
Vladimír Čunát
1fbbeff0c1 glibc: apply four security fixes from upstream
Fixes CVE-2014-8121, CVE-2015-1781 and two unnumbered problems (apparently).
All these commits should be contained in the 2.22 release,
but we don't want that yet due to unresolved locale incompatibilites.
2015-08-18 20:58:39 +02:00
Vladimír Čunát
eb4a88d8fd glibc-locales: check that all we build is supported
Until now, if e.g. the user passed "en_US.UTF-8" instead of "en_US.UTF-8/UTF-8",
the locales would be generated without failing but wouldn't work well.
Now we guard against such mistakes. Real life examples:
https://github.com/fish-shell/fish-shell/issues/1927
2015-07-31 15:39:52 +02:00
Vladimír Čunát
f83d12a382 Merge 'master' into staging 2015-05-24 20:39:58 +02:00
Marco Schlumpp
a88c5a8037 glibc: fixed a warning caused by nix-locale-archive.patch
If a function shouldn't accept any parameters, use "(void)" instead of "()".
Close #7843. Vcunat purged unimportant changes from this commit.
2015-05-15 11:14:50 +02:00