commit: 8a9088a028b5c95c944c75d55797852c4d92c722 Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Wed Oct 4 12:08:15 2023 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Wed Oct 4 12:09:55 2023 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a9088a0
media-libs/libvpx: allow _FORTIFY_SOURCE Upstream have been disabling this for years, since 2011(!), for a (IMO) misguided attempt to preserve ABI which isn't really possible w/ glibc and its use of symbol versioning anyway in a backwards direction. Fedora have also been patching this out for a while: https://src.fedoraproject.org/rpms/libvpx/blob/rawhide/f/libvpx-1.7.0-leave-fortify-source-on.patch This feels especially important given libvpx had an RCE vulnerability only last week. Signed-off-by: Sam James <sam <AT> gentoo.org> .../files/libvpx-1.13.1-allow-fortify-source.patch | 17 +++ media-libs/libvpx/libvpx-1.13.1-r1.ebuild | 142 +++++++++++++++++++++ 2 files changed, 159 insertions(+) diff --git a/media-libs/libvpx/files/libvpx-1.13.1-allow-fortify-source.patch b/media-libs/libvpx/files/libvpx-1.13.1-allow-fortify-source.patch new file mode 100644 index 000000000000..5928c4e46723 --- /dev/null +++ b/media-libs/libvpx/files/libvpx-1.13.1-allow-fortify-source.patch @@ -0,0 +1,17 @@ +This was originally added for ABI reasons in a case which barely works / doesn't +work at all for glibc anyway, see https://github.com/webmproject/libvpx/commit/b73a3693e581583e9ec676f4396d0c3d173e2462. + +We want fortification and we definitely don't want it explicitly turned off. +--- a/build/make/configure.sh ++++ b/build/make/configure.sh +@@ -1495,10 +1495,6 @@ EOF + # shared objects + enabled gcc && enabled pic && check_add_cflags -fPIC + +- # Work around longjmp interception on glibc >= 2.11, to improve binary +- # compatibility. See http://code.google.com/p/webm/issues/detail?id=166 +- enabled linux && check_add_cflags -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=0 +- + # Check for strip utility variant + ${STRIP} -V 2>/dev/null | grep GNU >/dev/null && enable_feature gnu_strip + diff --git a/media-libs/libvpx/libvpx-1.13.1-r1.ebuild b/media-libs/libvpx/libvpx-1.13.1-r1.ebuild new file mode 100644 index 000000000000..3ac3d45d048a --- /dev/null +++ b/media-libs/libvpx/libvpx-1.13.1-r1.ebuild @@ -0,0 +1,142 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit edo toolchain-funcs multilib-minimal + +# To create a new testdata tarball: +# 1. Unpack source tarball or checkout git tag +# 2. mkdir libvpx-testdata +# 3. export LIBVPX_TEST_DATA_PATH=libvpx-testdata +# 4. ./configure --enable-unit-tests --enable-vp9-highbitdepth +# 5. make testdata +# 6. tar -caf libvpx-testdata-${MY_PV}.tar.xz libvpx-testdata + +LIBVPX_TESTDATA_VER=1.13.1 + +DESCRIPTION="WebM VP8 and VP9 Codec SDK" +HOMEPAGE="https://www.webmproject.org"; +SRC_URI=" + https://github.com/webmproject/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz + test? ( https://dev.gentoo.org/~sam/distfiles/${CATEGORY}/${PN}/${PN}-testdata-${LIBVPX_TESTDATA_VER}.tar.xz ) +" + +LICENSE="BSD" +SLOT="0/8" +KEYWORDS="~amd64 ~arm ~arm64 ~ia64 ~loong ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux" +IUSE="cpu_flags_ppc_vsx3 doc +highbitdepth postproc static-libs test +threads" +REQUIRED_USE="test? ( threads )" +RESTRICT="!test? ( test )" + +BDEPEND=" + dev-lang/perl + abi_x86_32? ( dev-lang/yasm ) + abi_x86_64? ( dev-lang/yasm ) + abi_x86_x32? ( dev-lang/yasm ) + doc? ( + app-doc/doxygen + dev-lang/php + ) +" + +PATCHES=( + # bug #501010 + "${FILESDIR}/${PN}-1.3.0-sparc-configure.patch" + "${FILESDIR}/${PN}-1.13.1-allow-fortify-source.patch" +) + +src_configure() { + # bug #384585, bug #465988 + # copied from php-pear-r1.eclass + addpredict /usr/share/snmp/mibs/.index + addpredict /var/lib/net-snmp/ + addpredict /var/lib/net-snmp/mib_indexes + addpredict /session_mm_cli0.sem + multilib-minimal_src_configure +} + +multilib_src_configure() { + # bug #357487 + unset CODECS + # bug #905986 + unset DIST_DIR + + # bug #498364: sse doesn't work without sse2 enabled, + local myconfargs=( + --prefix="${EPREFIX}"/usr + --libdir="${EPREFIX}"/usr/$(get_libdir) + --enable-pic + --enable-vp8 + --enable-vp9 + --enable-shared + --disable-optimizations + $(use_enable postproc) + $(use_enable static-libs static) + $(use_enable test unit-tests) + $(use_enable threads multithread) + $(use_enable highbitdepth vp9-highbitdepth) + ) + + # let the build system decide which AS to use (it honours $AS but + # then feeds it with yasm flags without checking...), bug #345161 + tc-export AS + case "${CHOST}" in + i?86*) export AS=yasm;; + x86_64*) export AS=yasm;; + esac + + # libvpx is fragile: both for tests at runtime. + # We force using the generic target unless we know things work to + # avoid runtime breakage on exotic arches. + if [[ ${ABI} == amd64 ]] ; then + myconfargs+=( --force-target=x86_64-linux-gcc ) + elif [[ ${ABI} == x86 ]] ; then + myconfargs+=( --force-target=x86-linux-gcc ) + elif [[ ${ABI} == arm64 ]] ; then + myconfargs+=( --force-target=arm64-linux-gcc ) + elif [[ ${ABI} == arm ]] && [[ ${CHOST} == *armv7* ]] ; then + myconfargs+=( --force-target=armv7-linux-gcc ) + elif [[ ${ABI} == ppc64 ]] && [[ $(tc-endian) != big ]] && use cpu_flags_ppc_vsx3; then + # only enable this target for at least power9 CPU running little-endian + myconfargs+=( --force-target=ppc64le-linux-gcc ) + else + myconfargs+=( --force-target=generic-gnu ) + fi + + # powerpc toolchain is not recognized anymore, bug #694368 + #[[ ${CHOST} == powerpc-* ]] && myconfargs+=( --force-target=generic-gnu ) + + # Build with correct toolchain. + tc-export CC CXX AR NM + # Link with gcc by default, the build system should override this if needed. + export LD="${CC}" + + if multilib_is_native_abi; then + myconfargs+=( $(use_enable doc install-docs) $(use_enable doc docs) ) + else + # Not needed for multilib and will be overwritten anyway. + myconfargs+=( --disable-examples --disable-install-docs --disable-docs ) + fi + + edo "${S}"/configure "${myconfargs[@]}" +} + +multilib_src_compile() { + # Build verbose by default and do not build examples that will not be installed + # Disable stripping of debug info, bug #752057 + # (only works as long as upstream does not use non-gnu strip) + emake verbose=yes GEN_EXAMPLES= HAVE_GNU_STRIP=no +} + +multilib_src_test() { + local -x LD_LIBRARY_PATH="${BUILD_DIR}" + local -x LIBVPX_TEST_DATA_PATH="${WORKDIR}/${PN}-testdata" + emake verbose=yes GEN_EXAMPLES= test +} + +multilib_src_install() { + emake verbose=yes GEN_EXAMPLES= DESTDIR="${D}" install + + multilib_is_native_abi && use doc && dodoc -r docs/html +}
