This addresses the following security advisories:
+ CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r
+ CVE-2016-1234: glob: buffer overflow with GLOB_ALTDIRFUNC due to incorrect
NAME_MAX limit assumption
+ CVE-2016-3706: getaddrinfo: stack overflow in hostent conversion
Patches cherry-picked from glibc's release/2.23/master branch.
The "glob-simplify-interface.patch" was a dependency for
"cve-2016-1234.patch".
The following parameters are now available:
* hardeningDisable
To disable specific hardening flags
* hardeningEnable
To enable specific hardening flags
Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.
cc-wrapper supports the following flags:
* fortify
* stackprotector
* pie (disabled by default)
* pic
* strictoverflow
* format
* relro
* bindnow
The importance of glibc makes it worthwhile to provide debug
symbols. However, this revealed an issue with separateDebugInfo: it
was indiscriminately adding --build-id to all ld invocations, while in
fact it should only do that for final links. Glibc also uses non-final
("relocatable") links, leading to subsequent failure to apply a build
ID ("Cannot create .note.gnu.build-id section, --build-id
ignored"). So now ld-wrapper.sh only passes --build-id for final
links.
The glibc DNS client side resolver is vulnerable to a stack-based buffer
overflow when the getaddrinfo() library function is used. Software using
this function may be exploited with attacker-controlled domain names,
attacker-controlled DNS servers, or through a man-in-the-middle attack.
https://googleonlinesecurity.blogspot.co.uk/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
The most complex problems were from dealing with switches reverted in
the meantime (gcc5, gmp6, ncurses6).
It's likely that darwin is (still) broken nontrivially.
Fixes CVE-2014-8121, CVE-2015-1781 and two unnumbered problems (apparently).
All these commits should be contained in the 2.22 release,
but we don't want that yet due to unresolved locale incompatibilites.
Until now, if e.g. the user passed "en_US.UTF-8" instead of "en_US.UTF-8/UTF-8",
the locales would be generated without failing but wouldn't work well.
Now we guard against such mistakes. Real life examples:
https://github.com/fish-shell/fish-shell/issues/1927
It used to be a symlink, but now it is a link script. It's crucial to get
proper linking, specially on amrv5tel, where libgcc contains lot of code
related to the limited instruction set of the platform.
Without this fix, g++ shared lib linking was broken, because a "-lgcc" was
not propagated wherever "-lgcc_s" was required. The g++ spec only mentions
"-lgcc_s" and the "-lgcc" is introduced with the libgcc_s.so link script,
only available in the glibc path after this fix.
As a reminder, we put libgcc* in the glibc output to avoid having a
runtime dependency on the gcc path only because of the everywhere linked
libgcc. This problem was specially visible in platforms like armv5tel,
where most programs end up linked to libgcc. Platforms with a more rich
instruction set may rarely end up requiring a link to libgcc.
Now development stuff is propagated from the first output,
and userEnvPkgs from the one with binaries.
Also don't move *.la files (yet). It causes problems, and they're small.
- there were many easy merge conflicts
- cc-wrapper needed nontrivial changes
Many other problems might've been created by interaction of the branches,
but stdenv and a few other packages build fine now.
This prevents failures like "libgcc_s.so.1 must be installed for
pthread_cancel to work" that occur because Glibc assumes libgcc_s.so.1
to be in Glibc's libdir.
This solution is pretty hacky, because the libgcc_s.so.1 from
bootstrap-tools might be too old. So if we update GCC, programs might
end up using an outdated libgcc_s.so.1. Ideally, we would build
libgcc_s.so.1 *before* Glibc, which might not be impossible...
Fixes#3548.
I don't know why they feel they need to check the compatibility by build date,
so I would keep check against $out, which is a better nix equivalent.
Also, expression refactoring (put comments out of hash-changing bash).
It's to separate from other changes coming from master.
Conflicts:
pkgs/development/libraries/glibc/2.18/common.nix (taking both changes)
pkgs/development/libraries/ncurses/5_4.nix (deleted)
For instance, when connected to a VPN, Emacs would randomly crash
at startup:
emacs: ../sysdeps/posix/getaddrinfo.c:1467: rfc3484_sort: Assertion `src->results[i].native == -1 || src->results[i].native == a2_native' failed.
Conflicts:
pkgs/development/compilers/gcc/4.6/default.nix
pkgs/development/compilers/gcc/4.7/default.nix
The 4.7 had some weird parameters added in crossAttrs; I've removed
them, but I don't understand where they come from.
Using LD_LIBRARY_PATH, sets overrides of libs for all binaries run.
On mips64, the libz in the bootstrap-tools is a bit incompatible with
the libz binutils are built with (ld.so outputs a warning at every program run
that uses libz). binutils need to be dynamically linked to the libz they
have been linked to.
Glibc creates 'shlib.lds' using the gas program output, and it includes the
ld.so warning in case of using LD_LIBRARY_PATH. That breaks the glibc build.
As Makefile includes BUILD_LDFLAGS for the purpose of cross-rpcgen, I
use this instead of the intrusive LD_LIBRARY_PATH.
glibc 2.13 and 2.14 fail to build with our current stdenv unless the ssp is
disabled. For glibc 2.13, I've only disabled the ssp when it's being built with
a complete stdenv to avoid a stdenv rebuild
Patch submitted by Jack Cummings <jack@mudshark.org> to the nix-dev
mailing list in message <20120309092909.GG39859@ice9.mudshark.org>.
svn path=/nixpkgs/branches/stdenv-updates/; revision=33536
* Removed substitute, it's part of the generic builder now.
* stdenv-initial (Linux): use the real generic builder script. This
does require that sed is in the path of the builder of the initial
stdenv.
svn path=/nixpkgs/trunk/; revision=7498
* GCC 3.4.5.
* Updated several other stdenv packages.
* Modified the builders of several packages to use the generic
builder.
svn path=/nixpkgs/trunk/; revision=4336
this contains mostly Armijn's pure stdenv-linux.
* After unpacking the statically linked GCC, patch all store paths to
/nix/store/ffffffffffffffffffffffffffffffff. Ugly hack to prevent
undeclared references but it works.
* We don't need Glib's dynamic libraries in the first bootstrap stage;
delete them. Actually the downloaded Glibc binary is only needed
for building Glibc, since GCC needs a C compiler to build some
programs in `configure'. So static linking is fine for that. Maybe
it would be better to patch `configure' so that we don't need a
pre-built Glibc at all.
* Set the svn:executable property on `cp' and `patchelf'.
* In Glibc, revert to LinuxThreads. Maybe NPTL will work, but TLS
support is a problem.
* Delete most Glibc patches; they're no longer needed since the branch
updated it to 20050110.
* Some cleanups.
svn path=/nixpkgs/trunk/; revision=2258
supported locales. This is very useful as those are the default
locales on Red Hat and SuSE (>= 9.2). (When LANG is set to an
unsupported locale, some applications fall back on the C locale;
others (like Subversion) just barf.)
svn path=/nixpkgs/trunk/; revision=1977
libgcc of the gcc being built, not the gcc building it.
* Only include a directory in the rpath of an executable/library if it
is actually used. Before, the `/lib' directory of every build input
was added to the rpath, causing many unnecessary retained
dependencies. For instance, Perl has a `/lib' directory, but most
applications whose build process uses Perl don't actually link
against Perl. (Also added a test for this.)
* After building glibc, remove glibcbug, to prevent a retained
dependency on gcc.
* Add a newline after `building X' in GNU Make.
svn path=/nixpkgs/trunk/; revision=911
* Make builders unexecutable by removing the hash-bang line and
execute permission.
* Convert calls to `derivation' to `mkDerivation'.
* Remove `system' and `stdenv' attributes from calls to
`mkDerivation'. These transformations were all done automatically,
so it is quite possible I broke stuff.
* Put the `mkDerivation' function in stdenv/generic.
svn path=/nixpkgs/trunk/; revision=874
builders for typical Autoconf-style to be much shorten, e.g.,
. $stdenv/setup
genericBuild
The generic builder does lots of stuff automatically:
- Unpacks source archives specified by $src or $srcs (it knows about
gzip, bzip2, tar, zip, and unpacked source trees).
- Determines the source tree.
- Applies patches specified by $patches.
- Fixes libtool not to search for libraries in /lib etc.
- Runs `configure'.
- Runs `make'.
- Runs `make install'.
- Strips debug information from static libraries.
- Writes nested log information (in the format accepted by
`log2xml').
There are also lots of hooks and variables to customise the generic
builder. See `stdenv/generic/docs.txt'.
* Adapted the base packages (i.e., the ones used by stdenv) to use the
generic builder.
* We now use `curl' instead of `wget' to download files in `fetchurl'.
* Neither `curl' nor `wget' are part of stdenv. We shouldn't
encourage people to download stuff in builders (impure!).
* Updated some packages.
* `buildinputs' is now `buildInputs' (but the old name also works).
* `findInputs' in the setup script now prevents inputs from being
processed multiple times (which could happen, e.g., if an input was
a propagated input of several other inputs; this caused the size
variables like $PATH to blow up exponentially in the worst case).
* Patched GNU Make to write nested log information in the format
accepted by `log2xml'. Also, prior to writing the build command,
Make now writes a line `building X' to indicate what is being
built. This is unfortunately often obscured by the gigantic tool
invocations in many Makefiles. The actual build commands are marked
`unimportant' so that they don't clutter pages generated by
`log2html'.
svn path=/nixpkgs/trunk/; revision=845