Weekly portage-stable package updates 2023-10-16

build_packages

@@ -272,10 +272,13 @@ if [[ "${FLAGS_usepkgonly}" -eq "${FLAGS_FALSE}" ]]; then
   # lvm2[udev] -> virtual/udev -> systemd[cryptsetup] -> cryptsetup -> lvm2
   # lvm2[systemd] -> systemd[cryptsetup] -> cryptsetup -> lvm2
   # systemd[cryptsetup] -> cryptsetup[udev] -> virtual/udev -> systemd
+  # curl[http2] -> nghttp2[systemd] -> systemd[curl] -> curl
   break_dep_loop sys-apps/util-linux udev,systemd,cryptsetup \
                  sys-fs/cryptsetup udev \
                  sys-fs/lvm2 udev,systemd \
-                 sys-apps/systemd cryptsetup
+                 sys-apps/systemd cryptsetup,curl \
+                 net-misc/curl http2 \
+                 net-libs/nghttp2 systemd
 fi
 
 export KBUILD_BUILD_USER="${BUILD_USER:-build}"

changelog/security/2023-10-16-weekly-updates.md

@@ -0,0 +1 @@
+- nghttp2 ([CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487))

changelog/updates/2023-10-16-weekly-updates.md

@@ -0,0 +1,2 @@
+- nghttp2 ([1.57.0](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0) (includes [1.52.0](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0), [1.53.0](https://github.com/nghttp2/nghttp2/releases/tag/v1.53.0), [1.54.0](https://github.com/nghttp2/nghttp2/releases/tag/v1.54.0), [1.55.0](https://github.com/nghttp2/nghttp2/releases/tag/v1.55.0), [1.55.1](https://github.com/nghttp2/nghttp2/releases/tag/v1.55.1) and [1.56.0](https://github.com/nghttp2/nghttp2/releases/tag/v1.56.0)))
+- sqlite ([3.43.2](https://www.sqlite.org/releaselog/3_43_2.html))

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords

@@ -4,9 +4,6 @@
 #
 # Keywords for all packages used by Flatcar.
 
-# Keep versions on both arches in sync.
-=app-arch/pigz-2.8 ~amd64
-
 # Seems to be the only available ebuild in portage-stable right now.
 =app-crypt/adcli-0.9.2 ~amd64 ~arm64
 
@@ -27,7 +24,7 @@
 =app-misc/pax-utils-1.3.7 ~amd64
 
 # Required for addressing CVE-2022-3715.
-=app-shells/bash-5.2_p15-r5 ~amd64 ~arm64
+=app-shells/bash-5.2_p15-r7 ~amd64 ~arm64
 
 # No keyword for arm64 yet.
 =coreos-devel/fero-client-0.1.1 **
@@ -60,7 +57,6 @@
 =net-misc/openssh-9.4_p1 ~amd64 ~arm64
 
 # Keep versions on both arches in sync.
-=net-misc/whois-5.5.18-r1 ~amd64
 =net-nds/openldap-2.6.4-r1 ~amd64
 =sec-policy/selinux-base-2.20200818-r3 ~arm64
 =sec-policy/selinux-base-policy-2.20200818-r3 ~arm64

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use

@@ -101,10 +101,6 @@ sys-kernel/coreos-firmware -savedconfig
 # Make kmod support kernel modules compressed via lzma(xz)
 sys-apps/kmod lzma
 
-# net-libs/nghttp2 should be built with -cxx to avoid issues with boost 1.65.
-# configure script is not able to check if Boost:ASIO library exists.
-net-libs/nghttp2 -cxx
-
 # These (qmanifest and qtegrity) are new tools and they pull even more dependencies.
 app-portage/portage-utils -qmanifest -qtegrity
 

sdk_container/src/third_party/portage-stable/app-arch/pigz/Manifest

@@ -1,3 +1,2 @@
-DIST pigz-2.7.tar.gz 108102 BLAKE2B d391522fd6f8eb6918d671fb1c9517034941f3ae8e05ffcd7bece141e6dae110cde1560bad02bd2bcca2f868cdba2a8a16b5606ad6637d40d5ced5ec9bfffcc8 SHA512 9f9f61de4a0307fc057dc4e31a98bd8d706d9e709ecde0be02a871534fddf6a1fe1321158aa72708603aaaece43f83d2423b127f7689b6219b23aea4f989e8f5
 DIST pigz-2.8.tar.gz 121304 BLAKE2B 9f1ae8b5e0dd9d9b1f17bcdbc41d8a9d50fd9b9ba7c50eb0bc1b738105d05cc396d9ce8e01f58f6b2fa7247a7c7e9926c602a613b1bb3e3a117c8f5c919ce640 SHA512 ae3d9d593e1645d65f9ab77aa828600c9af4bb30d0a073da7ae3dd805e65b87efaf6a0efb980f2d0168e475ae506eba194547d6479956dabb9d88293a9078a7f
 DIST pigz-2.8.tar.gz.asc 235 BLAKE2B eb204079597d3e958da3672ba7f92481848bb7824da12b9306ff180add107175bed7bdd435dbc270170769a489c34a033d6ff547e8203cf1d71df6564381b43d SHA512 cb1dbca21d8fed25049693de02abf7489f61407d85f9a52d566c14e0194c6c393aed3edd2fd716d0ecedf7eeead6ae89d0cecc236caacd98740d14bd71e078db

sdk_container/src/third_party/portage-stable/app-arch/pigz/pigz-2.8.ebuild

@@ -15,7 +15,7 @@ SRC_URI="
 
 LICENSE="ZLIB"
 SLOT="0"
-KEYWORDS="~alpha ~amd64 arm arm64 ~hppa ~ia64 ~loong ~mips ~ppc ppc64 ~riscv ~s390 sparc ~x86 ~amd64-linux ~ppc-macos"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~ppc-macos"
 IUSE="static test"
 RESTRICT="!test? ( test )"
 

sdk_container/src/third_party/portage-stable/app-arch/xz-utils/metadata.xml

@@ -9,6 +9,7 @@
 		<flag name="extra-filters">Build additional filters that are not
 			used in any of the default xz presets. This includes delta
 			and BCJ coders, additional match finders and SHA256 checks.</flag>
+		<flag name="pgo">Optimize the build using Profile Guided Optimization (PGO)</flag>
 	</use>
 	<upstream>
 		<remote-id type="cpe">cpe:/a:tukaani:xz</remote-id>

sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.4.ebuild

@@ -6,7 +6,7 @@
 
 EAPI=8
 
-inherit libtool multilib multilib-minimal preserve-libs usr-ldscript
+inherit flag-o-matic libtool multilib multilib-minimal preserve-libs usr-ldscript
 
 if [[ ${PV} == 9999 ]] ; then
 	# Per tukaani.org, git.tukaani.org is a mirror of github and
@@ -47,7 +47,7 @@ HOMEPAGE="https://tukaani.org/xz/"
 # See top-level COPYING file as it outlines the various pieces and their licenses.
 LICENSE="public-domain LGPL-2.1+ GPL-2+"
 SLOT="0"
-IUSE="doc +extra-filters nls static-libs"
+IUSE="doc +extra-filters pgo nls static-libs"
 
 if [[ ${PV} != 9999 ]] ; then
 	BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-jiatan )"
@@ -103,6 +103,26 @@ multilib_src_configure() {
 	ECONF_SOURCE="${S}" econf "${myconf[@]}"
 }
 
+multilib_src_compile() {
+	# -fprofile-partial-training because upstream note the test suite isn't super comprehensive
+	# See https://documentation.suse.com/sbp/all/html/SBP-GCC-10/index.html#sec-gcc10-pgo
+	local pgo_generate_flags=$(usev pgo "-fprofile-update=atomic -fprofile-dir=${T}/${ABI}-pgo -fprofile-generate=${T}/${ABI}-pgo $(test-flags-CC -fprofile-partial-training)")
+	local pgo_use_flags=$(usev pgo "-fprofile-use=${T}/${ABI}-pgo -fprofile-dir=${T}/${ABI}-pgo $(test-flags-CC -fprofile-partial-training)")
+
+	emake CFLAGS="${CFLAGS} ${pgo_generate_flags}"
+
+	if use pgo ; then
+		emake CFLAGS="${CFLAGS} ${pgo_generate_flags}" -k check
+
+		if tc-is-clang; then
+			llvm-profdata merge "${T}"/${ABI}-pgo --output="${T}"/${ABI}-pgo/default.profdata || die
+		fi
+
+		emake clean
+		emake CFLAGS="${CFLAGS} ${pgo_use_flags}"
+	fi
+}
+
 multilib_src_install() {
 	default
 

sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-9999.ebuild

@@ -47,7 +47,7 @@ HOMEPAGE="https://tukaani.org/xz/"
 # See top-level COPYING file as it outlines the various pieces and their licenses.
 LICENSE="public-domain LGPL-2.1+ GPL-2+"
 SLOT="0"
-IUSE="doc +extra-filters nls static-libs"
+IUSE="doc +extra-filters pgo nls static-libs"
 
 if [[ ${PV} != 9999 ]] ; then
 	BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-jiatan )"
@@ -100,13 +100,29 @@ multilib_src_configure() {
 		myconf+=( --disable-path-for-script )
 	fi
 
-	# ifunc is incompatible w/ asan
-	# https://github.com/tukaani-project/xz/issues/62#issuecomment-1719489932
-	is-flagq -fsanitize=address && myconf+=( --disable-ifunc )
-
 	ECONF_SOURCE="${S}" econf "${myconf[@]}"
 }
 
+multilib_src_compile() {
+	# -fprofile-partial-training because upstream note the test suite isn't super comprehensive
+	# See https://documentation.suse.com/sbp/all/html/SBP-GCC-10/index.html#sec-gcc10-pgo
+	local pgo_generate_flags=$(usev pgo "-fprofile-update=atomic -fprofile-dir=${T}/${ABI}-pgo -fprofile-generate=${T}/${ABI}-pgo $(test-flags-CC -fprofile-partial-training)")
+	local pgo_use_flags=$(usev pgo "-fprofile-use=${T}/${ABI}-pgo -fprofile-dir=${T}/${ABI}-pgo $(test-flags-CC -fprofile-partial-training)")
+
+	emake CFLAGS="${CFLAGS} ${pgo_generate_flags}"
+
+	if use pgo ; then
+		emake CFLAGS="${CFLAGS} ${pgo_generate_flags}" -k check
+
+		if tc-is-clang; then
+			llvm-profdata merge "${T}"/${ABI}-pgo --output="${T}"/${ABI}-pgo/default.profdata || die
+		fi
+
+		emake clean
+		emake CFLAGS="${CFLAGS} ${pgo_use_flags}"
+	fi
+}
+
 multilib_src_install() {
 	default
 

sdk_container/src/third_party/portage-stable/app-misc/pax-utils/pax-utils-1.3.5.ebuild

@@ -6,12 +6,12 @@ EAPI=8
 # Note: if bumping pax-utils because of syscall changes in glibc, please
 # revbump glibc and update the dependency in its ebuild for the affected
 # versions.
-PYTHON_COMPAT=( python3_{9..11} )
+PYTHON_COMPAT=( python3_{10..11} )
 
 inherit meson python-single-r1
 
 DESCRIPTION="ELF utils that can check files for security relevant properties"
-HOMEPAGE="https://wiki.gentoo.org/index.php?title=Project:Hardened/PaX_Utilities"
+HOMEPAGE="https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities"
 
 if [[ ${PV} == 9999 ]]; then
 	EGIT_REPO_URI="https://anongit.gentoo.org/git/proj/pax-utils.git"

sdk_container/src/third_party/portage-stable/app-misc/pax-utils/pax-utils-1.3.7.ebuild

@@ -6,12 +6,12 @@ EAPI=8
 # Note: if bumping pax-utils because of syscall changes in glibc, please
 # revbump glibc and update the dependency in its ebuild for the affected
 # versions.
-PYTHON_COMPAT=( python3_{9..11} )
+PYTHON_COMPAT=( python3_{10..11} )
 
 inherit meson python-single-r1
 
 DESCRIPTION="ELF utils that can check files for security relevant properties"
-HOMEPAGE="https://wiki.gentoo.org/index.php?title=Project:Hardened/PaX_Utilities"
+HOMEPAGE="https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities"
 
 if [[ ${PV} == 9999 ]]; then
 	EGIT_REPO_URI="https://anongit.gentoo.org/git/proj/pax-utils.git"

sdk_container/src/third_party/portage-stable/app-misc/pax-utils/pax-utils-9999.ebuild

@@ -6,12 +6,12 @@ EAPI=8
 # Note: if bumping pax-utils because of syscall changes in glibc, please
 # revbump glibc and update the dependency in its ebuild for the affected
 # versions.
-PYTHON_COMPAT=( python3_{9..11} )
+PYTHON_COMPAT=( python3_{10..11} )
 
 inherit meson python-single-r1
 
 DESCRIPTION="ELF utils that can check files for security relevant properties"
-HOMEPAGE="https://wiki.gentoo.org/index.php?title=Project:Hardened/PaX_Utilities"
+HOMEPAGE="https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities"
 
 if [[ ${PV} == 9999 ]]; then
 	EGIT_REPO_URI="https://anongit.gentoo.org/git/proj/pax-utils.git"