commit: 40e9148878625744846c752e0bcb33278455fe1e Author: Mike Frysinger <vapier <AT> gentoo <DOT> org> AuthorDate: Sat Mar 14 08:19:02 2015 +0000 Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org> CommitDate: Sat Mar 14 08:19:02 2015 +0000 URL: https://gitweb.gentoo.org/proj/toolchain.git/commit/?id=40e91488
glibc: move old versions from main tree sys-libs/glibc/Manifest | 18 ++ .../glibc/files/2.10/glibc-2.10-gentoo-chk_fail.c | 315 +++++++++++++++++++++ .../glibc-2.10-hardened-configure-picdefault.patch | 30 ++ .../glibc-2.10-hardened-inittls-nosysenter.patch | 274 ++++++++++++++++++ .../2.10/glibc-2.10-hardened-ssp-compat.patch | 168 +++++++++++ .../glibc/files/2.11/glibc-2.11-hardened-pie.patch | 40 +++ .../glibc/files/2.12/glibc-2.12-hardened-pie.patch | 39 +++ sys-libs/glibc/glibc-2.10.1-r1.ebuild | 203 +++++++++++++ sys-libs/glibc/glibc-2.11.3.ebuild | 206 ++++++++++++++ sys-libs/glibc/glibc-2.12.1-r3.ebuild | 220 ++++++++++++++ sys-libs/glibc/glibc-2.12.2.ebuild | 220 ++++++++++++++ sys-libs/glibc/glibc-2.14.ebuild | 242 ++++++++++++++++ sys-libs/glibc/glibc-2.9_p20081201-r3.ebuild | 193 +++++++++++++ 13 files changed, 2168 insertions(+) diff --git a/sys-libs/glibc/Manifest b/sys-libs/glibc/Manifest index 146a59c..2447207 100644 --- a/sys-libs/glibc/Manifest +++ b/sys-libs/glibc/Manifest @@ -1,3 +1,13 @@ +DIST glibc-2.10.1-patches-7.tar.bz2 113612 SHA256 6c94493e08c13072c94c967f55b659e6c950ec470c9677c43cfab10e24a88370 SHA512 6f1d575273ee354e6b9fb85d1a25b660e52fc77ed50bbe0a2c25f60d4ad11ed4560b27358d1b7a5412d5f1fafac2dd83b7ce5b1420205ef2d4906e4c99b610ba WHIRLPOOL 70efe90ab258bf15cf6c0b2ec826aacf25d4cab0d0e09b8883ecfdc34bdc54072bcd3330dd622b8f12ee6a1c74928ecd022e844a351717b53397f056b376992a +DIST glibc-2.10.1.tar.bz2 16106243 SHA256 cbad3e637eab613184405a87a2bf08a41991a0e512a3ced60d120effc73de667 SHA512 3933f69884862b38999b25af60b66c3d887bb022a26bf72e69ca17f2733e37017329d085b4ebca56dfad265906748b83535ccc41df034a867d76a62025c86df2 WHIRLPOOL afffcf139b78643822e6c89f6d6748161bd8c9043e5337d7b057fcedc4ba4e07572c6548c0288bd1bac10bdb63bf69c5eee1047750511ed814c150179ec34f8c +DIST glibc-2.11.3-patches-3.tar.bz2 112513 SHA256 e3b3a256151d86fec9a2625f29ea1486a3e770a0df8e5a803f4914da50e582e7 SHA512 a6f980c91e4fa40ec466cabdc666ccdf78b017f16d2e454d6b3bdbdbe32ad4ae316b9f8f5865ea8f0aeb5081319793fa569029f5aca536f40ce82dc1df629b67 WHIRLPOOL 58b10e2aa5691ada1f504ca192329cef8ac0babb98d21bc54436c7b0218979703aa3f525611b8016a11dbf9551b3bc443e5a17c49481518709322c01fda0b5b1 +DIST glibc-2.11.3.tar.bz2 15667797 SHA256 9c10538262c13018910721b8160e6caf65ba38ca2750c5710bd220e44d696afa SHA512 aaf344a50f40c08811da17434579f93856b129ee751eded66ac2136ce42d7cb58bfc3d4249c1b3ffc5154715d95cb5fd6b12bc6b83eb99be6718403af0184109 WHIRLPOOL d74d7266ae03bd7a6caf2edb3c2e15e242557a35fee91f7a141f0f612cfffb5c42f45bbf3291cbff26a14ee6d29c8ac87e7653d9e8556b16b7893e4cc6c01bf5 +DIST glibc-2.12.1-patches-8.tar.bz2 112063 SHA256 564fe8d9dbf80763c32eca13129ecc69aa276eb8364fe15b400d0cf0cbbf7085 SHA512 688f27a6d049007d51377210c64d94e341b6e8ccfe94b4dd93b57f3a2eec852c87fb8282b67895ac4a86c269514ed58592994dcf0dea7238f1d22157f99f6443 WHIRLPOOL 2a88d6a2ce9fae1106a4753809202815f6ccb8d5e7ace4b77bebcf709f8619e63985f6ecef75f3ffbaefa24d080746d2523bc23b0c0a5f08a160f0b23bfbf7ce +DIST glibc-2.12.1.tar.bz2 15667516 SHA256 759f115c52bc12c5bb453af559dcd456d32138250b7cc96e47804e3d0ec97407 SHA512 e01eaf0c93b20549e159adf7e838458216245c6781d225de908804b275a967712d4f4dfe5b5aefc3e16b75a8593f2aba2f7bc287c89a6c39c9e929cd228766d1 WHIRLPOOL 99061d40d4e1291f3f15c4f25df0a0c7eecf27127a9aeba0c724b636992648b2ff8879b11653081c821f28a82a54dfe4375fc992af1a8de988867965604bbec4 +DIST glibc-2.12.2-patches-4.tar.bz2 109270 SHA256 23362824e7ffbcc34c05f82e6f51b30cb502e648efbe7bc6a644cb8384f57330 SHA512 1776dda77964beff33be1a1cb88c410ff6fa4bdb36a1439ee1acb9698dc97c2621b1e44b06632f1b4d34c29dd707d9193e67a54af506e067a219457dcc6b3d04 WHIRLPOOL 7afe99cd94d916dfc993f084ef56d75fbbb1043319b66cecdf621dda263be122c1a0c21962c47235503989a46aba01bd2006fb9fb67ba0aa0c2692aed3be01e1 +DIST glibc-2.12.2.tar.bz2 15667759 SHA256 22f8eb3c49b9eb5e88fc249daf8670899adef24eb1f74708fb150a6502fa1216 SHA512 8197ece913e572ce3f7dfa0a33d520418aea2d8b85ccda3100118bca9f650e21fb7a8d14b1b4a5587a252c07e70c6fe85f84605a0be9dec649e92d6028979c40 WHIRLPOOL a2585b83e8ba70dd4fe3a6a47b6b5b86ba92d2dadfd50178d98c7e48ed8d5a906b630e79869b8eed44db7eb333af68d20914e3682cf87035d295d7375120d32d +DIST glibc-2.14-patches-7.tar.bz2 105702 SHA256 f213848ae57ca7c3bcd0ac87bf04ef638b9c8191a8124394771d758a861bf009 SHA512 ef0c3cfe3b9935ea071fa96084b0fcbaa3865fe12e8c04d312f698dfe0395a8036716f1f9999777bb77eff314c423a056cf6483a9e6dd58b1919ee2fddb153ae WHIRLPOOL 3ed0b83b19b0729e550c959f5c299a639d93f04d285b24bc8ddf2f790cd5a376ed2eac44acb51a357a02f3906a470ef8783e98e8fd3a0e181fec95cca1deb649 +DIST glibc-2.14.tar.bz2 15630590 SHA256 8404b54651d42133d9a2ab17d30d698e53c5f250b2ad8e5f3d9a208ea7c75d6c SHA512 4647b9999e56d88c669832b58555d4e53a22737d5c1963ae62e89958d9880193d1ad8f37cd4b05464cab79f7a244772eb1484d55788ec4828ff98dac30c8fa80 WHIRLPOOL 3aa97d56fa28bd45fb9a41925f41fe0d74020553ca4aa92293cbc47de2bc8a88b7dcbf368c77f0872d18ab6ba91bdf2b199a0520d946115f821dd4a4728ef2b8 DIST glibc-2.3.6-patches-1.19.tar.bz2 216069 SHA256 8aa924347c50bd721cc1dd8dc7b0c986136689346d4d78eaea4d9f15a4db2dea SHA512 4fc2ed654ecc1021596d5737a0b2b74cec4c42393f49a8a50f30bdcb1a7f3e58876a6ad384dd8d8ed6ee9b3ca0fce034c1e2c85db2a998db4737a93c572b8e16 WHIRLPOOL 56058d0b11fef5f3845e50cc17cd4acb03cb6e5c59930582fd905f9b3bf17fa566fa6a4c5870e274a8e30a947d767113a2033eda1ca5c785ba8c98aa259c30e1 DIST glibc-2.3.6.tar.bz2 14014977 SHA256 e73ff5eddea95d09238b41d3c9c4d9ccddcf99fcc93d04956599c91c704f4a8e SHA512 e92c15b33c80cbbfee83289840de904f5d795f375daf60dd10bb9cbc3701f3c13f35c46063a4359cd662742a9ced5aca62d20eceb580d29c8e02fb5e3845348b WHIRLPOOL e4c0ff5b368ab63aa4662fc0d7563b8276046212e429ba1db3e2f98406a9229264edce9fbda622742205f01c99d429337fa7e6c04ea3c0670b9e4f34068ec9a6 DIST glibc-2.4-patches-1.19.tar.bz2 132880 SHA256 9ec4cd3df3b8e7f294b3c93138d2f0fd7e8213b4981cfcc9cb58c25f934a23fa SHA512 749b6b3430a6351afc676c590e4ede5baa010865168896478df1cd781c785facd19b4b4a772252ccad70fdcea167df2ccf6c06e3f8bd827e7f5282275ab640bd WHIRLPOOL 366d7c47027ace9513720a9902f10265e177280d26de3fa6651130fd6f3f12dd6d566589340b3338426a9eff1290dd59664bc0c0ab6fd8c89503c6fd123e2073 @@ -11,7 +21,11 @@ DIST glibc-2.7.tar.bz2 15976860 SHA256 4224a522ac4ee0fd89eb337e7505e280dfb05e2fe DIST glibc-2.8-20080602.tar.bz2 16235726 SHA256 142eaba19eb85121206ee034fd828ca5dcd1bf2bfa940fef92c37457c06a6d48 SHA512 4c3acfa53844020fe8a6158a3fd3bd9c8423f335eae6e5cc3ebff89b33bccca8c642016b02170faeb8921b072b845921346fa57664f8448dfc967947601c999e WHIRLPOOL 9f5ad676db308f24fab6f611c00341ca6e0d7b2c6ebd165e1d0251607cf93512c04459c905ec05d98111828f605d2a5afa63db099620b8c3f6d8d36cdca786b2 DIST glibc-2.8-patches-6.tar.bz2 103171 SHA256 dc335095de83ff4ff405c9aaf5b3ee3d82148888c73b31081ae1c706510973c2 SHA512 2cdfd14cd64341e3f4a535c1d576a2a92b49cfe85a790de3acd4b82337fe4b8fecfaa6b0950a909cfb8d45a004da2ed4974d2468e33eb0cf89acfe34fbd414c9 WHIRLPOOL f893b1dded80b2b61e04c069fee5cff808fa20a5d75f72f34137c82c69dd2640a3fb6222955ad792c5e6008a761ac72e91737357abdcadf723aedaaf013ac5cc DIST glibc-2.8-ports-20080602.tar.bz2 469234 SHA256 1f3665e80b5832f7d281c109bc2f5412521cc9ccc3bd7b499fd493ff5eb9aa9b SHA512 1357c27140f227846b9fb408aeb7fd032797ea582ead525ca1ad28e67421b5f7413cbffaf006394357b84cfb6d9315c292ccb00bff07a8ecfc4e166ceaf7f56d WHIRLPOOL 2553934c6f529c2a41c1f736873c3ccbe62dfc17ba281eaccb85e62a2d1a57a8c712d0fa96d5f1414fb57cd39120caeab4241b1279f1cf5930f864c5ad2959cc +DIST glibc-2.9-20081201.tar.bz2 16430489 SHA256 6f8e515775e20ed48610860d10315adda418a3649b3465f36ee5cd467364a8f6 SHA512 bdd3f5b61f741f09da21020ceef95e8e4f22574d11f8f2341f573ab2225baaf68698446ec26cbc4a63a21a8a400eaf5820fce4bd89c3e1dcf52172a62df561f4 WHIRLPOOL 37e4875e450e8a4067f657b4d71be184844cd45c0d7dbd9242e8f998aab4e15c732fc64ba148c5782078873182d4b132c911da9242b0513eea96a2338aa04722 +DIST glibc-2.9-patches-8.tar.bz2 106638 SHA256 5f1f8b569ac02c2f538bebd64d137bccb442ddfcb28b3ef17b86134edd8e3f6c SHA512 f5070bf45c28bcf455f53bee85414e6efa1da3cdbc51425a1bc67fb92ff793d1416d5743a48e69080e636d80e41463c5897d437190d496c0b34f7dcf158e8d9c WHIRLPOOL f15b98a7bd6a8cbfaa9c6e1ad7204de875876bf1640c2a008532537cf65b811b42c45446dba846f6e572e9d763cb6afbe878920a51f772c7367cc7a6f615f4b7 +DIST glibc-2.9-ports-20081201.tar.bz2 487663 SHA256 19bb6e89855171d7ae01aef92054dfe4524521fbc13c67bfaa3ee81944210744 SHA512 8bc400fe1f8213908c96fa8c1060a360c4ed83fdb21ba6ffb7b6dc0232216ea23217d0c165336603a8969cca89e8b3edc7d32a38516f2c27114368682d06e6b6 WHIRLPOOL 917d6b77a3d999cb7eca7c9b8bb8d6838a109c609ef8bd3aabb3afa04755c142e4dde352c5c62561a8b39581295eb48b23192b52d1d9f1916454c4cf39db702d DIST glibc-infopages-2.3.6.tar.bz2 1298413 SHA256 651701bb5d8431401fa0f2252ad1cd37f69dc3a2aa28e4ce3405b4417b5e2c22 SHA512 62cd706e22dcf948e2eb3dd24b3a5700f0dc50c6bcdb55b11028187f317b0497795112a5cfb5fce158b9add913e67bfe49844cbaa2251a5af307db897bc49983 WHIRLPOOL a3b4850d85733a5cb035950b07595caeade02eb541fe108a6fbb2af1f930e9c01b322249d1b74ae343f3f6d5f2ffc03ae32cba1fa28c01100ec2c10e91909eb6 +DIST glibc-libidn-2.10.1.tar.bz2 102248 SHA256 0fa72d1dd06a30642d3bb20a659f4ed0f4af54a205d7102896b68169b38676dc SHA512 cc2f74ce50d344b2052cd9b292101e15fe1f27389f74a98cfdf969392e78fc192809c1daa6fe4695851e72535e48d2e8000ab7c776483657e3990e81195886a3 WHIRLPOOL 00b6212b157f4861c860548cdc2841779f744919dbe8123f09fd5918c0c4b1ee110a34e15a933bf74a740860d52d2a5866341eea3b81569877dd2b591ab027e6 DIST glibc-libidn-2.3.6.tar.bz2 101041 SHA256 99a20232c1ad994e8a6dcd15c34e413eed94e7dd558bed7b832649dce09fb4f2 SHA512 1febf922702ae9e48c4654145712ee5fe1f31dc835d21928fe6537bed6dec2a3cf19066d28693b8afae0b93982ec2f72a3a0f98fcc0ee981dff222d761caead4 WHIRLPOOL f8deb0ea94771665f41b99e87d0623e376f8cf0479759dc4d26af8f017a20c45ec7269b331de376c21f328df02c344be2db0c2ebab201f4df2d952a41dc73052 DIST glibc-libidn-2.4.tar.bz2 102305 SHA256 2f29ec2b2b2f75f787a1eed8fdea20aff212dc3bad97651ca376914c49181977 SHA512 c6dcf0db2bcb736d1df7ca69a8da1870f2ec0a2ce491f3eeb3e0fd8ce98b009f0dbe88f96f17421875a120e8984966764260e38ee356d852a11544516a8b5284 WHIRLPOOL d944f12e8943e7e064c92ba3b7e72164647a2bef875844f201561690eda79dd6a051f26eaec555be6ec943ab728a5e955d15a0488a16af2f6e0e3277c89b140e DIST glibc-libidn-2.5.1.tar.bz2 102290 SHA256 800e2b35443ffff200970df6d35a7afc2eb6e75c88a8074391867545e46d9f2e SHA512 f84d56163fdc21fc9e5c760865fb7dde41134c930de0dc6b7cbb80df61a74ab2a044ca07ae864c95f510a636d6e93ea9fe63be20213773bf34952d95d89ba95e WHIRLPOOL 154f6e81eaa54d3df5a4f64f063f3f5d5503380cbbd669e34fc8efb751476a27c1863e238946079317129344a90c78a3f15382782b14a91fc0524f349cb70e3f @@ -21,6 +35,10 @@ DIST glibc-linuxthreads-2.3.6.tar.bz2 243534 SHA256 6c3bc4a247d1e5308fb14f819568 DIST glibc-linuxthreads-2.5.tar.bz2 242445 SHA256 ee27aeba6124a8b351c720eb898917f0f8874d9a384cc2f17aa111a3d679bd2c SHA512 e6231590d976762f22c1668f20ec5f5288c2aa45dfcc246c8b628207948ecd009f4e7fb999fbf63d3fb590f0a20b2ade819ddacdf391ec2cf8562d7556335b66 WHIRLPOOL c3f943dc39b9a271fdd32b98a875a308f14532e810c8ffa6b6994c7723d8dd57fa22c17fdc6173f659d440958c15d3b2763210376be6802c4feefcd397a5d6db DIST glibc-linuxthreads-20060605.tar.bz2 247200 SHA256 1d15e236926fff6daa81e6af34e7903206b67f849f828ca976ab077b4677fb52 SHA512 dadff68163f75debf65ea06e4f537d880560245cc6e193b81d668ab54739829b14c29c86cbf0126699a4d36198305dd94c525c416c490cb0c20635b82ee04460 WHIRLPOOL 6d46d0d3e00d84f9481aaa3f9d6645a4d8946bd82b9e1d899305d8000a6e445515f85526672179d11020899737e6a55be22fe3146bc19821ed75941c0da82260 DIST glibc-manpages-2.3.6-1.tar.bz2 22216 SHA256 2ba9c7fff2f02f888160dbadd013356fe4a6e9f3d71ac583f5ba6a1d73cb2ab6 SHA512 c4d19f00f03bdcec09c438406ae246ec70479294c1cd096c080889169b30ad5bd715f015a3c8278ec6373562450dc91fdd1f079609d754089b51043fbc8e57ed WHIRLPOOL 31b4e59300975ddd55b69fe32d4de2067ae7e0caaa6554d928be09bffbe872e399c89473b0051265745a0c8539a1b5115ded637c4a27f0e6262e16cc0324769f +DIST glibc-ports-2.10.1.tar.bz2 584860 SHA256 b1f1ec9720036a3a33598b8478eef102535444a083d5b5813a6981ed74ab4071 SHA512 9319fa98b159f904f263ceb1f073db14caf6af61c7fb723d8e5c210a061d2e1ffd634d87912c07f748e9a309be6062fb0799c06638fcc54f1219e4494143fae9 WHIRLPOOL d94ae024811887d0a46800161d29be371d53827690b80df35a58a38e4a78811784e096335b0cfcd7587c26e392158765a182a91c9252e5b304d12901b2e41a73 +DIST glibc-ports-2.11.tar.bz2 599606 SHA256 38d212b1a22ed121c97f2827e7357e3e077084635ebc197246993d328b1b6589 SHA512 55254f538919bcc6e5046ca699ebf6c2d5ff039b4d3d0254361d3185f735b3a6561c6518cf99d25702659e10de7950b445b36d0ba8bb3fae0558ee6edaff41ac WHIRLPOOL 1516a97ac2c7bf06975a1364ab0097e3d90054facd4f5c86e1aa4d6d58e94c6ae7e6c13e998604ee766207ee80a4653fca585cc127057f5540019f691e5ba29c +DIST glibc-ports-2.12.1.tar.bz2 621800 SHA256 3986c166d08c30b83c9cc7d972651550b548386d5a02e4e4c985d9832de83110 SHA512 d7dad77d9d495df2d0605e915e0db0c170d3d5d1e83509a3e48d51f32f6c08cbe133c49dd1f09ee559a503af25756c38dd83725f336ba0ec7d96a15f29ac33cb WHIRLPOOL 561ba89d6ef8702867126a36f657254f3fea1b1ba25acc9140da831fc76ced740fa55c4b4d8d3fbe4be86399e9ff0b9e2a3cd5f160738a3889a3554496ceaca2 +DIST glibc-ports-2.14.tar.bz2 631253 SHA256 580a656a55a17ba3db80ab0a9321332cd1f0aaddd7fad76004b524303fb6632d SHA512 843a8daee3210fca86956718bff71f21f6532b7ca3077b4a1964f6d797df0a3dba42a29108715410ae232a48809f166cb051303a567fe16b0c05b9f71aef6225 WHIRLPOOL 156c43e90bb47d939e0852c583d6382021440c5b4c0b3705f60d4ad953866ab92ba1d502e010e7ff2b3a031795393f776dea3cfed317daf426d0360346ff9064 DIST glibc-ports-2.4.tar.bz2 381472 SHA256 2fbbcaad8a9f8560485c398a9066959fe2713c8bc7e653ec476fb56fed21d19a SHA512 c6a37e56aa384cf3f6b74c8a2ccb50fd2f6f494fe65543e18153998ea4bc7fd44806284f263bd14098158680c996f0e45100827b3180a8a791d13d4ace46c294 WHIRLPOOL 2a1558556b0f9ad1ccb47a1f513a7d70d644cef53a382b917db56140f7e9ebbe1f41bb24143c461158fb3047b2b5a60fbb6091f9858619d6acef5c7fb88422fa DIST glibc-ports-2.5.tar.bz2 409372 SHA256 80c38a005325e7539012bd665fb8e06af9ee9bfc74efb236ebff121265bfd463 SHA512 e9a0630bab9dc262c6bdd1696a79e060b39d55bbc0c6a6e9e3b36fe315aa11c22d008f722efa546fa5ec443c224933bb8b64f90acaf1f9dd886e5126f1a81c0e WHIRLPOOL af1a0f1bc46435a24c9020194a6fdd7067245ada85159f7b3e24e55b7cc88129570834dba532495e40f1646067e93aac1bd60de2d6f2cec9f9ecef2f64c66755 DIST glibc-ports-2.6.1.tar.bz2 431292 SHA256 d094028bc6d6691f56b4efeff7cd7e1c7ca10733e0cb5efc36e8fb08d8324bf1 SHA512 10821599e095a38c10b9e3b757b9919ab29b536eb9a275ca1050aeb63a08d4a429e7e1821f184e8add2d870cff49d9d4f7b445f5337ecb9964dcd92405b53f6c WHIRLPOOL c1813db493da4d7fc22b319bb70e33db59ce055c30de5f860921c08968e6b558794121ac1ba0fbab199e31c532d82a915490c030b056ffadd3bdde2eaee80cce diff --git a/sys-libs/glibc/files/2.10/glibc-2.10-gentoo-chk_fail.c b/sys-libs/glibc/files/2.10/glibc-2.10-gentoo-chk_fail.c new file mode 100644 index 0000000..37711e8 --- /dev/null +++ b/sys-libs/glibc/files/2.10/glibc-2.10-gentoo-chk_fail.c @@ -0,0 +1,315 @@ +/* Copyright (C) 2004, 2005 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, write to the Free + Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA + 02111-1307 USA. */ + +/* Copyright (C) 2006-2008 Gentoo Foundation Inc. + * License terms as above. + * + * Hardened Gentoo SSP and FORTIFY handler + * + * An SSP failure handler that does not use functions from the rest of + * glibc; it uses the INTERNAL_SYSCALL methods directly. This ensures + * no possibility of recursion into the handler. + * + * Direct all bug reports to http://bugs.gentoo.org/ + * + * Re-written from the glibc-2.3 Hardened Gentoo SSP handler + * by Kevin F. Quinn - <kevquinn[@]gentoo.org> + * + * The following people contributed to the glibc-2.3 Hardened + * Gentoo SSP and FORTIFY handler, from which this implementation draws much: + * + * Ned Ludd - <solar[@]gentoo.org> + * Alexander Gabert - <pappy[@]gentoo.org> + * The PaX Team - <pageexec[@]freemail.hu> + * Peter S. Mazinger - <ps.m[@]gmx.net> + * Yoann Vandoorselaere - <yoann[@]prelude-ids.org> + * Robert Connolly - <robert[@]linuxfromscratch.org> + * Cory Visi <cory[@]visi.name> + * Mike Frysinger <vapier[@]gentoo.org> + * Magnus Granberg <zorry[@]ume.nu> + */ + +#include <stdio.h> +#include <stdlib.h> +#include <errno.h> +#include <unistd.h> +#include <signal.h> + +#include <sys/types.h> + +#include <sysdep-cancel.h> +#include <sys/syscall.h> +#include <bp-checks.h> + +#include <kernel-features.h> + +#include <alloca.h> +/* from sysdeps */ +#include <socketcall.h> +/* for the stuff in bits/socket.h */ +#include <sys/socket.h> +#include <sys/un.h> + +/* Sanity check on SYSCALL macro names - force compilation + * failure if the names used here do not exist + */ +#if !defined __NR_socketcall && !defined __NR_socket +# error Cannot do syscall socket or socketcall +#endif +#if !defined __NR_socketcall && !defined __NR_connect +# error Cannot do syscall connect or socketcall +#endif +#ifndef __NR_write +# error Cannot do syscall write +#endif +#ifndef __NR_close +# error Cannot do syscall close +#endif +#ifndef __NR_getpid +# error Cannot do syscall getpid +#endif +#ifndef __NR_kill +# error Cannot do syscall kill +#endif +#ifndef __NR_exit +# error Cannot do syscall exit +#endif +#ifdef SSP_SMASH_DUMPS_CORE +# define ENABLE_SSP_SMASH_DUMPS_CORE 1 +# if !defined _KERNEL_NSIG && !defined _NSIG +# error No _NSIG or _KERNEL_NSIG for rt_sigaction +# endif +# if !defined __NR_sigaction && !defined __NR_rt_sigaction +# error Cannot do syscall sigaction or rt_sigaction +# endif +/* Although rt_sigaction expects sizeof(sigset_t) - it expects the size + * of the _kernel_ sigset_t which is not the same as the user sigset_t. + * Most arches have this as _NSIG bits - mips has _KERNEL_NSIG bits for + * some reason. + */ +# ifdef _KERNEL_NSIG +# define _SSP_NSIG _KERNEL_NSIG +# else +# define _SSP_NSIG _NSIG +# endif +#else +# define _SSP_NSIG 0 +# define ENABLE_SSP_SMASH_DUMPS_CORE 0 +#endif + +/* Define DO_SIGACTION - default to newer rt signal interface but + * fallback to old as needed. + */ +#ifdef __NR_rt_sigaction +# define DO_SIGACTION(signum, act, oldact) \ + INLINE_SYSCALL(rt_sigaction, 4, signum, act, oldact, _SSP_NSIG/8) +#else +# define DO_SIGACTION(signum, act, oldact) \ + INLINE_SYSCALL(sigaction, 3, signum, act, oldact) +#endif + +/* Define DO_SOCKET/DO_CONNECT functions to deal with socketcall vs socket/connect */ +#if defined(__NR_socket) && defined(__NR_connect) +# define USE_OLD_SOCKETCALL 0 +#else +# define USE_OLD_SOCKETCALL 1 +#endif + +/* stub out the __NR_'s so we can let gcc optimize away dead code */ +#ifndef __NR_socketcall +# define __NR_socketcall 0 +#endif +#ifndef __NR_socket +# define __NR_socket 0 +#endif +#ifndef __NR_connect +# define __NR_connect 0 +#endif +#define DO_SOCKET(result, domain, type, protocol) \ + do { \ + if (USE_OLD_SOCKETCALL) { \ + socketargs[0] = domain; \ + socketargs[1] = type; \ + socketargs[2] = protocol; \ + socketargs[3] = 0; \ + result = INLINE_SYSCALL(socketcall, 2, SOCKOP_socket, socketargs); \ + } else \ + result = INLINE_SYSCALL(socket, 3, domain, type, protocol); \ + } while (0) +#define DO_CONNECT(result, sockfd, serv_addr, addrlen) \ + do { \ + if (USE_OLD_SOCKETCALL) { \ + socketargs[0] = sockfd; \ + socketargs[1] = (unsigned long int)serv_addr; \ + socketargs[2] = addrlen; \ + socketargs[3] = 0; \ + result = INLINE_SYSCALL(socketcall, 2, SOCKOP_connect, socketargs); \ + } else \ + result = INLINE_SYSCALL(connect, 3, sockfd, serv_addr, addrlen); \ + } while (0) + +#ifndef _PATH_LOG +# define _PATH_LOG "/dev/log" +#endif + +static const char path_log[] = _PATH_LOG; + +/* For building glibc with SSP switched on, define __progname to a + * constant if building for the run-time loader, to avoid pulling + * in more of libc.so into ld.so + */ +#ifdef IS_IN_rtld +static char *__progname = "<rtld>"; +#else +extern char *__progname; +#endif + +/* Common handler code, used by chk_fail + * Inlined to ensure no self-references to the handler within itself. + * Data static to avoid putting more than necessary on the stack, + * to aid core debugging. + */ +__attribute__ ((__noreturn__ , __always_inline__)) +static inline void +__hardened_gentoo_chk_fail(char func[], int damaged) +{ +#define MESSAGE_BUFSIZ 256 + static pid_t pid; + static int plen, i; + static char message[MESSAGE_BUFSIZ]; + static const char msg_ssa[] = ": buffer overflow attack"; + static const char msg_inf[] = " in function "; + static const char msg_ssd[] = "*** buffer overflow detected ***: "; + static const char msg_terminated[] = " - terminated\n"; + static const char msg_report[] = "Report to http://bugs.gentoo.org/\n";; + static const char msg_unknown[] = "<unknown>"; + static int log_socket, connect_result; + static struct sockaddr_un sock; + static unsigned long int socketargs[4]; + + /* Build socket address + */ + sock.sun_family = AF_UNIX; + i = 0; + while ((path_log[i] != '\0') && (i<(sizeof(sock.sun_path)-1))) { + sock.sun_path[i] = path_log[i]; + i++; + } + sock.sun_path[i] = '\0'; + + /* Try SOCK_DGRAM connection to syslog */ + connect_result = -1; + DO_SOCKET(log_socket, AF_UNIX, SOCK_DGRAM, 0); + if (log_socket != -1) + DO_CONNECT(connect_result, log_socket, &sock, sizeof(sock)); + if (connect_result == -1) { + if (log_socket != -1) + INLINE_SYSCALL(close, 1, log_socket); + /* Try SOCK_STREAM connection to syslog */ + DO_SOCKET(log_socket, AF_UNIX, SOCK_STREAM, 0); + if (log_socket != -1) + DO_CONNECT(connect_result, log_socket, &sock, sizeof(sock)); + } + + /* Build message. Messages are generated both in the old style and new style, + * so that log watchers that are configured for the old-style message continue + * to work. + */ +#define strconcat(str) \ + {i=0; while ((str[i] != '\0') && ((i+plen)<(MESSAGE_BUFSIZ-1))) \ + {\ + message[plen+i]=str[i];\ + i++;\ + }\ + plen+=i;} + + /* R.Henderson post-gcc-4 style message */ + plen = 0; + strconcat(msg_ssd); + if (__progname != (char *)0) + strconcat(__progname) + else + strconcat(msg_unknown); + strconcat(msg_terminated); + + /* Write out error message to STDERR, to syslog if open */ + INLINE_SYSCALL(write, 3, STDERR_FILENO, message, plen); + if (connect_result != -1) + INLINE_SYSCALL(write, 3, log_socket, message, plen); + + /* Dr. Etoh pre-gcc-4 style message */ + plen = 0; + if (__progname != (char *)0) + strconcat(__progname) + else + strconcat(msg_unknown); + strconcat(msg_ssa); + strconcat(msg_inf); + if (func != NULL) + strconcat(func) + else + strconcat(msg_unknown); + strconcat(msg_terminated); + /* Write out error message to STDERR, to syslog if open */ + INLINE_SYSCALL(write, 3, STDERR_FILENO, message, plen); + if (connect_result != -1) + INLINE_SYSCALL(write, 3, log_socket, message, plen); + + /* Direct reports to bugs.gentoo.org */ + plen=0; + strconcat(msg_report); + message[plen++]='\0'; + + /* Write out error message to STDERR, to syslog if open */ + INLINE_SYSCALL(write, 3, STDERR_FILENO, message, plen); + if (connect_result != -1) + INLINE_SYSCALL(write, 3, log_socket, message, plen); + + if (log_socket != -1) + INLINE_SYSCALL(close, 1, log_socket); + + /* Suicide */ + pid = INLINE_SYSCALL(getpid, 0); + + if (ENABLE_SSP_SMASH_DUMPS_CORE) { + static struct sigaction default_abort_act; + /* Remove any user-supplied handler for SIGABRT, before using it */ + default_abort_act.sa_handler = SIG_DFL; + default_abort_act.sa_sigaction = NULL; + __sigfillset(&default_abort_act.sa_mask); + default_abort_act.sa_flags = 0; + if (DO_SIGACTION(SIGABRT, &default_abort_act, NULL) == 0) + INLINE_SYSCALL(kill, 2, pid, SIGABRT); + } + + /* Note; actions cannot be added to SIGKILL */ + INLINE_SYSCALL(kill, 2, pid, SIGKILL); + + /* In case the kill didn't work, exit anyway + * The loop prevents gcc thinking this routine returns + */ + while (1) + INLINE_SYSCALL(exit, 0); +} + +__attribute__ ((__noreturn__)) +void __chk_fail(void) +{ + __hardened_gentoo_chk_fail(NULL, 0); +} + diff --git a/sys-libs/glibc/files/2.10/glibc-2.10-hardened-configure-picdefault.patch b/sys-libs/glibc/files/2.10/glibc-2.10-hardened-configure-picdefault.patch new file mode 100644 index 0000000..e75ccc7 --- /dev/null +++ b/sys-libs/glibc/files/2.10/glibc-2.10-hardened-configure-picdefault.patch @@ -0,0 +1,30 @@ +Prevent default-fPIE from confusing configure into thinking +PIC code is default. This causes glibc to build both PIC and +non-PIC code as normal, which on the hardened compiler generates +PIC and PIE. + +Patch by Kevin F. Quinn <[email protected]> +Fixed for glibc 2.10 by Magnus Granberg <[email protected]> + +--- configure.in ++++ configure.in +@@ -2145,7 +2145,7 @@ + # error PIC is default. + #endif + EOF +-if eval "${CC-cc} -S conftest.c 2>&AS_MESSAGE_LOG_FD 1>&AS_MESSAGE_LOG_FD"; then ++if eval "${CC-cc} -fno-PIE -S conftest.c 2>&AS_MESSAGE_LOG_FD 1>&AS_MESSAGE_LOG_FD"; then + libc_cv_pic_default=no + fi + rm -f conftest.*]) +--- configure ++++ configure +@@ -7698,7 +7698,7 @@ + # error PIC is default. + #endif + EOF +-if eval "${CC-cc} -S conftest.c 2>&5 1>&5"; then ++if eval "${CC-cc} -fno-PIE -S conftest.c 2>&5 1>&5"; then + libc_cv_pic_default=no + fi + rm -f conftest.* diff --git a/sys-libs/glibc/files/2.10/glibc-2.10-hardened-inittls-nosysenter.patch b/sys-libs/glibc/files/2.10/glibc-2.10-hardened-inittls-nosysenter.patch new file mode 100644 index 0000000..cb6d8e3 --- /dev/null +++ b/sys-libs/glibc/files/2.10/glibc-2.10-hardened-inittls-nosysenter.patch @@ -0,0 +1,274 @@ +When building glibc PIE (which is not something upstream support), +several modifications are necessary to the glibc build process. + +First, any syscalls in PIEs must be of the PIC variant, otherwise +textrels ensue. Then, any syscalls made before the initialisation +of the TLS will fail on i386, as the sysenter variant on i386 uses +the TLS, giving rise to a chicken-and-egg situation. This patch +defines a PIC syscall variant that doesn't use sysenter, even when the sysenter +version is normally used, and uses the non-sysenter version for the brk +syscall that is performed by the TLS initialisation. Further, the TLS +initialisation is moved in this case prior to the initialisation of +dl_osversion, as that requires further syscalls. + +csu/libc-start.c: Move initial TLS initialization to before the +initialisation of dl_osversion, when INTERNAL_SYSCALL_NOSYSENTER is defined + +csu/libc-tls.c: Use the no-sysenter version of sbrk when +INTERNAL_SYSCALL_NOSYSENTER is defined. + +misc/sbrk.c: Define a no-sysenter version of sbrk, using the no-sysenter +version of brk - if INTERNAL_SYSCALL_NOSYSENTER is defined. + +misc/brk.c: Define a no-sysenter version of brk if +INTERNAL_SYSCALL_NOSYSENTER is defined. + +sysdeps/unix/sysv/linux/i386/sysdep.h: Define INTERNAL_SYSCALL_NOSYSENTER +Make INTERNAL_SYSCALL always use the PIC variant, even if not SHARED. + +Patch by Kevin F. Quinn <[email protected]> +Fixed for 2.10 by Magnus Granberg <[email protected]> + +--- csu/libc-start.c ++++ csu/libc-start.c +@@ -28,6 +28,7 @@ + extern int __libc_multiple_libcs; + + #include <tls.h> ++#include <sysdep.h> + #ifndef SHARED + # include <dl-osinfo.h> + extern void __pthread_initialize_minimal (void); +@@ -129,6 +130,11 @@ + # endif + _dl_aux_init (auxvec); + # endif ++# ifdef INTERNAL_SYSCALL_NOSYSENTER ++ /* Do the initial TLS initialization before _dl_osversion, ++ since the latter uses the uname syscall. */ ++ __pthread_initialize_minimal (); ++# endif + # ifdef DL_SYSDEP_OSCHECK + if (!__libc_multiple_libcs) + { +@@ -138,10 +144,12 @@ + } + # endif + ++# ifndef INTERNAL_SYSCALL_NOSYSENTER + /* Initialize the thread library at least a bit since the libgcc + functions are using thread functions if these are available and + we need to setup errno. */ + __pthread_initialize_minimal (); ++# endif + + /* Set up the stack checker's canary. */ + uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard (); +--- csu/libc-tls.c ++++ csu/libc-tls.c +@@ -23,6 +23,7 @@ + #include <unistd.h> + #include <stdio.h> + #include <sys/param.h> ++#include <sysdep.h> + + + #ifdef SHARED +@@ -29,6 +30,9 @@ + #error makefile bug, this file is for static only + #endif + ++#ifdef INTERNAL_SYSCALL_NOSYSENTER ++extern void *__sbrk_nosysenter (intptr_t __delta); ++#endif + extern ElfW(Phdr) *_dl_phdr; + extern size_t _dl_phnum; + +@@ -141,14 +145,26 @@ + + The initialized value of _dl_tls_static_size is provided by dl-open.c + to request some surplus that permits dynamic loading of modules with +- IE-model TLS. */ ++ IE-model TLS. ++ ++ Where the normal sbrk would use a syscall that needs the TLS (i386) ++ use the special non-sysenter version instead. */ + #if TLS_TCB_AT_TP + tcb_offset = roundup (memsz + GL(dl_tls_static_size), tcbalign); ++# ifdef INTERNAL_SYSCALL_NOSYSENTER ++ tlsblock = __sbrk_nosysenter (tcb_offset + tcbsize + max_align); ++# else + tlsblock = __sbrk (tcb_offset + tcbsize + max_align); ++# endif + #elif TLS_DTV_AT_TP + tcb_offset = roundup (tcbsize, align ?: 1); ++# ifdef INTERNAL_SYSCALL_NOSYSENTER ++ tlsblock = __sbrk_nosysenter (tcb_offset + memsz + max_align ++ + TLS_PRE_TCB_SIZE + GL(dl_tls_static_size)); ++# else + tlsblock = __sbrk (tcb_offset + memsz + max_align + + TLS_PRE_TCB_SIZE + GL(dl_tls_static_size)); ++# endif + tlsblock += TLS_PRE_TCB_SIZE; + #else + /* In case a model with a different layout for the TCB and DTV +--- misc/sbrk.c ++++ misc/sbrk.c +@@ -18,6 +18,7 @@ + #include <errno.h> + #include <stdint.h> + #include <unistd.h> ++#include <sysdep.h> + + /* Defined in brk.c. */ + extern void *__curbrk; +@@ -29,6 +30,35 @@ + /* Extend the process's data space by INCREMENT. + If INCREMENT is negative, shrink data space by - INCREMENT. + Return start of new space allocated, or -1 for errors. */ ++#ifdef INTERNAL_SYSCALL_NOSYSENTER ++/* This version is used by csu/libc-tls.c whem initialising the TLS ++ if the SYSENTER version requires the TLS (which it does on i386). ++ Obviously using the TLS before it is initialised is broken. */ ++extern int __brk_nosysenter (void *addr); ++void * ++__sbrk_nosysenter (intptr_t increment) ++{ ++ void *oldbrk; ++ ++ /* If this is not part of the dynamic library or the library is used ++ via dynamic loading in a statically linked program update ++ __curbrk from the kernel's brk value. That way two separate ++ instances of __brk and __sbrk can share the heap, returning ++ interleaved pieces of it. */ ++ if (__curbrk == NULL || __libc_multiple_libcs) ++ if (__brk_nosysenter (0) < 0) /* Initialize the break. */ ++ return (void *) -1; ++ ++ if (increment == 0) ++ return __curbrk; ++ ++ oldbrk = __curbrk; ++ if (__brk_nosysenter (oldbrk + increment) < 0) ++ return (void *) -1; ++ ++ return oldbrk; ++} ++#endif + void * + __sbrk (intptr_t increment) + { +--- sysdeps/unix/sysv/linux/i386/brk.c ++++ sysdeps/unix/sysv/linux/i386/brk.c +@@ -31,6 +31,30 @@ + linker. */ + weak_alias (__curbrk, ___brk_addr) + ++#ifdef INTERNAL_SYSCALL_NOSYSENTER ++/* This version is used by csu/libc-tls.c whem initialising the TLS ++ * if the SYSENTER version requires the TLS (which it does on i386). ++ * Obviously using the TLS before it is initialised is broken. */ ++int ++__brk_nosysenter (void *addr) ++{ ++ void *__unbounded newbrk; ++ ++ INTERNAL_SYSCALL_DECL (err); ++ newbrk = (void *__unbounded) INTERNAL_SYSCALL_NOSYSENTER (brk, err, 1, ++ __ptrvalue (addr)); ++ ++ __curbrk = newbrk; ++ ++ if (newbrk < addr) ++ { ++ __set_errno (ENOMEM); ++ return -1; ++ } ++ ++ return 0; ++} ++#endif + int + __brk (void *addr) + { +--- sysdeps/unix/sysv/linux/i386/sysdep.h ++++ sysdeps/unix/sysv/linux/i386/sysdep.h +@@ -187,7 +187,7 @@ + /* The original calling convention for system calls on Linux/i386 is + to use int $0x80. */ + #ifdef I386_USE_SYSENTER +-# ifdef SHARED ++# if defined SHARED || defined __PIC__ + # define ENTER_KERNEL call *%gs:SYSINFO_OFFSET + # else + # define ENTER_KERNEL call *_dl_sysinfo +@@ -358,7 +358,7 @@ + possible to use more than four parameters. */ + #undef INTERNAL_SYSCALL + #ifdef I386_USE_SYSENTER +-# ifdef SHARED ++# if defined SHARED || defined __PIC__ + # define INTERNAL_SYSCALL(name, err, nr, args...) \ + ({ \ + register unsigned int resultvar; \ +@@ -384,6 +384,18 @@ + : "0" (name), "i" (offsetof (tcbhead_t, sysinfo)) \ + ASMFMT_##nr(args) : "memory", "cc"); \ + (int) resultvar; }) ++# define INTERNAL_SYSCALL_NOSYSENTER(name, err, nr, args...) \ ++ ({ \ ++ register unsigned int resultvar; \ ++ EXTRAVAR_##nr \ ++ asm volatile ( \ ++ LOADARGS_NOSYSENTER_##nr \ ++ "movl %1, %%eax\n\t" \ ++ "int $0x80\n\t" \ ++ RESTOREARGS_NOSYSENTER_##nr \ ++ : "=a" (resultvar) \ ++ : "i" (__NR_##name) ASMFMT_##nr(args) : "memory", "cc"); \ ++ (int) resultvar; }) + # else + # define INTERNAL_SYSCALL(name, err, nr, args...) \ + ({ \ +@@ -447,12 +459,20 @@ + + #define LOADARGS_0 + #ifdef __PIC__ +-# if defined I386_USE_SYSENTER && defined SHARED ++# if defined I386_USE_SYSENTER && ( defined SHARED || defined __PIC__ ) + # define LOADARGS_1 \ + "bpushl .L__X'%k3, %k3\n\t" + # define LOADARGS_5 \ + "movl %%ebx, %4\n\t" \ + "movl %3, %%ebx\n\t" ++# define LOADARGS_NOSYSENTER_1 \ ++ "bpushl .L__X'%k2, %k2\n\t" ++# define LOADARGS_NOSYSENTER_2 LOADARGS_NOSYSENTER_1 ++# define LOADARGS_NOSYSENTER_3 LOADARGS_3 ++# define LOADARGS_NOSYSENTER_4 LOADARGS_3 ++# define LOADARGS_NOSYSENTER_5 \ ++ "movl %%ebx, %3\n\t" \ ++ "movl %2, %%ebx\n\t" + # else + # define LOADARGS_1 \ + "bpushl .L__X'%k2, %k2\n\t" +@@ -474,11 +495,18 @@ + + #define RESTOREARGS_0 + #ifdef __PIC__ +-# if defined I386_USE_SYSENTER && defined SHARED ++# if defined I386_USE_SYSENTER && ( defined SHARED || defined __PIC__ ) + # define RESTOREARGS_1 \ + "bpopl .L__X'%k3, %k3\n\t" + # define RESTOREARGS_5 \ + "movl %4, %%ebx" ++# define RESTOREARGS_NOSYSENTER_1 \ ++ "bpopl .L__X'%k2, %k2\n\t" ++# define RESTOREARGS_NOSYSENTER_2 RESTOREARGS_NOSYSENTER_1 ++# define RESTOREARGS_NOSYSENTER_3 RESTOREARGS_3 ++# define RESTOREARGS_NOSYSENTER_4 RESTOREARGS_3 ++# define RESTOREARGS_NOSYSENTER_5 \ ++ "movl %3, %%ebx" + # else + # define RESTOREARGS_1 \ + "bpopl .L__X'%k2, %k2\n\t" diff --git a/sys-libs/glibc/files/2.10/glibc-2.10-hardened-ssp-compat.patch b/sys-libs/glibc/files/2.10/glibc-2.10-hardened-ssp-compat.patch new file mode 100644 index 0000000..a1c9eef --- /dev/null +++ b/sys-libs/glibc/files/2.10/glibc-2.10-hardened-ssp-compat.patch @@ -0,0 +1,168 @@ +Add backwards compat support for gcc-3.x ssp ... older ssp versions +used __guard and __stack_smash_handler symbols while gcc-4.1 and newer +uses __stack_chk_guard and __stack_chk_fail. + +--- config.h.in ++++ config.h.in +@@ -42,6 +42,9 @@ + assembler instructions per line. Default is `;' */ + #undef ASM_LINE_SEP + ++/* Define if we want to enable support for old ssp symbols */ ++#undef ENABLE_OLD_SSP_COMPAT ++ + /* Define if not using ELF, but `.init' and `.fini' sections are available. */ + #undef HAVE_INITFINI + +--- configure ++++ configure +@@ -1378,6 +1378,9 @@ Optional Features: + --enable-kernel=VERSION compile for compatibility with kernel not older than + VERSION + --enable-all-warnings enable all useful warnings gcc can issue ++ --disable-old-ssp-compat ++ enable support for older ssp symbols ++ [default=no] + --enable-multi-arch enable single DSO with optimizations for multiple + architectures + --enable-experimental-malloc +@@ -6462,6 +6465,20 @@ fi + $as_echo "$libc_cv_ssp" >&6; } + + ++# Check whether --enable-old-ssp-compat or --disable-old-ssp-compat was given. ++if test "${enable_old_ssp_compat+set}" = set; then ++ enableval="$enable_old_ssp_compat" ++ enable_old_ssp_compat=$enableval ++else ++ enable_old_ssp_compat=no ++fi; ++if test "x$enable_old_ssp_compat" = "xyes"; then ++ cat >>confdefs.h <<\_ACEOF ++#define ENABLE_OLD_SSP_COMPAT 1 ++_ACEOF ++ ++fi ++ + { $as_echo "$as_me:$LINENO: checking for -fgnu89-inline" >&5 + $as_echo_n "checking for -fgnu89-inline... " >&6; } + if test "${libc_cv_gnu89_inline+set}" = set; then +--- configure.in ++++ configure.in +@@ -1641,6 +1641,15 @@ fi + rm -f conftest*]) + AC_SUBST(libc_cv_ssp) + ++AC_ARG_ENABLE([old-ssp-compat], ++ AC_HELP_STRING([--enable-old-ssp-compat], ++ [enable support for older ssp symbols @<:@default=no@:>@]), ++ [enable_old_ssp_compat=$enableval], ++ [enable_old_ssp_compat=no]) ++if test "x$enable_old_ssp_compat" = "xyes"; then ++ AC_DEFINE(ENABLE_OLD_SSP_COMPAT) ++fi ++ + AC_CACHE_CHECK(for -fgnu89-inline, libc_cv_gnu89_inline, [dnl + cat > conftest.c <<EOF + int foo; +--- csu/libc-start.c ++++ csu/libc-start.c +@@ -37,6 +37,9 @@ extern void __pthread_initialize_minimal + uintptr_t __stack_chk_guard attribute_relro; + # endif + #endif ++#ifdef ENABLE_OLD_SSP_COMPAT ++uintptr_t __guard attribute_relro; ++#endif + + #ifdef HAVE_PTR_NTHREADS + /* We need atomic operations. */ +@@ -141,6 +145,9 @@ LIBC_START_MAIN (int (*main) (int, char + + /* Set up the stack checker's canary. */ + uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard (_dl_random); ++#ifdef ENABLE_OLD_SSP_COMPAT ++ __guard = stack_chk_guard; ++#endif + # ifdef THREAD_SET_STACK_GUARD + THREAD_SET_STACK_GUARD (stack_chk_guard); + # else +--- csu/Versions ++++ csu/Versions +@@ -17,6 +17,12 @@ libc { + # New special glibc functions. + gnu_get_libc_release; gnu_get_libc_version; + } ++ GLIBC_2.3.2 { ++%ifdef ENABLE_OLD_SSP_COMPAT ++ # global objects and functions for the old propolice patch in gcc ++ __guard; ++%endif ++ } + GLIBC_PRIVATE { + %if HAVE___THREAD + # This version is for the TLS symbol, GLIBC_2.0 is the old object symbol. +--- debug/Versions ++++ debug/Versions +@@ -10,6 +10,12 @@ libc { + # These are to support some gcc features. + __cyg_profile_func_enter; __cyg_profile_func_exit; + } ++%ifdef ENABLE_OLD_SSP_COMPAT ++ GLIBC_2.3.2 { ++ # backwards ssp compat support; alias to __stack_chk_fail ++ __stack_smash_handler; ++ } ++%endif + GLIBC_2.3.4 { + __chk_fail; + __memcpy_chk; __memmove_chk; __mempcpy_chk; __memset_chk; __stpcpy_chk; +--- elf/rtld.c ++++ elf/rtld.c +@@ -89,6 +89,9 @@ INTDEF(_dl_argv) + in thread local area. */ + uintptr_t __stack_chk_guard attribute_relro; + #endif ++#ifdef ENABLE_OLD_SSP_COMPAT ++uintptr_t __guard attribute_relro; ++#endif + + /* Only exported for architectures that don't store the pointer guard + value in thread local area. */ +@@ -1817,6 +1821,9 @@ ERROR: ld.so: object '%s' cannot be load + + /* Set up the stack checker's canary. */ + uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard (_dl_random); ++#ifdef ENABLE_OLD_SSP_COMPAT ++ __guard = stack_chk_guard; ++#endif + #ifdef THREAD_SET_STACK_GUARD + THREAD_SET_STACK_GUARD (stack_chk_guard); + #else +--- elf/Versions ++++ elf/Versions +@@ -43,6 +43,12 @@ ld { + # runtime interface to TLS + __tls_get_addr; + } ++%ifdef ENABLE_OLD_SSP_COMPAT ++ GLIBC_2.3.2 { ++ # backwards ssp compat support ++ __guard; ++ } ++%endif + GLIBC_2.4 { + # stack canary + __stack_chk_guard; +--- Versions.def ++++ Versions.def +@@ -109,6 +109,9 @@ ld { + GLIBC_2.0 + GLIBC_2.1 + GLIBC_2.3 ++%ifdef ENABLE_OLD_SSP_COMPAT ++ GLIBC_2.3.2 ++%endif + GLIBC_2.4 + GLIBC_PRIVATE + } diff --git a/sys-libs/glibc/files/2.11/glibc-2.11-hardened-pie.patch b/sys-libs/glibc/files/2.11/glibc-2.11-hardened-pie.patch new file mode 100644 index 0000000..df7292f --- /dev/null +++ b/sys-libs/glibc/files/2.11/glibc-2.11-hardened-pie.patch @@ -0,0 +1,40 @@ +http://bugs.gentoo.org/292139 + +2009-11-08 Magnus Granberg <[email protected]> + + * Makeconfig (+link): Set to +link-pie. + (+link-static): Change $(static-start-installed-name) to + S$(static-start-installed-name). + (+prector): Set to +prectorS. + (+postctor): Set to +postctorS. + +--- libc/Makeconfig ++++ libc/Makeconfig +@@ -447,11 +447,12 @@ + $(common-objpfx)libc% $(+postinit),$^) \ + $(link-extra-libs) $(link-libc) $(+postctorS) $(+postinit) + endif +++link = $(+link-pie) + # Command for statically linking programs with the C library. + ifndef +link-static + +link-static = $(CC) -nostdlib -nostartfiles -static -o $@ \ + $(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \ +- $(addprefix $(csu-objpfx),$(static-start-installed-name)) \ ++ $(addprefix $(csu-objpfx),S$(static-start-installed-name)) \ + $(+preinit) $(+prector) \ + $(filter-out $(addprefix $(csu-objpfx),start.o \ + $(start-installed-name))\ +@@ -549,11 +550,10 @@ + ifeq ($(elf),yes) + +preinit = $(addprefix $(csu-objpfx),crti.o) + +postinit = $(addprefix $(csu-objpfx),crtn.o) +-+prector = `$(CC) --print-file-name=crtbegin.o` +-+postctor = `$(CC) --print-file-name=crtend.o` +-# Variants of the two previous definitions for linking PIE programs. + +prectorS = `$(CC) --print-file-name=crtbeginS.o` + +postctorS = `$(CC) --print-file-name=crtendS.o` +++prector = $(+prectorS) +++postctor = $(+postctorS) + +interp = $(addprefix $(elf-objpfx),interp.os) + endif + csu-objpfx = $(common-objpfx)csu/ diff --git a/sys-libs/glibc/files/2.12/glibc-2.12-hardened-pie.patch b/sys-libs/glibc/files/2.12/glibc-2.12-hardened-pie.patch new file mode 100644 index 0000000..3315171 --- /dev/null +++ b/sys-libs/glibc/files/2.12/glibc-2.12-hardened-pie.patch @@ -0,0 +1,39 @@ +2010-08-11 Magnus Granberg <[email protected]> + + #332331 + * Makeconfig (+link): Set to +link-pie. + (+link-static): Change $(static-start-installed-name) to + S$(static-start-installed-name). + (+prector): Set to +prectorS. + (+postctor): Set to +postctorS. + +--- libc/Makeconfig ++++ libc/Makeconfig +@@ -447,11 +447,12 @@ + $(common-objpfx)libc% $(+postinit),$^) \ + $(link-extra-libs) $(link-libc) $(+postctorS) $(+postinit) + endif +++link = $(+link-pie) + # Command for statically linking programs with the C library. + ifndef +link-static + +link-static = $(CC) -nostdlib -nostartfiles -static -o $@ \ + $(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \ +- $(addprefix $(csu-objpfx),$(static-start-installed-name)) \ ++ $(addprefix $(csu-objpfx),S$(static-start-installed-name)) \ + $(+preinit) $(+prector) \ + $(filter-out $(addprefix $(csu-objpfx),start.o \ + $(start-installed-name))\ +@@ -549,11 +550,10 @@ + ifeq ($(elf),yes) + +preinit = $(addprefix $(csu-objpfx),crti.o) + +postinit = $(addprefix $(csu-objpfx),crtn.o) +-+prector = `$(CC) $(sysdep-LDFLAGS) --print-file-name=crtbegin.o` +-+postctor = `$(CC) $(sysdep-LDFLAGS) --print-file-name=crtend.o` +-# Variants of the two previous definitions for linking PIE programs. + +prectorS = `$(CC) $(sysdep-LDFLAGS) --print-file-name=crtbeginS.o` + +postctorS = `$(CC) $(sysdep-LDFLAGS) --print-file-name=crtendS.o` +++prector = $(+prectorS) +++postctor = $(+postctorS) + +interp = $(addprefix $(elf-objpfx),interp.os) + endif + csu-objpfx = $(common-objpfx)csu/ diff --git a/sys-libs/glibc/glibc-2.10.1-r1.ebuild b/sys-libs/glibc/glibc-2.10.1-r1.ebuild new file mode 100644 index 0000000..75b7080 --- /dev/null +++ b/sys-libs/glibc/glibc-2.10.1-r1.ebuild @@ -0,0 +1,203 @@ +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/glibc-2.10.1-r1.ebuild,v 1.30 2014/03/14 09:11:35 vapier Exp $ + +inherit eutils versionator toolchain-funcs flag-o-matic gnuconfig multilib systemd unpacker multiprocessing + +DESCRIPTION="GNU libc6 (also called glibc2) C library" +HOMEPAGE="http://www.gnu.org/software/libc/libc.html"; + +LICENSE="LGPL-2.1+ BSD HPND inner-net" +KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86" +RESTRICT="strip" # strip ourself #46186 +EMULTILIB_PKG="true" + +# Configuration variables +if [[ ${PV} == *_p* ]] ; then +RELEASE_VER=${PV%_p*} +BRANCH_UPDATE="" +SNAP_VER=${PV#*_p} +LIBIDN_VER="" +else +RELEASE_VER=${PV} +BRANCH_UPDATE="" +SNAP_VER="" +LIBIDN_VER=${RELEASE_VER} +fi +PATCH_VER="7" # Gentoo patchset +PORTS_VER=${RELEASE_VER} # version of glibc ports addon +LT_VER="" # version of linuxthreads addon +NPTL_KERN_VER=${NPTL_KERN_VER:-"2.6.9"} # min kernel version nptl requires +#LT_KERN_VER=${LT_KERN_VER:-"2.4.1"} # min kernel version linuxthreads requires + +IUSE="debug gd hardened multilib selinux profile vanilla crosscompile_opts_headers-only ${LT_VER:+glibc-compat20 nptl linuxthreads}" +S=${WORKDIR}/glibc-${RELEASE_VER}${SNAP_VER:+-${SNAP_VER}} + +# Here's how the cross-compile logic breaks down ... +# CTARGET - machine that will target the binaries +# CHOST - machine that will host the binaries +# CBUILD - machine that will build the binaries +# If CTARGET != CHOST, it means you want a libc for cross-compiling. +# If CHOST != CBUILD, it means you want to cross-compile the libc. +# CBUILD = CHOST = CTARGET - native build/install +# CBUILD != (CHOST = CTARGET) - cross-compile a native build +# (CBUILD = CHOST) != CTARGET - libc for cross-compiler +# CBUILD != CHOST != CTARGET - cross-compile a libc for a cross-compiler +# For install paths: +# CHOST = CTARGET - install into / +# CHOST != CTARGET - install into /usr/CTARGET/ + +export CBUILD=${CBUILD:-${CHOST}} +export CTARGET=${CTARGET:-${CHOST}} +if [[ ${CTARGET} == ${CHOST} ]] ; then + if [[ ${CATEGORY} == cross-* ]] ; then + export CTARGET=${CATEGORY#cross-} + fi +fi + +[[ ${CTARGET} == hppa* ]] && NPTL_KERN_VER=${NPTL_KERN_VER/2.6.9/2.6.20} + +is_crosscompile() { + [[ ${CHOST} != ${CTARGET} ]] +} + +# Why SLOT 2.2 you ask yourself while sippin your tea ? +# Everyone knows 2.2 > 0, duh. +SLOT="2.2" + +# General: We need a new-enough binutils for as-needed +# arch: we need to make sure our binutils/gcc supports TLS +DEPEND=">=sys-devel/gcc-3.4.4 + arm? ( >=sys-devel/binutils-2.16.90 >=sys-devel/gcc-4.1.0 ) + ppc? ( >=sys-devel/gcc-4.1.0 ) + ppc64? ( >=sys-devel/gcc-4.1.0 ) + >=sys-devel/binutils-2.15.94 + ${LT_VER:+nptl? (} >=sys-kernel/linux-headers-${NPTL_KERN_VER} ${LT_VER:+)} + >=app-misc/pax-utils-0.1.10 + virtual/os-headers + !<sys-apps/sandbox-1.2.18.1-r2 + !<sys-apps/portage-2.1.2 + selinux? ( sys-libs/libselinux )" +RDEPEND="!sys-kernel/ps3-sources + selinux? ( sys-libs/libselinux )" + +if [[ ${CATEGORY} == cross-* ]] ; then + DEPEND="${DEPEND} !crosscompile_opts_headers-only? ( ${CATEGORY}/gcc )" + [[ ${CATEGORY} == *-linux* ]] && DEPEND="${DEPEND} ${CATEGORY}/linux-headers" +else + DEPEND="${DEPEND} >=sys-libs/timezone-data-2007c" + RDEPEND="${RDEPEND} sys-libs/timezone-data" +fi + +SRC_URI=$( + upstream_uris() { + echo mirror://gnu/glibc/$1 ftp://sourceware.org/pub/glibc/{releases,snapshots}/$1 mirror://gentoo/$1 + } + gentoo_uris() { + local devspace="HTTP~vapier/dist/URI HTTP~azarah/glibc/URI" + devspace=${devspace//HTTP/http://dev.gentoo.org/} + echo mirror://gentoo/$1 ${devspace//URI/$1} + } + + TARNAME=${PN} + if [[ -n ${SNAP_VER} ]] ; then + TARNAME="${PN}-${RELEASE_VER}" + [[ -n ${PORTS_VER} ]] && PORTS_VER=${SNAP_VER} + upstream_uris ${TARNAME}-${SNAP_VER}.tar.bz2 + else + upstream_uris ${TARNAME}-${RELEASE_VER}.tar.bz2 + fi + [[ -n ${LIBIDN_VER} ]] && upstream_uris glibc-libidn-${LIBIDN_VER}.tar.bz2 + [[ -n ${PORTS_VER} ]] && upstream_uris ${TARNAME}-ports-${PORTS_VER}.tar.bz2 + [[ -n ${LT_VER} ]] && upstream_uris ${TARNAME}-linuxthreads-${LT_VER}.tar.bz2 + [[ -n ${BRANCH_UPDATE} ]] && gentoo_uris glibc-${RELEASE_VER}-branch-update-${BRANCH_UPDATE}.patch.bz2 + [[ -n ${PATCH_VER} ]] && gentoo_uris glibc-${RELEASE_VER}-patches-${PATCH_VER}.tar.bz2 +) + +# eblit-include [--skip] <function> [version] +eblit-include() { + local skipable=false + [[ $1 == "--skip" ]] && skipable=true && shift + [[ $1 == pkg_* ]] && skipable=true + + local e v func=$1 ver=$2 + [[ -z ${func} ]] && die "Usage: eblit-include <function> [version]" + for v in ${ver:+-}${ver} -${PVR} -${PV} "" ; do + e="${FILESDIR}/eblits/${func}${v}.eblit" + if [[ -e ${e} ]] ; then + source "${e}" + return 0 + fi + done + ${skipable} && return 0 + die "Could not locate requested eblit '${func}' in ${FILESDIR}/eblits/" +} + +# eblit-run-maybe <function> +# run the specified function if it is defined +eblit-run-maybe() { + [[ $(type -t "$@") == "function" ]] && "$@" +} + +# eblit-run <function> [version] +# aka: src_unpack() { eblit-run src_unpack ; } +eblit-run() { + eblit-include --skip common "${*:2}" + eblit-include "$@" + eblit-run-maybe eblit-$1-pre + eblit-${PN}-$1 + eblit-run-maybe eblit-$1-post +} + +src_unpack() { eblit-run src_unpack ; } +src_compile() { eblit-run src_compile ; } +src_test() { eblit-run src_test ; } +src_install() { eblit-run src_install ; } + +# FILESDIR might not be available during binpkg install +for x in setup {pre,post}inst ; do + e="${FILESDIR}/eblits/pkg_${x}.eblit" + if [[ -e ${e} ]] ; then + . "${e}" + eval "pkg_${x}() { eblit-run pkg_${x} ; }" + fi +done + +eblit-src_unpack-post() { + if use hardened ; then + cd "${S}" + einfo "Patching to get working PIE binaries on PIE (hardened) platforms" + gcc-specs-pie && epatch "${FILESDIR}"/2.5/glibc-2.5-hardened-pie.patch + epatch "${FILESDIR}"/2.10/glibc-2.10-hardened-configure-picdefault.patch + epatch "${FILESDIR}"/2.10/glibc-2.10-hardened-inittls-nosysenter.patch + + einfo "Patching Glibc to support older SSP __guard" + epatch "${FILESDIR}"/2.10/glibc-2.10-hardened-ssp-compat.patch + + einfo "Installing Hardened Gentoo SSP and FORTIFY_SOURCE handler" + cp -f "${FILESDIR}"/2.6/glibc-2.6-gentoo-stack_chk_fail.c \ + debug/stack_chk_fail.c || die + cp -f "${FILESDIR}"/2.10/glibc-2.10-gentoo-chk_fail.c \ + debug/chk_fail.c || die + + if use debug ; then + # When using Hardened Gentoo stack handler, have smashes dump core for + # analysis - debug only, as core could be an information leak + # (paranoia). + sed -i \ + -e '/^CFLAGS-backtrace.c/ iCFLAGS-stack_chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \ + debug/Makefile \ + || die "Failed to modify debug/Makefile for debug stack handler" + sed -i \ + -e '/^CFLAGS-backtrace.c/ iCFLAGS-chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \ + debug/Makefile \ + || die "Failed to modify debug/Makefile for debug fortify handler" + fi + + # Build nscd with ssp-all + sed -i \ + -e 's:-fstack-protector$:-fstack-protector-all:' \ + nscd/Makefile \ + || die "Failed to ensure nscd builds with ssp-all" + fi +} diff --git a/sys-libs/glibc/glibc-2.11.3.ebuild b/sys-libs/glibc/glibc-2.11.3.ebuild new file mode 100644 index 0000000..21fe3b6 --- /dev/null +++ b/sys-libs/glibc/glibc-2.11.3.ebuild @@ -0,0 +1,206 @@ +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/glibc-2.11.3.ebuild,v 1.22 2014/03/14 09:11:35 vapier Exp $ + +inherit eutils versionator toolchain-funcs flag-o-matic gnuconfig multilib systemd unpacker multiprocessing + +DESCRIPTION="GNU libc6 (also called glibc2) C library" +HOMEPAGE="http://www.gnu.org/software/libc/libc.html"; + +LICENSE="LGPL-2.1+ BSD HPND inner-net" +KEYWORDS="alpha amd64 arm hppa ia64 ~mips ppc ppc64 ~s390 sh sparc x86" +RESTRICT="strip" # strip ourself #46186 +EMULTILIB_PKG="true" + +# Configuration variables +if [[ ${PV} == *_p* ]] ; then +RELEASE_VER=${PV%_p*} +BRANCH_UPDATE="" +SNAP_VER=${PV#*_p} +else +RELEASE_VER=${PV} +BRANCH_UPDATE="" +SNAP_VER="" +fi +LIBIDN_VER="" # it's integrated into the main tarball now +PATCH_VER="3" # Gentoo patchset +PORTS_VER=${RELEASE_VER%.?} # version of glibc ports addon +LT_VER="" # version of linuxthreads addon +NPTL_KERN_VER=${NPTL_KERN_VER:-"2.6.9"} # min kernel version nptl requires +#LT_KERN_VER=${LT_KERN_VER:-"2.4.1"} # min kernel version linuxthreads requires + +IUSE="debug gd hardened multilib selinux profile vanilla crosscompile_opts_headers-only ${LT_VER:+glibc-compat20 nptl linuxthreads}" +S=${WORKDIR}/glibc-${RELEASE_VER}${SNAP_VER:+-${SNAP_VER}} + +# Here's how the cross-compile logic breaks down ... +# CTARGET - machine that will target the binaries +# CHOST - machine that will host the binaries +# CBUILD - machine that will build the binaries +# If CTARGET != CHOST, it means you want a libc for cross-compiling. +# If CHOST != CBUILD, it means you want to cross-compile the libc. +# CBUILD = CHOST = CTARGET - native build/install +# CBUILD != (CHOST = CTARGET) - cross-compile a native build +# (CBUILD = CHOST) != CTARGET - libc for cross-compiler +# CBUILD != CHOST != CTARGET - cross-compile a libc for a cross-compiler +# For install paths: +# CHOST = CTARGET - install into / +# CHOST != CTARGET - install into /usr/CTARGET/ + +export CBUILD=${CBUILD:-${CHOST}} +export CTARGET=${CTARGET:-${CHOST}} +if [[ ${CTARGET} == ${CHOST} ]] ; then + if [[ ${CATEGORY} == cross-* ]] ; then + export CTARGET=${CATEGORY#cross-} + fi +fi + +[[ ${CTARGET} == hppa* ]] && NPTL_KERN_VER=${NPTL_KERN_VER/2.6.9/2.6.20} + +is_crosscompile() { + [[ ${CHOST} != ${CTARGET} ]] +} + +# Why SLOT 2.2 you ask yourself while sippin your tea ? +# Everyone knows 2.2 > 0, duh. +SLOT="2.2" + +# General: We need a new-enough binutils for as-needed +# arch: we need to make sure our binutils/gcc supports TLS +DEPEND=">=sys-devel/gcc-3.4.4 + arm? ( >=sys-devel/binutils-2.16.90 >=sys-devel/gcc-4.1.0 ) + x86? ( >=sys-devel/gcc-4.3 ) + amd64? ( >=sys-devel/binutils-2.19 >=sys-devel/gcc-4.3 ) + ppc? ( >=sys-devel/gcc-4.1.0 ) + ppc64? ( >=sys-devel/gcc-4.1.0 ) + >=sys-devel/binutils-2.15.94 + ${LT_VER:+nptl? (} >=sys-kernel/linux-headers-${NPTL_KERN_VER} ${LT_VER:+)} + >=app-misc/pax-utils-0.1.10 + virtual/os-headers + !<sys-apps/sandbox-1.2.18.1-r2 + !<sys-apps/portage-2.1.2 + selinux? ( sys-libs/libselinux )" +RDEPEND="!sys-kernel/ps3-sources + selinux? ( sys-libs/libselinux )" + +if [[ ${CATEGORY} == cross-* ]] ; then + DEPEND="${DEPEND} !crosscompile_opts_headers-only? ( ${CATEGORY}/gcc )" + [[ ${CATEGORY} == *-linux* ]] && DEPEND="${DEPEND} ${CATEGORY}/linux-headers" +else + DEPEND="${DEPEND} !vanilla? ( >=sys-libs/timezone-data-2007c )" + RDEPEND="${RDEPEND} + vanilla? ( !sys-libs/timezone-data ) + !vanilla? ( sys-libs/timezone-data )" +fi + +SRC_URI=$( + upstream_uris() { + echo mirror://gnu/glibc/$1 ftp://sourceware.org/pub/glibc/{releases,snapshots}/$1 mirror://gentoo/$1 + } + gentoo_uris() { + local devspace="HTTP~vapier/dist/URI HTTP~azarah/glibc/URI" + devspace=${devspace//HTTP/http://dev.gentoo.org/} + echo mirror://gentoo/$1 ${devspace//URI/$1} + } + + TARNAME=${PN} + if [[ -n ${SNAP_VER} ]] ; then + TARNAME="${PN}-${RELEASE_VER}" + [[ -n ${PORTS_VER} ]] && PORTS_VER=${SNAP_VER} + upstream_uris ${TARNAME}-${SNAP_VER}.tar.bz2 + else + upstream_uris ${TARNAME}-${RELEASE_VER}.tar.bz2 + fi + [[ -n ${LIBIDN_VER} ]] && upstream_uris glibc-libidn-${LIBIDN_VER}.tar.bz2 + [[ -n ${PORTS_VER} ]] && upstream_uris ${TARNAME}-ports-${PORTS_VER}.tar.bz2 + [[ -n ${LT_VER} ]] && upstream_uris ${TARNAME}-linuxthreads-${LT_VER}.tar.bz2 + [[ -n ${BRANCH_UPDATE} ]] && gentoo_uris glibc-${RELEASE_VER}-branch-update-${BRANCH_UPDATE}.patch.bz2 + [[ -n ${PATCH_VER} ]] && gentoo_uris glibc-${RELEASE_VER}-patches-${PATCH_VER}.tar.bz2 +) + +# eblit-include [--skip] <function> [version] +eblit-include() { + local skipable=false + [[ $1 == "--skip" ]] && skipable=true && shift + [[ $1 == pkg_* ]] && skipable=true + + local e v func=$1 ver=$2 + [[ -z ${func} ]] && die "Usage: eblit-include <function> [version]" + for v in ${ver:+-}${ver} -${PVR} -${PV} "" ; do + e="${FILESDIR}/eblits/${func}${v}.eblit" + if [[ -e ${e} ]] ; then + source "${e}" + return 0 + fi + done + ${skipable} && return 0 + die "Could not locate requested eblit '${func}' in ${FILESDIR}/eblits/" +} + +# eblit-run-maybe <function> +# run the specified function if it is defined +eblit-run-maybe() { + [[ $(type -t "$@") == "function" ]] && "$@" +} + +# eblit-run <function> [version] +# aka: src_unpack() { eblit-run src_unpack ; } +eblit-run() { + eblit-include --skip common "${*:2}" + eblit-include "$@" + eblit-run-maybe eblit-$1-pre + eblit-${PN}-$1 + eblit-run-maybe eblit-$1-post +} + +src_unpack() { eblit-run src_unpack ; } +src_compile() { eblit-run src_compile ; } +src_test() { eblit-run src_test ; } +src_install() { eblit-run src_install ; } + +# FILESDIR might not be available during binpkg install +for x in setup {pre,post}inst ; do + e="${FILESDIR}/eblits/pkg_${x}.eblit" + if [[ -e ${e} ]] ; then + . "${e}" + eval "pkg_${x}() { eblit-run pkg_${x} ; }" + fi +done + +eblit-src_unpack-post() { + if use hardened ; then + cd "${S}" + einfo "Patching to get working PIE binaries on PIE (hardened) platforms" + gcc-specs-pie && epatch "${FILESDIR}"/2.11/glibc-2.11-hardened-pie.patch + epatch "${FILESDIR}"/2.10/glibc-2.10-hardened-configure-picdefault.patch + epatch "${FILESDIR}"/2.10/glibc-2.10-hardened-inittls-nosysenter.patch + + einfo "Patching Glibc to support older SSP __guard" + epatch "${FILESDIR}"/2.10/glibc-2.10-hardened-ssp-compat.patch + + einfo "Installing Hardened Gentoo SSP and FORTIFY_SOURCE handler" + cp -f "${FILESDIR}"/2.6/glibc-2.6-gentoo-stack_chk_fail.c \ + debug/stack_chk_fail.c || die + cp -f "${FILESDIR}"/2.10/glibc-2.10-gentoo-chk_fail.c \ + debug/chk_fail.c || die + + if use debug ; then + # When using Hardened Gentoo stack handler, have smashes dump core for + # analysis - debug only, as core could be an information leak + # (paranoia). + sed -i \ + -e '/^CFLAGS-backtrace.c/ iCFLAGS-stack_chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \ + debug/Makefile \ + || die "Failed to modify debug/Makefile for debug stack handler" + sed -i \ + -e '/^CFLAGS-backtrace.c/ iCFLAGS-chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \ + debug/Makefile \ + || die "Failed to modify debug/Makefile for debug fortify handler" + fi + + # Build nscd with ssp-all + sed -i \ + -e 's:-fstack-protector$:-fstack-protector-all:' \ + nscd/Makefile \ + || die "Failed to ensure nscd builds with ssp-all" + fi +} diff --git a/sys-libs/glibc/glibc-2.12.1-r3.ebuild b/sys-libs/glibc/glibc-2.12.1-r3.ebuild new file mode 100644 index 0000000..366ce7c --- /dev/null +++ b/sys-libs/glibc/glibc-2.12.1-r3.ebuild @@ -0,0 +1,220 @@ +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/glibc-2.12.1-r3.ebuild,v 1.19 2014/03/14 09:11:35 vapier Exp $ + +inherit eutils versionator toolchain-funcs flag-o-matic gnuconfig multilib systemd unpacker multiprocessing + +DESCRIPTION="GNU libc6 (also called glibc2) C library" +HOMEPAGE="http://www.gnu.org/software/libc/libc.html"; + +LICENSE="LGPL-2.1+ BSD HPND inner-net" +KEYWORDS="~amd64 ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86" +RESTRICT="strip" # strip ourself #46186 +EMULTILIB_PKG="true" + +# Configuration variables +if [[ ${PV} == *_p* ]] ; then +RELEASE_VER=${PV%_p*} +BRANCH_UPDATE="" +SNAP_VER=${PV#*_p} +else +RELEASE_VER=${PV} +BRANCH_UPDATE="" +SNAP_VER="" +fi +LIBIDN_VER="" # it's integrated into the main tarball now +PATCH_VER="8" # Gentoo patchset +PORTS_VER=${RELEASE_VER} # version of glibc ports addon +LT_VER="" # version of linuxthreads addon +NPTL_KERN_VER=${NPTL_KERN_VER:-"2.6.9"} # min kernel version nptl requires +#LT_KERN_VER=${LT_KERN_VER:-"2.4.1"} # min kernel version linuxthreads requires + +IUSE="debug gd hardened multilib selinux profile vanilla crosscompile_opts_headers-only ${LT_VER:+glibc-compat20 nptl linuxthreads}" +S=${WORKDIR}/glibc-${RELEASE_VER}${SNAP_VER:+-${SNAP_VER}} + +# Here's how the cross-compile logic breaks down ... +# CTARGET - machine that will target the binaries +# CHOST - machine that will host the binaries +# CBUILD - machine that will build the binaries +# If CTARGET != CHOST, it means you want a libc for cross-compiling. +# If CHOST != CBUILD, it means you want to cross-compile the libc. +# CBUILD = CHOST = CTARGET - native build/install +# CBUILD != (CHOST = CTARGET) - cross-compile a native build +# (CBUILD = CHOST) != CTARGET - libc for cross-compiler +# CBUILD != CHOST != CTARGET - cross-compile a libc for a cross-compiler +# For install paths: +# CHOST = CTARGET - install into / +# CHOST != CTARGET - install into /usr/CTARGET/ + +export CBUILD=${CBUILD:-${CHOST}} +export CTARGET=${CTARGET:-${CHOST}} +if [[ ${CTARGET} == ${CHOST} ]] ; then + if [[ ${CATEGORY} == cross-* ]] ; then + export CTARGET=${CATEGORY#cross-} + fi +fi + +[[ ${CTARGET} == hppa* ]] && NPTL_KERN_VER=${NPTL_KERN_VER/2.6.9/2.6.20} + +is_crosscompile() { + [[ ${CHOST} != ${CTARGET} ]] +} + +# Why SLOT 2.2 you ask yourself while sippin your tea ? +# Everyone knows 2.2 > 0, duh. +SLOT="2.2" + +# General: We need a new-enough binutils for as-needed +# arch: we need to make sure our binutils/gcc supports TLS +DEPEND=">=sys-devel/gcc-3.4.4 + arm? ( >=sys-devel/binutils-2.16.90 >=sys-devel/gcc-4.1.0 ) + x86? ( >=sys-devel/gcc-4.3 ) + amd64? ( >=sys-devel/binutils-2.19 >=sys-devel/gcc-4.3 ) + ppc? ( >=sys-devel/gcc-4.1.0 ) + ppc64? ( >=sys-devel/gcc-4.1.0 ) + >=sys-devel/binutils-2.15.94 + ${LT_VER:+nptl? (} >=sys-kernel/linux-headers-${NPTL_KERN_VER} ${LT_VER:+)} + >=app-misc/pax-utils-0.1.10 + virtual/os-headers + !<sys-apps/sandbox-1.2.18.1-r2 + !<sys-apps/portage-2.1.2 + selinux? ( sys-libs/libselinux )" +RDEPEND="!sys-kernel/ps3-sources + selinux? ( sys-libs/libselinux )" + +if [[ ${CATEGORY} == cross-* ]] ; then + DEPEND="${DEPEND} !crosscompile_opts_headers-only? ( ${CATEGORY}/gcc )" + [[ ${CATEGORY} == *-linux* ]] && DEPEND="${DEPEND} ${CATEGORY}/linux-headers" +else + DEPEND="${DEPEND} !vanilla? ( >=sys-libs/timezone-data-2007c )" + RDEPEND="${RDEPEND} + vanilla? ( !sys-libs/timezone-data ) + !vanilla? ( sys-libs/timezone-data )" +fi + +SRC_URI=$( + upstream_uris() { + echo mirror://gnu/glibc/$1 ftp://sourceware.org/pub/glibc/{releases,snapshots}/$1 mirror://gentoo/$1 + } + gentoo_uris() { + local devspace="HTTP~vapier/dist/URI HTTP~azarah/glibc/URI" + devspace=${devspace//HTTP/http://dev.gentoo.org/} + echo mirror://gentoo/$1 ${devspace//URI/$1} + } + + TARNAME=${PN} + if [[ -n ${SNAP_VER} ]] ; then + TARNAME="${PN}-${RELEASE_VER}" + [[ -n ${PORTS_VER} ]] && PORTS_VER=${SNAP_VER} + upstream_uris ${TARNAME}-${SNAP_VER}.tar.bz2 + else + upstream_uris ${TARNAME}-${RELEASE_VER}.tar.bz2 + fi + [[ -n ${LIBIDN_VER} ]] && upstream_uris glibc-libidn-${LIBIDN_VER}.tar.bz2 + [[ -n ${PORTS_VER} ]] && upstream_uris ${TARNAME}-ports-${PORTS_VER}.tar.bz2 + [[ -n ${LT_VER} ]] && upstream_uris ${TARNAME}-linuxthreads-${LT_VER}.tar.bz2 + [[ -n ${BRANCH_UPDATE} ]] && gentoo_uris glibc-${RELEASE_VER}-branch-update-${BRANCH_UPDATE}.patch.bz2 + [[ -n ${PATCH_VER} ]] && gentoo_uris glibc-${RELEASE_VER}-patches-${PATCH_VER}.tar.bz2 +) + +# eblit-include [--skip] <function> [version] +eblit-include() { + local skipable=false + [[ $1 == "--skip" ]] && skipable=true && shift + [[ $1 == pkg_* ]] && skipable=true + + local e v func=$1 ver=$2 + [[ -z ${func} ]] && die "Usage: eblit-include <function> [version]" + for v in ${ver:+-}${ver} -${PVR} -${PV} "" ; do + e="${FILESDIR}/eblits/${func}${v}.eblit" + if [[ -e ${e} ]] ; then + source "${e}" + return 0 + fi + done + ${skipable} && return 0 + die "Could not locate requested eblit '${func}' in ${FILESDIR}/eblits/" +} + +# eblit-run-maybe <function> +# run the specified function if it is defined +eblit-run-maybe() { + [[ $(type -t "$@") == "function" ]] && "$@" +} + +# eblit-run <function> [version] +# aka: src_unpack() { eblit-run src_unpack ; } +eblit-run() { + eblit-include --skip common "${*:2}" + eblit-include "$@" + eblit-run-maybe eblit-$1-pre + eblit-${PN}-$1 + eblit-run-maybe eblit-$1-post +} + +src_unpack() { eblit-run src_unpack ; } +src_compile() { eblit-run src_compile ; } +src_test() { eblit-run src_test ; } +src_install() { eblit-run src_install ; } + +# FILESDIR might not be available during binpkg install +for x in setup {pre,post}inst ; do + e="${FILESDIR}/eblits/pkg_${x}.eblit" + if [[ -e ${e} ]] ; then + . "${e}" + eval "pkg_${x}() { eblit-run pkg_${x} ; }" + fi +done + +pkg_setup() { + eblit-run pkg_setup + + # Static binary sanity check #332927 + if [[ ${ROOT} == "/" ]] && \ + has_version "<${CATEGORY}/${P}" && \ + built_with_use sys-apps/coreutils static + then + eerror "Please rebuild coreutils with USE=-static, then install" + eerror "glibc, then you may rebuild coreutils with USE=static." + die "Avoiding system meltdown #332927" + fi +} + +eblit-src_unpack-post() { + if use hardened ; then + cd "${S}" + einfo "Patching to get working PIE binaries on PIE (hardened) platforms" + gcc-specs-pie && epatch "${FILESDIR}"/2.12/glibc-2.12-hardened-pie.patch + epatch "${FILESDIR}"/2.10/glibc-2.10-hardened-configure-picdefault.patch + epatch "${FILESDIR}"/2.10/glibc-2.10-hardened-inittls-nosysenter.patch + + einfo "Patching Glibc to support older SSP __guard" + epatch "${FILESDIR}"/2.10/glibc-2.10-hardened-ssp-compat.patch + + einfo "Installing Hardened Gentoo SSP and FORTIFY_SOURCE handler" + cp -f "${FILESDIR}"/2.6/glibc-2.6-gentoo-stack_chk_fail.c \ + debug/stack_chk_fail.c || die + cp -f "${FILESDIR}"/2.10/glibc-2.10-gentoo-chk_fail.c \ + debug/chk_fail.c || die + + if use debug ; then + # When using Hardened Gentoo stack handler, have smashes dump core for + # analysis - debug only, as core could be an information leak + # (paranoia). + sed -i \ + -e '/^CFLAGS-backtrace.c/ iCFLAGS-stack_chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \ + debug/Makefile \ + || die "Failed to modify debug/Makefile for debug stack handler" + sed -i \ + -e '/^CFLAGS-backtrace.c/ iCFLAGS-chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \ + debug/Makefile \ + || die "Failed to modify debug/Makefile for debug fortify handler" + fi + + # Build nscd with ssp-all + sed -i \ + -e 's:-fstack-protector$:-fstack-protector-all:' \ + nscd/Makefile \ + || die "Failed to ensure nscd builds with ssp-all" + fi +} diff --git a/sys-libs/glibc/glibc-2.12.2.ebuild b/sys-libs/glibc/glibc-2.12.2.ebuild new file mode 100644 index 0000000..6f00618 --- /dev/null +++ b/sys-libs/glibc/glibc-2.12.2.ebuild @@ -0,0 +1,220 @@ +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/glibc-2.12.2.ebuild,v 1.25 2014/03/14 09:11:35 vapier Exp $ + +inherit eutils versionator toolchain-funcs flag-o-matic gnuconfig multilib systemd unpacker multiprocessing + +DESCRIPTION="GNU libc6 (also called glibc2) C library" +HOMEPAGE="http://www.gnu.org/software/libc/libc.html"; + +LICENSE="LGPL-2.1+ BSD HPND inner-net" +KEYWORDS="amd64 arm hppa ia64 ~mips ppc ppc64 s390 ~sh sparc x86" +RESTRICT="strip" # strip ourself #46186 +EMULTILIB_PKG="true" + +# Configuration variables +if [[ ${PV} == *_p* ]] ; then +RELEASE_VER=${PV%_p*} +BRANCH_UPDATE="" +SNAP_VER=${PV#*_p} +else +RELEASE_VER=${PV} +BRANCH_UPDATE="" +SNAP_VER="" +fi +LIBIDN_VER="" # it's integrated into the main tarball now +PATCH_VER="4" # Gentoo patchset +PORTS_VER="2.12.1" # version of glibc ports addon +LT_VER="" # version of linuxthreads addon +NPTL_KERN_VER=${NPTL_KERN_VER:-"2.6.9"} # min kernel version nptl requires +#LT_KERN_VER=${LT_KERN_VER:-"2.4.1"} # min kernel version linuxthreads requires + +IUSE="debug gd hardened multilib selinux profile vanilla crosscompile_opts_headers-only ${LT_VER:+glibc-compat20 nptl linuxthreads}" +S=${WORKDIR}/glibc-${RELEASE_VER}${SNAP_VER:+-${SNAP_VER}} + +# Here's how the cross-compile logic breaks down ... +# CTARGET - machine that will target the binaries +# CHOST - machine that will host the binaries +# CBUILD - machine that will build the binaries +# If CTARGET != CHOST, it means you want a libc for cross-compiling. +# If CHOST != CBUILD, it means you want to cross-compile the libc. +# CBUILD = CHOST = CTARGET - native build/install +# CBUILD != (CHOST = CTARGET) - cross-compile a native build +# (CBUILD = CHOST) != CTARGET - libc for cross-compiler +# CBUILD != CHOST != CTARGET - cross-compile a libc for a cross-compiler +# For install paths: +# CHOST = CTARGET - install into / +# CHOST != CTARGET - install into /usr/CTARGET/ + +export CBUILD=${CBUILD:-${CHOST}} +export CTARGET=${CTARGET:-${CHOST}} +if [[ ${CTARGET} == ${CHOST} ]] ; then + if [[ ${CATEGORY} == cross-* ]] ; then + export CTARGET=${CATEGORY#cross-} + fi +fi + +[[ ${CTARGET} == hppa* ]] && NPTL_KERN_VER=${NPTL_KERN_VER/2.6.9/2.6.20} + +is_crosscompile() { + [[ ${CHOST} != ${CTARGET} ]] +} + +# Why SLOT 2.2 you ask yourself while sippin your tea ? +# Everyone knows 2.2 > 0, duh. +SLOT="2.2" + +# General: We need a new-enough binutils for as-needed +# arch: we need to make sure our binutils/gcc supports TLS +DEPEND=">=sys-devel/gcc-3.4.4 + arm? ( >=sys-devel/binutils-2.16.90 >=sys-devel/gcc-4.1.0 ) + x86? ( >=sys-devel/gcc-4.3 ) + amd64? ( >=sys-devel/binutils-2.19 >=sys-devel/gcc-4.3 ) + ppc? ( >=sys-devel/gcc-4.1.0 ) + ppc64? ( >=sys-devel/gcc-4.1.0 ) + >=sys-devel/binutils-2.15.94 + ${LT_VER:+nptl? (} >=sys-kernel/linux-headers-${NPTL_KERN_VER} ${LT_VER:+)} + >=app-misc/pax-utils-0.1.10 + virtual/os-headers + !<sys-apps/sandbox-1.2.18.1-r2 + !<sys-apps/portage-2.1.2 + selinux? ( sys-libs/libselinux )" +RDEPEND="!sys-kernel/ps3-sources + selinux? ( sys-libs/libselinux )" + +if [[ ${CATEGORY} == cross-* ]] ; then + DEPEND="${DEPEND} !crosscompile_opts_headers-only? ( ${CATEGORY}/gcc )" + [[ ${CATEGORY} == *-linux* ]] && DEPEND="${DEPEND} ${CATEGORY}/linux-headers" +else + DEPEND="${DEPEND} !vanilla? ( >=sys-libs/timezone-data-2007c )" + RDEPEND="${RDEPEND} + vanilla? ( !sys-libs/timezone-data ) + !vanilla? ( sys-libs/timezone-data )" +fi + +SRC_URI=$( + upstream_uris() { + echo mirror://gnu/glibc/$1 ftp://sourceware.org/pub/glibc/{releases,snapshots}/$1 mirror://gentoo/$1 + } + gentoo_uris() { + local devspace="HTTP~vapier/dist/URI HTTP~azarah/glibc/URI" + devspace=${devspace//HTTP/http://dev.gentoo.org/} + echo mirror://gentoo/$1 ${devspace//URI/$1} + } + + TARNAME=${PN} + if [[ -n ${SNAP_VER} ]] ; then + TARNAME="${PN}-${RELEASE_VER}" + [[ -n ${PORTS_VER} ]] && PORTS_VER=${SNAP_VER} + upstream_uris ${TARNAME}-${SNAP_VER}.tar.bz2 + else + upstream_uris ${TARNAME}-${RELEASE_VER}.tar.bz2 + fi + [[ -n ${LIBIDN_VER} ]] && upstream_uris glibc-libidn-${LIBIDN_VER}.tar.bz2 + [[ -n ${PORTS_VER} ]] && upstream_uris ${TARNAME}-ports-${PORTS_VER}.tar.bz2 + [[ -n ${LT_VER} ]] && upstream_uris ${TARNAME}-linuxthreads-${LT_VER}.tar.bz2 + [[ -n ${BRANCH_UPDATE} ]] && gentoo_uris glibc-${RELEASE_VER}-branch-update-${BRANCH_UPDATE}.patch.bz2 + [[ -n ${PATCH_VER} ]] && gentoo_uris glibc-${RELEASE_VER}-patches-${PATCH_VER}.tar.bz2 +) + +# eblit-include [--skip] <function> [version] +eblit-include() { + local skipable=false + [[ $1 == "--skip" ]] && skipable=true && shift + [[ $1 == pkg_* ]] && skipable=true + + local e v func=$1 ver=$2 + [[ -z ${func} ]] && die "Usage: eblit-include <function> [version]" + for v in ${ver:+-}${ver} -${PVR} -${PV} "" ; do + e="${FILESDIR}/eblits/${func}${v}.eblit" + if [[ -e ${e} ]] ; then + source "${e}" + return 0 + fi + done + ${skipable} && return 0 + die "Could not locate requested eblit '${func}' in ${FILESDIR}/eblits/" +} + +# eblit-run-maybe <function> +# run the specified function if it is defined +eblit-run-maybe() { + [[ $(type -t "$@") == "function" ]] && "$@" +} + +# eblit-run <function> [version] +# aka: src_unpack() { eblit-run src_unpack ; } +eblit-run() { + eblit-include --skip common "${*:2}" + eblit-include "$@" + eblit-run-maybe eblit-$1-pre + eblit-${PN}-$1 + eblit-run-maybe eblit-$1-post +} + +src_unpack() { eblit-run src_unpack ; } +src_compile() { eblit-run src_compile ; } +src_test() { eblit-run src_test ; } +src_install() { eblit-run src_install ; } + +# FILESDIR might not be available during binpkg install +for x in setup {pre,post}inst ; do + e="${FILESDIR}/eblits/pkg_${x}.eblit" + if [[ -e ${e} ]] ; then + . "${e}" + eval "pkg_${x}() { eblit-run pkg_${x} ; }" + fi +done + +pkg_setup() { + eblit-run pkg_setup + + # Static binary sanity check #332927 + if [[ ${ROOT} == "/" ]] && \ + has_version "<${CATEGORY}/${P}" && \ + built_with_use sys-apps/coreutils static + then + eerror "Please rebuild coreutils with USE=-static, then install" + eerror "glibc, then you may rebuild coreutils with USE=static." + die "Avoiding system meltdown #332927" + fi +} + +eblit-src_unpack-post() { + if use hardened ; then + cd "${S}" + einfo "Patching to get working PIE binaries on PIE (hardened) platforms" + gcc-specs-pie && epatch "${FILESDIR}"/2.12/glibc-2.12-hardened-pie.patch + epatch "${FILESDIR}"/2.10/glibc-2.10-hardened-configure-picdefault.patch + epatch "${FILESDIR}"/2.10/glibc-2.10-hardened-inittls-nosysenter.patch + + einfo "Patching Glibc to support older SSP __guard" + epatch "${FILESDIR}"/2.10/glibc-2.10-hardened-ssp-compat.patch + + einfo "Installing Hardened Gentoo SSP and FORTIFY_SOURCE handler" + cp -f "${FILESDIR}"/2.6/glibc-2.6-gentoo-stack_chk_fail.c \ + debug/stack_chk_fail.c || die + cp -f "${FILESDIR}"/2.10/glibc-2.10-gentoo-chk_fail.c \ + debug/chk_fail.c || die + + if use debug ; then + # When using Hardened Gentoo stack handler, have smashes dump core for + # analysis - debug only, as core could be an information leak + # (paranoia). + sed -i \ + -e '/^CFLAGS-backtrace.c/ iCFLAGS-stack_chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \ + debug/Makefile \ + || die "Failed to modify debug/Makefile for debug stack handler" + sed -i \ + -e '/^CFLAGS-backtrace.c/ iCFLAGS-chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \ + debug/Makefile \ + || die "Failed to modify debug/Makefile for debug fortify handler" + fi + + # Build nscd with ssp-all + sed -i \ + -e 's:-fstack-protector$:-fstack-protector-all:' \ + nscd/Makefile \ + || die "Failed to ensure nscd builds with ssp-all" + fi +} diff --git a/sys-libs/glibc/glibc-2.14.ebuild b/sys-libs/glibc/glibc-2.14.ebuild new file mode 100644 index 0000000..cf6a1b6 --- /dev/null +++ b/sys-libs/glibc/glibc-2.14.ebuild @@ -0,0 +1,242 @@ +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/glibc-2.14.ebuild,v 1.25 2014/03/14 09:11:35 vapier Exp $ + +inherit eutils versionator toolchain-funcs flag-o-matic gnuconfig multilib systemd unpacker multiprocessing + +DESCRIPTION="GNU libc6 (also called glibc2) C library" +HOMEPAGE="http://www.gnu.org/software/libc/libc.html"; + +LICENSE="LGPL-2.1+ BSD HPND inner-net" +KEYWORDS="~amd64 ~ia64 ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86" +RESTRICT="strip" # strip ourself #46186 +EMULTILIB_PKG="true" + +# Configuration variables +RELEASE_VER="" +BRANCH_UPDATE="" +SNAP_VER="" +case ${PV} in +9999*) + EGIT_REPO_URIS=( "git://sourceware.org/git/glibc.git" "git://sourceware.org/git/glibc-ports.git" ) + EGIT_SOURCEDIRS=( "${S}" "${S}/ports" ) + inherit git-2 + ;; +*_p*) + RELEASE_VER=${PV%_p*} + SNAP_VER=${PV#*_p} + ;; +*) + RELEASE_VER=${PV} + ;; +esac +LIBIDN_VER="" # it's integrated into the main tarball now +PATCH_VER="7" # Gentoo patchset +PORTS_VER=${RELEASE_VER} # version of glibc ports addon +LT_VER="" # version of linuxthreads addon +NPTL_KERN_VER=${NPTL_KERN_VER:-"2.6.9"} # min kernel version nptl requires +#LT_KERN_VER=${LT_KERN_VER:-"2.4.1"} # min kernel version linuxthreads requires + +IUSE="debug gd hardened multilib selinux profile vanilla crosscompile_opts_headers-only ${LT_VER:+glibc-compat20 nptl linuxthreads}" +[[ -n ${RELEASE_VER} ]] && S=${WORKDIR}/glibc-${RELEASE_VER}${SNAP_VER:+-${SNAP_VER}} + +# Here's how the cross-compile logic breaks down ... +# CTARGET - machine that will target the binaries +# CHOST - machine that will host the binaries +# CBUILD - machine that will build the binaries +# If CTARGET != CHOST, it means you want a libc for cross-compiling. +# If CHOST != CBUILD, it means you want to cross-compile the libc. +# CBUILD = CHOST = CTARGET - native build/install +# CBUILD != (CHOST = CTARGET) - cross-compile a native build +# (CBUILD = CHOST) != CTARGET - libc for cross-compiler +# CBUILD != CHOST != CTARGET - cross-compile a libc for a cross-compiler +# For install paths: +# CHOST = CTARGET - install into / +# CHOST != CTARGET - install into /usr/CTARGET/ + +export CBUILD=${CBUILD:-${CHOST}} +export CTARGET=${CTARGET:-${CHOST}} +if [[ ${CTARGET} == ${CHOST} ]] ; then + if [[ ${CATEGORY} == cross-* ]] ; then + export CTARGET=${CATEGORY#cross-} + fi +fi + +[[ ${CTARGET} == hppa* ]] && NPTL_KERN_VER=${NPTL_KERN_VER/2.6.9/2.6.20} + +is_crosscompile() { + [[ ${CHOST} != ${CTARGET} ]] +} + +# Why SLOT 2.2 you ask yourself while sippin your tea ? +# Everyone knows 2.2 > 0, duh. +SLOT="2.2" + +# General: We need a new-enough binutils for as-needed +# arch: we need to make sure our binutils/gcc supports TLS +DEPEND=">=sys-devel/gcc-3.4.4 + arm? ( >=sys-devel/binutils-2.16.90 >=sys-devel/gcc-4.1.0 ) + x86? ( >=sys-devel/gcc-4.3 ) + amd64? ( >=sys-devel/binutils-2.19 >=sys-devel/gcc-4.3 ) + ppc? ( >=sys-devel/gcc-4.1.0 ) + ppc64? ( >=sys-devel/gcc-4.1.0 ) + >=sys-devel/binutils-2.15.94 + ${LT_VER:+nptl? (} >=sys-kernel/linux-headers-${NPTL_KERN_VER} ${LT_VER:+)} + >=app-misc/pax-utils-0.1.10 + virtual/os-headers + !<sys-apps/sandbox-1.2.18.1-r2 + !<sys-apps/portage-2.1.2 + !<sys-devel/patch-2.6 + selinux? ( sys-libs/libselinux )" +RDEPEND="!sys-kernel/ps3-sources + selinux? ( sys-libs/libselinux )" + +if [[ ${CATEGORY} == cross-* ]] ; then + DEPEND="${DEPEND} !crosscompile_opts_headers-only? ( ${CATEGORY}/gcc )" + [[ ${CATEGORY} == *-linux* ]] && DEPEND="${DEPEND} ${CATEGORY}/linux-headers" +else + DEPEND="${DEPEND} !vanilla? ( >=sys-libs/timezone-data-2007c )" + RDEPEND="${RDEPEND} + vanilla? ( !sys-libs/timezone-data ) + !vanilla? ( sys-libs/timezone-data )" +fi + +SRC_URI=$( + upstream_uris() { + echo mirror://gnu/glibc/$1 ftp://sourceware.org/pub/glibc/{releases,snapshots}/$1 mirror://gentoo/$1 + } + gentoo_uris() { + local devspace="HTTP~vapier/dist/URI HTTP~azarah/glibc/URI" + devspace=${devspace//HTTP/http://dev.gentoo.org/} + echo mirror://gentoo/$1 ${devspace//URI/$1} + } + + TARNAME=${PN} + if [[ -n ${SNAP_VER} ]] ; then + TARNAME="${PN}-${RELEASE_VER}" + [[ -n ${PORTS_VER} ]] && PORTS_VER=${SNAP_VER} + upstream_uris ${TARNAME}-${SNAP_VER}.tar.bz2 + elif [[ -z ${EGIT_REPO_URIS} ]] ; then + upstream_uris ${TARNAME}-${RELEASE_VER}.tar.bz2 + fi + [[ -n ${LIBIDN_VER} ]] && upstream_uris glibc-libidn-${LIBIDN_VER}.tar.bz2 + [[ -n ${PORTS_VER} ]] && upstream_uris ${TARNAME}-ports-${PORTS_VER}.tar.bz2 + [[ -n ${LT_VER} ]] && upstream_uris ${TARNAME}-linuxthreads-${LT_VER}.tar.bz2 + [[ -n ${BRANCH_UPDATE} ]] && gentoo_uris glibc-${RELEASE_VER}-branch-update-${BRANCH_UPDATE}.patch.bz2 + [[ -n ${PATCH_VER} ]] && gentoo_uris glibc-${RELEASE_VER}-patches-${PATCH_VER}.tar.bz2 +) + +# eblit-include [--skip] <function> [version] +eblit-include() { + local skipable=false + [[ $1 == "--skip" ]] && skipable=true && shift + [[ $1 == pkg_* ]] && skipable=true + + local e v func=$1 ver=$2 + [[ -z ${func} ]] && die "Usage: eblit-include <function> [version]" + for v in ${ver:+-}${ver} -${PVR} -${PV} "" ; do + e="${FILESDIR}/eblits/${func}${v}.eblit" + if [[ -e ${e} ]] ; then + source "${e}" + return 0 + fi + done + ${skipable} && return 0 + die "Could not locate requested eblit '${func}' in ${FILESDIR}/eblits/" +} + +# eblit-run-maybe <function> +# run the specified function if it is defined +eblit-run-maybe() { + [[ $(type -t "$@") == "function" ]] && "$@" +} + +# eblit-run <function> [version] +# aka: src_unpack() { eblit-run src_unpack ; } +eblit-run() { + eblit-include --skip common "${*:2}" + eblit-include "$@" + eblit-run-maybe eblit-$1-pre + eblit-${PN}-$1 + eblit-run-maybe eblit-$1-post +} + +src_unpack() { eblit-run src_unpack ; } +src_compile() { eblit-run src_compile ; } +src_test() { eblit-run src_test ; } +src_install() { eblit-run src_install ; } + +# FILESDIR might not be available during binpkg install +for x in setup {pre,post}inst ; do + e="${FILESDIR}/eblits/pkg_${x}.eblit" + if [[ -e ${e} ]] ; then + . "${e}" + eval "pkg_${x}() { eblit-run pkg_${x} ; }" + fi +done + +pkg_setup() { + eblit-run pkg_setup + + # Static binary sanity check #332927 + if [[ ${ROOT} == "/" ]] && \ + has_version "<${CATEGORY}/${P}" && \ + built_with_use sys-apps/coreutils static + then + eerror "Please rebuild coreutils with USE=-static, then install" + eerror "glibc, then you may rebuild coreutils with USE=static." + die "Avoiding system meltdown #332927" + fi +} + +eblit-src_unpack-post() { + if use hardened ; then + cd "${S}" + einfo "Patching to get working PIE binaries on PIE (hardened) platforms" + gcc-specs-pie && epatch "${FILESDIR}"/2.12/glibc-2.12-hardened-pie.patch + epatch "${FILESDIR}"/2.10/glibc-2.10-hardened-configure-picdefault.patch + epatch "${FILESDIR}"/2.10/glibc-2.10-hardened-inittls-nosysenter.patch + + einfo "Installing Hardened Gentoo SSP and FORTIFY_SOURCE handler" + cp -f "${FILESDIR}"/2.6/glibc-2.6-gentoo-stack_chk_fail.c \ + debug/stack_chk_fail.c || die + cp -f "${FILESDIR}"/2.10/glibc-2.10-gentoo-chk_fail.c \ + debug/chk_fail.c || die + + if use debug ; then + # When using Hardened Gentoo stack handler, have smashes dump core for + # analysis - debug only, as core could be an information leak + # (paranoia). + sed -i \ + -e '/^CFLAGS-backtrace.c/ iCFLAGS-stack_chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \ + debug/Makefile \ + || die "Failed to modify debug/Makefile for debug stack handler" + sed -i \ + -e '/^CFLAGS-backtrace.c/ iCFLAGS-chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \ + debug/Makefile \ + || die "Failed to modify debug/Makefile for debug fortify handler" + fi + + # Build nscd with ssp-all + sed -i \ + -e 's:-fstack-protector$:-fstack-protector-all:' \ + nscd/Makefile \ + || die "Failed to ensure nscd builds with ssp-all" + fi +} + +eblit-pkg_preinst-post() { + if [[ ${CTARGET} == arm* ]] ; then + # Backwards compat support for renaming hardfp ldsos #417287 + local oldso='/lib/ld-linux.so.3' + local nldso='/lib/ld-linux-armhf.so.3' + if [[ -e ${D}${nldso} ]] ; then + if scanelf -qRyi "${ROOT}$(alt_prefix)"/*bin/ | grep -s "^${oldso}" ; then + ewarn "Symlinking old ldso (${oldso}) to new ldso (${nldso})." + ewarn "Please rebuild all packages using this old ldso as compat" + ewarn "support will be dropped in the future." + ln -s "${nldso##*/}" "${D}$(alt_prefix)${oldso}" + fi + fi + fi +} diff --git a/sys-libs/glibc/glibc-2.9_p20081201-r3.ebuild b/sys-libs/glibc/glibc-2.9_p20081201-r3.ebuild new file mode 100644 index 0000000..4619bfb --- /dev/null +++ b/sys-libs/glibc/glibc-2.9_p20081201-r3.ebuild @@ -0,0 +1,193 @@ +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/glibc-2.9_p20081201-r3.ebuild,v 1.23 2014/03/14 09:11:35 vapier Exp $ + +inherit eutils versionator toolchain-funcs flag-o-matic gnuconfig multilib systemd unpacker multiprocessing + +DESCRIPTION="GNU libc6 (also called glibc2) C library" +HOMEPAGE="http://www.gnu.org/software/libc/libc.html"; + +LICENSE="LGPL-2.1+ BSD HPND inner-net" +KEYWORDS="alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86" +RESTRICT="strip" # strip ourself #46186 +EMULTILIB_PKG="true" + +# Configuration variables +if [[ ${PV} == *_p* ]] ; then +RELEASE_VER=${PV%_p*} +BRANCH_UPDATE="" +SNAP_VER=${PV#*_p} +else +RELEASE_VER=${PV} +BRANCH_UPDATE="" +SNAP_VER="" +fi +PATCH_VER="8" # Gentoo patchset +PORTS_VER=${RELEASE_VER} # version of glibc ports addon +LIBIDN_VER="" # version of libidn addon +LT_VER="" # version of linuxthreads addon +NPTL_KERN_VER=${NPTL_KERN_VER:-"2.6.9"} # min kernel version nptl requires +#LT_KERN_VER=${LT_KERN_VER:-"2.4.1"} # min kernel version linuxthreads requires + +IUSE="debug gd hardened multilib selinux profile vanilla crosscompile_opts_headers-only ${LT_VER:+glibc-compat20 nptl linuxthreads}" +S=${WORKDIR}/glibc-${RELEASE_VER}${SNAP_VER+-${SNAP_VER}} + +# Here's how the cross-compile logic breaks down ... +# CTARGET - machine that will target the binaries +# CHOST - machine that will host the binaries +# CBUILD - machine that will build the binaries +# If CTARGET != CHOST, it means you want a libc for cross-compiling. +# If CHOST != CBUILD, it means you want to cross-compile the libc. +# CBUILD = CHOST = CTARGET - native build/install +# CBUILD != (CHOST = CTARGET) - cross-compile a native build +# (CBUILD = CHOST) != CTARGET - libc for cross-compiler +# CBUILD != CHOST != CTARGET - cross-compile a libc for a cross-compiler +# For install paths: +# CHOST = CTARGET - install into / +# CHOST != CTARGET - install into /usr/CTARGET/ + +export CBUILD=${CBUILD:-${CHOST}} +export CTARGET=${CTARGET:-${CHOST}} +if [[ ${CTARGET} == ${CHOST} ]] ; then + if [[ ${CATEGORY} == cross-* ]] ; then + export CTARGET=${CATEGORY#cross-} + fi +fi + +[[ ${CTARGET} == hppa* ]] && NPTL_KERN_VER=${NPTL_KERN_VER/2.6.9/2.6.20} + +is_crosscompile() { + [[ ${CHOST} != ${CTARGET} ]] +} + +# Why SLOT 2.2 you ask yourself while sippin your tea ? +# Everyone knows 2.2 > 0, duh. +SLOT="2.2" + +# General: We need a new-enough binutils for as-needed +# arch: we need to make sure our binutils/gcc supports TLS +DEPEND=">=sys-devel/gcc-3.4.4 + arm? ( >=sys-devel/binutils-2.16.90 >=sys-devel/gcc-4.1.0 ) + ppc? ( >=sys-devel/gcc-4.1.0 ) + ppc64? ( >=sys-devel/gcc-4.1.0 ) + >=sys-devel/binutils-2.15.94 + ${LT_VER:+nptl? (} >=sys-kernel/linux-headers-${NPTL_KERN_VER} ${LT_VER:+)} + >=app-misc/pax-utils-0.1.10 + virtual/os-headers + !<sys-apps/sandbox-1.2.18.1-r2 + !<sys-apps/portage-2.1.2 + selinux? ( sys-libs/libselinux )" +RDEPEND="!sys-kernel/ps3-sources + selinux? ( sys-libs/libselinux )" + +if [[ ${CATEGORY} == cross-* ]] ; then + DEPEND="${DEPEND} !crosscompile_opts_headers-only? ( ${CATEGORY}/gcc )" + [[ ${CATEGORY} == *-linux* ]] && DEPEND="${DEPEND} ${CATEGORY}/linux-headers" +else + DEPEND="${DEPEND} >=sys-libs/timezone-data-2007c" + RDEPEND="${RDEPEND} sys-libs/timezone-data" +fi + +SRC_URI=$( + upstream_uris() { + echo mirror://gnu/glibc/$1 ftp://sourceware.org/pub/glibc/{releases,snapshots}/$1 mirror://gentoo/$1 + } + gentoo_uris() { + local devspace="HTTP~vapier/dist/URI HTTP~azarah/glibc/URI" + devspace=${devspace//HTTP/http://dev.gentoo.org/} + echo mirror://gentoo/$1 ${devspace//URI/$1} + } + + TARNAME=${PN} + if [[ -n ${SNAP_VER} ]] ; then + TARNAME="${PN}-${RELEASE_VER}" + [[ -n ${PORTS_VER} ]] && PORTS_VER=${SNAP_VER} + upstream_uris ${TARNAME}-${SNAP_VER}.tar.bz2 + else + upstream_uris ${TARNAME}-${RELEASE_VER}.tar.bz2 + fi + [[ -n ${LIBIDN_VER} ]] && upstream_uris glibc-libidn-${LIBIDN_VER}.tar.bz2 + [[ -n ${PORTS_VER} ]] && upstream_uris ${TARNAME}-ports-${PORTS_VER}.tar.bz2 + [[ -n ${LT_VER} ]] && upstream_uris ${TARNAME}-linuxthreads-${LT_VER}.tar.bz2 + [[ -n ${BRANCH_UPDATE} ]] && gentoo_uris glibc-${RELEASE_VER}-branch-update-${BRANCH_UPDATE}.patch.bz2 + [[ -n ${PATCH_VER} ]] && gentoo_uris glibc-${RELEASE_VER}-patches-${PATCH_VER}.tar.bz2 +) + +# eblit-include [--skip] <function> [version] +eblit-include() { + local skipable=false + [[ $1 == "--skip" ]] && skipable=true && shift + [[ $1 == pkg_* ]] && skipable=true + + local e v func=$1 ver=$2 + [[ -z ${func} ]] && die "Usage: eblit-include <function> [version]" + for v in ${ver:+-}${ver} -${PVR} -${PV} "" ; do + e="${FILESDIR}/eblits/${func}${v}.eblit" + if [[ -e ${e} ]] ; then + source "${e}" + return 0 + fi + done + ${skipable} && return 0 + die "Could not locate requested eblit '${func}' in ${FILESDIR}/eblits/" +} + +# eblit-run-maybe <function> +# run the specified function if it is defined +eblit-run-maybe() { + [[ $(type -t "$@") == "function" ]] && "$@" +} + +# eblit-run <function> [version] +# aka: src_unpack() { eblit-run src_unpack ; } +eblit-run() { + eblit-include --skip common "${*:2}" + eblit-include "$@" + eblit-run-maybe eblit-$1-pre + eblit-${PN}-$1 + eblit-run-maybe eblit-$1-post +} + +src_unpack() { eblit-run src_unpack ; } +src_compile() { eblit-run src_compile ; } +src_test() { eblit-run src_test ; } +src_install() { eblit-run src_install ; } + +# FILESDIR might not be available during binpkg install +for x in setup {pre,post}inst ; do + e="${FILESDIR}/eblits/pkg_${x}.eblit" + if [[ -e ${e} ]] ; then + . "${e}" + eval "pkg_${x}() { eblit-run pkg_${x} ; }" + fi +done + +eblit-src_unpack-post() { + if use hardened ; then + cd "${S}" + einfo "Patching to get working PIE binaries on PIE (hardened) platforms" + gcc-specs-pie && epatch "${FILESDIR}"/2.5/glibc-2.5-hardened-pie.patch + epatch "${FILESDIR}"/2.5/glibc-2.5-hardened-configure-picdefault.patch + epatch "${FILESDIR}"/2.7/glibc-2.7-hardened-inittls-nosysenter.patch + + einfo "Installing Hardened Gentoo SSP handler" + cp -f "${FILESDIR}"/2.6/glibc-2.6-gentoo-stack_chk_fail.c \ + debug/stack_chk_fail.c || die + + if use debug ; then + # When using Hardened Gentoo stack handler, have smashes dump core for + # analysis - debug only, as core could be an information leak + # (paranoia). + sed -i \ + -e '/^CFLAGS-backtrace.c/ iCFLAGS-stack_chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \ + debug/Makefile \ + || die "Failed to modify debug/Makefile for debug stack handler" + fi + + # Build nscd with ssp-all + sed -i \ + -e 's:-fstack-protector$:-fstack-protector-all:' \ + nscd/Makefile \ + || die "Failed to ensure nscd builds with ssp-all" + fi +}
