Merge pull request #1177 from flatcar/buildbot/weekly-portage-stable-…

…package-updates-2023-09-25

Weekly portage-stable package updates 2023-09-25

changelog/security/2023-09-28-weekly-updates.md

@@ -0,0 +1,4 @@
+- curl ([CVE-2023-38039](https://nvd.nist.gov/vuln/detail/CVE-2023-38039))
+- lua ([CVE-2022-33099](https://nvd.nist.gov/vuln/detail/CVE-2022-33099))
+- mit-krb5 ([CVE-2023-36054](https://nvd.nist.gov/vuln/detail/CVE-2023-36054))
+- procps ([CVE-2023-4016](https://nvd.nist.gov/vuln/detail/CVE-2023-4016))

changelog/updates/2023-09-28-weekly-updates.md

@@ -0,0 +1,8 @@
+- bind-tools ([9.16.42](https://bind9.readthedocs.io/en/v9.16.42/notes.html#notes-for-bind-9-16-42))
+- curl ([8.3.0](https://curl.se/changes.html#8_3_0))
+- gcc ([13.2](https://gcc.gnu.org/gcc-13/changes.html))
+- gzip ([1.13](https://savannah.gnu.org/news/?id=10501))
+- libgcrypt ([1.10.2](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=NEWS;h=c9a239615f8070427a96688b1be40a81e59e9b8a;hb=1c5cbacf3d88dded5063e959ee68678ff7d0fa56))
+- lua ([5.4.6](https://www.lua.org/manual/5.4/readme.html#changes))
+- mit-krb5 ([1.21.2](http://web.mit.edu/kerberos/krb5-1.21/))
+- procps ([4.0.4](https://gitlab.com/procps-ng/procps/-/releases/v4.0.4) (includes [4.0.3](https://gitlab.com/procps-ng/procps/-/releases/v4.0.3) and [4.0.0](https://gitlab.com/procps-ng/procps/-/releases/v4.0.0)))

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords

@@ -10,6 +10,9 @@
 # Needed by arm64-native SDK.
 =app-crypt/efitools-1.9.2 ~arm64
 
+# Needed to fix CVE-2023-36054.
+=app-crypt/mit-krb5-1.21.2 ~amd64 ~arm64
+
 # Needed to address CVE-2023-2609 and CVE-2023-2610.
 =app-editors/vim-9.0.1678 ~amd64 ~arm64
 =app-editors/vim-core-9.0.1678 ~amd64 ~arm64
@@ -39,9 +42,10 @@
 # Keep versions on both arches in sync.
 =dev-libs/ding-libs-0.6.1-r1 ~arm64
 =dev-libs/libdnet-1.16.2 ~arm64
-=dev-libs/libgcrypt-1.10.1-r3 ~arm64
+=dev-libs/libgcrypt-1.10.2 ~arm64
 =dev-python/lxml-4.9.3-r1 ~arm64
 =dev-util/bpftool-6.3 ~arm64
+=net-dns/bind-tools-9.16.42 ~arm64
 =net-firewall/conntrack-tools-1.4.6-r1 ~arm64
 
 # Required for addressing CVE-2023-0361.
@@ -51,8 +55,8 @@
 =net-libs/libnetfilter_cthelper-1.0.0-r1 ~arm64
 =net-libs/libnetfilter_cttimeout-1.0.0-r1 ~arm64
 
-# Required for addressing CVE-2023-32001.
-=net-misc/curl-8.2.1 ~amd64 ~arm64
+# Required for addressing CVE-2023-38039.
+=net-misc/curl-8.3.0 ~amd64 ~arm64
 
 # Keep versions on both arches in sync.
 =net-nds/openldap-2.6.4-r1 ~amd64
@@ -70,6 +74,7 @@
 
 # Keep versions on both arches in sync.
 =sys-devel/automake-1.16.5-r1 ~arm64
+=sys-devel/gcc-13.2.1_p20230826 ~arm64
 =sys-firmware/edk2-aarch64-18.02 **
 
 # Needed for a cross-compilation fix.
@@ -90,5 +95,8 @@
 # ?
 =sys-power/acpid-2.0.33 ~amd64 ~arm64
 
+# Needed to fix CVE-2023-4016.
+=sys-process/procps-4.0.4 ~amd64 ~arm64
+
 # Accept unstable host Rust compilers.
 =virtual/rust-1.72.1 ~amd64 ~arm64

sdk_container/src/third_party/portage-stable/app-arch/gzip/gzip-1.13.ebuild

@@ -31,7 +31,7 @@ fi
 LICENSE="GPL-3+"
 SLOT="0"
 if [[ ${PV} != *_p* ]] ; then
-	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+	KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ppc64 ~riscv ~s390 sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
 fi
 IUSE="pic static"
 

sdk_container/src/third_party/portage-stable/app-arch/libarchive/Manifest

@@ -1,2 +1,4 @@
 DIST libarchive-3.7.1.tar.xz 5254260 BLAKE2B 1a6fa4f5027effea3df1cfcd2d99b8b126fe03d727412b0a4529d6b2157c2c29490bcce206d0f771256c5ed6dec9612608c2c54c4861647f4e2892e0f5548adb SHA512 24380b9aa24434dfe39929ec85ede33580291023b20b7cdf03990ce62578eaeb389f5ca5680245a84c7aad51574c85a1fa3fad5254ec5395eadac1cb2130a936
 DIST libarchive-3.7.1.tar.xz.asc 659 BLAKE2B 5e72732d2e5a4f5f04f3510b3d81a148f23dffa10a3ebe709e816388c5a6e68c08ee2bbe36d81141d5ffa94ed64df3e4ca05994cda651c09589fda69a6a95e90 SHA512 6f6f6e5780c609bd9c6c359c210656f26afb585bda46988687e19d1e55f4f3260ea80bf11bfba1213fb3a3e1514c5c096692b4b9e96ffbadf06f85eb1227250a
+DIST libarchive-3.7.2.tar.xz 5237056 BLAKE2B 7221db4811a965ee61d879a2603480363628a19995a351b572d099be9f35576d76f0b0822f9a5a47d9929bc094d4444fd8eafcb4a073e39bb3aa797d4b926ca5 SHA512 a21bebb27b808cb7d2ed13a70739904a1b7b55661d8dea83c9897a0129cf71e20c962f13666c571782ff0f4f753ca885619c2097d9e7691c2dee4e6e4b9a2971
+DIST libarchive-3.7.2.tar.xz.asc 659 BLAKE2B 7141baf007b89b7ee38ec817b648cef5efb4d694953fcd49f6ed2dc95cf4da2d9259262b9eb4f01ff5d4ecee1257b266a8c6687a8e8ef8790121048229f1ad22 SHA512 c2ce850088245d7723720737d74d1cc1819984d01b3f9e4ed96b0757f4c6d6d511b78792181a12400c563632d74edcd0c2c3a4b7527cba40ada7ef74488078fc

sdk_container/src/third_party/portage-stable/app-arch/libarchive/files/libarchive-3.7.2-32bit-test.patch

@@ -0,0 +1,29 @@
+From 3bd918d92f8c34ba12de9c6604d96f9e262a59fc Mon Sep 17 00:00:00 2001
+From: Martin Matuska <martin@matuska.de>
+Date: Tue, 12 Sep 2023 08:54:47 +0200
+Subject: [PATCH] tests: fix zstd long option test for 32-bit architectures
+
+Fixes #1968
+---
+ libarchive/test/test_write_filter_zstd.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/libarchive/test/test_write_filter_zstd.c b/libarchive/test/test_write_filter_zstd.c
+index 3cdbd812a..c9731f1b6 100644
+--- a/libarchive/test/test_write_filter_zstd.c
++++ b/libarchive/test/test_write_filter_zstd.c
+@@ -161,8 +161,12 @@ DEFINE_TEST(test_write_filter_zstd)
+ 	    archive_write_set_filter_option(a, NULL, "max-frame-size", "1048576"));
+ #endif
+ #if ZSTD_VERSION_NUMBER >= MINVER_LONG
+-	assertEqualIntA(a, ARCHIVE_OK,
+-	    archive_write_set_filter_option(a, NULL, "long", "27"));
++	if ((int)(sizeof(size_t) == 4))
++		assertEqualIntA(a, ARCHIVE_OK,
++		    archive_write_set_filter_option(a, NULL, "long", "26"));
++	else
++		assertEqualIntA(a, ARCHIVE_OK,
++		    archive_write_set_filter_option(a, NULL, "long", "27"));
+ 	assertEqualIntA(a, ARCHIVE_FAILED,
+ 	    archive_write_set_filter_option(a, NULL, "long", "-1")); /* negative */
+ #endif

sdk_container/src/third_party/portage-stable/app-arch/libarchive/libarchive-3.7.2.ebuild

@@ -0,0 +1,147 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit multilib-minimal toolchain-funcs verify-sig
+
+DESCRIPTION="Multi-format archive and compression library"
+HOMEPAGE="
+	https://www.libarchive.org/
+	https://github.com/libarchive/libarchive/
+"
+SRC_URI="
+	https://www.libarchive.de/downloads/${P}.tar.xz
+	verify-sig? ( https://www.libarchive.de/downloads/${P}.tar.xz.asc )
+"
+
+LICENSE="BSD BSD-2 BSD-4 public-domain"
+SLOT="0/13"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="acl blake2 +bzip2 +e2fsprogs expat +iconv lz4 +lzma lzo nettle static-libs xattr zstd"
+VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/libarchive.org.asc
+
+RDEPEND="
+	sys-libs/zlib[${MULTILIB_USEDEP}]
+	acl? ( virtual/acl[${MULTILIB_USEDEP}] )
+	blake2? ( app-crypt/libb2[${MULTILIB_USEDEP}] )
+	bzip2? ( app-arch/bzip2[${MULTILIB_USEDEP}] )
+	expat? ( dev-libs/expat[${MULTILIB_USEDEP}] )
+	!expat? ( dev-libs/libxml2[${MULTILIB_USEDEP}] )
+	iconv? ( virtual/libiconv[${MULTILIB_USEDEP}] )
+	kernel_linux? (
+		xattr? ( sys-apps/attr[${MULTILIB_USEDEP}] )
+	)
+	dev-libs/openssl:0=[${MULTILIB_USEDEP}]
+	lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] )
+	lzma? ( >=app-arch/xz-utils-5.2.5-r1[${MULTILIB_USEDEP}] )
+	lzo? ( >=dev-libs/lzo-2[${MULTILIB_USEDEP}] )
+	nettle? ( dev-libs/nettle:0=[${MULTILIB_USEDEP}] )
+	zstd? ( app-arch/zstd[${MULTILIB_USEDEP}] )
+"
+DEPEND="${RDEPEND}
+	kernel_linux? (
+		virtual/os-headers
+		e2fsprogs? ( sys-fs/e2fsprogs[${MULTILIB_USEDEP}] )
+	)
+"
+BDEPEND="
+	verify-sig? ( >=sec-keys/openpgp-keys-libarchive-20221209 )
+	elibc_musl? ( sys-libs/queue-standalone )
+"
+
+# false positives (checks for libc-defined hash functions)
+QA_CONFIG_IMPL_DECL_SKIP=(
+	SHA256_Init SHA256_Update SHA256_Final
+	SHA384_Init SHA384_Update SHA384_Final
+	SHA512_Init SHA512_Update SHA512_Final
+)
+
+PATCHES=(
+	# https://github.com/libarchive/libarchive/issues/1968
+	"${FILESDIR}/${P}-32bit-test.patch"
+)
+
+multilib_src_configure() {
+	export ac_cv_header_ext2fs_ext2_fs_h=$(usex e2fsprogs) #354923
+
+	local myconf=(
+		$(use_enable acl)
+		$(use_enable static-libs static)
+		$(use_enable xattr)
+		$(use_with blake2 libb2)
+		$(use_with bzip2 bz2lib)
+		$(use_with expat)
+		$(use_with !expat xml2)
+		$(use_with iconv)
+		$(use_with lz4)
+		$(use_with lzma)
+		$(use_with lzo lzo2)
+		$(use_with nettle)
+		--with-zlib
+		$(use_with zstd)
+
+		# Windows-specific
+		--without-cng
+	)
+	if multilib_is_native_abi ; then
+		myconf+=(
+			--enable-bsdcat="$(tc-is-static-only && echo static || echo shared)"
+			--enable-bsdcpio="$(tc-is-static-only && echo static || echo shared)"
+			--enable-bsdtar="$(tc-is-static-only && echo static || echo shared)"
+			--enable-bsdunzip="$(tc-is-static-only && echo static || echo shared)"
+		)
+	else
+		myconf+=(
+			--disable-bsdcat
+			--disable-bsdcpio
+			--disable-bsdtar
+			--disable-bsdunzip
+		)
+	fi
+
+	ECONF_SOURCE="${S}" econf "${myconf[@]}"
+}
+
+multilib_src_compile() {
+	if multilib_is_native_abi ; then
+		emake
+	else
+		emake libarchive.la
+	fi
+}
+
+src_test() {
+	mkdir -p "${T}"/bin || die
+	# tests fail when lbzip2[symlink] is used in place of ref bunzip2
+	ln -s "${BROOT}/bin/bunzip2" "${T}"/bin || die
+	local -x PATH=${T}/bin:${PATH}
+	multilib-minimal_src_test
+}
+
+multilib_src_test() {
+	# sandbox is breaking long symlink behavior
+	local -x SANDBOX_ON=0
+	local -x LD_PRELOAD=
+	# some locales trigger different output that breaks tests
+	local -x LC_ALL=C
+	emake check
+}
+
+multilib_src_install() {
+	if multilib_is_native_abi ; then
+		emake DESTDIR="${D}" install
+	else
+		local install_targets=(
+			install-includeHEADERS
+			install-libLTLIBRARIES
+			install-pkgconfigDATA
+		)
+		emake DESTDIR="${D}" "${install_targets[@]}"
+	fi
+
+	# Libs.private: should be used from libarchive.pc instead
+	find "${ED}" -type f -name "*.la" -delete || die
+	# https://github.com/libarchive/libarchive/issues/1766
+	sed -e '/Requires\.private/s:iconv::' \
+		-i "${ED}/usr/$(get_libdir)/pkgconfig/libarchive.pc" || die
+}

sdk_container/src/third_party/portage-stable/app-arch/tar/tar-1.35.ebuild

@@ -20,7 +20,7 @@ SRC_URI="
 LICENSE="GPL-3+"
 SLOT="0"
 if [[ -z "$(ver_cut 3)" || "$(ver_cut 3)" -lt 90 ]] ; then
-	KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ppc64 ~riscv ~s390 sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+	KEYWORDS="~alpha amd64 ~arm arm64 hppa ~ia64 ~loong ~m68k ~mips ~ppc ppc64 ~riscv ~s390 sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
 fi
 IUSE="acl minimal nls selinux xattr"
 

sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-9999.ebuild

@@ -6,7 +6,7 @@
 
 EAPI=8
 
-inherit libtool multilib multilib-minimal preserve-libs usr-ldscript
+inherit flag-o-matic libtool multilib multilib-minimal preserve-libs usr-ldscript
 
 if [[ ${PV} == 9999 ]] ; then
 	# Per tukaani.org, git.tukaani.org is a mirror of github and
@@ -100,6 +100,10 @@ multilib_src_configure() {
 		myconf+=( --disable-path-for-script )
 	fi
 
+	# ifunc is incompatible w/ asan
+	# https://github.com/tukaani-project/xz/issues/62#issuecomment-1719489932
+	is-flagq -fsanitize=address && myconf+=( --disable-ifunc )
+
 	ECONF_SOURCE="${S}" econf "${myconf[@]}"
 }
 

sdk_container/src/third_party/portage-stable/app-arch/zstd/Manifest

@@ -1,4 +1 @@
-DIST zstd-1.4.9.tar.gz 1834843 BLAKE2B 907f492bd023db9459bdc292a0bc4d1b6336d92dd7041eb2b36668589c20fcb98c411b85d78f92cd16d9b4a000d9c4125b5f966a5ca777034ae78210e639315b SHA512 f529db9c094f9ae26428bf1fdfcc91c6d783d400980e0f0d802d2cf13c2be2931465ef568907e03841ff76a369a1447e7371f8799d8526edb9a513ba5c6db133
-DIST zstd-1.5.2.tar.gz 1950967 BLAKE2B 9d474e9fdcf7e5eb09d1f606712b05ca3001e8f6f7451254d8dba3f429101048532fd9c84a5b9083ae90d0457e9e1b1d48256581a1697e7db19b09d73595f070 SHA512 e107508a41fca50845cc2494e64adaba93efb95a2fa486fc962510a8ba4b2180d93067cae9870f119e88e5e8b28a046bc2240b0b23cdd8933d1fb1a6a9668c1e
-DIST zstd-1.5.4.gh.tar.gz 2161536 BLAKE2B ffc5fcbbdf4ab04bc14b5037308bf4e879d4cbaaf863462ea1e8af3f1b86b935ee6036e49298c83ac42b00472c003e32c263c977f0ae7d64f31d9ae63c5c28cb SHA512 2896a6dd6b60cc251720356babcbab6018c874eb2149121b26e28041496fc355a9cb5fd1b39c91558fcfbafb789b3d721264a0f9b5734f893d5f3cdf97016394
 DIST zstd-1.5.5.tar.gz 2368543 BLAKE2B 7680e27a0adacfb809d9fc81e06d3f99bf74df30374d3b5cb2d58f667dd1b7d5c41697e608592709e17c0e32277f20a6d615edee409b5d7cdcb15da2799a2350 SHA512 99109ec0e07fa65c2101c9cb36be56b672bbd0ee69d265f924718e61f9192ae8385c8d9e4d0c318be9edfa6d849fd3d60e5f164fa120961449429ea3c5dab6b6