mirror of
git://slackware.nl/current.git
synced 2025-02-14 08:48:37 +01:00
4657194ae3
Several ELF objects were found to have rpaths pointing into /tmp, a world
writable directory. This could have allowed a local attacker to launch denial
of service attacks or execute arbitrary code when the affected binaries are
run by placing crafted ELF objects in the /tmp rpath location. All rpaths with
an embedded /tmp path have been scrubbed from the binaries, and makepkg has
gained a lint feature to detect these so that they won't creep back in.
extra/llvm-17.0.6-x86_64-2_slack15.0.txz: Rebuilt.
Remove rpaths from binaries.
(* Security fix *)
patches/packages/cryfs-0.10.3-x86_64-5_slack15.0.txz: Rebuilt.
Remove rpaths from binaries.
(* Security fix *)
patches/packages/cups-filters-1.28.17-x86_64-2_slack15.0.txz: Rebuilt.
Mitigate security issue that could lead to a denial of service or
the execution of arbitrary code.
Rebuilt with --with-browseremoteprotocols=none to disable incoming
connections, since this daemon has been shown to be insecure. If you
actually use cups-browsed, be sure to install the new
/etc/cups/cups-browsed.conf.new containing this line:
BrowseRemoteProtocols none
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2024-47176
(* Security fix *)
patches/packages/espeak-ng-1.50-x86_64-4_slack15.0.txz: Rebuilt.
Remove rpaths from binaries.
(* Security fix *)
patches/packages/libvncserver-0.9.13-x86_64-4_slack15.0.txz: Rebuilt.
Remove rpaths from binaries.
(* Security fix *)
patches/packages/marisa-0.2.6-x86_64-5_slack15.0.txz: Rebuilt.
Remove rpaths from binaries.
(* Security fix *)
patches/packages/mlt-7.4.0-x86_64-2_slack15.0.txz: Rebuilt.
Remove rpaths from binaries.
(* Security fix *)
patches/packages/mozilla-firefox-115.16.0esr-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/115.16.0/releasenotes/
https://www.mozilla.org/security/advisories/mfsa2024-48
https://www.cve.org/CVERecord?id=CVE-2024-9392
https://www.cve.org/CVERecord?id=CVE-2024-9393
https://www.cve.org/CVERecord?id=CVE-2024-9394
https://www.cve.org/CVERecord?id=CVE-2024-9401
(* Security fix *)
patches/packages/openobex-1.7.2-x86_64-6_slack15.0.txz: Rebuilt.
Remove rpaths from binaries.
(* Security fix *)
patches/packages/pkgtools-15.0-noarch-44_slack15.0.txz: Rebuilt.
makepkg: when looking for ELF objects with --remove-rpaths or
--remove-tmp-rpaths, avoid false hits on files containing 'ELF' as part
of the directory or filename.
Also warn about /tmp rpaths after the package is built.
patches/packages/spirv-llvm-translator-13.0.0-x86_64-2_slack15.0.txz: Rebuilt.
Remove rpaths from binaries.
(* Security fix *)
testing/packages/llvm-18.1.8-x86_64-2_slack15.0.txz: Rebuilt.
Remove rpaths from binaries.
(* Security fix *)
97 lines
4.1 KiB
Bash
Executable file
97 lines
4.1 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
# Copyright 2011, 2016, 2018, 2023 Patrick J. Volkerding, Sebeka, MN, USA
|
|
# All rights reserved.
|
|
#
|
|
# Redistribution and use of this script, with or without modification, is
|
|
# permitted provided that the following conditions are met:
|
|
#
|
|
# 1. Redistributions of this script must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
|
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
|
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
|
|
# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
|
|
# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
|
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
|
|
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
|
|
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
cd $(dirname $0) ; CWD=$(pwd)
|
|
|
|
PKGNAM=kernel-firmware
|
|
ARCH=noarch
|
|
BUILD=${BUILD:-1}
|
|
# Compress the firmware blobs?
|
|
# Default is "none" for no compression.
|
|
# Other types known to be currently supported are "xz" and "zstd".
|
|
COMPRESSION=${COMPRESSION:-none}
|
|
|
|
# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
|
|
# the name of the created package would be, and then exit. This information
|
|
# could be useful to other scripts.
|
|
if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
|
|
# Internally, git considers the repo date to be the date the last committed
|
|
# patch was submitted. This is somewhat confusing, as it can lead to a newer
|
|
# git clone having a date older than the last one we used. To avoid this
|
|
# situation, we're going to deviate a little and use the date the HEAD
|
|
# patch or merge occured as the repo date, rather than the date of the
|
|
# patch itself.
|
|
#DATE="$(lynx -dump -width=256 https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=HEAD | grep " author " | head -n 1 | rev | cut -f 3 -d ' ' | rev | tr -d -)"
|
|
DATE="$(lynx -dump -width=256 https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=HEAD | grep " committer " | head -n 1 | rev | cut -f 3 -d ' ' | rev | tr -d -)"
|
|
HEADISAT="$(lynx -dump -width=256 https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=HEAD | grep " commit " | head -n 1 | cut -f 2 -d ] | cut -b 1-7)"
|
|
echo "$PKGNAM-${DATE}_${HEADISAT}-$ARCH-$BUILD.txz"
|
|
exit 0
|
|
fi
|
|
|
|
TMP=${TMP:-/tmp}
|
|
PKG=$TMP/package-$PKGNAM
|
|
|
|
rm -rf $PKG
|
|
mkdir -p $TMP $PKG
|
|
|
|
cd $PKG
|
|
git clone git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git
|
|
# Better determine these the same way as above.
|
|
DATE="$(lynx -dump -width=256 https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=HEAD | grep " committer " | head -n 1 | rev | cut -f 3 -d ' ' | rev | tr -d -)"
|
|
HEADISAT="$(lynx -dump -width=256 https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=HEAD | grep " commit " | head -n 1 | cut -f 2 -d ] | cut -b 1-7)"
|
|
find . -name ".git*" -exec rm -rf "{}" \+
|
|
chown -R root:root .
|
|
mkdir -p lib/firmware
|
|
|
|
# Install the firmware from the download directory using "make $INSTALLTARGET":
|
|
case $COMPRESSION in
|
|
xz) INSTALLTARGET="install-xz" ;;
|
|
zstd) INSTALLTARGET="install-zst" ;;
|
|
*) INSTALLTARGET="install" ;;
|
|
esac
|
|
( cd linux-firmware
|
|
echo "Running make DESTDIR=$PKG ${INSTALLTARGET}..."
|
|
make DESTDIR=$PKG $INSTALLTARGET 2> /dev/null
|
|
)
|
|
rm -rf linux-firmware
|
|
|
|
# Remove sources for carl9170fw:
|
|
( cd $PKG/lib/firmware
|
|
if [ -d carl9170fw ]; then
|
|
mv carl9170fw/COPYRIGHT COPYRIGHT.carl9170fw
|
|
mv carl9170fw/GPL LICENSE.carl9170fw
|
|
rm -rf carl9170fw
|
|
fi
|
|
)
|
|
|
|
# Install documentation link:
|
|
mkdir -p $PKG/usr/doc
|
|
( cd $PKG/usr/doc
|
|
ln -sf /lib/firmware kernel-firmware-${DATE}_${HEADISAT}
|
|
)
|
|
|
|
mkdir -p $PKG/install
|
|
cat $CWD/slack-desc > $PKG/install/slack-desc
|
|
|
|
cd $PKG
|
|
/sbin/makepkg -l y -c n $TMP/$PKGNAM-${DATE}_${HEADISAT}-$ARCH-$BUILD.txz
|
|
|