nixpkgs/pkgs/os-specific/linux/musl/default.nix
Martin Weinelt 138abad757
musl: patch CVE-2020-28928
Destination buffer overflow in wcsnrtombs.

Fixes: CVE-2020-28928
2020-11-21 00:40:40 +01:00


# musl libc 1.2.0 with a backported fix for CVE-2020-28928 (see `patches`).
# Every external input below is fetched with a pinned sha256 (a fixed-output
# derivation), so the bytes are verified regardless of the transport in the
# URL; a changed upstream file fails the fetch instead of changing the build.
{ stdenv, lib, fetchurl
, linuxHeaders ? null        # effectively required: postInstall interpolates
                             # ${linuxHeaders}, which fails to evaluate on null
, useBSDCompatHeaders ? true # install Alpine's sys/{cdefs,queue,tree}.h
}:
let
  # BSD-compatibility headers from Alpine's libc-dev package. The URLs are
  # plain http, but the sha256 pins the exact content.
  cdefs_h = fetchurl {
    url = "http://git.alpinelinux.org/cgit/aports/plain/main/libc-dev/sys-cdefs.h";
    sha256 = "16l3dqnfq0f20rzbkhc38v74nqcsh9n3f343bpczqq8b1rz6vfrh";
  };
  queue_h = fetchurl {
    url = "http://git.alpinelinux.org/cgit/aports/plain/main/libc-dev/sys-queue.h";
    sha256 = "12qm82id7zys92a1qh2l1qf2wqgq6jr4qlbjmqyfffz3s3nhfd61";
  };
  tree_h = fetchurl {
    url = "http://git.alpinelinux.org/cgit/aports/plain/main/libc-dev/sys-tree.h";
    sha256 = "14igk6k00bnpfw660qhswagyhvr0gfqg4q55dxvaaq7ikfkrir71";
  };
  # iconv tool, implemented by musl author.
  # Original: http://git.etalabs.net/cgit/noxcuse/plain/src/iconv.c?id=02d288d89683e99fd18fe9f54d4e731a6c474a4f
  # We use copy from Alpine which fixes error messages, see:
  # https://git.alpinelinux.org/aports/commit/main/musl/iconv.c?id=a3d97e95f766c9c378194ee49361b375f093b26f
  # Compiled in postInstall against the freshly built libc.
  iconv_c = fetchurl {
    name = "iconv.c";
    url = "https://git.alpinelinux.org/aports/plain/main/musl/iconv.c?id=a3d97e95f766c9c378194ee49361b375f093b26f";
    sha256 = "1mzxnc2ncq8lw9x6n7p00fvfklc9p3wfv28m68j0dfz5l8q2k6pp";
  };
  # Name used for the Alpine-style `libc.musl-<arch>.so.1` symlink created in
  # postInstall. Null on any other host platform, in which case the symlink
  # is simply not created.
  arch = if stdenv.hostPlatform.isx86_64
    then "x86_64"
    else if stdenv.hostPlatform.isx86_32
    then "i386"
    else null;
in
stdenv.mkDerivation rec {
  pname = "musl";
  version = "1.2.0";
  src = fetchurl {
    url = "https://www.musl-libc.org/releases/${pname}-${version}.tar.gz";
    sha256 = "1s6lix02k1ijm4nmhzpmwzk5w6xfkhn70nvvk8zjs51r24cpppn6";
  };
  enableParallelBuilding = true;
  # Disable auto-adding stack protector flags,
  # so musl can selectively disable as needed
  # (the CFLAGS attribute below re-enables -fstack-protector-strong
  # explicitly, so the library is still built with the protector).
  hardeningDisable = [ "stackprotector" ];
  # Leave these, be friendlier to debuggers/perf tools
  # Don't force them on, but don't force off either
  postPatch = ''
    substituteInPlace configure \
    --replace -fno-unwind-tables "" \
    --replace -fno-asynchronous-unwind-tables ""
  '';
  patches = [
    # Minor touchup to build system making dynamic linker symlink relative
    (fetchurl {
      url = "https://raw.githubusercontent.com/openwrt/openwrt/87606e25afac6776d1bbc67ed284434ec5a832b4/toolchain/musl/patches/300-relative.patch";
      sha256 = "0hfadrycb60sm6hb6by4ycgaqc9sgrhh42k39v8xpmcvdzxrsq2n";
    })
    # wcsnrtombs destination buffer overflow, remove >= 1.2.2
    # The fix is taken from the oss-security disclosure thread; the sha256
    # pins the exact patch text, so the fetch fails rather than building a
    # different patch if the attachment were ever altered.
    (fetchurl {
      name = "CVE-2020-28928.patch";
      url = "https://www.openwall.com/lists/oss-security/2020/11/20/4/1";
      sha256 = "077n2p165504nz9di6n8y5421591r3lsbcxgih8z26l6mvkhcs2h";
    })
  ];
  # Stack protector is set here by hand because hardeningDisable above turned
  # off the wrapper's automatic flag.
  CFLAGS = [ "-fstack-protector-strong" ]
    ++ lib.optional stdenv.hostPlatform.isPower "-mlong-double-64";
  configureFlags = [
    "--enable-shared"
    "--enable-static"
    "--enable-debug"
    "--enable-wrapper=all"
    "--syslibdir=${placeholder "out"}/lib"
  ];
  outputs = [ "out" "dev" ];
  dontDisableStatic = true;
  separateDebugInfo = true;
  # NOTE(review): presumably keeps the cc-wrapper from adding rpath entries
  # on its own; the iconv link step below passes its -Wl,-rpath explicitly.
  NIX_DONT_SET_RPATH = true;
  # postInstall: expose kernel headers in $dev, strip the static archive,
  # move the (impure) compiler wrappers to $dev, build iconv against the new
  # libc, and optionally add the Alpine-style symlink and BSD-compat headers.
  postInstall = ''
    # Not sure why, but link in all but scsi directory as that's what uclibc/glibc do.
    # Apparently glibc provides scsi itself?
    (cd $dev/include && ln -s $(ls -d ${linuxHeaders}/include/* | grep -v "scsi$") .)
    # Strip debug out of the static library
    $STRIP -S $out/lib/libc.a
    mkdir -p $out/bin
    # Create 'ldd' symlink, builtin
    ln -rs $out/lib/libc.so $out/bin/ldd
    # (impure) cc wrapper around musl for interactive usuage
    for i in musl-gcc musl-clang ld.musl-clang; do
    moveToOutput bin/$i $dev
    done
    moveToOutput lib/musl-gcc.specs $dev
    substituteInPlace $dev/bin/musl-gcc \
    --replace $out/lib/musl-gcc.specs $dev/lib/musl-gcc.specs
    # provide 'iconv' utility, using just-built headers, libc/ldso
    $CC ${iconv_c} -o $out/bin/iconv \
    -I$dev/include \
    -L$out/lib -Wl,-rpath=$out/lib \
    -lc \
    -B $out/lib \
    -Wl,-dynamic-linker=$(ls $out/lib/ld-*)
  '' + lib.optionalString (arch != null) ''
    # Create 'libc.musl-$arch' symlink
    ln -rs $out/lib/libc.so $out/lib/libc.musl-${arch}.so.1
  '' + lib.optionalString useBSDCompatHeaders ''
    install -D ${queue_h} $dev/include/sys/queue.h
    install -D ${cdefs_h} $dev/include/sys/cdefs.h
    install -D ${tree_h} $dev/include/sys/tree.h
  '';
  # Re-exported so dependants can find the exact kernel headers this libc
  # was linked against.
  passthru.linuxHeaders = linuxHeaders;
  meta = with lib; {
    description = "An efficient, small, quality libc implementation";
    homepage = "http://www.musl-libc.org";
    license = licenses.mit;
    platforms = platforms.linux;
    maintainers = with maintainers; [ thoughtpolice dtzWill ];
  };
}