glibc: Update to version 2.23

Requires Linux kernel 3.2 now.

Security related changes:

* An out-of-bounds value in a broken-out struct tm argument to strftime no
  longer causes a crash.  Reported by Adam Nielsen.  (CVE-2015-8776)

* The LD_POINTER_GUARD environment variable can no longer be used to disable
  the pointer guard feature.  It is always enabled.  Previously,
  LD_POINTER_GUARD could be used to disable security hardening in binaries
  running in privileged AT_SECURE mode.  Reported by Hector Marco-Gisbert.
  (CVE-2015-8777)

* An integer overflow in hcreate and hcreate_r could lead to an
  out-of-bounds memory access.  Reported by Szabolcs Nagy.  (CVE-2015-8778)

* The catopen function no longer has unbounded stack usage.  Reported by
  Max.  (CVE-2015-8779)

* The nan, nanf and nanl functions no longer have unbounded stack usage
  depending on the length of the string passed as an argument to the
  functions.  Reported by Joseph Myers.  (CVE-2014-9761)

* A stack-based buffer overflow was found in libresolv when invoked from
  libnss_dns, allowing specially crafted DNS responses to seize control
  of execution flow in the DNS client.  The buffer overflow occurs in
  the functions send_dg (send datagram) and send_vc (send TCP) for the
  NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
  family.  The use of AF_UNSPEC triggers the low-level resolver code to
  send out two parallel queries for A and AAAA.  A mismanagement of the
  buffers used for those queries could result in the response of a query
  writing beyond the alloca allocated buffer created by
  _nss_dns_gethostbyname4_r.  Buffer management is simplified to remove
  the overflow.  Thanks to the Google Security Team and Red Hat for
  reporting the security impact of this issue, and Robert Holiday of
  Ciena for reporting the related bug 18665. (CVE-2015-7547)

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/glibc/glibc.nm b/glibc/glibc.nm
index f55bf5f8f38d5e26918f85beb873e271d3695921..c0af6945e79ae547063f7c7dfdfdea9bb0c4eb30 100644 (file)
--- a/glibc/glibc.nm
+++ b/glibc/glibc.nm
@@ -4,7 +4,7 @@
 ###############################################################################
 
 name       = glibc
-version    = 2.22
+version    = 2.23
 release    = 1
 
 maintainer = Michael Tremer <michael.tremer@ipfire.org>
@@ -28,16 +28,18 @@ sources    = %{thisapp}.tar.xz
 
 build
        # Optimize glibc for kernel
-       OPTIMIZED_KERNEL = 2.6.32
+       OPTIMIZED_KERNEL = 3.2
 
        requires
                audit-devel
                autoconf
                automake
+               gcc >= 4.7
                gettext
                kernel-headers >= %{OPTIMIZED_KERNEL}
                libcap-devel
                libselinux-devel
+               libstdc++-static
                texinfo
        end
 
@@ -67,12 +69,11 @@ build
                # program interpreter to /bin/bash in case another /bin/sh is installed.
                sed -i 's|@BASH@|/bin/bash|' elf/ldd.bash.in
 
-               # We don't install pt_chown(1) on the final system, so why install it to
-               # $(TOOLS_DIR):
+               # We don't install pt_chown(1) on the final system
                sed -e "/^install.*pt_chown/d" -i login/Makefile
 
                # Build nscd with -fstack-protector-all, instead of -fstack-protector:
-               sed -e "s/fstack-protector/&-all/" -i nscd/Makefile
+               sed -e "s/fstack-protector/&-strong/" -i nscd/Makefile
 
                # Use gnu hash style
                sed -i Makeconfig \
@@ -186,6 +187,10 @@ packages
                        provides += ld-linux.so.3(GLIBC_2.4)
                        provides += ld-linux.so.3(GLIBC_PRIVATE)
                end
+
+               conflicts
+                       kernel < %{OPTIMIZED_KERNEL}
+               end
        end
 
        package glibc-common

diff --git a/glibc/patches/glibc-fedora-pt_chown.patch b/glibc/patches/glibc-fedora-pt_chown.patch
deleted file mode 100644 (file)
index f64f449..0000000
--- a/glibc/patches/glibc-fedora-pt_chown.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From ee3d4021aaaeacff7cf2addcdaa48859fffba2aa Mon Sep 17 00:00:00 2001
-From: Andreas Schwab <schwab@redhat.com>
-Date: Thu, 3 Feb 2011 15:45:02 +0100
-Subject: [PATCH] Replace setuid by file capabilities
-
-* login/programs/pt_chown.c (main): Check for valid file
-descriptor instead of privileges.  Be careful to drop all
-capabilities when not needed.
-
----
- ChangeLog                 |    6 ++++++
- login/programs/pt_chown.c |   14 +++++++++-----
- 3 files changed, 16 insertions(+), 6 deletions(-)
-
---- a/login/programs/pt_chown.c
-+++ b/login/programs/pt_chown.c
-@@ -28,6 +28,7 @@
- #include <string.h>
- #include <sys/stat.h>
- #include <unistd.h>
-+#include <fcntl.h>
- #ifdef HAVE_LIBCAP
- # include <sys/capability.h>
- # include <sys/prctl.h>
-@@ -142,7 +143,7 @@ main (int argc, char *argv[])
-   uid_t uid = getuid ();
-   int remaining;
- 
--  if (argc == 1 && euid == 0)
-+  if (argc == 1 && fcntl (PTY_FILENO, F_GETFD) == 0)
-     {
- #ifdef HAVE_LIBCAP
-   /* Drop privileges.  */
-@@ -175,6 +176,13 @@ main (int argc, char *argv[])
- 
-   /* We aren't going to be using privileges, so drop them right now. */
-   setuid (uid);
-+#ifdef HAVE_LIBCAP
-+  cap_t caps = cap_init ();
-+  if (caps == NULL)
-+    error (1, errno, "cap_init");
-+  cap_set_proc (caps);
-+  cap_free (caps);
-+#endif
- 
-   /* Set locale via LC_ALL.  */
-   setlocale (LC_ALL, "");
-@@ -194,9 +202,5 @@ main (int argc, char *argv[])
-       return EXIT_FAILURE;
-     }
- 
--  /* Check if we are properly installed.  */
--  if (euid != 0)
--    error (FAIL_EXEC, 0, gettext ("needs to be installed setuid `root'"));
--
-   return EXIT_SUCCESS;
- }