Date: Monday, June 19, 2017 @ 21:51:14 Author: anthraxx Revision: 298992
archrelease: copy trunk to testing-i686, testing-x86_64 Added: glibc/repos/testing-i686/ glibc/repos/testing-i686/CVE-2017-1000366-rtld-LD_AUDIT.patch (from rev 298991, glibc/trunk/CVE-2017-1000366-rtld-LD_AUDIT.patch) glibc/repos/testing-i686/CVE-2017-1000366-rtld-LD_LIBRARY_PATH.patch (from rev 298991, glibc/trunk/CVE-2017-1000366-rtld-LD_LIBRARY_PATH.patch) glibc/repos/testing-i686/CVE-2017-1000366-rtld-LD_PRELOAD.patch (from rev 298991, glibc/trunk/CVE-2017-1000366-rtld-LD_PRELOAD.patch) glibc/repos/testing-i686/PKGBUILD (from rev 298991, glibc/trunk/PKGBUILD) glibc/repos/testing-i686/cvs-hwcap-AT_SECURE.patch (from rev 298991, glibc/trunk/cvs-hwcap-AT_SECURE.patch) glibc/repos/testing-i686/cvs-vectorized-strcspn-guards.patch (from rev 298991, glibc/trunk/cvs-vectorized-strcspn-guards.patch) glibc/repos/testing-i686/glibc.install (from rev 298991, glibc/trunk/glibc.install) glibc/repos/testing-i686/locale-gen (from rev 298991, glibc/trunk/locale-gen) glibc/repos/testing-i686/locale.gen.txt (from rev 298991, glibc/trunk/locale.gen.txt) glibc/repos/testing-x86_64/ glibc/repos/testing-x86_64/CVE-2017-1000366-rtld-LD_AUDIT.patch (from rev 298991, glibc/trunk/CVE-2017-1000366-rtld-LD_AUDIT.patch) glibc/repos/testing-x86_64/CVE-2017-1000366-rtld-LD_LIBRARY_PATH.patch (from rev 298991, glibc/trunk/CVE-2017-1000366-rtld-LD_LIBRARY_PATH.patch) glibc/repos/testing-x86_64/CVE-2017-1000366-rtld-LD_PRELOAD.patch (from rev 298991, glibc/trunk/CVE-2017-1000366-rtld-LD_PRELOAD.patch) glibc/repos/testing-x86_64/PKGBUILD (from rev 298991, glibc/trunk/PKGBUILD) glibc/repos/testing-x86_64/cvs-hwcap-AT_SECURE.patch (from rev 298991, glibc/trunk/cvs-hwcap-AT_SECURE.patch) glibc/repos/testing-x86_64/cvs-vectorized-strcspn-guards.patch (from rev 298991, glibc/trunk/cvs-vectorized-strcspn-guards.patch) glibc/repos/testing-x86_64/glibc.install (from rev 298991, glibc/trunk/glibc.install) glibc/repos/testing-x86_64/locale-gen (from rev 298991, glibc/trunk/locale-gen) glibc/repos/testing-x86_64/locale.gen.txt (from rev 298991, glibc/trunk/locale.gen.txt) ------------------------------------------------------------+ testing-i686/CVE-2017-1000366-rtld-LD_AUDIT.patch | 205 +++++++++++ testing-i686/CVE-2017-1000366-rtld-LD_LIBRARY_PATH.patch | 33 + testing-i686/CVE-2017-1000366-rtld-LD_PRELOAD.patch | 111 +++++ testing-i686/PKGBUILD | 165 ++++++++ testing-i686/cvs-hwcap-AT_SECURE.patch | 28 + testing-i686/cvs-vectorized-strcspn-guards.patch | 21 + testing-i686/glibc.install | 5 testing-i686/locale-gen | 42 ++ testing-i686/locale.gen.txt | 23 + testing-x86_64/CVE-2017-1000366-rtld-LD_AUDIT.patch | 205 +++++++++++ testing-x86_64/CVE-2017-1000366-rtld-LD_LIBRARY_PATH.patch | 33 + testing-x86_64/CVE-2017-1000366-rtld-LD_PRELOAD.patch | 111 +++++ testing-x86_64/PKGBUILD | 165 ++++++++ testing-x86_64/cvs-hwcap-AT_SECURE.patch | 28 + testing-x86_64/cvs-vectorized-strcspn-guards.patch | 21 + testing-x86_64/glibc.install | 5 testing-x86_64/locale-gen | 42 ++ testing-x86_64/locale.gen.txt | 23 + 18 files changed, 1266 insertions(+) Copied: glibc/repos/testing-i686/CVE-2017-1000366-rtld-LD_AUDIT.patch (from rev 298991, glibc/trunk/CVE-2017-1000366-rtld-LD_AUDIT.patch) =================================================================== --- testing-i686/CVE-2017-1000366-rtld-LD_AUDIT.patch (rev 0) +++ testing-i686/CVE-2017-1000366-rtld-LD_AUDIT.patch 2017-06-19 21:51:14 UTC (rev 298992) @@ -0,0 +1,205 @@ +From ba67ba3275d47e0080f0e5f09d9f5102c000c97e Mon Sep 17 00:00:00 2001 +Message-Id: <ba67ba3275d47e0080f0e5f09d9f5102c000c97e.1495998948.git.fwei...@redhat.com> +In-Reply-To: <cover.1495998948.git.fwei...@redhat.com> +References: <cover.1495998948.git.fwei...@redhat.com> +From: Florian Weimer <fwei...@redhat.com> +Date: Sun, 28 May 2017 20:44:52 +0200 +Subject: [PATCH 3/3] rtld: Reject overly long LD_AUDIT path elements +To: libc-al...@sourceware.org + +Also only process the last LD_AUDIT entry. +--- + elf/rtld.c | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 95 insertions(+), 15 deletions(-) + +diff --git a/elf/rtld.c b/elf/rtld.c +index 30f0cae..89d8573 100644 +--- a/elf/rtld.c ++++ b/elf/rtld.c +@@ -116,13 +116,91 @@ dso_name_valid_for_suid (const char *p) + return *p != '\0'; + } + +-/* List of auditing DSOs. */ ++/* LD_AUDIT variable contents. Must be processed before the ++ audit_list below. */ ++const char *audit_list_string; ++ ++/* Cyclic list of auditing DSOs. audit_list->next is the first ++ element. */ + static struct audit_list + { + const char *name; + struct audit_list *next; + } *audit_list; + ++/* Iterator for audit_list_string followed by audit_list. */ ++struct audit_list_iter ++{ ++ /* Tail of audit_list_string still needing processing, or NULL. */ ++ const char *audit_list_tail; ++ ++ /* The list element returned in the previous iteration. NULL before ++ the first element. */ ++ struct audit_list *previous; ++ ++ /* Scratch buffer for returning a name which is part of ++ audit_list_string. */ ++ char fname[PATH_MAX]; ++}; ++ ++/* Initialize an audit list iterator. */ ++static void ++audit_list_iter_init (struct audit_list_iter *iter) ++{ ++ iter->audit_list_tail = audit_list_string; ++ iter->previous = NULL; ++} ++ ++/* Iterate through both audit_list_string and audit_list. */ ++static const char * ++audit_list_iter_next (struct audit_list_iter *iter) ++{ ++ if (iter->audit_list_tail != NULL) ++ { ++ /* First iterate over audit_list_string. */ ++ while (*iter->audit_list_tail != '\0') ++ { ++ /* Split audit list at colon. */ ++ size_t len = strcspn (iter->audit_list_tail, ":"); ++ if (len > 0 && len < PATH_MAX) ++ { ++ memcpy (iter->fname, iter->audit_list_tail, len); ++ iter->fname[len] = '\0'; ++ } ++ else ++ /* Do not return this name to the caller. */ ++ iter->fname[0] = '\0'; ++ ++ /* Skip over the substring and the following delimiter. */ ++ iter->audit_list_tail += len; ++ if (*iter->audit_list_tail == ':') ++ ++iter->audit_list_tail; ++ ++ /* If the name is valid, return it. */ ++ if (dso_name_valid_for_suid (iter->fname)) ++ return iter->fname; ++ /* Otherwise, wrap around and try the next name. */ ++ } ++ /* Fall through to the procesing of audit_list. */ ++ } ++ ++ if (iter->previous == NULL) ++ { ++ if (audit_list == NULL) ++ /* No pre-parsed audit list. */ ++ return NULL; ++ /* Start of audit list. The first list element is at ++ audit_list->next (cyclic list). */ ++ iter->previous = audit_list->next; ++ return iter->previous->name; ++ } ++ if (iter->previous == audit_list) ++ /* Cyclic list wrap-around. */ ++ return NULL; ++ iter->previous = iter->previous->next; ++ return iter->previous->name; ++} ++ + #ifndef HAVE_INLINED_SYSCALLS + /* Set nonzero during loading and initialization of executable and + libraries, cleared before the executable's entry point runs. This +@@ -1290,11 +1368,13 @@ of this helper program; chances are you did not intend to run this program.\n\ + GL(dl_rtld_map).l_tls_modid = _dl_next_tls_modid (); + + /* If we have auditing DSOs to load, do it now. */ +- if (__glibc_unlikely (audit_list != NULL)) ++ bool need_security_init = true; ++ if (__glibc_unlikely (audit_list != NULL) ++ || __glibc_unlikely (audit_list_string != NULL)) + { +- /* Iterate over all entries in the list. The order is important. */ + struct audit_ifaces *last_audit = NULL; +- struct audit_list *al = audit_list->next; ++ struct audit_list_iter al_iter; ++ audit_list_iter_init (&al_iter); + + /* Since we start using the auditing DSOs right away we need to + initialize the data structures now. */ +@@ -1305,9 +1385,14 @@ of this helper program; chances are you did not intend to run this program.\n\ + use different values (especially the pointer guard) and will + fail later on. */ + security_init (); ++ need_security_init = false; + +- do ++ while (true) + { ++ const char *name = audit_list_iter_next (&al_iter); ++ if (name == NULL) ++ break; ++ + int tls_idx = GL(dl_tls_max_dtv_idx); + + /* Now it is time to determine the layout of the static TLS +@@ -1316,7 +1401,7 @@ of this helper program; chances are you did not intend to run this program.\n\ + no DF_STATIC_TLS bit is set. The reason is that we know + glibc will use the static model. */ + struct dlmopen_args dlmargs; +- dlmargs.fname = al->name; ++ dlmargs.fname = name; + dlmargs.map = NULL; + + const char *objname; +@@ -1329,7 +1414,7 @@ of this helper program; chances are you did not intend to run this program.\n\ + not_loaded: + _dl_error_printf ("\ + ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n", +- al->name, err_str); ++ name, err_str); + if (malloced) + free ((char *) err_str); + } +@@ -1433,10 +1518,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n", + goto not_loaded; + } + } +- +- al = al->next; + } +- while (al != audit_list->next); + + /* If we have any auditing modules, announce that we already + have two objects loaded. */ +@@ -1700,7 +1782,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n", + if (tcbp == NULL) + tcbp = init_tls (); + +- if (__glibc_likely (audit_list == NULL)) ++ if (__glibc_likely (need_security_init)) + /* Initialize security features. But only if we have not done it + earlier. */ + security_init (); +@@ -2331,9 +2413,7 @@ process_dl_audit (char *str) + char *p; + + while ((p = (strsep) (&str, ":")) != NULL) +- if (p[0] != '\0' +- && (__builtin_expect (! __libc_enable_secure, 1) +- || strchr (p, '/') == NULL)) ++ if (dso_name_valid_for_suid (p)) + { + /* This is using the local malloc, not the system malloc. The + memory can never be freed. */ +@@ -2397,7 +2477,7 @@ process_envvars (enum mode *modep) + break; + } + if (memcmp (envline, "AUDIT", 5) == 0) +- process_dl_audit (&envline[6]); ++ audit_list_string = &envline[6]; + break; + + case 7: +-- +2.9.4 + Copied: glibc/repos/testing-i686/CVE-2017-1000366-rtld-LD_LIBRARY_PATH.patch (from rev 298991, glibc/trunk/CVE-2017-1000366-rtld-LD_LIBRARY_PATH.patch) =================================================================== --- testing-i686/CVE-2017-1000366-rtld-LD_LIBRARY_PATH.patch (rev 0) +++ testing-i686/CVE-2017-1000366-rtld-LD_LIBRARY_PATH.patch 2017-06-19 21:51:14 UTC (rev 298992) @@ -0,0 +1,33 @@ +From 4d009d39ac9ede0369e268554a181b428f177a80 Mon Sep 17 00:00:00 2001 +Message-Id: <4d009d39ac9ede0369e268554a181b428f177a80.1495998948.git.fwei...@redhat.com> +In-Reply-To: <cover.1495998948.git.fwei...@redhat.com> +References: <cover.1495998948.git.fwei...@redhat.com> +From: Florian Weimer <fwei...@redhat.com> +Date: Sun, 28 May 2017 20:37:40 +0200 +Subject: [PATCH 1/3] rtld: Completely ignore LD_LIBRARY_PATH for AT_SECURE=1 + programs +To: libc-al...@sourceware.org + +LD_LIBRARY_PATH can only be used to reorder system search paths, which +is not useful functionality. +--- + elf/rtld.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/elf/rtld.c b/elf/rtld.c +index 319ef06..824b6cf 100644 +--- a/elf/rtld.c ++++ b/elf/rtld.c +@@ -2419,7 +2419,8 @@ process_envvars (enum mode *modep) + + case 12: + /* The library search path. */ +- if (memcmp (envline, "LIBRARY_PATH", 12) == 0) ++ if (!__libc_enable_secure ++ && memcmp (envline, "LIBRARY_PATH", 12) == 0) + { + library_path = &envline[13]; + break; +-- +2.9.4 + Copied: glibc/repos/testing-i686/CVE-2017-1000366-rtld-LD_PRELOAD.patch (from rev 298991, glibc/trunk/CVE-2017-1000366-rtld-LD_PRELOAD.patch) =================================================================== --- testing-i686/CVE-2017-1000366-rtld-LD_PRELOAD.patch (rev 0) +++ testing-i686/CVE-2017-1000366-rtld-LD_PRELOAD.patch 2017-06-19 21:51:14 UTC (rev 298992) @@ -0,0 +1,111 @@ +From 65ff0b7a085b85271ec8fde99f542281b495e3bc Mon Sep 17 00:00:00 2001 +Message-Id: <65ff0b7a085b85271ec8fde99f542281b495e3bc.1495998948.git.fwei...@redhat.com> +In-Reply-To: <cover.1495998948.git.fwei...@redhat.com> +References: <cover.1495998948.git.fwei...@redhat.com> +From: Florian Weimer <fwei...@redhat.com> +Date: Sun, 28 May 2017 20:57:40 +0200 +Subject: [PATCH 2/3] rtld: Reject overly long LD_PRELOAD path elements +To: libc-al...@sourceware.org + +--- + elf/rtld.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++--------------- + 1 file changed, 53 insertions(+), 16 deletions(-) + +diff --git a/elf/rtld.c b/elf/rtld.c +index 824b6cf..30f0cae 100644 +--- a/elf/rtld.c ++++ b/elf/rtld.c +@@ -99,6 +99,22 @@ uintptr_t __pointer_chk_guard_local + strong_alias (__pointer_chk_guard_local, __pointer_chk_guard) + #endif + ++/* Check that AT_SECURE=0, or that the passed name does not contain ++ directories and is not overly long. Reject empty names ++ unconditionally. */ ++static bool ++dso_name_valid_for_suid (const char *p) ++{ ++ if (__glibc_unlikely (__libc_enable_secure)) ++ { ++ /* Ignore pathnames with directories for AT_SECURE=1 ++ programs, and also skip overlong names. */ ++ size_t len = strlen (p); ++ if (len >= NAME_MAX || memchr (p, '/', len) != NULL) ++ return false; ++ } ++ return *p != '\0'; ++} + + /* List of auditing DSOs. */ + static struct audit_list +@@ -716,6 +732,42 @@ static const char *preloadlist attribute_relro; + /* Nonzero if information about versions has to be printed. */ + static int version_info attribute_relro; + ++/* The LD_PRELOAD environment variable gives list of libraries ++ separated by white space or colons that are loaded before the ++ executable's dependencies and prepended to the global scope list. ++ (If the binary is running setuid all elements containing a '/' are ++ ignored since it is insecure.) Return the number of preloads ++ performed. */ ++unsigned int ++handle_ld_preload (const char *preloadlist, struct link_map *main_map) ++{ ++ unsigned int npreloads = 0; ++ const char *p = preloadlist; ++ char fname[PATH_MAX]; ++ ++ while (*p != '\0') ++ { ++ /* Split preload list at space/colon. */ ++ size_t len = strcspn (p, " :"); ++ if (len > 0 && len < PATH_MAX) ++ { ++ memcpy (fname, p, len); ++ fname[len] = '\0'; ++ } ++ else ++ fname[0] = '\0'; ++ ++ /* Skip over the substring and the following delimiter. */ ++ p += len; ++ if (*p == ' ' || *p == ':') ++ ++p; ++ ++ if (dso_name_valid_for_suid (fname)) ++ npreloads += do_preload (fname, main_map, "LD_PRELOAD"); ++ } ++ return npreloads; ++} ++ + static void + dl_main (const ElfW(Phdr) *phdr, + ElfW(Word) phnum, +@@ -1462,23 +1514,8 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n", + + if (__glibc_unlikely (preloadlist != NULL)) + { +- /* The LD_PRELOAD environment variable gives list of libraries +- separated by white space or colons that are loaded before the +- executable's dependencies and prepended to the global scope +- list. If the binary is running setuid all elements +- containing a '/' are ignored since it is insecure. */ +- char *list = strdupa (preloadlist); +- char *p; +- + HP_TIMING_NOW (start); +- +- /* Prevent optimizing strsep. Speed is not important here. */ +- while ((p = (strsep) (&list, " :")) != NULL) +- if (p[0] != '\0' +- && (__builtin_expect (! __libc_enable_secure, 1) +- || strchr (p, '/') == NULL)) +- npreloads += do_preload (p, main_map, "LD_PRELOAD"); +- ++ npreloads += handle_ld_preload (preloadlist, main_map); + HP_TIMING_NOW (stop); + HP_TIMING_DIFF (diff, start, stop); + HP_TIMING_ACCUM_NT (load_time, diff); +-- +2.9.4 + Copied: glibc/repos/testing-i686/PKGBUILD (from rev 298991, glibc/trunk/PKGBUILD) =================================================================== --- testing-i686/PKGBUILD (rev 0) +++ testing-i686/PKGBUILD 2017-06-19 21:51:14 UTC (rev 298992) @@ -0,0 +1,165 @@ +# $Id$ +# Maintainer: Allan McRae <al...@archlinux.org> + +# toolchain build order: linux-api-headers->glibc->binutils->gcc->binutils->glibc +# NOTE: valgrind requires rebuilt with each major glibc version + +pkgname=glibc +pkgver=2.25 +pkgrel=4 +_commit=ccb4fd7a657b0fbc4890c98f4586d58a135fc583 +pkgdesc='GNU C Library' +arch=(i686 x86_64) +url='http://www.gnu.org/software/libc' +license=(GPL LGPL) +groups=(base) +depends=('linux-api-headers>=4.10' tzdata filesystem) +makedepends=('gcc>=6' git gd) +optdepends=('gd: for memusagestat') +backup=(etc/gai.conf + etc/locale.gen + etc/nscd.conf) +options=(!strip staticlibs) +install=glibc.install +source=(git+https://sourceware.org/git/glibc.git#commit=${_commit} + locale.gen.txt + locale-gen + CVE-2017-1000366-rtld-LD_AUDIT.patch + CVE-2017-1000366-rtld-LD_PRELOAD.patch + CVE-2017-1000366-rtld-LD_LIBRARY_PATH.patch + cvs-vectorized-strcspn-guards.patch + cvs-hwcap-AT_SECURE.patch) +md5sums=('SKIP' + '07ac979b6ab5eeb778d55f041529d623' + '476e9113489f93b348b21e144b6a8fcf' + '519c6eda90310964d12c7c744ce09333' + 'ed0cf195055a66d0b6f6b409c08c3199' + 'ff9ff81f713bb1b062280e669a646114' + 'e78157b48300b2436b3d90059ef02976' + 'bd31ebc2514ad79cbabd25b611c0b2a1') + +prepare() { + mkdir glibc-build + cd ${pkgname} + patch -p1 < "${srcdir}/CVE-2017-1000366-rtld-LD_AUDIT.patch" + patch -p1 < "${srcdir}/CVE-2017-1000366-rtld-LD_PRELOAD.patch" + patch -p1 < "${srcdir}/CVE-2017-1000366-rtld-LD_LIBRARY_PATH.patch" + patch -p1 < "${srcdir}/cvs-vectorized-strcspn-guards.patch" + patch -p1 < "${srcdir}/cvs-hwcap-AT_SECURE.patch" +} + +build() { + cd glibc-build + + if [[ ${CARCH} = "i686" ]]; then + # Hack to fix NPTL issues with Xen, only required on 32bit platforms + export CFLAGS="${CFLAGS} -mno-tls-direct-seg-refs" + fi + + echo "slibdir=/usr/lib" >> configparms + echo "rtlddir=/usr/lib" >> configparms + echo "sbindir=/usr/bin" >> configparms + echo "rootsbindir=/usr/bin" >> configparms + + # remove fortify for building libraries + CPPFLAGS=${CPPFLAGS/-D_FORTIFY_SOURCE=2/} + + ../${pkgname}/configure \ + --prefix=/usr \ + --libdir=/usr/lib \ + --libexecdir=/usr/lib \ + --with-headers=/usr/include \ + --with-bugurl=https://bugs.archlinux.org/ \ + --enable-add-ons \ + --enable-obsolete-rpc \ + --enable-kernel=2.6.32 \ + --enable-bind-now \ + --disable-profile \ + --enable-stackguard-randomization \ + --enable-stack-protector=strong \ + --enable-lock-elision \ + --enable-multi-arch \ + --disable-werror + + # build libraries with fortify disabled + echo "build-programs=no" >> configparms + make + + # re-enable fortify for programs + sed -i "/build-programs=/s#no#yes#" configparms + + echo "CC += -D_FORTIFY_SOURCE=2" >> configparms + echo "CXX += -D_FORTIFY_SOURCE=2" >> configparms + make +} + +check() { + cd glibc-build + + # remove fortify in preparation to run test-suite + sed -i '/FORTIFY/d' configparms + + # some failures are "expected" + make check || true +} + +package() { + cd glibc-build + + install -dm755 ${pkgdir}/etc + touch ${pkgdir}/etc/ld.so.conf + + make install_root=${pkgdir} install + + rm -f ${pkgdir}/etc/ld.so.{cache,conf} + + install -dm755 ${pkgdir}/usr/lib/{locale,systemd/system,tmpfiles.d} + + install -m644 ${srcdir}/${pkgname}/nscd/nscd.conf ${pkgdir}/etc/nscd.conf + install -m644 ${srcdir}/${pkgname}/nscd/nscd.service ${pkgdir}/usr/lib/systemd/system + install -m644 ${srcdir}/${pkgname}/nscd/nscd.tmpfiles ${pkgdir}/usr/lib/tmpfiles.d/nscd.conf + + install -m644 ${srcdir}/${pkgname}/posix/gai.conf ${pkgdir}/etc/gai.conf + + install -m755 ${srcdir}/locale-gen ${pkgdir}/usr/bin + + # create /etc/locale.gen + install -m644 ${srcdir}/locale.gen.txt ${pkgdir}/etc/locale.gen + sed -e '1,3d' -e 's|/| |g' -e 's|\\| |g' -e 's|^|#|g' \ + ${srcdir}/glibc/localedata/SUPPORTED >> ${pkgdir}/etc/locale.gen + + # Do not strip the following files for improved debugging support + # ("improved" as in not breaking gdb and valgrind...): + # ld-${pkgver}.so + # libc-${pkgver}.so + # libpthread-${pkgver}.so + # libthread_db-1.0.so + + cd $pkgdir + strip $STRIP_BINARIES usr/bin/{gencat,getconf,getent,iconv,iconvconfig} \ + usr/bin/{ldconfig,locale,localedef,nscd,makedb} \ + usr/bin/{pcprofiledump,pldd,rpcgen,sln,sprof} \ + usr/lib/getconf/* + if [[ $CARCH = "i686" ]]; then + strip $STRIP_BINARIES usr/bin/lddlibc4 + fi + + strip $STRIP_STATIC usr/lib/lib{anl,BrokenLocale,c{,_nonshared},crypt}.a \ + usr/lib/lib{dl,g,ieee,mcheck,nsl,pthread{,_nonshared}}.a \ + usr/lib/lib{resolv,rpcsvc,rt,util}.a + + strip $STRIP_SHARED usr/lib/lib{anl,BrokenLocale,cidn,crypt}-${pkgver}.so \ + usr/lib/libnss_{compat,db,dns,files,hesiod,nis,nisplus}-*.so \ + usr/lib/lib{dl,m,nsl,resolv,rt,util}-${pkgver}.so \ + usr/lib/lib{memusage,pcprofile,SegFault}.so \ + usr/lib/{audit,gconv}/*.so || true + + if [[ $CARCH = "x86_64" ]]; then + strip $STRIP_STATIC usr/lib/lib{m-${pkgver},mvec{,_nonshared}}.a + strip $STRIP_SHARED usr/lib/libmvec-*.so + fi + + if [[ $CARCH = "i686" ]]; then + strip $STRIP_STATIC usr/lib/libm.a + fi +} Copied: glibc/repos/testing-i686/cvs-hwcap-AT_SECURE.patch (from rev 298991, glibc/trunk/cvs-hwcap-AT_SECURE.patch) =================================================================== --- testing-i686/cvs-hwcap-AT_SECURE.patch (rev 0) +++ testing-i686/cvs-hwcap-AT_SECURE.patch 2017-06-19 21:51:14 UTC (rev 298992) @@ -0,0 +1,28 @@ +2017-03-07 Siddhesh Poyarekar <siddh...@sourceware.org> + + [BZ #21209] + * elf/rtld.c (process_envvars): Ignore LD_HWCAP_MASK for + AT_SECURE processes. + +--- a/elf/rtld.c ++++ b/elf/rtld.c +@@ -2404,7 +2404,8 @@ process_envvars (enum mode *modep) + + case 10: + /* Mask for the important hardware capabilities. */ +- if (memcmp (envline, "HWCAP_MASK", 10) == 0) ++ if (!__libc_enable_secure ++ && memcmp (envline, "HWCAP_MASK", 10) == 0) + GLRO(dl_hwcap_mask) = __strtoul_internal (&envline[11], NULL, + 0, 0); + break; +--- a/sysdeps/generic/unsecvars.h ++++ b/sysdeps/generic/unsecvars.h +@@ -16,6 +16,7 @@ + "LD_DEBUG\0" \ + "LD_DEBUG_OUTPUT\0" \ + "LD_DYNAMIC_WEAK\0" \ ++ "LD_HWCAP_MASK\0" \ + "LD_LIBRARY_PATH\0" \ + "LD_ORIGIN_PATH\0" \ + "LD_PRELOAD\0" \ Copied: glibc/repos/testing-i686/cvs-vectorized-strcspn-guards.patch (from rev 298991, glibc/trunk/cvs-vectorized-strcspn-guards.patch) =================================================================== --- testing-i686/cvs-vectorized-strcspn-guards.patch (rev 0) +++ testing-i686/cvs-vectorized-strcspn-guards.patch 2017-06-19 21:51:14 UTC (rev 298992) @@ -0,0 +1,21 @@ +2017-06-14 Florian Weimer <fwei...@redhat.com> + + * sysdeps/i386/i686/multiarch/strcspn-c.c: Add IS_IN (libc) guard. + * sysdeps/i386/i686/multiarch/varshift.c: Likewise. + +--- a/sysdeps/i386/i686/multiarch/strcspn-c.c ++++ b/sysdeps/i386/i686/multiarch/strcspn-c.c +@@ -1,2 +1,4 @@ +-#define __strcspn_sse2 __strcspn_ia32 +-#include <sysdeps/x86_64/multiarch/strcspn-c.c> ++#if IS_IN (libc) ++# define __strcspn_sse2 __strcspn_ia32 ++# include <sysdeps/x86_64/multiarch/strcspn-c.c> ++#endif +--- a/sysdeps/i386/i686/multiarch/varshift.c ++++ b/sysdeps/i386/i686/multiarch/varshift.c +@@ -1 +1,3 @@ +-#include <sysdeps/x86_64/multiarch/varshift.c> ++#if IS_IN (libc) ++# include <sysdeps/x86_64/multiarch/varshift.c> ++#endif Copied: glibc/repos/testing-i686/glibc.install (from rev 298991, glibc/trunk/glibc.install) =================================================================== --- testing-i686/glibc.install (rev 0) +++ testing-i686/glibc.install 2017-06-19 21:51:14 UTC (rev 298992) @@ -0,0 +1,5 @@ +post_upgrade() { + locale-gen + + ldconfig -r . +} Copied: glibc/repos/testing-i686/locale-gen (from rev 298991, glibc/trunk/locale-gen) =================================================================== --- testing-i686/locale-gen (rev 0) +++ testing-i686/locale-gen 2017-06-19 21:51:14 UTC (rev 298992) @@ -0,0 +1,42 @@ +#!/bin/sh + +set -e + +LOCALEGEN=/etc/locale.gen +LOCALES=/usr/share/i18n/locales +if [ -n "$POSIXLY_CORRECT" ]; then + unset POSIXLY_CORRECT +fi + + +[ -f $LOCALEGEN -a -s $LOCALEGEN ] || exit 0; + +# Remove all old locale dir and locale-archive before generating new +# locale data. +rm -rf /usr/lib/locale/* || true + +umask 022 + +is_entry_ok() { + if [ -n "$locale" -a -n "$charset" ] ; then + true + else + echo "error: Bad entry '$locale $charset'" + false + fi +} + +echo "Generating locales..." +while read locale charset; do \ + case $locale in \#*) continue;; "") continue;; esac; \ + is_entry_ok || continue + echo -n " `echo $locale | sed 's/\([^.\@]*\).*/\1/'`"; \ + echo -n ".$charset"; \ + echo -n `echo $locale | sed 's/\([^\@]*\)\(\@.*\)*/\2/'`; \ + echo -n '...'; \ + if [ -f $LOCALES/$locale ]; then input=$locale; else \ + input=`echo $locale | sed 's/\([^.]*\)[^@]*\(.*\)/\1\2/'`; fi; \ + localedef -i $input -c -f $charset -A /usr/share/locale/locale.alias $locale; \ + echo ' done'; \ +done < $LOCALEGEN +echo "Generation complete." Copied: glibc/repos/testing-i686/locale.gen.txt (from rev 298991, glibc/trunk/locale.gen.txt) =================================================================== --- testing-i686/locale.gen.txt (rev 0) +++ testing-i686/locale.gen.txt 2017-06-19 21:51:14 UTC (rev 298992) @@ -0,0 +1,23 @@ +# Configuration file for locale-gen +# +# lists of locales that are to be generated by the locale-gen command. +# +# Each line is of the form: +# +# <locale> <charset> +# +# where <locale> is one of the locales given in /usr/share/i18n/locales +# and <charset> is one of the character sets listed in /usr/share/i18n/charmaps +# +# Examples: +# en_US ISO-8859-1 +# en_US.UTF-8 UTF-8 +# de_DE ISO-8859-1 +# de_DE@euro ISO-8859-15 +# +# The locale-gen command will generate all the locales, +# placing them in /usr/lib/locale. +# +# A list of supported locales is included in this file. +# Uncomment the ones you need. +# Copied: glibc/repos/testing-x86_64/CVE-2017-1000366-rtld-LD_AUDIT.patch (from rev 298991, glibc/trunk/CVE-2017-1000366-rtld-LD_AUDIT.patch) =================================================================== --- testing-x86_64/CVE-2017-1000366-rtld-LD_AUDIT.patch (rev 0) +++ testing-x86_64/CVE-2017-1000366-rtld-LD_AUDIT.patch 2017-06-19 21:51:14 UTC (rev 298992) @@ -0,0 +1,205 @@ +From ba67ba3275d47e0080f0e5f09d9f5102c000c97e Mon Sep 17 00:00:00 2001 +Message-Id: <ba67ba3275d47e0080f0e5f09d9f5102c000c97e.1495998948.git.fwei...@redhat.com> +In-Reply-To: <cover.1495998948.git.fwei...@redhat.com> +References: <cover.1495998948.git.fwei...@redhat.com> +From: Florian Weimer <fwei...@redhat.com> +Date: Sun, 28 May 2017 20:44:52 +0200 +Subject: [PATCH 3/3] rtld: Reject overly long LD_AUDIT path elements +To: libc-al...@sourceware.org + +Also only process the last LD_AUDIT entry. +--- + elf/rtld.c | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 95 insertions(+), 15 deletions(-) + +diff --git a/elf/rtld.c b/elf/rtld.c +index 30f0cae..89d8573 100644 +--- a/elf/rtld.c ++++ b/elf/rtld.c +@@ -116,13 +116,91 @@ dso_name_valid_for_suid (const char *p) + return *p != '\0'; + } + +-/* List of auditing DSOs. */ ++/* LD_AUDIT variable contents. Must be processed before the ++ audit_list below. */ ++const char *audit_list_string; ++ ++/* Cyclic list of auditing DSOs. audit_list->next is the first ++ element. */ + static struct audit_list + { + const char *name; + struct audit_list *next; + } *audit_list; + ++/* Iterator for audit_list_string followed by audit_list. */ ++struct audit_list_iter ++{ ++ /* Tail of audit_list_string still needing processing, or NULL. */ ++ const char *audit_list_tail; ++ ++ /* The list element returned in the previous iteration. NULL before ++ the first element. */ ++ struct audit_list *previous; ++ ++ /* Scratch buffer for returning a name which is part of ++ audit_list_string. */ ++ char fname[PATH_MAX]; ++}; ++ ++/* Initialize an audit list iterator. */ ++static void ++audit_list_iter_init (struct audit_list_iter *iter) ++{ ++ iter->audit_list_tail = audit_list_string; ++ iter->previous = NULL; ++} ++ ++/* Iterate through both audit_list_string and audit_list. */ ++static const char * ++audit_list_iter_next (struct audit_list_iter *iter) ++{ ++ if (iter->audit_list_tail != NULL) ++ { ++ /* First iterate over audit_list_string. */ ++ while (*iter->audit_list_tail != '\0') ++ { ++ /* Split audit list at colon. */ ++ size_t len = strcspn (iter->audit_list_tail, ":"); ++ if (len > 0 && len < PATH_MAX) ++ { ++ memcpy (iter->fname, iter->audit_list_tail, len); ++ iter->fname[len] = '\0'; ++ } ++ else ++ /* Do not return this name to the caller. */ ++ iter->fname[0] = '\0'; ++ ++ /* Skip over the substring and the following delimiter. */ ++ iter->audit_list_tail += len; ++ if (*iter->audit_list_tail == ':') ++ ++iter->audit_list_tail; ++ ++ /* If the name is valid, return it. */ ++ if (dso_name_valid_for_suid (iter->fname)) ++ return iter->fname; ++ /* Otherwise, wrap around and try the next name. */ ++ } ++ /* Fall through to the procesing of audit_list. */ ++ } ++ ++ if (iter->previous == NULL) ++ { ++ if (audit_list == NULL) ++ /* No pre-parsed audit list. */ ++ return NULL; ++ /* Start of audit list. The first list element is at ++ audit_list->next (cyclic list). */ ++ iter->previous = audit_list->next; ++ return iter->previous->name; ++ } ++ if (iter->previous == audit_list) ++ /* Cyclic list wrap-around. */ ++ return NULL; ++ iter->previous = iter->previous->next; ++ return iter->previous->name; ++} ++ + #ifndef HAVE_INLINED_SYSCALLS + /* Set nonzero during loading and initialization of executable and + libraries, cleared before the executable's entry point runs. This +@@ -1290,11 +1368,13 @@ of this helper program; chances are you did not intend to run this program.\n\ + GL(dl_rtld_map).l_tls_modid = _dl_next_tls_modid (); + + /* If we have auditing DSOs to load, do it now. */ +- if (__glibc_unlikely (audit_list != NULL)) ++ bool need_security_init = true; ++ if (__glibc_unlikely (audit_list != NULL) ++ || __glibc_unlikely (audit_list_string != NULL)) + { +- /* Iterate over all entries in the list. The order is important. */ + struct audit_ifaces *last_audit = NULL; +- struct audit_list *al = audit_list->next; ++ struct audit_list_iter al_iter; ++ audit_list_iter_init (&al_iter); + + /* Since we start using the auditing DSOs right away we need to + initialize the data structures now. */ +@@ -1305,9 +1385,14 @@ of this helper program; chances are you did not intend to run this program.\n\ + use different values (especially the pointer guard) and will + fail later on. */ + security_init (); ++ need_security_init = false; + +- do ++ while (true) + { ++ const char *name = audit_list_iter_next (&al_iter); ++ if (name == NULL) ++ break; ++ + int tls_idx = GL(dl_tls_max_dtv_idx); + + /* Now it is time to determine the layout of the static TLS +@@ -1316,7 +1401,7 @@ of this helper program; chances are you did not intend to run this program.\n\ + no DF_STATIC_TLS bit is set. The reason is that we know + glibc will use the static model. */ + struct dlmopen_args dlmargs; +- dlmargs.fname = al->name; ++ dlmargs.fname = name; + dlmargs.map = NULL; + + const char *objname; +@@ -1329,7 +1414,7 @@ of this helper program; chances are you did not intend to run this program.\n\ + not_loaded: + _dl_error_printf ("\ + ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n", +- al->name, err_str); ++ name, err_str); + if (malloced) + free ((char *) err_str); + } +@@ -1433,10 +1518,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n", + goto not_loaded; + } + } +- +- al = al->next; + } +- while (al != audit_list->next); + + /* If we have any auditing modules, announce that we already + have two objects loaded. */ +@@ -1700,7 +1782,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n", + if (tcbp == NULL) + tcbp = init_tls (); + +- if (__glibc_likely (audit_list == NULL)) ++ if (__glibc_likely (need_security_init)) + /* Initialize security features. But only if we have not done it + earlier. */ + security_init (); +@@ -2331,9 +2413,7 @@ process_dl_audit (char *str) + char *p; + + while ((p = (strsep) (&str, ":")) != NULL) +- if (p[0] != '\0' +- && (__builtin_expect (! __libc_enable_secure, 1) +- || strchr (p, '/') == NULL)) ++ if (dso_name_valid_for_suid (p)) + { + /* This is using the local malloc, not the system malloc. The + memory can never be freed. */ +@@ -2397,7 +2477,7 @@ process_envvars (enum mode *modep) + break; + } + if (memcmp (envline, "AUDIT", 5) == 0) +- process_dl_audit (&envline[6]); ++ audit_list_string = &envline[6]; + break; + + case 7: +-- +2.9.4 + Copied: glibc/repos/testing-x86_64/CVE-2017-1000366-rtld-LD_LIBRARY_PATH.patch (from rev 298991, glibc/trunk/CVE-2017-1000366-rtld-LD_LIBRARY_PATH.patch) =================================================================== --- testing-x86_64/CVE-2017-1000366-rtld-LD_LIBRARY_PATH.patch (rev 0) +++ testing-x86_64/CVE-2017-1000366-rtld-LD_LIBRARY_PATH.patch 2017-06-19 21:51:14 UTC (rev 298992) @@ -0,0 +1,33 @@ +From 4d009d39ac9ede0369e268554a181b428f177a80 Mon Sep 17 00:00:00 2001 +Message-Id: <4d009d39ac9ede0369e268554a181b428f177a80.1495998948.git.fwei...@redhat.com> +In-Reply-To: <cover.1495998948.git.fwei...@redhat.com> +References: <cover.1495998948.git.fwei...@redhat.com> +From: Florian Weimer <fwei...@redhat.com> +Date: Sun, 28 May 2017 20:37:40 +0200 +Subject: [PATCH 1/3] rtld: Completely ignore LD_LIBRARY_PATH for AT_SECURE=1 + programs +To: libc-al...@sourceware.org + +LD_LIBRARY_PATH can only be used to reorder system search paths, which +is not useful functionality. +--- + elf/rtld.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/elf/rtld.c b/elf/rtld.c +index 319ef06..824b6cf 100644 +--- a/elf/rtld.c ++++ b/elf/rtld.c +@@ -2419,7 +2419,8 @@ process_envvars (enum mode *modep) + + case 12: + /* The library search path. */ +- if (memcmp (envline, "LIBRARY_PATH", 12) == 0) ++ if (!__libc_enable_secure ++ && memcmp (envline, "LIBRARY_PATH", 12) == 0) + { + library_path = &envline[13]; + break; +-- +2.9.4 + Copied: glibc/repos/testing-x86_64/CVE-2017-1000366-rtld-LD_PRELOAD.patch (from rev 298991, glibc/trunk/CVE-2017-1000366-rtld-LD_PRELOAD.patch) =================================================================== --- testing-x86_64/CVE-2017-1000366-rtld-LD_PRELOAD.patch (rev 0) +++ testing-x86_64/CVE-2017-1000366-rtld-LD_PRELOAD.patch 2017-06-19 21:51:14 UTC (rev 298992) @@ -0,0 +1,111 @@ +From 65ff0b7a085b85271ec8fde99f542281b495e3bc Mon Sep 17 00:00:00 2001 +Message-Id: <65ff0b7a085b85271ec8fde99f542281b495e3bc.1495998948.git.fwei...@redhat.com> +In-Reply-To: <cover.1495998948.git.fwei...@redhat.com> +References: <cover.1495998948.git.fwei...@redhat.com> +From: Florian Weimer <fwei...@redhat.com> +Date: Sun, 28 May 2017 20:57:40 +0200 +Subject: [PATCH 2/3] rtld: Reject overly long LD_PRELOAD path elements +To: libc-al...@sourceware.org + +--- + elf/rtld.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++--------------- + 1 file changed, 53 insertions(+), 16 deletions(-) + +diff --git a/elf/rtld.c b/elf/rtld.c +index 824b6cf..30f0cae 100644 +--- a/elf/rtld.c ++++ b/elf/rtld.c +@@ -99,6 +99,22 @@ uintptr_t __pointer_chk_guard_local + strong_alias (__pointer_chk_guard_local, __pointer_chk_guard) + #endif + ++/* Check that AT_SECURE=0, or that the passed name does not contain ++ directories and is not overly long. Reject empty names ++ unconditionally. */ ++static bool ++dso_name_valid_for_suid (const char *p) ++{ ++ if (__glibc_unlikely (__libc_enable_secure)) ++ { ++ /* Ignore pathnames with directories for AT_SECURE=1 ++ programs, and also skip overlong names. */ ++ size_t len = strlen (p); ++ if (len >= NAME_MAX || memchr (p, '/', len) != NULL) ++ return false; ++ } ++ return *p != '\0'; ++} + + /* List of auditing DSOs. */ + static struct audit_list +@@ -716,6 +732,42 @@ static const char *preloadlist attribute_relro; + /* Nonzero if information about versions has to be printed. */ + static int version_info attribute_relro; + ++/* The LD_PRELOAD environment variable gives list of libraries ++ separated by white space or colons that are loaded before the ++ executable's dependencies and prepended to the global scope list. ++ (If the binary is running setuid all elements containing a '/' are ++ ignored since it is insecure.) Return the number of preloads ++ performed. */ ++unsigned int ++handle_ld_preload (const char *preloadlist, struct link_map *main_map) ++{ ++ unsigned int npreloads = 0; ++ const char *p = preloadlist; ++ char fname[PATH_MAX]; ++ ++ while (*p != '\0') ++ { ++ /* Split preload list at space/colon. */ ++ size_t len = strcspn (p, " :"); ++ if (len > 0 && len < PATH_MAX) ++ { ++ memcpy (fname, p, len); ++ fname[len] = '\0'; ++ } ++ else ++ fname[0] = '\0'; ++ ++ /* Skip over the substring and the following delimiter. */ ++ p += len; ++ if (*p == ' ' || *p == ':') ++ ++p; ++ ++ if (dso_name_valid_for_suid (fname)) ++ npreloads += do_preload (fname, main_map, "LD_PRELOAD"); ++ } ++ return npreloads; ++} ++ + static void + dl_main (const ElfW(Phdr) *phdr, + ElfW(Word) phnum, +@@ -1462,23 +1514,8 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n", + + if (__glibc_unlikely (preloadlist != NULL)) + { +- /* The LD_PRELOAD environment variable gives list of libraries +- separated by white space or colons that are loaded before the +- executable's dependencies and prepended to the global scope +- list. If the binary is running setuid all elements +- containing a '/' are ignored since it is insecure. */ +- char *list = strdupa (preloadlist); +- char *p; +- + HP_TIMING_NOW (start); +- +- /* Prevent optimizing strsep. Speed is not important here. */ +- while ((p = (strsep) (&list, " :")) != NULL) +- if (p[0] != '\0' +- && (__builtin_expect (! __libc_enable_secure, 1) +- || strchr (p, '/') == NULL)) +- npreloads += do_preload (p, main_map, "LD_PRELOAD"); +- ++ npreloads += handle_ld_preload (preloadlist, main_map); + HP_TIMING_NOW (stop); + HP_TIMING_DIFF (diff, start, stop); + HP_TIMING_ACCUM_NT (load_time, diff); +-- +2.9.4 + Copied: glibc/repos/testing-x86_64/PKGBUILD (from rev 298991, glibc/trunk/PKGBUILD) =================================================================== --- testing-x86_64/PKGBUILD (rev 0) +++ testing-x86_64/PKGBUILD 2017-06-19 21:51:14 UTC (rev 298992) @@ -0,0 +1,165 @@ +# $Id$ +# Maintainer: Allan McRae <al...@archlinux.org> + +# toolchain build order: linux-api-headers->glibc->binutils->gcc->binutils->glibc +# NOTE: valgrind requires rebuilt with each major glibc version + +pkgname=glibc +pkgver=2.25 +pkgrel=4 +_commit=ccb4fd7a657b0fbc4890c98f4586d58a135fc583 +pkgdesc='GNU C Library' +arch=(i686 x86_64) +url='http://www.gnu.org/software/libc' +license=(GPL LGPL) +groups=(base) +depends=('linux-api-headers>=4.10' tzdata filesystem) +makedepends=('gcc>=6' git gd) +optdepends=('gd: for memusagestat') +backup=(etc/gai.conf + etc/locale.gen + etc/nscd.conf) +options=(!strip staticlibs) +install=glibc.install +source=(git+https://sourceware.org/git/glibc.git#commit=${_commit} + locale.gen.txt + locale-gen + CVE-2017-1000366-rtld-LD_AUDIT.patch + CVE-2017-1000366-rtld-LD_PRELOAD.patch + CVE-2017-1000366-rtld-LD_LIBRARY_PATH.patch + cvs-vectorized-strcspn-guards.patch + cvs-hwcap-AT_SECURE.patch) +md5sums=('SKIP' + '07ac979b6ab5eeb778d55f041529d623' + '476e9113489f93b348b21e144b6a8fcf' + '519c6eda90310964d12c7c744ce09333' + 'ed0cf195055a66d0b6f6b409c08c3199' + 'ff9ff81f713bb1b062280e669a646114' + 'e78157b48300b2436b3d90059ef02976' + 'bd31ebc2514ad79cbabd25b611c0b2a1') + +prepare() { + mkdir glibc-build + cd ${pkgname} + patch -p1 < "${srcdir}/CVE-2017-1000366-rtld-LD_AUDIT.patch" + patch -p1 < "${srcdir}/CVE-2017-1000366-rtld-LD_PRELOAD.patch" + patch -p1 < "${srcdir}/CVE-2017-1000366-rtld-LD_LIBRARY_PATH.patch" + patch -p1 < "${srcdir}/cvs-vectorized-strcspn-guards.patch" + patch -p1 < "${srcdir}/cvs-hwcap-AT_SECURE.patch" +} + +build() { + cd glibc-build + + if [[ ${CARCH} = "i686" ]]; then + # Hack to fix NPTL issues with Xen, only required on 32bit platforms + export CFLAGS="${CFLAGS} -mno-tls-direct-seg-refs" + fi + + echo "slibdir=/usr/lib" >> configparms + echo "rtlddir=/usr/lib" >> configparms + echo "sbindir=/usr/bin" >> configparms + echo "rootsbindir=/usr/bin" >> configparms + + # remove fortify for building libraries + CPPFLAGS=${CPPFLAGS/-D_FORTIFY_SOURCE=2/} + + ../${pkgname}/configure \ + --prefix=/usr \ + --libdir=/usr/lib \ + --libexecdir=/usr/lib \ + --with-headers=/usr/include \ + --with-bugurl=https://bugs.archlinux.org/ \ + --enable-add-ons \ + --enable-obsolete-rpc \ + --enable-kernel=2.6.32 \ + --enable-bind-now \ + --disable-profile \ + --enable-stackguard-randomization \ + --enable-stack-protector=strong \ + --enable-lock-elision \ + --enable-multi-arch \ + --disable-werror + + # build libraries with fortify disabled + echo "build-programs=no" >> configparms + make + + # re-enable fortify for programs + sed -i "/build-programs=/s#no#yes#" configparms + + echo "CC += -D_FORTIFY_SOURCE=2" >> configparms + echo "CXX += -D_FORTIFY_SOURCE=2" >> configparms + make +} + +check() { + cd glibc-build + + # remove fortify in preparation to run test-suite + sed -i '/FORTIFY/d' configparms + + # some failures are "expected" + make check || true +} + +package() { + cd glibc-build + + install -dm755 ${pkgdir}/etc + touch ${pkgdir}/etc/ld.so.conf + + make install_root=${pkgdir} install + + rm -f ${pkgdir}/etc/ld.so.{cache,conf} + + install -dm755 ${pkgdir}/usr/lib/{locale,systemd/system,tmpfiles.d} + + install -m644 ${srcdir}/${pkgname}/nscd/nscd.conf ${pkgdir}/etc/nscd.conf + install -m644 ${srcdir}/${pkgname}/nscd/nscd.service ${pkgdir}/usr/lib/systemd/system + install -m644 ${srcdir}/${pkgname}/nscd/nscd.tmpfiles ${pkgdir}/usr/lib/tmpfiles.d/nscd.conf + + install -m644 ${srcdir}/${pkgname}/posix/gai.conf ${pkgdir}/etc/gai.conf + + install -m755 ${srcdir}/locale-gen ${pkgdir}/usr/bin + + # create /etc/locale.gen + install -m644 ${srcdir}/locale.gen.txt ${pkgdir}/etc/locale.gen + sed -e '1,3d' -e 's|/| |g' -e 's|\\| |g' -e 's|^|#|g' \ + ${srcdir}/glibc/localedata/SUPPORTED >> ${pkgdir}/etc/locale.gen + + # Do not strip the following files for improved debugging support + # ("improved" as in not breaking gdb and valgrind...): + # ld-${pkgver}.so + # libc-${pkgver}.so + # libpthread-${pkgver}.so + # libthread_db-1.0.so + + cd $pkgdir + strip $STRIP_BINARIES usr/bin/{gencat,getconf,getent,iconv,iconvconfig} \ + usr/bin/{ldconfig,locale,localedef,nscd,makedb} \ + usr/bin/{pcprofiledump,pldd,rpcgen,sln,sprof} \ + usr/lib/getconf/* + if [[ $CARCH = "i686" ]]; then + strip $STRIP_BINARIES usr/bin/lddlibc4 + fi + + strip $STRIP_STATIC usr/lib/lib{anl,BrokenLocale,c{,_nonshared},crypt}.a \ + usr/lib/lib{dl,g,ieee,mcheck,nsl,pthread{,_nonshared}}.a \ + usr/lib/lib{resolv,rpcsvc,rt,util}.a + + strip $STRIP_SHARED usr/lib/lib{anl,BrokenLocale,cidn,crypt}-${pkgver}.so \ + usr/lib/libnss_{compat,db,dns,files,hesiod,nis,nisplus}-*.so \ + usr/lib/lib{dl,m,nsl,resolv,rt,util}-${pkgver}.so \ + usr/lib/lib{memusage,pcprofile,SegFault}.so \ + usr/lib/{audit,gconv}/*.so || true + + if [[ $CARCH = "x86_64" ]]; then + strip $STRIP_STATIC usr/lib/lib{m-${pkgver},mvec{,_nonshared}}.a + strip $STRIP_SHARED usr/lib/libmvec-*.so + fi + + if [[ $CARCH = "i686" ]]; then + strip $STRIP_STATIC usr/lib/libm.a + fi +} Copied: glibc/repos/testing-x86_64/cvs-hwcap-AT_SECURE.patch (from rev 298991, glibc/trunk/cvs-hwcap-AT_SECURE.patch) =================================================================== --- testing-x86_64/cvs-hwcap-AT_SECURE.patch (rev 0) +++ testing-x86_64/cvs-hwcap-AT_SECURE.patch 2017-06-19 21:51:14 UTC (rev 298992) @@ -0,0 +1,28 @@ +2017-03-07 Siddhesh Poyarekar <siddh...@sourceware.org> + + [BZ #21209] + * elf/rtld.c (process_envvars): Ignore LD_HWCAP_MASK for + AT_SECURE processes. + +--- a/elf/rtld.c ++++ b/elf/rtld.c +@@ -2404,7 +2404,8 @@ process_envvars (enum mode *modep) + + case 10: + /* Mask for the important hardware capabilities. */ +- if (memcmp (envline, "HWCAP_MASK", 10) == 0) ++ if (!__libc_enable_secure ++ && memcmp (envline, "HWCAP_MASK", 10) == 0) + GLRO(dl_hwcap_mask) = __strtoul_internal (&envline[11], NULL, + 0, 0); + break; +--- a/sysdeps/generic/unsecvars.h ++++ b/sysdeps/generic/unsecvars.h +@@ -16,6 +16,7 @@ + "LD_DEBUG\0" \ + "LD_DEBUG_OUTPUT\0" \ + "LD_DYNAMIC_WEAK\0" \ ++ "LD_HWCAP_MASK\0" \ + "LD_LIBRARY_PATH\0" \ + "LD_ORIGIN_PATH\0" \ + "LD_PRELOAD\0" \ Copied: glibc/repos/testing-x86_64/cvs-vectorized-strcspn-guards.patch (from rev 298991, glibc/trunk/cvs-vectorized-strcspn-guards.patch) =================================================================== --- testing-x86_64/cvs-vectorized-strcspn-guards.patch (rev 0) +++ testing-x86_64/cvs-vectorized-strcspn-guards.patch 2017-06-19 21:51:14 UTC (rev 298992) @@ -0,0 +1,21 @@ +2017-06-14 Florian Weimer <fwei...@redhat.com> + + * sysdeps/i386/i686/multiarch/strcspn-c.c: Add IS_IN (libc) guard. + * sysdeps/i386/i686/multiarch/varshift.c: Likewise. + +--- a/sysdeps/i386/i686/multiarch/strcspn-c.c ++++ b/sysdeps/i386/i686/multiarch/strcspn-c.c +@@ -1,2 +1,4 @@ +-#define __strcspn_sse2 __strcspn_ia32 +-#include <sysdeps/x86_64/multiarch/strcspn-c.c> ++#if IS_IN (libc) ++# define __strcspn_sse2 __strcspn_ia32 ++# include <sysdeps/x86_64/multiarch/strcspn-c.c> ++#endif +--- a/sysdeps/i386/i686/multiarch/varshift.c ++++ b/sysdeps/i386/i686/multiarch/varshift.c +@@ -1 +1,3 @@ +-#include <sysdeps/x86_64/multiarch/varshift.c> ++#if IS_IN (libc) ++# include <sysdeps/x86_64/multiarch/varshift.c> ++#endif Copied: glibc/repos/testing-x86_64/glibc.install (from rev 298991, glibc/trunk/glibc.install) =================================================================== --- testing-x86_64/glibc.install (rev 0) +++ testing-x86_64/glibc.install 2017-06-19 21:51:14 UTC (rev 298992) @@ -0,0 +1,5 @@ +post_upgrade() { + locale-gen + + ldconfig -r . +} Copied: glibc/repos/testing-x86_64/locale-gen (from rev 298991, glibc/trunk/locale-gen) =================================================================== --- testing-x86_64/locale-gen (rev 0) +++ testing-x86_64/locale-gen 2017-06-19 21:51:14 UTC (rev 298992) @@ -0,0 +1,42 @@ +#!/bin/sh + +set -e + +LOCALEGEN=/etc/locale.gen +LOCALES=/usr/share/i18n/locales +if [ -n "$POSIXLY_CORRECT" ]; then + unset POSIXLY_CORRECT +fi + + +[ -f $LOCALEGEN -a -s $LOCALEGEN ] || exit 0; + +# Remove all old locale dir and locale-archive before generating new +# locale data. +rm -rf /usr/lib/locale/* || true + +umask 022 + +is_entry_ok() { + if [ -n "$locale" -a -n "$charset" ] ; then + true + else + echo "error: Bad entry '$locale $charset'" + false + fi +} + +echo "Generating locales..." +while read locale charset; do \ + case $locale in \#*) continue;; "") continue;; esac; \ + is_entry_ok || continue + echo -n " `echo $locale | sed 's/\([^.\@]*\).*/\1/'`"; \ + echo -n ".$charset"; \ + echo -n `echo $locale | sed 's/\([^\@]*\)\(\@.*\)*/\2/'`; \ + echo -n '...'; \ + if [ -f $LOCALES/$locale ]; then input=$locale; else \ + input=`echo $locale | sed 's/\([^.]*\)[^@]*\(.*\)/\1\2/'`; fi; \ + localedef -i $input -c -f $charset -A /usr/share/locale/locale.alias $locale; \ + echo ' done'; \ +done < $LOCALEGEN +echo "Generation complete." Copied: glibc/repos/testing-x86_64/locale.gen.txt (from rev 298991, glibc/trunk/locale.gen.txt) =================================================================== --- testing-x86_64/locale.gen.txt (rev 0) +++ testing-x86_64/locale.gen.txt 2017-06-19 21:51:14 UTC (rev 298992) @@ -0,0 +1,23 @@ +# Configuration file for locale-gen +# +# lists of locales that are to be generated by the locale-gen command. +# +# Each line is of the form: +# +# <locale> <charset> +# +# where <locale> is one of the locales given in /usr/share/i18n/locales +# and <charset> is one of the character sets listed in /usr/share/i18n/charmaps +# +# Examples: +# en_US ISO-8859-1 +# en_US.UTF-8 UTF-8 +# de_DE ISO-8859-1 +# de_DE@euro ISO-8859-15 +# +# The locale-gen command will generate all the locales, +# placing them in /usr/lib/locale. +# +# A list of supported locales is included in this file. +# Uncomment the ones you need. +#