Merge pull request #2807 from flatcar/buildbot/weekly-portage-stable-package-updates-2025-04-07

Weekly portage-stable package updates 2025-04-07

Author: krnowak

changelog/security/2025-04-09-weekly-updates.md

@@ -0,0 +1,3 @@
+- curl ([curl-20250205](https://github.com/curl/curl/issues/16197))
+- iperf ([CVE-2024-53580](https://www.cve.org/CVERecord?id=CVE-2024-53580))
+- xz-utils ([CVE-2025-31115](https://www.cve.org/CVERecord?id=CVE-2025-31115))

changelog/updates/2025-04-09-weekly-updates.md

@@ -0,0 +1,9 @@
+- base, dev: curl ([8.13.0](https://curl.se/ch/8.13.0.html))
+- base, dev: libarchive ([3.7.9](https://github.com/libarchive/libarchive/releases/tag/v3.7.9))
+- containerd: runc ([1.2.5](https://github.com/opencontainers/runc/releases/tag/v1.2.5))
+- dev: iperf ([3.18](https://github.com/esnet/iperf/releases/tag/3.18))
+- dev: minicom ([2.10](https://salsa.debian.org/minicom-team/minicom/-/releases/2.10))
+- docker: docker-buildx ([0.20.1](https://github.com/docker/buildx/releases/tag/v0.20.1) (includes [0.20.0](https://github.com/docker/buildx/releases/tag/v0.20.0), [0.19.3](https://github.com/docker/buildx/releases/tag/v0.19.3), [0.19.2](https://github.com/docker/buildx/releases/tag/v0.19.2)))
+- sysext-podman: conmon ([2.1.11](https://github.com/containers/conmon/releases/tag/v2.1.11))
+- sysext-python: platformdirs ([4.3.7](https://github.com/tox-dev/platformdirs/releases/tag/4.3.7))
+- sysext-python: setuptools-scm ([8.2.1](https://github.com/pypa/setuptools-scm/blob/v8.2.1/CHANGELOG.md))

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/dev-build/cmake/0001-fix-build-with-curl-8-13-0.patch

@@ -0,0 +1,36 @@
+https://bugs.gentoo.org/953060
+https://gitlab.kitware.com/cmake/cmake/-/issues/26754
+https://gitlab.kitware.com/cmake/cmake/-/merge_requests/10449
+
+From 1b0c92a3a1b782ff3e1c4499b6ab8db614d45bcd Mon Sep 17 00:00:00 2001
+From: Brad King <brad.king@kitware.com>
+Date: Mon, 10 Mar 2025 11:08:42 -0400
+Subject: [PATCH] cmCurl: Avoid using undocumented type for CURLOPT_NETRC
+ values
+
+Since upstream curl commit `2ec00372a1` (curl.h: change some enums to
+defines with L suffix, 2025-02-25), the `CURL_NETRC_*` constants are
+integer literals instead of `enum CURL_NETRC_OPTION`.  It turns out
+that `curl_easy_setopt` has always expected a `long` anyway, and
+that `CURL_NETRC_OPTION` is not documented for public use.
+
+Fixes: #26754
+---
+ Source/cmCurl.cxx | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Source/cmCurl.cxx b/Source/cmCurl.cxx
+index b9133ed7d47..0cf8a71a72d 100644
+--- a/Source/cmCurl.cxx
++++ b/Source/cmCurl.cxx
+@@ -170,7 +170,7 @@ std::string cmCurlSetNETRCOption(::CURL* curl, const std::string& netrc_level,
+                                  const std::string& netrc_file)
+ {
+   std::string e;
+-  CURL_NETRC_OPTION curl_netrc_level = CURL_NETRC_LAST;
++  long curl_netrc_level = CURL_NETRC_LAST;
+   ::CURLcode res;
+ 
+   if (!netrc_level.empty()) {
+-- 
+GitLab

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/dev-build/cmake/README.md

@@ -0,0 +1,3 @@
+The `0001-fix-build-with-curl-8-13-0.patch` was taken from Gentoo -
+the patched cmake is 3.31.6-r1, so if we get updated to that version
+or later, we can drop the patch.

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults

@@ -85,7 +85,7 @@ CONFIG_PROTECT="
 # Do not install default repos.conf, we always put repository configuration in /etc.
 INSTALL_MASK="
   /usr/lib*/*.la
-  /etc/init.d /etc/conf.d
+  /etc/init.d /etc/conf.d /etc/user/conf.d /etc/user/init.d
   /usr/lib/debug/.build-id
   /etc/acpi
   /usr/share/portage/config/repos.conf

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords

@@ -58,6 +58,12 @@
 =net-libs/libnetfilter_cthelper-1.0.1-r1 ~arm64
 =net-libs/libnetfilter_cttimeout-1.0.1 ~arm64
 
+# Needed to address curl-20250205 (https://github.com/curl/curl/issues/16197)
+=net-misc/curl-8.13.0 ~amd64 ~arm64
+
+# Needed to address CVE-2024-53580.
+=net-misc/iperf-3.18 ~amd64 ~arm64
+
 # Needed to address CVE-2024-54661
 =net-misc/socat-1.8.0.3 ~amd64 ~arm64
 

sdk_container/src/third_party/portage-stable/app-arch/gzip/Manifest

@@ -1,2 +1,4 @@
 DIST gzip-1.13.tar.xz 838248 BLAKE2B f0e3b4c28bafcd3b59b65ac2d71218dc58d81b52c6921c1be038757c99e99184178c5d0e9674caa5099713b8b64e8c85cf061f4abfa20b73b478288f121fb05d SHA512 e3d4d4aa4b2e53fdad980620307257c91dfbbc40bcec9baa8d4e85e8327f55e2ece552c9baf209df7b66a07103ab92d4954ac53c86c57fbde5e1dd461143f94c
 DIST gzip-1.13.tar.xz.sig 833 BLAKE2B 42e38fa7b3a6b6d21a18308cf662844ed84e1a142a945f3f3142db0a14212c0e642de514abb1307ec12ee7bb9644472cc3aed40582d9c266ab24808acbca0215 SHA512 f95e016f61f4a67cb4cec6cede2510af6bb5567d72bbd3d70210a6d5cf3ee5fea8f0cbf8f7b612fa52f2ecfd9dba050d9cd4494075ce5ac4abac7b74eaa7ccbc
+DIST gzip-1.13_p20250405.tar.xz 892960 BLAKE2B a3b52fbc4db6594ebc98d0f49d04f18073036bd2b29ac1aedb77ce124f8ac232e502450763d260d9d836066d21106b4770561f67dbe833bf43ed9b6c12987389 SHA512 8c439fbb15924eb38e421b04919fc2013e5a814445c83b665e4538f34f9b4b8c73dfe1910aba8c38ef98ee4bd57f01082798e6056802a12aa95d0c82e4a08412
+DIST gzip-1.13_p20250405.tar.xz.sig 833 BLAKE2B b47479ee151f093e6fa81abfe9587c887994562bb19631da9b3506a020ec8ccbc34eb79df29f61e4e441b46fb3e7b5e603357d75edf5d13973ca52737967f897 SHA512 162488d2085664514f8893128fbe6227860e8c8e152a979196c311f68706781c058fdada3fe659e41059aaaf281f0539b035f358e5e633d59e9c5634edbefadb

sdk_container/src/third_party/portage-stable/app-arch/gzip/gzip-1.13_p20250405.ebuild

@@ -0,0 +1,96 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gzip.asc
+inherit eapi9-ver flag-o-matic verify-sig
+
+DESCRIPTION="Standard GNU compressor"
+HOMEPAGE="https://www.gnu.org/software/gzip/"
+if [[ ${PV} == *_p* ]] ; then
+	# Note: could put this in devspace, but if it's gone, we don't want
+	# it in tree anyway. It's just for testing.
+	MY_SNAPSHOT="$(ver_cut 1-2).56-e549"
+	SRC_URI="
+		https://meyering.net/gzip/gzip-${MY_SNAPSHOT}.tar.xz -> ${P}.tar.xz
+		verify-sig? (
+			https://meyering.net/gzip/gzip-${MY_SNAPSHOT}.tar.xz.sig -> ${P}.tar.xz.sig
+		)
+	"
+	S="${WORKDIR}"/${PN}-${MY_SNAPSHOT}
+else
+	SRC_URI="
+		mirror://gnu/gzip/${P}.tar.xz
+		verify-sig? (
+			mirror://gnu/gzip/${P}.tar.xz.sig
+		)
+	"
+fi
+
+LICENSE="GPL-3+"
+SLOT="0"
+if [[ ${PV} != *_p* ]] ; then
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+fi
+IUSE="pic static"
+
+BDEPEND="verify-sig? ( sec-keys/openpgp-keys-gzip )"
+RDEPEND="!app-arch/pigz[symlink(-)]"
+PDEPEND="
+	app-alternatives/gzip
+"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-1.3.8-install-symlinks.patch"
+)
+
+src_configure() {
+	use static && append-flags -static
+
+	# Avoid text relocation in gzip
+	use pic && export DEFS="NO_ASM"
+
+	# embeds the path to grep detected at build time into installed scripts;
+	# use the canonical USE="split-usr" agnostic path. bug #935721
+	export GREP="${EPREFIX}/bin/grep"
+
+	# bug #663928
+	econf --disable-gcc-warnings
+}
+
+src_install() {
+	default
+
+	docinto txt
+	dodoc algorithm.doc gzip.doc
+
+	# Avoid conflict with app-arch/ncompress
+	rm "${ED}"/usr/bin/uncompress || die
+
+	# keep most things in /usr, just the fun stuff in /
+	# also rename them to avoid conflict with app-alternatives/gzip
+	dodir /bin
+	local x
+	for x in gunzip gzip zcat; do
+		mv "${ED}/usr/bin/${x}" "${ED}/bin/${x}-reference" || die
+	done
+	mv "${ED}"/usr/share/man/man1/gzip{,-reference}.1 || die
+	rm "${ED}"/usr/share/man/man1/{gunzip,zcat}.1 || die
+}
+
+pkg_postinst() {
+	if ver_replacing -lt "1.12-r2"; then
+		ewarn "This package no longer installs 'uncompress'."
+		ewarn "Please use 'gzip -d' to decompress .Z files."
+	fi
+
+	# ensure to preserve the symlinks before app-alternatives/gzip
+	# is installed
+	local x
+	for x in gunzip gzip zcat; do
+		if [[ ! -h ${EROOT}/bin/${x} ]]; then
+			ln -s "${x}-reference" "${EROOT}/bin/${x}" || die
+		fi
+	done
+}

sdk_container/src/third_party/portage-stable/app-arch/libarchive/Manifest

@@ -1,2 +1,4 @@
 DIST libarchive-3.7.8.tar.xz 5493312 BLAKE2B ba058b2fa2afbfe53127d6ffd0a7ab00d9e8faf62340ae2eb8871a0ca232c2de482dbff2c4eedf2c45d944eb555123d765c462818158046bb72951f6421d9ea0 SHA512 a2b6c8c337e75bcce73126c30a3b564dc586df973780d9c7d5a9eed693dbe3779bf762b64c49c47203c2768c92a4a7d2dc8c0445b1dc398eafd2d58b0ba5aae6
 DIST libarchive-3.7.8.tar.xz.asc 659 BLAKE2B 2050214592b0add7cbd758b815c4289a8760bfb2e5b5db581afdbe741d348252b73f99919641cacd908b586cf4f8fc30a591d88b869bd607adc837251d8fbd4e SHA512 3f1d70318f5e2369fa59e94f91bf8473630a448ded11e2ff3502657380221b9e11e849dc98ba0806c3110c7267cee251f7d681db27751e2a45a948f6ad558404
+DIST libarchive-3.7.9.tar.xz 5494688 BLAKE2B 7bcfb3fe8ffd9452f3d71cdc738144069594030278572ebba0bb247ad74fd68ec19822f281364878228ee311976e216614d4764e56c5fb7f98801695ab7aa7f4 SHA512 d8918445e2536eb29c2d6a6c8cd3671a8525be1619009a2e7c3a9c2a821b51939172dfccc25bfd62fec2a17fb01796b4f522b0ba72b31e3de9b9658c44c46345
+DIST libarchive-3.7.9.tar.xz.asc 659 BLAKE2B 1de2d5af2422c8220983d7e5aa76fae1fcf12c008e7a99ec193b82145a03506fddabc7d5b89efce609e3b807511ebf719fce2f81f2150ccc0a57b4248ad3c5cb SHA512 e60bf9b6c8c58a6fd8977df0ccdd375e42db03f99623412897711dfcbfa4fb4a5b8707e8643c30e25e8b2946df58d1367f67c6ef99223a2739dabbce387f83c5

sdk_container/src/third_party/portage-stable/app-arch/libarchive/libarchive-3.7.9.ebuild

@@ -0,0 +1,173 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit libtool multilib-minimal toolchain-funcs verify-sig
+
+DESCRIPTION="Multi-format archive and compression library"
+HOMEPAGE="
+	https://www.libarchive.org/
+	https://github.com/libarchive/libarchive/
+"
+SRC_URI="
+	https://www.libarchive.de/downloads/${P}.tar.xz
+	verify-sig? ( https://www.libarchive.de/downloads/${P}.tar.xz.asc )
+"
+
+LICENSE="BSD BSD-2 BSD-4 public-domain"
+SLOT="0/13"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="
+	acl blake2 +bzip2 +e2fsprogs expat +iconv lz4 +lzma lzo nettle
+	static-libs test xattr +zstd
+"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+	sys-libs/zlib:=[${MULTILIB_USEDEP}]
+	acl? ( virtual/acl:=[${MULTILIB_USEDEP}] )
+	blake2? ( app-crypt/libb2:=[${MULTILIB_USEDEP}] )
+	bzip2? ( app-arch/bzip2:=[${MULTILIB_USEDEP}] )
+	expat? ( dev-libs/expat:=[${MULTILIB_USEDEP}] )
+	!expat? ( dev-libs/libxml2:=[${MULTILIB_USEDEP}] )
+	iconv? ( virtual/libiconv:=[${MULTILIB_USEDEP}] )
+	dev-libs/openssl:=[${MULTILIB_USEDEP}]
+	lz4? ( >=app-arch/lz4-0_p131:=[${MULTILIB_USEDEP}] )
+	lzma? ( >=app-arch/xz-utils-5.2.5-r1:=[${MULTILIB_USEDEP}] )
+	lzo? ( >=dev-libs/lzo-2:=[${MULTILIB_USEDEP}] )
+	nettle? ( dev-libs/nettle:=[${MULTILIB_USEDEP}] )
+	zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
+"
+DEPEND="${RDEPEND}
+	kernel_linux? (
+		virtual/os-headers
+		e2fsprogs? ( sys-fs/e2fsprogs[${MULTILIB_USEDEP}] )
+	)
+	test? (
+		app-arch/lrzip
+		app-arch/lz4
+		app-arch/lzip
+		app-arch/lzop
+		app-arch/xz-utils
+		app-arch/zstd
+		lzma? ( app-arch/xz-utils[extra-filters(+)] )
+	)
+"
+BDEPEND="
+	verify-sig? ( >=sec-keys/openpgp-keys-libarchive-20221209 )
+	elibc_musl? ( sys-libs/queue-standalone )
+"
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/libarchive.org.asc
+
+# false positives (checks for libc-defined hash functions)
+QA_CONFIG_IMPL_DECL_SKIP=(
+	SHA256_Init SHA256_Update SHA256_Final
+	SHA384_Init SHA384_Update SHA384_Final
+	SHA512_Init SHA512_Update SHA512_Final
+)
+
+PATCHES=(
+	# https://github.com/libarchive/libarchive/issues/2069
+	# (we can simply update the command since we don't support old lrzip)
+	"${FILESDIR}/${PN}-3.7.2-lrzip.patch"
+)
+
+src_prepare() {
+	default
+
+	# Needed for flags to be respected w/ LTO
+	elibtoolize
+}
+
+multilib_src_configure() {
+	export ac_cv_header_ext2fs_ext2_fs_h=$(usex e2fsprogs) #354923
+
+	local myconf=(
+		$(use_enable acl)
+		$(use_enable static-libs static)
+		$(use_enable xattr)
+		$(use_with blake2 libb2)
+		$(use_with bzip2 bz2lib)
+		$(use_with expat)
+		$(use_with !expat xml2)
+		$(use_with iconv)
+		$(use_with lz4)
+		$(use_with lzma)
+		$(use_with lzo lzo2)
+		$(use_with nettle)
+		--with-zlib
+		$(use_with zstd)
+
+		# Windows-specific
+		--without-cng
+	)
+	if multilib_is_native_abi ; then
+		myconf+=(
+			--enable-bsdcat="$(tc-is-static-only && echo static || echo shared)"
+			--enable-bsdcpio="$(tc-is-static-only && echo static || echo shared)"
+			--enable-bsdtar="$(tc-is-static-only && echo static || echo shared)"
+			--enable-bsdunzip="$(tc-is-static-only && echo static || echo shared)"
+		)
+	else
+		myconf+=(
+			--disable-bsdcat
+			--disable-bsdcpio
+			--disable-bsdtar
+			--disable-bsdunzip
+		)
+	fi
+
+	ECONF_SOURCE="${S}" econf "${myconf[@]}"
+}
+
+multilib_src_compile() {
+	if multilib_is_native_abi ; then
+		emake
+	else
+		emake libarchive.la
+	fi
+}
+
+src_test() {
+	mkdir -p "${T}"/bin || die
+	# tests fail when lbzip2[symlink] is used in place of ref bunzip2
+	ln -s "${BROOT}/bin/bunzip2" "${T}"/bin || die
+	# workaround lrzip broken on 32-bit arches with >= 10 threads
+	# https://bugs.gentoo.org/927766
+	cat > "${T}"/bin/lrzip <<-EOF || die
+		#!/bin/sh
+		exec "$(type -P lrzip)" -p1 "\${@}"
+	EOF
+	chmod +x "${T}/bin/lrzip" || die
+	local -x PATH=${T}/bin:${PATH}
+	multilib-minimal_src_test
+}
+
+multilib_src_test() {
+	# sandbox is breaking long symlink behavior
+	local -x SANDBOX_ON=0
+	local -x LD_PRELOAD=
+	# some locales trigger different output that breaks tests
+	local -x LC_ALL=C.UTF-8
+	emake check
+}
+
+multilib_src_install() {
+	if multilib_is_native_abi ; then
+		emake DESTDIR="${D}" install
+	else
+		local install_targets=(
+			install-includeHEADERS
+			install-libLTLIBRARIES
+			install-pkgconfigDATA
+		)
+		emake DESTDIR="${D}" "${install_targets[@]}"
+	fi
+
+	# Libs.private: should be used from libarchive.pc instead
+	find "${ED}" -type f -name "*.la" -delete || die
+	# https://github.com/libarchive/libarchive/issues/1766
+	sed -e '/Requires\.private/s:iconv::' \
+		-i "${ED}/usr/$(get_libdir)/pkgconfig/libarchive.pc" || die
+}