1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-12-04 19:45:54 +00:00
Commit graph

207 commits

Author SHA1 Message Date
rnhmjoj 8fcc92fc69
glibc: fix unaligned __tls_get_addr issue 2017-07-06 13:51:50 +02:00
Franz Pletz 7cfd1c8c1b
glibc: fix i686 build 2017-06-26 02:19:08 +02:00
Franz Pletz 2296bf394e
glibc: patch CVE-2017-1000366 (stack clash) 2017-06-22 00:44:35 +02:00
John Ericson 25edc476fd glibc: Simplify derivation further
No native hashes should be changed with this commit
default.nix's cross hash should also not be changed
2017-05-20 22:17:28 -04:00
John Ericson 7e096024d7 glibc: Fix for cross 2017-05-19 18:44:24 -04:00
John Ericson 8328e3d3a6 glibc: Remove hack around long-fixed bug
https://sourceware.org/bugzilla/show_bug.cgi?id=411 was solved in 2012.
2017-04-25 21:43:15 -04:00
Vladimír Čunát e47ac55a21
glibc: apply the i686 patch only on i686
... to reduce rebuilding. /cc #23177.
2017-04-10 11:18:50 +02:00
Vladimír Čunát c30b12b9a5
glibc: fix i686 crashes via an upstream patch
Fixes #23177.
2017-04-10 11:13:00 +02:00
Vladimír Čunát 4b7215368a
glibc: fixup libm.a
Now it's not an actual archive but a linker script, and the absolute
paths in there were broken due to moving *.a into $static.
Let's fix this up in all *.a in case there are more in future.
2017-02-21 14:19:07 +01:00
Vladimír Čunát 09d02f72f6
Re-revert "Merge: glibc: 2.24 -> 2.25"
This reverts commit 55cc7700e9.
I hope most problems have been solved.  /cc #22874.
2017-02-20 21:16:41 +01:00
Vladimír Čunát 55cc7700e9
Revert "Merge: glibc: 2.24 -> 2.25"
This reverts commit 1daf2e26d2, reversing
changes made to c0c50dfcb7.

It seems this is what has been causing all the reliability problems
on Hydra.  I'm currently unable to find why it happens, so I'm forced
to revert the update for now.  Discussion: #22874.
2017-02-16 18:16:06 +01:00
Vladimír Čunát 1daf2e26d2
Merge: glibc: 2.24 -> 2.25 2017-02-13 22:14:15 +01:00
Vladimír Čunát a01f8a4c38
glibc: security 2.24 -> 2.25
https://sourceware.org/ml/libc-alpha/2017-02/msg00079.html

Stripping was failing on libm.a; I don't know why.
2017-02-11 22:14:49 +01:00
Tuomas Tynkkynen 41fd1ed903 glibc: Check that 'cross.float' is defined
Because if we define it, then gcc compilation fails because it doesn't
support --with-float for aarch64.
2017-01-24 22:13:47 +02:00
Franz Pletz 3ba99f83a7
glibc: enable stackprotection hardening
Enables previously manually disabled stackprotector and stackguard
randomization.

From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511811:

    If glibc is built with the --enable-stackguard-randomization option,
    each application gets a random canary value (at runtime) from /dev/urandom.
    If --enable-stackguard-randomization is absent, applications get a static
    canary value of "0xff0a0000". This is very unfortunate, because the
    attacker may be able to bypass the stack protection mechanism, by placing
    those 4 bytes in the canary word, before the actual canary check is
    performed (for example in memcpy-based buffer overflows).
2016-09-12 02:36:11 +02:00
Tuomas Tynkkynen 73f1ade407 glibc_multi: Reference dev outputs of glibc 2016-08-30 15:18:51 +03:00
Tuomas Tynkkynen 040fadf345 glibc_multi: Fix unnoticed output shuffle 2016-08-29 14:49:53 +03:00
Tuomas Tynkkynen e065baafba glibc: Make one exception for output order
Usages like '${stdenv.cc.libc}/lib/ld-linux-x86-64.so.2' are much more
common than the bin output.
2016-08-29 14:49:52 +03:00
Tuomas Tynkkynen a17216af4c treewide: Shuffle outputs
Make either 'bin' or 'out' the first output.
2016-08-29 14:49:51 +03:00
Robin Gloster e17bc25943
Merge remote-tracking branch 'upstream/master' into staging 2016-08-29 00:24:47 +00:00
Tuomas Tynkkynen d1c7eb8098 glibc: Uncomment 'meta.platforms' 2016-08-28 18:04:09 +03:00
obadz 24a9183f90 Merge branch 'hardened-stdenv' into staging
Closes #12895

Amazing work by @globin & @fpletz getting hardened compiler flags by
enabled default on the whole package set
2016-08-22 01:19:35 +01:00
obadz b092538811 Revert "glibc: add patch to fix segfault in forkpty"
This reverts commit 1747d28e5a.

Was fixed upstream in glibc 2.24
2016-08-20 22:39:05 +01:00
obadz 3e03db11b7 glibc: fixup, that should have been $bin not $out 2016-08-19 15:23:56 +01:00
obadz a7bfa77787 glibc: remove sln from bin, not sbin 2016-08-19 15:20:46 +01:00
obadz 9744c7768d glibc: 2.23 -> 2.24
- Removed patches that were merged upstream
- Removed --localdir from configureFlags as according to
  https://sourceware.org/bugzilla/show_bug.cgi?id=14259
  it was unused before
2016-08-19 15:05:41 +01:00
Robin Gloster 1747d28e5a glibc: add patch to fix segfault in forkpty 2016-08-16 07:52:03 +00:00
Robin Gloster 5185bc1773 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-15 14:41:01 +00:00
Vladimír Čunát 91c1317272 glibc: fixup retaining bootstrap-tools reference
https://github.com/NixOS/nixpkgs/pull/15867#issuecomment-227949096
2016-06-23 12:11:21 +02:00
Eric Litak 251c97adee fix brace warnings in glibc 2016-05-31 16:28:05 -07:00
Eric Litak e8ca9dca53 manual strip broke crossDrv. no clue why it was ever added; should be automatic 2016-05-31 16:27:24 -07:00
Eric Litak 44ae9a3c0a reorganize crossDrv hooks 2016-05-31 16:27:24 -07:00
Eric Litak 0265285b96 moving builder.sh hooks into nix 2016-05-31 09:33:32 -07:00
Franz Pletz f8d481754c
Merge remote-tracking branch 'origin/master' into hardened-stdenv 2016-05-18 17:10:02 +02:00
Scott R. Parish 64f5845418 glibc: patch 2.23 for CVE-2016-3075, CVE-2016-1234, CVE-2016-3706
This addresses the following security advisories:

+ CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r
+ CVE-2016-1234: glob: buffer overflow with GLOB_ALTDIRFUNC due to incorrect
                 NAME_MAX limit assumption
+ CVE-2016-3706: getaddrinfo: stack overflow in hostent conversion

Patches cherry-picked from glibc's release/2.23/master branch.

The "glob-simplify-interface.patch" was a dependency for
"cve-2016-1234.patch".
2016-05-13 23:47:17 -07:00
Robin Gloster d020caa5b2 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-04-18 13:49:22 +00:00
Vladimír Čunát ab15a62c68 Merge branch 'master' into closure-size
Beware that stdenv doesn't build. It seems something more will be needed
than just resolution of merge conflicts.
2016-04-01 10:06:01 +02:00
Robin Gloster f60c9df0ba Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-03-28 15:16:29 +00:00
Vladimír Čunát 09af15654f Merge master into closure-size
The kde-5 stuff still didn't merge well.
I hand-fixed what I saw, but there may be more problems.
2016-03-08 09:58:19 +01:00
Franz Pletz 034b2ec2ed glibc: stackprotector is already disabled in default.nix
This overwrites the hardeningDisable attribute and removes disabling the
fortify flag.
2016-03-05 19:47:04 +01:00
Franz Pletz aff1f4ab94 Use general hardening flag toggle lists
The following parameters are now available:

  * hardeningDisable
    To disable specific hardening flags
  * hardeningEnable
    To enable specific hardening flags

Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.

cc-wrapper supports the following flags:

  * fortify
  * stackprotector
  * pie (disabled by default)
  * pic
  * strictoverflow
  * format
  * relro
  * bindnow
2016-03-05 18:55:26 +01:00
Eelco Dolstra d5bb6a1f9c glibc: Enable separate debug symbols
The importance of glibc makes it worthwhile to provide debug
symbols. However, this revealed an issue with separateDebugInfo: it
was indiscriminately adding --build-id to all ld invocations, while in
fact it should only do that for final links. Glibc also uses non-final
("relocatable") links, leading to subsequent failure to apply a build
ID ("Cannot create .note.gnu.build-id section, --build-id
ignored"). So now ld-wrapper.sh only passes --build-id for final
links.
2016-02-28 02:57:37 +01:00
Robin Gloster 83bf03e1a3 glibc: disable stackprotector hardening 2016-02-27 08:20:53 +00:00
Robin Gloster 3477e662e6 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-02-27 00:08:08 +00:00
Vladimír Čunát 59617de6d7 glibc: 2.22 -> 2.23
The two patches were included upstream.
(Even the one from guix, except for a whitespace difference.)
2016-02-21 10:31:14 +01:00
Robin Gloster bc21db3692 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-02-19 21:16:14 +00:00
Eelco Dolstra 1ab14aad7a glibc: Drop hurd support
This hasn't been maintained since 2012.

Also, renamed glibc's kernelHeaders argument to linuxHeaders.
2016-02-18 21:11:15 +01:00
Eelco Dolstra f98a5946b7 glibc: 2.21 -> 2.22 2016-02-18 20:54:52 +01:00
Nathan Zadoks fc48bf5a2c glibc: fix cve-2015-7547.patch so it applies cleanly 2016-02-16 17:23:35 +01:00
Nathan Zadoks b5aa8a4e64 glibc: patch CVE-2015-7547
The glibc DNS client side resolver is vulnerable to a stack-based buffer
overflow when the getaddrinfo() library function is used. Software using
this function may be exploited with attacker-controlled domain names,
attacker-controlled DNS servers, or through a man-in-the-middle attack.
https://googleonlinesecurity.blogspot.co.uk/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
2016-02-16 16:15:07 +01:00