Commit Graph

163 Commits

Author SHA1 Message Date
Jörg Thalheim
5de6b3ecd7
Merge pull request #182281 from helsinki-systems/feat/glibc-sec
glibc: improve configure options
2022-07-27 22:09:44 +01:00
Bernardo Meurer
272fc53af1 glibc: 2.34-210 -> 2.35-163 2022-07-22 22:31:14 -07:00
ajs124
1487fabf60 glibc: enable Intel CET on x86 2022-07-21 00:32:03 +02:00
ajs124
8f3c8aee8a glibc: explicitly enable stack-protector
should be detected automatically
2022-07-21 00:32:03 +02:00
ajs124
34b92568d1 glibc: remove obsolete configure option
see https://sourceware.org/bugzilla/show_bug.cgi?id=27872
2022-07-21 00:32:03 +02:00
github-actions[bot]
1767ba1baa
Merge master into staging-next 2022-05-29 18:01:10 +00:00
Artturin
513b7f1010 glibc_multi: match output ordering of glibc
glibc has an exception in that 'out' is the default output instead of 'bin'

it should be matched here for consistency
2022-05-29 19:54:32 +03:00
sternenseemann
dd0b96be19
Merge pull request #173893 from trofi/fix-glibc-for-gnat6
glibc: apply pending PR29162 to unbreak gnat6
2022-05-23 20:17:48 +02:00
Sergei Trofimovich
3c211fb591 glibc: apply pending PR29162 to unbreak gnat6
commit e938c0274 "Don't add access size hints to fortifiable functions"
converted a few '__attr_access ((...))' into '__fortified_attr_access (...)'
calls.

But one of conversions had double parentheses of '__fortified_attr_access (...)'.

Noticed as a gnat6 build failure:

    /<<NIX>>-glibc-2.34-210-dev/include/bits/string_fortified.h:110:50: error: macro "__fortified_attr_access" requires 3 arguments, but only 1 given

The change fixes parentheses.
2022-05-23 18:40:49 +01:00
Artturin
0f9ee45a6d glibc: enable strictDeps
verified by building and diffing 'glibc' and 'glibcInfo'
2022-05-22 16:40:40 +03:00
Maximilian Bosch
5a3e803bf3
glibc: 2.34-115 -> 2.34-210 2022-05-06 10:28:53 +02:00
Anders Kaseorg
a20e363e6b
glibc: Fix segfault in getpwuid when stat fails (#167932)
Fixes #167785 using this patch submitted upstream:

https://sourceware.org/bugzilla/show_bug.cgi?id=28752
https://patchwork.sourceware.org/project/glibc/patch/20220314175316.3239120-2-sam@gentoo.org/

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2022-04-10 07:11:57 +02:00
Maximilian Bosch
748faeb623
glibc: don't hide symbol __nss_files_fopen
I realized that `libredirect` doesn't wrap `__nss_files_fopen` anymore
which subsequently broke the `checkPhase` of `pkgs.openssh`[1] which was
implemented in 85c63a515d.

The reason for that is what `libc_hidden_{def,proto}` are used for, to
quote `libc-symbols.h`[2]:

    The following macros are used for PLT bypassing within libc.so
    (and if needed other libraries similarly).

This basically means that these symbols are altered in a way so that
they cannot be wrapped by `libredirect` even though it re-defines
`__nss_files_fopen` while being loaded at first with `LD_PRELOAD`.

The problem was caused by a change in 2.34[3] where the `files`-module
for NSS isn't loaded from `libnss_files.so.2` anymore, but the relevant
symbols are directly obtained from `libc.so.6` since a lot of glibc's
APIs were merged into `libc.so.6` before.

As this would effectively break `libredirect` whenever it tries to wrap
C APIs that interact with NSS (e.g. to use `getpwnam(3)`), I decided to
undo this change for `__nss_files_fopen`.

[1] https://hydra.nixos.org/build/160688523
[2] https://sourceware.org/git/?p=glibc.git;a=blob;f=include/libc-symbols.h;h=d41ecf4384d07f9108698dba1d4e9e6a7a9b975f;hb=ae37d06c7d127817ba43850f0f898b793d42aea7
[3] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=f9c8b11ed7726b858cd7b7cea0d3d7c5233d78cf;hp=6212bb67f4695962748a5981e1b9fea105af74f6
2022-02-27 10:26:53 +01:00
Maximilian Bosch
1b8aa881ea
glibc: revert /bin/bash usage
Rather than `$BASH`, `glibc` now hardcodes `/bin/bash` as
interpreter[1] in several scripts (including `ldd`).

This is a problem because relevant programs such as `ldd(1)` won't work
properly without this since we set `BASH` to `/bin/sh` to avoid
dependencies to the bootstrap tools for `bash` as runtime-dependency (since
NixOS doesn't have `/bin/bash`).

Considering that this was only done as an "improvement" to their
build-system and not because they wanted to use some bashisms here (the
variable was always called `BASH` and we still used `/bin/sh` anyways),
I'd consider this to be relatively safe.

[1] 5188a9d0265cc6f7235a8af1d31ab02e4a24853d
2022-02-27 10:25:35 +01:00
Maximilian Bosch
97acaf6d65
glibc: 2.33-108 -> 2.34-115
Announcement: https://sourceware.org/pipermail/libc-alpha/2021-August/129718.html
2022-02-27 10:25:33 +01:00
TredwellGit
f02dc53800 glibc: 2.33-108 -> 2.33-117 2022-02-04 08:01:11 +00:00
TredwellGit
00caaf1e9a glibc: 2.33-78 -> 2.33-108 2022-01-28 09:18:36 +00:00
Vladimír Čunát
13ab7d097f
glibc: 2.33-71 -> 2.33-78 (security)
https://www.openwall.com/lists/oss-security/2022/01/24/4
2022-01-25 11:25:18 +01:00
TredwellGit
8dd2546e75 glibc: 2.33-62 -> 2.33-71
https://sourceware.org/bugzilla/show_bug.cgi?id=22542
https://nvd.nist.gov/vuln/detail/CVE-2022-23219

https://sourceware.org/bugzilla/show_bug.cgi?id=28768
https://nvd.nist.gov/vuln/detail/CVE-2022-23218
2022-01-19 04:14:10 +00:00
TredwellGit
afcb6d3e10 glibc: 2.33-59 -> 2.33-62 2021-12-26 14:03:10 +00:00
TredwellGit
98ab93d191 glibc: 2.33-56 -> 2.33-59 2021-11-28 08:17:25 +00:00
Ryan Burns
2175b157ac treewide: refactor isi686 && isx86_64 -> isx86 2021-11-20 17:50:41 -08:00
github-actions[bot]
eeb7e66e97
Merge master into staging-next 2021-11-06 18:01:01 +00:00
Maximilian Bosch
ac971cdc54
Merge pull request #144417 from sternenseemann/glibc-always-ldd
glibc: include ldd and other scripts in cross-builds
2021-11-06 13:40:04 +01:00
github-actions[bot]
ac4cb43546
Merge staging-next into staging 2021-11-05 00:02:01 +00:00
Maximilian Bosch
b8ab5de781
Merge pull request #142799 from Ma27/glibc-mtrace
mtrace: init at 2.33-50
2021-11-04 23:01:02 +01:00
sternenseemann
e9b9bea261 glibc: include ldd and other scripts in cross-builds
Since the script interpreters are not patched (anymore?), no reference
to any shell is generated by the scripts in glibc's `bin` output:

```
$ nix-store --query --references /nix/store/nmfj3a2k2kr2lypndn37x6qbd8537f9b-glibc-riscv64-unknown-linux-gnu-2.33-50-bin
/nix/store/afgfd3vl3x5zx89awn3fjayn83yl9vcy-glibc-riscv64-unknown-linux-gnu-2.33-50
/nix/store/nmfj3a2k2kr2lypndn37x6qbd8537f9b-glibc-riscv64-unknown-linux-gnu-2.33-50-bin
```

This means that it's safe to include the scripts in glibc's bin output
even in cross builds. One interesting improvement for the future could
be to split these scripts into a separate derivation and properly patch
their script interpreter (currently they are using impure /bin/sh).
2021-11-04 13:05:59 +01:00
Maximilian Bosch
02bce71cab
mtrace: init at 2.33-50
`mtrace(1)` is a small Perl script that interprets and provides
human-readable output for `malloc(3)` traces.

Even though this is actually part of `glibc` itself I decided to place
this into its own package. The main reason for this is that this script
has a runtime dependency on Perl which would complicate `stdenv`
bootstrapping since we'd have to compile another Perl that doesn't depend on
the bootstrap tools that is used as runtime dependency for the
stage2 glibc.

Since this is only a dev/debugging tool, splitting this up seemed like a
reasonable choice to me.

On a leaking C program, this can be used like this:

    $ env MALLOC_TRACE=$(pwd)/trace ./a.out
    $ ./result/bin/mtrace ./trace

    Memory not freed:
    -----------------
               Address     Size     Caller
    0x0000000001875690      0x4  at 0x401151

Closes #141924
2021-10-25 01:01:29 +02:00
TredwellGit
2f0a0cb974 glibc: 2.33-55 -> 2.33-56 2021-10-18 23:34:22 +00:00
Yuka
ba06497904
glibcLocales: support building on musl (#141971) 2021-10-18 08:53:36 +02:00
TredwellGit
7c30fc6cd2 glibc: 2.33-50 -> 2.33-55 2021-10-07 09:29:14 +00:00
Jörg Thalheim
a65e3b66cb
Merge pull request #137601 from fzakaria/faridzakaria/glibc-netbase
glibc: allow environment variable for /etc/ files (i.e. /etc/protocols)
2021-09-21 08:07:02 +01:00
Farid Zakaria
4687d7523b glibc: add dependency on netbase /etc/protocols
Add an explicit dependency on netbase for /etc/protocols

Certain functions in glibc look for files present in /etc such as getprotobyname which reads /etc/protocols.
If you are using Nix over a Linux installation, this file may not be present, and therefore it will cause errors.

- add netbase as a new package in nixpks
- add a dependency in glibc on it using postPatchPhase and substitute
the path

Fixes #124401
2021-09-19 19:37:56 -07:00
TredwellGit
22b6677be5 glibc: 2.33-49 -> 2.33-50 2021-08-26 05:15:49 +00:00
TredwellGit
e78c292010 glibc: 2.33-47 -> 2.33-49
https://sourceware.org/bugzilla/show_bug.cgi?id=28213
2021-08-19 03:33:29 +00:00
TredwellGit
c2d4ce2808
Pick #130412: glibc: 2.33-45 -> 2.33-47 (security)
Includes CVE-2021-35942.
https://sourceware.org/bugzilla/show_bug.cgi?id=28011
2021-07-17 21:01:27 +02:00
Bernardo Meurer
acdcb8566a
glibc: 2.32-46 -> 2.33-45 2021-07-06 16:02:15 +02:00
misuzu
33f09f4713 glibc: use --enable-static-pie only on supported platforms
glibc fails to build for armv7l without this change.
2021-07-02 18:08:26 +03:00
TredwellGit
e58564267b glibc: 2.32-46 -> 2.32-48
https://sourceware.org/bugzilla/show_bug.cgi?id=27896
https://nvd.nist.gov/vuln/detail/CVE-2021-33574
2021-06-10 23:22:45 +00:00
github-actions[bot]
a1f68141f3
Merge staging-next into staging 2021-06-06 18:30:36 +00:00
Andrew Childs
e57b58bd0e glibc: fix build vs host tool confusion
Fixes cross compilation from aarch64-linux -> armv7l-linux
2021-06-04 21:44:23 +09:00
Jörg Thalheim
5551a78578
Merge pull request #123989 from Mic92/static-pie
glibc: allow to build position-independent static executable
2021-05-25 06:32:25 +01:00
Jörg Thalheim
61c74e1aee
glibc: allow to build position-independent static executable
This enables ALSR on static executables, which makes them harder to
exploit by providing a crt suitable for static PIEs.

Does this break existing binaries? Likely not. Static-pie is only
used if explicitly enabled.
2021-05-22 13:33:49 +02:00
Jonathan Ringer
a459e51174 glibc: restore version passthru
downstream packages use the major.minor version
to determine ABI compatibility and paths which
do not depend on patch version
2021-05-18 12:54:43 -07:00
John Ericson
77e97ac4ca glibc: Use pname and version 2021-05-10 20:56:33 +00:00
TredwellGit
ba793bcaa8 glibc: 2.32-40 -> 2.32-46 2021-04-14 07:13:15 +00:00
TredwellGit
6fb325e389 glibc: 2.32-39 -> 2.32-40 2021-03-30 19:10:03 +00:00
TredwellGit
9e06efd3c8 glibc: 2.32-37 -> 2.32-39
https://sourceware.org/bugzilla/show_bug.cgi?id=27462
https://nvd.nist.gov/vuln/detail/CVE-2021-27645
2021-03-09 02:48:09 +00:00
TredwellGit
1ef3b900c6 glibc: 2.32-35 -> 2.32-37 2021-01-29 07:50:56 +00:00
Jan Tojnar
01ee4ea574
Merge branch 'master' into staging-next 2021-01-24 00:09:45 +01:00