Merge pull request #2167 from flatcar/buildbot/weekly-portage-stable-…

…package-updates-2024-07-29

Weekly portage-stable package updates 2024-07-29

.github/workflows/portage-stable-packages-list

@@ -563,6 +563,7 @@ sys-firmware/ipxe
 sys-firmware/seabios-bin
 sys-firmware/sgabios
 
+sys-fs/btrfs-progs
 sys-fs/cryptsetup
 sys-fs/dosfstools
 sys-fs/e2fsprogs

changelog/security/2024-07-29-weekly-updates.md

@@ -0,0 +1,2 @@
+- curl ([CVE-2024-6197](https://nvd.nist.gov/vuln/detail/CVE-2024-6197), [CVE-2024-6874](https://nvd.nist.gov/vuln/detail/CVE-2024-6874))
+- podman ([CVE-2024-3727](https://nvd.nist.gov/vuln/detail/CVE-2024-3727))

changelog/updates/2024-07-29-weekly-updates.md

@@ -0,0 +1,19 @@
+- btrfs-progs ([6.9.2](https://github.com/kdave/btrfs-progs/blob/v6.9.2/CHANGES))
+- c-ares ([1.29.0](https://github.com/c-ares/c-ares/releases/tag/cares-1_29_0))
+- cryptsetup ([2.7.2](https://gitlab.com/cryptsetup/cryptsetup/-/blob/v2.7.2/docs/v2.7.2-ReleaseNotes) (includes [2.7.1](https://gitlab.com/cryptsetup/cryptsetup/-/blob/v2.7.1/docs/v2.7.1-ReleaseNotes) and [2.7.0](https://gitlab.com/cryptsetup/cryptsetup/-/blob/v2.7.0/docs/v2.7.0-ReleaseNotes)))
+- curl ([8.9.0](https://curl.se/ch/8.9.0.html))
+- e2fsprogs ([1.47.1](https://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.47.1))
+- ethtool ([6.9](https://git.kernel.org/pub/scm/network/ethtool/ethtool.git/tree/NEWS?h=v6.9))
+- findutils ([4.10.0](https://git.savannah.gnu.org/cgit/findutils.git/tree/NEWS?h=v4.10.0))
+- gcc ([13.3.1_p20240614](https://gcc.gnu.org/gcc-13/changes.html))
+- hwdata ([0.383](https://github.com/vcrhonek/hwdata/compare/v0.382...v0.383))
+- libksba ([1.6.7](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=blob;f=NEWS;h=3d2d5a47688bb6214efaf02f5ab29f6e64433a97;hb=b14e68b97df754b2bb7a90bb904d143d8e896afb))
+- pciutils ([3.13.0](https://github.com/pciutils/pciutils/blob/v3.13.0/ChangeLog))
+- sysext-podman: podman ([5.0.3](https://github.com/containers/podman/releases/tag/v5.0.3))
+- sysext-python: setuptools ([70.3.0](https://github.com/pypa/setuptools/blob/v70.3.0/NEWS.rst))
+- strace ([6.9](https://github.com/strace/strace/releases/tag/v6.9))
+- tpm2-tools ([5.7](https://github.com/tpm2-software/tpm2-tools/releases/tag/5.7))
+- tpm2-tss ([4.1.3](https://github.com/tpm2-software/tpm2-tss/releases/tag/4.1.3))
+- util-linux ([2.39.4](https://github.com/util-linux/util-linux/blob/v2.39.4/Documentation/releases/v2.39.4-ReleaseNotes))
+- xfsprogs ([6.8.0](https://git.kernel.org/pub/scm/fs/xfs/xfsprogs-dev.git/tree/doc/CHANGES?h=v6.8.0))
+- xz-utils ([5.6.2](https://github.com/tukaani-project/xz/releases/tag/v5.6.2))

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords

@@ -7,20 +7,19 @@
 # Gentoo upstream package stabilisation
 # (the following packages are "unstable" upstream; we're stabilising these)
 
-# Catalyst 4 is not stable yet, but earlier versions are masked now.
-dev-util/catalyst ~amd64 ~arm64
-
 # Handled by automation
 =app-containers/containerd-1.7.20 ~amd64 ~arm64 # DO NOT EDIT THIS LINE. Added by containerd-apply-patch.sh on 2024-07-19 08:17:43
 
-# Handled by automation?
-=app-containers/cri-tools-1.27.0 ~amd64 ~arm64
+# Keep versions on both arches in sync.
+=app-containers/cri-tools-1.27.0 ~arm64
+
+# Needed to address CVE-2024-3727
+=app-containers/podman-5.0.3 ~amd64 ~arm64
 
 # These seem to be the versions we initially got, but the
 # modifications made to the ebuilds were clobbered, so these are here
 # to keep using the same version. Can be dropped when these or newer
 # get stabilized in Gentoo.
-=app-containers/podman-5.0.2 ~amd64 ~arm64
 =app-containers/runc-1.1.13 ~amd64 ~arm64
 
 # Seems to be the only available ebuild in portage-stable right now.
@@ -43,7 +42,7 @@ dev-util/catalyst ~amd64 ~arm64
 =app-emulation/open-vmdk-1.0 *
 
 # Keep versions on both arches in sync.
-=dev-cpp/abseil-cpp-20230125.3-r3 ~arm64
+=dev-cpp/abseil-cpp-20230125.3-r4 ~arm64
 
 # Needed by arm64-native SDK.
 =dev-embedded/u-boot-tools-2021.04_rc2 ~arm64
@@ -67,7 +66,6 @@ dev-util/catalyst ~amd64 ~arm64
 =dev-libs/luksmeta-9-r1 **
 
 # Keep versions on both arches in sync.
-=dev-libs/libp11-0.4.12-r6 ~arm64
 =dev-libs/protobuf-23.3-r4 ~arm64
 
 # These seem to be the versions we initially got, but the
@@ -76,9 +74,8 @@ dev-util/catalyst ~amd64 ~arm64
 # get stabilized in Gentoo.
 =dev-libs/yajl-2.1.0-r5 ~amd64 ~arm64
 
-# Keep versions on both arches in sync.
-=dev-python/lxml-5.2.1 ~arm64
-=dev-util/pahole-1.26 ~arm64
+# Catalyst 4 is not stable yet, but earlier versions are masked now.
+dev-util/catalyst ~amd64 ~arm64
 
 # Needed for the MIT License
 =net-analyzer/netperf-2.7.0_p20210121 ~amd64 ~arm64
@@ -94,20 +91,19 @@ dev-util/catalyst ~amd64 ~arm64
 =net-libs/libnetfilter_cthelper-1.0.1-r1 ~arm64
 =net-libs/libnetfilter_cttimeout-1.0.1 ~arm64
 
+# Needed to address CVE-2024-6197 and CVE-2024-6874.
+=net-misc/curl-8.9.0 ~amd64 ~arm64
+
 # Keep versions on both arches in sync.
 =sys-apps/kexec-tools-2.0.28 ~arm64
-
-sys-apps/zram-generator ~amd64 ~arm64
+=sys-apps/zram-generator-1.1.2 ~arm64
 
 # Upgrade to latest version for secureboot
 =sys-boot/mokutil-0.6.0 ~amd64
 
 # Enable ipvsadm for arm64.
 =sys-cluster/ipvsadm-1.31-r1 ~arm64
 
-# Keep versions on both arches in sync.
-=sys-firmware/edk2-aarch64-18.02 **
-
 # Accept unstable host Rust compilers.
 =virtual/rust-1.80.0 ~amd64 ~arm64
 

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use

@@ -73,9 +73,6 @@ sys-apps/portage -xattr -rsync-verify
 # Enable -M and -Z flags; -M is used by mayday
 sys-process/lsof rpc selinux
 
-# Disable zstd to avoid adding it to prod images until something needs it
-sys-fs/btrfs-progs -zstd
-
 # Enable SELinux for all targets
 coreos-base/coreos          selinux
 sys-apps/dbus               selinux

sdk_container/src/third_party/portage-stable/app-arch/lz4/Manifest

@@ -1 +1,2 @@
+DIST lz4-1.10.0.tar.gz 387114 BLAKE2B c87a939b748b0449e4f1869579ebc109704aa89e8699b6029217f6786c351d1b0329580dd3a955fe509efb113f29aecbafc83084d65d153f5d43610f4840a819 SHA512 8c4ceb217e6dc8e7e0beba99adc736aca8963867bcf9f970d621978ba11ce92855912f8b66138037a1d2ae171e8e17beb7be99281fea840106aa60373c455b28
 DIST lz4-1.9.4.tar.gz 354063 BLAKE2B 2289cdce36acd35283bf2f02ef4d6d8f4805563be6d5a3492f3d6ea7975fb6bd14e1ac2e505df9747776edf8bcf0da7ba4ae7084b150e3ec08a52a9885f92ad5 SHA512 043a9acb2417624019d73db140d83b80f1d7c43a6fd5be839193d68df8fd0b3f610d7ed4d628c2a9184f7cde9a0fd1ba9d075d8251298e3eb4b3a77f52736684

sdk_container/src/third_party/portage-stable/app-arch/lz4/files/1.10.0-fix-freestanding-test.patch

@@ -0,0 +1,42 @@
+
+From: https://github.com/lz4/lz4/pull/1468
+
+commit 63267a77d863f63826d8b13ddb8c190d3a4c01c5
+Author: Holger Hoffstätte <holger@applied-asynchrony.com>
+Date:   Mon Jul 22 22:11:19 2024 +0200
+
+    Fix stack alignment of _start() in freestanding test
+
+    When the freestanding test is built with any kind of optimization
+    that enables vectorized loops, special care must be taken to align
+    the stack for _start() at a 16-byte boundary.
+
+diff --git a/tests/freestanding.c b/tests/freestanding.c
+index 6109aa7..96de9d3 100644
+--- a/tests/freestanding.c
++++ b/tests/freestanding.c
+@@ -225,7 +225,7 @@ EXTERN_C int memcmp(const void *s1, const void *s2, size_t n) {
+
+
+ //
+-EXTERN_C void _start(void) {
++EXTERN_C void __attribute__((force_align_arg_pointer)) _start(void) {
+     test();
+     MY_exit(0);
+ }
+
+Disable the stack protector to allow building with clang.
+See https://bugs.gentoo.org/936480
+
+diff -up lz4-1.10.0/build/meson/meson/tests/meson.build lz4-1.10.0/build/meson/meson/tests/meson.build
+--- lz4-1.10.0/build/meson/meson/tests/meson.build	2024-07-21 19:29:49.000000000 +0200
++++ lz4-1.10.0/build/meson/meson/tests/meson.build	2024-07-23 01:26:40.561113031 +0200
+@@ -47,7 +47,7 @@ test_exes = {
+   },
+   'freestanding': {
+     'sources': files(lz4_source_root / 'tests/freestanding.c'),
+-    'c_args': ['-ffreestanding', '-Wno-unused-parameter', '-Wno-declaration-after-statement'],
++    'c_args': ['-ffreestanding', '-fno-stack-protector', '-Wno-unused-parameter', '-Wno-declaration-after-statement'],
+     'link_args': ['-nostdlib'],
+     'build': cc.get_id() in ['gcc', 'clang'] and
+       host_machine.system() == 'linux' and host_machine.cpu_family() == 'x86_64',

sdk_container/src/third_party/portage-stable/app-arch/lz4/lz4-1.10.0-r1.ebuild

@@ -0,0 +1,38 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit meson-multilib
+
+DESCRIPTION="Extremely Fast Compression algorithm"
+HOMEPAGE="https://github.com/lz4/lz4"
+SRC_URI="https://github.com/lz4/lz4/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="BSD-2 GPL-2"
+SLOT="0/1.10.0-meson"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="static-libs test"
+RESTRICT="!test? ( test )"
+
+EMESON_SOURCE=${S}/build/meson
+
+PATCHES=(
+	"${FILESDIR}/${PV}-fix-freestanding-test.patch"
+)
+
+multilib_src_configure() {
+	local emesonargs=(
+		-Dtests=$(usex test true false)
+		-Ddefault_library=$(usex static-libs both shared)
+	)
+	# with -Dprograms=false, the test suite is only rudimentary,
+	# so build them for testing non-native ABI as well
+	if multilib_is_native_abi || use test; then
+		emesonargs+=(
+			-Dprograms=true
+		)
+	fi
+
+	meson_src_configure
+}

sdk_container/src/third_party/portage-stable/app-arch/lz4/lz4-1.10.0.ebuild

@@ -0,0 +1,25 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit cmake-multilib
+
+DESCRIPTION="Extremely Fast Compression algorithm"
+HOMEPAGE="https://github.com/lz4/lz4"
+SRC_URI="https://github.com/lz4/lz4/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="BSD-2 GPL-2"
+SLOT="0/1.10.0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="static-libs"
+
+CMAKE_USE_DIR=${S}/build/cmake
+
+multilib_src_configure() {
+	local mycmakeargs=(
+		-DBUILD_STATIC_LIBS=$(usex static-libs)
+	)
+
+	cmake_src_configure
+}

sdk_container/src/third_party/portage-stable/app-arch/unzip/unzip-6.0_p27-r1.ebuild

@@ -65,14 +65,15 @@ src_configure() {
 		i?86*-*linux*)       TARGET="linux_asm" ;;
 		*linux*)             TARGET="linux_noasm" ;;
 		*-darwin*)           TARGET="macosx" ;;
-		*-solaris*)          TARGET="generic" ;;
+		*-solaris*)          TARGET="linux_noasm" ;;
 		*) die "Unknown target; please update the ebuild to handle ${CHOST}" ;;
 	esac
 
 	# Needed for Clang 16
 	append-flags -std=gnu89
 
 	[[ ${CHOST} == *linux* ]] && append-cppflags -DNO_LCHMOD
+	[[ ${CHOST} == *-solaris* ]] && append-cppflags -DNO_LCHMOD -DBSD4_4
 	use bzip2 && append-cppflags -DUSE_BZIP2
 	use unicode && append-cppflags -DUNICODE_SUPPORT -DUNICODE_WCHAR -DUTF8_MAYBE_NATIVE -DUSE_ICONV_MAPPING
 

sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.7-r1.ebuild

@@ -35,7 +35,7 @@ else
 	"
 
 	if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
-		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+		KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
 	fi
 
 	S="${WORKDIR}/${MY_P}"

sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.6.2-r1.ebuild

@@ -35,7 +35,7 @@ else
 	"
 
 	if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
-		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+		KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
 	fi
 
 	S="${WORKDIR}/${MY_P}"

sdk_container/src/third_party/portage-stable/app-containers/runc/Manifest

@@ -1 +1,2 @@
+DIST runc-1.1.12.tar.gz 2522196 BLAKE2B 14fe8d5f82d5b4d7f6b4bb9111c5d258e74f6a44aeb51fc87c69104e95b9bf24a3d503f4cc5dedb40d542fbd4b6e27273f456bda4fcf3bc298eb93ae292d9663 SHA512 92e8ac54a77d7ebcc76b5a9cc08d9a064211f12e9d26f064070cc203a5afb11c3af28d8f556f297513f797a2933d50bf10a8f22e307724041d66aa8c5ca1d9d3
 DIST runc-1.1.13.tar.gz 2532849 BLAKE2B f3d3171ffce2bb833bfb5cc21d0dc034fd7e38c47ee098cc1fc75c06fd4dfae21dfe25c2e69a1ca93b29d36e8799727ea41725eee8aca3a059c14dab6c8a435f SHA512 644bf9e6359bf49bbdec667c0f7c69ded78c7eacfc2d1b730d52fdcf7348571c6406b8e5790811fe3662a458c878e4225c3559885f0d95f8905273e7e40e55ad

sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.1.13.ebuild

@@ -10,13 +10,14 @@ RUNC_COMMIT=58aa9203c123022138b22cf96540c284876a7910
 CONFIG_CHECK="~USER_NS"
 
 DESCRIPTION="runc container cli tools"
-HOMEPAGE="http://github.com/opencontainers/runc/"
+HOMEPAGE="https://github.com/opencontainers/runc/"
 MY_PV="${PV/_/-}"
 SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+S="${WORKDIR}/${PN}-${MY_PV}"
 
 LICENSE="Apache-2.0 BSD-2 BSD MIT"
 SLOT="0"
-KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
 IUSE="apparmor hardened +kmem +seccomp selinux test"
 
 DEPEND="seccomp? ( sys-libs/libseccomp )"
@@ -38,8 +39,6 @@ BDEPEND="
 # majority of tests pass
 RESTRICT+=" test"
 
-S="${WORKDIR}/${PN}-${MY_PV}"
-
 src_compile() {
 	# Taken from app-containers/docker-1.7.0-r1
 	CGO_CFLAGS+=" -I${ESYSROOT}/usr/include"

sdk_container/src/third_party/portage-stable/app-crypt/libb2/libb2-0.98.1-r3.ebuild

@@ -3,7 +3,7 @@
 
 EAPI=7
 
-inherit autotools multilib-minimal toolchain-funcs
+inherit autotools multilib-minimal toolchain-funcs flag-o-matic
 
 DESCRIPTION="C library providing BLAKE2b, BLAKE2s, BLAKE2bp, BLAKE2sp"
 HOMEPAGE="https://github.com/BLAKE2/libb2"
@@ -40,6 +40,8 @@ src_prepare() {
 	sed -i -e 's/ == / = /' configure.ac || die
 	# https://github.com/BLAKE2/libb2/pull/28
 	echo 'libb2_la_LDFLAGS = -no-undefined' >> src/Makefile.am || die
+	# make memset_s available
+	[[ ${CHOST} == *-solaris* ]] && append-cppflags -D__STDC_WANT_LIB_EXT1__=1
 	eautoreconf  # upstream doesn't make releases
 }
 

sdk_container/src/third_party/portage-stable/app-crypt/pinentry/pinentry-1.3.0-r3.ebuild

@@ -13,7 +13,7 @@ SRC_URI+=" verify-sig? ( mirror://gnupg/${PN}/${P}.tar.bz2.sig )"
 
 LICENSE="GPL-2"
 SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+KEYWORDS="~alpha ~amd64 arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
 IUSE="caps efl emacs gtk keyring ncurses qt5 qt6 wayland X"
 
 DEPEND="

sdk_container/src/third_party/portage-stable/app-crypt/tpm2-tools/tpm2-tools-5.7.ebuild

@@ -12,7 +12,7 @@ SRC_URI="https://github.com/tpm2-software/tpm2-tools/releases/download/${PV}/${P
 
 LICENSE="BSD"
 SLOT="0"
-KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~x86"
+KEYWORDS="amd64 arm arm64 ppc64 x86"
 IUSE="+fapi test"
 
 RESTRICT="!test? ( test )"

sdk_container/src/third_party/portage-stable/app-crypt/tpm2-tss/tpm2-tss-4.1.3.ebuild

@@ -11,7 +11,7 @@ SRC_URI="https://github.com/tpm2-software/${PN}/releases/download/${PV}/${P}.tar
 
 LICENSE="BSD-2"
 SLOT="0/4"
-KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc64 ~riscv ~x86"
+KEYWORDS="amd64 arm arm64 ~loong ppc64 ~riscv x86"
 IUSE="doc +fapi +openssl mbedtls +policy static-libs test"
 RESTRICT="!test? ( test )"