From: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu, 31 Mar 2016 12:59:10 +0000 (+0100)
Subject: glibc: Update to version 2.23
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ee62c3f9f4642d6cb2f62a60608639da733a7efd;p=people%2Famarx%2Fipfire-3.x.git

glibc: Update to version 2.23

Requires Linux kernel 3.2 now.

Security related changes:

* An out-of-bounds value in a broken-out struct tm argument to strftime no
  longer causes a crash.  Reported by Adam Nielsen.  (CVE-2015-8776)

* The LD_POINTER_GUARD environment variable can no longer be used to disable
  the pointer guard feature.  It is always enabled.  Previously,
  LD_POINTER_GUARD could be used to disable security hardening in binaries
  running in privileged AT_SECURE mode.  Reported by Hector Marco-Gisbert.
  (CVE-2015-8777)

* An integer overflow in hcreate and hcreate_r could lead to an
  out-of-bounds memory access.  Reported by Szabolcs Nagy.  (CVE-2015-8778)

* The catopen function no longer has unbounded stack usage.  Reported by
  Max.  (CVE-2015-8779)

* The nan, nanf and nanl functions no longer have unbounded stack usage
  depending on the length of the string passed as an argument to the
  functions.  Reported by Joseph Myers.  (CVE-2014-9761)

* A stack-based buffer overflow was found in libresolv when invoked from
  libnss_dns, allowing specially crafted DNS responses to seize control
  of execution flow in the DNS client.  The buffer overflow occurs in
  the functions send_dg (send datagram) and send_vc (send TCP) for the
  NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
  family.  The use of AF_UNSPEC triggers the low-level resolver code to
  send out two parallel queries for A and AAAA.  A mismanagement of the
  buffers used for those queries could result in the response of a query
  writing beyond the alloca allocated buffer created by
  _nss_dns_gethostbyname4_r.  Buffer management is simplified to remove
  the overflow.  Thanks to the Google Security Team and Red Hat for
  reporting the security impact of this issue, and Robert Holiday of
  Ciena for reporting the related bug 18665. (CVE-2015-7547)

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/glibc/glibc.nm b/glibc/glibc.nm
index f55bf5f8f..c0af6945e 100644
--- a/glibc/glibc.nm
+++ b/glibc/glibc.nm
@@ -4,7 +4,7 @@
 ###############################################################################
 
 name       = glibc
-version    = 2.22
+version    = 2.23
 release    = 1
 
 maintainer = Michael Tremer <michael.tremer@ipfire.org>
@@ -28,16 +28,18 @@ sources    = %{thisapp}.tar.xz
 
 build
 	# Optimize glibc for kernel
-	OPTIMIZED_KERNEL = 2.6.32
+	OPTIMIZED_KERNEL = 3.2
 
 	requires
 		audit-devel
 		autoconf
 		automake
+		gcc >= 4.7
 		gettext
 		kernel-headers >= %{OPTIMIZED_KERNEL}
 		libcap-devel
 		libselinux-devel
+		libstdc++-static
 		texinfo
 	end
 
@@ -67,12 +69,11 @@ build
 		# program interpreter to /bin/bash in case another /bin/sh is installed.
 		sed -i 's|@BASH@|/bin/bash|' elf/ldd.bash.in
 
-		# We don't install pt_chown(1) on the final system, so why install it to
-		# $(TOOLS_DIR):
+		# We don't install pt_chown(1) on the final system
 		sed -e "/^install.*pt_chown/d" -i login/Makefile
 
 		# Build nscd with -fstack-protector-all, instead of -fstack-protector:
-		sed -e "s/fstack-protector/&-all/" -i nscd/Makefile
+		sed -e "s/fstack-protector/&-strong/" -i nscd/Makefile
 
 		# Use gnu hash style
 		sed -i Makeconfig \
@@ -186,6 +187,10 @@ packages
 			provides += ld-linux.so.3(GLIBC_2.4)
 			provides += ld-linux.so.3(GLIBC_PRIVATE)
 		end
+
+		conflicts
+			kernel < %{OPTIMIZED_KERNEL}
+		end
 	end
 
 	package glibc-common
diff --git a/glibc/patches/glibc-fedora-pt_chown.patch b/glibc/patches/glibc-fedora-pt_chown.patch
deleted file mode 100644
index f64f44992..000000000
--- a/glibc/patches/glibc-fedora-pt_chown.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From ee3d4021aaaeacff7cf2addcdaa48859fffba2aa Mon Sep 17 00:00:00 2001
-From: Andreas Schwab <schwab@redhat.com>
-Date: Thu, 3 Feb 2011 15:45:02 +0100
-Subject: [PATCH] Replace setuid by file capabilities
-
-* login/programs/pt_chown.c (main): Check for valid file
-descriptor instead of privileges.  Be careful to drop all
-capabilities when not needed.
-
----
- ChangeLog                 |    6 ++++++
- login/programs/pt_chown.c |   14 +++++++++-----
- 3 files changed, 16 insertions(+), 6 deletions(-)
-
---- a/login/programs/pt_chown.c
-+++ b/login/programs/pt_chown.c
-@@ -28,6 +28,7 @@
- #include <string.h>
- #include <sys/stat.h>
- #include <unistd.h>
-+#include <fcntl.h>
- #ifdef HAVE_LIBCAP
- # include <sys/capability.h>
- # include <sys/prctl.h>
-@@ -142,7 +143,7 @@ main (int argc, char *argv[])
-   uid_t uid = getuid ();
-   int remaining;
- 
--  if (argc == 1 && euid == 0)
-+  if (argc == 1 && fcntl (PTY_FILENO, F_GETFD) == 0)
-     {
- #ifdef HAVE_LIBCAP
-   /* Drop privileges.  */
-@@ -175,6 +176,13 @@ main (int argc, char *argv[])
- 
-   /* We aren't going to be using privileges, so drop them right now. */
-   setuid (uid);
-+#ifdef HAVE_LIBCAP
-+  cap_t caps = cap_init ();
-+  if (caps == NULL)
-+    error (1, errno, "cap_init");
-+  cap_set_proc (caps);
-+  cap_free (caps);
-+#endif
- 
-   /* Set locale via LC_ALL.  */
-   setlocale (LC_ALL, "");
-@@ -194,9 +202,5 @@ main (int argc, char *argv[])
-       return EXIT_FAILURE;
-     }
- 
--  /* Check if we are properly installed.  */
--  if (euid != 0)
--    error (FAIL_EXEC, 0, gettext ("needs to be installed setuid `root'"));
--
-   return EXIT_SUCCESS;
- }