[Buildroot] [git commit] package/openrc: bump to version 0.43.3

Thomas Petazzoni thomas.petazzoni at bootlin.com
Wed Jul 28 19:05:41 UTC 2021


commit: https://git.buildroot.net/buildroot/commit/?id=12c05e42c7b0f346ec4ff0fa8e79af532cdd783c
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master

- Refresh second patch
- Drop sixth and seventh patches (already in version)
- Update indentation in hash file (two spaces)

https://github.com/OpenRC/openrc/blob/0.43.3/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
---
 ...Linux.in-change-run-lock-from-root-uucp-t.patch |   6 +-
 ...logger.h-fix-build-failure-against-gcc-10.patch |  52 -----
 .../openrc/0007-checkpath-fix-CVE-2018-21269.patch | 251 ---------------------
 package/openrc/openrc.hash                         |   4 +-
 package/openrc/openrc.mk                           |   5 +-
 5 files changed, 7 insertions(+), 311 deletions(-)

diff --git a/package/openrc/0002-sh-init.sh.Linux.in-change-run-lock-from-root-uucp-t.patch b/package/openrc/0002-sh-init.sh.Linux.in-change-run-lock-from-root-uucp-t.patch
index 66bbba42ba..457fbacb5b 100644
--- a/package/openrc/0002-sh-init.sh.Linux.in-change-run-lock-from-root-uucp-t.patch
+++ b/package/openrc/0002-sh-init.sh.Linux.in-change-run-lock-from-root-uucp-t.patch
@@ -12,6 +12,8 @@ reasons. However uucp does not exist on buildroot by default, and
 it makes more sense that 'daemon' group should own this directory.
 
 Signed-off-by: Michał Łyszczek <michal.lyszczek at bofc.pl>
+[Fabrice: update for 0.43.3]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
 ---
  sh/init.sh.Linux.in | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
@@ -21,9 +23,9 @@ index 222bbd3b..7f1a88db 100644
 --- a/sh/init.sh.Linux.in
 +++ b/sh/init.sh.Linux.in
 @@ -85,7 +85,7 @@ fi
+ fi
  
- [ -x /sbin/restorecon ] && /sbin/restorecon -rF /run
- checkpath -d $RC_SVCDIR
+ checkpath -d "$RC_SVCDIR"
 -checkpath -d -m 0775 -o root:uucp /run/lock
 +checkpath -d -m 0775 -o root:daemon /run/lock
  
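
Review bot: In the refreshed 0002 patch, the inner hunk header `@@ -85,7 +85,7 @@ fi` and the `index 222bbd3b..7f1a88db` line are unchanged, although the context below them now begins with `fi` and no longer contains the `restorecon` line. That suggests the patch was edited by hand and may apply only with an offset. Suggest regenerating it with git format-patch against the 0.43.3 tree so the header and index line match the new context.
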
diff --git a/package/openrc/0006-src-rc-rc-logger.h-fix-build-failure-against-gcc-10.patch b/package/openrc/0006-src-rc-rc-logger.h-fix-build-failure-against-gcc-10.patch
deleted file mode 100644
index 9fded3ca90..0000000000
--- a/package/openrc/0006-src-rc-rc-logger.h-fix-build-failure-against-gcc-10.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 375ef42393f3dc6edbaa2cb70c79b2366072db38 Mon Sep 17 00:00:00 2001
-From: Sergei Trofimovich <slyfox at gentoo.org>
-Date: Sun, 19 Jan 2020 15:24:20 +0000
-Subject: [PATCH] src/rc/rc-logger.h: fix build failure against gcc-10
-
-On gcc-10 (and gcc-9 -fno-common) build fails as:
-
-```
-cc  -L../librc -L../libeinfo -O2 -g -std=c99 -Wall -Wextra -Wimplicit -Wshadow \
-  -Wformat=2 -Wmissing-prototypes -Wmissing-declarations -Wmissing-noreturn \
-  -Wmissing-format-attribute -Wnested-externs -Winline -Wwrite-strings \
-  -Wcast-align -Wcast-qual -Wpointer-arith -Wdeclaration-after-statement \
-  -Wsequence-point -Werror=implicit-function-declaration    \
-  -Wl,-rpath=/lib   -o openrc rc.o rc-logger.o rc-misc.o rc-plugin.o _usage.o -lutil -lrc -leinfo -Wl,-Bdynamic -ldl
-ld: rc-logger.o:/home/slyfox/dev/git/openrc/src/rc/rc-logger.h:16:
-  multiple definition of `rc_logger_pid'; rc.o:openrc/src/rc/rc-logger.h:16: first defined here
-ld: rc-logger.o:/home/slyfox/dev/git/openrc/src/rc/rc-logger.h:17:
-  multiple definition of `rc_logger_tty'; rc.o:openrc/src/rc/rc-logger.h:17: first defined here
-```
-
-gcc-10 will change the default from -fcommon to fno-common:
-https://gcc.gnu.org/PR85678.
-
-The error also happens if CFLAGS=-fno-common passed explicitly.
-
-This fixes #348.
-
-[Patch taken from upstream:
-https://github.com/OpenRC/openrc/commit/375ef42393f3dc6edbaa2cb70c79b2366072db38]
-Signed-off-by: Heiko Thiery <heiko.thiery at gmail.com>
----
- src/rc/rc-logger.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/rc/rc-logger.h b/src/rc/rc-logger.h
-index bf6e3e57..1da294b0 100644
---- a/src/rc/rc-logger.h
-+++ b/src/rc/rc-logger.h
-@@ -13,8 +13,8 @@
- #ifndef RC_LOGGER_H
- #define RC_LOGGER_H
- 
--pid_t rc_logger_pid;
--int rc_logger_tty;
-+extern pid_t rc_logger_pid;
-+extern int rc_logger_tty;
- extern bool rc_in_logger;
- 
- void rc_logger_open(const char *runlevel);
--- 
-2.20.1
-
diff --git a/package/openrc/0007-checkpath-fix-CVE-2018-21269.patch b/package/openrc/0007-checkpath-fix-CVE-2018-21269.patch
deleted file mode 100644
index 121f229864..0000000000
--- a/package/openrc/0007-checkpath-fix-CVE-2018-21269.patch
+++ /dev/null
@@ -1,251 +0,0 @@
-From b6fef599bf8493480664b766040fa9b0d4b1e335 Mon Sep 17 00:00:00 2001
-From: William Hubbs <w.d.hubbs at gmail.com>
-Date: Fri, 20 Nov 2020 09:15:59 -0600
-Subject: [PATCH] checkpath: fix CVE-2018-21269
-
-This walks the directory path to the file we are going to manipulate to make
-sure that when we create the file and change the ownership and permissions
-we are working on the same file.
-Also, all non-terminal symbolic links must be owned by root. This will
-keep a non-root user from making a symbolic link as described in the
-bug. If root creates the symbolic link, it is assumed to be trusted.
-
-On non-linux platforms, we no longer follow non-terminal symbolic links
-by default. If you need to do that, add the -s option on the checkpath
-command line, but keep in mind that this is not secure.
-
-This fixes #201.
-
-[Patch taken from upstream:
-https://github.com/OpenRC/openrc/commit/b6fef599bf8493480664b766040fa9b0d4b1e335]
-Signed-off-by: Heiko Thiery <heiko.thiery at gmail.com>
----
- man/openrc-run.8   |   6 +++
- src/rc/checkpath.c | 103 ++++++++++++++++++++++++++++++++++++++++++---
- 2 files changed, 102 insertions(+), 7 deletions(-)
-
-diff --git a/man/openrc-run.8 b/man/openrc-run.8
-index 1102daaa..ec4b88de 100644
---- a/man/openrc-run.8
-+++ b/man/openrc-run.8
-@@ -461,6 +461,7 @@ Mark the service as inactive.
- .Op Fl p , -pipe
- .Op Fl m , -mode Ar mode
- .Op Fl o , -owner Ar owner
-+.Op Fl s , -symlinks
- .Op Fl W , -writable
- .Op Fl q , -quiet
- .Ar path ...
-@@ -481,6 +482,11 @@ or with names, and are separated by a colon.
- The truncate options (-D and -F) cause the directory or file to be
- cleared of all contents.
- .Pp
-+If -s is not specified on a non-linux platform, checkpath will refuse to
-+allow non-terminal symbolic links to exist in the path. This is for
-+security reasons so that a non-root user can't create a symbolic link to
-+a root-owned file and take ownership of that file.
-+.Pp
- If -W is specified, checkpath checks to see if the first path given on
- the command line is writable.  This is different from how the test
- command in the shell works, because it also checks to make sure the file
-diff --git a/src/rc/checkpath.c b/src/rc/checkpath.c
-index 448c9cf8..ff54a892 100644
---- a/src/rc/checkpath.c
-+++ b/src/rc/checkpath.c
-@@ -16,6 +16,7 @@
-  *    except according to the terms contained in the LICENSE file.
-  */
- 
-+#define _GNU_SOURCE
- #include <sys/types.h>
- #include <sys/stat.h>
- 
-@@ -23,6 +24,7 @@
- #include <fcntl.h>
- #include <getopt.h>
- #include <grp.h>
-+#include <libgen.h>
- #include <pwd.h>
- #include <stdio.h>
- #include <stdlib.h>
-@@ -44,7 +46,7 @@ typedef enum {
- 
- const char *applet = NULL;
- const char *extraopts ="path1 [path2] [...]";
--const char *getoptstring = "dDfFpm:o:W" getoptstring_COMMON;
-+const char *getoptstring = "dDfFpm:o:sW" getoptstring_COMMON;
- const struct option longopts[] = {
- 	{ "directory",          0, NULL, 'd'},
- 	{ "directory-truncate", 0, NULL, 'D'},
-@@ -53,6 +55,7 @@ const struct option longopts[] = {
- 	{ "pipe",               0, NULL, 'p'},
- 	{ "mode",               1, NULL, 'm'},
- 	{ "owner",              1, NULL, 'o'},
-+	{ "symlinks",           0, NULL, 's'},
- 	{ "writable",           0, NULL, 'W'},
- 	longopts_COMMON
- };
-@@ -64,15 +67,92 @@ const char * const longopts_help[] = {
- 	"Create a named pipe (FIFO) if not exists",
- 	"Mode to check",
- 	"Owner to check (user:group)",
-+	"follow symbolic links (irrelivent on linux)",
- 	"Check whether the path is writable or not",
- 	longopts_help_COMMON
- };
- const char *usagestring = NULL;
- 
-+static int get_dirfd(char *path, bool symlinks) {
-+	char *ch;
-+	char *item;
-+	char *linkpath = NULL;
-+	char *path_dupe;
-+	char *str;
-+	int components = 0;
-+	int dirfd;
-+	int flags = 0;
-+	int new_dirfd;
-+	struct stat st;
-+	ssize_t linksize;
-+
-+	if (!path || *path != '/')
-+		eerrorx("%s: empty or relative path", applet);
-+	dirfd = openat(dirfd, "/", O_RDONLY);
-+	if (dirfd == -1)
-+		eerrorx("%s: unable to open the root directory: %s",
-+				applet, strerror(errno));
-+	path_dupe = xstrdup(path);
-+	ch = path_dupe;
-+	while (*ch) {
-+		if (*ch == '/')
-+			components++;
-+		ch++;
-+	}
-+	item = strtok(path_dupe, "/");
-+#ifdef O_PATH
-+	flags |= O_PATH;
-+#endif
-+	if (!symlinks)
-+		flags |= O_NOFOLLOW;
-+	flags |= O_RDONLY;
-+	while (dirfd > 0 && item && components > 1) {
-+		str = xstrdup(linkpath ? linkpath : item);
-+		new_dirfd = openat(dirfd, str, flags);
-+		if (new_dirfd == -1)
-+			eerrorx("%s: %s: could not open %s: %s", applet, path, str,
-+					strerror(errno));
-+		if (fstat(new_dirfd, &st) == -1)
-+			eerrorx("%s: %s: unable to stat %s: %s", applet, path, item,
-+					strerror(errno));
-+		if (S_ISLNK(st.st_mode) ) {
-+			if (st.st_uid != 0)
-+				eerrorx("%s: %s: synbolic link %s not owned by root",
-+						applet, path, str);
-+			linksize = st.st_size+1;
-+			if (linkpath)
-+				free(linkpath);
-+			linkpath = xmalloc(linksize);
-+			memset(linkpath, 0, linksize);
-+			if (readlinkat(new_dirfd, "", linkpath, linksize) != st.st_size)
-+				eerrorx("%s: symbolic link destination changed", applet);
-+			/*
-+			 * now follow the symlink.
-+			 */
-+			close(new_dirfd);
-+		} else {
-+			close(dirfd);
-+			dirfd = new_dirfd;
-+			free(linkpath);
-+			linkpath = NULL;
-+			item = strtok(NULL, "/");
-+			components--;
-+		}
-+	}
-+	free(path_dupe);
-+	if (linkpath) {
-+		free(linkpath);
-+		linkpath = NULL;
-+	}
-+	return dirfd;
-+}
-+
- static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
--	inode_t type, bool trunc, bool chowner, bool selinux_on)
-+	inode_t type, bool trunc, bool chowner, bool symlinks, bool selinux_on)
- {
- 	struct stat st;
-+	char *name = NULL;
-+	int dirfd;
- 	int fd;
- 	int flags;
- 	int r;
-@@ -93,14 +173,16 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
- #endif
- 	if (trunc)
- 		flags |= O_TRUNC;
--	readfd = open(path, readflags);
-+	xasprintf(&name, "%s", basename_c(path));
-+	dirfd = get_dirfd(path, symlinks);
-+	readfd = openat(dirfd, name, readflags);
- 	if (readfd == -1 || (type == inode_file && trunc)) {
- 		if (type == inode_file) {
- 			einfo("%s: creating file", path);
- 			if (!mode) /* 664 */
- 				mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH;
- 			u = umask(0);
--			fd = open(path, flags, mode);
-+			fd = openat(dirfd, name, flags, mode);
- 			umask(u);
- 			if (fd == -1) {
- 				eerror("%s: open: %s", applet, strerror(errno));
-@@ -122,7 +204,7 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
- 				    strerror (errno));
- 				return -1;
- 			}
--			readfd = open(path, readflags);
-+			readfd = openat(dirfd, name, readflags);
- 			if (readfd == -1) {
- 				eerror("%s: unable to open directory: %s", applet,
- 						strerror(errno));
-@@ -140,7 +222,7 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
- 				    strerror (errno));
- 				return -1;
- 			}
--			readfd = open(path, readflags);
-+			readfd = openat(dirfd, name, readflags);
- 			if (readfd == -1) {
- 				eerror("%s: unable to open fifo: %s", applet,
- 						strerror(errno));
-@@ -259,6 +341,7 @@ int main(int argc, char **argv)
- 	int retval = EXIT_SUCCESS;
- 	bool trunc = false;
- 	bool chowner = false;
-+	bool symlinks = false;
- 	bool writable = false;
- 	bool selinux_on = false;
- 
-@@ -293,6 +376,11 @@ int main(int argc, char **argv)
- 				eerrorx("%s: owner `%s' not found",
- 				    applet, optarg);
- 			break;
-+		case 's':
-+#ifndef O_PATH
-+			symlinks = true;
-+#endif
-+			break;
- 		case 'W':
- 			writable = true;
- 			break;
-@@ -320,7 +408,8 @@ int main(int argc, char **argv)
- 	while (optind < argc) {
- 		if (writable)
- 			exit(!is_writable(argv[optind]));
--		if (do_check(argv[optind], uid, gid, mode, type, trunc, chowner, selinux_on))
-+		if (do_check(argv[optind], uid, gid, mode, type, trunc, chowner,
-+					symlinks, selinux_on))
- 			retval = EXIT_FAILURE;
- 		optind++;
- 	}
--- 
-2.20.1
-
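
Review bot: Deleting 0007-checkpath-fix-CVE-2018-21269.patch is only safe if the 0.43.3 tarball contains upstream commit b6fef599bf8493480664b766040fa9b0d4b1e335, and the commit message backs this with nothing more specific than "already in version". Suggest stating in the commit log which upstream release first carries that commit (and likewise 375ef42393f3dc6edbaa2cb70c79b2366072db38 for the dropped 0006 patch), so the removal of a security fix can be audited later without re-reading the upstream history.
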
diff --git a/package/openrc/openrc.hash b/package/openrc/openrc.hash
index bb5880806d..4fcfa9132f 100644
--- a/package/openrc/openrc.hash
+++ b/package/openrc/openrc.hash
@@ -1,3 +1,3 @@
 # Locally calculated
-sha256	91a01ca6d930a0688fb91338209985de57cac7aa2d37feddacb78fd3d95308e2	openrc-0.42.1.tar.gz
-sha256	96862463f4e77e2508e4fc2c83773fd24807cb699368b63fd93a5e2b466dd624	LICENSE
+sha256  968e81743a1de7a2348590b3b3286d6af5baf96da28fa1e6364e24f8203fc3b6  openrc-0.43.3.tar.gz
+sha256  96862463f4e77e2508e4fc2c83773fd24807cb699368b63fd93a5e2b466dd624  LICENSE
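
Review bot: The new sha256 for openrc-0.43.3.tar.gz sits under the existing "# Locally calculated" comment, so the only trust anchor for the tarball is the submitter's own download. Whoever applies this should fetch the tarball independently and recompute the hash before merging. The LICENSE line changes only in whitespace (its hash is identical), which matches the "two spaces" item in the commit message.
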
diff --git a/package/openrc/openrc.mk b/package/openrc/openrc.mk
index d9010a60be..1d4e70f712 100644
--- a/package/openrc/openrc.mk
+++ b/package/openrc/openrc.mk
@@ -4,15 +4,12 @@
 #
 ################################################################################
 
-OPENRC_VERSION = 0.42.1
+OPENRC_VERSION = 0.43.3
 OPENRC_SITE = $(call github,OpenRC,openrc,$(OPENRC_VERSION))
 OPENRC_LICENSE = BSD-2-Clause
 OPENRC_LICENSE_FILES = LICENSE
 OPENRC_CPE_ID_VENDOR = openrc_project
 
-# 0007-checkpath-fix-CVE-2018-21269.patch
-OPENRC_IGNORE_CVES += CVE-2018-21269
-
 OPENRC_DEPENDENCIES = ncurses
 
 # set LIBNAME so openrc puts files in proper directories and sets proper
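
Review bot: Removing `OPENRC_IGNORE_CVES += CVE-2018-21269` together with the version bump means the CVE is no longer suppressed, so its reporting now depends on the CPE match for `openrc_project` at version 0.43.3. Suggest confirming with Buildroot's CVE check (pkg-stats) that CVE-2018-21269 is not reported for 0.43.3. If it still is, the entry should stay, with a comment naming the upstream commit that fixed it.
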

