Merge pull request #1049 from flatcar/buildbot/weekly-portage-stable-…

…package-updates-2023-08-07 Weekly portage-stable package updates 2023-08-07
flatcar · Aug 11, 2023 · 4605b27 · 4605b27
2 parents 3169d49 + af2a000
commit 4605b27
Show file tree

Hide file tree

Showing 329 changed files with 14,375 additions and 2,097 deletions.
diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list
@@ -122,6 +122,8 @@ app-text/docbook-xsl-stylesheets
 app-text/manpager
 app-text/sgml-common
 
+sec-keys/openpgp-keys-gentoo-release
+
 dev-cpp/gtest
 
 dev-db/sqlite
@@ -197,7 +199,6 @@ dev-python/nspektr
 dev-python/ordered-set
 dev-python/packaging
 dev-python/platformdirs
-dev-python/pydantic
 dev-python/pydecomp
 dev-python/pygments
 dev-python/pyparsing

diff --git a/changelog/security/2023-08-09-weekly-updates.md b/changelog/security/2023-08-09-weekly-updates.md
@@ -0,0 +1,4 @@
+- libarchive ([libarchive-20230729](https://github.com/libarchive/libarchive/releases/tag/v3.7.1))
+- vim ([CVE-2023-2609](https://nvd.nist.gov/vuln/detail/CVE-2023-2609), [CVE-2023-2610](https://nvd.nist.gov/vuln/detail/CVE-2023-2610))
+- qemu ([CVE-2023-0330](https://nvd.nist.gov/vuln/detail/CVE-2023-0330), [CVE-2023-2861](https://nvd.nist.gov/vuln/detail/CVE-2023-2861))
+- curl ([CVE-2023-32001](https://nvd.nist.gov/vuln/detail/CVE-2023-32001))
diff --git a/changelog/updates/2023-08-09-weekly-updates.md b/changelog/updates/2023-08-09-weekly-updates.md
@@ -0,0 +1,10 @@
+- libarchive ([3.7.1](https://github.com/libarchive/libarchive/releases/tag/v3.7.1) (includes [3.7.0](https://github.com/libarchive/libarchive/releases/tag/v3.7.0)))
+- libmd ([1.1.0](https://git.hadrons.org/cgit/libmd.git/log/?h=1.1.0))
+- vim ([9.0.1677](https://github.com/vim/vim/commits/v9.0.1677))
+- SDK: qemu ([8.0.3](https://wiki.qemu.org/ChangeLog/8.0))
+- libassuan ([2.5.6](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libassuan.git;a=blob;f=NEWS;h=e52bb5dd36ac93ea227e53e89f82af9ccf38f339;hb=6b50ee6bcdd6aa81bd7cc3fb2379864c3ed479b8))
+- libksba ([1.6.4](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=blob;f=NEWS;h=f640523209c1c9ce9855040e53914a79d24d6a67;hb=557999424ebd13e70d6fc17e648a5dd2a06f440b))
+- libuv ([1.46.0](https://github.com/libuv/libuv/releases/tag/v1.46.0) (includes [1.45.0](https://github.com/libuv/libuv/releases/tag/v1.45.0)))
+- curl ([8.2.1](https://curl.se/changes.html#8_2_1) (includes [8.2.0](https://curl.se/changes.html#8_2_0)))
+- portage ([3.0.49](https://gitweb.gentoo.org/proj/portage.git/tree/NEWS?h=portage-3.0.49))
+- intel microcode ([20230613](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230613))
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -9,10 +9,15 @@
 
 # Needed by arm64-native SDK.
 =app-crypt/efitools-1.9.2 ~arm64
+
+# Needed to address CVE-2023-2609 and CVE-2023-2610.
+=app-editors/vim-9.0.1677 ~amd64 ~arm64
+=app-editors/vim-core-9.0.1677 ~amd64 ~arm64
+
+# Needed by arm64-native SDK.
 =app-emulation/open-vmdk-1.0 *
 
 # Keep versions on both arches in sync.
-=app-emulation/qemu-7.2.3 ~arm64
 =app-misc/pax-utils-1.3.7 ~amd64
 
 # Required for addressing CVE-2022-3715.
@@ -37,27 +42,25 @@
 =dev-libs/libgcrypt-1.10.1-r3 ~arm64
 =dev-python/lxml-4.9.2-r1 ~arm64
 =dev-util/bpftool-6.3 ~arm64
-
-# Keep versions on both arches in sync.
 =net-firewall/conntrack-tools-1.4.6-r1 ~arm64
+=net-firewall/ipset-7.17-r1 ~arm64
 
 # Required for addressing CVE-2023-0361.
-=net-libs/gnutls-3.8.0 ~amd64 ~arm64
+=net-libs/gnutls-3.8.0 ~arm64
 
 # Keep versions on both arches in sync.
 =net-libs/libnetfilter_cthelper-1.0.0-r1 ~arm64
 =net-libs/libnetfilter_cttimeout-1.0.0-r1 ~arm64
 
-# Required for addressing CVE-2023-28319, CVE-2023-28320, CVE-2023-28321 and CVE-2023-28322.
-=net-misc/curl-8.1.2 ~amd64 ~arm64
+# Required for addressing CVE-2023-32001.
+=net-misc/curl-8.2.1 ~amd64 ~arm64
 
 # Keep versions on both arches in sync.
 =sec-policy/selinux-base-2.20200818-r3 ~arm64
 =sec-policy/selinux-base-policy-2.20200818-r3 ~arm64
 =sec-policy/selinux-unconfined-2.20200818-r2 ~arm64
 =sec-policy/selinux-virt-2.20200818-r2 ~arm64
 =sys-apps/checkpolicy-3.1 ~arm64
-=sys-apps/coreutils-9.3-r2 ~arm64
 =sys-apps/kexec-tools-2.0.24 ~arm64
 =sys-apps/policycoreutils-3.1-r4 ~arm64
 =sys-apps/semodule-utils-3.1 ~arm64
@@ -66,13 +69,13 @@
 =sys-cluster/ipvsadm-1.27-r1 **
 
 # Keep versions on both arches in sync.
+=sys-devel/automake-1.16.5-r1 ~arm64
 =sys-firmware/edk2-aarch64-18.02 **
 
 # FIPS support is still being tested.
 =sys-fs/cryptsetup-2.4.3-r1 ~amd64 ~arm64
 
 # Keep versions on both arches in sync.
-=sys-fs/multipath-tools-0.9.5 ~amd64
 =sys-libs/libselinux-3.1-r3 ~arm64
 =sys-libs/libsemanage-3.1-r2 ~arm64
 =sys-libs/libsepol-3.1 ~arm64

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
@@ -73,10 +73,6 @@ sys-apps/portage -xattr -rsync-verify
 # Enable -M and -Z flags; -M is used by mayday
 sys-process/lsof rpc selinux
 
-# can be removed with socat-2.0.0; this is the openssl/readline license
-# incompatibility 
-net-misc/socat -ssl
-
 # Prevent pulling in a ton of perl dependencies
 sys-apps/man-db -nls
 

diff --git a/...ogin/google-oslogin-20200910.00-r1.ebuild → ...ogin/google-oslogin-20200910.00-r2.ebuild b/...ogin/google-oslogin-20200910.00-r1.ebuild → ...ogin/google-oslogin-20200910.00-r2.ebuild
@@ -1,7 +1,7 @@
 # Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=6
+EAPI=8
 
 DESCRIPTION="Components to support Google Cloud OS Login. This contains bits that belong in USR"
 HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-oslogin"

diff --git a/sdk_container/src/third_party/portage-stable/app-arch/libarchive/Manifest b/sdk_container/src/third_party/portage-stable/app-arch/libarchive/Manifest
@@ -1,2 +1,6 @@
 DIST libarchive-3.6.2.tar.xz 5213196 BLAKE2B 355b5d402e352dee802513485ce7e047af58d6de5b9bf6a49f3fd8d7b94117007598820ac979585c0da79747e8b63b70ab151131182368a11f97a047cf9029d4 SHA512 a12bb6839e13a0be1099f42c650fc90fbfe62d32ce38bcbb4794206d29b2c782ae1115124d0e5f6b9716514213af32b05e4a42eb196447674a5f9a2a32bee043
 DIST libarchive-3.6.2.tar.xz.asc 659 BLAKE2B a4b0035ab2bda4129cdf0c99266cd1e5f4772d90de6e348c75958bc803f369d6abea85d9730c6c9a216466b35697faad8d265fb2c285545887eafde27d828887 SHA512 403e5f7dec14d8b1cc01fad5a249e7b7618a7b45bcb3361ea80d67d76b591b12ce97f2c88b23d5486505dd3b34c1f1643e02235a3e5fc5150ee5735946092efe
+DIST libarchive-3.7.0.tar.xz 5243356 BLAKE2B 8fb72a0504038c71584c0416c1d747b7f5c82266518704353e7fdf794bd9f9e2dc22b8fa2538fa8d12a3b9776581077040371d25647fe72c02a4ec5f3bb8d950 SHA512 f69ff7fbec7e909b6a03dd5b01c47316f95a277907409c8fba3930bb90d02cd9a329921eada59ca1afc9a19e34de7eb34e9d535bbc8cd98fb586f723bd0fdba8
+DIST libarchive-3.7.0.tar.xz.asc 659 BLAKE2B 5bbd535ce100fbfb7ed46f8d7a6957ebb590c07124de4192ae0b777ad3b3950e6406f1ccda97dde5b6e792be00a039621de21665df9989073ebd0a905299eda1 SHA512 eda3a4347fb8d7f78c8e0a73f621a4a731d46cafc2f46ac59cebe39f3ebd29b1c3db21772c2027b30c5c507f5f732c3876e94f319e62156d2a3146e412cad84d
+DIST libarchive-3.7.1.tar.xz 5254260 BLAKE2B 1a6fa4f5027effea3df1cfcd2d99b8b126fe03d727412b0a4529d6b2157c2c29490bcce206d0f771256c5ed6dec9612608c2c54c4861647f4e2892e0f5548adb SHA512 24380b9aa24434dfe39929ec85ede33580291023b20b7cdf03990ce62578eaeb389f5ca5680245a84c7aad51574c85a1fa3fad5254ec5395eadac1cb2130a936
+DIST libarchive-3.7.1.tar.xz.asc 659 BLAKE2B 5e72732d2e5a4f5f04f3510b3d81a148f23dffa10a3ebe709e816388c5a6e68c08ee2bbe36d81141d5ffa94ed64df3e4ca05994cda651c09589fda69a6a95e90 SHA512 6f6f6e5780c609bd9c6c359c210656f26afb585bda46988687e19d1e55f4f3260ea80bf11bfba1213fb3a3e1514c5c096692b4b9e96ffbadf06f85eb1227250a
diff --git a/...third_party/portage-stable/app-arch/libarchive/files/libarchive-3.7.0-f_namemax-fix.patch b/...third_party/portage-stable/app-arch/libarchive/files/libarchive-3.7.0-f_namemax-fix.patch
@@ -0,0 +1,19 @@
+From: https://github.com/libarchive/libarchive/commit/bd074c2531e867078788fe8539376c31119e4e55.patch
+From: Wong Hoi Sing Edison <hswong3i@gmail.com>
+Date: Wed, 19 Jul 2023 16:59:32 +0800
+Subject: [PATCH] Replace `svfs.f_namelen` with `svfs.f_namemax` (#1924)
+
+The equivalent for `f_namelen` in struct statvfs is `f_namemax`.
+
+Signed-off-by: Wong Hoi Sing Edison <hswong3i@pantarei-design.com>
+--- a/libarchive/archive_read_disk_posix.c
++++ b/libarchive/archive_read_disk_posix.c
+@@ -1866,7 +1866,7 @@ setup_current_filesystem(struct archive_read_disk *a)
+ #if defined(USE_READDIR_R)
+ 	/* Set maximum filename length. */
+ #if defined(HAVE_STATVFS)
+-	t->current_filesystem->name_max = svfs.f_namelen;
++	t->current_filesystem->name_max = svfs.f_namemax;
+ #else
+ 	t->current_filesystem->name_max = sfs.f_namelen;
+ #endif
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/libarchive/libarchive-3.7.0.ebuild b/sdk_container/src/third_party/portage-stable/app-arch/libarchive/libarchive-3.7.0.ebuild
@@ -0,0 +1,149 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit multilib-minimal toolchain-funcs verify-sig
+
+DESCRIPTION="Multi-format archive and compression library"
+HOMEPAGE="
+	https://www.libarchive.org/
+	https://github.com/libarchive/libarchive/
+"
+SRC_URI="
+	https://www.libarchive.de/downloads/${P}.tar.xz
+	verify-sig? ( https://www.libarchive.de/downloads/${P}.tar.xz.asc )
+"
+
+LICENSE="BSD BSD-2 BSD-4 public-domain"
+SLOT="0/13"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="acl blake2 +bzip2 +e2fsprogs expat +iconv lz4 +lzma lzo nettle static-libs xattr zstd"
+VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/libarchive.org.asc
+
+RDEPEND="
+	sys-libs/zlib[${MULTILIB_USEDEP}]
+	acl? ( virtual/acl[${MULTILIB_USEDEP}] )
+	blake2? ( app-crypt/libb2[${MULTILIB_USEDEP}] )
+	bzip2? ( app-arch/bzip2[${MULTILIB_USEDEP}] )
+	expat? ( dev-libs/expat[${MULTILIB_USEDEP}] )
+	!expat? ( dev-libs/libxml2[${MULTILIB_USEDEP}] )
+	iconv? ( virtual/libiconv[${MULTILIB_USEDEP}] )
+	kernel_linux? (
+		xattr? ( sys-apps/attr[${MULTILIB_USEDEP}] )
+	)
+	dev-libs/openssl:0=[${MULTILIB_USEDEP}]
+	lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] )
+	lzma? ( >=app-arch/xz-utils-5.2.5-r1[${MULTILIB_USEDEP}] )
+	lzo? ( >=dev-libs/lzo-2[${MULTILIB_USEDEP}] )
+	nettle? ( dev-libs/nettle:0=[${MULTILIB_USEDEP}] )
+	zstd? ( app-arch/zstd[${MULTILIB_USEDEP}] )
+"
+DEPEND="${RDEPEND}
+	kernel_linux? (
+		virtual/os-headers
+		e2fsprogs? ( sys-fs/e2fsprogs[${MULTILIB_USEDEP}] )
+	)
+"
+BDEPEND="
+	verify-sig? ( >=sec-keys/openpgp-keys-libarchive-20221209 )
+	elibc_musl? ( sys-libs/queue-standalone )
+"
+
+# Bug #910552 Only required for version 3.7.0
+PATCHES=(
+	"${FILESDIR}/${P}-f_namemax-fix.patch"
+)
+
+# false positives (checks for libc-defined hash functions)
+QA_CONFIG_IMPL_DECL_SKIP=(
+	SHA256_Init SHA256_Update SHA256_Final
+	SHA384_Init SHA384_Update SHA384_Final
+	SHA512_Init SHA512_Update SHA512_Final
+)
+
+multilib_src_configure() {
+	export ac_cv_header_ext2fs_ext2_fs_h=$(usex e2fsprogs) #354923
+
+	local myconf=(
+		$(use_enable acl)
+		$(use_enable static-libs static)
+		$(use_enable xattr)
+		$(use_with blake2 libb2)
+		$(use_with bzip2 bz2lib)
+		$(use_with expat)
+		$(use_with !expat xml2)
+		$(use_with iconv)
+		$(use_with lz4)
+		$(use_with lzma)
+		$(use_with lzo lzo2)
+		$(use_with nettle)
+		--with-zlib
+		$(use_with zstd)
+
+		# Windows-specific
+		--without-cng
+	)
+	if multilib_is_native_abi ; then
+		myconf+=(
+			--enable-bsdcat="$(tc-is-static-only && echo static || echo shared)"
+			--enable-bsdcpio="$(tc-is-static-only && echo static || echo shared)"
+			--enable-bsdtar="$(tc-is-static-only && echo static || echo shared)"
+			--enable-bsdunzip="$(tc-is-static-only && echo static || echo shared)"
+		)
+	else
+		myconf+=(
+			--disable-bsdcat
+			--disable-bsdcpio
+			--disable-bsdtar
+			--disable-bsdunzip
+		)
+	fi
+
+	ECONF_SOURCE="${S}" econf "${myconf[@]}"
+	# TODO: figure out why we don't get one
+	mkdir -p unzip/test || die
+}
+
+multilib_src_compile() {
+	if multilib_is_native_abi ; then
+		emake
+	else
+		emake libarchive.la
+	fi
+}
+
+src_test() {
+	mkdir -p "${T}"/bin || die
+	# tests fail when lbzip2[symlink] is used in place of ref bunzip2
+	ln -s "${BROOT}/bin/bunzip2" "${T}"/bin || die
+	local -x PATH=${T}/bin:${PATH}
+	multilib-minimal_src_test
+}
+
+multilib_src_test() {
+	# sandbox is breaking long symlink behavior
+	local -x SANDBOX_ON=0
+	local -x LD_PRELOAD=
+	# some locales trigger different output that breaks tests
+	local -x LC_ALL=C
+	emake check
+}
+
+multilib_src_install() {
+	if multilib_is_native_abi ; then
+		emake DESTDIR="${D}" install
+	else
+		local install_targets=(
+			install-includeHEADERS
+			install-libLTLIBRARIES
+			install-pkgconfigDATA
+		)
+		emake DESTDIR="${D}" "${install_targets[@]}"
+	fi
+
+	# Libs.private: should be used from libarchive.pc instead
+	find "${ED}" -type f -name "*.la" -delete || die
+	# https://github.com/libarchive/libarchive/issues/1766
+	sed -e '/Requires\.private/s:iconv::' \
+		-i "${ED}/usr/$(get_libdir)/pkgconfig/libarchive.pc" || die
+}