mirror of
git://slackware.nl/current.git
synced 2024-12-27 09:59:16 +01:00
1e755d579a
Several ELF objects were found to have rpaths pointing into /tmp, a world writable directory. This could have allowed a local attacker to launch denial of service attacks or execute arbitrary code when the affected binaries are run by placing crafted ELF objects in the /tmp rpath location. All rpaths with an embedded /tmp path have been scrubbed from the binaries, and makepkg has gained a lint feature to detect these so that they won't creep back in. a/kernel-firmware-20241001_95bfe08-noarch-1.txz: Upgraded. a/kernel-generic-6.10.12-x86_64-1.txz: Upgraded. a/pkgtools-15.1-noarch-12.txz: Rebuilt. makepkg: when looking for ELF objects with --remove-rpaths or --remove-tmp-rpaths, avoid false hits on files containing 'ELF' as part of the directory or filename. Also warn about /tmp rpaths after the package is built. ap/cups-2.4.11-x86_64-1.txz: Upgraded. ap/cups-browsed-2.0.1-x86_64-2.txz: Rebuilt. Mitigate security issue that could lead to a denial of service or the execution of arbitrary code. Rebuilt with --with-browseremoteprotocols=none to disable incoming connections, since this daemon has been shown to be insecure. If you actually use cups-browsed, be sure to install the new /etc/cups/cups-browsed.conf.new containing this line: BrowseRemoteProtocols none For more information, see: https://www.cve.org/CVERecord?id=CVE-2024-47176 (* Security fix *) d/kernel-headers-6.10.12-x86-1.txz: Upgraded. d/llvm-18.1.8-x86_64-3.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) d/luajit-2.1.1727621189-x86_64-1.txz: Upgraded. d/ruby-3.3.5-x86_64-2.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) k/kernel-source-6.10.12-noarch-1.txz: Upgraded. kde/kimageformats-5.116.0-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. kde/kio-extras-23.08.5-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. kde/krita-5.2.5-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. kde/libindi-2.1.0-x86_64-1.txz: Upgraded. l/cryfs-0.10.3-x86_64-13.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) l/espeak-ng-1.51.1-x86_64-2.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) l/ffmpeg-7.1-x86_64-1.txz: Upgraded. l/gegl-0.4.48-x86_64-3.txz: Rebuilt. Recompiled against openexr-3.3.0. l/gst-plugins-bad-free-1.24.8-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. l/imagemagick-7.1.1_38-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. l/libgsf-1.14.53-x86_64-1.txz: Upgraded. l/librsvg-2.58.5-x86_64-1.txz: Upgraded. l/libvncserver-0.9.14-x86_64-3.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) l/mozjs128-128.3.0esr-x86_64-1.txz: Upgraded. l/netpbm-11.08.00-x86_64-1.txz: Upgraded. l/opencv-4.10.0-x86_64-3.txz: Rebuilt. Recompiled against openexr-3.3.0. l/openexr-3.3.0-x86_64-1.txz: Upgraded. Shared library .so-version bump. l/python-glad2-2.0.8-x86_64-1.txz: Upgraded. l/python-pyproject-hooks-1.2.0-x86_64-1.txz: Upgraded. l/spirv-llvm-translator-18.1.4-x86_64-2.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) l/woff2-20231106_0f4d304-x86_64-2.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) n/openobex-1.7.2-x86_64-6.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) x/marisa-0.2.6-x86_64-11.txz: Rebuilt. Remove rpaths from binaries. (* Security fix *) xap/gimp-2.10.38-x86_64-2.txz: Rebuilt. Recompiled against openexr-3.3.0. xap/mozilla-firefox-128.3.0esr-x86_64-1.txz: Upgraded. This update contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/firefox/128.3.0/releasenotes/ https://www.mozilla.org/security/advisories/mfsa2024-47 https://www.cve.org/CVERecord?id=CVE-2024-9392 https://www.cve.org/CVERecord?id=CVE-2024-9393 https://www.cve.org/CVERecord?id=CVE-2024-9394 https://www.cve.org/CVERecord?id=CVE-2024-8900 https://www.cve.org/CVERecord?id=CVE-2024-9396 https://www.cve.org/CVERecord?id=CVE-2024-9397 https://www.cve.org/CVERecord?id=CVE-2024-9398 https://www.cve.org/CVERecord?id=CVE-2024-9399 https://www.cve.org/CVERecord?id=CVE-2024-9400 https://www.cve.org/CVERecord?id=CVE-2024-9401 https://www.cve.org/CVERecord?id=CVE-2024-9402 (* Security fix *) xap/xlockmore-5.80-x86_64-1.txz: Upgraded. isolinux/initrd.img: Rebuilt. kernels/*: Upgraded. testing/packages/kernel-generic-6.11.1-x86_64-1.txz: Upgraded. testing/packages/kernel-headers-6.11.1-x86-1.txz: Upgraded. testing/packages/kernel-source-6.11.1-noarch-1.txz: Upgraded. usb-and-pxe-installers/usbboot.img: Rebuilt.
128 lines
4.1 KiB
Bash
Executable file
128 lines
4.1 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
# Copyright 2008, 2009, 2010, 2011, 2018, 2020 Patrick J. Volkerding, Sebeka, Minnesota, USA
|
|
# All rights reserved.
|
|
#
|
|
# Redistribution and use of this script, with or without modification, is
|
|
# permitted provided that the following conditions are met:
|
|
#
|
|
# 1. Redistributions of this script must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
|
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
|
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
|
|
# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
|
|
# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
|
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
|
|
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
|
|
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
cd $(dirname $0) ; CWD=$(pwd)
|
|
|
|
PKGNAM=libgsf
|
|
VERSION=${VERSION:-$(echo libgsf-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
|
|
BUILD=${BUILD:-1}
|
|
|
|
NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
|
|
|
|
# Automatically determine the architecture we're building on:
|
|
if [ -z "$ARCH" ]; then
|
|
case "$( uname -m )" in
|
|
i?86) export ARCH=i686 ;;
|
|
arm*) export ARCH=arm ;;
|
|
# Unless $ARCH is already set, use uname -m for all other archs:
|
|
*) export ARCH=$( uname -m ) ;;
|
|
esac
|
|
fi
|
|
|
|
# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
|
|
# the name of the created package would be, and then exit. This information
|
|
# could be useful to other scripts.
|
|
if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
|
|
echo "$PKGNAM-$VERSION-$ARCH-$BUILD.txz"
|
|
exit 0
|
|
fi
|
|
|
|
TMP=${TMP:-/tmp}
|
|
PKG=$TMP/package-libgsf
|
|
|
|
if [ "$ARCH" = "i686" ]; then
|
|
SLKCFLAGS="-O2 -march=pentium4 -mtune=generic"
|
|
LIBDIRSUFFIX=""
|
|
elif [ "$ARCH" = "x86_64" ]; then
|
|
SLKCFLAGS="-O2 -march=x86-64 -mtune=generic -fPIC"
|
|
LIBDIRSUFFIX="64"
|
|
else
|
|
SLKCFLAGS="-O2"
|
|
LIBDIRSUFFIX=""
|
|
fi
|
|
|
|
rm -rf $PKG
|
|
mkdir -p $TMP $PKG
|
|
cd $TMP
|
|
rm -rf libgsf-$VERSION
|
|
tar xvf $CWD/libgsf-$VERSION.tar.?z || exit 1
|
|
cd libgsf-$VERSION || exit 1
|
|
chown -R root:root .
|
|
find . \
|
|
\( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
|
|
-exec chmod 755 {} \+ -o \
|
|
\( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
|
|
-exec chmod 644 {} \+
|
|
|
|
if [ ! -r configure ]; then
|
|
NOCONFIGURE=1 ./autogen.sh
|
|
fi
|
|
|
|
CFLAGS="$SLKCFLAGS" \
|
|
./configure \
|
|
--prefix=/usr \
|
|
--libdir=/usr/lib${LIBDIRSUFFIX} \
|
|
--sysconfdir=/etc \
|
|
--localstatedir=/var/lib \
|
|
--enable-gtk-doc \
|
|
--with-html-dir=/usr/share/gtk-doc/html \
|
|
--mandir=/usr/man \
|
|
--disable-static \
|
|
--enable-introspection \
|
|
--with-bz2 \
|
|
--build=$ARCH-slackware-linux || exit 1
|
|
|
|
make $NUMJOBS || make || exit 1
|
|
make install DESTDIR=$PKG || exit 1
|
|
|
|
# Don't ship .la files:
|
|
rm -f $PKG/{,usr/}lib${LIBDIRSUFFIX}/*.la
|
|
|
|
# In the remote chance that any man page was installed, and to the
|
|
# requested directory too, then let's gzip it. Probably send the error
|
|
# output from this one to /dev/null, because gzip won't find anything.
|
|
( cd $PKG/usr/man
|
|
find . -type f -exec gzip -9 {} \+
|
|
for i in $( find . -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
|
|
)
|
|
|
|
find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
|
|
| cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
|
|
|
|
mkdir -p $PKG/usr/doc/libgsf-$VERSION
|
|
cp -a \
|
|
AUTHORS BUGS COPYING* HACKING NEWS README* TODO \
|
|
$PKG/usr/doc/libgsf-$VERSION
|
|
|
|
# If there's a ChangeLog, installing at least part of the recent history
|
|
# is useful, but don't let it get totally out of control:
|
|
if [ -r ChangeLog ]; then
|
|
DOCSDIR=$(echo $PKG/usr/doc/*-$VERSION)
|
|
cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog
|
|
touch -r ChangeLog $DOCSDIR/ChangeLog
|
|
fi
|
|
|
|
mkdir -p $PKG/install
|
|
cat $CWD/slack-desc > $PKG/install/slack-desc
|
|
|
|
cd $PKG
|
|
/sbin/makepkg -l y -c n $TMP/libgsf-$VERSION-$ARCH-$BUILD.txz
|