Weekly portage-stable package updates 2023-07-03

[github-actions]

CI: http://jenkins.infra.kinvolk.io:8080/job/container/job/sdk/910/cldsv

--

• app-arch/bzip2: [PROD] [DEV]

  • still at 1.0.8-r4
  • adds support for .exe

• app-crypt/rhash:

  • from 1.4.2 to 1.4.3
  • EAPI 8
  • became stable on arm64, so dropped accept keywords from overlay
  • release notes: https://github.com/rhash/RHash/releases/tag/v1.4.3

• app-editors/vim: [PROD] [DEV]

  • still at 9.0.1503
  • no updates

• app-editors/vim-core: [PROD] [DEV]

  • still at 9.0.1503
  • no updates

• app-emulation/qemu: [PROD] [DEV]

  • from 7.2.0-r3 to 7.2.3
  • added arm64 to accept keywords to have same version in both arches
  • release notes: https://wiki.qemu.org/ChangeLog/7.2

• app-portage/portage-utils

  • from 0.95 to 0.96-r1
  • include gcc[openmp] for portage-utils[openmp] in catalyst
  • release notes: https://github.com/gentoo/portage-utils/releases/tag/v0.96

• app-shells/bash: [PROD] [DEV]

  • from 5.2_p15-r3 to 5.2_p15-r5
  • still unstable, so updated accept keywords in overlay
  • started depending on bison instead of on any YACC implementation

• dev-db/sqlite: [PROD] [DEV]

  • still at 3.42.0
  • no changes

• devl-lang/lua: [PROD] [DEV]

  • from 5.3.6-r102 to 5.4.4-r103
  • release notes: https://www.lua.org/manual/5.4/readme.html#changes

• dev-lang/perl:

  • from 5.36.0-r2 to 5.36.1-r2
  • release notes: https://perldoc.perl.org/perl5361delta

• dev-lang/python: [DEV]

  • still at 3.10.12
  • became stable on amd64, so dropped accept keywords from overlay
  • dropped the hardened USE flag - it was unused in the ebuild
  • dropped a conflict blocker dep on ancient sys-apps/sandbox

• dev-libs/elfutils: [PROD] [DEV]

  • from 0.188 to 0.189-r1
  • still unstable on amd64, so added accept keywords to overlay
  • fixed lto builds
  • release notes: https://sourceware.org/pipermail/elfutils-devel/2023q1/006023.html

• dev-libs/glib: [PROD] [DEV]

  • from 2.76.2 to 2.76.3
  • bumped python compat to 3.{9..12}
  • release notes: https://gitlab.gnome.org/GNOME/glib/-/releases/2.76.3

• dev-libs/libassuan: [PROD] [DEV]

  • still at 2.5.5
  • no changes

• dev-libs/libgpg-error: [PROD] [DEV]

  • still at 1.47
  • no changes

• dev-libs/libksba: [PROD] [DEV]

  • still at 1.6.3
  • no changes

• dev-libs/libpcre2: [PROD] [DEV]

  • still at 10.42-r1
  • no changes

• dev-libs/nettle: [PROD] [DEV]

  • from 3.8.1 to 3.9.1
  • still unstable for arm64 so added accept keywords to overlay
  • added USE flags for ppc intrinsics
  • release notes: https://git.lysator.liu.se/nettle/nettle/-/blob/nettle_3.9.1_release_20230601/ChangeLog

• dev-libs/oniguruma: [PROD] [DEV]

  • still at 6.9.8
  • updated keywords for other arches

• dev-python/cython:

  • from 0.29.34 to 0.29.35
  • bumped python compat to 3.{10..12}
  • made tests to run in parallel
  • release notes: https://github.com/cython/cython/blob/0.29.35/CHANGES.rst

• dev-python/docutils:

  • from 0.19 to 0.20.1
  • bumped python compat to 3.{10..12}
  • release notes: https://www.docutils.org/RELEASE-NOTES.html#release-0-20-unpublished

• dev-python/inflect:

  • still at 6.0.4
  • no changes

• dev-python/jaraco-functools:

  • still at 3.6.0
  • updated metadata

• dev-python/platformdirs:

  • still at 3.5.1
  • no changes

• dev-python/pydantic:

  • from 1.10.7 to 1.10.9
  • updated metadata
  • bumped python compat to python3.{10..12}
  • disabled native-extensions USE flag
  • restricted the cython dep to <3
  • excluded some more tests for python 3.12
  • release notes: https://github.com/pydantic/pydantic/releases/tag/v1.10.9

• dev-python/setuptools:

  • from 67.7.2 to 67.8.0
  • release notes: https://github.com/pypa/setuptools/blob/v67.8.0/CHANGES.rst
  • bumped python compat to python3.{10..12}

• dev-python/typing-extensions:

  • from 4.5.0 to 4.6.3
  • bumped python compat to python3.{10..12}
  • release notes: https://github.com/python/typing_extensions/blob/4.6.3/CHANGELOG.md

• dev-util/b2:

  • still at 4.9.6
  • no changes

• dev-util/bpftool: [PROD] [DEV]

  • still at 6.3
  • no changes

• dev-util/cmake:

  • still at 3.26.4-r1
  • no changes

• dev-util/gdbus-codegen:

  • from 2.76.2 to 2.76.3
  • bumped python compat to 3.{9..12}
  • release notes: https://gitlab.gnome.org/GNOME/glib/-/releases/2.76.3

• dev-util/glib-utils:

  • from 2.76.2 to 2.76.3
  • bumped python compat to 3.{9..12}
  • release notes: https://gitlab.gnome.org/GNOME/glib/-/releases/2.76.3

• dev-util/meson:

  • still at 1.1.1
  • added pypy3 to python compat

• dev-util/pahole [DEV]

  • still at 1.24_p20221024
  • bumped python compat to 3.{9..12}

• dev-util/perf:

  • from 5.19-r1 to 6.3
  • release notes: https://kernelnewbies.org/LinuxChanges#Linux_6.3.Tracing.2C_perf_and_BPF

• dev-util/pkgconf:

  • still at 1.8.1
  • updated SRC_URI to a new location

• dev-util/re2c:

  • still at 2.2
  • updated keywords for other arches

• dev-util/strace: [PROD] [DEV]

  • still at 6.3
  • no changes

• eclass/acct-group:

  • added better error messages

• eclass/acct-user:

  • added better error messages

• eclass/cmake:

  • set CMAKE_SYSROOT when building with SYSROOT
    • fixed llvm build
  • added a workaround for work directory creation

• eclass/distutils-r1:

  • bumped minimal version of various build packages:
    • flit-core to 3.9.0
    • setuptools to 67.7.2
  • added printing a version of dev-python/setuptools-rust when DISTUTILS_USE_SETUPTOOLS is setuptools (no package in Flatcar uses it at the moment)
  • added support for scikit-build-core backend

• eclass/elisp-common:

  • added the elisp-make-site-file function

• eclass/python-utils-r1:

  • updated pypy3 for 3.10
  • bumped minimum python versions (3.10 was bumped to 3.10.12)

• eclass/toolchain:

  • namespaced hardening functions
  • wired up --enable-host-bind-now for GCC 14

• licenses:

  • added license for HoMM2-Demo

• media-libs/libpng:

  • still at 1.6.39
  • no changes

• net-analyzer/nmap: [PROD] [DEV]

  • from 7.93-r3 to 7.94
  • bumped lua compat to 5.4, so updated lua masks in overlay profiles
  • bumped python compat to 3.{10..11}
  • added support for translations (we default to english only)
  • changed license to NPSL-0.95 only (used to be either NPSL-0.94 or NPSL-0.95)
  • added new USE flags: ndiff, nls and zenmap
    • ndiff and zenmap are for enabling some extra tools, but they use python, so we keep them disabled
    • nls is translation support, disabled
  • release notes: https://nmap.org/changelog.html#7.94

• net-libs/libpcap: [PROD] [DEV]

  • still at 1.10.4
  • updated keywords for other arches

• net-misc/curl: [PROD] [DEV]

  • still at 8.1.2
  • no changes

• net-misc/iputils: [PROD] [DEV]

  • still at 20221126-r1
  • dropped an obsolete comment

• net-misc/openssh (OVERLAY): [PROD] [DEV]

  • from 9.3_p1 to 9.3_p1-r2
  • simplified the ebuild by dropping all the high performance third party patches that we didn't even use

• profiles:

  • dropped some legacy arm32 flags from arm64 profiles
  • masked USE flags sslv2 sslv3 for net-libs/gnutls and dev-libs/openssl
    • this is masking support for old and insecure protocols
  • masked sslv3 in net-misc/curl
    • sslv3 requires openssl <3, and it's and old and insecure protocol
  • OSI-APPROVED group was split into OSI-APPROVED-FREE and OSI-APPROVED-NONFREE
    • NOSA and Watcom-1.0 licenses were moved from O-A to O-A-NONFREE
  • masked app-shells/bash-5.2_p15-r4 (we have r3, will be updated to r5)

• sys-apps/acl: [PROD] [DEV]

  • still at 2.3.1-r1
  • fixed lto builds

• sys-apps/coreutils: [PROD] [DEV]

  • still at 9.3-r2
  • no changes

• sys-apps/ethtool: [PROD] [DEV]

  • still at 6.3
  • no changes

• sys-apps/iproute2: [PROD] [DEV]

  • still at 6.3.0
  • no changes

• sys-apps/kbd: [DEV]

  • still at 2.5.1
  • no changes

• sys-apps/kexec-tools: [PROD] [DEV]

  • still at 2.0.24
  • added selinux USE flag, pulls in sec-policy/selinux-kdump, disabled

• sys-apps/less: [PROD] [DEV]

  • still at 633
  • no changes

• sys-apps/man-pages: [DEV]

  • still at 6.04
  • no changes

• sys-apps/net-tools: [PROD] [DEV]

  • still at 2.10
  • updated metadata

• sys-apps/nvme-cli: [PROD] [DEV]

  • still at 2.4-r2
  • no changes

• sys-apps/portage: [DEV]

  • still at 3.0.46
  • updated keywords for other arches

• sys-apps/sandbox: [DEV]

  • from 2.30-r1 to 2.32
  • still unstable for arm64 so updated accept keywords in overlay

• sys-apps/util-linux: [PROD] [DEV]

  • still at 2.38.1-r2
  • no changes

• sys-devel/autoconf:

  • still at 2.71-r6:2.71
  • updated keywords for other arches

• sys-devel/binutils: [PROD] [DEV]

  • from 2.39-r5 to 2.40-r5
  • dropped default-gold USE flag
  • added zstd USE flag, disabled for now
  • still unstable for arm64 so added keywords for arm64 to overlay
  • added some fixes for cet USE flag
  • fixed CVE-2022-38533, possibly CVE-2022-4285, CVE-2023-1579
  • release notes: https://lists.gnu.org/archive/html/info-gnu/2023-01/msg00003.html

• sys-devel/crossdev:

  • still at 20230321
  • no changes

• sys-devel/gcc: [PROD] [DEV]

  • still at 12.2.1_p20230428-r1
  • no changes

• sys-devel/gcc-config: [DEV]

  • from 2.10 to 2.11
  • release notes: https://gitweb.gentoo.org/proj/gcc-config.git/log/?h=v2.11

• sys-devel/gettext: [PROD] [DEV]

  • still at 0.21.1
  • no changes

• sys-fs/e2fsprogs: [PROD] [DEV]

  • from 1.47.0-r1 to 1.47.0-r2
  • added musl fixes

• sys-kernel/linux-headers: [PROD] [DEV]

  • still at 6.1
  • no changes

• sys-libs/binutils-libs: [PROD] [DEV]

  • from 2.39-r5 to 2.40-r5
  • added test IUSE flag
  • still unstable on arm64, so added keywords to overlay
  • dropped support for zstd (still available for binutils, though)
  • dropped some file provided by gdb
  • fixed CVE-2022-38533, possibly CVE-2022-4285, CVE-2023-1579
  • release notes: https://lists.gnu.org/archive/html/info-gnu/2023-01/msg00003.html

• sys-libs/ncurses: [PROD] [DEV]

  • from 6.3_p20220423 to 6.4_p20230527
  • moved from overlay to portage-stable
    • the modifications were upstreamed, so no point in keeping the package in overlay
  • still unstable and masked in profiles, so added accept keywords and unmasked it explicitly in overlay
    • Gentoo masked it because of issues with tmux and openrc (we have neither of those packages)
  • EAPI 8
  • added new USE flags split-usr, +stack-realign
    • split-usr is used for installing terminfo stuff into /etc
    • stack-realign adds -mstackrealign to CFLAGS for some compatibility with older binaries at the expense of a bit of performance
      • not relevant for us, done only for x86 ABI (we use amd64 or arm64)
  • dropped our symlink-usr USE flag
    • replaced by split-usr and minimal USE flags
  • changed a bit the set of minimal terminfos:
    • screen-16color, sun and xterm-xfree86 infos were dropped
    • screen.xterm-256color was added
  • dropped Flatcar modification adding addwrite /dev/ptmx to avoid sandbox failures
    • trying to see if it still affects us after the update
  • fixed CVE-2023-29491
    • closes update: ncurses Flatcar#1045

• sys-libs/readline: [PROD] [DEV]

  • still at 8.2_p1
  • dropped support for winnt

• virtual/libc: [DEV]

  • still at 1-r1
  • dropped cygwin support

• virtual/os-headers: [DEV]

  • still at 0-r2
  • dropped support for winnt

--

• changelog
• image diff

[krnowak]

CI passed.

@dongsupark: Could you help me here with the binutils CVE fixes? I'm not sure I got them right. Thanks!

[github-actions]

Build action triggered: https://github.com/flatcar/scripts/actions/runs/5482921333

[krnowak]

This PR also moves ncurses to portage-stable and updates openssh in overlay.

[dongsupark]

Could you help me here with the binutils CVE fixes? I'm not sure I got them right. Thanks!

Yes, it is already correct.
binutils 2.40 fixes all. CVE-2022-38533, CVE-2022-4285, CVE-2023-1579.

[krnowak]

Could you help me here with the binutils CVE fixes? I'm not sure I got them right. Thanks!

Yes, it is already correct. binutils 2.40 fixes all. CVE-2022-38533, CVE-2022-4285, CVE-2023-1579.

Cool, so looking at flatcar/Flatcar#1053, CVE-2023-1972 and CVE-2023-2222 are still to be fixed?

[dongsupark]

Cool, so looking at flatcar/Flatcar#1053, CVE-2023-1972 and CVE-2023-2222 are still to be fixed?

Oh, sorry. I missed one.
It is true that CVE-2023-1972 is not fixed yet.

However, CVE-2023-2222 is already fixed in binutils 2.40.
See also https://sourceware.org/bugzilla/show_bug.cgi?id=29936, https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8af23b30edbaedf009bc9b243cd4dfa10ae1ac09.

[krnowak]

Cool, so looking at flatcar/Flatcar#1053, CVE-2023-1972 and CVE-2023-2222 are still to be fixed?

Oh, sorry. I missed one. It is true that CVE-2023-1972 is not fixed yet.

However, CVE-2023-2222 is already fixed in binutils 2.40. See also https://sourceware.org/bugzilla/show_bug.cgi?id=29936, https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8af23b30edbaedf009bc9b243cd4dfa10ae1ac09.

Thanks, updated the changelog.