mirror of
git://slackware.nl/current.git
synced 2024-12-29 10:25:00 +01:00
4657194ae3
Several ELF objects were found to have rpaths pointing into /tmp, a world writable directory. This could have allowed a local attacker to launch denial of service attacks or execute arbitrary code when the affected binaries are run by placing crafted ELF objects in the /tmp rpath location. All rpaths with an embedded /tmp path have been scrubbed from the binaries, and makepkg has gained a lint feature to detect these so that they won't creep back in. extra/llvm-17.0.6-x86_64-2_slack15.0.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) patches/packages/cryfs-0.10.3-x86_64-5_slack15.0.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) patches/packages/cups-filters-1.28.17-x86_64-2_slack15.0.txz: Rebuilt. Mitigate security issue that could lead to a denial of service or the execution of arbitrary code. Rebuilt with --with-browseremoteprotocols=none to disable incoming connections, since this daemon has been shown to be insecure. If you actually use cups-browsed, be sure to install the new /etc/cups/cups-browsed.conf.new containing this line: BrowseRemoteProtocols none For more information, see: https://www.cve.org/CVERecord?id=CVE-2024-47176 (* Security fix *) patches/packages/espeak-ng-1.50-x86_64-4_slack15.0.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) patches/packages/libvncserver-0.9.13-x86_64-4_slack15.0.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) patches/packages/marisa-0.2.6-x86_64-5_slack15.0.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) patches/packages/mlt-7.4.0-x86_64-2_slack15.0.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) patches/packages/mozilla-firefox-115.16.0esr-x86_64-1_slack15.0.txz: Upgraded. This update contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/firefox/115.16.0/releasenotes/ https://www.mozilla.org/security/advisories/mfsa2024-48 https://www.cve.org/CVERecord?id=CVE-2024-9392 https://www.cve.org/CVERecord?id=CVE-2024-9393 https://www.cve.org/CVERecord?id=CVE-2024-9394 https://www.cve.org/CVERecord?id=CVE-2024-9401 (* Security fix *) patches/packages/openobex-1.7.2-x86_64-6_slack15.0.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) patches/packages/pkgtools-15.0-noarch-44_slack15.0.txz: Rebuilt. makepkg: when looking for ELF objects with --remove-rpaths or --remove-tmp-rpaths, avoid false hits on files containing 'ELF' as part of the directory or filename. Also warn about /tmp rpaths after the package is built. patches/packages/spirv-llvm-translator-13.0.0-x86_64-2_slack15.0.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) testing/packages/llvm-18.1.8-x86_64-2_slack15.0.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *)
319 lines
10 KiB
Bash
Executable file
319 lines
10 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
# Copyright 2017 Andrew Clemons, Wellington, New Zealand
|
|
# Copyright 2017, 2018, 2019, 2020, 2021, 2022, 2023 Patrick J. Volkerding, Sebeka, Minnesota, USA
|
|
# Copyright 2017 Stuart Winter
|
|
# All rights reserved.
|
|
#
|
|
# Redistribution and use of this script, with or without modification, is
|
|
# permitted provided that the following conditions are met:
|
|
#
|
|
# 1. Redistributions of this script must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED
|
|
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
|
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
|
|
# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
|
|
# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
|
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
|
|
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
|
|
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
cd $(dirname $0) ; CWD=$(pwd)
|
|
|
|
PKGNAM=rust
|
|
SRCNAM="${PKGNAM}c"
|
|
VERSION=${VERSION:-1.81.0}
|
|
BUILD=${BUILD:-1_slack15.0}
|
|
|
|
# Set this to YES to build with the system LLVM, or NO to use the bundled LLVM.
|
|
SYSTEM_LLVM=${SYSTEM_LLVM:-NO}
|
|
|
|
# Bootstrap variables (might not be kept updated for latest Rust):
|
|
RSTAGE0_VERSION=${RSTAGE0_VERSION:-1.80.1}
|
|
RSTAGE0_DIR=${RSTAGE0_DIR:-2024-08-08}
|
|
CSTAGE0_VERSION=${CSTAGE0_VERSION:-1.80.1}
|
|
CSTAGE0_DIR=${CSTAGE0_DIR:-$RSTAGE0_DIR}
|
|
|
|
# Automatically determine the architecture we're building on:
|
|
MARCH=$( uname -m )
|
|
if [ -z "$ARCH" ]; then
|
|
case "$MARCH" in
|
|
i?86) export ARCH=i686 ;;
|
|
armv7hl) export ARCH=$MARCH ;;
|
|
arm*) export ARCH=arm ;;
|
|
# Unless $ARCH is already set, use uname -m for all other archs:
|
|
*) export ARCH=$MARCH ;;
|
|
esac
|
|
fi
|
|
unset MARCH
|
|
|
|
# For compiling i686 under an x86_64 kernel:
|
|
if [ "$(uname -m)" = "x86_64" -a "$(file -L /usr/bin/gcc | grep 80386 | grep 32-bit)" != "" ]; then
|
|
ARCH=i686
|
|
fi
|
|
|
|
# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
|
|
# the name of the created package would be, and then exit. This information
|
|
# could be useful to other scripts.
|
|
if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
|
|
echo "$PKGNAM-$VERSION-$ARCH-$BUILD.txz"
|
|
exit 0
|
|
fi
|
|
|
|
# If the bootstrap binaries are present, use those. Otherwise bootstrap from
|
|
# installed compiler.
|
|
if /bin/ls *-unknown-linux-gnu.tar.?z 1> /dev/null 2> /dev/null ; then
|
|
LOCAL_BOOTSTRAP=no
|
|
else
|
|
LOCAL_BOOTSTRAP=yes
|
|
fi
|
|
|
|
# https://forge.rust-lang.org/platform-support.html
|
|
# Bootstrapping ARCH:
|
|
if [ "$ARCH" = "i586" ]; then
|
|
if [ "$LOCAL_BOOTSTRAP" = "yes" ] ; then
|
|
if rustc -Vv | grep host | grep i586 > /dev/null ; then
|
|
BARCH="$ARCH"
|
|
else
|
|
BARCH="i686"
|
|
if case "$( uname -m )" in i586) true ;; *) false ;; esac ; then
|
|
echo "rust must be bootstrapped from an i686 machine"
|
|
exit 1
|
|
fi
|
|
fi
|
|
else
|
|
# i586 must be built on a i686 machine, since the bootstrap compiler is i686
|
|
BARCH="i686"
|
|
if case "$( uname -m )" in i586) true ;; *) false ;; esac ; then
|
|
echo "rust must be bootstrapped from an i686 machine"
|
|
exit 1
|
|
fi
|
|
fi
|
|
TARCH="$ARCH"
|
|
elif [ "$ARCH" = "armv7hl" ]; then
|
|
BARCH="armv7"
|
|
TARCH="$BARCH"
|
|
else
|
|
BARCH="$ARCH"
|
|
TARCH="$ARCH"
|
|
fi
|
|
|
|
# Bootstrapping ABI:
|
|
if [ "$ARCH" = "armv7hl" ]; then
|
|
BABI="gnueabihf"
|
|
else
|
|
BABI="gnu"
|
|
fi
|
|
|
|
TMP=${TMP:-/tmp}
|
|
OUTPUT=${OUTPUT:-$TMP}
|
|
PKG=$TMP/package-$PKGNAM
|
|
|
|
# Not needed, as the build will automatically use as many jobs as there are
|
|
# threads.
|
|
#NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
|
|
|
|
if [ "$ARCH" = "i586" ]; then
|
|
LIBDIRSUFFIX=""
|
|
elif [ "$ARCH" = "i686" ]; then
|
|
LIBDIRSUFFIX=""
|
|
elif [ "$ARCH" = "x86_64" ]; then
|
|
LIBDIRSUFFIX="64"
|
|
elif [ "$ARCH" = "armv7hl" ]; then
|
|
LIBDIRSUFFIX=""
|
|
else
|
|
LIBDIRSUFFIX=""
|
|
fi
|
|
|
|
rm -rf $PKG
|
|
mkdir -p $TMP $PKG $OUTPUT
|
|
cd $TMP
|
|
rm -rf $SRCNAM-$VERSION-src
|
|
echo "Extracting $CWD/$SRCNAM-$VERSION-src.tar.?z..."
|
|
tar xf $CWD/$SRCNAM-$VERSION-src.tar.?z || exit 1
|
|
cd $SRCNAM-$VERSION-src || exit 1
|
|
|
|
# Link with -lffi in case of using system LLVM:
|
|
if [ "${SYSTEM_LLVM}" = "YES" ]; then
|
|
zcat $CWD/link_libffi.diff.gz | patch -p1 --verbose || exit 1
|
|
fi
|
|
|
|
cat $CWD/0004-compiler-Use-wasm-ld-for-wasm-targets.patch | patch -p1 --verbose || exit 1
|
|
|
|
if [ "$LOCAL_BOOTSTRAP" != "yes" ] ; then
|
|
# rust requires bootstrapping with the previous rust version.
|
|
# versions are defined in src/stage0.txt.
|
|
mkdir -p build/cache/$RSTAGE0_DIR
|
|
cp $CWD/$PKGNAM-std-$RSTAGE0_VERSION-$BARCH-unknown-linux-gnu.tar.?z \
|
|
$CWD/$SRCNAM-$RSTAGE0_VERSION-$BARCH-unknown-linux-gnu.tar.?z \
|
|
build/cache/$RSTAGE0_DIR
|
|
mkdir -p build/cache/$CSTAGE0_DIR
|
|
cp $CWD/cargo-$CSTAGE0_VERSION-$BARCH-unknown-linux-gnu.tar.?z build/cache/$CSTAGE0_DIR
|
|
fi
|
|
|
|
# Build configuration:
|
|
cat << EOF > config.toml
|
|
[llvm]
|
|
ccache = "/usr/bin/ccache"
|
|
link-shared = true
|
|
|
|
[build]
|
|
build = "$BARCH-unknown-linux-$BABI"
|
|
host = ["$TARCH-unknown-linux-$BABI"]
|
|
target = ["$TARCH-unknown-linux-$BABI"]
|
|
tools = ["analysis", "cargo", "clippy", "rls", "rustfmt", "src", "rust-analyzer", "rust-demangler"]
|
|
submodules = false
|
|
vendor = true
|
|
extended = true
|
|
profiler = true
|
|
sanitizers = true
|
|
# Do not query new versions of dependencies online.
|
|
locked-deps = true
|
|
|
|
[install]
|
|
prefix = "/usr"
|
|
docdir = "doc/rust-$VERSION"
|
|
libdir = "lib$LIBDIRSUFFIX"
|
|
mandir = "man"
|
|
|
|
[rust]
|
|
codegen-units = 0
|
|
channel = "stable"
|
|
rpath = false
|
|
codegen-tests = false
|
|
|
|
EOF
|
|
|
|
if [ "${SYSTEM_LLVM}" = "YES" ]; then
|
|
cat << EOF >> config.toml
|
|
# Add this stuff to build with the system LLVM:
|
|
[target.i586-unknown-linux-gnu]
|
|
llvm-config = "/usr/bin/llvm-config"
|
|
|
|
[target.i686-unknown-linux-gnu]
|
|
llvm-config = "/usr/bin/llvm-config"
|
|
|
|
[target.x86_64-unknown-linux-gnu]
|
|
llvm-config = "/usr/bin/llvm-config"
|
|
|
|
[target.armv7-unknown-linux-gnueabihf]
|
|
llvm-config = "/usr/bin/llvm-config"
|
|
EOF
|
|
fi
|
|
|
|
if [ "$LOCAL_BOOTSTRAP" = "yes" ] ; then
|
|
sed -i "s|^\(extended = true\)$|\1\nrustc = \"/usr/bin/rustc\"\ncargo = \"/usr/bin/cargo\"|" config.toml
|
|
fi
|
|
|
|
chown -R root:root .
|
|
find -L . \
|
|
\( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
|
|
-o -perm 511 \) -exec chmod 755 {} \+ -o \
|
|
\( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
|
|
-o -perm 440 -o -perm 400 \) -exec chmod 644 {} \+
|
|
|
|
export PKG_CONFIG_ALLOW_CROSS=1
|
|
|
|
if [ "$BARCH" = "i586" ] ; then
|
|
# when bootstrapping from i586 (rust already installed), also build a i686
|
|
# rustlib:
|
|
sed -i 's/^target =.*$/target = ["i686-unknown-linux-gnu"]/' config.toml
|
|
elif [ "$BARCH" = "i686" ] ; then
|
|
if [ "$TARCH" = "i586" ] ; then
|
|
# this will cause some messages like:
|
|
# warning: redundant linker flag specified for library `m`
|
|
# but will keep the build from falling over when doing the stage1 compiler
|
|
# linking for the i586 compiler. seems the correct flags don't get passed
|
|
# through and we end up failures like:
|
|
# error: linking with `clang` failed: exit code: 1
|
|
# /tmp/SBo/rustc-1.20.0-src/build/i686-unknown-linux-gnu/stage1-rustc/i586-unknown-linux-gnu/release/deps/librustc_llvm-4ab259c9aed547db.so: undefined reference to `xxx`
|
|
export RUSTFLAGS="$RUSTFLAGS -C link-args=-lrt -ldl -lcurses -lpthread -lz -lm"
|
|
fi
|
|
fi
|
|
|
|
# Fix path to the rust libraries in rust-analyzer:
|
|
if [ -r src/tools/rust-analyzer/crates/rust-analyzer/src/config.rs ]; then
|
|
if [ ! "$LIBDIRSUFFIX" = "" ]; then
|
|
sed -i "s,\"lib/rustlib,\"lib${LIBDIRSUFFIX}/rustlib,g" src/tools/rust-analyzer/crates/project-model/src/sysroot.rs
|
|
fi
|
|
fi
|
|
|
|
# Build and install:
|
|
python3 ./x.py build || exit 1
|
|
DESTDIR=$PKG python3 x.py install || exit 1
|
|
|
|
# In case the rls stub doesn't get installed by the 'install' target:
|
|
if [ ! -x $PKG/usr/bin/rls ]; then
|
|
install -m755 build/*-linux-gnu/stage1-tools-bin/rls $PKG/usr/bin/rls
|
|
fi
|
|
|
|
# Fix path to lldb_commands:
|
|
if [ -x $PKG/usr/bin/rust-lldb ]; then
|
|
if [ ! "$LIBDIRSUFFIX" = "" ]; then
|
|
sed -i "s,/lib/rustlib/,/lib$LIBDIRSUFFIX/rustlib/,g" $PKG/usr/bin/rust-lldb
|
|
fi
|
|
fi
|
|
|
|
# Eh, none of this is all that big. Might as well leave it around as a
|
|
# reference.
|
|
#rm -f $PKG/usr/lib$LIBDIRSUFFIX/rustlib/components
|
|
#rm -f $PKG/usr/lib$LIBDIRSUFFIX/rustlib/install.log
|
|
#rm -f $PKG/usr/lib$LIBDIRSUFFIX/rustlib/manifest-*
|
|
#rm -f $PKG/usr/lib$LIBDIRSUFFIX/rustlib/rust-installer-version
|
|
#rm -f $PKG/usr/lib$LIBDIRSUFFIX/rustlib/uninstall.sh
|
|
# Make sure the paths are correct, though:
|
|
sed -i "s,/tmp/package-rust/,/,g" $PKG/usr/lib$LIBDIRSUFFIX/rustlib/install.log $PKG/usr/lib$LIBDIRSUFFIX/rustlib/manifest-*
|
|
# And a little compression doesn't hurt either:
|
|
gzip -9 $PKG/usr/lib$LIBDIRSUFFIX/rustlib/manifest-*
|
|
|
|
# Move bash completions to the system location:
|
|
if [ -d $PKG/etc/bash_completion.d ]; then
|
|
mkdir -p $PKG/usr/share/bash-completion
|
|
mv $PKG/etc/bash_completion.d $PKG/usr/share/bash-completion/completions
|
|
rmdir $PKG/etc 2> /dev/null
|
|
fi
|
|
|
|
# Correct permissions on shared libraries:
|
|
find $PKG/usr/lib$LIBDIRSUFFIX -name "*.so" -exec chmod 755 "{}" \+
|
|
|
|
# Evidently there are a lot of duplicated libraries in this tree, so let's
|
|
# try to save some space:
|
|
( cd $PKG/usr/lib${LIBDIRSUFFIX}/rustlib/*-linux-gnu/lib && for file in *.so ; do if cmp -s $file ../../../$file ; then ln -sf ../../../$file .; fi; done )
|
|
|
|
# Strip ELF objects:
|
|
find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \
|
|
| cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
|
|
|
|
# Get rid of possible .old files in these locations:
|
|
rm -f $PKG/usr/lib${LIBDIRSUFFIX}/*.old
|
|
rm -f $PKG/usr/bin/*.old
|
|
|
|
# Commented out (for now) since we disable rpaths in config.toml:
|
|
## Remove any compiled-in RPATHs:
|
|
#find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \
|
|
# | cut -f 1 -d : | while read elfobject ; do
|
|
# patchelf --remove-rpath $elfobject || exit 1
|
|
#done
|
|
|
|
# Compress man pages:
|
|
find $PKG/usr/man -type f -exec gzip -9 {} \+
|
|
for i in $( find $PKG/usr/man -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
|
|
|
|
# Add some documentation:
|
|
mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION
|
|
cp -a *.md COPYRIGHT* COPYING* LICENSE* $PKG/usr/doc/$PKGNAM-$VERSION
|
|
# Include licenses from third party vendors:
|
|
mkdir $PKG/usr/doc/$PKGNAM-$VERSION/vendor
|
|
( cd vendor
|
|
tar cf - $(find . -maxdepth 2 | grep -e README -e LICENSE -e COPYING -e CHANGELOG -e PERFORMANCE -e UPGRADE ) | ( cd $PKG/usr/doc/$PKGNAM-$VERSION/vendor ; tar xf - )
|
|
)
|
|
|
|
mkdir -p $PKG/install
|
|
cat $CWD/slack-desc > $PKG/install/slack-desc
|
|
|
|
cd $PKG
|
|
/sbin/makepkg -l y -c n $OUTPUT/$PKGNAM-$VERSION-$ARCH-$BUILD.txz
|