| Summary: | sys-libs/glibc-2.10.1 glibc-2.5-hardened-configure-picdefault.patch fails on hardened | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Matt <jackdachef> |
| Component: | [OLD] Core system | Assignee: | The Gentoo Linux Hardened Team <hardened> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | kanelxake, kfm, nadim, NightNord, suertreus, toolchain, zioalex, zorry |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

Attachments:
output of the failed patch
Fixed for glibc 2.10
Fixed for glibc 2.10
emerge --info
ssp-compat patch for __guard NOT TESTED

Description
Matt
2009-05-18 11:19:07 UTC
Created attachment 191646 [details]
output of the failed patch
Created attachment 191653 [details, diff]
Fixed for glibc 2.10
Created attachment 191654 [details, diff]
Fixed for glibc 2.10
emerge --info please.

Created attachment 191673 [details]
emerge --info

that did it !

Thanks a lot Magnus =)

you guys are FAST ^^

should I set it to "FIXED" or wait for another (gentoo)dev to attend and do it ?

(In reply to comment #6)
> that did it !
>
> Thanks a lot Magnus =)
>
> you guys are FAST ^^
>
> should I set it to "FIXED" or wait for another (gentoo)dev to attend and do it
> ?
>

yes if get committed.

I tried the patch of Magnus too, but it fails again with:

    ...
    * Applying glibc-2.5-hardened-configure-picdefault.patch ...
    * Failed Patch: glibc-2.5-hardened-configure-picdefault.patch !
    * ( /usr/local/portage/sys-libs/glibc/files/2.5/glibc-2.5-hardened-configure-picdefault.patch )
    *
    * Include in your bugreport the contents of:
    *
    * /var/tmp/portage/sys-libs/glibc-2.10.1-r1/temp/glibc-2.5-hardened-configure-picdefault.patch-10059.out

in glibc-2.5-hardened-configure-picdefault.patch-10059.out I find:

    ***** glibc-2.5-hardened-configure-picdefault.patch *****
    =========================================================
    PATCH COMMAND: patch -p0 -g0 -E --no-backup-if-mismatch < /usr/local/portage/sys-libs/glibc/files/2.5/glibc-2.5-hardened-configure-picdefault.patch
    =========================================================
    patching file configure.in
    Hunk #1 FAILED at 2145.
    1 out of 1 hunk FAILED -- saving rejects to file configure.in.rej
    patching file configure
    Hunk #1 FAILED at 7698.
    1 out of 1 hunk FAILED -- saving rejects to file configure.rej
    =========================================================
    ,,,

no it doesn't ;) (for me)

Juergen, you are sure you changed the lines in the ebuild and added a folder called 2.10 in the files subdirectory with those 2 files in it ?

cause it still reads glibc-2.5* but the new patches are called glibc-2.10*

I've made a minimalistic ebuild-package for this patch (thanks to Magnus Granberg!), but it has too many files to post them into bugzilla.

You can find the ebuild in my overlay via git:

    git clone git://vcs.niifaq.ru/portage

or via ftp

    wget -r ftp://ftp.niifaq.ru/pub/portage/sys-libs/glibc/

The links above are hosted on a home server, so they could be inaccessible sometimes, so everybody is welcome to rehost it on any more stable resource (such as github or google-code).

I have to state that upgrading my server to the new glibc broke its system. This message now appears everywhere:

    relocation error: screen: symbol __guard, version GLIBC_2.3.2 not defined in file libc.so.6 with link time reference

So, maybe it would be wise to wait until glibc is properly patched by the hardened team. I suppose this patch issue is some kind of another funny hardened joke: it's acting as package.mask =)

Gentoo patchset is missing the ssp-compat.patch that supports the older __guard symbols for < gcc 4.1.
We have masked glibc 2.10 in the hardened profile.

Created attachment 192348 [details, diff]
ssp-compat patch for __guard NOT TESTED
This patch is NOT TESTED
@hardened: Please check these patches and apply if fine.

I created an overlay /usr/local/portage/sys-libs/glibc/, copied there glibc-2.10.1.ebuild to glibc-2.10.1-r1.ebuild, created a /usr/local/portage/sys-libs/glibc/files/2.10 directory, put the two patches into that directory:

    root@mouse:/usr/local/portage/sys-libs/glibc(10)# ll /usr/local/portage/sys-libs/glibc/files/2.10/
    total 16
    -rw-r--r-- 1 root root 865 May 25 00:23 glibc-2.10-hardened-configure-picdefault.patch
    -rw-r--r-- 1 root root 8823 May 21 15:26 glibc-2.10-hardened-inittls-nosysenter.patch

added two lines after the end of the other patch lines epatch "${FILESDIR}"/2.10/glibc-2.10-hardened-inittls-nosysenter.patch after the other epatch lines:

root@mouse:/root(5)# diff -C 3 /usr/local/portage/sys-libs/glibc/glibc-2.10.1-r1.ebuild /usr/local/portage/sys-libs/glibc/glibc-2.10.1.ebuild
diff -C 3 /usr/local/portage/sys-libs/glibc/glibc-2.10.1-r1.ebuild /usr/local/portage/sys-libs/glibc/glibc-2.10.1.ebuild *** /usr/local/portage/sys-libs/glibc/glibc-2.10.1-r1.ebuild Mon May 25 02:01:10 2009 --- /usr/local/portage/sys-libs/glibc/glibc-2.10.1.ebuild Mon May 18 06:41:59 2009 *************** *** 186,195 **** cd "${S}" einfo "Patching to get working PIE binaries on PIE (hardened) platforms" gcc-specs-pie && epatch "${FILESDIR}"/2.5/glibc-2.5-hardened-pie.patch ! epatch "${FILESDIR}"/2.5/glibc-2.5-hardened-configure-picdefault.patch ! epatch "${FILESDIR}"/2.7/glibc-2.7-hardened-inittls-nosysenter.patch ! epatch "${FILESDIR}"/2.10/glibc-2.10-hardened-configure-picdefault.patch ! epatch "${FILESDIR}"/2.10/glibc-2.10-hardened-inittls-nosysenter.patch einfo "Installing Hardened Gentoo SSP handler" cp -f "${FILESDIR}"/2.6/glibc-2.6-gentoo-stack_chk_fail.c \ --- 186,193 ---- cd "${S}" einfo "Patching to get working PIE binaries on PIE (hardened) platforms" gcc-specs-pie && epatch "${FILESDIR}"/2.5/glibc-2.5-hardened-pie.patch ! epatch "${FILESDIR}"/2.5/glibc-2.5-hardened-configure-picdefault.patch ! 
epatch "${FILESDIR}"/2.7/glibc-2.7-hardened-inittls-nosysenter.patch einfo "Installing Hardened Gentoo SSP handler" cp -f "${FILESDIR}"/2.6/glibc-2.6-gentoo-stack_chk_fail.c \

run 'ebuild glibc-2.10.1-r1.ebuild digest' in that directory.

And then 'emerge -vD glibc' fails with the described error.

Then I commented out the first two patch lines and now I can emerge glibc-2.10.1 on a hardened system.

Thanks

Two months fixed and still not in portage? What the hell?

There is still an issue with _guard symbols. Fix was in blacklisting glibc. If you still want to use it, you may add a patch for yourself and recompile the whole system to get rid of old symbols. I presume that there is a lot of work with new glibc and hardened, so I suppose that unmasking it at the beginning was an error.

This bug's a serious issue for those who converted their make.profile to hardened from another profile, since it stamps down portage/revdep-rebuild/etc with it always trying to downgrade glibc then stopping itself so that it doesn't break the system.

The solution is to simply add:

    <=sys-libs/glibc-2.9_p20081201-r2

To /etc/portage/package.mask, but that still doesn't fix revdep-rebuild wanting to re-emerge glibc to fix some dependencies.

complaining will get you nowhere in bugzilla. if you want to actually help, test the hardened-ssp-compat patch. i didn't feel like updating it when i bumped glibc to 2.10.

New patches are in main tree. The package.mask for glibc-2.10.1 is to remain in place per gengor. If a user wishes to test and finds a bug please open a new bug report with all available data.

that statement isn't terribly clear. does glibc-2.10.1 now cleanly unpack for hardened users ?

(In reply to comment #21)
> that statement isn't terribly clear. does glibc-2.10.1 now cleanly unpack for
> hardened users ?
>

It does for me.

(In reply to comment #21)
> that statement isn't terribly clear. does glibc-2.10.1 now cleanly unpack for
> hardened users ?
>

Yes 2.10.1 unpacks fine for hardened now.

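Review bot: In the `diff -C 3` output between glibc-2.10.1-r1.ebuild and glibc-2.10.1.ebuild above, the `*** 186,195 ****` side (the -r1 ebuild) still carries `epatch "${FILESDIR}"/2.5/glibc-2.5-hardened-configure-picdefault.patch` and `epatch "${FILESDIR}"/2.7/glibc-2.7-hardened-inittls-nosysenter.patch` ahead of the two new 2.10 lines, so the 2.5 patch that fails to apply is still run before its replacement. The two 2.10 lines should replace the old pair rather than follow it. The diff is also taken with the modified -r1 ebuild as the first operand, so the addition reads as a removal; putting the original ebuild first would make the change easier to review.
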
thanks for checking

The following lines need to be removed from /var/cvsroot/gentoo-x86/profiles/hardened/linux/package.mask:

    # Patch fails, mask for now. Bug #270274.
    >=sys-libs/glibc-2.10

Because as it is now, doing an emerge --sync will still mask 2.10.1:

    !!! One of the following masked packages is required to complete your request:
    - sys-libs/glibc-2.10.1 (masked by: package.mask)
    /usr/portage/profiles/hardened/linux/package.mask:
    # Patch fails, mask for now. Bug #270274.

(In reply to comment #25)
> The following lines need to be removed from
> /var/cvsroot/gentoo-x86/profiles/hardened/linux/package.mask:
> # Patch fails, mask for now. Bug #270274.
> >=sys-libs/glibc-2.10
>
> Because as it is now, doing an emerge --sync will still mask 2.10.1:
> !!! One of the following masked packages is required to complete your request:
> - sys-libs/glibc-2.10.1 (masked by: package.mask)
> /usr/portage/profiles/hardened/linux/package.mask:
> # Patch fails, mask for now. Bug #270274.
>

Mask was dropped by SpanKY ~2hours ago (from the time of this writing). Will be gone on your next emerge --sync.
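
The relocation error quoted in this thread comes from binaries that still import `__guard`, and one reply suggests recompiling to get rid of the old symbols. As an added example (not part of the bug report or of Gentoo's tooling), this script lists which files still carry that unresolved reference; it assumes binutils `readelf` is installed, and the function names and both sample symbol tables are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): find programs that still import the
# old SSP canary symbol __guard and so break against a libc that lacks it.

# guard_refs: filter `readelf --dyn-syms -W` output on stdin and print each
# undefined (Ndx column == UND) symbol named __guard, version suffix included.
guard_refs() {
    awk '$7 == "UND" && $8 ~ /^__guard(@|$)/ { print $8 }'
}

# needs_rebuild FILE: true if FILE has an unresolved reference to __guard.
needs_rebuild() {
    [ -n "$(readelf --dyn-syms -W "$1" 2>/dev/null | guard_refs)" ]
}

# scan_dirs DIR...: print every regular file under DIR that needs a rebuild.
scan_dirs() {
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        if needs_rebuild "$f"; then printf '%s\n' "$f"; fi
    done
}

# Constructed readelf output: a binary built with a pre-4.1 SSP toolchain.
sample_old() {
    cat <<'EOF'
Symbol table '.dynsym' contains 4 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND __guard@GLIBC_2.3.2 (3)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (2)
     3: 0000000000601040     8 OBJECT  GLOBAL DEFAULT   25 __guard_page
EOF
}

# Constructed readelf output: the same binary with no unresolved __guard.
sample_new() {
    cat <<'EOF'
Symbol table '.dynsym' contains 3 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (2)
EOF
}

# With directory arguments, scan them; with none, show the constructed sample.
if [ "$#" -gt 0 ]; then scan_dirs "$@"; else sample_old | guard_refs; fi
```

Run it with the directories to check as arguments, for example `/usr/bin /usr/lib`, before unmasking a glibc that lacks the ssp-compat patch.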