From 8b24908a76ac20bb12503c7a32ee4d3cea245a74 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Fri, 9 Feb 2024 22:52:40 +0100 Subject: [PATCH 1/5] glibc: 2.38-44 -> 2.39-5 Announcement: https://lists.gnu.org/archive/html/info-gnu/2024-01/msg00017.html This release seems relatively harmless in terms of potential fallout. Most notably is the removal of `crypt(3)` in favor of libxcrypt which we've done already and compatibility from ISO C2X. Also decided to drop the old *.gz approach in favor of inlining the patch with the changes from the release branch directly: it's relatively small in contrast to certain lockfiles in this repo and having a textual version makes reviews & diffs easier. See also https://github.com/NixOS/nixpkgs/pull/258972#discussion_r1454962456 for more context. --- ...l-usage-of-BASH-or-BASH-in-installed.patch | 36 +- .../libraries/glibc/2.38-master.patch.gz | Bin 55343 -> 0 bytes .../libraries/glibc/2.39-master.patch | 566 ++++++++++++++++++ pkgs/development/libraries/glibc/common.nix | 25 +- pkgs/development/libraries/glibc/default.nix | 3 +- .../glibc/local-qsort-memory-corruption.patch | 14 - 6 files changed, 594 insertions(+), 50 deletions(-) delete mode 100644 pkgs/development/libraries/glibc/2.38-master.patch.gz create mode 100644 pkgs/development/libraries/glibc/2.39-master.patch delete mode 100644 pkgs/development/libraries/glibc/local-qsort-memory-corruption.patch diff --git a/pkgs/development/libraries/glibc/0001-Revert-Remove-all-usage-of-BASH-or-BASH-in-installed.patch b/pkgs/development/libraries/glibc/0001-Revert-Remove-all-usage-of-BASH-or-BASH-in-installed.patch index b7658b59fb1e..100bf31c3b00 100644 --- a/pkgs/development/libraries/glibc/0001-Revert-Remove-all-usage-of-BASH-or-BASH-in-installed.patch +++ b/pkgs/development/libraries/glibc/0001-Revert-Remove-all-usage-of-BASH-or-BASH-in-installed.patch @@ -1,4 +1,4 @@ -From cdd0c4b168fe228de97778556cea5c0f936e0e79 Mon Sep 17 00:00:00 2001 +From e207c3dbcff1d3d09c60eec99b6fec2a698b01bd Mon Sep 17 00:00:00 2001 From: Bernardo Meurer Date: Fri, 22 Jul 2022 22:11:07 -0700 Subject: [PATCH] Revert "Remove all usage of @BASH@ or ${BASH} in installed @@ -22,10 +22,10 @@ Co-authored-by: Maximilian Bosch 8 files changed, 15 insertions(+), 10 deletions(-) diff --git a/debug/Makefile b/debug/Makefile -index 52f9a7852c..22e4ae5461 100644 +index 3903cc97a3..b041acca71 100644 --- a/debug/Makefile +++ b/debug/Makefile -@@ -265,8 +265,9 @@ $(objpfx)pcprofiledump: $(objpfx)pcprofiledump.o +@@ -343,8 +343,9 @@ $(objpfx)pcprofiledump: $(objpfx)pcprofiledump.o $(objpfx)xtrace: xtrace.sh rm -f $@.new @@ -38,20 +38,20 @@ index 52f9a7852c..22e4ae5461 100644 && rm -f $@ && mv $@.new $@ && chmod +x $@ diff --git a/debug/xtrace.sh b/debug/xtrace.sh -index 3d1f2af43a..eb2ba7ad4a 100755 +index 77ec1d84df..5614404a71 100755 --- a/debug/xtrace.sh +++ b/debug/xtrace.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#! @BASH@ - # Copyright (C) 1999-2023 Free Software Foundation, Inc. + # Copyright (C) 1999-2024 Free Software Foundation, Inc. # This file is part of the GNU C Library. diff --git a/elf/Makefile b/elf/Makefile -index 0d19964d42..ee8ee1cd41 100644 +index 5d78b659ce..a2145d7b64 100644 --- a/elf/Makefile +++ b/elf/Makefile -@@ -250,7 +250,8 @@ $(objpfx)sotruss-lib.so: $(common-objpfx)libc.so $(objpfx)ld.so \ +@@ -249,7 +249,8 @@ $(objpfx)sotruss-lib.so: $(common-objpfx)libc.so $(objpfx)ld.so \ $(common-objpfx)libc_nonshared.a $(objpfx)sotruss: sotruss.sh $(common-objpfx)config.make @@ -61,7 +61,7 @@ index 0d19964d42..ee8ee1cd41 100644 -e 's%@TEXTDOMAINDIR@%$(localedir)%g' \ -e 's%@PREFIX@%$(prefix)%g' \ -e 's|@PKGVERSION@|$(PKGVERSION)|g' \ -@@ -1396,6 +1397,7 @@ ldd-rewrite = -e 's%@RTLD@%$(rtlddir)/$(rtld-installed-name)%g' \ +@@ -1392,6 +1393,7 @@ ldd-rewrite = -e 's%@RTLD@%$(rtlddir)/$(rtld-installed-name)%g' \ -e 's%@VERSION@%$(version)%g' \ -e 's|@PKGVERSION@|$(PKGVERSION)|g' \ -e 's|@REPORT_BUGS_TO@|$(REPORT_BUGS_TO)|g' \ @@ -70,30 +70,30 @@ index 0d19964d42..ee8ee1cd41 100644 ifeq ($(ldd-rewrite-script),no) diff --git a/elf/ldd.bash.in b/elf/ldd.bash.in -index e45dec5894..e09428506e 100644 +index d6b640df66..46111670cd 100644 --- a/elf/ldd.bash.in +++ b/elf/ldd.bash.in @@ -1,4 +1,4 @@ -#!/bin/bash +#! @BASH@ - # Copyright (C) 1996-2023 Free Software Foundation, Inc. + # Copyright (C) 1996-2024 Free Software Foundation, Inc. # This file is part of the GNU C Library. diff --git a/elf/sotruss.sh b/elf/sotruss.sh -index 874a6bed3f..7cc154561e 100755 +index ac1a83984e..2bf17c518e 100755 --- a/elf/sotruss.sh +++ b/elf/sotruss.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#! @BASH@ - # Copyright (C) 2011-2023 Free Software Foundation, Inc. + # Copyright (C) 2011-2024 Free Software Foundation, Inc. # This file is part of the GNU C Library. diff --git a/malloc/Makefile b/malloc/Makefile -index dfb51d344c..574b5e9579 100644 +index c83ade5f10..8dd9174b79 100644 --- a/malloc/Makefile +++ b/malloc/Makefile -@@ -306,8 +306,9 @@ $(objpfx)mtrace: mtrace.pl +@@ -312,8 +312,9 @@ $(objpfx)mtrace: mtrace.pl $(objpfx)memusage: memusage.sh rm -f $@.new @@ -106,17 +106,17 @@ index dfb51d344c..574b5e9579 100644 && rm -f $@ && mv $@.new $@ && chmod +x $@ diff --git a/malloc/memusage.sh b/malloc/memusage.sh -index b1f5848b74..329e36ef8a 100755 +index d2d9d17ea8..2e7efc9049 100755 --- a/malloc/memusage.sh +++ b/malloc/memusage.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#! @BASH@ - # Copyright (C) 1999-2023 Free Software Foundation, Inc. + # Copyright (C) 1999-2024 Free Software Foundation, Inc. # This file is part of the GNU C Library. diff --git a/timezone/Makefile b/timezone/Makefile -index 0306c0bca9..de9bbcc815 100644 +index d7acb387ba..c8e203ea3a 100644 --- a/timezone/Makefile +++ b/timezone/Makefile @@ -132,7 +132,8 @@ $(testdata)/XT5: testdata/gen-XT5.sh @@ -130,5 +130,5 @@ index 0306c0bca9..de9bbcc815 100644 -e '/PKGVERSION=/s|=.*|="$(PKGVERSION)"|' \ -e '/REPORT_BUGS_TO=/s|=.*|="$(REPORT_BUGS_TO)"|' \ -- -2.38.4 +2.42.0 diff --git a/pkgs/development/libraries/glibc/2.38-master.patch.gz b/pkgs/development/libraries/glibc/2.38-master.patch.gz deleted file mode 100644 index a07e4f8e1d507dbc33fa97d05ba0ea343fc03d4d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 55343 zcmV)3K+C@$iwFP!000021Dsh|bK5u)e%G()t*zQfmMHPi?PKhfos4UojBB0jPUVFK zf}n^AMXGq%)}->^rvXqRMUk?yE?WoC-RSe{CQPH%il^YtCX^C`ja+YPm=4p~&}9a* zruxkAbklJRHeqzgS~pqhNAVoq2T{yP2>)Yz#bUVdUgU@Cn7KYl`!rfzwQfnu<^b?H zV{nr#!2m;_o0GXQ0#i3F=<24fw^~R6N$LjNnZx~R9Y@a$(j?VlMuIg-eL!LO&K(}` zbOSFOmy#%pDFZKxQ|@t!yHO|w$(P?l_^?=j!*HL0Vf5hs@dhZWyCUCExWD6MF6@pW zFC-S5Bo!1=kdt{HT9@#@81MwbD20H;O9m{AvZW90DL9*yCBVZZWyFQZgU6fCzuF&f z{!lxez7+JHzoJkS;cOsFc(??z6)q3NowDG5VN09(ERHv@=JXqC>&4MZI79?(Wau6> zb$4Q6tV}u`O-;+4&1Ped5IPx-$7435CYy9xEth*9Xxb9F$Ur%JQ1)@3f>XcV;-Sl4 z!L!T}osGzF*za58*^p6pN<0jxJ{}HRnx-|$ZFRfdM%mZbpqazo7`pg6f$M8&@&l(V zOc;BJ=7oCEhnJbI8Y6{`zBP1nhMFnD=+=`X{qAH~Z-phP8u zt3JTlpare&KY2)l%w=#9aP(r*_pe$|ETW=3I$T5LD~l@<1Q8XB!itfO`gcc0&oIyo zc#gOWE|VnCmfz0S9XuYWPvSEuZQ$znmIj!IX%>ef-Xw;z&MGIFcFu*)p392VYIPgQ zw3B4yQ)34XPvlRmwckjbtw>0Hjvf>%{cpRKYqD}1L1HvF_4#NA68aV-UZ>-^ ztRyU6tY$0>2@P2)%OCLf=Ho2{Y)R+_=sHVEW%LxS*mg@$EgrulKtdP%&6>r}Jc;52 zeDbW&!A5TG+VD<)o#OGft{b=S6i_ilhX}s1IO-v3mY{Q!EJ#I3^AP^Rb>?bOmgcHq z$tq2sNszHzqt5~fumq@&-00~zax;o3B94v%7hcFlAjzSL1a+1YJi-GlAs*7NuxHL*&@yK; zhsT($PykZK1U_Oik@cFu#k#cIU**e1przpqVNwY>rGZpnYm>NaoeVGy25z898+hnp zu?l=?+{^)tx>e({CFnIG+!_%y%J3EGUyVaiEAp!H zUkR*kdtrW%IBIYPpCXW11;adH+Z&d4a<~Nn(`{iiT!H7uXi1p99x)@vb8ej#j3q4g!VU4$ zEBx6L@$89E^+Z?%^a>_%TH*66Ax$wGw;i!Bz5E5$%B9;CToSdPgH0X*m!*ggiHd=g z@LjzfO@l4T34YHhE56THPxXI|5c32fl{nN$(M!f`eWrHXg=>3?p(hHjAuwBKh}!xG z3N9V?z4(Yd0Y?;s^0un&(nf_2btEE;g(dgOlAEWe-xu@aq_?M%Zk_x#rFDd|7#iB> z8@Rdx)9k>%M4&yd16?rAPcm&=;-^`6618dn1hI9TxG+;#Da`YJ%DmG}JK3z0O*(2$ zW7s-ymdCVgty~p(EO`1%Vsk)P)n#iU*s1E>=!h_)CH$!bh!QTv{

}nlb|vK!jB%-2L{OxBRlXg#yi^|=niJO3 z`%I)TNs@?iETm^v8VnBgzPJE$U+tPo&KU|l-nOm=flrsx0FGt7r35S&lTO2{i>o#UB4PPaZl^0r%lv*`BxaB zH_=;WExpl1Kde>9Fq`Pd!&-W)iGEhEf1_^=vtFUmkr}Bj%{nlEa;cu!S4&{M*F}$~ zY;$=vSH}s3*D!39Qe9rsiKmG)!d__ymbzUK9jpi2Z#K4AJN096M|!zu+TH_+qDU$v z*nE=|k~Gd}D(-b`j}f$tC2&^$R9=b>k>P8M8 zp4aRoG<-qUXc<{D5jmePeTKE6a#dZ!;2^q}QF|vR*?Jwt;#M+OpeCcXs$EsouCL|& zdKu)*)pQs6CX;x39f~r5QgxO4m4!fJ>hqLQSuZt8mCH%Ha!A5yUyb}K?~Tc^gxO)# zo(*(+XI57oMMZA?p^8xW_QA@n;2|s)e>5jh-RzG*a!M}M;bKW^%rmk#V>Udu))-tD z$Fu4Y6)`zfR;5)lbvL=@|9EH!N1Zfve!W0Z18?77Xa_^(FU_|X*!}eLqYn{9L)A{2 zYPFx}&BZ+FHq4VHj~&dB2Q%cs{8%$P?uLQC0RRC1|D;+?Z=)~}J-5GtW21&{2q_6o zFO^m+t+eW;dq>7Lsa3!cA4xC!-*-F)V!)KDl`2&t*o-|h_M3T+P2xriX0+f%3s$t@ zL>or5;X@lXwBbS%i6`+uN)y10%)%`?k>gylqLE4E={Toq9A7IGGA%q+m`b0IBQ-GDf)3h$d z3C&U>g4XtO(!5)XeNMa87Z;e>)_CLUqddI*M5-E{)cy`wb9el3-w8p2I1D%UJLZL3 z5^uL5kK-Uo0)I`tV8_=qPRJ&?-}qlriTx^s7J#5kO#KBTnOI&@_Tc=KSn3sA9o5W% zYMU@t=p2t>27k3(g^P=L;jb!(U?d#1Jd=6jD(6*}RjH3(R8>8{yf~R;bqc?ocoCCI zWJ{DEL6xpm7jQH1LPQnj^u9GEVZQ(a`LvT7@~HDXz7xjUh6Jyh-YucG^1v)f=)UPZcs`!!UyB}2MIj36D zLJeh#mXs**&-*Tjf{hDDY5ndV@>(m$+~gvKS^ftA0RR6|00000|NpF8ZFAeW5&mrb z3Uqvv+OZ^)lqgF{FLR2|zG#}*9=|k`HXRxyL5Z~_>PX7AKIFgm*#$_ElIVrsv z3lLZ=cAs4=*tqixli!EIwq|m^YK^C{A7t&t3d0-eeIs86ccr&nX6$g6qzGe}lh|LD zqt}6&JcjNvUUsIXjs^&M(%FXimgW(Y(_|8_b+v~iz000Uy19zO5W+JN7s(0>`%Ypx zWv1*moeoL)ifOIlHFY9Ebz_yJX+hBbMS^ zC)&Z=W`UaX?uOV~VvahFhb}{rQE!^;MZdk*mjxmMl; zELU^RP}zmr9$k5(GqFeW3{`FVRJQq){Og>*Ct7ToG`vlr}##vG~qaJ{~mo3#=%KW@jig2BLc>~^~s+T9~};8;QC{+p!?a8>rUG!8al-K;KNQ7b>kn>8w+6s$J)NkNL>nT1L3~scZ=WwG{ z&8j2^=v&F+8pBw-e3Ewx+FfCIwP(XDM_S$fAnFDYgt_PUx;;y&L7iFkdYV=BG8ST& zJO}>ABfW1GHs{T+T3=K&omf1CI?@Dfym*+)nV0HY3NGO`UFg?eNucp!oR&1>bj&o9 zEH9hDy}y#7Cg6wptb?bbdY0Z(k$%q)iyRLb?T-g4t9&c;$KEsI>QAxv%bvCZEL*?q5$J5`&cc*%uJL|zrLq;d2it;EGfTyc*9wgY z$*x7&({kWLgxubsqg-oXJt0E%$`v`Pzu?qqx5v5DxY#UDq`G2Q>Nr|?5rIHTv=AnH z_`~oYC*Ik~HGGJ_H)zfMju}nkMGoje@B_Sp?Y!d*;AJM33qYd+(N@xe1s0noS%2c7 zabO6_rFrne(mY^vy-`C{DJvNWGEZi40N4uS>p_8dshUbkX5D*Lt)D^xE@4JoU2Y?!D-00cPCDStR51@<6gv#GExFA(dsobW>RUrwhi9(L2UfS#M=4>wx0caSVrX*{0f zV()k#;M(f87-646S&OSA%J~GuDg2y}F=bPX=D=F5BB6$R$UrE~b!2=aE5A+px=e6R zlW{6%RDrAk;IaO|Td_)(d>R98K!KtZp*x00HKPP>9a(DG4QDTxVJJyML&; zO662sEd41YsXRA;Z&OKz#m=qxE3Wd~Fy9h9%Lqd|MeC-iCSX0c04bzirzYJR_Ith( zQ>>4)sQcW|*CV7*J~uu|7UrBuOjs1i4}JhJbF`c`b$^$+_&mD)aDHI=i%k$ z@a+1_+rk?WaME;Jmeii<`@f^Q#kx?3LmT4sPKE21h(e={nKWjQtDdHJh+!!@hf}0tE;K z2n?gPSbcx$xRu(mk2N!ECq91cvBA5XQTQcTR*)$#8<3gZKyBcGM{&oa~A6Xl|*2a&C2KAgu?QA(3hv8`PwX<#dW zr#K1nso?)=G1=rKxZ^CV%6*lD%4n;NFVz>Aiu+kM7Uo)g1s4;ZDE?{FZH9W>xstZ%CXq^k;w$~{O(6GcQp64UF} zD(NDzepL`}(;Cv^1@i$iLOO}q0r^fS`V}Vgze27gXI7Ag$mR6TKxAm5Oil0CqNBei zZmwYASpusz^#-u*69A-cCq%0DlJhG<-JT}3YAl!Af2&?s|U={db{;P>6gc8@IE?evd2VZYby%kGgM4cs!`dX~tE_#>HyS+20`{x&Xd+Yjye zZ{rz^^~R~Y$x;Vh;fW01IQ=(HR|j2Nmb-QA4tgL-VL)JC0)j9w=kV<~);UJ8Q06P9@OO4M>vHiPR``omvEnSxUN0{X%!KPnS-1wLIY^CET($ao(!9FqWUEl^|6fnp{TBcL|NpFIAY3GLrB2+24PJ$~qyWwVO;<+UozU zvMb93t88O;b?WK-cJSG-rVzFu7T{e!<8Ge3wUgil8h@QW)Z;XYSYT`C4KTa#YzpV3!(c6vo8alVT`cSv;usK>YfY_@K5KtS_cL(sBE+hFL|4#vdI>FQ!>f zOxHzDdP?|;CikN-`2KT;m$yK@>USIVEx&|b?QNsPhMzJ! z+aqvxw%mf`VUZNZ6rx$wwISQP2}(a<9vm2Gyf*`lg~@2@+R*kMuDVK-sfXdj+yg;a zgtM}RCKw#wy1qxd4SM)cEcgl{>-9!8Ea4^kS3Py0s-&d{L2IWV@_Mwf{Mz7=V;)X- zM;a5&>k`z>QH>iU_R^#*u&e-olZko$iJi{GRA+wuCmc`z9oqp8kktI>9K_#!lltP5 zge9}~Ui;o`19%MU@)ubw@>L=4)bDpN)8(=*3w>Qt>G+WpVjhJdp}CN8n9x)(8q7(U zM?sn@Iprdb8A-?i)B)MOGD_&*w!xs;V(~_%3HT|nptV z2{i8|ak;Z=x0p;sm<-i=C&gfxId;L?R*^5JLOG8vLe={#UzEJY|2N>iSMoP{J$@;qSA0_f2mpcl-AM~C6OaTE#gSn2yJNZvV; zXuIMictzcSY`1J!RkP@f0J$_7;WefQG3ShKZp#BOUV@2`>+KI7km3_8H6A|bWI~~1 z5`^`~Cl{6MKb~(7BjGM214>0_gol zYrxVuO_T@}C%!*V7|$u^q9-Qo=%j7KItX+nG{&;J{?um7CR^WJy&K%#T)w1eZU+9N z`uu3pJQMQuE z$4FhRR-`nNA|*MxXFTBw7Fu#t2Hjou3Z$FdqB+%QuD7LYG%e8JW>{&(%pGP|v+7qv zacj>;|H5>0?b?vGk|XV(*V*o+j$U=-nq_r5Kl6q|Om5k;{Dx;{kh9Tf)S|<3AriON z*3Z?>sOoI97hYAIkZQiUYq8|Fs%-xy;&-0sDe|vr-L9%g#4I2(f<+j_0n9B(ru>T( zpwZ_^8qlEspDN&busTrv>{fy%wbO#;wXUAOjUH6Jou~-^0RRC1|3ZWec`2cQgpvRN z00960tX$u3+cpq>-u?=84~5gYg(XFnlwt)2qysh#-B9%1pk&JR;z)#k)bW46`|c=8 zR-DXU`Vu1|MUltTQFr%!XQrkg38Q727wI~MIS!W#G6cb8rodci3(Sj+fjPDY=6Q2q zPS^wUgh4Rh)gqV+O@eu$O|V|eIf~%AT0QVp94*2mO2{H4ew^we&KKE5dN2%mmKqG* z|ECt%0jv`A|DD!>QQuw#Mwd>E`h66jAMDKicOn_Kzjr6oBoERsU;0HHFS2D8s~{+n zR4uhi{4Dl;oo9X;1uy0__&0uX&9&@E&OONs3$X8 zeiUw>a5(5m8)P>+Bhm7f!L4?um=#r#=MCjy7hKoh^iUp@<-;B`$+_B>fv!+c>!e8ID4o`Gp57^^&-5w>$`=U-j`>$AAh!pj5yG>O z7U{lX&3WV9^RH>^_oI@-2pPTc?5n}uXZL8LHwiD|s)e;5^%cHuZ{u8FH#Rdl0PG## z5shfZQ^yTB{Prv@jgvr&H(Lj@y(U^IyRXZIN&~?i;!3*)^6VC4V%$n38 z!%0~-)ou&;_OPJ22VO(bh`(A&lptj|{|hFpmP}lDJdM z-b?m=G%?QzV+Vj!21i+Z2olk+rWd^<6czq>GxhE5hkN?Kc({7sGcrs4(8?bEBDRh` zLsnH$&}YQV$dr3Xk`ycirkXwjfUIscS(qDPxWRJsc>|lm*bS*khz$3^0c|CUYAm=z zlKcG%R;!KR9ZPFiX9f@|%$aVva%5fmdYPJ2uQh!|t*Z_vA`6Zy-PCm_rJ`rJ^QWHY zP1FCYKAI?2Z%+^utk;K%8G5t=Moe?G*q)LK2-Zha?xX(t!2m2YBYkYQn~uItAZ>sV zpg6BzyMp9{z-`+HhFI7}yIAjMd+d|+XHEcfZviR%aFGE11pom5{{q$;_yPbCQ?Lz< zpt0%P#3E234XOYMMv@|EK@c$E0u^h({iaD~bb$?nxEGN;p}TbvA%d{R8gE>{Gynhq z0RR8Y9cgbH$Mv&>{)ml%IHXA`yUSaQUC6SMsFf)}lGCPvLF{QSL~>a!Wl6F1-}{ca z_Ml8rM%w^^67KBG?3*|5J|^>Y=4F8Y`b7+%J^c0E`0tZn-<(e_{?+8jkuP7Y@;qt} zuNWIaCs{=^yyoIW)_o|^>iRxPjX)4W#x|O%#*w4+rHveI&(mtW{`wY*D@(%`5y+2A zUwowto2j8)kY;b?K20uBq!NuXm4H(%(TRpgFaPlczj4ghfj3A2W-M0%zI;kNYc}&> z!%GlJFu0X|xt_ysSYo}w4rKgGL1!ZIoCnBHUZ^#x92ADBgV=!b2}#a8>I`os724#U z6ePc)060g=0O2Axn8I%3K{i|_@I{VGXD`x-^uW!?wyH9_HPLQVk?h8X z1iP^{xo&(rV%^x3RHH;vO{nq7W6AX6zg<%5#uMmt1~r zf^9{#8&4wHRJr)kWY|(%*c4k)F-4_0$7jv+0-TaXfGrBY72u^IytjqIo5PBkbGT8M zxlq=)c$({%lVQpDL*u0ys2(h;DO0OfWA#+NP}g%+qprrH1r-?7FA6!jH^gN5PH))7 zM1$?cXe>mBS)n=RTQ{OJ)#+&J`<YmiCbf!-KRq z@R14NuhY8>0imfWR#V+V#)}8FCY(YJl`Qv=7D0mrE#s|<9G8oQ@DGc070uC90jHJB zaeqLM2%)H3!zV$)lG!W@k<(%=jr`YIleR*5B8j)zW%U`$aYSeGNCNfuKt;LwZ*1P9!Viu&Lr z2M%~a0Mj&rLCvF^+(B2X+otePrEhO0J+QJ}Av-kJ5^pJRtVMQ7HgwUT4-rS61R(jL z85ND0K7dbBHJ0W1_m}*90?!TVuoivEKANV}ugzesnZh!*X`;TcR*LQ|iu9^g@Jcg@ z8T6V1ATfP+0DrfmFgtz}&B+>x?VBPpss$1Wxr)qOFr+=X9a&zV01%+8cRkOjN(~SRN)8#*)6>YxdAs((eqOW-PHpMIOFXICu@A2ZcufHmCA{azSni`sI2_ zQCOHMfUX(5-E7)z%6CnCV|PQk;Afn)tEzT=mTFOfBXa@Z$FJYmsa#t%D>9k4yepck zN2>|4EvZXbU#zq9qu(aS<98QEK|3i215+O5p}R3)DeaVc1aecrYyo7pncMmz&Cus^ z*UI2?QPjskdI?@aojoMHNUa%ARHs)O@L_+mG*c#btdJC8t?6YllapW`M)onChM?4e z*eP%qN8t5bM%b~8U?&gEvfj;RU zLgvAOE=hri(R9i^JFsrHRs+N?%*zHH)pE4=yfWACD)8r{jy$ljAoBm&d2$ z$>p!-M;E`Ip1e^d;WGIJd+KKB`V@?pjhy^daCL~hXpr>3vLeZ7e4)0*yM}>uTVh?~ zF(~)2L1CQ@oJiqAmIQ3GwKWPio{GVUx^kAS5ZJ(6WukZt{+19|%<>rYHSyL|u%y=c zHC!x+P)3IFH1*63VWhIe#SkuxdnS)HKAU-YuGXUW32idZ(V03St4Lk5mg?ugIX>%T zhqtHaM~Cq53)tFD5Em9&Q?9`o+LGD9}?Rf8Gsw1t$g~MpjOI{n$ z5;Hc@LWZYI;K-Hzq+@Gvf@RglAKtduu>jZ>8^;$P-a1+LEU|gO(H$?#qUEZFV_L5~ z9z*s+6lr%f#PPqHmT`7kqTV3(vt4={N`{lXoccdg<-NHD(3 z5e)0E)))xe+XJ9=2j@rQ11!RASandAT%)YrEKpCok!o6A_LR1!rZvSZS(ZW{vAjGp zttJR#iP81#VYiE1x1KX<;kFH(QX-%D4x~hL-+KOB97Wr0I$b=AUbpE!{V)hI*{qgi z6GWf|@(48KSvhu6G{GulStCPPQiv+Wk<{RG8rIw6F;!EpmsQ0LeG%0L#!bw{D%qOg z3*a^I^7C%4*@6ffQiZJ94mT~ zS`?r~yva+ZB2r8Cil^4`bF^d0oi-_0FRrqkYWpCu9C}N5{g(1UGH(%!Vk`p|cB)Dk zgLFw1i}}60AyhW7r(iU(E4d@h2RFtsIe5(xm*$#mU=7x%FJf$VDlbRz=^EqPPKi!d z8<6vpt2ggW-pXaU$vnWQQ?RqkFjd!!osQ#&UONaoHkK9X_)!@5oNhdfI^8(x54+AF z+Ad5rUj?S!+wb<)hN+%MR9gV;yBR7r6yb=0YY)e#p3X%HKTxW$&M}JfD0_agT3q1c z<(+g{|8_RCFe@^(!YD{lz^XS@Txo7yE(!1{!VtQY6srImJ6Tlvx<+afA*1`fG>Wfu z`Rx2GJ{E85+TZ8qAO-F!iWY?9Mv&h-s*OppdQ|vPSt);9WviBiM9bx>GGT(^4SoOO zdI=gdZ$MbR$@dJ~J3>iRxjxkHmIQB6;lT?-Dx=^{MR28v6*ePhfxe>+b)z^!jzWC) zln~@+e8{MkX4i3?1Xv0azkA_jY>Ja*r-5CEPiw@Xp)d>8pSJejp%A(I&xVD zGB2ap3s&h;#L`OCppaeu>~9~BX@@~S4xAvihnV%FT#KUg49d(CM7{r5N zSd7OUAN>Q<_wbKQ4C%XmFc{i>%;#>mhk@VebPD<0G@QdN=|3sPl2f%Ek*m#a6-DIX zK-e?@YDqf9f=0T4q7bGjA@+~9-R*YYi=5qk{0pCq-fXxhs=yPlA7N=4zdJdR@AZf8 z6&c7Ym3RyybdUr@Jb$vk3R4d?EECi8dhUBs$p05C%}WjvL>3?mvO5^6S+K1+-X3-` zAu_@*pSYLXAB21F(HfQ9YPoS4Es*kuuzkEg8Q1!euBdF+`pd5Mn=JLY*X{%L-70ui z2h8s6g|_eeal7x>+Xl~eI)edK&!+$AZE40QnXk&aH8Pr5U^Ec1OE!1Ugi#5nd=dL2 ztI!8cwv5HQz$1m{szS~knJ;owijE~=rpE8C6Lv=xdu&-;aacN^Mg`#!hOd^_)ZIf% zW{D^=Q@xz>$&2@8VIx_>Yu&bUE~AQl%#thsvW6WF;5MPl9Is{ZU3A_&;$3ckT&cBK ztV`LL-vhYQwcVb9JMuDCqYvEJ3b!cMiX$P2v)v#1M{|OQ$L&gY9em`u@ci0RLd}_4 za-L{B0xyv{5C6WVS~sFLENfxewciqw8Ce2Mx3V{*LQ!z0&u#!~qi00O>2;)9Gk`6y z+wp7JTIPiaN=JoK1`VX#mJ{%3NxySRS9m5YQnFqnsiM2Ql}UOz zE~rS++%IPGurYE*si;*~yHc0sNd%xKIN3}@j#fJ=0r})$WkHbvoMn$?KA5|{54wXq z6Mj34R+Lnx;#JL^oL!zz4o;4L8BgAw!OBey4LQ2_nQ(NlAl&UGHp!~N>HyBks%}i% zGJlres+6f8R&?rs4ni-&2{BV9S^Z!n(WsDK1d_R^C|zd$^pjHj8A?Wv0kQOP%+q^h zJjd9pI9WBtZ*xm^B#{YAVg}%DK+KlcQ|XMVNxe&s_%m8!een!s)0>Y;@DY<~t};ry zv7RB?UQ=a>XBcmlidncF6snHow(uo$XIBsB5MfC*nw<9lGTI9Gcn&Izal(?5KNwxq zQ?}5{!9oY?-EhMj1V<*zVT*elc+=o|N`f*ujp!@O8$eTs)i9UOuWVX3#10M#3)pm< zWM+s-sX+vlcYpo+<%3rLUicjwwNX>x<@QMq3?%4?lQ6C&lyScAC4p>BzQTt0|M0$A=VvWU$}2z?p6M^7|UgQ^E>WW zLO7getkyJzZvZP%3fjp9!?DP_m?z^bJdayN0d(ElJss2{3y{mI@Msx<@4G=!|9Vb^ z)ZsF-jUkW63^;%nO6(f@^-CIbRMV(g5{8Nv zA%|96gF?@-=Fs(015TFjA)T004k@M#FATs=PlUc-AdHEwO-Ra07Eu>qPMK7!UOGPa zwDDi~=)U8R75867gQCP3C(CSwmCd=S&2l+o$|Q?Kx@X(EQ7iDKgOC8hu(@{yaa zuqIks6WWZp0@fw-uplC+dhl#ILdYUCshRI%cvR`+(dd>N^i%nSOJf=hgym;? zQodTkWL%iF3LLWZ>Sytn84~3gFyj@deIfrx<~HMXrGRsJT|u(S772=?J3BxcWL+(l zsI2bCPDR+-sLJ&Ipw_Ze5h?fhS=2lnXNO<`l1J7}6L|HJ8d!+2lRty7gMC=>sfegU zID95xXa{&%1cw)zCTWM;BrD>oa}i6ZW2OkZmVUr-A=ny6gl^{Fz>QL<-%Is_e>EzP z@~=b$pMK34<%7zm-@2FUGdL)iPz=8pFyX)A@~%NKZE@2@ga2=EqdW^5ht)0H(LOum z#qdm8`t8v-KrE3NfVWO?YT`jRDcoUhVZ1BZGo``EfR8iS4H6v}Aw?Sg6 z=8cB8kUjmI;5EEQBCbNmLZ}D4RtLgE8YCl*iAGXu+Wcya^eRgG(I|?EKtcn0X&lIx zFXH3`JFdE0;%ND1nLo-im7gimU&IZ~%yv#nRL^4=2Az8!D0bOPrWjkr($vG($GGpf z4-=&{X*Wa+btvV02p%her%%ARsRfo{&YL^6duDC-N`AXop(EnM-M)}JK?+Z~+YCvb z-pX{sp-3idAo5rRs}#bs?6w)rRUjXyGf~wHQ20nD#UV=oC3U965I_-v$f9W`c7zHN zWj2H~O^{}2Hl}EIkZ`3Hm|G%xQ!zul^gb9ZOJk7-La)VXN_hsF|FK`PAo!Iam=pdM zioPoOrrMs8i^3=c0+gK6)QA`RH>C54;i}f}-OH$y!iJtgWLoAYY)NWzlB2v%t)0i* zrIra?fT1h%E%diHDj!->J*$-?D`xe&^}S*LL3rDB#WSSzFXOU5S6b@x-Zs->Uwk6# zC%f*@9kfF~-rI|Uuoru7XBbsl?n^V|Ecm6TsCW)~+!mhmA;NS*?oQchg#Woby11PD zc65IH^Y2z|CEADMl-VE2`#oTT)FY+pfm;X~M_m!;mlg3T8bcKA0bJ6(s5cl$H#@qG zmO&!BUdgW$!6wQfNeV62144R4B~gfI=t4Rwnx4e-gc!D!0Gq-VWp|TlH2(m1pax%5 zAAy{0CB-lu(s2+99oFX^r;TuRoDP?zE(4ZbB_gUm2Vrg+fD+$GLG7gAhcw_+engNF z?R!PL4ulT6DO);n4Ljn=cv(S;l~0PCZ(PeazQ#5YxvE1VReBkb&%(bGlc@LMe4=TL zh60=i+dFcF8>Ai*)K$Pf85e*nBME{5AimdgyG|H(JUfgdyWfdyuV*`s>o@_><0$TT zbR@xrH?#hReaft#K-tI@lrPq~>R4`jzdP7>RhcVC#t(?1W&0N19RE+(aeG5#YPTE{ zfc>gx(Fz-LO3y8Jfe$F8Bx7f?gRv_1t>d5x;l{hOYNY&N`)WeLAV`;zn9cyKK*^$d zQ&c(@y_vW43||m6YNc_^m3h~LsW z?fdT961>H}Qd9%Z0O^CRugZgE*-8gc!SU^ZySEp2?Lia|VyCxR3#^JsA8v(J@dAeh za(pIxw{MZzil!{UYCY9O7;Ul>P=y2Q#Wls%)^pa@UF(+HM^2{UiW~!!d&t4z41+rx{6|NB87ScwuH#;VC+{s2ML?zMc8O_NH$XYV_BRz5lePqH) z@t#<8UK&2JsDKV&@-pk)_~PB!+3ES^(Hnd}OaIq|rPp=+VI2DXeh7c;ZZGVFq1y|+ z&;_dEbliS#;Q5{5f0wZQ2LJ&7|J0p3Z^AGXh5t&0R0-4)`O)0?A~CQaA$4QuSotYt z7AF2XIZgtG0X3qc>YQ9BvFtCg@5wzEm{gTAsn#{SX#WT-lKvZ6?h@hcWyri>X+5ru z!e2Ru!^Zix>_OfI$ReEfa5tkNT3xR;pWo&1pH7N?!CrrFecI)K`^ItpF;k7Wil zsrf?7*D#yBcgmk3^mt{=Ebf3%+89`P_9ht@IgxR-iA;{-hYuq8b|^aKv!c#8inSTu3c z4dh><(O!#&wF#DCAwaAYB&i`Kvd;y}1twKxRQtY@$w&8Gu#mtH@YLsIAE(0!00960 z%w1b^+qM#Zj(-K4zSyxYykFF$Q)gnI@u}TpDz}+AZH5DqpreE$HKG*TGwpxxUI5;t z#5$hyaQt9f5D5~%?gCise&2tqTE^2=tDD(#fNFV3CUZZx1BAABJdvaVlj~LLyX+)_=T)W zL7HJ7>PKC~|2n_9`gsKZ%=sT&3aAh7@rhJZ^VH`jMCypA!^}_ChVyb%g^Kv4NC=V( zdh@F6SHpO(9Lqs4zPrsBX$oq@M$N_;L|N38f_@d{tv(#$$5MS?t;@iyHun1&XYVc* zuxa1=G&Gg?7(S8bM?fhPIAFAUtzvR1(0R=U&jrIP?FenNBiz6j+N{v4)g3O-H;SpH z`^8v~!OZZQf;kuX{et&1BN*`Hjo)-z8o$20nZNSgotiCsSheNs)NOS{=WNrSydjw@ zA)+*i=P+;!1Vz!Vf;Cf)f);GF6J}A7474b_dxsc$ns~!Sh6pR&5n=MTeOz~=Ax92K zY+t$xIo_6-$6U5o_13NwJ`A(X>;D+vJ7#FQ6QwU>LCURJ=XP0@9;H>O&$-4rIXoNW=EGwKl&urnn?3fM*MIw!_|Z`AMK!$^pTRW2rZ4G!QUmR$ zX==*Qk1QBy;iRD>oMfa5rYYf1Y;nJAT;z4bPaq63ub9na$5+ zl7qq_b*gDoe@!#_Wm;~FqV21_wPU}TBNKXUgpf5yr-rUg5RG)eO;k|LLm<-%Ii_uNFr#!w<8fZ-o*TwW_r$(~5)J#jWJm zp^$KRC)IG3(>0u`zuogYp07hP5C>GYhu-pywLq9Aek4uLg*{syg=QY*xtm2!VtGO6 zTUlTyAaT(S?>Y6)RCNHE$3cnaa{;x_e9M;6Wa7AaAT2Mq(!K>4-pNWnEG0TM+&rGb z?*aYhOS<^o_?VG=UI695zwDFELctZcUv|B&906Wk4<+tmRcC@uW&s!8n1gqVa zo9BEc57r)0Y?yHm3R-4WXs@gT^{OxW{-5zZ_p3Bw?jVIE~(klKm+v>anarE1%- zy_$Lc%=UKn__D}n#+!;G?6)QNHFk8RxKLN?>K++bKFM^`G0#n&ItO4E*`%(zH)Ca7 z0pTBsZ3e9^(Hn-*Esc|(zRZecwZd(j{(5o{wPx<8p>4W(7UUv<9Z2q4zK!gEuo=m1 z$Mz^))Z8&U(Bx@WjB%*Q==478)49Y9poYlICzC|DnVn~8==Dub|2{T2{W3B)-pGQL z7yfZcm3#he^dHA~b>kAJNT;P(87~UXI27w!^l4Ef$_x1LrTHMsFXZ6nbM%7;v4;{> zU=T<#{;{C^wO-U0I;?xZe|$e}yBU(4AhXnY{D}8f2n~&!FHZhe{;~#&RN28=lNb@U zF-^vpBq9j7{P_G{rd!rJ&C)Yg*Z?xq4knhv{qOZd%EIbsWK8 ze;K`R&~c2)USO_^ev`(lK6nT9l+&H33~T>dtxdcRU4@bm(*eAWUeVbJs_zLFy`a#3 z9>(TK(y_t_)^Nhh?Ho2)o*&vU8w=C+a$$K+B272-Q}fB3T54ry&m4OOlDyZBD7+^+ z6v<>Og0zdq^`7jR2m)?v65B)Xr0cJ5Q6>9~%D8&U3gQO>dyQM{bw%g_@_w;7f#-}7 z&9iPIZ+EKs;={^i|$KK&>c2-HI*o-tI};y>(AY$5HGLgx9@n6qi9qBtvJe9f4;N;O>Om`I19C}>1fucOE_ zJTYgIp(~-*)vzLyNRE^zj^Y*%m{am^iw?X<({Hx54#G9yHc*vCyiY zFsVY5L(CN{>U1qvg1hq$g{Oh%?}1625%BSCQ6-`V)|fV4xfE88zM1 zQPLPM8&TdG!Bc=~AV@MLYA9koTP&1|mhVs^9i6fyNejL01bp+oUuI5rxn z0VM>sC72hRer`$)Uc4xPh&6I;VVGI5ST0HhU3mQa)fro0P#w5siSrT5o9_DhBV|A~ z1ZkaUN)5@zloOnoC$dHH0J4lJgy>~cm#TQi3G4N>Sd#~vgkemfSIShQTa34N%}8+n zGm|0m>ydLx25lh!3kwYvZzk9pSmK-mM0enT;h${-n<-h$5|$d6Ym_i<v|Bx0CCZ$Yn$ zwolc>(L$uOi`xF^HkSWE-Ge6Xe*00960!d066g@LX%rD>c%S(Q6n46CZy2+-g)gq zvPz5TB{9<4yP6&CelxT44fo`>MDc@cXqt5+-r=q7@USSz0wihj7Rmp@L34Pab9Q#~ zn@CH8eP5LmH~Bp}CPW^1ok`(RR5IEFc}>q(oZc90U~4P29Gu_K8Fo{RL>PPg#R(bd zl&!BRBr9jKaUUuGaX^m0UI(gji}}weI~Lat$4_gRY`rfqf8|Q*Yf_&uyq%o7b>c!V zDcLxHiYlVmRT>>i%vB`X;`Ykm_A0x&e#k!F+}=Fgu%2x8Wl_5Gybr?8PbayELKYcg zOc-#jGKD)cmTzU%5XPt|Trf(iI&3{Yrx!0hm-ZxB=uPCfCn=B?MsX6wj^7P1&JH}`Hl4Q#tBf7g zb{rauHqymB(lG$|qyXD9DGHr{1v}1@e6dpK1e*kJ`vkQ=8BlyQBoEm&yU%n{Guob{ zi+Dch5B@)A(`=C@V0=8TVx^PENgPe*c|MP)vsseH8Z32Pz^BFJA2^$AC~!C|A{9-G zX`=Pt!-7+C9Z3fIz2w>CJWaF>$`J-;^+FBr1$WGRT4OV;HF}MX>Yai|L}~HypqhwL zFP`@MZGAQx)tdu|{2AUdjI)lQ-A{luY6KGE(EfKK{di-R*gm|)8nn3|6lK2F!(RBh z7kbgObQs~Os}q8lpH9PN#|aV#8}4?eHUZI3jb4e)2s!FJ3J=DV@nk}=!F=tbxjul=45+V`z`^M zu4}F^zvGCa)^K5o{n^H0NNr4#j`PFN4_ulF^-@tj z6S?3HjV60I=sBk}4^(1{Re+` zObnB#>i-C117&?l};D0{{U3 z|D;_@Pr^VDKJzc?g%rfZ5)3hwgGLV~dg9=*A+Wq=ifLaa z$VS7Lt(4dihJ~@P%2P49oikk$(XezeFy?3q8a8nto%c?Vxi1j~qzpaEiYr=_%#{jr zk5cVG3al@TvxB;(O{R6)p08TEt8S9a>8E!GW=HeY9UfD3I(_5+rDXS=UeCQH5bxdn<1G<=`R4*O{dO_ZJ-2%6_&P5Z z5hO;?21ljntJ~C~jQV&<#^Xg|RFd&PmS}&5FqL(i9&4w&UHZGl{3_qrw|% zS(=RqyF3{NbOgiEz*l5QyK7=CyvDYI-JEhr+7|1f9OyyPJcI%HHbW58_2cMv>_!OegC9$G(@e>9*>*-PWc_^Om$PX(5KITC-Ot;83rueQJQob+7{& z*7_Ek7S$<8_sm~Pkcg>1wURJdz;Bk9I|7>wt`Kj;(Y_>pYb#1WL$0!jL1rE3#@pdG zorz2bxy{TBM!7W){nEA$<|B>67!`j;LlF+J50OM1k)L)`ziWwd)sgEZ7y-Ou&dibV zYn3StNCB4%l#k@!HRt)sZ*`WWKuE5>J=&*xGTEWG8zZlzJu2ZB9ww(`N%pKD-o0I8 zyg;d3JE>nqoL}=3nrw2tQ}JVzvyx$S9yF-hmu&h~UQip1>f9dIyXvppl+|jxUG0y- z9@82Ox$Z~f3lWz?Uk&nt%E&mU=ul`=BQfTJugjjBQ6P>$tCU&rfSLel2`Cge_3pZ6 zhF9@^hG#3^qPgSn5j_v2B3ITaLdswvCcfN$_CvKl)LmOo8&?p1_P_93uofdoz?7!s zp$(~!5L5xF4^@N~ya`tEF7ldMh(Dh*-(1dR&zjp)UlMHZo;{b@xqdUFosp1GM}PLp zk>UwCQamk3w8{Dxs><&~HHBo{bz{DiV}q&VU*gjg{qUWBQ*N0Eq{P5p}zjcGvZ6#aLy4Tr_~JG-Jbx{ zw&%8L=WV`O^NIinDB4!eRG?zG6%LR@`l2#Gj9^EGi21o~{9(|jUadKK;d2V~s~N_N zb<}6+gCX5Us#cdhy;7sH^7fMhLPi(+I|p3(=e6{&Q>LflH z9t!K;St*p-AwB_Ob>+X*0y2QRxd|L^Ra=|Ma(Fc|g7+&3d`eJOFmY-r_e5G%#uMgS zCSNohB}XmkmeC*7krmJ~@+_8v;(qk2Hd8Su{+U8 z$WRh6WZmUm(CO9+2DbEQGVox@$%b+;aAw0q2f%e(vKx&cICgI3X$j@AZ6G$66jK!~ zRUc0Nk=R*TxhMXZ)wMbPgRTICN=_+N2aKFQEeZv5t6Xsp>4qm(EKZ6-(AmLR!JP*l zkKDO=74`VD%sI9=EY8E`gL-VR?qA)-*0mJ^<77UYQg;aoGcs?h>vjY`AAR`=4x91V zeb=p6_}8LY!huagw`jZ?_ShShfqDGXRj{kd{+HCqCfAV@A?1WLE9G7PchYDM*B z6dE&%xgde@Y6CEv0w zQn(NDBzQUrwWYQ=39arqQqae6$fa_Wa2a&q#ct(B?)Gf^-nyhH$7795N z>NXp}@P6zz%Tmmq?@p60zM?QCizD#cDW*) zc61vRU8!gyyu275D1*e$Gwn|54R^J|aC|K>3XiY7fx|AZ^{z7o9A3ityFtA-A{Zlw zU96h}>PM11`FaLcjX_We9@mMi#HA3J1fS4%q9b$tr{50!@MN#)4FCE_9a{mPwnAoV~eClhlc=(4@$y69z&6m z%MaIG-uXP{ZptZX)$r@`P9-mZ>iE+p#BHw+?CRq3@!jV{c6Ef_0PmnL!pr}4cE(3{ zZGnGRni;X67CB9AKsSUeC50z)p^3j$XD7Cc3Zo&yLTY1Es~sowc_dh6n4)yH)gdU) zgp#k=n%#4_Nysy&+_x}9-rG?bSCibeVn834ZWsgmNbKW}sh zL_ZkCYUQq!^0{^~dLrTY=8~c$W^}X@WoUdu=aXCww7Is-4YDS=)vxUWs)P80eX(|} zNBWL-_#NB}(vz@_lvP!$u?S7CafEK0nQ@B5ZWBe?U?*7^aJNEFub^wcnzYa}C{&z< zX(Nz+P~GfX+VP;9^XYpYL?JPEse&5brZWznp)Njl)qpi|x3Xr#TwX7R3j~;>T<8sp z0SL!SDwaXdvgJl8F3f$V>7n8up{mBqW{fuOobMocCpj%fxg8wfxu8BzQ?(S$l_m?m z82C=|;WeMQdxmx_?^B=Ta?_#yI6FN*KEF6Ry|Aw3{rCO^00960yj|;W+E^CBTsGi}eq#!@o84ihEs_fh~?BQ1kspM1>oEgE+9^<;-Jr8$G4LkZw=?b#M zP12&-+(e2fEhvA4M4;M%k|a@XPzB5e6RVAY;(E8RB`B)ZEFb5o>}`oOPgn`upSopW zNV2mMJLp99Rc#d72@E%Ud|bz1m(@!aEA44T#(a%hK@_p=loB;F`RUVG2e(&KpsHTS zNw}TE9+rP;I>*k{dzj0w|MTLF0h!SMtBapSze!EBZy}tmaqNt*N(6-s~S)}aUENcIfEbmBWW2agd2u^BgVcj{( z9s}*%BA2Jk?6R1`M2859LT6(E44^29anZl7CE}fuTd#FAv{q{Y=P=KJbug$8HQvNZ zOYnhFQyJ|6Ehb{FFo`HrR1#{un4&TOJyJ9~VwWPdHZbE~liZFSZi_CiglZs-5HE@0 zbDJ$$l|$CZYXeHb6J1qDc~K=BvGZ)07ZqaLl`gNY)%!s8L|37$QCq$w0$g#;MqPoQ zh(~!&$#q+jS!s@X#Z2>rn(v3I6eP&1$%jJNbWrZWI_nh3SZ0X!>+b4t09bBq70lZB zA!-bW`7R9Ey%Aqv-0)B{p*gf`hTFvw=E@D`?u-<;2y!UX?seNa2~Nnl{^WD_M7cS@ zf$$x?k(w=61nHR@CJR)YqJtSC4gi>Yy)&#WSA-$q}mr&g^Tn*dSwzugM~(BrcM=jEB*k#N1r7gROkx z$Z!({O``gx2b=MHoxz~2O!|04#7n+%!)*zH!j`Xo`slKS0vaqd(tq)&$uDKUym{WW2R}$Vz2;sy`_N>fJlMqVT|=$-*q;y)t^E zW>uC7ZM^NUGstM@r!$q8O_&8$T1MeOe^2_*#MAO8nN$Z_WKy z?7xhC7yizDcjmi^?*=>HOe#OVoJ_;u+K(8HW|xx?AI>i)(KDAR(I8H- zgX)7$ao#oQwbOVKO>kvjLkFe_US`u7Ugpy|UgGIBbf*zEl19*IHkZ$$X-nYoF7 zpvO?uo#W38e-iu&rm$f|7xBgXVs;T;B-j4#PrKIp+q#CGg8hs-NL_2G&F=4ef1-MT z@28EGQk}7{Go8Mvk|T4nzaV0hK@MQ3jYax(z5L3o9JxKf76C2sS=r{s3`=4dpqQjv z_FyNxcBK}*Ljxp+^e-QH`}&E1IpP{jCp^QHL%0GU;w6K)0kl;2S1zIz)Zi58r9x5m zvQ$Ff4gFT+zl>;M1RnkN{GjLJl7OY+`4Qd6HR2t-7=j*@W{QW?&;#lNox&;5C-mT6 zG>zcKOCYfar1kME40=Gi1K!Yk>Kl5re&7v-srjSLMA%giTC1`w7S@KAG&kt>hvRY79|lz>rC8T+C&l~7mW!-&!JnB4Nr~ zD1W!f$oLhSRghf)htyNXh1i9d`+JWxua0TVlRqzd!4mlcD9-V2| z>2x}dy6Jj+yCZQv;&BdjchrXD0#30kd%tjcz!8CPD<{E2hC*c(X2ep#*i>=f5;Xm7 zo@|x~TiiJ2a&70hP@#?IbyGW8imK$FumYpoEZr^<--7F%d`^)&CgxZh%eCqN0~OAl zd>bldu$rqc^Uvu~TYA|Pc3!FYNOa4IAJp$TvY=Sbog?yXWS`3_{b=ZVgLZF>zy{rR zZ+O_?QH0+yx6)*fN6KjQ=C^Nv~-b2Nm1?;*Tl}S-!I0~ObAq*v0 zsJ2q{#Liw51%0`*$d!J1pRbmoyPD1zk&RlQU{#1IYp}*avJn8K z5Msyx8Nz=AQAQi=a1-Io-bKGnA`?nJN@*T~d=>|H8xxer-?Q&qR@>!ff#NM{Mhyh7 zqM)8T3WAKl&C;q^VIop==tRwu5Yt1&3|1uz5z=*e-5BF}aaLGMtL^9w&#labYw^U? z7KcBd3g7z*Ywqb~?9_IUTWpu#rEM>Dy>LAh^rk#wZ16fCSz!T&Ja9cJ|ow8g+s zq+oNZCkUfMjOmy@^A6=$pl#wA=)Aw~5Zi)!En#2EkCA`D$HK>yAFnV#Td_2yhZP!? z3z$u=vd>gsRpegyIX!B%bnsM{b@JUo+v^=X8s_NFqSYOYICiVe?_S6NF~S9Hek%@1 z*N;~Vh7}M{f#O_JrMUBL?t4>W_V*N(>1WM4Ij&R*YuNP8YrJ-?gUs@t=ddH5X>=ao zR-!hWf9zSMsDZ3o1+vuYYgT$$*9Hw$ad3dL==&kh!Ym2C_>2s}q#a`*QVa1RMhBA? zM#NfN3Sm+EMTonq#ojfFON_IT8K(j1DWB{odD)U&<=QGoptj>Gp67X5f+S z+WJ;+Dsx4#j<$NjL&^aAOr!&kA8FxCvF=jMOVsBJR z22`vlIc|zKiTopy%kaV=I3*jEM$&#S9zja6kQSo>$iPL2erS>)-vKLxunKOVLYLBo z7_8(a1@9xvZ$+^eCDVy95ow=ZbpZb&e4z^b#&mDYuIvHQRDQTsD_vcDa%EsPHprtu zQnSVrT}m_3&gKuR5ai5oL9E060YVUT%&?;bsK@%mLGvU{vPJYSV;HrP^Hd+o^hwUb z5$2-oo_0FpBpCP4#zB8vpA@L3kzxvB3|o?sW|aMN(8fdG`jx@+ z@_o^9SOdz0u!P#rR5RqSVt{dLYA(_nUA<~xRX{b4ZE3X~KWRpxzD^+Td6vmH9Au@g=@ZO78>D20`Zmg%VL({Kku!&Hv#_G?F_uJ7T}`eH zQ%f-0(7?0NA;9GUx1#N8`lgd}47xLKJm?LBWaI@wbk_Bv(J1K8M#*f@ADy0!yHR%> zj{aXv{r-8kcitV=W9m!xAc2}*-k<}_4dGcLjwFkFb^9FyiF3vP2f+kf3e2~`ItRU= z>%o!}lYs0-67RiXDp_AGa% zn9Q&Td-CYI05tjs0%4&=S90!BXMO}a)b7!f;4Z1YNjh-UR55>!#(b?Y2J>)l*viD< z&`aW9EC*wUyu?v+{PX*FuixDK{^8w!Ujc{z>h(KgDyt;>EI_Zm2{Jfmo!?Hb)|kxE zxrpe-_cAygTIGMNUEgopMht#l{|fD;uo7F4lvtLUCV;nQPg!lW2G%!0wxrsC8w*j= zA$!>0KJp{)bhhPWE9MtjKklR>dAvIw`SAtV*6~GI$Ezwy(=q234y!b)(n+~0Cd)7z zCvhBSNf=$$CsL^Z%E57}k#ieAn-cGeY?TE;oW&Q*D7uWwUZ)x@x93!&*VJ@|9Bg{j z;AB?6q8xH=QeKz5N<-Wbw4zMd-7AdREmwiJR1OWQoVrYR4x$pU2`VAbRr1m|G&A}t zut3-&lVp&A8R*2+A~1;!$3XG+B`?G4%~pYV-x((?1wV&jai}NMx%n@zsrU##N2GTc zI^CcDH|z4D3j_L(6``=2Pjvt%>EJF+UwCaPYg;hsl z7xv1Z0N81aw(FwJ*E>YR2pR&-Mo$XT`hfX%%wN?>7KN)M4T7i~$KfQ&E|;eTY2718 zGP0-eD>&yvV zkmq8hAms=neHXpn?Ak}|HMvr;-&0Jw;qA8mV{l7v@x3#Zr#Ifo-(LDJQ~TM<#L2@V zIl7_OKYDMy`KQ?;zx{IitNK8SGmIgLdc=a(=N^@!@1pB4`#LV!Ab_A&TCW;;ct5}u|a{3oE8tyUF79G``&$+eOw^(>o2p};`8Fu zbe{h{owIKQ75X^KsV>b2i||0*j)mdtoQ|n51RqOU{i(^#D)NN|rf*@=d7y?wHI6Oy z4bZpcQRD9_jTdZ6_nt$U(9mICJ*)+1u<|-*M9m}T%@_IIZ2CcUs(~HljTUQ!?0LUo z_TTm`)B6&cN2pd4yS=gFCsiUd$cRnhG=mJYA0!lq?r|`ww9)-69aWk&4MzF*y)&92 zwtrpOt;IfKzPHsH!*f5$%~PF`a3Jrfx5d|%N5J3mFFv*@&1c^9a>&>bPjIh$kJsUt zRRTS0o#%|g)BQu}w=R8whN=~%v68Cxb@?%gg&)a}3oiezd3D2cdw;(@+ZHRi%{TtC z^CNa$nPLCuK5A?2{d`bd*5kqseP1B2%B>VXRxsPm5?e2b?>M}PJ%^5)qmM=pFktk(Y#Se?lnus$8%i)lfVVpc0CiIDzsZ3YjGtsQ(pCs5d&`h57g1#A zD!*d=%ONHQJ0(#;2eXHTer+sj%H!aGZ!aKZ*@sJw_Qvk(X` zfJ%~VWU*tJ*s8w46_IMpNw~?N zhex(8YHL6Qu?9MTD@KPsVuXgQe2P<`e0mOATO%qUjxdECM&tOSvn44zBq; zzT6N_4#8W8&4|d!+{qE%5F;@jZ3C{; zxin2{E!riRy}Iq6gDGjaO1-@qc!`t8K72s5pCnRA#nT<^W?w$gou%;75oEkG4gc?` z;vWD20RR8QU3+iawif@p`xHbmTsXDmhb;M(+W}eTq{hwMAa>RTXd&pC2z71Ol-lMF z`|djrQkG;XZL{p&0BbT*q{Ks>!$Y3O?+KYClQQvtY58%NI;%@i)j3;+Ia8@Q>OL&J z{!z=Y@dR^dJi#0q-#mxL|JX9DW#DKWxFgTEMA z;P1-7UU$+ROnUZ#3`7{Yi2$ag0W&TefxuDfsjp$y?Q!Zr-dOf{5ZFO?{B_JaI=qjS zTq%LVfjE5xD4fusaAyA`?$S6g-A@^!>IC<7aco1bKyvH=b<%jECm0ID12wP%Q;K)3&>#AQ%oUZ_pb? z_OKL%wX^+Dewj+ouoit^sEU80{hVLe)`+gz%s+K&EW)9Tg);_ z5*HSIgzM+jxoHEqs=+A4~_+E>1?5MI3ehG z0tcj{bX2AbN99!V3F>>rFuo+};hU|I@a_?7wLx)@GF>_PukEzm)go@ zBD+#1|K&}Bx7yU0A~yEvGgo!Vd@;#aT;9V}c{k-9{!Jo_a#d z*%9&N9*mt3IW>~DidOaC8~gp7zq<}66|^|h54>;~S^a@Ov_}Igvh#tY?zNJ>t z1PWcW#1AtyXZJGUWYMr%qxd#e3P^tWBWNn+LkJVU!(?yc(=7o@1odG$5bvGWb%689 znR7i~Tux8*6(gkvgd;RwXOY2#7NBN3wpdZZMCMUqN^;AN68{rRt{DdwyWxNVWS!haDBkXq70KVh0ltmO@S}Eb@qgRB#gj>Y z@qqMKI)Vk8T$OZ%FD$H&(xPe<7UWTtE>K`Orgi66_kBpFJg;1$FEnk->qRcely=*M zZ71~lqk&mu#BxjK$#N;1bxn33G})}nu_4Wu;_VL#F`Qc&@ft`O2Zm2qzUA6=m|)n> zVfls#@|MN>3Lt6AR{komj2 ztNAoNH&4^wM|97TPt(_KlaTK8oqbhtpwbUI@SlMS0$HeQ>oQky(D&?KWQXlGY?7|m z?*`$Zk}E6vDDY=RJ!d;&b2j}#b9SvBQ{h>r4!5^%d`CAtNs7T&FJ5fjq*XG~tkJQm zO22FP$(NSk{!X3Qyd{>-iE^Z>&=FBF1I4LvsOYr_yz?2OYE}QsK^o7V{i{X+t!GI7&J-YF@HdgM+VtqLx5n@mXezE@tYFBw20CH{fa} zt5`9=nyTx6!01WZ0%#vmOGsO@^iR7zj%+vdg7G+__0Y{Zr6UQj zeJqu+NAL|s>xO(R!WdJ;PzRqfWuT|usQM)JtO1(gJ*9Wua+-W}z(Lh_r&~TqkNvQ- z*wMSqHdGpClI3oN6MB@cTGSB&Rlk`nU%kFwij(<`c!O|y^X1JkO*@_pDR~B6HzFJf zs)l&YxlRz#gu3{3dUg5=+MN76yO=F+a3E*1<$StWh_lyM;zV4YTrFp(*B2*O;_~|H z^7UehSz^ObQ=DmAMfHs0sK^m0N&vhZucW5K4a~W6a^y^3THSUzP4@RqD=Dp+e^i0K z$DDl)2+u-xsNu=91Fri5lbw_!6o?llTNp^AdKR&TE21@5Yu^&@9$ zC_Rr^)=);h@Cr}oxB8E~H)BeN-oOEh_$yb+d;uz4pet%zkXgj(Y3NW6htU>gDP({w zLMKY)9*KawK;UDIpAvst#uu#lX!a%Ge_x6}+KI1X^Zv}TU6h+}n331wR!6nZ!L&Ls z<&q=Y;dwQBJ!l?lt~nlpk8@C$nYR!HVWL4yGJqReP*Ccs1=Y$$pQ8H6s7EO;Ue*2W z4$g!4*c_xBs}FbrXKX4EpyyM{Q4dP!`#nLM&Ha*9@sYnxuV!aAqM<6#i`U9wI?#Ts z>j(=M*-K_2_zLee$X-zly8OuQ@SwFF9aq#U!l7z+Snn*BSF`y!JjP^xuJY62z2$TL ziQl#gc<#St-XA^ZRgD!_Q#;W0q~osjqZ~V}IJ&&F%l)9=o}+|F#WyS+5Hc+>_zM64 z|No>NYj4{|>~s7pgdq#$+EOH0cC2&>W~^yZEZu^--7su`AtPE@pu{!s`C6(d(UVl6J*!;b#(&0C-6u?#GQGFE(w1y zHgt7-i>s6s^RDJ2sCqiw1+F~ip#z?qnR${LJqg9`h2iJk#ccc(Y zkn&wMy7)2}Gue~0bXwhk5I@+TIwY9oIK?roaC5Gwz>flUKXmy9Z%T%dVguf7W#%D>D0LWyvJ) zRa2^0&D6{gh!&5v&t2QiVKky^} z`-L+Os8|)PX*uMlf*0cstXeb2P-YmFzpqbi335R%)M6i$nzZbrZ1vl4CCRx-=avWT zZ3~~dC6JJt0O}EFjMASn^1o!Xc7Aqh{ER`6=5Y}Q^I;Irvv@d) z^Q4HPA_$V;C`blHn9h^IU~K%1({iy`=JnFKsO~^Vcn2c%L#?j;Sc77d<#;B=^T}qS zZ#cwE-(h$hs?aMhh_%B}EXZSYb&+eAlf#H=Y!8PccXdTJVqpLu2cvE)yB1F7s4T5l zHo3b)Bcp>LVyS%Bbn?a6d&HMP=}O!0 z*C1BNzw#gW-8bPPOA2J>UU8;a6>f!h!uBBo%5n+_qi$^E0p*gbwRf6cd#42IBhG$N zk#|)=GMyIVo5K)^=?t*%2;Gr9a8!?$! zIk+9G+n6Y%`ov@@+B;NjD%P_z?w_pZq$kV~fLFvAdq$)ZQn<2lsjAekR7E!+BfV3_ zL>KwrQEGwU2sL3t<-dy_-x{+ND+IC3)3pfSLWW|5KH5?U9cDZx|P_=RqFDgCvRD?)9s>mX1F8QyY3mMYe$LJ}7*DoDRcilxIaN z0j}{H8+{v>D2tffdt>R{^Hj?sp#HJ&^TDfB;(Q=IYnT`lwl751pNB79rlq&MjXb;a z|Am=gt+8woUfsZwVo+D*e6eCrWIUwwuz19Ez%aX{MkmDkH3)BcwJhi5wO8$(IQuS4 z4`dCi!#aLd_sQu4A8fA%)c|8Ku)t+mUjuJ<+3x7+wisbn_#UKW1#*t7vI9!q(LkBVGCnx_%-jM-NXVgItybHwq}A3!NL$ zw8E_kk}WJvA?vOU452qT;EZ#UEdgmF6x;X=g)SVxryU&qpj+a>*FcaI_W%F@0RR8O zZ?iToo3R-MP6tS?0BQvm*Pvy1B?_uKaC20_eMJ=waG9g20A(O*2Te@{u%|i6h-cjT zj0ow|(X!2TvrE4V|NV#+CUI}?^n1)X(3z+22(;W5^_itDIskV z)K;ow8Dj$y*py3>hkSf@W_FkL4eY#@mk@04#bdmCcFx%u9P)9NV>22vE>K=kg+o*> z!D@Egd6j{?<j_5`OUlBfCRKtit&K=}{uKMm%b-b}BY;;a4 z(8^oD$Xh_pEor67iKUVzo3t8YfNsxIbT~BIcS%;-zr_%x(`h;>wEw|o6z1P(3*sM^ z;;;*fE$3hd?&FN;aL8}qQ$`Uuw2m!CqrAT$q91}_?o1(}D!C=rN0$G{^8c4Ce*&kT zNYdjbj_|<(yvwPptlG4|scsYUpJ|KP8V*xPB^hdv_vmD~vL_2$`(~Q#7h_NS05TA2 zv|pr9{fWU|{7Dr86a^^DW0iv=;-YU}1O0b%dojH3TbILu`EYeRxYvrw1563}#3LEH z{&s;VkL#~2Ig7C0#l9MES4b`Da0Hf3Qr;rCnp9>8d?1J8_i>bj*{RI*TJe9V&N_@+_usNS6gy2Ql2PD z4&~*A-=g+8{W5zLK-P7IR`(q?uE}&B)C$!@^un2BNECJ??oYfQnkE~f@zKWcOZrG7 z;LDyXvZ9x<;Wg?`{o}ZuieC1$qJWonGo)Gs1Vi3*w*Hus)E`}zYX!$hh9LrE(CkHW zEtZa$=7?#Im?j^lNzyH5#yOc3iqEXNS?~&gbTW252q*acu8%^eabPW1E_+ekh;&am z!(;OAB3VC*$p!Wau_*^>oiEz6hv9^a1>8D@M?szNRG?8AS@oSrkrmK6wQd;fpK>{> zv5@RKR>f-ayn3VCWq)<})9jvZyZWCE&O{2gO$58bQb(%+I=<2F)atd%kn8*u zKFt+rg7j1gPx@x|2Dby4nT1e{lqykmiUI&=Gr~J;gMEet1^^nM_}g91^2^@UwblQ1 z_0V8OQY!`U;f`glFR+;0;0=|OM5T!;J!-f5m6ehD_PH~vcV2-erV5%sC?Q4)X(sx$s;^2R&yB8vVDkZDq&jog_G>Hm@4-IB zi)1y0+ddz=`uS+2=k8+q>9w<(EjQVEeW;eKH_~i$TAfkL)?f2Xv-Lzlkvcy4e@ZR@ z00030|EyixZreBzeNMiD4T>Ue60b#Cl$9XZP1AN!G)RHA+m}Tl=;l~JV7sxMv?%)T z%enBPNU7UJUTjzr$)Q9I$?=(U#M2j8^|olNczUt*nxR=wt~UKj5|}9aNARNK;`%3N z?Hy9FF0_>9*mFgPQgua}sz=Up_mcZ6K7bK{QJ_ahOYkn9M3`kx&C z;bzu))KO%`Xjlt?X@?!hLc4ZmBSM-!W|XQt8VM^3WN(Lp89MK5Iyytyf#!H#)s>aG zCA)}1$?O5%zxu!n(MRehTYFj9g+~T9Wo%5gUS#*$Zs&u9OPDWA@=w$O zmYTj3P?{Zz2S+;&H$@UdDm{#17;lehlLJiw?JC@h6L*Z?E-$;pQJ9yei3Uc2Mf?;s zf}mgv2RsIVV>0`k>%4)mCF0@`O9VUG>u(lA2Xr&EuH~I_)e6D{Zzr&!V;X1|tL`r` zOH|X_3Kpfa;I%&Rd87R`?(qA@e8Ud)Neoo~EGy{e+LF&QS*yU0=GsZ2|B3c7>4tKQi_MQ!`1D>G~B^VPRn(xAEFb4M0*(%>YoiR zxs8)z=iq2FI6l~{0xaOd=;p@)XNLAJG;2ZUY~!YDh?s)#E8y6k9~~P z&(G!u=bm$x0PN5(b__cPU)!^74TsHHL>CybwPCTt>5MqU%-uCU z^%|RjpKi(}rB|4!Hw>@=5~rGZtvT+(B7Z#(1G##V2z*I0;pHEY!s1YJ^W%e}HND=1 zw7-yB*!;xZsAU%pH`fCqiFZO_&z=dt67w#Y&wnRQV$oh_0yy^c9{wE1B+ptDG`HH1 zzg3w0m#e^;iDTCl53D31%^g8B3Xl+BnG}{AS~h0o`s={6s%jPU6U6{Lkj*ffzUQp`6|2h1rzj_g^c>*Q{y}>;Jf^#o6XcL?TL# zN71oLIy7PpOc=)~lm%f)(tiV%B@7>K=8!9OH8%sf67{@Xpb{^NMp}6)4e(Y6wmoNH zY?R8RNXkTu{k`|~-Aw}_Y-q~T2v}M!l;DceI7&b74Vb8>a?X{CI5Fb|VXL$33XWsa znPU()F5k>}UMjqCmtakIH?Xe5zrF}#Y-V8KVRMpKu%svOjtHl7cIph#CfNaq;do{x zWENWqRK;ilyG+HuM$$Dc6KNiLQca>sUdV}_q|!Y2G}cuVk7YGdYAo|{holP|qt6U( z5pE^B2YCls)b%8tlv_wYuhjse(rvSVJ{A; zJv*Mb_Nif+uH5BAC`vXvI>Yvk`LhMT~1LSgd#~t2iz*-l_SmqD1wpwp0r+AG{0w ztRCwm6Q7^zX7du(`nk{7NBU0ap(FV*=B|u~JB4>}k(8N_1a0_%t)DE$*9@VIXRq*@ zgg{Mg^P&LLl*Nbqc-X6UfrkB#@D;*T1MCGuvfAL*3gaz}CGvLq?Rrs&6N__;$=zl7 zSiu7E6TY=S6mr%n&%01vWBA)NqA1j|-IfcS)OJ>+RT)X1sf1^7#zsPp#3*5D0!NB6 zjb=$K3w@~VMs6RB$c)!$zs2FZre&g4!Ica{87H9XjKgL2Jw*pSt#|04m8@?9l!jl* zkbUQkZ!WK=H`kN9hkQE8^YK@7J>TXNFofheW|EkTw2J@?g2ouuWCy-C>GX!?^G)W@ z@NMSL@YMXFFy*qI&#R@0lDeC@o4cFR4z?yVKl>Ig`vw*+SeGW>5JEhE$nQO$v2%(6 z92rkMWp_aFZ7@NTVkLGshsep(0~GQ0f^e`L|D};mBtnZAeN@6?Pak<69!B&)#{C8I zRn3af2Lf2&S0v;ky))|T_&86Uo%UZH1^H=rDh2-@*5E&fHRxt3R;!qBz!{dc-untH zhryYpSoeJe2EDHbhE;vAt=6nqH4|x?sVve(G?OYqvQTXK0{{U3|IA%kbK6D|eztza ztSTE@B@xEp1{G~dvADLX6x*dE`{1}(17M(FO_5w4a#D`}`*!yn07%fHBGqPJbl{i^ zGd*ATeBB)tr5C4uAz@b#4G};4#Qs&ukr1v?0 zz8|b1xmz(_iqXq|PqMiKXtPowqBXON9ak6!bMSs}@e>&zkO6#C6>ZAl7&~RS-u^B3WdjWSr(zlM8>l;m4)DCRwjYx1|rSMfJc!h)_`lb@8t5;PbET4iC(rz)s#FAfVl)q|r9=a4( z%EMm}ZvZD{QRk{KI(UDF9jmkvRLG9`;_Bn5Tq^VtZ0b-8eQqkGMwrWIr|kGn%)U&k z;wwnM#>7!^LJ<*TTg~&vE^PjvPi0<}m6DaVBx*dmrs5YscSA(nI>VeT!t!&Jm_`VV zL@czsd?xd5ZgQUP*y?U5@-#GB?;SRSODMnC8NdaqeKYAm1zEFbPWO zWn92t0F*sm_;%G^ObF?|matw>JNRKn7n~b?;aJ>?LN4dsvE2cbfi4E?IOJv#bF+vM zm5rqMv>sj5MzYsD9pf?6a(h(j6!DlouI9NQmMFQ$p(C#HV9sHzL3M&^&=+sLUT38c zbe>*!xD0t1wQ>b3cg?=>*GvL^o#OV|%YnBczW|azZNKnSx@gKAfOeSszU$|)>&h%i zrOZG;z$f;iAkTRc2$0SXchRifG94$1l1%tP#*>G;X!0N>aS#}@z21W!?>ES{^BdeZ zu9AS*dWgyv$~RDZO2X|i-XBj6zIy>;;2dd++Ite0IsoMTquR^l7DIW--sVHt$#Q|L zQi3lA#q3jhdory;S=$t$+#)wWqRK#k)ZrDm?lv=*q*Cn}ua}rkQoQJZ$Bj?Ya;3p~ ziFw--qe{$sxO}i>9WG(Ub?2TEG-QU&@xEf<18nMfZvgu6ks6+#PR`HYy&7I!oV*$w ztyR5g(A2xmj^}i)k|Mnf55>dTdrcRDTZ(nJsU~A?!gjVb$U6o@w*!iwf7( zo3V#==Z`T#T6C1-2Ou;au<7W#SVrp3CP{Z>ia zvx_}WE1wfGYbs5a;>fxvj_e+a;b$-3K&d12|UF;*q-Rf8Z1Ay z!tzsxs(P9$f;xK~>yPcQZ?pcMltxoiXB>wE1o3<~Ec_>@(eN~)1TXkoA$&R_A7elv zG#U5J*_RfcjbxdMbJ9ATX;M_MCKV;AXYHYmrML82^cIKMExqQI2Dzn!OM`U9z4ke* zi8;l-TC`lkP=!UF2B2gmVdfWHN-yzCHy18opgfQ~O`<%1Ttp%~x*)I|F*in2rW>zC zBs!hsOJei4F)(TqEo_RQmJ(7lmEE}t70=wFRVu*(>HkeAk+R@EC>($y!%`%E z>hdIw!r1pSKPbFJxT$dCu-GC~N1dI+aY_#QFnpCPxIa?|S6r)5qtMOiHrUgor(j#A zr(o^u9`J?xTZWJ#MsimasRu`pBB|FEM9M^0(iX)!fK+o7@ECyNJrNlWd&MR*olRoK z)ZrLvx3jETkPn2a%2`Qlf>XJ#Qgw9dehnQ_nAVa`hlWWk2?k6|6(TlVM z3uOXA*>hTQw9sT}9Kb0)=XROuu!ppx9(L3`_`DB#xQR-K3}mSll8d{<>Rs>Xv^BrG#j%vQRA1yWI&gy|&@ z^ieZS3<V4bs*e|S+=Mry01?td|M`lS5Q3Y$nTz?PVg9q{gBgzRyMACB(@8{ zG?gNaLCE@P>4_u^<1ljLB#wC$`yxt$G?skrAV;GIQhBTV<#IfiIef}FG2_2+*VrAn z4|Qg#o8bXZoaCV^lAs&Ibd}P^FkMd&dZc6%bSPj=;q3bD<>1xz#b5|J=FcY=mnu%l zt~zl=o#7XE_t~?C8>_xQxPmACIXpePSbw00545ICcOh@yU0$7>pPgK8dH@vGlk3y7 ztNQNh?bE@J*RMNnTloPa8H6In?KcuU4O3obNm)i&oCG|GU63YW>^`CVNcw)-_t#@B zn&k`Po@hO|UIFb%l_t0vBauXf{mapHuMui7<$SMg)YtqqL%5j18pUskTQ!!4q5oh9 zQtOdYpOG+7o`lOW9@rS$zREI+bz2c&xp5$>iBVA;7(*=nOZfGOe&CsDZAhfhbJ|o} z2NG1#|6p%zy+-nYn1bdGTs$z5;TnPHRBNFd=6v23(YLQb)0T64GKf}SJ>K|g)7)vt zT~Vpj;DKf{H9_iBW07?t#wuRA9F?^y-WWP-P%zc5npG)4pfb(E=RnO4Y*$6k zigGf5FO~!;Fq}AyzdpEBn~2W%s8Wv=1(B?keE{C1Y(=I!b+jd@9Olmdv6KZ}Es|jt zi<=}wxdvWoj z5fnVNW(c7-h= zcPMz7rqO|6aBB)W#-7B2Gzd1c+_>B;6rGVz{%BGy6c7Q)RmnTJ2#}5j5=)rQs=I0= zZ{*w%YM|Sn32rygZ4)g7e+A%d%`{l`FN={~reuj&yJoT|dKsv6Nb+$&7ne~CQ_vOd zIk^6=nvm<)ZE!!194t-RL{TM&R%mETf)+={&;y@QiS9ka$xX1KmWyjzPHnBu)c;v zGAS$e1V-!!*|tY_t%&{rk_qF*$wWW-1y)QK@w2fMSY{ zW>cF@?~viOMDwYRnu~qPCnH1NS0W)G$DY8|0TmxS=+6{mo+$QBTC*OVzty8N#S;+> z7(qRuX8`+oaunX%t~5!9u%h z=MU-rzWW>g53X)OKNIcfVVT&p%hUIr ze}K^=yxSV5shq(g$&TFL64&j+N*K}-Xbt0$*KfUZi&@ZZUg)F1O{3j|M$vUC4}ASG z)$gzNY~`^(Q-rR*)j56ZM$9sCBO7h&F1EjIf$CP!|5LT-0`GgdQ4xn%aOyvbAX$Zc0VmgOF-T)=8FP0(mm@igVkz( z8T6G%U%|oLkQeKiM z1VyS;S&J`#L?FUVXr+F9=eCP6j@rBg?BKOMJG(nOGiOfK+I`o%6|Ee4Uc#|?5nCSN zqys9E5k<=rbLa+0Z{1TW?7L(R*r-`O6`pe8yT^I(rXGaTqBwI$(TxU%0s~KBfd~r- zsu}@PNx-Ne5zw~A%sr>Xj8+>KW^K-Y!J3Qmr4sdUdar+@kcIBx$U5L#dv4b*`i=-% zFj|8n`W7aJ8C2}9>8svvcn5l91vZh55Hc_UD`NqMdZ)6UbqyY}#aa9o5q5j`lw8hk zrnld(lgs%zH%x87q z?Zj!nR34Pj100qX3Z=v(PIoFl!646SgYeCsv2yv9Fy+rMv6^;L{ffZwqH5l8jC)a%8&8kSs=t}_Our%}4V9EZhlZNqCD5W>qqbzWocZDV(TNlS#M#I-N1fjg?Ov4 z#h$(#`GAaT^cmj%KKLYwRE;dNhMq@Awel7MfNfHlg~gmFAmi) zi>z-p;aFdIySItCxa?2@5()xY5y`;>_k$T|!LeItU~7Y*h7HQ#tAuxlAXX^zV#WE$ ztIfn{wZqR(JZybA0Ik5U=!wHmnxz(R+qV*rUYFU<@=ksBVxx4nA#TPjc=>K8?vo2E zS^K6PFls}9R< zmzKHQcSm6md-LHiPm3T{qcn&MnJbnY&$(vr(Fj37-EaEQ! z00960yj^Qg9LEyy^Dk9h!&6J3A6Fw?K8>aMP?t~#YxMV&H~Ajp7mlI>734iUr2>H*UFv#5)^Pb349 z6?fX(XO1Bv|5_?j|I(Sj?xd9#2wN ziQ6`D+?V&UM_mGr>_fL7zTr;<_xnV{su`(POHl-o~zPe ze;UW2av9Slp$%Ix_gzcM%7wrpi6=ozxCP4}g6p#E!Kq=T-f%HT+S; zPJ$XU@GVVYN{Msqmdt;M7#$D#)5TztsO_z-cxRx7@n|$1G{vY?axzpN;Ld#tw{!Z> z&RDQLVzR&q6YE9J>7B6aVcH2wac}I8=SPTc6 z7hxE@h$5vY2fuuxGE0X_)rciSTMbX3)T+>%UBTKRWM1(9^7O)9!XY0lA)6|ir!lhJ zk&OK&O*DIw;P6Zz7k{~+qvDxXp5GjtM?W2$lV`N9^z&Jy+ltPPk1vic8H|G6I0rKh z)EewCLoiq}&MqU0_kpx%iVyQDw8&<(Q8RRa{xm@lf^uYvl6Z9V;smSyJC8DbLx*#< zdas2aTmNychbe5 z_fNSF84UXz!ZI8T*uwai38fVq81VQT{b9+jvV5;Mqv*c!7e%7}*PWN!i22$!YmRsA zBsZnpfo_xgFn}fJ$I-7LZAEsN`>h-@r@cqG=lbD8vE(3!cY`&48G)Bdx$$Lj6j2gFY1_r;Aj{k!byq3ks|$DGqGBM_Y9 z=I#Lo^zIjBVYPApk@4T%8D0;D@idONw)*`k#Um~TNpmNuRCW7F=AZaPSlZWcVT*gIYy zZA+BxB$~m`55Qlt8+DEL8F|BI6k`wFFxVo9vIP_(;foa5q8iI{3}HEuoQ!{)A#!M~ zi}1=0`u*vfGn((^LrKa(qHN1Fhoqhl_DCRM$1NSXY(PpEEpbc0 z(THm|O$+P9#pjK!it)l8{*Y-?fWqL-K{8Np=uB46Ht!hl$e}}6j2n6D9O5Y-e*ObG z2UI-{D$SeuvFn+MPW9&_DJWxjnlyk&VoQkwRB&{9%x5zq7uf>Px7O?J#}+HC@90i{ z5G*J(rYQu29DIjpI?(nNu}uLGc|1z%2ucwwllXd=Bz-kmj0dB*KT57gQ#ICF{?1TM z`zo0#^-mZ%$FD|{r;VHkFb^>F6``2$r&q}0lLQ1X=v>p;IDE$9=@}x2iJDEuli6@K zN%RaKC-GpseXaVV`DEUI+TwYVbEekxI?XJ67y>BaDde2u%B^QT^_+JeMX(H}v*}1} ze?|n$HlQ%K1qt&BN4@{EyI7BF&c;_?#7pUU)*oF3$IQf;=8h!&W;aLV|Kn$5L}wza(M z?MHbT$rC?&L8Zg;Hz{!?x4v2ozPZaeJ2ni7B)?$H0PaEnTCq1Uzs_$+)RtDxerW?7 zb^*JGO?q@|?K6QsE?@99t=%wihr9UQ9!eS1wqZ^4s3F7%tjhuYD*6GPf$I9V)irRx zvu7`*yf=#?SIsv(EdA3eC7`u_K;C7UE!^p#jJx0_=U7Ub@{!lIN7EIp!@FFdpn6|Oq)-@(&JnU`c3HhN72MEi1(|-y`woYYIn4rG z_rvDpobfd0h;R|t+tUjMgklfE%}&RA`PvepcJZ&rgL5m}H5m)YgeW-*@FpPyvsCaB zra2-A8nB%WyS|G7JrK594wFZs8HPM#fJc0H$-@(9&WdkCEB!G;+=pN7RuKy;GtT*~ zl8r3=EsyKSp%rF>A=sZu!#fF567-|jrERJXKx**M+ z#uAyDn=dkBURdbeFM=O#C|3qt?dys}a9ntr((Uwot5`GkDM`b{;z4*tO6U0x6@u0! zl7Zpw57`ZSXT}Qsml0B*U5$C#1;?aoids=Q4U7j|1n-J~;#H+ezHn$v?+BSlZ0xZh zky8gB2w;q0OsR&-;T@zKydjA~+6cuJX{B(XfPSCPVJ*zc!pvs>-2F0JhGq@EwktCP zw(>_oSeC`Ci|%?)WCeQ*mfwDI{tb;Ddci>V;ua>(>l+pERWEO0dg+wDVe>HzC*8@I z&>eQVqtV~s66{O=@r+kI8PVrQ({=qlPZl90wO|UgP%#KB)UhKamH!M{2F69Zy{A@c za-9lEYjuR8pRAFGfBW=R&j@L^1kHQdF~2j;W}mC@vQoQZ-wwKC;vT@Lg}=3!n7V$>C{DK^Z6`sy=>*Lxjs5t75;d~>J?!gSbi4z^N_mqm0h~u_f@HSmnBNBz zDrOQ=%BEz(%2q{g&(NjbPjwlnaHbJJj{$v_?!)Z11|tVK{(v-_^s{Sr?k+*Xrwfv# zr$0p}htanO7e`?iDEr3Q(J%_k60d%s;#=exWKr~b#G<&%S%l{gPB%91%6YL=bWDme zm8>i8D_XO(@h&T_aXZy-7D2FGWVLHC6W0=~Rb2{==1n?YU3FCBk;0iJqyoLb8N=6&fGECs=p~Xz+zu zt@s{xIw{5bGN@E^%3ytHULk^Mu|ZJoeNy~(c&X3oKc7UD&GO$@MgWmtd1q?eVKDqYLn~3u>^V_BUxl z7rz%j9K1O?Gk`$jR zHt(X{<{K>Tr~_$YkpZ^(3SAWl=_14d#2Hr04?s`?L_musM2LUS z_}QNEWT)kjy>LNl$w%XOJn#844uRQ)CdByL=R3jcj1WN%38n_#jd_|mpSNXmv1OWO zl$o#vJn7YdM#)B9)l0E93*Z#!drULPs)J@Zg`Tj-B+(!f$o}h1{_7n#!gj5xk(V$H z3fDy$0&$Higrt!wOsGl`Yd2D-4tO}255MKx12hmnKIz2HHKIVq3r(aNy@Z7FwK(Eo z$ELywXZ0aP+pBs}PnEIWh_gEFfTSNPX=PwX3zX4U^|B$q!xXn{aEPE@S@1>0!x zFOc>?*P{FI3Jy?t!yO~2M^AsIulsU4Fdd!t4Mw#Zmq4_C4NDe@eT!KC6QT+g8cR>B zsg?ZkVwx{WADr&OX&Pj?A-qyo$oPA+Mo5RZxfWBQ(WSUIp6uvzF`|*lS_RI9GzfLr zhz5VwfX2aM|NgLPj`k@>e|6W?5A|}D4QR-DNjyWo(;gJRr3nSMV7S!-qDXYz~gaUwlYSXw$6SCt*HJvLi zuCIEyp1ZYNhZBP16al|6ViJUFy6r--Fy@FQAr~g9YJbI73 z488yW0RR7_T}^M(KoC9qU+k?!i6hR1R;nOKNRdFI5(k8W+k|4_tgAR}74hfUdGoQm zj#H9yijvr4dw0Au^XBc0VpP_V?Ll*a+VxVj+YFGCG7}O~4r&YuIa+5vuQsUoLT!pr zkR}pdYz!)o*GX zp6t_c;7CA|V2YvNc8uZ(s%WD|z$~DGmVpQ^QlPWwS8UJOoW7fruR3 zxHT-ePu69yqvD!7>nJsy(R1jk(x*aHcRJ}L>qj~Oy`hVTk z-bV_QsPR{rmOV{1)>Mk_cCM)aZC`bY|LTDEa6!xz)z2Cf&PIQopzcHS7Q^n3?_=wt z1VypTF+(B>)#AC&V^borAoF#-T!fI7SQET#dEbqYOrRexfz+0z@A?gUUu0|L+!O7s z;fe=n9CF{?=$r4pPy2)p+udk+xn)c592*VnRa@V0cjZ7p!#O`%!Ys0a8Q+!cFR1cfrc$eu>%_1X7I(*RF$M~4pW52O1Bo! zT9Wn6a@w`Li;kd4ibpb&E<+-m2!yZw= zA&{3tU+CU)Hue+`7gs&t-HwxVa58zw1I1Jz@(4NIsdxCrbBFJJ4@d5989Yghw`fYu{SbVPPMS=bF8Nut)DEcyM*bS zV|4=T>fMP$p@E4*!bTlms-7GIK$Zko3AZ?6&qhU1p_}%ha||1bvw=JX*;e-N9xD*c zJM-4iJJ*&O(p&O`TWZg6_lub_(g<$3y4?VO)4Gz_p@hu9msUj}%>p*95Z8jQqM8pJ z0o7}G`q)RbZQt2QRH;Xd_+L8!w^T^lz9r4V2Mk^scfZhlRJJBnrCO|=5PQ200960yj|&U+c*~g?!Q89(bisDh7O;RV_$KiJxMpDMBg7RVsa zo}R~3b22Z*7Y;CYxo&hXWmrqgr^K}K#2=Y0uj_E_^8N9(t79}ZJ5Di`CmeoNv@7uP z2F-N7L5UnCy`b;{3Nn=N{cwj~{D}u>Q?)`F$6)`;|7=R&y`gDa!nFY4JiTDppt-UndERlW_cx16x3j|9b~ zs0L9Y6|0BDsD;_mf28XNWd$WLyq-ki{Pjw$vO33vA5@PfW$$Kf=r8GVOQIC})7miM zq{0!7niHw~ame>}nfX#?cA=|CIfrPSJ88H?7lE=T^r!isjg@8@*;zB(4y6%GTOKG# z7*6zVOR0Hl9Ep`8_jiKsGO=w+wMSYhPW6FyoCT(rS$s=(WqqyQ5*V)Elp+-n@W>CT z3P2(iTSv?#7+P0gNTd>C@zMu)Sq7euSbL?FjU^{^^*D-gEA-bve0|j!=EtR>qKZ(P zTk2~45~`l)M`%CQmahXFqZBi1G|GjXKDl!8KnxH{d9PSC&5pyP_?BWldQ?2SgmPDU zu-SD>(^!@C&zo1QdQTJ*C+(718(&0?fxxI2hU|-xDq!63uryIQv};lx&&B$VK?M{y z0c_9Ax$Ri*!}l$P`CNe6sYVKz$j-Weu6$#oV8qEnZMTcZO?38_3ZiwBxZlf0VcPBX zqHOH+y(Fr^NvW-(uxHlYCJzHbpKAAM7eXjkAaE?K43n;NWj!73X=qO)dm0D%1_!12 zbZlM64FoLTVp7Uz8cv^%lW-EzQ3~7yCYJgNBpKol=2rfBn12K62(346-^aA#B%9kJ z+Od2DVtTyT#fN3MYuIlrV*zc7t47rliauD;1_1y!LhH-|*8rb16Fq0A_*V9=P-UjjYGz_BaX^P+QM|M4p z@aFt_8aHf3wovyhnZ{Ej-&<&9mf}}7%kXPHo8wn9yM;EJQ8R6Z%~q=gAM<96zcX_Y z|3SB)s6EGz3_nu*2xpV|B%7qTH%#J5avK2C&FwcCiJAbN%Il`}cXchqE>Q=gNqR}w zyw=}2YBFZrHQHD|Vele52h-`hRsvg2CUV%w4C6;CrJR6RmJiIzk%|5kVB%qz@+SbWVBlNY|V)*wytvJnyq6g{Y{PTDQ z?sdup_CMvV`Y~RnnpC{e*dGe1M1dUz?KpTF6JdldeR@IY*+>#VDsB+db)*ruObnq1 zmv~yES>(bL!(>D=n1;xOYw;|G3vXc_U6{Y%2$K^|LU$5+7q97;wgB~e*o=Ge(tL3X z9+3gGP@C(4m_yGm<#*866quXi560uzAA}&yMZ;t;i2XWguKa8{kAu06Yzc)0w#TE+ z^Z4K>{mgDf=HW|AHy`p`yE-!44R5Epuv~8-|B_8MS?2+nV#6}=BD9e^&$&JgYafg== zh1A69g%n7*3i+0h<*)N}Pw<(|cU-Pxy(>M?!Sk+Fb+Y^iqUYc5)`umbP1AGlKd+HH zRw-sGn9Uexab+=HHR)&-y$L2b*U~CLp%a!jif%dagSws9%TViFuB_KB<8ygBe~fA1 zAig{T^>)1RWrIh-g73H%ffoPt;Ug+@e*5oFzkjfr&<~F@6&N%!E^aLn%wU?4|Af|V zE3?YIz^fD?1QcFBs`bC5oOA^fk%i>`XS@p*=#iq}IE=r9Qq!qg*d3Pz+szI*I5tfr z%N2R*%XUngx||y{7|})tx{EWZyw58!7{i#~$t9F|DwkfN0b1$I%VVXAo>7Tu=T+p! zupHTjxa3baHx%^@GUsfKpA@1a^CCX2Pg_nWI0ea~2S+EP% zgddp+XzeA_VCx7~GuZ7mZdHnw)ctCE)e=V)*;7)$TZ>%jtXG(O5XC{%B<2R2Sl(EV zbw`*OUrov4$Y}v#Ss>)8QdW_3863vw z%Bzib4CAxkg%yV?S`#RyD9wL_K&|0+uj3CDJlZ*u5PL?^oKZU&RqNGhNt$TeX1X#~ zfbyy-kY2~q8)Expt=x)NQw8Mh+*=gZo+e|fwgcQ|r`msQ(5ZVf+f`8?3L&esGDug+ z=+QX-3~7X}fRCv8gyTh-8O)573|aLP!fE9Y$+PVa$Cn<{P&e@mbl%@~iETl>mas3? z+X`>aAP1IiuNDL=%`8pj=E(}F7BHLK$v$)1RGE9>`*f?_*1=OwzvFsV+jHC(jD|V- zIX};m!SSi>g$xjbThQjW;`nTRd$nLh0l^a}uO(HAJ8uB*>}QI~@++)5Ij&TR!m#O` z*Lb)U4zhx$DTf{LN~7~2*6_0ObPW}v2C|L{6rN)3lPA5btAmEBJUB43=#nA#RC+)( zW3shnOy(A6Ea^Qjnpzl<0&$(9)N@2ZfxT;%NsN3?EMv=;p7P25KChamPr0^}Bd}x~ z&eL>#$H7Lrk7^VYPxPv$(5a_DeXDmTYe{<+e5Yld^RPCirka!5SiEWyR-2n5v|%o8 ze>4vLakra}qM_d(N6vThVizi@Pm5hBz?ky>kO6b>2kixLIHo&Nm9jqsD(}gzgJ(3E zuFr%$;S*3Mf-&keR5j$?piBhM0D_*goGI`Tt7t;A40h=KB7q~EtYn0@$nHmIk*NV& zEIJ1-c12|eNkyoLVP&uoyu8Cj=Es^o*^Lrf2qBuI;i>>ZA&zr7yqobG2N7^1S*Z%< zuEJ9Sg@u~?y^igy4tODqs-|xW8PZLiUJ|EqZ|p|NDC>=)el+aGsh?toaM$iZhUVlRx(eQPstuye@SVC!;^C$Wcn>$#rNZH+ z00000|NpFAZBN255dJI8Oq>QWY`i$o4=V6MLnJ{Hjm9iv>l8Bv8H0q#kGFTd8=YWc zqTk3Gt}nM<*Y>&Rss01GX>~vJYajbSF%Uf&2cYmw5H!^$JMocez&5&0Ml)UFLoO~D zE*J@38n5SDMq4#GaUP>d20cgnjHAyy7m0GuJW3e;$!CMoxWZ7BavLz7GLNo?jP3To zpbO&U(sV*Hj(_%HqMJyy zC=UJZsDJfPHk@{~iKjt!6s$X}V$qGd8_aFk(->T}RSO0*gLUmUV=+B$4DLYJT^DD6LW z2PFDwu>?C`cm}yf4x~2A4N%qQAfP4gyb;}RQlgYYPH1QwQLlfyW>LMihW@DcI1-y; zC^pnGw1kfbLl6|QI4>}h_5$%bc@9Z4xQ3}Jj@;uyEQWgn=MGu`N<+ecv!ehRf>;Ih zPfr_8>KqxiEpnUO%28}5muh9eZ;M4Iaz96 zGFffKYjl<7(hm3Sxd@I>1R%4Ps9jY(ho{P+a`0RR8gU1@V0 zM|1uxR(`}rw%-Cs0NneaY?UC2l$k&zi=ZUSwhFZ;iPs<&#sVVgIQi}AV`gsxkev^C zRkk23dgtir>FJs2ep=+xnZ@}y_5=hhrt&ESluk4lzla)(5{7YP7_lSZ5yT*L>7YkO z(h--W*JdFJJq}B|pJuTTbJ!4wY&`51nWrNxDqiP#VY@sffve)~nr2i!`Xv_A$_=;c4mypquwaBQ>NdhlMjYs#LU-F!@>t-x3xIefx}7O_{EbB(!NQ)r^$)pNxnCkYHhKFmFphJn&4( z^?!+C9LI!@d8FK~R(${pSkG7M!-FhcFT?oo)>=Fs9su2; zt{R%B>80W*Os1bENk4e}+Eoz?I8OV#q(UjLv4rUz4CnD}3U(^Ih~EYweR~D+pORM& zZ$H}J9!9sIqn4N)`e&Hw=;d@CuV5g*_w!!{fABA_W*C5z4$|e#ODXdhdu|y<6#GdK zB?vHYB|)IWE<$%LTaO~sfW3*Hn1PCyYVWhSSQ2o+C=gks0qY?9HOtZU?sHbz9oS_r zVdi4ItJFfm{zyE_NlYh794qh=Kk(qYWvZG6JGMBAgV0XmKr@~0RuuXId44dk{LpmW zAn}5oQ0Q$!p?Cj(q0k=)6ngJ-*;)b3NvaZLg|0I&cRG1RWMMqVsG+Q8C$SAmx&@t= z@|9NUNWOoWs zfe0P<}2wEeT;MJ`ESH9{LIpAdSH9PS`nt2y%mg9R;{(&h7r9 zhVI1SVSL_`tXG6wPjHu<=2#x*AWv+IcK5a|;J3c6p$xl{)Yee3o5ZAQ`F216A@KF* zs^WLM%}B2s=rwPIl1=@CvSn0Ww7m4^4@EuyBj@9v7n9-f@wcIJgh?}IWwtM`%kE3BLIl+vG{{B$-3Wi2=EL1Ov7sd*v%!?Yqjj8rcQRnLhn z%~fG3w_`I(tRm-4i;1w!I4B=$>ShmTtzT?x~v5ZAs!yOX)0`O@kt7Xz7tOG_1f4U05mH!N4{X zErPQBmQ>!AS4#;*%a8ezg3^fM2TdQD@D{UX(YjrkMEGRV%;pWn@zmOMMSOZ06lCk^aS;S|${SilD|7aAs014|e7EkbVj)?~3-DxH=h z#SD>mccr$xJ%2yByn@Mab^Yn6oKW$+`rG9C)8)xT#i?H8XCt$T&v{JPo59W}pA4o6 z_M_w5hHd&F0EXqcFdIxabnF0(+91;H*m0ub6f5+nu%~-mE8ok1y_%&UxEWgA^X3u1 zZYv=7I{c@}BYszk{s>#IZ1Y6o|6tC7~bsfn&Fu zK2MibwSb@w;Bs^=)1uNQ6z$HL{|6&x z5(KwAh$&Grpcb9uVYt1&yx}7rwZGDfT(cMggIQ)r!|_iXsX+$U>DBPv$z*)?^NG^w zcRGDf*;mFtU!A;F`ie{cJ}rOw3BF)V<8btDIR4LWmm&yuEvfM`7=W{BA_|DOd4H#M zAO243K0ML7f0xahO!D!bWNEU3l`{2LCHr=_);8+MVvbHUdpOzn10I~5UtfJvI(XtP zB0?u(|AosZ6f_w>^PQfOEqaQ(PxX|7Ym1?N_V6WJJ$qQHOzJTyXgqxBl>e#j^XL@R z+6HQ^L9K6~)*IBu25O^0ZEm188`RbYYO6tQZ=kjt)XoNKM^Ya=$#1nm(qOXIAZc(` zZ;&+DX*5V0JTx054aQjwk_NZz21$cOIbWWd>(B7TFI%Pa1CIm~ZxhZ6@iy745N{LB z3h_3{tPpP#%nI=~xvUUx6Uz@gLQn8nty8oLWrd4M$@MxW-xA$b$g|`~b>tr1YaCBuhWEQP zn&SN^-UE~4CrhS<}6*&-32BWdlcZm z7{tS%vvirc$Dlf}Gu@x3tNjZ8sPI)NwMZaN5BTbdJQKv-|CH~vZxLpF&PW607pIx> zN4!kw@&?_1il3mx%Xqb3ig_)iA72jg{c`D5>lvOLQd`~2oqQjm6AMs-@uA+5#x}V@70V0sxP6bZ2 z#CQ>za_;P~iNm0R0={@9-La}x6Of1gz@HQxv&(`<+AVz7m8xSWvv-_1hGzFe3mzu&XL?9 z>3X_H;`^wK-b^m9PDU5QH+@;S?Bre!mlVclPGl>Rb}@5MdE_zyowXJMwC z`!|ou_nG)Qn8Vjs{_?Ky(%5iKVR*V0T7ju1x@Uxz69$HECzk7IM(F8gpxU+`CzjWC zO@ZgCv#gA5Mqg!Ig%`L+=-Zw>7-)%|xVq|UUMsX2zg9su<41H-YngN{VVOmGnEHfm z0|_glsVEfca37cO-}0=Rk2sBaDadH?DK?PYhnH>!{FhrbYQ?GmVLQ$$1PNAMH{rP@*}SM+~ylX z>J>p%Vp?{&U<`|>>q@<=yr;Dcs=|eh^uV0b-ISJ^4*NgKUl@C&%Ox0H<@I_c?~-|8 zEC+T$gQWQ)JUO8re%0)PGLY&oZ+^qrL)a4bpsZAELDS(~sedKgWG$ulTY8U31UI4} zyQ>UYpX1P@PN%iEJPwp0AiYPt15SaN_ksQrmK$j7c%gKFBh$Hrazg(-0zVdO%aL6F z3Ns?NMnocAVn8v1(}=x3%5KImOwU1c%j>Y*k(k%nI!hQNc0#HKNjqR}g$K zyJ^?OgTSCrT8rG1s{(Ney8yR4MbbkhhtbW8ywcd5NV> z#_z8#NAJh^gev<&rn!$RF37|!cCe*dI|qum?FHSO=fCOkWXVJVCU#j~#$agXU4CZPq^hOb(_?faqMv^MhB3Tq>OL>GM)My?;=2U#18cyRE8 z@+T+gS!uVbzLKrcVIhwk<10OD6_pX(af zKG!wr=336GK85}^+Nr|N{Q#t++Io1}(p<23>uv1=rP}sTYkR0y3Kdk<2WsPqCOT%Q zs@DUn!caAWVuWX-H{_|*CoD$ZO7!u-W)96IcNYF51@L zV(j-KdFVd%{?TR<9Y{8mGDs1C0XJ?`HDML&Xd3M@0!Dmvcq9~T2yZbFEHT6yCK zeB%jv?JMc^r|H?HwH4p1+P4-2)kCPBH;MH#OaRm5BeGQ1zY;2J<&I9 z_r3+1nuLa<>bv$$+of;XFHqs<7kQ-T%Pl)_+;E4Veqix%v z?nF*v?8p&)7mn!pXzOjGt#9dDOSg9Kk?9$_i^1CV4n3-N#^c_gKV7~V#8rcT{ldX=^WOa{r>uI{4N8;e|Y##Dkw40QXOXYaCx99JbV`aoz zQzo#xuKz$#u~B*L+JU-{+`D8uoQ9*bZ`SI-f z$BXyZ%JBS?@^N@|H9Wum^nx~$usShbCq-6cL>q>y;C5ra!hIAK@$Tg6_(ynW`1)*g zcKr!Ea(Z@seli{_rx#bsP`MmlU7sDl9}TaROW0dnj86s}RwX#jylvxp&T$kw3Kfdt zl|P;3i48x&m`+|?&S3Qb!#J9f3aImAp!~6UD z0UG6CP9M&=r0nozo(ix4@XuD!G)3h8(z9rmg!9@n5eZUzD&imxAKG5Yf86*gIp5N6 zdk3Y20Lng0i(d=`)RKWC?=IeSrd{QERSP~>zL_e|!J2rUzhCww1`5I*HyADw%TT*L z`qady-bKvFgKu#5CHSP)l)VFTnn!b&aCtDN4W*R87E(5@2eFsx$l9i#d&<@I=*?s_ z{P`0HF60o7L@D4J3wk8_??%O(z`9xUgFF-Oa2vRaygi%^u3RZo?^rAE5lhupowKvY zJJ}9eSvvbkS7MhCFMvQctcOAUB4Y>AQvPzKQ)7wPlzx{Xj%5c+`EF5bDHYUH7W^h5 z1ARETIy?O|Ir-`ATIu9D(3#-iV1LolH)Wr`Vp=i&3fpbj7vZ~&M;Fz*N3mrmkU=rf zFoS7NBMyB;U`laQO1l<#6&qB_zgftU)_uXb7H~P^<&DeK26(2Hl~0hW2|TfVP%_4O zV%%DEl(z}bJ!)I`B4QlZNzu&e&0TSfKz*$sV))e)iXw6AM^s1oipv+a@~o?Li$tN6 zzzLBhfnd#LUQ;2!rN#&bluxC^QAyE7Tv|m5f)T};C!I?aXB;KAl?7VsDbEw_xy-&P zY$1??nz(>y?j7WKT%6#X1*I58m4&S`tknlPKPb&(wedvA!Z98tl}};)l@JJly-}&R zU3yf!$h%uKZr!UQBx=eJvG{-w`I!$vMRZ}NGUWtj0#0%HHROUiNZaECA-&Qh%<2A_ zPBE;Ap9+qvlHbiG0a@OUmat?l2jR>7io&pB-?2>3v9!ocG{e{3&@uGb_9NTXRWq?- zTlH1D@VOZL$3PjaVNv|&Y_LkxS@!DY4i@U>)dYqE>8hgHcr{_>XdZb`#Di=1ZSyFP zr;k=&z)Xx`fu}swI9DDFT|jkcnroJzIxgn;8yK0GX{dBPH#{31DODS|`1M=mCJNeq z9SjCJFoM$DbC)khXl(WJdilICMeybe436>H+wsZU4?VDaC^m*=hOWc8o?pgbdW6!W zWAyP-(RJH}VfdV1O^e&miBwtWMzVs2<}nn&y@_p#`#2;WjE^+c<+~HrRmy+v(l5W$ z@!xk~TEYVT-BNfybbujUWpVhRd<(xYlT1X*d`O%KQ+cSCZCOd6xdnOinuyMY(LAnt z!qmEOv{!D@ooFkWe^iDbCUuIe?gc)Y( z_3>-IP7^K?y;?E+qoMbMDGRey_I#jjoA|>3!-xbtMo~J*&(-*BGP*2lcxcn07@>sj ztn*n^I#b?s`E04WX~H_>1VP}MYOE)Yt{aYF`o0y0dKkhZFR-@<-4}uOgMp)|mJ^$f zXY3GkPa$uHhIl)vAHr{-sV$!UHD&N@XBF@aC-t-XtnZ7* zZ4>KtwZs@s2WEw$eX^EqG zi4i-#nuLJ{v(mP`z)GCZ{2Pn2cVy~En!a^$UWLKN#o7AYuKa2LcaM?2IOEz@wj!yk zG@XQ&q_X&0uv|au)1xib?X=oRrS29ZA{IvZ=YIhJ0RR8IozH87Fcinn{uk2IU~MpJ zH1;;wWzaF$X_ql#Okk%;>;C_}m!DR2wd}{G(n{is{pS05N_aVaw!!wZne&i$T>(9x zXRPhr$LF==C9@Pj#Lx70&EO{+QzsI~bTp>U!{Fb$U}C(1m_xkJcQ2s(jYki05qu*8 zzv8hUj_6x&Ly!elVVd4OSN6v?vCo#<)LzsC-}lE4c;3Zy*<{;ZmDr~hu&Z_Nif4^E z$kuU?(^lo8qMgu^R=mh-I24TnE>@jT6w_rXb#a-4k$r?z8m6yk6zx`UkQ)y2pK$P> z=#^fem!}(h#ka#@JJ&ery&1U0pQ}ye&$$>`NJz=*rp(J$|2h{dvr(w|oKVqD0{AbN z%q|&QoJGpHtL+kWn`CS?xA;?XKAEAhv6MvWcPw{`YgXYK!9^>{?8Ub!+0CACo5NHF z_2#gQdXQK|JQ>yAy=SIol}bE>s8CHPPL5*AaGf8XoX%q$8UPg7^@dme!ZZ* zD3sOcSTIcI^j*_(xwx?@G&4Znl|Xs z>=L3Ex(Pi3Hq7}%uwl-FuwjOjL=ps<45}invoxuyLRN_=(kPU5>WL^W{U}YVLOqU@ zl1b$KE>eO)2%~+Jf5C&~(~-=0j44h7uSkRRBgiLaSTFbq9<`DEWXsL@lb4%b-XTc+ zvl*Qp<19=Ou(Ko>XV5GVwS(sbKIueZ2Y@xz*$^MBOT3{wE@xr&6Jc*3v3pz>>>sxS-?hzEFt45X?HA^fs~r&=hC198sE z%UfAE2Mzsx)j;3Js@mM&#*PotHJu1y+~R%16?)@6aS$xFL1E?`y*oWQIziGpdUc$` ze@`*a9G5E$MjY&}VMXUU?40qCKD6kDZ1*eVC#&;8;^{gb0}#B=sMnyj_mO|Pw&C+a z!xRqo6FzRM5>>KLMJ!_p>@>@i2$YJlIF>;Y`atechBm#Z-n|1Yh{$@sH!?$P#LcIg zGy1R?fgMH)IHQtL5)_pbcVy|x6;^Q-E=BfX6_IVE7+F{?ud{s)!jW&433+_p^f4kPa&0GlnT4@((=Z?VkDkAd>Q z@988g+fdtR&0(SzPST=7O%5HmTL6rfb+P27gjc_rx;C5njluYI7RAqX0SioMqit*0 zz4{qUlOIS7MG2E6iiJo;8O5ONda>}*Ov*o&_X3vizo4u@5)9&rPmw8Mp9E*qVhY5^ zn2?<-Hm6dg1d+sCj!*MjwagjG&yZpo><;m@NgyEL7tOvbQFXNF)-}dGF7&DGW=oWL z$eKMU2#f zh5^;Dt}vG^^aa1tG%B|aC-SHT=-1pRirp4QY0h)vClO)!ejKN&$}%YtbS*Evh?aKRAE`EIuk1P9yY3Un%H<8CvjQ|CFA;Gtt=#0ZTR~)F{(UL+#ACS)bRtx zmFTJK(;Cbu<&8LboxeSLm!G`)kpcAdKFm%suK2%HeHg3=Vj}yusN*eH9PhY(%VIyr zb*u`%MEzaDMnqIey|(?`c$HVp#%)|dQH0`%{-Rl9$fj^rIM3^q5kR*{Mu>>3WGhD| z`)#|-)pA#(C4$VF7dgzxPu&chzvv!5r>b+zKR+@Ts}^|1b9l!lrZIq_EB7URk}2l6 z&hQ@A;~dbJ01w*XrgwL3GBHzHSHAH+*16^Nb$n6^?d)N*vg_UwSOK}hv=~>8xl9&4 z7ETGTEZ<>yY&ViY9Ue5LqL7f&hr~CmfK889W}-xjQe;I zn`P1M1jP{V5O80~N2va%;_h*4<-H#|>-1L|1GO#^&n>i+IFvGF1vI|Ga?=>d1bGRi5epP= z3|3GV!}Ysfxko<6h4QMf0)YrpF(^IXk1Ejavn0r*ABQ5v-L$9Vx_q2Zo3bB_HMll> zu<{fLTwhga$0!0ni$LKU^1((yg*_04 z!fc7oF>Z4Ca#2>M+!M!Oox5DUUgxmPCWqv!!xZ#nZ_8sF2*qXAuU#Y)7s-T3gr5Gx zS*r(?X&uYbR2Z+KLs)ti6}XViuZ!~XYPncmHzqWUQj9hB?Y61VkixG&-NDuDmRgf* zI7KTkH?p-xI)d!s;hEf1hKKL7r#rZ+mJ3&xW7^rD!zQ$>?t5LAcIF_0)KuZ- z6bjH>?4s@VuF-Ul-u)Z)B;UL}e*Ja+{`+^YUcWs$JKUt+!vM$qGn3-52gz`VWpgf@ zgRXdeF>aP)50UE!AI-CZ1A*~Z_*GjTyNCsXmaaQWtu|`eBrNVG=@^4+vkflNvPgu$ zFvrvnl@Ouyt1X0O-|G>Uy+>yzA|$YMp_jonk%BrD$b+F1aXoKGu#eT*7*`{W)sIfN zSHBui4r#noHMf?Gal_ahz1)u`;UpAme)2&Qo)bPjw*)t>OSJ14g$9eFF3IVZhh^~@ z-5i$HY0a=Z^X6h%*DuUv1FC|`^)}g|Uz5GpPm+;9jNl|4McyNa$fi)}i_~04O62d) zcJiER$#ed|U32tK9PEpOXX@p|d4`VFYXvz`Ab!Qn`fAUh@tHLoT*@YI8@)51k)@$o z7zb_~ppntA=)zsa=z)jdFue!_y2oT-!_Kfxx zBOR?x3HS)fhs?HRWqpM(c8CU`=V#8Y2F5nf4^u+PLFNPeRMLMK+(Gs;_&I15*UQ}5 z(=$#3UM=9ZQIx5-piIxKt!7Wp&d@^Cr?0M?KUmX*^9$lOP=BaJ4eP{em?m_a@(DWt ztD}(@)wtK&_v8oup>=NTa_G7_Wds&>fQOqPsmkk_Q5@T4D`$g&8z_?4>5KMqOpaJ& zxL3gBF#8kLZPDWi3q;GDUTv5%u5<0cV+8_OFm+RuROfQCZ3gZe{hpP~wIlmoMF23& zW@zM|(H3Pc`>8e^%3INDrnJ-JP+Y5?zQOX{yJPX%)+uQ)lck-A9v3qUYCxp8f<_MU zGOW=i6TSZ*nip)^54ST#5?$U9Vcx7!=KlZy0RR62S)_?D9=Ryjg$qH;d|;CgT)1fy z8>ZR>LR0}M?}PfFpwNT496J7qC*Xjo0o0GlLkcI<5PQ*sCy4v`7T@Yq9MiC1eZImQrI& z_?A-8mJVEP6gUR zDJGPEVxbvCb3+g>xZgR!2}bqk@) z*5+jl4L;gvR~M&jYtD66C=g>*tj}Geoaa1YrSafJRgLs07n*V^1O)w<0)D9wGCu}S znx23sm9kjRlUi`VsW)-lk+lzT~k;J$;h~;|0M%Q<>0tD?g)gkr|sN`mh<9OPxCQQ8!uTZCS z@u;pQ8ays6yMmI_Z~bmg^%MSBeIHsI$DD=18*>_4J8hQ7Fdf$}6V4VI#;E4kD%SM~ z?5EVCgr=gIDmhO?p;D=6!WgB}{GDl%jku=lO)X_VH;^ zcG*{cAO~@B58WY90JaoSZJ$g)I;zLH?<92J9gDHvefQR1=GK$rIO^m;NBtK70RR82 zUBOa=Fc3Y*uc*#=a0(6~ZL#CjPw)pE4-GK%fYzy6$AkZFcC!fyP$-2S>5yzT+0DL} zC5xmrUqXG&dCZeQxv;U*)`MSWqcKVgsHkAe(Vb9#O2f0D4K?z#!G~9~CfuPhG~rIz zlx%hy?x5-g58|a#y;ubz8L4`z3kNPn*9%w6rYz0n-#P~pQa=uPPIpf0TnYN}3%(WK z9*TPlXknyy_Nls0%c}IEq3A+JlkM7NfZE^+e>27gvT}25Fm17R+p49-hZ25_{K-I} zyIsho^7gh0YF6!DZ-8ph-FVK4)fg3eP$yJiuqP=L&7hc79FoK?gQ8?-zUeVL+)En; zg|H^|LIdz^+Ec`_O%v?T7-+Rwc%-3WlO(NQWgyRcT{z(FJKcdjWP5~XIp$x!Q~r

=8YyL6P zg=xf01@#_o0y@$*(zb=vHnU)CEIaMt|33f#0RR6>Nl7y`F-l3aG)YcOvoudjGcisE zwua43lP!Qrz|z9PAj#aw)G~>j<}aejtEUIrdtnZ=Dvhk>uL*dj+61~)4R%HpsIo3j zPA<+&i3WAsl^isbHDTH~E%ZzjG@Me4vQu+XD>W62^$jibElrfHK^Jo&jc4eWLe9=Y z7tO;I#2os_$pi*rF<2#+0%CMS!6!dGq_O~%KZE_9z2jZngB*RWK^x3VK%$^-V?Hn< zN2-HqMHNg$k6$jnJYz;oMJ`K{j0<}8fjZ4Ui2qOa>b1F0~DQP%j88=62 o6rwa75dxqB5Yim<^a}wm0R#{KD_}M+6|l4(0XWgH>tVVA0B8`7J^%m! diff --git a/pkgs/development/libraries/glibc/2.39-master.patch b/pkgs/development/libraries/glibc/2.39-master.patch new file mode 100644 index 000000000000..3e0815573f5e --- /dev/null +++ b/pkgs/development/libraries/glibc/2.39-master.patch @@ -0,0 +1,566 @@ +commit 6d1e3fb07b45e2e31e469b16cf21b24bccf8914c +Author: Andreas K. Hüttel +Date: Wed Jan 31 02:12:43 2024 +0100 + + Replace advisories directory + + Signed-off-by: Andreas K. Hüttel + +diff --git a/ADVISORIES b/ADVISORIES +new file mode 100644 +index 0000000000..d4e33f2df3 +--- /dev/null ++++ b/ADVISORIES +@@ -0,0 +1,2 @@ ++For the GNU C Library Security Advisories, see the git master branch: ++https://sourceware.org/git/?p=glibc.git;a=tree;f=advisories;hb=HEAD +diff --git a/advisories/GLIBC-SA-2023-0001 b/advisories/GLIBC-SA-2023-0001 +deleted file mode 100644 +index 3d19c91b6a..0000000000 +--- a/advisories/GLIBC-SA-2023-0001 ++++ /dev/null +@@ -1,14 +0,0 @@ +-printf: incorrect output for integers with thousands separator and width field +- +-When the printf family of functions is called with a format specifier +-that uses an (enable grouping) and a minimum width +-specifier, the resulting output could be larger than reasonably expected +-by a caller that computed a tight bound on the buffer size. The +-resulting larger than expected output could result in a buffer overflow +-in the printf family of functions. +- +-CVE-Id: CVE-2023-25139 +-Public-Date: 2023-02-02 +-Vulnerable-Commit: e88b9f0e5cc50cab57a299dc7efe1a4eb385161d (2.37) +-Fix-Commit: c980549cc6a1c03c23cc2fe3e7b0fe626a0364b0 (2.38) +-Fix-Commit: 07b9521fc6369d000216b96562ff7c0ed32a16c4 (2.37-4) +diff --git a/advisories/GLIBC-SA-2023-0002 b/advisories/GLIBC-SA-2023-0002 +deleted file mode 100644 +index 5122669a64..0000000000 +--- a/advisories/GLIBC-SA-2023-0002 ++++ /dev/null +@@ -1,15 +0,0 @@ +-getaddrinfo: Stack read overflow in no-aaaa mode +- +-If the system is configured in no-aaaa mode via /etc/resolv.conf, +-getaddrinfo is called for the AF_UNSPEC address family, and a DNS +-response is received over TCP that is larger than 2048 bytes, +-getaddrinfo may potentially disclose stack contents via the returned +-address data, or crash. +- +-CVE-Id: CVE-2023-4527 +-Public-Date: 2023-09-12 +-Vulnerable-Commit: f282cdbe7f436c75864e5640a409a10485e9abb2 (2.36) +-Fix-Commit: bd77dd7e73e3530203be1c52c8a29d08270cb25d (2.39) +-Fix-Commit: 4ea972b7edd7e36610e8cde18bf7a8149d7bac4f (2.36-113) +-Fix-Commit: b7529346025a130fee483d42178b5c118da971bb (2.37-38) +-Fix-Commit: b25508dd774b617f99419bdc3cf2ace4560cd2d6 (2.38-19) +diff --git a/advisories/GLIBC-SA-2023-0003 b/advisories/GLIBC-SA-2023-0003 +deleted file mode 100644 +index d3aef80348..0000000000 +--- a/advisories/GLIBC-SA-2023-0003 ++++ /dev/null +@@ -1,15 +0,0 @@ +-getaddrinfo: Potential use-after-free +- +-When an NSS plugin only implements the _gethostbyname2_r and +-_getcanonname_r callbacks, getaddrinfo could use memory that was freed +-during buffer resizing, potentially causing a crash or read or write to +-arbitrary memory. +- +-CVE-Id: CVE-2023-4806 +-Public-Date: 2023-09-12 +-Fix-Commit: 973fe93a5675c42798b2161c6f29c01b0e243994 (2.39) +-Fix-Commit: e09ee267c03e3150c2c9ba28625ab130705a485e (2.34-420) +-Fix-Commit: e3ccb230a961b4797510e6a1f5f21fd9021853e7 (2.35-270) +-Fix-Commit: a9728f798ec7f05454c95637ee6581afaa9b487d (2.36-115) +-Fix-Commit: 6529a7466c935f36e9006b854d6f4e1d4876f942 (2.37-39) +-Fix-Commit: 00ae4f10b504bc4564e9f22f00907093f1ab9338 (2.38-20) +diff --git a/advisories/GLIBC-SA-2023-0004 b/advisories/GLIBC-SA-2023-0004 +deleted file mode 100644 +index 5286a7aa54..0000000000 +--- a/advisories/GLIBC-SA-2023-0004 ++++ /dev/null +@@ -1,16 +0,0 @@ +-tunables: local privilege escalation through buffer overflow +- +-If a tunable of the form NAME=NAME=VAL is passed in the environment of a +-setuid program and NAME is valid, it may result in a buffer overflow, +-which could be exploited to achieve escalated privileges. This flaw was +-introduced in glibc 2.34. +- +-CVE-Id: CVE-2023-4911 +-Public-Date: 2023-10-03 +-Vulnerable-Commit: 2ed18c5b534d9e92fc006202a5af0df6b72e7aca (2.34) +-Fix-Commit: 1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa (2.39) +-Fix-Commit: dcc367f148bc92e7f3778a125f7a416b093964d9 (2.34-423) +-Fix-Commit: c84018a05aec80f5ee6f682db0da1130b0196aef (2.35-274) +-Fix-Commit: 22955ad85186ee05834e47e665056148ca07699c (2.36-118) +-Fix-Commit: b4e23c75aea756b4bddc4abcf27a1c6dca8b6bd3 (2.37-45) +-Fix-Commit: 750a45a783906a19591fb8ff6b7841470f1f5701 (2.38-27) +diff --git a/advisories/GLIBC-SA-2023-0005 b/advisories/GLIBC-SA-2023-0005 +deleted file mode 100644 +index cc4eb90b82..0000000000 +--- a/advisories/GLIBC-SA-2023-0005 ++++ /dev/null +@@ -1,18 +0,0 @@ +-getaddrinfo: DoS due to memory leak +- +-The fix for CVE-2023-4806 introduced a memory leak when an application +-calls getaddrinfo for AF_INET6 with AI_CANONNAME, AI_ALL and AI_V4MAPPED +-flags set. +- +-CVE-Id: CVE-2023-5156 +-Public-Date: 2023-09-25 +-Vulnerable-Commit: e09ee267c03e3150c2c9ba28625ab130705a485e (2.34-420) +-Vulnerable-Commit: e3ccb230a961b4797510e6a1f5f21fd9021853e7 (2.35-270) +-Vulnerable-Commit: a9728f798ec7f05454c95637ee6581afaa9b487d (2.36-115) +-Vulnerable-Commit: 6529a7466c935f36e9006b854d6f4e1d4876f942 (2.37-39) +-Vulnerable-Commit: 00ae4f10b504bc4564e9f22f00907093f1ab9338 (2.38-20) +-Fix-Commit: 8006457ab7e1cd556b919f477348a96fe88f2e49 (2.34-421) +-Fix-Commit: 17092c0311f954e6f3c010f73ce3a78c24ac279a (2.35-272) +-Fix-Commit: 856bac55f98dc840e7c27cfa82262b933385de90 (2.36-116) +-Fix-Commit: 4473d1b87d04b25cdd0e0354814eeaa421328268 (2.37-42) +-Fix-Commit: 5ee59ca371b99984232d7584fe2b1a758b4421d3 (2.38-24) +diff --git a/advisories/GLIBC-SA-2024-0001 b/advisories/GLIBC-SA-2024-0001 +deleted file mode 100644 +index 28931c75ae..0000000000 +--- a/advisories/GLIBC-SA-2024-0001 ++++ /dev/null +@@ -1,15 +0,0 @@ +-syslog: Heap buffer overflow in __vsyslog_internal +- +-__vsyslog_internal did not handle a case where printing a SYSLOG_HEADER +-containing a long program name failed to update the required buffer +-size, leading to the allocation and overflow of a too-small buffer on +-the heap. +- +-CVE-Id: CVE-2023-6246 +-Public-Date: 2024-01-30 +-Vulnerable-Commit: 52a5be0df411ef3ff45c10c7c308cb92993d15b1 (2.37) +-Fix-Commit: 6bd0e4efcc78f3c0115e5ea9739a1642807450da (2.39) +-Fix-Commit: 23514c72b780f3da097ecf33a793b7ba9c2070d2 (2.38-42) +-Fix-Commit: 97a4292aa4a2642e251472b878d0ec4c46a0e59a (2.37-57) +-Vulnerable-Commit: b0e7888d1fa2dbd2d9e1645ec8c796abf78880b9 (2.36-16) +-Fix-Commit: d1a83b6767f68b3cb5b4b4ea2617254acd040c82 (2.36-126) +diff --git a/advisories/GLIBC-SA-2024-0002 b/advisories/GLIBC-SA-2024-0002 +deleted file mode 100644 +index 940bfcf2fc..0000000000 +--- a/advisories/GLIBC-SA-2024-0002 ++++ /dev/null +@@ -1,15 +0,0 @@ +-syslog: Heap buffer overflow in __vsyslog_internal +- +-__vsyslog_internal used the return value of snprintf/vsnprintf to +-calculate buffer sizes for memory allocation. If these functions (for +-any reason) failed and returned -1, the resulting buffer would be too +-small to hold output. +- +-CVE-Id: CVE-2023-6779 +-Public-Date: 2024-01-30 +-Vulnerable-Commit: 52a5be0df411ef3ff45c10c7c308cb92993d15b1 (2.37) +-Fix-Commit: 7e5a0c286da33159d47d0122007aac016f3e02cd (2.39) +-Fix-Commit: d0338312aace5bbfef85e03055e1212dd0e49578 (2.38-43) +-Fix-Commit: 67062eccd9a65d7fda9976a56aeaaf6c25a80214 (2.37-58) +-Vulnerable-Commit: b0e7888d1fa2dbd2d9e1645ec8c796abf78880b9 (2.36-16) +-Fix-Commit: 2bc9d7c002bdac38b5c2a3f11b78e309d7765b83 (2.36-127) +diff --git a/advisories/GLIBC-SA-2024-0003 b/advisories/GLIBC-SA-2024-0003 +deleted file mode 100644 +index b43a5150ab..0000000000 +--- a/advisories/GLIBC-SA-2024-0003 ++++ /dev/null +@@ -1,13 +0,0 @@ +-syslog: Integer overflow in __vsyslog_internal +- +-__vsyslog_internal calculated a buffer size by adding two integers, but +-did not first check if the addition would overflow. +- +-CVE-Id: CVE-2023-6780 +-Public-Date: 2024-01-30 +-Vulnerable-Commit: 52a5be0df411ef3ff45c10c7c308cb92993d15b1 (2.37) +-Fix-Commit: ddf542da94caf97ff43cc2875c88749880b7259b (2.39) +-Fix-Commit: d37c2b20a4787463d192b32041c3406c2bd91de0 (2.38-44) +-Fix-Commit: 2b58cba076e912961ceaa5fa58588e4b10f791c0 (2.37-59) +-Vulnerable-Commit: b0e7888d1fa2dbd2d9e1645ec8c796abf78880b9 (2.36-16) +-Fix-Commit: b9b7d6a27aa0632f334352fa400771115b3c69b7 (2.36-128) +diff --git a/advisories/README b/advisories/README +deleted file mode 100644 +index 94e68b1350..0000000000 +--- a/advisories/README ++++ /dev/null +@@ -1,73 +0,0 @@ +-GNU C Library Security Advisory Format +-====================================== +- +-Security advisories in this directory follow a simple git commit log +-format, with a heading and free-format description augmented with tags +-to allow parsing key information. References to code changes are +-specific to the glibc repository and follow a specific format: +- +- Tag-name: (release-version) +- +-The indicates a specific commit in the repository. The +-release-version indicates the publicly consumable release in which this +-commit is known to exist. The release-version is derived from the +-git-describe format, (i.e. stripped out from glibc-2.34.NNN-gxxxx) and +-is of the form 2.34-NNN. If the -NNN suffix is absent, it means that +-the change is in that release tarball, otherwise the change is on the +-release/2.YY/master branch and not in any released tarball. +- +-The following tags are currently being used: +- +-CVE-Id: +-This is the CVE-Id assigned under the CVE Program +-(https://www.cve.org/). +- +-Public-Date: +-The date this issue became publicly known. +- +-Vulnerable-Commit: +-The commit that introduced this vulnerability. There could be multiple +-entries, one for each release branch in the glibc repository; the +-release-version portion of this tag should tell you which branch this is +-on. +- +-Fix-Commit: +-The commit that fixed this vulnerability. There could be multiple +-entries for each release branch in the glibc repository, indicating that +-all of those commits contributed to fixing that issue in each of those +-branches. +- +-Adding an Advisory +------------------- +- +-An advisory for a CVE needs to be added on the master branch in two steps: +- +-1. Add the text of the advisory without any Fix-Commit tags along with +- the fix for the CVE. Add the Vulnerable-Commit tag, if applicable. +- The advisories directory does not exist in release branches, so keep +- the advisory text commit distinct from the code changes, to ease +- backports. Ask for the GLIBC-SA advisory number from the security +- team. +- +-2. Finish all backports on release branches and then back on the msater +- branch, add all commit refs to the advisory using the Fix-Commit +- tags. Don't bother adding the release-version subscript since the +- next step will overwrite it. +- +-3. Run the process-advisories.sh script in the scripts directory on the +- advisory: +- +- scripts/process-advisories.sh update GLIBC-SA-YYYY-NNNN +- +- (replace YYYY-NNNN with the actual advisory number). +- +-4. Verify the updated advisory and push the result. +- +-Getting a NEWS snippet from advisories +--------------------------------------- +- +-Run: +- +- scripts/process-advisories.sh news +- +-and copy the content into the NEWS file. + +commit 63295e4fda1f6dab4bf7442706fe303bf283036c +Author: Adhemerval Zanella +Date: Mon Feb 5 16:10:24 2024 +0000 + + arm: Remove wrong ldr from _dl_start_user (BZ 31339) + + The commit 49d877a80b29d3002887b084eec6676d9f5fec18 (arm: Remove + _dl_skip_args usage) removed the _SKIP_ARGS literal, which was + previously loader to r4 on loader _start. However, the cleanup did not + remove the following 'ldr r4, [sl, r4]' on _dl_start_user, used to check + to skip the arguments after ld self-relocations. + + In my testing, the kernel initially set r4 to 0, which makes the + ldr instruction just read the _GLOBAL_OFFSET_TABLE_. However, since r4 + is a callee-saved register; a different runtime might not zero + initialize it and thus trigger an invalid memory access. + + Checked on arm-linux-gnu. + + Reported-by: Adrian Ratiu + Reviewed-by: Szabolcs Nagy + (cherry picked from commit 1e25112dc0cb2515d27d8d178b1ecce778a9d37a) + +diff --git a/sysdeps/arm/dl-machine.h b/sysdeps/arm/dl-machine.h +index b857bbc868..dd1a0f6b6e 100644 +--- a/sysdeps/arm/dl-machine.h ++++ b/sysdeps/arm/dl-machine.h +@@ -139,7 +139,6 @@ _start:\n\ + _dl_start_user:\n\ + adr r6, .L_GET_GOT\n\ + add sl, sl, r6\n\ +- ldr r4, [sl, r4]\n\ + @ save the entry point in another register\n\ + mov r6, r0\n\ + @ get the original arg count\n\ + +commit 312e159626b67fe11f39e83e222cf4348a3962f3 +Author: Adhemerval Zanella +Date: Thu Feb 1 14:29:53 2024 -0300 + + mips: FIx clone3 implementation (BZ 31325) + + For o32 we need to setup a minimal stack frame to allow cprestore + on __thread_start_clone3 (which instruct the linker to save the + gp for PIC). Also, there is no guarantee by kABI that $8 will be + preserved after syscall execution, so we need to save it on the + provided stack. + + Checked on mipsel-linux-gnu. + + Reported-by: Khem Raj + Tested-by: Khem Raj + (cherry picked from commit bbd248ac0d75efdef8fe61ea69b1fb25fb95b6e7) + +diff --git a/sysdeps/unix/sysv/linux/mips/clone3.S b/sysdeps/unix/sysv/linux/mips/clone3.S +index e9fec2fa47..481b8ae963 100644 +--- a/sysdeps/unix/sysv/linux/mips/clone3.S ++++ b/sysdeps/unix/sysv/linux/mips/clone3.S +@@ -37,11 +37,6 @@ + + .text + .set nomips16 +-#if _MIPS_SIM == _ABIO32 +-# define EXTRA_LOCALS 1 +-#else +-# define EXTRA_LOCALS 0 +-#endif + #define FRAMESZ ((NARGSAVE*SZREG)+ALSZ)&ALMASK + GPOFF= FRAMESZ-(1*SZREG) + NESTED(__clone3, SZREG, sp) +@@ -68,8 +63,31 @@ NESTED(__clone3, SZREG, sp) + beqz a0, L(error) /* No NULL cl_args pointer. */ + beqz a2, L(error) /* No NULL function pointer. */ + ++#if _MIPS_SIM == _ABIO32 ++ /* Both stack and stack_size on clone_args are defined as uint64_t, and ++ there is no need to handle values larger than to 32 bits for o32. */ ++# if __BYTE_ORDER == __BIG_ENDIAN ++# define CL_STACKPOINTER_OFFSET 44 ++# define CL_STACKSIZE_OFFSET 52 ++# else ++# define CL_STACKPOINTER_OFFSET 40 ++# define CL_STACKSIZE_OFFSET 48 ++# endif ++ ++ /* For o32 we need to setup a minimal stack frame to allow cprestore ++ on __thread_start_clone3. Also there is no guarantee by kABI that ++ $8 will be preserved after syscall execution (so we need to save it ++ on the provided stack). */ ++ lw t0, CL_STACKPOINTER_OFFSET(a0) /* Load the stack pointer. */ ++ lw t1, CL_STACKSIZE_OFFSET(a0) /* Load the stack_size. */ ++ addiu t1, -32 /* Update the stack size. */ ++ addu t2, t1, t0 /* Calculate the thread stack. */ ++ sw a3, 0(t2) /* Save argument pointer. */ ++ sw t1, CL_STACKSIZE_OFFSET(a0) /* Save the new stack size. */ ++#else + move $8, a3 /* a3 is set to 0/1 for syscall success/error + while a4/$8 is returned unmodified. */ ++#endif + + /* Do the system call, the kernel expects: + v0: system call number +@@ -125,7 +143,11 @@ L(thread_start_clone3): + + /* Restore the arg for user's function. */ + move t9, a2 /* Function pointer. */ ++#if _MIPS_SIM == _ABIO32 ++ PTR_L a0, 0(sp) ++#else + move a0, $8 /* Argument pointer. */ ++#endif + + /* Call the user's function. */ + jal t9 + +commit d0724994de40934c552f1f68de89053848a44927 +Author: Xi Ruoyao +Date: Thu Feb 22 21:26:55 2024 +0100 + + math: Update mips64 ulps + + Signed-off-by: Andreas K. Hüttel + (cherry picked from commit e2a65ecc4b30a797df7dc6529f09b712aa256029) + +diff --git a/sysdeps/mips/mips64/libm-test-ulps b/sysdeps/mips/mips64/libm-test-ulps +index 78969745b2..933aba4735 100644 +--- a/sysdeps/mips/mips64/libm-test-ulps ++++ b/sysdeps/mips/mips64/libm-test-ulps +@@ -1066,17 +1066,17 @@ double: 1 + ldouble: 1 + + Function: "j0": +-double: 2 ++double: 3 + float: 9 + ldouble: 2 + + Function: "j0_downward": +-double: 5 ++double: 6 + float: 9 + ldouble: 9 + + Function: "j0_towardzero": +-double: 6 ++double: 7 + float: 9 + ldouble: 9 + +@@ -1146,6 +1146,7 @@ float: 6 + ldouble: 8 + + Function: "log": ++double: 1 + float: 1 + ldouble: 1 + + +commit e0910f1d3278f05439fb434ee528fc9be1b6bd5e +Author: Stefan Liebler +Date: Thu Feb 22 15:03:27 2024 +0100 + + S390: Do not clobber r7 in clone [BZ #31402] + + Starting with commit e57d8fc97b90127de4ed3e3a9cdf663667580935 + "S390: Always use svc 0" + clone clobbers the call-saved register r7 in error case: + function or stack is NULL. + + This patch restores the saved registers also in the error case. + Furthermore the existing test misc/tst-clone is extended to check + all error cases and that clone does not clobber registers in this + error case. + + (cherry picked from commit 02782fd12849b6673cb5c2728cb750e8ec295aa3) + +diff --git a/sysdeps/unix/sysv/linux/s390/s390-32/clone.S b/sysdeps/unix/sysv/linux/s390/s390-32/clone.S +index 4c882ef2ee..a7a863242c 100644 +--- a/sysdeps/unix/sysv/linux/s390/s390-32/clone.S ++++ b/sysdeps/unix/sysv/linux/s390/s390-32/clone.S +@@ -53,6 +53,7 @@ ENTRY(__clone) + br %r14 + error: + lhi %r2,-EINVAL ++ lm %r6,%r7,24(%r15) /* Load registers. */ + j SYSCALL_ERROR_LABEL + PSEUDO_END (__clone) + +diff --git a/sysdeps/unix/sysv/linux/s390/s390-64/clone.S b/sysdeps/unix/sysv/linux/s390/s390-64/clone.S +index 4eb104be71..c552a6b8de 100644 +--- a/sysdeps/unix/sysv/linux/s390/s390-64/clone.S ++++ b/sysdeps/unix/sysv/linux/s390/s390-64/clone.S +@@ -54,6 +54,7 @@ ENTRY(__clone) + br %r14 + error: + lghi %r2,-EINVAL ++ lmg %r6,%r7,48(%r15) /* Restore registers. */ + jg SYSCALL_ERROR_LABEL + PSEUDO_END (__clone) + +diff --git a/sysdeps/unix/sysv/linux/tst-clone.c b/sysdeps/unix/sysv/linux/tst-clone.c +index 470676ab2b..2bc7124983 100644 +--- a/sysdeps/unix/sysv/linux/tst-clone.c ++++ b/sysdeps/unix/sysv/linux/tst-clone.c +@@ -16,12 +16,16 @@ + License along with the GNU C Library; if not, see + . */ + +-/* BZ #2386 */ ++/* BZ #2386, BZ #31402 */ + #include + #include + #include + #include + #include ++#include /* For _STACK_GROWS_{UP,DOWN}. */ ++#include ++ ++volatile unsigned v = 0xdeadbeef; + + int child_fn(void *arg) + { +@@ -30,22 +34,67 @@ int child_fn(void *arg) + } + + static int +-do_test (void) ++__attribute__((noinline)) ++do_clone (int (*fn)(void *), void *stack) + { + int result; ++ unsigned int a = v; ++ unsigned int b = v; ++ unsigned int c = v; ++ unsigned int d = v; ++ unsigned int e = v; ++ unsigned int f = v; ++ unsigned int g = v; ++ unsigned int h = v; ++ unsigned int i = v; ++ unsigned int j = v; ++ unsigned int k = v; ++ unsigned int l = v; ++ unsigned int m = v; ++ unsigned int n = v; ++ unsigned int o = v; ++ ++ result = clone (fn, stack, 0, NULL); ++ ++ /* Check that clone does not clobber call-saved registers. */ ++ TEST_VERIFY (a == v && b == v && c == v && d == v && e == v && f == v ++ && g == v && h == v && i == v && j == v && k == v && l == v ++ && m == v && n == v && o == v); ++ ++ return result; ++} ++ ++static void ++__attribute__((noinline)) ++do_test_single (int (*fn)(void *), void *stack) ++{ ++ printf ("%s (fn=%p, stack=%p)\n", __FUNCTION__, fn, stack); ++ errno = 0; ++ ++ int result = do_clone (fn, stack); ++ ++ TEST_COMPARE (errno, EINVAL); ++ TEST_COMPARE (result, -1); ++} + +- result = clone (child_fn, NULL, 0, NULL); ++static int ++do_test (void) ++{ ++ char st[128 * 1024] __attribute__ ((aligned)); ++ void *stack = NULL; ++#if _STACK_GROWS_DOWN ++ stack = st + sizeof (st); ++#elif _STACK_GROWS_UP ++ stack = st; ++#else ++# error "Define either _STACK_GROWS_DOWN or _STACK_GROWS_UP" ++#endif + +- if (errno != EINVAL || result != -1) +- { +- printf ("FAIL: clone()=%d (wanted -1) errno=%d (wanted %d)\n", +- result, errno, EINVAL); +- return 1; +- } ++ do_test_single (child_fn, NULL); ++ do_test_single (NULL, stack); ++ do_test_single (NULL, NULL); + +- puts ("All OK"); + return 0; + } + +-#define TEST_FUNCTION do_test () +-#include "../test-skeleton.c" ++#include diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index 826d1e9c8389..4d6fb5a54b39 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -36,16 +36,15 @@ , withLinuxHeaders ? false , profilingLibraries ? false , withGd ? false -, withLibcrypt ? false , extraBuildInputs ? [] , extraNativeBuildInputs ? [] , ... } @ args: let - version = "2.38"; - patchSuffix = "-44"; - sha256 = "sha256-+4KZiZiyspllRnvBtp0VLpwwfSzzAcnq+0VVt3DvP9I="; + version = "2.39"; + patchSuffix = "-5"; + sha256 = "sha256-93vUfPgXDFc2Wue/hmlsEYrbOxINMlnGTFAtPcHi2SY="; in assert withLinuxHeaders -> linuxHeaders != null; @@ -59,14 +58,14 @@ stdenv.mkDerivation ({ patches = [ /* No tarballs for stable upstream branch, only https://sourceware.org/git/glibc.git and using git would complicate bootstrapping. - $ git fetch --all -p && git checkout origin/release/2.38/master && git describe - glibc-2.38-44-gd37c2b20a4 - $ git show --minimal --reverse glibc-2.38.. | gzip -9n --rsyncable - > 2.38-master.patch.gz + $ git fetch --all -p && git checkout origin/release/2.39/master && git describe + glibc-2.39-5-ge0910f1d32 + $ git show --minimal --reverse glibc-2.39.. > 2.39-master.patch To compare the archive contents zdiff can be used. - $ zdiff -u 2.38-master.patch.gz ../nixpkgs/pkgs/development/libraries/glibc/2.38-master.patch.gz + $ diff -u 2.39-master.patch ../nixpkgs/pkgs/development/libraries/glibc/2.39-master.patch */ - ./2.38-master.patch.gz + ./2.39-master.patch /* Allow NixOS and Nix to handle the locale-archive. */ ./nix-locale-archive.patch @@ -96,11 +95,6 @@ stdenv.mkDerivation ({ & https://github.com/NixOS/nixpkgs/pull/188492#issuecomment-1233802991 */ ./reenable_DT_HASH.patch - - /* Retrieved from https://salsa.debian.org/glibc-team/glibc/-/commit/662dbc4f9287139a0d9c91df328a5ba6cc6abee1#0f3c6d67cb8cf5bb35c421c20f828fea97b68edf - Qualys advisory: https://www.qualys.com/2024/01/30/qsort.txt - */ - ./local-qsort-memory-corruption.patch ] /* NVCC does not support ARM intrinsics. Since is pulled in by almost every HPC piece of software, without this patch CUDA compilation on ARM @@ -177,8 +171,7 @@ stdenv.mkDerivation ({ # so the glibc does not depend on its compiler store path "libc_cv_as_needed=no" ] - ++ lib.optional withGd "--with-gd" - ++ lib.optional withLibcrypt "--enable-crypt"; + ++ lib.optional withGd "--with-gd"; makeFlags = (args.makeFlags or []) ++ [ "OBJCOPY=${stdenv.cc.targetPrefix}objcopy" diff --git a/pkgs/development/libraries/glibc/default.nix b/pkgs/development/libraries/glibc/default.nix index be3bee081e73..3f7331461fea 100644 --- a/pkgs/development/libraries/glibc/default.nix +++ b/pkgs/development/libraries/glibc/default.nix @@ -2,7 +2,6 @@ , withLinuxHeaders ? true , profilingLibraries ? false , withGd ? false -, withLibcrypt? false , pkgsBuildBuild , libgcc }: @@ -16,7 +15,7 @@ let in (callPackage ./common.nix { inherit stdenv; } { - inherit withLinuxHeaders withGd profilingLibraries withLibcrypt; + inherit withLinuxHeaders withGd profilingLibraries; pname = "glibc" + lib.optionalString withGd "-gd" + lib.optionalString (stdenv.cc.isGNU && libgcc==null) "-nolibgcc"; }).overrideAttrs(previousAttrs: { diff --git a/pkgs/development/libraries/glibc/local-qsort-memory-corruption.patch b/pkgs/development/libraries/glibc/local-qsort-memory-corruption.patch deleted file mode 100644 index f7e25c72a61c..000000000000 --- a/pkgs/development/libraries/glibc/local-qsort-memory-corruption.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff -rup a/stdlib/qsort.c b/stdlib/qsort.c ---- a/stdlib/qsort.c 2023-07-31 10:54:16.000000000 -0700 -+++ b/stdlib/qsort.c 2024-01-15 09:08:25.596167959 -0800 -@@ -224,7 +224,8 @@ _quicksort (void *const pbase, size_t to - while ((run_ptr += size) <= end_ptr) - { - tmp_ptr = run_ptr - size; -- while ((*cmp) ((void *) run_ptr, (void *) tmp_ptr, arg) < 0) -+ while (tmp_ptr != base_ptr -+ && (*cmp) ((void *) run_ptr, (void *) tmp_ptr, arg) < 0) - tmp_ptr -= size; - - tmp_ptr += size; - From 1c003da73c7ca9e997a85781261ecd379eb4dd9a Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Tue, 27 Feb 2024 23:44:38 +0100 Subject: [PATCH 2/5] _389ds-base: mark as broken Doesn't build with glibc 2.39. There's a potential fix documented in https://github.com/389ds/389-ds-base/issues/5332, but the package is too old for the patch to apply, so I'll mark it as broken for now and leave it to the maintainer to update & fix. --- pkgs/servers/ldap/389/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/servers/ldap/389/default.nix b/pkgs/servers/ldap/389/default.nix index 18aeea04cb62..ce61f9676e18 100644 --- a/pkgs/servers/ldap/389/default.nix +++ b/pkgs/servers/ldap/389/default.nix @@ -141,5 +141,9 @@ stdenv.mkDerivation rec { license = licenses.gpl3Plus; platforms = platforms.linux; maintainers = [ maintainers.ners ]; + # https://hydra.nixos.org/build/249763145, doesn't build since glibc 2.39. + # Potential fix is documented in https://github.com/389ds/389-ds-base/issues/5332, + # but it doesn't apply here. + broken = true; }; } From 2dcdf602729e7923ec59b2e1ce67a0cb3f0d5c7a Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Sat, 2 Mar 2024 18:47:01 +0100 Subject: [PATCH 3/5] swift: fix build w/ glibc-2.39 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Failing Hydra build: https://hydra.nixos.org/build/249763077/nixlog/12 The problem is that glibc commit 64b1a44183a3094672ed304532bedb9acc707554 marked the `FILE*` argument of a few functions including `fread` & `ferror` as non-null. The applied patch ("Android: add better nullability checks for nullability annotations added in NDK 26") is targeted for the Android platform, but fixes said issue as well: the handle returned from `fopen` is of type `Optional` and the `guard` expression unwraps that now (and throws an exception if `nil` is returned). The previous `nil`-check didn't modify the type of `fp`, but only raised the exception and moved on with `Optional`. It's a little sad that the patch needs to be applied at so many places, but I guess that's what you get with language-level package managers 🤷 Also, seems good-enough to me given that it's actually temporary, the patch is already upstream and will probably be obsolete at one of the next Swift updates. --- .../compilers/swift/sourcekit-lsp/default.nix | 7 +++- .../compilers/swift/swift-driver/default.nix | 6 +++- .../patches/force-unwrap-file-handles.patch | 33 ------------------- .../compilers/swift/swift-format/default.nix | 7 +++- .../patches/force-unwrap-file-handles.patch | 33 ------------------- .../compilers/swift/swiftpm/default.nix | 15 +++++++-- .../patches/force-unwrap-file-handles.patch | 33 ------------------- 7 files changed, 30 insertions(+), 104 deletions(-) delete mode 100644 pkgs/development/compilers/swift/swift-driver/patches/force-unwrap-file-handles.patch delete mode 100644 pkgs/development/compilers/swift/swift-format/patches/force-unwrap-file-handles.patch delete mode 100644 pkgs/development/compilers/swift/swiftpm/patches/force-unwrap-file-handles.patch diff --git a/pkgs/development/compilers/swift/sourcekit-lsp/default.nix b/pkgs/development/compilers/swift/sourcekit-lsp/default.nix index caba3e3441f3..74e687594c16 100644 --- a/pkgs/development/compilers/swift/sourcekit-lsp/default.nix +++ b/pkgs/development/compilers/swift/sourcekit-lsp/default.nix @@ -1,6 +1,7 @@ { lib , stdenv , callPackage +, fetchpatch , pkg-config , swift , swiftpm @@ -41,7 +42,11 @@ stdenv.mkDerivation { patch -p1 -d .build/checkouts/indexstore-db -i ${./patches/indexstore-db-macos-target.patch} swiftpmMakeMutable swift-tools-support-core - patch -p1 -d .build/checkouts/swift-tools-support-core -i ${./patches/force-unwrap-file-handles.patch} + patch -p1 -d .build/checkouts/swift-tools-support-core -i ${fetchpatch { + url = "https://github.com/apple/swift-tools-support-core/commit/990afca47e75cce136d2f59e464577e68a164035.patch"; + hash = "sha256-PLzWsp+syiUBHhEFS8+WyUcSae5p0Lhk7SSRdNvfouE="; + includes = [ "Sources/TSCBasic/FileSystem.swift" ]; + }} # This toggles a section specific to Xcode XCTest, which doesn't work on # Darwin, where we also use swift-corelibs-xctest. diff --git a/pkgs/development/compilers/swift/swift-driver/default.nix b/pkgs/development/compilers/swift/swift-driver/default.nix index d69a4da0eb3e..3245fa1d8787 100644 --- a/pkgs/development/compilers/swift/swift-driver/default.nix +++ b/pkgs/development/compilers/swift/swift-driver/default.nix @@ -54,7 +54,11 @@ stdenv.mkDerivation { configurePhase = generated.configure + '' swiftpmMakeMutable swift-tools-support-core - patch -p1 -d .build/checkouts/swift-tools-support-core -i ${./patches/force-unwrap-file-handles.patch} + patch -p1 -d .build/checkouts/swift-tools-support-core -i ${fetchpatch { + url = "https://github.com/apple/swift-tools-support-core/commit/990afca47e75cce136d2f59e464577e68a164035.patch"; + hash = "sha256-PLzWsp+syiUBHhEFS8+WyUcSae5p0Lhk7SSRdNvfouE="; + includes = [ "Sources/TSCBasic/FileSystem.swift" ]; + }} ''; # TODO: Tests depend on indexstore-db being provided by an existing Swift diff --git a/pkgs/development/compilers/swift/swift-driver/patches/force-unwrap-file-handles.patch b/pkgs/development/compilers/swift/swift-driver/patches/force-unwrap-file-handles.patch deleted file mode 100644 index a2f2d38c37c8..000000000000 --- a/pkgs/development/compilers/swift/swift-driver/patches/force-unwrap-file-handles.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 8d9ab4b6ed24a97e8af0cc338a52aacdcf438b8c Mon Sep 17 00:00:00 2001 -From: Pavel Sobolev -Date: Tue, 21 Nov 2023 20:53:33 +0300 -Subject: [PATCH] Force-unwrap file handles. - ---- - Sources/TSCBasic/FileSystem.swift | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/Sources/TSCBasic/FileSystem.swift b/Sources/TSCBasic/FileSystem.swift -index 3a63bdf..a1f3d9d 100644 ---- a/Sources/TSCBasic/FileSystem.swift -+++ b/Sources/TSCBasic/FileSystem.swift -@@ -425,7 +425,7 @@ private class LocalFileSystem: FileSystem { - if fp == nil { - throw FileSystemError(errno: errno, path) - } -- defer { fclose(fp) } -+ defer { fclose(fp!) } - - // Read the data one block at a time. - let data = BufferedOutputByteStream() -@@ -455,7 +455,7 @@ private class LocalFileSystem: FileSystem { - if fp == nil { - throw FileSystemError(errno: errno, path) - } -- defer { fclose(fp) } -+ defer { fclose(fp!) } - - // Write the data in one chunk. - var contents = bytes.contents --- -2.42.0 diff --git a/pkgs/development/compilers/swift/swift-format/default.nix b/pkgs/development/compilers/swift/swift-format/default.nix index 2f7e630e6804..a3d939b85cbd 100644 --- a/pkgs/development/compilers/swift/swift-format/default.nix +++ b/pkgs/development/compilers/swift/swift-format/default.nix @@ -1,5 +1,6 @@ { lib , stdenv +, fetchpatch , callPackage , swift , swiftpm @@ -21,7 +22,11 @@ stdenv.mkDerivation { configurePhase = generated.configure + '' swiftpmMakeMutable swift-tools-support-core - patch -p1 -d .build/checkouts/swift-tools-support-core -i ${./patches/force-unwrap-file-handles.patch} + patch -p1 -d .build/checkouts/swift-tools-support-core -i ${fetchpatch { + url = "https://github.com/apple/swift-tools-support-core/commit/990afca47e75cce136d2f59e464577e68a164035.patch"; + hash = "sha256-PLzWsp+syiUBHhEFS8+WyUcSae5p0Lhk7SSRdNvfouE="; + includes = [ "Sources/TSCBasic/FileSystem.swift" ]; + }} ''; # We only install the swift-format binary, so don't need the other products. diff --git a/pkgs/development/compilers/swift/swift-format/patches/force-unwrap-file-handles.patch b/pkgs/development/compilers/swift/swift-format/patches/force-unwrap-file-handles.patch deleted file mode 100644 index a2f2d38c37c8..000000000000 --- a/pkgs/development/compilers/swift/swift-format/patches/force-unwrap-file-handles.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 8d9ab4b6ed24a97e8af0cc338a52aacdcf438b8c Mon Sep 17 00:00:00 2001 -From: Pavel Sobolev -Date: Tue, 21 Nov 2023 20:53:33 +0300 -Subject: [PATCH] Force-unwrap file handles. - ---- - Sources/TSCBasic/FileSystem.swift | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/Sources/TSCBasic/FileSystem.swift b/Sources/TSCBasic/FileSystem.swift -index 3a63bdf..a1f3d9d 100644 ---- a/Sources/TSCBasic/FileSystem.swift -+++ b/Sources/TSCBasic/FileSystem.swift -@@ -425,7 +425,7 @@ private class LocalFileSystem: FileSystem { - if fp == nil { - throw FileSystemError(errno: errno, path) - } -- defer { fclose(fp) } -+ defer { fclose(fp!) } - - // Read the data one block at a time. - let data = BufferedOutputByteStream() -@@ -455,7 +455,7 @@ private class LocalFileSystem: FileSystem { - if fp == nil { - throw FileSystemError(errno: errno, path) - } -- defer { fclose(fp) } -+ defer { fclose(fp!) } - - // Write the data in one chunk. - var contents = bytes.contents --- -2.42.0 diff --git a/pkgs/development/compilers/swift/swiftpm/default.nix b/pkgs/development/compilers/swift/swiftpm/default.nix index 4a7a4ab63cce..2f3cb9530cfe 100644 --- a/pkgs/development/compilers/swift/swiftpm/default.nix +++ b/pkgs/development/compilers/swift/swiftpm/default.nix @@ -1,6 +1,7 @@ { lib , stdenv , callPackage +, fetchpatch , cmake , ninja , git @@ -195,12 +196,22 @@ let ''; }; + # Part of this patch fixes for glibc 2.39: glibc patch 64b1a44183a3094672ed304532bedb9acc707554 + # marks the `FILE*` argument to a few functions including `ferror` & `fread` as non-null. However + # the code passes an `Optional` to these functions. + # This patch uses a `guard` which effectively unwraps the type (or throws an exception). + swift-tools-support-core-glibc-fix = fetchpatch { + url = "https://github.com/apple/swift-tools-support-core/commit/990afca47e75cce136d2f59e464577e68a164035.patch"; + hash = "sha256-PLzWsp+syiUBHhEFS8+WyUcSae5p0Lhk7SSRdNvfouE="; + includes = [ "Sources/TSCBasic/FileSystem.swift" ]; + }; + swift-tools-support-core = mkBootstrapDerivation { name = "swift-tools-support-core"; src = generated.sources.swift-tools-support-core; patches = [ - ./patches/force-unwrap-file-handles.patch + swift-tools-support-core-glibc-fix ]; buildInputs = [ @@ -389,7 +400,7 @@ in stdenv.mkDerivation (commonAttrs // { swiftpmMakeMutable swift-tools-support-core substituteInPlace .build/checkouts/swift-tools-support-core/Sources/TSCTestSupport/XCTestCasePerf.swift \ --replace 'canImport(Darwin)' 'false' - patch -p1 -d .build/checkouts/swift-tools-support-core -i ${./patches/force-unwrap-file-handles.patch} + patch -p1 -d .build/checkouts/swift-tools-support-core -i ${swift-tools-support-core-glibc-fix} # Prevent a warning about SDK directories we don't have. swiftpmMakeMutable swift-driver diff --git a/pkgs/development/compilers/swift/swiftpm/patches/force-unwrap-file-handles.patch b/pkgs/development/compilers/swift/swiftpm/patches/force-unwrap-file-handles.patch deleted file mode 100644 index a2f2d38c37c8..000000000000 --- a/pkgs/development/compilers/swift/swiftpm/patches/force-unwrap-file-handles.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 8d9ab4b6ed24a97e8af0cc338a52aacdcf438b8c Mon Sep 17 00:00:00 2001 -From: Pavel Sobolev -Date: Tue, 21 Nov 2023 20:53:33 +0300 -Subject: [PATCH] Force-unwrap file handles. - ---- - Sources/TSCBasic/FileSystem.swift | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/Sources/TSCBasic/FileSystem.swift b/Sources/TSCBasic/FileSystem.swift -index 3a63bdf..a1f3d9d 100644 ---- a/Sources/TSCBasic/FileSystem.swift -+++ b/Sources/TSCBasic/FileSystem.swift -@@ -425,7 +425,7 @@ private class LocalFileSystem: FileSystem { - if fp == nil { - throw FileSystemError(errno: errno, path) - } -- defer { fclose(fp) } -+ defer { fclose(fp!) } - - // Read the data one block at a time. - let data = BufferedOutputByteStream() -@@ -455,7 +455,7 @@ private class LocalFileSystem: FileSystem { - if fp == nil { - throw FileSystemError(errno: errno, path) - } -- defer { fclose(fp) } -+ defer { fclose(fp!) } - - // Write the data in one chunk. - var contents = bytes.contents --- -2.42.0 From 02e833b2dcd328713572aeb24a5054711e566190 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Fri, 22 Mar 2024 22:24:45 +0100 Subject: [PATCH 4/5] dolphin-emu: fix build w/ glibc-2.39 Failing Hydra build: https://hydra.nixos.org/build/252105318 --- pkgs/applications/emulators/dolphin-emu/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/pkgs/applications/emulators/dolphin-emu/default.nix b/pkgs/applications/emulators/dolphin-emu/default.nix index f81fce6a5aa8..b2a9bbb7bbc4 100644 --- a/pkgs/applications/emulators/dolphin-emu/default.nix +++ b/pkgs/applications/emulators/dolphin-emu/default.nix @@ -1,6 +1,7 @@ { lib , stdenv , fetchFromGitHub +, fetchpatch , cmake , pkg-config , wrapQtAppsHook @@ -71,6 +72,12 @@ stdenv.mkDerivation rec { patches = [ # Remove when merged https://github.com/dolphin-emu/dolphin/pull/12070 ./find-minizip-ng.patch + + # fix buidl w/ glibc-2.39 + (fetchpatch { + url = "https://github.com/dolphin-emu/dolphin/commit/3da2e15e6b95f02f66df461e87c8b896e450fdab.patch"; + hash = "sha256-+8yGF412wQUYbyEuYWd41pgOgEbhCaezexxcI5CNehc="; + }) ]; strictDeps = true; From 91d85fb0e654a1d187e39fd2460df78fb09628ce Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Fri, 22 Mar 2024 22:55:27 +0100 Subject: [PATCH 5/5] cataclysm-dda: fix build w/ glibc-2.39 Failing Hydra build: https://hydra.nixos.org/build/252068803 --- pkgs/games/cataclysm-dda/glibc-2.39.diff | 28 ++++++++++++++++++++++++ pkgs/games/cataclysm-dda/stable.nix | 3 +++ 2 files changed, 31 insertions(+) create mode 100644 pkgs/games/cataclysm-dda/glibc-2.39.diff diff --git a/pkgs/games/cataclysm-dda/glibc-2.39.diff b/pkgs/games/cataclysm-dda/glibc-2.39.diff new file mode 100644 index 000000000000..edc79ce76d79 --- /dev/null +++ b/pkgs/games/cataclysm-dda/glibc-2.39.diff @@ -0,0 +1,28 @@ +diff --git a/src/debug.cpp b/src/debug.cpp +index fa63a3b..1e8f554 100644 +--- a/src/debug.cpp ++++ b/src/debug.cpp +@@ -1494,6 +1494,14 @@ std::string game_info::operating_system() + } + + #if !defined(__CYGWIN__) && !defined (__ANDROID__) && ( defined (__linux__) || defined(unix) || defined(__unix__) || defined(__unix) || ( defined(__APPLE__) && defined(__MACH__) ) || defined(BSD) ) // linux; unix; MacOs; BSD ++ // ++class FILEDeleter ++{ ++ public: ++ void operator()( FILE *f ) const noexcept { ++ pclose( f ); ++ } ++}; + /** Execute a command with the shell by using `popen()`. + * @param command The full command to execute. + * @note The output buffer is limited to 512 characters. +@@ -1504,7 +1512,7 @@ static std::string shell_exec( const std::string &command ) + std::vector buffer( 512 ); + std::string output; + try { +- std::unique_ptr pipe( popen( command.c_str(), "r" ), pclose ); ++ std::unique_ptr pipe( popen( command.c_str(), "r" ) ); + if( pipe ) { + while( fgets( buffer.data(), buffer.size(), pipe.get() ) != nullptr ) { + output += buffer.data(); diff --git a/pkgs/games/cataclysm-dda/stable.nix b/pkgs/games/cataclysm-dda/stable.nix index 90eab89a8349..5c3ccb4bf287 100644 --- a/pkgs/games/cataclysm-dda/stable.nix +++ b/pkgs/games/cataclysm-dda/stable.nix @@ -43,6 +43,9 @@ let url = "https://sources.debian.org/data/main/c/cataclysm-dda/0.G-4/debian/patches/gcc13-keyword-requires.patch"; hash = "sha256-8yvHh0YKC7AC/qzia7AZAfMewMC0RiSepMXpOkMXRd8="; }) + # Fix build w/ glibc-2.39 + # From https://github.com/BrettDong/Cataclysm-DDA/commit/9b206e2dc969ad79345596e03c3980bd155d2f48 + ./glibc-2.39.diff ]; makeFlags = common.makeFlags ++ [