The glibc package does not respect a standard convention to put the
executables in the first output which should be as clear as possible
to anyone seeking to use such executables (e.g. `ldd`). This commit
adds a detailed comment a the top of `common.nix` explaining the
deviation from the convention and how to reference the binaries.
Security: the NEWS claims a couple more CVEs are fixed than what we
patched, though perhaps nothing critical.
I personally don't find DNS fragmentation attacks that interesting
anymore, as it's just about weaker improvements for cases that choose
not to use DNSSEC.
Largest expected caveat: upstream bumped the minimal supportable kernel
to 3.2.0. That's the oldest kernel still supported upstream, released
in Jan 2012, but most notably RHEL 6 and derivates still use a heavily
patched 2.6.32 kernel and those systems are still supported and in use
(production support is scheduled to last till the end of 2020!).
In #28519 / 791ce593ce I made linux
headers be intended to be used from the stage stage, as it would be if
it were a library containing headers and code. I forgot to update glibc,
however, so it was incorrectly using headers for the build platform, not
host platform.
This fixes that, basically reverting a small portion of changes I made a
few months ago in 25edc476fd and its
parent.
No native hashes are changed.
Now it's not an actual archive but a linker script, and the absolute
paths in there were broken due to moving *.a into $static.
Let's fix this up in all *.a in case there are more in future.
This reverts commit 1daf2e26d2, reversing
changes made to c0c50dfcb7.
It seems this is what has been causing all the reliability problems
on Hydra. I'm currently unable to find why it happens, so I'm forced
to revert the update for now. Discussion: #22874.
Enables previously manually disabled stackprotector and stackguard
randomization.
From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511811:
If glibc is built with the --enable-stackguard-randomization option,
each application gets a random canary value (at runtime) from /dev/urandom.
If --enable-stackguard-randomization is absent, applications get a static
canary value of "0xff0a0000". This is very unfortunate, because the
attacker may be able to bypass the stack protection mechanism, by placing
those 4 bytes in the canary word, before the actual canary check is
performed (for example in memcpy-based buffer overflows).
This addresses the following security advisories:
+ CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r
+ CVE-2016-1234: glob: buffer overflow with GLOB_ALTDIRFUNC due to incorrect
NAME_MAX limit assumption
+ CVE-2016-3706: getaddrinfo: stack overflow in hostent conversion
Patches cherry-picked from glibc's release/2.23/master branch.
The "glob-simplify-interface.patch" was a dependency for
"cve-2016-1234.patch".
The following parameters are now available:
* hardeningDisable
To disable specific hardening flags
* hardeningEnable
To enable specific hardening flags
Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.
cc-wrapper supports the following flags:
* fortify
* stackprotector
* pie (disabled by default)
* pic
* strictoverflow
* format
* relro
* bindnow
The importance of glibc makes it worthwhile to provide debug
symbols. However, this revealed an issue with separateDebugInfo: it
was indiscriminately adding --build-id to all ld invocations, while in
fact it should only do that for final links. Glibc also uses non-final
("relocatable") links, leading to subsequent failure to apply a build
ID ("Cannot create .note.gnu.build-id section, --build-id
ignored"). So now ld-wrapper.sh only passes --build-id for final
links.
The glibc DNS client side resolver is vulnerable to a stack-based buffer
overflow when the getaddrinfo() library function is used. Software using
this function may be exploited with attacker-controlled domain names,
attacker-controlled DNS servers, or through a man-in-the-middle attack.
https://googleonlinesecurity.blogspot.co.uk/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
The most complex problems were from dealing with switches reverted in
the meantime (gcc5, gmp6, ncurses6).
It's likely that darwin is (still) broken nontrivially.
Fixes CVE-2014-8121, CVE-2015-1781 and two unnumbered problems (apparently).
All these commits should be contained in the 2.22 release,
but we don't want that yet due to unresolved locale incompatibilites.
Until now, if e.g. the user passed "en_US.UTF-8" instead of "en_US.UTF-8/UTF-8",
the locales would be generated without failing but wouldn't work well.
Now we guard against such mistakes. Real life examples:
https://github.com/fish-shell/fish-shell/issues/1927
It used to be a symlink, but now it is a link script. It's crucial to get
proper linking, specially on amrv5tel, where libgcc contains lot of code
related to the limited instruction set of the platform.
Without this fix, g++ shared lib linking was broken, because a "-lgcc" was
not propagated wherever "-lgcc_s" was required. The g++ spec only mentions
"-lgcc_s" and the "-lgcc" is introduced with the libgcc_s.so link script,
only available in the glibc path after this fix.
As a reminder, we put libgcc* in the glibc output to avoid having a
runtime dependency on the gcc path only because of the everywhere linked
libgcc. This problem was specially visible in platforms like armv5tel,
where most programs end up linked to libgcc. Platforms with a more rich
instruction set may rarely end up requiring a link to libgcc.
Now development stuff is propagated from the first output,
and userEnvPkgs from the one with binaries.
Also don't move *.la files (yet). It causes problems, and they're small.
- there were many easy merge conflicts
- cc-wrapper needed nontrivial changes
Many other problems might've been created by interaction of the branches,
but stdenv and a few other packages build fine now.
This prevents failures like "libgcc_s.so.1 must be installed for
pthread_cancel to work" that occur because Glibc assumes libgcc_s.so.1
to be in Glibc's libdir.
This solution is pretty hacky, because the libgcc_s.so.1 from
bootstrap-tools might be too old. So if we update GCC, programs might
end up using an outdated libgcc_s.so.1. Ideally, we would build
libgcc_s.so.1 *before* Glibc, which might not be impossible...
Fixes#3548.