diff --git a/base/patch/glibc-2.39-fhs-1.patch b/base/patch/glibc-2.39-fhs-1.patch
new file mode 100644
index 0000000..4ac8d10
--- /dev/null
+++ b/base/patch/glibc-2.39-fhs-1.patch
@@ -0,0 +1,72 @@
+Submitted By: Armin K.
+Date: 2013-02-11
+Initial Package Version: 2.17
+Upstream Status: Not Applicable
+Origin: Self
+Description: This patch removes references to /var/db directory which is not part
+ of FHS and replaces them with more suitable directories in /var
+ hierarchy - /var/cache/nscd for nscd and /var/lib/nss_db for nss_db.
+
+--- a/Makeconfig 2012-12-25 04:02:13.000000000 +0100
++++ b/Makeconfig 2013-02-11 01:32:32.500667439 +0100
+@@ -250,7 +250,7 @@
+ 
+ # Directory for the database files and Makefile for nss_db.
+ ifndef vardbdir
+-vardbdir = $(localstatedir)/db
++vardbdir = $(localstatedir)/lib/nss_db
+ endif
+ inst_vardbdir = $(install_root)$(vardbdir)
+ 
+--- a/nscd/nscd.h 2012-12-25 04:02:13.000000000 +0100
++++ b/nscd/nscd.h 2013-02-11 01:32:32.500667439 +0100
+@@ -112,11 +112,11 @@
+ 
+ 
+ /* Paths of the file for the persistent storage. */
+-#define _PATH_NSCD_PASSWD_DB "/var/db/nscd/passwd"
+-#define _PATH_NSCD_GROUP_DB "/var/db/nscd/group"
+-#define _PATH_NSCD_HOSTS_DB "/var/db/nscd/hosts"
+-#define _PATH_NSCD_SERVICES_DB "/var/db/nscd/services"
+-#define _PATH_NSCD_NETGROUP_DB "/var/db/nscd/netgroup"
++#define _PATH_NSCD_PASSWD_DB "/var/cache/nscd/passwd"
++#define _PATH_NSCD_GROUP_DB "/var/cache/nscd/group"
++#define _PATH_NSCD_HOSTS_DB "/var/cache/nscd/hosts"
++#define _PATH_NSCD_SERVICES_DB "/var/cache/nscd/services"
++#define _PATH_NSCD_NETGROUP_DB "/var/cache/nscd/netgroup"
+ 
+ /* Path used when not using persistent storage. */
+ #define _PATH_NSCD_XYZ_DB_TMP "/var/run/nscd/dbXXXXXX"
+--- a/nss/db-Makefile 2012-12-25 04:02:13.000000000 +0100
++++ b/nss/db-Makefile 2013-02-11 01:32:32.500667439 +0100
+@@ -22,7 +22,7 @@
+ /etc/rpc /etc/services /etc/shadow /etc/gshadow \
+ /etc/netgroup)
+ 
+-VAR_DB = /var/db
++VAR_DB = /var/lib/nss_db
+ 
+ AWK = awk
+ MAKEDB = makedb --quiet
+--- a/sysdeps/generic/paths.h 2012-12-25 04:02:13.000000000 +0100
++++ b/sysdeps/generic/paths.h 2013-02-11 01:32:32.500667439 +0100
+@@ -68,7 +68,7 @@
+ /* Provide trailing slash, since mostly used for building pathnames. */
+ #define _PATH_DEV "/dev/"
+ #define _PATH_TMP "/tmp/"
+-#define _PATH_VARDB "/var/db/"
++#define _PATH_VARDB "/var/lib/nss_db/"
+ #define _PATH_VARRUN "/var/run/"
+ #define _PATH_VARTMP "/var/tmp/"
+ 
+--- a/sysdeps/unix/sysv/linux/paths.h 2012-12-25 04:02:13.000000000 +0100
++++ b/sysdeps/unix/sysv/linux/paths.h 2013-02-11 01:32:32.504000831 +0100
+@@ -68,7 +68,7 @@
+ /* Provide trailing slash, since mostly used for building pathnames. */
+ #define _PATH_DEV "/dev/"
+ #define _PATH_TMP "/tmp/"
+-#define _PATH_VARDB "/var/db/"
++#define _PATH_VARDB "/var/lib/nss_db/"
+ #define _PATH_VARRUN "/var/run/"
+ #define _PATH_VARTMP "/var/tmp/"
+ 
diff --git a/base/patch/glibc-2.39-upstream_fix-2.patch b/base/patch/glibc-2.39-upstream_fix-2.patch
new file mode 100644
index 0000000..ae5926e
--- /dev/null
+++ b/base/patch/glibc-2.39-upstream_fix-2.patch
@@ -0,0 +1,227 @@
+Submitted By: Xi Ruoyao
+Date: 2024-05-02
+Initial Package Version: 2.39
+Upstream Status: Committed
+Origin: Upstream
+Description: Fix a bug in iconv() that can crash the system and/or allow
+ remote access through a buffer overflow.
+ See comments included below for details.
+ Change from glibc-2.39-upstream_fix-1.patch: fix some
+ broken UTF-8 literals in the added test case.
+
+From 31da30f23cddd36db29d5b6a1c7619361b271fb4 Mon Sep 17 00:00:00 2001
+From: Charles Fol
+Date: Thu, 28 Mar 2024 12:25:38 -0300
+Subject: [PATCH] iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing
+ escape sequence (CVE-2024-2961)
+
+ISO-2022-CN-EXT uses escape sequences to indicate character set changes
+(as specified by RFC 1922). While the SOdesignation has the expected
+bounds checks, neither SS2designation nor SS3designation have its;
+allowing a write overflow of 1, 2, or 3 bytes with fixed values:
+'$+I', '$+J', '$+K', '$+L', '$+M', or '$*H'.
+
+Checked on aarch64-linux-gnu.
+
+Co-authored-by: Adhemerval Zanella
+Reviewed-by: Carlos O'Donell
+Tested-by: Carlos O'Donell
+
+(cherry picked from commit f9dc609e06b1136bb0408be9605ce7973a767ada)
+---
+ iconvdata/Makefile | 5 +-
+ iconvdata/iso-2022-cn-ext.c | 12 +++
+ iconvdata/tst-iconv-iso-2022-cn-ext.c | 128 ++++++++++++++++++++++++++
+ 3 files changed, 144 insertions(+), 1 deletion(-)
+ create mode 100644 iconvdata/tst-iconv-iso-2022-cn-ext.c
+
+diff --git a/iconvdata/Makefile b/iconvdata/Makefile
+index ea019ce5c0..7196a8744b 100644
+--- a/iconvdata/Makefile
++++ b/iconvdata/Makefile
+@@ -75,7 +75,8 @@ ifeq (yes,$(build-shared))
+ tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
+ tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
+ bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 \
+- bug-iconv13 bug-iconv14 bug-iconv15
++ bug-iconv13 bug-iconv14 bug-iconv15 \
++ tst-iconv-iso-2022-cn-ext
+ ifeq ($(have-thread-library),yes)
+ tests += bug-iconv3
+ endif
+@@ -330,6 +331,8 @@ $(objpfx)bug-iconv14.out: $(addprefix $(objpfx), $(gconv-modules)) \
+ $(addprefix $(objpfx),$(modules.so))
+ $(objpfx)bug-iconv15.out: $(addprefix $(objpfx), $(gconv-modules)) \
+ $(addprefix $(objpfx),$(modules.so))
++$(objpfx)tst-iconv-iso-2022-cn-ext.out: $(addprefix $(objpfx), $(gconv-modules)) \
++ $(addprefix $(objpfx),$(modules.so))
+ 
+ $(objpfx)iconv-test.out: run-iconv-test.sh \
+ $(addprefix $(objpfx), $(gconv-modules)) \
+diff --git a/iconvdata/iso-2022-cn-ext.c b/iconvdata/iso-2022-cn-ext.c
+index b34c8a36f4..cce29b1969 100644
+--- a/iconvdata/iso-2022-cn-ext.c
++++ b/iconvdata/iso-2022-cn-ext.c
+@@ -574,6 +574,12 @@ DIAG_IGNORE_Os_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
+ { \
+ const char *escseq; \
+ \
++ if (outptr + 4 > outend) \
++ { \
++ result = __GCONV_FULL_OUTPUT; \
++ break; \
++ } \
++ \
+ assert (used == CNS11643_2_set); /* XXX */ \
+ escseq = "*H"; \
+ *outptr++ = ESC; \
+@@ -587,6 +593,12 @@ DIAG_IGNORE_Os_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
+ { \
+ const char *escseq; \
+ \
++ if (outptr + 4 > outend) \
++ { \
++ result = __GCONV_FULL_OUTPUT; \
++ break; \
++ } \
++ \
+ assert ((used >> 5) >= 3 && (used >> 5) <= 7); \
+ escseq = "+I+J+K+L+M" + ((used >> 5) - 3) * 2; \
+ *outptr++ = ESC; \
+diff --git a/iconvdata/tst-iconv-iso-2022-cn-ext.c b/iconvdata/tst-iconv-iso-2022-cn-ext.c
+new file mode 100644
+index 0000000000..96a8765fd5
+--- /dev/null
++++ b/iconvdata/tst-iconv-iso-2022-cn-ext.c
+@@ -0,0 +1,128 @@
++/* Verify ISO-2022-CN-EXT does not write out of the bounds.
++ Copyright (C) 2024 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ . */
++
++#include
++#include
++
++#include
++#include
++#include
++
++#include
++#include
++#include
++
++/* The test sets up a two memory page buffer with the second page marked
++ PROT_NONE to trigger a fault if the conversion writes beyond the exact
++ expected amount. Then we carry out various conversions and precisely
++ place the start of the output buffer in order to trigger a SIGSEGV if the
++ process writes anywhere between 1 and page sized bytes more (only one
++ PROT_NONE page is setup as a canary) than expected. These tests exercise
++ all three of the cases in ISO-2022-CN-EXT where the converter must switch
++ character sets and may run out of buffer space while doing the
++ operation. */
++
++static int
++do_test (void)
++{
++ iconv_t cd = iconv_open ("ISO-2022-CN-EXT", "UTF-8");
++ TEST_VERIFY_EXIT (cd != (iconv_t) -1);
++
++ char *ntf;
++ size_t ntfsize;
++ char *outbufbase;
++ {
++ int pgz = getpagesize ();
++ TEST_VERIFY_EXIT (pgz > 0);
++ ntfsize = 2 * pgz;
++
++ ntf = xmmap (NULL, ntfsize, PROT_READ | PROT_WRITE, MAP_PRIVATE
++ | MAP_ANONYMOUS, -1);
++ xmprotect (ntf + pgz, pgz, PROT_NONE);
++
++ outbufbase = ntf + pgz;
++ }
++
++ /* Check if SOdesignation escape sequence does not trigger an OOB write. */
++ {
++ char inbuf[] = "\xe4\xba\xa4\xe6\x8d\xa2";
++
++ for (int i = 0; i < 9; i++)
++ {
++ char *inp = inbuf;
++ size_t inleft = sizeof (inbuf) - 1;
++
++ char *outp = outbufbase - i;
++ size_t outleft = i;
++
++ TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft)
++ == (size_t) -1);
++ TEST_COMPARE (errno, E2BIG);
++
++ TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0);
++ }
++ }
++
++ /* Same as before for SS2designation. */
++ {
++ char inbuf[] = "㴽 \xe3\xb4\xbd";
++
++ for (int i = 0; i < 14; i++)
++ {
++ char *inp = inbuf;
++ size_t inleft = sizeof (inbuf) - 1;
++
++ char *outp = outbufbase - i;
++ size_t outleft = i;
++
++ TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft)
++ == (size_t) -1);
++ TEST_COMPARE (errno, E2BIG);
++
++ TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0);
++ }
++ }
++
++ /* Same as before for SS3designation. */
++ {
++ char inbuf[] = "劄 \xe5\x8a\x84";
++
++ for (int i = 0; i < 14; i++)
++ {
++ char *inp = inbuf;
++ size_t inleft = sizeof (inbuf) - 1;
++
++ char *outp = outbufbase - i;
++ size_t outleft = i;
++
++ TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft)
++ == (size_t) -1);
++ TEST_COMPARE (errno, E2BIG);
++
++ TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0);
++ }
++ }
++
++ TEST_VERIFY_EXIT (iconv_close (cd) != -1);
++
++ xmunmap (ntf, ntfsize);
++
++ return 0;
++}
++
++#include
+-- 
+2.45.0
+
diff --git a/base/src/glibc.ecmp b/base/src/glibc.ecmp
new file mode 100644
index 0000000..1da4b27
--- /dev/null
+++ b/base/src/glibc.ecmp
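Review bot: The regression test this patch carries (`iconvdata/tst-iconv-iso-2022-cn-ext.c`, added to `tests` in the `iconvdata/Makefile` hunk) is never built or run by the recipe that applies it — the `[install]` section of `glibc.ecmp` in this same change goes straight from `make $MAKE_FLAGS` to `make DESTDIR=$BUILD_ROOT install` with no `make check` — so the build takes the CVE-2024-2961 fix on faith rather than observing that the SS2/SS3 designation paths now fail with E2BIG instead of writing past `outend`. Running `make check` from the build directory after the build (even if narrowed to the iconvdata tests) would turn the vendored test into a gate and would also catch the patch silently ceasing to apply on a future tarball. The two added guards mirror the existing SOdesignation check and the file is a verbatim cherry-pick of upstream f9dc609e onto the 2.39 branch, so the change itself looks right; the remainder of each escape-emitting macro lies outside the hunk, so that 4 is exactly the sequence length cannot be confirmed from here, though it is consistent with the 1–3 byte overflow described in the commit message.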
@@ -0,0 +1,43 @@
+[info]
+name = glibc
+version = 2.39
+type = src
+license = GPL2
+url = https://ftp.gnu.org/gnu/$NAME/$NAME-$VERSION.tar.xz
+sha256 = f77bd47cf8170c57365ae7bf86696c118adb3b120d3259c64c502d3dc1e2d926
+
+[description]
+The GNU C Library - The project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, exit and more.
+
+[download]
+curl -L $URL --output $NAME-$VERSION.tar.xz
+tar xf $NAME-$VERSION.tar.xz
+
+[install]
+# Patch 1 - Some of the Glibc programs use the non-FHS compliant /var/db directory to store their runtime data. Apply the following patch to make such programs store their runtime data in the FHS-compliant locations:
+cp $SOVIET_REPOS_DIR/OUR/base/patch/$NAME-$VERSION-fhs-1.patch
+patch -Np1 -i $NAME-$VERSION-fhs-1.patch
+# Patch 2 - $ix a security vulnerability:
+cp $SOVIET_REPOS_DIR/OUR/base/patch/$NAME-$VERSION-upstream_fix-2.patch
+patch -Np1 -i $NAME-$VERSION-upstream_fix-2.patch
+
+mkdir build
+cd build
+../configure \
+--prefix=/usr \
+--disable-werror \
+--enable-kernel=4.14 \
+--enable-stack-protector=strong \
+--with-headers=/usr/include \
+--disable-nscd \
+--enable-cet
+make $MAKE_FLAGS
+# Fix the Makefile to skip an outdated sanity check that fails with a modern Glibc configuration:
+sed '/test-installation/s@$(PERL)@echo not running@' -i ../Makefile
+make DESTDIR=$BUILD_ROOT install
+# Fix a hardcoded path to the executable loader in the ldd script:
+sed '/RTLDLIST=/s@/usr@@g' -i /usr/bin/ldd
+# add all the locales
+echo 'Installing Locales...'
+make DESTDIR=$BUILD_ROOT localedata/install-locales
+localedef -i C -f UTF-8 C.UTF-8
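Review bot: The post-install fixups at the end of `[install]` act on the build host instead of the staged tree: `sed '/RTLDLIST=/s@/usr@@g' -i /usr/bin/ldd` rewrites the host's own ldd while the packaged copy under `$BUILD_ROOT/usr/bin/ldd` keeps the hardcoded path, and `localedef -i C -f UTF-8 C.UTF-8` likewise compiles into the host's locale directory — a root build step mutating the host's libc files is both a packaging bug and a containment problem, and the preceding `make DESTDIR=$BUILD_ROOT localedata/install-locales` very likely already installs C.UTF-8 from `localedata/SUPPORTED` (verify on the built tree before dropping the line). The two `cp $SOVIET_REPOS_DIR/OUR/base/patch/…` lines have no destination operand and will fail with a stock cp unless the build tool wraps it; the following `patch -Np1 -i $NAME-$VERSION-…patch` expects the file in the current directory, so `cp … .` is what was meant. The comment `# Patch 2 - $ix a security vulnerability:` is garbled and should name the fix so the next maintainer knows when it can be dropped, e.g. `# Patch 2 - Fix CVE-2024-2961 (iconv ISO-2022-CN-EXT out-of-bounds write, upstream f9dc609e):`. Two smaller points, hedged: the `sha256` in `[info]` only protects the build if the tool enforces it before `[download]` runs `tar xf` (if it does not, check it explicitly there), and `license = GPL2` does not match glibc's LGPL-2.1-or-later.
```shell
# … unchanged: [info], [description], [download] …
cp "$SOVIET_REPOS_DIR/OUR/base/patch/$NAME-$VERSION-fhs-1.patch" .
# … unchanged: patch -Np1 for patch 1 …
# Patch 2 - Fix CVE-2024-2961 (iconv ISO-2022-CN-EXT out-of-bounds write, upstream f9dc609e):
cp "$SOVIET_REPOS_DIR/OUR/base/patch/$NAME-$VERSION-upstream_fix-2.patch" .
# … unchanged: configure, make, Makefile sed, DESTDIR install …
# Fix the hardcoded loader path in the *staged* ldd, not the host's:
sed '/RTLDLIST=/s@/usr@@g' -i "$BUILD_ROOT/usr/bin/ldd"
# … unchanged: install-locales (keep the trailing host localedef only if C.UTF-8 is not installed by it) …
```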