Commit graph

269 commits

Author SHA1 Message Date
Vladimír Čunát
a139613983
glibc: maintenance 2.26-75 -> 2.26-115 2017-12-20 15:31:13 +01:00
Orivej Desh
035b589245 glibc: support obsolete "compat" in nsswitch.conf
Fixes #31700. See https://bugs.archlinux.org/task/54592.
2017-11-17 06:37:25 +00:00
Ilya Kolpakov
e4afe8fc6c glibc: comments on bin not being the first output
The glibc package does not respect a standard convention to put the
executables in the first output which should be as clear as possible
to anyone seeking to use such executables (e.g. `ldd`). This commit
adds a detailed comment a the top of `common.nix` explaining the
deviation from the convention and how to reference the binaries.
2017-11-06 16:47:30 +01:00
Vladimír Čunát
9bb67d5c1e
glibc: 2.25-49 -> 2.26-75
Security: the NEWS claims a couple more CVEs are fixed than what we
patched, though perhaps nothing critical.

I personally don't find DNS fragmentation attacks that interesting
anymore, as it's just about weaker improvements for cases that choose
not to use DNSSEC.

Largest expected caveat: upstream bumped the minimal supportable kernel
to 3.2.0.  That's the oldest kernel still supported upstream, released
in Jan 2012, but most notably RHEL 6 and derivates still use a heavily
patched 2.6.32 kernel and those systems are still supported and in use
(production support is scheduled to last till the end of 2020!).
2017-11-05 19:10:42 +01:00
John Ericson
8bfb247224 glibc: Grab the right linux headers when build != host
In #28519 / 791ce593ce I made linux
headers be intended to be used from the stage stage, as it would be if
it were a library containing headers and code. I forgot to update glibc,
however, so it was incorrectly using headers for the build platform, not
host platform.

This fixes that, basically reverting a small portion of changes I made a
few months ago in 25edc476fd and its
parent.

No native hashes are changed.
2017-09-20 20:57:41 -04:00
Vladimír Čunát
0c660ad42f
Merge #28906: glibc: 2.25 -> 2.25-49 (upstream patches) 2017-09-07 08:19:40 +02:00
Orivej Desh
7803d69b78 nixos: update glibc locales link 2017-09-03 18:00:35 +00:00
Vladimír Čunát
bdfc989bba
glibc: remove a fixup; not needed since glibc-2.22 2017-09-02 17:22:37 +02:00
Vladimír Čunát
0f91a1dbd7
glibc: remove patch with blowfish support 2017-09-02 17:22:37 +02:00
Vladimír Čunát
51cf42ad0d
glibc: 2.25 -> 2.25-49
Various fixes within, e.g. mutexes deadlocking sometimes.
https://sourceware.org/git/?p=glibc.git;a=blob;f=NEWS;h=f7057710f14d6c
2017-09-02 17:22:36 +02:00
Tuomas Tynkkynen
f9b2d7b4dd Revert "binutils: 2.28 -> 2.29"
This reverts commit 733e20fee4.

Downgrading to 2.28.1, 2.29 is too buggy.
2017-08-17 18:37:04 +03:00
Tim Steinbach
733e20fee4
binutils: 2.28 -> 2.29
Binutils 2.29 no longer allows .semver symbols, which is why
we need to patch glibc to avoid them
2017-07-29 13:23:59 -04:00
rnhmjoj
8fcc92fc69
glibc: fix unaligned __tls_get_addr issue 2017-07-06 13:51:50 +02:00
Franz Pletz
7cfd1c8c1b
glibc: fix i686 build 2017-06-26 02:19:08 +02:00
Franz Pletz
2296bf394e
glibc: patch CVE-2017-1000366 (stack clash) 2017-06-22 00:44:35 +02:00
John Ericson
25edc476fd glibc: Simplify derivation further
No native hashes should be changed with this commit
default.nix's cross hash should also not be changed
2017-05-20 22:17:28 -04:00
John Ericson
7e096024d7 glibc: Fix for cross 2017-05-19 18:44:24 -04:00
John Ericson
8328e3d3a6 glibc: Remove hack around long-fixed bug
https://sourceware.org/bugzilla/show_bug.cgi?id=411 was solved in 2012.
2017-04-25 21:43:15 -04:00
Vladimír Čunát
e47ac55a21
glibc: apply the i686 patch only on i686
... to reduce rebuilding. /cc #23177.
2017-04-10 11:18:50 +02:00
Vladimír Čunát
c30b12b9a5
glibc: fix i686 crashes via an upstream patch
Fixes #23177.
2017-04-10 11:13:00 +02:00
Vladimír Čunát
4b7215368a
glibc: fixup libm.a
Now it's not an actual archive but a linker script, and the absolute
paths in there were broken due to moving *.a into $static.
Let's fix this up in all *.a in case there are more in future.
2017-02-21 14:19:07 +01:00
Vladimír Čunát
09d02f72f6
Re-revert "Merge: glibc: 2.24 -> 2.25"
This reverts commit 55cc7700e9.
I hope most problems have been solved.  /cc #22874.
2017-02-20 21:16:41 +01:00
Vladimír Čunát
55cc7700e9
Revert "Merge: glibc: 2.24 -> 2.25"
This reverts commit 1daf2e26d2, reversing
changes made to c0c50dfcb7.

It seems this is what has been causing all the reliability problems
on Hydra.  I'm currently unable to find why it happens, so I'm forced
to revert the update for now.  Discussion: #22874.
2017-02-16 18:16:06 +01:00
Vladimír Čunát
1daf2e26d2
Merge: glibc: 2.24 -> 2.25 2017-02-13 22:14:15 +01:00
Vladimír Čunát
a01f8a4c38
glibc: security 2.24 -> 2.25
https://sourceware.org/ml/libc-alpha/2017-02/msg00079.html

Stripping was failing on libm.a; I don't know why.
2017-02-11 22:14:49 +01:00
Tuomas Tynkkynen
41fd1ed903 glibc: Check that 'cross.float' is defined
Because if we define it, then gcc compilation fails because it doesn't
support --with-float for aarch64.
2017-01-24 22:13:47 +02:00
Franz Pletz
3ba99f83a7
glibc: enable stackprotection hardening
Enables previously manually disabled stackprotector and stackguard
randomization.

From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511811:

    If glibc is built with the --enable-stackguard-randomization option,
    each application gets a random canary value (at runtime) from /dev/urandom.
    If --enable-stackguard-randomization is absent, applications get a static
    canary value of "0xff0a0000". This is very unfortunate, because the
    attacker may be able to bypass the stack protection mechanism, by placing
    those 4 bytes in the canary word, before the actual canary check is
    performed (for example in memcpy-based buffer overflows).
2016-09-12 02:36:11 +02:00
Tuomas Tynkkynen
73f1ade407 glibc_multi: Reference dev outputs of glibc 2016-08-30 15:18:51 +03:00
Tuomas Tynkkynen
040fadf345 glibc_multi: Fix unnoticed output shuffle 2016-08-29 14:49:53 +03:00
Tuomas Tynkkynen
e065baafba glibc: Make one exception for output order
Usages like '${stdenv.cc.libc}/lib/ld-linux-x86-64.so.2' are much more
common than the bin output.
2016-08-29 14:49:52 +03:00
Tuomas Tynkkynen
a17216af4c treewide: Shuffle outputs
Make either 'bin' or 'out' the first output.
2016-08-29 14:49:51 +03:00
Robin Gloster
e17bc25943
Merge remote-tracking branch 'upstream/master' into staging 2016-08-29 00:24:47 +00:00
Tuomas Tynkkynen
d1c7eb8098 glibc: Uncomment 'meta.platforms' 2016-08-28 18:04:09 +03:00
obadz
24a9183f90 Merge branch 'hardened-stdenv' into staging
Closes #12895

Amazing work by @globin & @fpletz getting hardened compiler flags by
enabled default on the whole package set
2016-08-22 01:19:35 +01:00
obadz
b092538811 Revert "glibc: add patch to fix segfault in forkpty"
This reverts commit 1747d28e5a.

Was fixed upstream in glibc 2.24
2016-08-20 22:39:05 +01:00
obadz
3e03db11b7 glibc: fixup, that should have been $bin not $out 2016-08-19 15:23:56 +01:00
obadz
a7bfa77787 glibc: remove sln from bin, not sbin 2016-08-19 15:20:46 +01:00
obadz
9744c7768d glibc: 2.23 -> 2.24
- Removed patches that were merged upstream
- Removed --localdir from configureFlags as according to
  https://sourceware.org/bugzilla/show_bug.cgi?id=14259
  it was unused before
2016-08-19 15:05:41 +01:00
Robin Gloster
1747d28e5a glibc: add patch to fix segfault in forkpty 2016-08-16 07:52:03 +00:00
Robin Gloster
5185bc1773 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-15 14:41:01 +00:00
Vladimír Čunát
91c1317272 glibc: fixup retaining bootstrap-tools reference
https://github.com/NixOS/nixpkgs/pull/15867#issuecomment-227949096
2016-06-23 12:11:21 +02:00
Eric Litak
251c97adee fix brace warnings in glibc 2016-05-31 16:28:05 -07:00
Eric Litak
e8ca9dca53 manual strip broke crossDrv. no clue why it was ever added; should be automatic 2016-05-31 16:27:24 -07:00
Eric Litak
44ae9a3c0a reorganize crossDrv hooks 2016-05-31 16:27:24 -07:00
Eric Litak
0265285b96 moving builder.sh hooks into nix 2016-05-31 09:33:32 -07:00
Franz Pletz
f8d481754c
Merge remote-tracking branch 'origin/master' into hardened-stdenv 2016-05-18 17:10:02 +02:00
Scott R. Parish
64f5845418 glibc: patch 2.23 for CVE-2016-3075, CVE-2016-1234, CVE-2016-3706
This addresses the following security advisories:

+ CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r
+ CVE-2016-1234: glob: buffer overflow with GLOB_ALTDIRFUNC due to incorrect
                 NAME_MAX limit assumption
+ CVE-2016-3706: getaddrinfo: stack overflow in hostent conversion

Patches cherry-picked from glibc's release/2.23/master branch.

The "glob-simplify-interface.patch" was a dependency for
"cve-2016-1234.patch".
2016-05-13 23:47:17 -07:00
Robin Gloster
d020caa5b2 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-04-18 13:49:22 +00:00
Vladimír Čunát
ab15a62c68 Merge branch 'master' into closure-size
Beware that stdenv doesn't build. It seems something more will be needed
than just resolution of merge conflicts.
2016-04-01 10:06:01 +02:00
Robin Gloster
f60c9df0ba Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-03-28 15:16:29 +00:00
Vladimír Čunát
09af15654f Merge master into closure-size
The kde-5 stuff still didn't merge well.
I hand-fixed what I saw, but there may be more problems.
2016-03-08 09:58:19 +01:00
Franz Pletz
034b2ec2ed glibc: stackprotector is already disabled in default.nix
This overwrites the hardeningDisable attribute and removes disabling the
fortify flag.
2016-03-05 19:47:04 +01:00
Franz Pletz
aff1f4ab94 Use general hardening flag toggle lists
The following parameters are now available:

  * hardeningDisable
    To disable specific hardening flags
  * hardeningEnable
    To enable specific hardening flags

Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.

cc-wrapper supports the following flags:

  * fortify
  * stackprotector
  * pie (disabled by default)
  * pic
  * strictoverflow
  * format
  * relro
  * bindnow
2016-03-05 18:55:26 +01:00
Eelco Dolstra
d5bb6a1f9c glibc: Enable separate debug symbols
The importance of glibc makes it worthwhile to provide debug
symbols. However, this revealed an issue with separateDebugInfo: it
was indiscriminately adding --build-id to all ld invocations, while in
fact it should only do that for final links. Glibc also uses non-final
("relocatable") links, leading to subsequent failure to apply a build
ID ("Cannot create .note.gnu.build-id section, --build-id
ignored"). So now ld-wrapper.sh only passes --build-id for final
links.
2016-02-28 02:57:37 +01:00
Robin Gloster
83bf03e1a3 glibc: disable stackprotector hardening 2016-02-27 08:20:53 +00:00
Robin Gloster
3477e662e6 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-02-27 00:08:08 +00:00
Vladimír Čunát
59617de6d7 glibc: 2.22 -> 2.23
The two patches were included upstream.
(Even the one from guix, except for a whitespace difference.)
2016-02-21 10:31:14 +01:00
Robin Gloster
bc21db3692 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-02-19 21:16:14 +00:00
Eelco Dolstra
1ab14aad7a glibc: Drop hurd support
This hasn't been maintained since 2012.

Also, renamed glibc's kernelHeaders argument to linuxHeaders.
2016-02-18 21:11:15 +01:00
Eelco Dolstra
f98a5946b7 glibc: 2.21 -> 2.22 2016-02-18 20:54:52 +01:00
Nathan Zadoks
fc48bf5a2c glibc: fix cve-2015-7547.patch so it applies cleanly 2016-02-16 17:23:35 +01:00
Nathan Zadoks
b5aa8a4e64 glibc: patch CVE-2015-7547
The glibc DNS client side resolver is vulnerable to a stack-based buffer
overflow when the getaddrinfo() library function is used. Software using
this function may be exploited with attacker-controlled domain names,
attacker-controlled DNS servers, or through a man-in-the-middle attack.
https://googleonlinesecurity.blogspot.co.uk/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
2016-02-16 16:15:07 +01:00
Robin Gloster
f6d3b7a2ae switch hardening flags 2016-01-30 16:36:57 +00:00
Franz Pletz
954e9903ad Use a hardened stdenv by default 2016-01-30 16:36:57 +00:00
Vladimír Čunát
f9f6f41bff Merge branch 'master' into closure-size
TODO: there was more significant refactoring of qtbase and plasma 5.5
on master, and I'm deferring pointing to correct outputs to later.
2015-12-31 09:53:02 +01:00
Vladimír Čunát
244f985461 glibc-multi: fix with multiple outputs 2015-12-05 17:40:37 +01:00
Vladimír Čunát
fb3c062e54 glibc-info: fix #11476 build with multiple outputs 2015-12-05 08:59:30 +01:00
Eelco Dolstra
6a766f47c2 glibc: Fix assertion failure when using incompatible locale data
Borrowed from

  http://git.savannah.gnu.org/cgit/guix.git/plain/gnu/packages/patches/glibc-locale-incompatibility.patch

https://github.com/NixOS/nix/issues/599

We may also want to apply

  http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/patches/glibc-versioned-locpath.patch

but we'll need to ditch locale-archive first. (Apparently
locale-archive is not very useful anymore anyway.)
2015-12-02 11:27:39 +01:00
Vladimír Čunát
333d69a5f0 Merge staging into closure-size
The most complex problems were from dealing with switches reverted in
the meantime (gcc5, gmp6, ncurses6).
It's likely that darwin is (still) broken nontrivially.
2015-11-20 14:32:58 +01:00
Nikolay Amiantov
8db98ceb01 glibc_multi: fix ldd for 64-bit ELFs 2015-10-07 16:46:26 +03:00
Nikolay Amiantov
1283e3da5d glibc_multi: fix ldd for 64-bit ELFs 2015-10-07 15:44:12 +03:00
Vladimír Čunát
5227fb1dd5 Merge commit staging+systemd into closure-size
Many non-conflict problems weren't (fully) resolved in this commit yet.
2015-10-03 13:33:37 +02:00
Vladimír Čunát
1fbbeff0c1 glibc: apply four security fixes from upstream
Fixes CVE-2014-8121, CVE-2015-1781 and two unnumbered problems (apparently).
All these commits should be contained in the 2.22 release,
but we don't want that yet due to unresolved locale incompatibilites.
2015-08-18 20:58:39 +02:00
Vladimír Čunát
eb4a88d8fd glibc-locales: check that all we build is supported
Until now, if e.g. the user passed "en_US.UTF-8" instead of "en_US.UTF-8/UTF-8",
the locales would be generated without failing but wouldn't work well.
Now we guard against such mistakes. Real life examples:
https://github.com/fish-shell/fish-shell/issues/1927
2015-07-31 15:39:52 +02:00
Vladimír Čunát
f83d12a382 Merge 'master' into staging 2015-05-24 20:39:58 +02:00
Marco Schlumpp
a88c5a8037 glibc: fixed a warning caused by nix-locale-archive.patch
If a function shouldn't accept any parameters, use "(void)" instead of "()".
Close #7843. Vcunat purged unimportant changes from this commit.
2015-05-15 11:14:50 +02:00
Eric Seidel
662a6b1ca6 remove all references to stdenv.cc.cc.is{GNU,Clang}
use the new `stdenv.cc.is{GNU,Clang}` instead, which will always be
defined.
2015-05-11 14:44:50 -07:00
Vladimír Čunát
375bc8def7 Merge staging into closure-size 2015-05-05 11:49:03 +02:00
Lluís Batlle i Rossell
51b1297c8a glibc: fix libgcc_s.so
It used to be a symlink, but now it is a link script. It's crucial to get
proper linking, specially on amrv5tel, where libgcc contains lot of code
related to the limited instruction set of the platform.

Without this fix, g++ shared lib linking was broken, because a "-lgcc" was
not propagated wherever "-lgcc_s" was required. The g++ spec only mentions
"-lgcc_s" and the "-lgcc" is introduced with the libgcc_s.so link script,
only available in the glibc path after this fix.

As a reminder, we put libgcc* in the glibc output to avoid having a
runtime dependency on the gcc path only because of the everywhere linked
libgcc. This problem was specially visible in platforms like armv5tel,
where most programs end up linked to libgcc. Platforms with a more rich
instruction set may rarely end up requiring a link to libgcc.
2015-04-29 10:09:07 +02:00
Vladimír Čunát
a56da607b1 glibcLocales: fix evaluation and build with outputs 2015-04-21 09:02:41 +02:00
Vladimír Čunát
d484c392aa stdenv multiple-outputs: change propagation rules
Now development stuff is propagated from the first output,
and userEnvPkgs from the one with binaries.

Also don't move *.la files (yet). It causes problems, and they're small.
2015-04-18 19:30:28 +02:00
Vladimír Čunát
bf414c9d4f Merge 'staging' into closure-size
- there were many easy merge conflicts
- cc-wrapper needed nontrivial changes

Many other problems might've been created by interaction of the branches,
but stdenv and a few other packages build fine now.
2015-04-18 11:22:20 +02:00
Vladimír Čunát
596bf235b6 glibc: security fix CVE-2014-8121, fixes #7207 2015-04-09 20:42:35 +02:00
Vladimír Čunát
54fc2db1b8 glibc: update 2.20 -> 2.21, including security fixes
Fixes #6578.
https://sourceware.org/ml/libc-alpha/2015-02/msg00119.html

- I had to disable one warning-error type.
- One of our patches needed modification - it seemed that just the context
  changed without affecting the purpose of the patch.
2015-03-03 11:31:01 +01:00
Vladimír Čunát
3d9e9f6571 glibc: fix -lgcc_s linking
https://github.com/NixOS/nixpkgs/commit/65221567c12eb20d12#commitcomment-9515597
2015-02-22 20:01:03 +01:00
Ambroz Bizjak
e191e227d2 glibc: Disable copying libgcc when cross compiling.
It seems this is only needed for native bootstrapping.
2015-02-05 21:25:40 +01:00
Peter Simons
ec6b82a0c2 Merge branch 'master' into staging. 2015-01-19 18:41:17 +01:00
Michael Raskin
c163baca3b Clean up glibcLocales environment handling -- manual merge of patch by wmertens (except Haskell part) 2015-01-19 11:06:11 +03:00
Eric Seidel
f3c6827373 rename all occurrences of stdenv.cc.gcc to stdenv.cc.cc 2015-01-14 20:27:55 -08:00
Shea Levy
16fe4be790 Add isGNU attribute to gccs 2015-01-14 20:26:57 -08:00
Ludovic Courtès
41b53577a8 unmaintain a bunch of packages 2015-01-13 22:33:49 +01:00
John Wiegley
28b6fb61e6 Change occurrences of gcc to the more general cc
This is done for the sake of Yosemite, which does not have gcc, and yet
this change is also compatible with Linux.
2014-12-26 11:06:21 -06:00
Emery Hemingway
be2060f1e7 glibc_multi: fix package name (close #5284)
"multi" should be between the "glibc" and the version
2014-12-10 18:31:31 +01:00
Vladimír Čunát
975a822778 glibc: improve nscd version check after e316672dcb 2014-11-11 11:06:57 +01:00
Eelco Dolstra
65221567c1 glibc: Include a copy of libgcc_s.so.1
This prevents failures like "libgcc_s.so.1 must be installed for
pthread_cancel to work" that occur because Glibc assumes libgcc_s.so.1
to be in Glibc's libdir.

This solution is pretty hacky, because the libgcc_s.so.1 from
bootstrap-tools might be too old. So if we update GCC, programs might
end up using an outdated libgcc_s.so.1. Ideally, we would build
libgcc_s.so.1 *before* Glibc, which might not be impossible...

Fixes #3548.
2014-11-11 10:23:26 +01:00
Eelco Dolstra
dac591aae6 glibc: Update to 2.20 2014-10-29 17:54:47 +01:00
Eelco Dolstra
1b55b07eeb glibc/2.19 -> glibc
We only have one version of Glibc so no need for a separate directory.
2014-10-29 13:42:59 +01:00
Vladimír Čunát
e316672dcb glibc: put back the nscd check, by $out instead of date
I don't know why they feel they need to check the compatibility by build date,
so I would keep check against $out, which is a better nix equivalent.

Also, expression refactoring (put comments out of hash-changing bash).
2014-09-13 14:06:27 +02:00
Alexander Kjeldaas
dd673de2a7 glibc: make compilation more pure
Remove datetime from nscd.
2014-09-13 13:53:43 +02:00
Vladimír Čunát
8da52a642a Merge branch 'staging' into v/modular
Conflicts (easy):
	pkgs/development/interpreters/perl/5.10/setup-hook.sh
	pkgs/development/interpreters/perl/5.8/setup-hook.sh
	pkgs/development/libraries/gtk+/2.x.nix
2014-08-31 12:23:18 +02:00