Merge #247401: glibc: 2.37-39 -> 2.38-23

...into staging

nixos/doc/manual/release-notes/rl-2311.section.md

@@ -26,6 +26,8 @@
   - `root` and `wheel` are not given the ability to set (or preserve)
     arbitrary environment variables.
 
+- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed.
+
 [`sudo-rs`]: https://github.com/memorysafety/sudo-rs/
 
 ## New Services {#sec-release-23.11-new-services}

pkgs/applications/audio/mamba/default.nix

@@ -37,5 +37,8 @@ stdenv.mkDerivation rec {
     license = licenses.bsd0;
     maintainers = with maintainers; [ magnetophon orivej ];
     platforms = platforms.linux;
+    # 2023-08-19, `-Werror=format-security` fails for xputty
+    # reported as https://github.com/brummer10/libxputty/issues/12
+    broken = true;
   };
 }

pkgs/applications/radio/direwolf/default.nix

@@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
     sha256 = "0xmz64m02knbrpasfij4rrq53ksxna5idxwgabcw4n2b1ig7pyx5";
   };
 
+  patches = [ ./fix-strlcpy-usage.patch ];
+
   nativeBuildInputs = [ cmake ];
 
   strictDeps = true;

pkgs/applications/radio/direwolf/fix-strlcpy-usage.patch

@@ -0,0 +1,89 @@
+strlcpy is now part of glibc, so there's absolutely no reason for a custom implementation, especially
+one with printf debugging. Hence, removing all of that.
+
+See also https://hydra.nixos.org/build/230546596
+See glibc commit 454a20c8756c9c1d55419153255fc7692b3d2199
+
+diff --git a/external/misc/strlcpy.c b/external/misc/strlcpy.c
+index ff18800..b1cb443 100644
+--- a/external/misc/strlcpy.c
++++ b/external/misc/strlcpy.c
+@@ -56,65 +56,3 @@
+ 
+ #include "textcolor.h"
+ 
+-/*
+- * Copy src to string dst of size siz.  At most siz-1 characters
+- * will be copied.  Always NUL terminates (unless siz == 0).
+- * Returns strlen(src); if retval >= siz, truncation occurred.
+- */
+-
+-#if DEBUG_STRL
+-size_t strlcpy_debug(char *__restrict__ dst, const char *__restrict__ src, size_t siz, const char *file, const char *func, int line)
+-#else
+-size_t strlcpy_debug(char *__restrict__ dst, const char *__restrict__ src, size_t siz)
+-#endif
+-{
+-	char *d = dst;
+-	const char *s = src;
+-	size_t n = siz;
+-	size_t retval;
+-
+-#if DEBUG_STRL
+-	if (dst == NULL) {
+-		text_color_set (DW_COLOR_ERROR);
+-		dw_printf ("ERROR: strlcpy dst is NULL.  (%s %s %d)\n", file, func, line);
+-		return (0);
+-	}
+-	if (src == NULL) {
+-		text_color_set (DW_COLOR_ERROR);
+-		dw_printf ("ERROR: strlcpy src is NULL.  (%s %s %d)\n", file, func, line);
+-		return (0);
+-	}
+-	if (siz == 1 || siz == 4) {
+-		text_color_set (DW_COLOR_ERROR);
+-		dw_printf ("Suspicious strlcpy siz.  Is it using sizeof a pointer variable?  (%s %s %d)\n", file, func, line);
+-	}
+-#endif
+-
+-	/* Copy as many bytes as will fit */
+-	if (n != 0 && --n != 0) {
+-		do {
+-			if ((*d++ = *s++) == 0)
+-				break;
+-		} while (--n != 0);
+-	}
+-
+-	/* Not enough room in dst, add NUL and traverse rest of src */
+-	if (n == 0) {
+-		if (siz != 0)
+-			*d = '\0';		/* NUL-terminate dst */
+-		while (*s++)
+-			;
+-	}
+-
+-	retval = s - src - 1;	/* count does not include NUL */
+-
+-#if DEBUG_STRL
+-	if (retval >= siz) {
+-		text_color_set (DW_COLOR_ERROR);
+-		dw_printf ("WARNING: strlcpy result length %d exceeds maximum length %d.  (%s %s %d)\n",
+-				(int)retval, (int)(siz-1), file, func, line);
+-	}
+-#endif
+-	return (retval);
+-}
+-
+diff --git a/src/direwolf.h b/src/direwolf.h
+index efc329b..22eb748 100644
+--- a/src/direwolf.h
++++ b/src/direwolf.h
+@@ -294,7 +294,7 @@ char *strcasestr(const char *S, const char *FIND);
+ #define HAVE_STRLCPY 1
+ 
+ 
+-#define DEBUG_STRL 1
++#define DEBUG_STRL 0
+ 
+ #if DEBUG_STRL
+ 

pkgs/applications/science/misc/root/default.nix

@@ -2,6 +2,7 @@
 , lib
 , callPackage
 , fetchurl
+, fetchpatch
 , makeWrapper
 , cmake
 , coreutils
@@ -109,6 +110,18 @@ stdenv.mkDerivation rec {
 
   patches = [
     ./sw_vers.patch
+    # glibc >=2.38 already has strlcat implemented.
+    # merged upstream, remove on next package bump.
+    (fetchpatch {
+      url = "https://github.com/root-project/root/commit/8fb0e35446ed67c9d56639b4708c8f05459b7f84.patch";
+      hash = "sha256-7EabmYanqlQsYSQsi+S9eWs1v1pY6MncopL420Y3D4w=";
+    })
+  ] ++ lib.optionals (python.pkgs.pythonAtLeast "3.11") [
+    # Fix build against Python 3.11
+    (fetchpatch {
+      url = "https://github.com/root-project/root/commit/484deb056dacf768aba4954073b41105c431bffc.patch";
+      hash = "sha256-4qur2e3SxMIPgOg4IjlvuULR2BObuP7xdvs+LmNT2/s=";
+    })
   ];
 
   preConfigure = ''

pkgs/applications/virtualization/kvmtool/default.nix

@@ -10,6 +10,8 @@ stdenv.mkDerivation {
     sha256 = "sha256-wpc5DfHnui0lBVH4uOq6a7pXVUZStjNLRvauu6QpRvE=";
   };
 
+  patches = [ ./strlcpy-glibc-2.38-fix.patch ];
+
   buildInputs = lib.optionals stdenv.hostPlatform.isAarch64 [ dtc ];
 
   enableParallelBuilding = true;

pkgs/applications/virtualization/kvmtool/strlcpy-glibc-2.38-fix.patch

@@ -0,0 +1,25 @@
+Manually tell the compiler that strlcpy exists. The `try-build` function seems
+somewhat broken, i.e. any code that I try to pass to it doesn't link because of an
+"undefined reference to main" error (and some more quoting issues with newlines being
+swalloed).
+
+Because both musl and glibc seemt o support strlcpy nowadays, I decided to just skip the
+possibly broken feature-check and hardcode that it exists.
+
+diff --git a/Makefile b/Makefile
+index ed2414b..37be9cd 100644
+--- a/Makefile
++++ b/Makefile
+@@ -239,10 +239,8 @@ endif
+ # On a given system, some libs may link statically, some may not; so, check
+ # both and only build those that link!
+ 
+-ifeq ($(call try-build,$(SOURCE_STRLCPY),$(CFLAGS),$(LDFLAGS)),y)
+-	CFLAGS_DYNOPT	+= -DHAVE_STRLCPY
+-	CFLAGS_STATOPT	+= -DHAVE_STRLCPY
+-endif
++CFLAGS_DYNOPT	+= -DHAVE_STRLCPY
++CFLAGS_STATOPT	+= -DHAVE_STRLCPY
+ 
+ ifeq ($(call try-build,$(SOURCE_BFD),$(CFLAGS),$(LDFLAGS) -lbfd -static),y)
+ 	CFLAGS_STATOPT	+= -DCONFIG_HAS_BFD

pkgs/development/compilers/swift/foundation/default.nix

@@ -5,6 +5,7 @@
 
 { lib
 , stdenv
+, fetchpatch
 , callPackage
 , cmake
 , ninja
@@ -23,6 +24,15 @@ in stdenv.mkDerivation {
   inherit (sources) version;
   src = sources.swift-corelibs-foundation;
 
+  patches = [
+    # from https://github.com/apple/swift-corelibs-foundation/pull/4811
+    # fix build with glibc >=2.38
+    (fetchpatch {
+      url = "https://github.com/apple/swift-corelibs-foundation/commit/47260803a108c6e0d639adcebeed3ac6a76e8bcd.patch";
+      hash = "sha256-1JUSQW86IHKkBZqxvpk0P8zcSKntzOTNlMoGBfgeT4c=";
+    })
+  ];
+
   outputs = [ "out" "dev" ];
 
   nativeBuildInputs = [ cmake ninja swift ];

pkgs/development/libraries/glibc/common.nix

@@ -43,9 +43,9 @@
 } @ args:
 
 let
-  version = "2.37";
-  patchSuffix = "-39";
-  sha256 = "sha256-Ilfv8RGhgV109GhW2q9AsBnB5VMVbGnUi6DL/Bu5GkM=";
+  version = "2.38";
+  patchSuffix = "-23";
+  sha256 = "sha256-+4KZiZiyspllRnvBtp0VLpwwfSzzAcnq+0VVt3DvP9I=";
 in
 
 assert withLinuxHeaders -> linuxHeaders != null;
@@ -59,14 +59,14 @@ stdenv.mkDerivation ({
   patches =
     [
       /* No tarballs for stable upstream branch, only https://sourceware.org/git/glibc.git and using git would complicate bootstrapping.
-          $ git fetch --all -p && git checkout origin/release/2.37/master && git describe
-          glibc-2.37-39-g6529a7466c
-          $ git show --minimal --reverse glibc-2.37.. | gzip -9n --rsyncable - > 2.37-master.patch.gz
+          $ git fetch --all -p && git checkout origin/release/2.38/master && git describe
+          glibc-2.38-23-g0e1ef6779a
+          $ git show --minimal --reverse glibc-2.38.. | gzip -9n --rsyncable - > 2.38-master.patch.gz
 
          To compare the archive contents zdiff can be used.
-          $ zdiff -u 2.37-master.patch.gz ../nixpkgs/pkgs/development/libraries/glibc/2.37-master.patch.gz
+          $ zdiff -u 2.38-master.patch.gz ../nixpkgs/pkgs/development/libraries/glibc/2.38-master.patch.gz
        */
-      ./2.37-master.patch.gz
+      ./2.38-master.patch.gz
 
       /* Allow NixOS and Nix to handle the locale-archive. */
       ./nix-locale-archive.patch
@@ -89,10 +89,11 @@ stdenv.mkDerivation ({
 
       ./0001-Revert-Remove-all-usage-of-BASH-or-BASH-in-installed.patch
 
-      /* Patch derived from archlinux (at the time of adding they're at 2.37),
-         https://github.com/archlinux/svntogit-packages/blob/packages/glibc/trunk/reenable_DT_HASH.patch
+      /* Patch derived from archlinux,
+         https://gitlab.archlinux.org/archlinux/packaging/packages/glibc/-/blob/e54d98e2d1aae4930ecad9404ef12234922d9dfd/reenable_DT_HASH.patch
 
-        See https://github.com/NixOS/nixpkgs/pull/188492#issuecomment-1233802991 for context.
+         See also https://github.com/ValveSoftware/Proton/issues/6051
+         & https://github.com/NixOS/nixpkgs/pull/188492#issuecomment-1233802991
       */
       ./reenable_DT_HASH.patch
     ]
@@ -135,6 +136,7 @@ stdenv.mkDerivation ({
       "--enable-bind-now"
       (lib.withFeatureAs withLinuxHeaders "headers" "${linuxHeaders}/include")
       (lib.enableFeature profilingLibraries "profile")
+      "--enable-fortify-source"
     ] ++ lib.optionals (stdenv.hostPlatform.isx86 || stdenv.hostPlatform.isAarch64) [
       # This feature is currently supported on
       # i386, x86_64 and x32 with binutils 2.29 or later,
@@ -159,7 +161,7 @@ stdenv.mkDerivation ({
       "libc_cv_as_needed=no"
     ]
     ++ lib.optional withGd "--with-gd"
-    ++ lib.optional (!withLibcrypt) "--disable-crypt";
+    ++ lib.optional withLibcrypt "--enable-crypt";
 
   makeFlags = (args.makeFlags or []) ++ [
     "OBJCOPY=${stdenv.cc.targetPrefix}objcopy"

pkgs/development/libraries/glibc/reenable_DT_HASH.patch

@@ -1,145 +1,28 @@
-From e47de5cb2d4dbecb58f569ed241e8e95c568f03c Mon Sep 17 00:00:00 2001
-From: Florian Weimer <fweimer@redhat.com>
-Date: Fri, 29 Apr 2022 16:37:51 +0200
-Subject: [PATCH] Do not use --hash-style=both for building glibc shared
- objects
+From 31915e55f9c34f6137ab1c5ac002375a2d5d4589 Mon Sep 17 00:00:00 2001
+From: Frederik Schwan <frederik.schwan@linux.com>
+Date: Fri, 4 Aug 2023 15:19:57 +0200
+Subject: [PATCH] force --hash-style=both to keep compatibility with old niche
+ software
 
-The comment indicates that --hash-style=both was used to maintain
-compatibility with static dlopen, but we had many internal ABI
-changes since then, so this compatiblity does not add value anymore.
-
-Reviewed-by: Carlos O'Donell <carlos@redhat.com>
 ---
- Makeconfig     |  9 +++++++++
- Makerules      |  7 +++++++
- config.make.in |  1 +
- configure      | 28 ++++++++++++++++++++++++++++
- configure.ac   | 16 ++++++++++++++++
- 5 files changed, 61 insertions(+)
+ Makeconfig | 4 ++++
+ 1 file changed, 4 insertions(+)
 
-diff --git b/Makeconfig a/Makeconfig
-index 760f14e92f..0aa5fb0099 100644
---- b/Makeconfig
-+++ a/Makeconfig
-@@ -362,6 +362,15 @@ relro-LDFLAGS = -Wl,-z,relro
+diff --git a/Makeconfig b/Makeconfig
+index 77d7fd14df..2ae67c4beb 100644
+--- a/Makeconfig
++++ b/Makeconfig
+@@ -378,6 +378,10 @@ relro-LDFLAGS = -Wl,-z,relro
  LDFLAGS.so += $(relro-LDFLAGS)
  LDFLAGS-rtld += $(relro-LDFLAGS)
  
-+ifeq (yes,$(have-hash-style))
-+# For the time being we unconditionally use 'both'.  At some time we
-+# should declare statically linked code as 'out of luck' and compile
-+# with --hash-style=gnu only.
 +hashstyle-LDFLAGS = -Wl,--hash-style=both
 +LDFLAGS.so += $(hashstyle-LDFLAGS)
 +LDFLAGS-rtld += $(hashstyle-LDFLAGS)
-+endif
 +
- ifeq (no,$(build-pie-default))
- pie-default = $(no-pie-ccflag)
- else # build-pie-default
-diff --git b/Makerules a/Makerules
-index 354528b8c7..428464f092 100644
---- b/Makerules
-+++ a/Makerules
-@@ -557,6 +557,13 @@ $(common-objpfx)shlib.lds: $(common-objpfx)config.make $(..)Makerules
- 		  -Wl,--verbose 2>/dev/null | \
- 	  sed > $@T \
- 	      -e '/^=========/,/^=========/!d;/^=========/d' \
-+	      $(if $(filter yes,$(have-hash-style)), \
-+		   -e 's/^.*\.gnu\.hash[ 	]*:.*$$/  .note.ABI-tag : { *(.note.ABI-tag) } &/' \
-+		   -e '/^[ 	]*\.hash[ 	]*:.*$$/{h;d;}' \
-+		   -e '/DATA_SEGMENT_ALIGN/{H;g}' \
-+		, \
-+		   -e 's/^.*\.hash[ 	]*:.*$$/  .note.ABI-tag : { *(.note.ABI-tag) } &/' \
-+	       ) \
- 	      -e 's/^.*\*(\.dynbss).*$$/& \
- 		 PROVIDE(__start___libc_freeres_ptrs = .); \
- 		 *(__libc_freeres_ptrs) \
-diff --git b/config.make.in a/config.make.in
-index fff4c78dd0..bf728c71c0 100644
---- b/config.make.in
-+++ a/config.make.in
-@@ -70,6 +70,7 @@ have-libcap = @have_libcap@
- have-cc-with-libunwind = @libc_cv_cc_with_libunwind@
- fno-unit-at-a-time = @fno_unit_at_a_time@
- bind-now = @bindnow@
-+have-hash-style = @libc_cv_hashstyle@
- use-default-link = @use_default_link@
- have-cxx-thread_local = @libc_cv_cxx_thread_local@
- have-loop-to-function = @libc_cv_cc_loop_to_function@
-diff --git b/configure a/configure
-index 716dc041b6..5a730dc5fc 100755
---- b/configure
-+++ a/configure
-@@ -622,6 +622,7 @@ libc_cv_cc_nofma
- libc_cv_mtls_dialect_gnu2
- fno_unit_at_a_time
- libc_cv_has_glob_dat
-+libc_cv_hashstyle
- libc_cv_fpie
- libc_cv_z_execstack
- ASFLAGS_config
-@@ -6193,6 +6194,33 @@ $as_echo "$libc_cv_fpie" >&6; }
- 
- 
- 
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for --hash-style option" >&5
-+$as_echo_n "checking for --hash-style option... " >&6; }
-+if ${libc_cv_hashstyle+:} false; then :
-+  $as_echo_n "(cached) " >&6
-+else
-+  cat > conftest.c <<EOF
-+int _start (void) { return 42; }
-+EOF
-+if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp
-+			    -fPIC -shared -o conftest.so conftest.c
-+			    -Wl,--hash-style=both -nostdlib 1>&5'
-+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
-+  (eval $ac_try) 2>&5
-+  ac_status=$?
-+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+  test $ac_status = 0; }; }
-+then
-+  libc_cv_hashstyle=yes
-+else
-+  libc_cv_hashstyle=no
-+fi
-+rm -f conftest*
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_hashstyle" >&5
-+$as_echo "$libc_cv_hashstyle" >&6; }
-+
-+
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GLOB_DAT reloc" >&5
- $as_echo_n "checking for GLOB_DAT reloc... " >&6; }
- if ${libc_cv_has_glob_dat+:} false; then :
-diff --git b/configure.ac a/configure.ac
-index d08ad4d64e..a045f6608e 100644
---- b/configure.ac
-+++ a/configure.ac
-@@ -1360,6 +1360,22 @@ LIBC_TRY_CC_OPTION([-fpie], [libc_cv_fpie=yes], [libc_cv_fpie=no])
- 
- AC_SUBST(libc_cv_fpie)
- 
-+AC_CACHE_CHECK(for --hash-style option,
-+	       libc_cv_hashstyle, [dnl
-+cat > conftest.c <<EOF
-+int _start (void) { return 42; }
-+EOF
-+if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp
-+			    -fPIC -shared -o conftest.so conftest.c
-+			    -Wl,--hash-style=both -nostdlib 1>&AS_MESSAGE_LOG_FD])
-+then
-+  libc_cv_hashstyle=yes
-+else
-+  libc_cv_hashstyle=no
-+fi
-+rm -f conftest*])
-+AC_SUBST(libc_cv_hashstyle)
-+
- AC_CACHE_CHECK(for GLOB_DAT reloc,
- 	       libc_cv_has_glob_dat, [dnl
- cat > conftest.c <<EOF
+ # Linker options to enable and disable DT_RELR.
+ ifeq ($(have-dt-relr),yes)
+ dt-relr-ldflag = -Wl,-z,pack-relative-relocs
 -- 
-2.37.1
+2.41.0
 

pkgs/development/libraries/libredwg/default.nix

@@ -34,6 +34,8 @@ stdenv.mkDerivation rec {
   in ''
     # avoid git dependency
     cp ${printVersion} build-aux/git-version-gen
+    # failing to build otherwise since glibc-2.38
+    sed '1i#include <string.h>' -i programs/dwg2SVG.c
   '';
 
   preConfigure = lib.optionalString (stdenv.isDarwin && enablePython) ''

pkgs/development/libraries/rapidjson/default.nix

@@ -29,6 +29,8 @@ stdenv.mkDerivation rec {
       url = "https://git.alpinelinux.org/aports/plain/community/rapidjson/do-not-include-gtest-src-dir.patch?id=9e5eefc7a5fcf5938a8dc8a3be8c75e9e6809909";
       hash = "sha256-BjSZEwfCXA/9V+kxQ/2JPWbc26jQn35CfN8+8NW24s4=";
     })
+    # One of these three tests reports memcpy overlap after update to glibc-2.38
+    ./test-skip-valgrind.diff
   ];
 
   postPatch = ''

pkgs/development/libraries/rapidjson/test-skip-valgrind.diff

@@ -0,0 +1,7 @@
+--- a/test/unittest/CMakeLists.txt
++++ b/test/unittest/CMakeLists.txt
+@@ -82,3 +81,0 @@
+-    add_test(NAME valgrind_unittest
+-        COMMAND valgrind --leak-check=full --error-exitcode=1 ${CMAKE_RUNTIME_OUTPUT_DIRECTORY}/unittest --gtest_filter=-SIMD.*
+-        WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/bin)
+

pkgs/servers/brickd/default.nix

@@ -30,10 +30,11 @@ stdenv.mkDerivation {
   '';
 
   buildPhase = ''
-    export
     # build the brickd binary
     mkdir src/daemonlib
     cp -r ${daemonlib}/* src/daemonlib
+    substituteInPlace src/daemonlib/utils.{c,h} \
+      --replace "_GNU_SOURCE" "__GLIBC__"
     cd src/brickd
     make
 

pkgs/tools/admin/rset/default.nix

@@ -44,5 +44,10 @@ stdenv.mkDerivation rec {
     license = licenses.isc;
     platforms = platforms.unix;
     maintainers = with maintainers; [ cstrahan ];
+    # 2023-08-19, fails to compile with glibc-2.38 because of strlcpy.
+    # At the time of writing, this was 4 minors behind already and
+    # the `paths.patch` didn't apply anymore, so this is now considered
+    # broken until somebody cares enough to fix and upgrade this.
+    broken = true;
   };
 }