slackware-current/source/a/pkgtools/scripts/makepkg

511 lines
18 KiB
Text
Raw Normal View History

#!/bin/bash
# Copyright 1994, 1998, 2008 Patrick Volkerding, Moorhead, Minnesota USA
# Copyright 2003 Slackware Linux, Inc. Concord, CA USA
# Copyright 2009, 2015, 2017, 2018, 2019, 2024 Patrick J. Volkerding, Sebeka, MN, USA
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
# permitted provided that the following conditions are met:
#
# 1. Redistributions of this script must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# Fri Sep 27 19:50:49 UTC 2024
# Warn about the presence of rpaths in ELF objects so that the packager can
# decide what to do about them, if anything. They could be removed by adding
# something to the SlackBuild to do it, or with one of these new options:
# --remove-rpaths (remove all rpaths from ELF objects. It's possible this could
# break some things)
# --remove-tmp-rpaths (remove rpaths from any ELF object containing an rpath
# that references the /tmp directory. This is likely safe to do and prevents
# evil object attacks in /tmp)
#
# Mon 2 Jul 15:32:14 UTC 2018
# Sort file lists and support SOURCE_DATE_EPOCH, for reproducibility.
#
# Mon May 21 18:31:20 UTC 2018
# Add --compress option, usually used to change the preset compression level
# or block size.
#
# Tue Feb 13 00:46:12 UTC 2018
# Use recent tar, and support storing POSIX ACLs and extended attributes.
#
# Tue Dec 12 21:55:59 UTC 2017
# If possible, use multiple compression threads.
#
# Wed Sep 23 18:36:43 UTC 2015
# Support spaces in file/directory names. <alphageek>
#
# Sun Apr 5 21:23:26 CDT 2009
# Support .tgz, .tbz, .tlz, and .txz packages. <volkerdi>
#
# Fri Nov 26 13:53:36 GMT 2004
# Patched to chmod 755 the package's root directory if needed, then restore
# previous permissions after the package has been created. <sw>
#
# Wed Mar 18 15:32:33 CST 1998
# Patched to avoid possible symlink attacks in /tmp.
CWD=$(pwd)
umask 022
make_install_script() {
TAB="$(echo -e "\t")"
COUNT=1
while :; do
LINE="$(sed -n "$COUNT p" $1)"
if [ "$LINE" = "" ]; then
break
fi
LINKGOESIN="$(echo "$LINE" | cut -f 1 -d "$TAB")"
LINKGOESIN="$(dirname "$LINKGOESIN")"
LINKNAMEIS="$(echo "$LINE" | cut -f 1 -d "$TAB")"
LINKNAMEIS="$(basename "$LINKNAMEIS")"
LINKPOINTSTO="$(echo "$LINE" | cut -f 2 -d "$TAB")"
echo "( cd $LINKGOESIN ; rm -rf $LINKNAMEIS )"
echo "( cd $LINKGOESIN ; ln -sf $LINKPOINTSTO $LINKNAMEIS )"
COUNT=$(expr $COUNT + 1)
done
}
usage() {
cat << EOF
Usage: makepkg package_name.tgz
(or: package_name.tbz, package_name.tlz, package_name.txz)
Makes a Slackware compatible package containing the contents of the current
and all subdirectories. If symbolic links exist, they will be removed and
an installation script will be made to recreate them later. This script will
be called "install/doinst.sh". You may add any of your own ash-compatible
shell scripts to this file and rebuild the package if you wish.
options: -l, --linkadd y|n (moves symlinks into doinst.sh: recommended)
-p, --prepend (prepend rather than append symlinks to an existing
doinst.sh. Useful to link libraries needed by programs in
the doinst.sh script)
-c, --chown y|n (resets all permissions to root:root 755 - not
generally recommended)
--threads <number> For xz/plzip compressed packages, set the max
number of threads to be used for compression. Only has an
effect on large packages. For plzip, the default is equal to
the number of CPU threads available on the machine. For xz,
the default is equal to 2 (due to commonly occuring memory
related failures when using many threads with multi-threaded
xz compression).
--compress <option> Supply a custom option to the compressor.
This will be used in place of the default, which is: -9
--acls Support storing POSIX ACLs in the package. The resulting
package will not be compatible with pkgtools version < 15.0.
--xattrs Support storing extended attributes in the package. The
resulting package will not be compatible with pkgtools
version < 15.0.
--remove-rpaths (remove all rpaths from ELF objects)
--remove-tmp-rpaths (remove rpaths from ELF objects if we find one
that contains '/tmp')
If these options are not set, makepkg will prompt if appropriate.
EOF
}
TMP=/tmp # This can be a hole, but I'm going to be careful about file
# creation in there, so don't panic. :^)
# Set maximum number of threads to use. By default, this will be the number
# of CPU threads:
THREADS="$(nproc)"
# Set default compression option.
COMPRESS_OPTION="-9"
# Parse options
unset ACLS XATTRS
while [ 0 ]; do
if [ "$1" = "--linkadd" -o "$1" = "-l" ]; then
if [ "$2" = "y" ]; then
LINKADD=y
elif [ "$2" = "n" ]; then
LINKADD=n
else
usage
exit 2
fi
shift 2
elif [ "$1" = "--chown" -o "$1" = "-c" ]; then
if [ "$2" = "y" ]; then
CHOWN=y
elif [ "$2" = "n" ]; then
CHOWN=n
else
usage
exit 2
fi
shift 2
elif [ "$1" = "-p" -o "$1" = "--prepend" ]; then
PREPEND=y
shift 1
elif [ "$1" = "-threads" -o "$1" = "--threads" ]; then
THREADS="$2"
shift 2
XZ_THREADS_FORCED=yes
elif [ "$1" = "-compress" -o "$1" = "--compress" ]; then
COMPRESS_OPTION="$2"
shift 2
elif [ "$1" = "--acls" ]; then
ACLS="--acls"
shift 1
elif [ "$1" = "--xattrs" ]; then
XATTRS="--xattrs"
shift 1
elif [ "$1" = "--remove-tmp-rpaths" ]; then
REMOVE_TMP_RPATHS="true"
shift 1
elif [ "$1" = "--remove-rpaths" ]; then
REMOVE_RPATHS="true"
shift 1
elif [ "$1" = "-h" -o "$1" = "-H" -o "$1" = "--help" -o $# = 0 ]; then
usage
exit 0
else
break
fi
done
unset MTIME
if [ -n "${SOURCE_DATE_EPOCH}" ]; then
MTIME="--clamp-mtime --mtime=@${SOURCE_DATE_EPOCH}"
fi
PACKAGE_NAME="$1"
TARGET_NAME="$(dirname $PACKAGE_NAME)"
PACKAGE_NAME="$(basename $PACKAGE_NAME)"
# Identify package extension and compression type to use:
if [ ! "$(basename $PACKAGE_NAME .tgz)" = "$PACKAGE_NAME" ]; then
EXTENSION="tgz"
COMPEXT="gz"
COMPRESSOR="gzip ${COMPRESS_OPTION} -cn"
if ! which gzip 1> /dev/null 2> /dev/null ; then
echo "ERROR: gzip compression utility not found in \$PATH."
exit 3
fi
elif [ ! "$(basename $PACKAGE_NAME .tar.gz)" = "$PACKAGE_NAME" ]; then
EXTENSION="tar.gz"
COMPRESSOR="gzip ${COMPRESS_OPTION} -cn"
if ! which gzip 1> /dev/null 2> /dev/null ; then
echo "ERROR: gzip compression utility not found in \$PATH."
exit 3
fi
elif [ ! "$(basename $PACKAGE_NAME .tbz)" = "$PACKAGE_NAME" ]; then
EXTENSION="tbz"
if which lbzip2 1> /dev/null 2> /dev/null ; then
COMPRESSOR="lbzip2 ${COMPRESS_OPTION} -c"
else
if which bzip2 1> /dev/null 2> /dev/null ; then
COMPRESSOR="bzip2 ${COMPRESS_OPTION} -c"
else
echo "ERROR: bzip2 compression utility not found in \$PATH."
exit 3
fi
fi
elif [ ! "$(basename $PACKAGE_NAME .tar.bz2)" = "$PACKAGE_NAME" ]; then
EXTENSION="tar.bz2"
if which lbzip2 1> /dev/null 2> /dev/null ; then
COMPRESSOR="lbzip2 ${COMPRESS_OPTION} -c"
else
if which bzip2 1> /dev/null 2> /dev/null ; then
COMPRESSOR="bzip2 ${COMPRESS_OPTION} -c"
else
echo "ERROR: bzip2 compression utility not found in \$PATH."
exit 3
fi
fi
elif [ ! "$(basename $PACKAGE_NAME .tlz)" = "$PACKAGE_NAME" ]; then
EXTENSION="tlz"
if which plzip 1> /dev/null 2> /dev/null ; then
COMPRESSOR="plzip ${COMPRESS_OPTION} --threads=${THREADS} -c"
else
echo "WARNING: plzip compression utility not found in \$PATH."
echo "WARNING: package will not support multithreaded decompression."
if which lzip 1> /dev/null 2> /dev/null ; then
COMPRESSOR="lzip ${COMPRESS_OPTION} -c"
else
echo "ERROR: lzip compression utility not found in \$PATH."
exit 3
fi
fi
elif [ ! "$(basename $PACKAGE_NAME .tar.lz)" = "$PACKAGE_NAME" ]; then
EXTENSION="tar.lz"
if which plzip 1> /dev/null 2> /dev/null ; then
COMPRESSOR="plzip ${COMPRESS_OPTION} --threads=${THREADS} -c"
else
echo "WARNING: plzip compression utility not found in \$PATH."
echo "WARNING: package will not support multithreaded decompression."
if which lzip 1> /dev/null 2> /dev/null ; then
COMPRESSOR="lzip ${COMPRESS_OPTION} -c"
else
echo "ERROR: lzip compression utility not found in \$PATH."
exit 3
fi
fi
elif [ ! "$(basename $PACKAGE_NAME .tar.lzma)" = "$PACKAGE_NAME" ]; then
EXTENSION="tar.lzma"
COMPRESSOR="lzma ${COMPRESS_OPTION} -c"
if ! which lzma 1> /dev/null 2> /dev/null ; then
echo "ERROR: lzma compression utility not found in \$PATH."
exit 3
fi
elif [ ! "$(basename $PACKAGE_NAME .txz)" = "$PACKAGE_NAME" ]; then
EXTENSION="txz"
if [ ! "$XZ_THREADS_FORCED" = "yes" ]; then
if [[ "$(uname -m)" =~ (x86_64|aarch64|riscv64) ]]; then
# Allow xz to determine how many threads to use:
COMPRESSOR="xz ${COMPRESS_OPTION} --threads=0 -c"
else
# Default to 2 threads on 32-bit platforms:
COMPRESSOR="xz ${COMPRESS_OPTION} --threads=2 -c"
fi
else
COMPRESSOR="xz ${COMPRESS_OPTION} --threads=${THREADS} -c"
fi
if ! which xz 1> /dev/null 2> /dev/null ; then
echo "ERROR: xz compression utility not found in \$PATH."
exit 3
fi
elif [ ! "$(basename $PACKAGE_NAME .tar.xz)" = "$PACKAGE_NAME" ]; then
EXTENSION="tar.xz"
if [ ! "$XZ_THREADS_FORCED" = "yes" ]; then
if [[ "$(uname -m)" =~ (x86_64|aarch64|riscv64) ]]; then
# Allow xz to determine how many threads to use:
COMPRESSOR="xz ${COMPRESS_OPTION} --threads=0 -c"
else
# Default to 2 threads on 32-bit platforms:
COMPRESSOR="xz ${COMPRESS_OPTION} --threads=2 -c"
fi
else
COMPRESSOR="xz ${COMPRESS_OPTION} --threads=${THREADS} -c"
fi
if ! which xz 1> /dev/null 2> /dev/null ; then
echo "ERROR: xz compression utility not found in \$PATH."
exit 3
fi
else
EXTENSION="$(echo $PACKAGE_NAME | rev | cut -f 1 -d . | rev)"
echo "ERROR: Package extension .$EXTENSION is not supported."
exit 1
fi
TAR_NAME="$(basename $PACKAGE_NAME .$EXTENSION)"
# Sanity check -- we can't make the package in the current directory:
if [ "$CWD" = "$TARGET_NAME" -o "." = "$TARGET_NAME" ]; then
echo "ERROR: Can't make output package in current directory."
exit 2
fi
echo
echo "Slackware package maker, version 3.14159265."
echo
echo "Searching for symbolic links:"
# Get rid of possible pre-existing trouble:
INST=$(mktemp $TMP/makepkg.XXXXXX)
# Escape some characters in symlink names:
find . -type l -printf "%p\t%l\n" | LC_COLLATE=C sort | sed 's,^\./,,; s,[ "#$&\x27()*;<>?[\\`{|~],\\&,g;' | tee $INST
if [ ! "$(cat $INST)" = "" ]; then
echo
echo "Making symbolic link creation script:"
make_install_script $INST | tee doinst.sh
fi
echo
if [ ! "$(cat $INST)" = "" ]; then
if [ -r install/doinst.sh ]; then
echo "Unless your existing installation script already contains the code"
echo "to create these links, you should append these lines to your existing"
echo "install script. Now's your chance. :^)"
echo
echo "Would you like to add this stuff to the existing install script and"
echo -n "remove the symbolic links ([y]es, [n]o)? "
else
echo "It is recommended that you make these lines your new installation script."
echo
echo "Would you like to make this stuff the install script for this package"
echo -n "and remove the symbolic links ([y]es, [n]o)? "
fi
if [ ! "$LINKADD" ]; then
read LINKADD;
echo
else
echo $LINKADD
echo
fi
if [ "$LINKADD" = "y" ]; then
if [ -r install/doinst.sh ]; then
UPDATE="t"
if [ "$PREPEND" = "y" ]; then
touch install/doinst.sh
mv install/doinst.sh install/doinst.sh.shipped
cat doinst.sh > install/doinst.sh
echo "" >> install/doinst.sh
cat install/doinst.sh.shipped >> install/doinst.sh
rm -f install/doinst.sh.shipped
else
cat doinst.sh >> install/doinst.sh
fi
else
mkdir -p install
cat doinst.sh > install/doinst.sh
fi
echo
echo "Removing symbolic links:"
find . -type l -exec rm -v {} \;
echo
if [ "$UPDATE" = "t" ]; then
if [ "$PREPEND" = "y" ]; then
echo "Updating your ./install/doinst.sh (prepending symlinks)..."
else
echo "Updating your ./install/doinst.sh..."
fi
else
echo "Creating your new ./install/doinst.sh..."
fi
fi
else
echo "No symbolic links were found, so we won't make an installation script."
echo "You can make your own later in ./install/doinst.sh and rebuild the"
echo "package if you like."
fi
rm -f doinst.sh $INST
echo
echo "This next step is optional - you can set the directories in your package"
echo "to some sane permissions. If any of the directories in your package have"
echo "special permissions, then DO NOT reset them here!"
echo
echo "Would you like to reset all directory permissions to 755 (drwxr-xr-x) and"
echo -n "directory ownerships to root.root ([y]es, [n]o)? "
if [ ! "$CHOWN" ]; then
read CHOWN;
echo
else
echo $CHOWN
echo
fi
if [ "$CHOWN" = "y" ]; then
find . -type d -exec chmod -v 755 {} \;
find . -type d -exec chown -v root:root {} \;
fi
# Ensure that the 'root' of the package is chmod 755 because
# the / of your filesystem will inherit these permissions.
# If it's anything tighter than 755 then bad things happen such as users
# not being able to login, users already logged in can no longer run commands
# and so on.
OLDROOTPERMS="$(find -name . -printf "%m\n")"
if [ $OLDROOTPERMS -ne 755 ]; then
echo "WARNING: $PWD is chmod $OLDROOTPERMS"
echo " temporarily changing to chmod 755"
chmod 755 .
fi
# Detect/warn/remove rpaths from ELF objects:
Tue Oct 1 18:01:38 UTC 2024 Several ELF objects were found to have rpaths pointing into /tmp, a world writable directory. This could have allowed a local attacker to launch denial of service attacks or execute arbitrary code when the affected binaries are run by placing crafted ELF objects in the /tmp rpath location. All rpaths with an embedded /tmp path have been scrubbed from the binaries, and makepkg has gained a lint feature to detect these so that they won't creep back in. a/kernel-firmware-20241001_95bfe08-noarch-1.txz: Upgraded. a/kernel-generic-6.10.12-x86_64-1.txz: Upgraded. a/pkgtools-15.1-noarch-12.txz: Rebuilt. makepkg: when looking for ELF objects with --remove-rpaths or --remove-tmp-rpaths, avoid false hits on files containing 'ELF' as part of the directory or filename. Also warn about /tmp rpaths after the package is built. ap/cups-2.4.11-x86_64-1.txz: Upgraded. ap/cups-browsed-2.0.1-x86_64-2.txz: Rebuilt. Mitigate security issue that could lead to a denial of service or the execution of arbitrary code. Rebuilt with --with-browseremoteprotocols=none to disable incoming connections, since this daemon has been shown to be insecure. If you actually use cups-browsed, be sure to install the new /etc/cups/cups-browsed.conf.new containing this line: BrowseRemoteProtocols none For more information, see: https://www.cve.org/CVERecord?id=CVE-2024-47176 (* Security fix *) d/kernel-headers-6.10.12-x86-1.txz: Upgraded. d/llvm-18.1.8-x86_64-3.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) d/luajit-2.1.1727621189-x86_64-1.txz: Upgraded. d/ruby-3.3.5-x86_64-2.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) k/kernel-source-6.10.12-noarch-1.txz: Upgraded. kde/kimageformats-5.116.0-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. kde/kio-extras-23.08.5-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. kde/krita-5.2.5-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. kde/libindi-2.1.0-x86_64-1.txz: Upgraded. l/cryfs-0.10.3-x86_64-13.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) l/espeak-ng-1.51.1-x86_64-2.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) l/ffmpeg-7.1-x86_64-1.txz: Upgraded. l/gegl-0.4.48-x86_64-3.txz: Rebuilt. Recompiled against openexr-3.3.0. l/gst-plugins-bad-free-1.24.8-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. l/imagemagick-7.1.1_38-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. l/libgsf-1.14.53-x86_64-1.txz: Upgraded. l/librsvg-2.58.5-x86_64-1.txz: Upgraded. l/libvncserver-0.9.14-x86_64-3.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) l/mozjs128-128.3.0esr-x86_64-1.txz: Upgraded. l/netpbm-11.08.00-x86_64-1.txz: Upgraded. l/opencv-4.10.0-x86_64-3.txz: Rebuilt. Recompiled against openexr-3.3.0. l/openexr-3.3.0-x86_64-1.txz: Upgraded. Shared library .so-version bump. l/python-glad2-2.0.8-x86_64-1.txz: Upgraded. l/python-pyproject-hooks-1.2.0-x86_64-1.txz: Upgraded. l/spirv-llvm-translator-18.1.4-x86_64-2.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) l/woff2-20231106_0f4d304-x86_64-2.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) n/openobex-1.7.2-x86_64-6.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) x/marisa-0.2.6-x86_64-11.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) xap/gimp-2.10.38-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. xap/mozilla-firefox-128.3.0esr-x86_64-1.txz: Upgraded. This update contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/firefox/128.3.0/releasenotes/ https://www.mozilla.org/security/advisories/mfsa2024-47 https://www.cve.org/CVERecord?id=CVE-2024-9392 https://www.cve.org/CVERecord?id=CVE-2024-9393 https://www.cve.org/CVERecord?id=CVE-2024-9394 https://www.cve.org/CVERecord?id=CVE-2024-8900 https://www.cve.org/CVERecord?id=CVE-2024-9396 https://www.cve.org/CVERecord?id=CVE-2024-9397 https://www.cve.org/CVERecord?id=CVE-2024-9398 https://www.cve.org/CVERecord?id=CVE-2024-9399 https://www.cve.org/CVERecord?id=CVE-2024-9400 https://www.cve.org/CVERecord?id=CVE-2024-9401 https://www.cve.org/CVERecord?id=CVE-2024-9402 (* Security fix *) xap/xlockmore-5.80-x86_64-1.txz: Upgraded. isolinux/initrd.img: Rebuilt. kernels/*: Upgraded. testing/packages/kernel-generic-6.11.1-x86_64-1.txz: Upgraded. testing/packages/kernel-headers-6.11.1-x86-1.txz: Upgraded. testing/packages/kernel-source-6.11.1-noarch-1.txz: Upgraded. usb-and-pxe-installers/usbboot.img: Rebuilt.
2024-10-01 20:01:38 +02:00
for ELFOBJ in $(find . -type f | xargs file | grep ' ELF ' | cut -f 1 -d :) ; do
if objdump -p "$ELFOBJ" 2>/dev/null | grep -q R.*PATH ; then
if [ "$REMOVE_RPATHS" = "true" ]; then
echo "Removing rpath from: $ELFOBJ"
patchelf --remove-rpath "$ELFOBJ"
elif [ "$REMOVE_TMP_RPATHS" = "true" ]; then
if objdump -p "$ELFOBJ" 2>/dev/null | grep -q R.*PATH.*/tmp ; then
echo "Removing /tmp rpath from: $ELFOBJ"
patchelf --remove-rpath "$ELFOBJ"
fi
else # just warn:
if objdump -p "$ELFOBJ" 2>/dev/null | grep -q R.*PATH.*/tmp ; then
echo "WARNING: */tmp* rpath found in $ELFOBJ: $(objdump -p "$ELFOBJ" 2>/dev/null | grep R.*PATH)"
Tue Oct 1 18:01:38 UTC 2024 Several ELF objects were found to have rpaths pointing into /tmp, a world writable directory. This could have allowed a local attacker to launch denial of service attacks or execute arbitrary code when the affected binaries are run by placing crafted ELF objects in the /tmp rpath location. All rpaths with an embedded /tmp path have been scrubbed from the binaries, and makepkg has gained a lint feature to detect these so that they won't creep back in. a/kernel-firmware-20241001_95bfe08-noarch-1.txz: Upgraded. a/kernel-generic-6.10.12-x86_64-1.txz: Upgraded. a/pkgtools-15.1-noarch-12.txz: Rebuilt. makepkg: when looking for ELF objects with --remove-rpaths or --remove-tmp-rpaths, avoid false hits on files containing 'ELF' as part of the directory or filename. Also warn about /tmp rpaths after the package is built. ap/cups-2.4.11-x86_64-1.txz: Upgraded. ap/cups-browsed-2.0.1-x86_64-2.txz: Rebuilt. Mitigate security issue that could lead to a denial of service or the execution of arbitrary code. Rebuilt with --with-browseremoteprotocols=none to disable incoming connections, since this daemon has been shown to be insecure. If you actually use cups-browsed, be sure to install the new /etc/cups/cups-browsed.conf.new containing this line: BrowseRemoteProtocols none For more information, see: https://www.cve.org/CVERecord?id=CVE-2024-47176 (* Security fix *) d/kernel-headers-6.10.12-x86-1.txz: Upgraded. d/llvm-18.1.8-x86_64-3.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) d/luajit-2.1.1727621189-x86_64-1.txz: Upgraded. d/ruby-3.3.5-x86_64-2.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) k/kernel-source-6.10.12-noarch-1.txz: Upgraded. kde/kimageformats-5.116.0-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. kde/kio-extras-23.08.5-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. kde/krita-5.2.5-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. kde/libindi-2.1.0-x86_64-1.txz: Upgraded. l/cryfs-0.10.3-x86_64-13.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) l/espeak-ng-1.51.1-x86_64-2.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) l/ffmpeg-7.1-x86_64-1.txz: Upgraded. l/gegl-0.4.48-x86_64-3.txz: Rebuilt. Recompiled against openexr-3.3.0. l/gst-plugins-bad-free-1.24.8-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. l/imagemagick-7.1.1_38-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. l/libgsf-1.14.53-x86_64-1.txz: Upgraded. l/librsvg-2.58.5-x86_64-1.txz: Upgraded. l/libvncserver-0.9.14-x86_64-3.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) l/mozjs128-128.3.0esr-x86_64-1.txz: Upgraded. l/netpbm-11.08.00-x86_64-1.txz: Upgraded. l/opencv-4.10.0-x86_64-3.txz: Rebuilt. Recompiled against openexr-3.3.0. l/openexr-3.3.0-x86_64-1.txz: Upgraded. Shared library .so-version bump. l/python-glad2-2.0.8-x86_64-1.txz: Upgraded. l/python-pyproject-hooks-1.2.0-x86_64-1.txz: Upgraded. l/spirv-llvm-translator-18.1.4-x86_64-2.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) l/woff2-20231106_0f4d304-x86_64-2.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) n/openobex-1.7.2-x86_64-6.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) x/marisa-0.2.6-x86_64-11.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) xap/gimp-2.10.38-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. xap/mozilla-firefox-128.3.0esr-x86_64-1.txz: Upgraded. This update contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/firefox/128.3.0/releasenotes/ https://www.mozilla.org/security/advisories/mfsa2024-47 https://www.cve.org/CVERecord?id=CVE-2024-9392 https://www.cve.org/CVERecord?id=CVE-2024-9393 https://www.cve.org/CVERecord?id=CVE-2024-9394 https://www.cve.org/CVERecord?id=CVE-2024-8900 https://www.cve.org/CVERecord?id=CVE-2024-9396 https://www.cve.org/CVERecord?id=CVE-2024-9397 https://www.cve.org/CVERecord?id=CVE-2024-9398 https://www.cve.org/CVERecord?id=CVE-2024-9399 https://www.cve.org/CVERecord?id=CVE-2024-9400 https://www.cve.org/CVERecord?id=CVE-2024-9401 https://www.cve.org/CVERecord?id=CVE-2024-9402 (* Security fix *) xap/xlockmore-5.80-x86_64-1.txz: Upgraded. isolinux/initrd.img: Rebuilt. kernels/*: Upgraded. testing/packages/kernel-generic-6.11.1-x86_64-1.txz: Upgraded. testing/packages/kernel-headers-6.11.1-x86-1.txz: Upgraded. testing/packages/kernel-source-6.11.1-noarch-1.txz: Upgraded. usb-and-pxe-installers/usbboot.img: Rebuilt.
2024-10-01 20:01:38 +02:00
# This is important, so we'll notify again after the package is built:
NOTIFY_INSECURE_RPATH=" WARNING: */tmp* rpath found in $ELFOBJ: $(objdump -p "$ELFOBJ" 2>/dev/null | grep R.*PATH)"
else
echo "WARNING: rpath found in $ELFOBJ: $(objdump -p "$ELFOBJ" 2>/dev/null | grep R.*PATH)"
fi
fi
fi
done
echo
echo "Creating Slackware package: ${TARGET_NAME}/${TAR_NAME}.${EXTENSION}"
echo
rm -f ${TARGET_NAME}/${TAR_NAME}.${EXTENSION}
# HISTORICAL NOTE 2/2018:
# In the interest of maximizing portability of this script, we'll use find
# and sed to create a filelist compatible with tar-1.13, and then use a
# more modern tar version to create the archive.
#
# Other (but possibly less portable) ways to achieve the same result:
#
# Use the tar --transform and --show-transformed-names options:
# tar --transform "s,^\./\(.\),\1," --show-transformed-names $ACLS $XATTRS -cvf - . | $COMPRESSOR > ${TARGET_NAME}/${TAR_NAME}.${EXTENSION}
#
# Use cpio:
# find ./ | sed '2,$s,^\./,,' | cpio --quiet -ovHustar > ${TARGET_NAME}/${TAR_NAME}.tar
# Create the package:
find ./ | LC_COLLATE=C sort | sed '2,$s,^\./,,' | tar --no-recursion $ACLS $XATTRS $MTIME -T - -cvf - | $COMPRESSOR > ${TARGET_NAME}/${TAR_NAME}.${EXTENSION}
ERRCODE=$?
if [ ! $ERRCODE = 0 ]; then
echo "ERROR: $COMPRESSOR returned error code $ERRCODE -- makepkg failed."
exit 1
fi
# Warn of zero-length files:
find . -type f -size 0c | cut -b3- | sed "s/^/WARNING: zero length file /g"
# Warn of corrupt or empty gzip files:
find . -type f -name '*.gz' | while read file ; do
if ! gzip -t $file 1> /dev/null 2> /dev/null ; then
echo "WARNING: gzip test failed on $(echo $file | cut -b3-)"
else
if [ "$(gzip -l $file | tail -n 1 | tr -s ' ' | cut -f 3 -d ' ')" -eq 0 ]; then
echo "WARNING: $(echo $file | cut -b3-) is an empty gzipped file"
fi
fi
done
# Some more handy warnings:
if [ -d usr/share/man ]; then
echo "WARNING: /usr/share/man (with possibly not gzipped man pages) detected"
fi
if [ -d usr/share/info ]; then
echo "WARNING: /usr/share/info (with possibly not gzipped info pages) detected"
fi
if find . | grep site_perl 1> /dev/null ; then
echo "WARNING: site_perl directory detected (this is fine for a local package build)"
fi
# Restore the old permissions if they previously weren't chmod 755
if [ $OLDROOTPERMS -ne 755 ]; then
echo
echo "Restoring permissions of $PWD to chmod $OLDROOTPERMS"
chmod $OLDROOTPERMS .
fi
echo
echo "Slackware package ${TARGET_NAME}/${TAR_NAME}.${EXTENSION} created."
Tue Oct 1 18:01:38 UTC 2024 Several ELF objects were found to have rpaths pointing into /tmp, a world writable directory. This could have allowed a local attacker to launch denial of service attacks or execute arbitrary code when the affected binaries are run by placing crafted ELF objects in the /tmp rpath location. All rpaths with an embedded /tmp path have been scrubbed from the binaries, and makepkg has gained a lint feature to detect these so that they won't creep back in. a/kernel-firmware-20241001_95bfe08-noarch-1.txz: Upgraded. a/kernel-generic-6.10.12-x86_64-1.txz: Upgraded. a/pkgtools-15.1-noarch-12.txz: Rebuilt. makepkg: when looking for ELF objects with --remove-rpaths or --remove-tmp-rpaths, avoid false hits on files containing 'ELF' as part of the directory or filename. Also warn about /tmp rpaths after the package is built. ap/cups-2.4.11-x86_64-1.txz: Upgraded. ap/cups-browsed-2.0.1-x86_64-2.txz: Rebuilt. Mitigate security issue that could lead to a denial of service or the execution of arbitrary code. Rebuilt with --with-browseremoteprotocols=none to disable incoming connections, since this daemon has been shown to be insecure. If you actually use cups-browsed, be sure to install the new /etc/cups/cups-browsed.conf.new containing this line: BrowseRemoteProtocols none For more information, see: https://www.cve.org/CVERecord?id=CVE-2024-47176 (* Security fix *) d/kernel-headers-6.10.12-x86-1.txz: Upgraded. d/llvm-18.1.8-x86_64-3.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) d/luajit-2.1.1727621189-x86_64-1.txz: Upgraded. d/ruby-3.3.5-x86_64-2.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) k/kernel-source-6.10.12-noarch-1.txz: Upgraded. kde/kimageformats-5.116.0-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. kde/kio-extras-23.08.5-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. kde/krita-5.2.5-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. kde/libindi-2.1.0-x86_64-1.txz: Upgraded. l/cryfs-0.10.3-x86_64-13.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) l/espeak-ng-1.51.1-x86_64-2.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) l/ffmpeg-7.1-x86_64-1.txz: Upgraded. l/gegl-0.4.48-x86_64-3.txz: Rebuilt. Recompiled against openexr-3.3.0. l/gst-plugins-bad-free-1.24.8-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. l/imagemagick-7.1.1_38-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. l/libgsf-1.14.53-x86_64-1.txz: Upgraded. l/librsvg-2.58.5-x86_64-1.txz: Upgraded. l/libvncserver-0.9.14-x86_64-3.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) l/mozjs128-128.3.0esr-x86_64-1.txz: Upgraded. l/netpbm-11.08.00-x86_64-1.txz: Upgraded. l/opencv-4.10.0-x86_64-3.txz: Rebuilt. Recompiled against openexr-3.3.0. l/openexr-3.3.0-x86_64-1.txz: Upgraded. Shared library .so-version bump. l/python-glad2-2.0.8-x86_64-1.txz: Upgraded. l/python-pyproject-hooks-1.2.0-x86_64-1.txz: Upgraded. l/spirv-llvm-translator-18.1.4-x86_64-2.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) l/woff2-20231106_0f4d304-x86_64-2.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) n/openobex-1.7.2-x86_64-6.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) x/marisa-0.2.6-x86_64-11.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) xap/gimp-2.10.38-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. xap/mozilla-firefox-128.3.0esr-x86_64-1.txz: Upgraded. This update contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/firefox/128.3.0/releasenotes/ https://www.mozilla.org/security/advisories/mfsa2024-47 https://www.cve.org/CVERecord?id=CVE-2024-9392 https://www.cve.org/CVERecord?id=CVE-2024-9393 https://www.cve.org/CVERecord?id=CVE-2024-9394 https://www.cve.org/CVERecord?id=CVE-2024-8900 https://www.cve.org/CVERecord?id=CVE-2024-9396 https://www.cve.org/CVERecord?id=CVE-2024-9397 https://www.cve.org/CVERecord?id=CVE-2024-9398 https://www.cve.org/CVERecord?id=CVE-2024-9399 https://www.cve.org/CVERecord?id=CVE-2024-9400 https://www.cve.org/CVERecord?id=CVE-2024-9401 https://www.cve.org/CVERecord?id=CVE-2024-9402 (* Security fix *) xap/xlockmore-5.80-x86_64-1.txz: Upgraded. isolinux/initrd.img: Rebuilt. kernels/*: Upgraded. testing/packages/kernel-generic-6.11.1-x86_64-1.txz: Upgraded. testing/packages/kernel-headers-6.11.1-x86-1.txz: Upgraded. testing/packages/kernel-source-6.11.1-noarch-1.txz: Upgraded. usb-and-pxe-installers/usbboot.img: Rebuilt.
2024-10-01 20:01:38 +02:00
if [ ! -z "$NOTIFY_INSECURE_RPATH" ]; then
echo "WARNING: detected at least one insecure /tmp rpath:"
echo $NOTIFY_INSECURE_RPATH
fi
echo