Merge pull request #2580 from flatcar/buildbot/weekly-portage-stable-…

…package-updates-2025-01-13

Weekly portage-stable package updates 2025-01-13

.github/workflows/portage-stable-packages-list

@@ -229,7 +229,6 @@ dev-libs/elfutils
 dev-libs/expat
 dev-libs/glib
 dev-libs/gmp
-dev-libs/gobject-introspection
 dev-libs/gobject-introspection-common
 dev-libs/inih
 dev-libs/jansson
@@ -314,6 +313,7 @@ dev-python/hatchling
 dev-python/hatch-vcs
 dev-python/idna
 dev-python/installer
+dev-python/jaraco-collections
 dev-python/jaraco-context
 dev-python/jaraco-functools
 dev-python/jaraco-text
@@ -395,6 +395,7 @@ eclass/desktop.eclass
 eclass/dist-kernel-utils.eclass
 eclass/distutils-r1.eclass
 eclass/eapi8-dosym.eclass
+eclass/eapi9-pipestatus.eclass
 eclass/edo.eclass
 eclass/edos2unix.eclass
 eclass/elisp-common.eclass
@@ -548,6 +549,7 @@ net-nds/rpcbind
 net-vpn/wireguard-tools
 
 perl-core/File-Temp
+perl-core/Getopt-Long
 
 profiles
 

changelog/security/2025-01-weekly-updates.md

@@ -0,0 +1,2 @@
+- containers-storage, podman ([CVE-2024-9676](https://nvd.nist.gov/vuln/detail/CVE-2024-9676))
+- curl ([CVE-2024-11053](https://nvd.nist.gov/vuln/detail/CVE-2024-11053), [CVE-2024-9681](https://nvd.nist.gov/vuln/detail/CVE-2024-9681))

changelog/updates/2025-01-22-weekly-updates.md

@@ -0,0 +1,38 @@
+- SDK: qemu ([8.2.7](https://lists.gnu.org/archive/html/qemu-devel/2024-09/msg03900.html))
+- azure, dev, gce, sysext-python: python ([3.11.11_p1](https://www.python.org/downloads/release/python-31111/))
+- base, dev: audit ([4.0.2](https://github.com/linux-audit/audit-userspace/releases/tag/v4.0.2))
+- base, dev: bpftool ([7.5.0](https://github.com/libbpf/bpftool/releases/tag/v7.5.0))
+- base, dev: btrfs-progs ([6.12](https://raw.githubusercontent.com/kdave/btrfs-progs/refs/tags/v6.12/CHANGES))
+- base, dev: c-ares ([1.34.3](https://github.com/c-ares/c-ares/releases/tag/v1.34.3) (includes [1.34.2](https://github.com/c-ares/c-ares/releases/tag/v1.34.2), [1.34.1](https://github.com/c-ares/c-ares/releases/tag/v1.34.1), [1.34.0](https://github.com/c-ares/c-ares/releases/tag/v1.34.0)))
+- base, dev: ethtool ([6.10](https://git.kernel.org/pub/scm/network/ethtool/ethtool.git/tree/NEWS?h=v6.10))
+- base, dev: glib ([2.80.5](https://gitlab.gnome.org/GNOME/glib/-/releases/2.80.5) (includes [2.80.4](https://gitlab.gnome.org/GNOME/glib/-/releases/2.80.4), [2.80.3](https://gitlab.gnome.org/GNOME/glib/-/releases/2.80.3), [2.80.2](https://gitlab.gnome.org/GNOME/glib/-/releases/2.80.2), [2.80.1](https://gitlab.gnome.org/GNOME/glib/-/releases/2.80.1), [2.80.0](https://gitlab.gnome.org/GNOME/glib/-/releases/2.80.0)))
+- base, dev: gnupg ([2.4.6](https://lists.gnupg.org/pipermail/gnupg-announce/2024q4/000486.html))
+- base, dev: hwdata ([0.390](https://github.com/vcrhonek/hwdata/releases/tag/v0.390))
+- base, dev: intel-microcode ([20241112](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20241112) (includes [20241029](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20241029)))
+- base, dev: iproute2 ([6.12.0](https://lore.kernel.org/netdev/[email protected]/))
+- base, dev: kexec-tools ([2.0.30](https://github.com/horms/kexec-tools/commits/v2.0.30/))
+- base, dev: libcap ([2.71](https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.oq9dsdhihxp5))
+- base, dev: libgpg-error ([1.51](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgpg-error.git;a=blob;f=NEWS;h=75f2b2d220de4e4f53252d3367950ecb2ab85079;hb=b0bb9266010d84b30fa2dc6a2127b7e40dc03660))
+- base, dev: libnvme ([1.11.1](https://github.com/linux-nvme/libnvme/releases/tag/v1.11.1) (includes [1.11](https://github.com/linux-nvme/libnvme/releases/tag/v1.11)))
+- base, dev: libxml2 ([2.12.9](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.9))
+- base, dev: lsof ([4.99.4](https://github.com/lsof-org/lsof/releases/tag/4.99.4))
+- base, dev: npth ([1.8](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=npth.git;a=blob;f=NEWS;h=0f8d78958d8059de95e363a977051995e05dc691;hb=64905e765aad9de6054ef70a97fc30bd992ce999))
+- base, dev: nvme-cli ([2.11](https://github.com/linux-nvme/nvme-cli/releases/tag/v2.11))
+- base, dev: openldap ([2.6.8](https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_6_8/CHANGES) (includes [2.6.7](https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_6_7/CHANGES)))
+- base, dev: strace ([6.12](https://github.com/strace/strace/releases/tag/v6.12) (includes [6.11](https://github.com/strace/strace/releases/tag/v6.11), [6.10](https://github.com/strace/strace/releases/tag/v6.10)))
+- base, dev: usbutils ([018](https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usbutils.git/tree/NEWS?h=v018))
+- base, dev: xfsprogs ([6.11.0](https://git.kernel.org/pub/scm/fs/xfs/xfsprogs-dev.git/tree/doc/CHANGES?h=v6.11.0))
+- dev: bash-completion ([2.15.0](https://github.com/scop/bash-completion/releases/tag/2.15.0))
+- dev: binutils ([2.43](https://lists.gnu.org/archive/html/info-gnu/2024-08/msg00001.html))
+- docker: docker-buildx ([0.14.0](https://github.com/docker/buildx/releases/tag/v0.14.0) (includes [0.13.0](https://github.com/docker/buildx/releases/tag/v0.13.0), [0.12.0](https://github.com/docker/buildx/releases/tag/v0.12.0), [0.11.0](https://github.com/docker/buildx/releases/tag/v0.11.0)))
+- gce: six ([1.17.0](https://github.com/benjaminp/six/blob/1.17.0/CHANGES))
+- sysext-podman: containers-storage ([1.55.1](https://github.com/containers/storage/releases/tag/v1.55.1))
+- sysext-podman: gpgme ([1.24.1](https://dev.gnupg.org/T7440) (includes [1.24.0](https://dev.gnupg.org/T7376)))
+- sysext-podman: podman ([5.3.0](https://github.com/containers/podman/releases/tag/v5.3.0))
+- sysext-python: charset-normalizer ([3.4.1](https://github.com/jawah/charset_normalizer/releases/tag/3.4.1))
+- sysext-python: pip ([24.3.1](https://github.com/pypa/pip/blob/24.3.1/NEWS.rst) (includes [24.3](https://github.com/pypa/pip/blob/24.3/NEWS.rst))
+- sysext-python: setuptools ([75.6.0](https://github.com/pypa/setuptools/blob/v75.6.0/NEWS.rst) (includes [75.5.0](https://github.com/pypa/setuptools/blob/75.5.0/NEWS.rst), [75.4.0](https://github.com/pypa/setuptools/blob/75.4.0/NEWS.rst), [75.3.0](https://github.com/pypa/setuptools/blob/75.3.0/NEWS.rst), [75.2.0](https://github.com/pypa/setuptools/blob/75.2.0/NEWS.rst), [75.1.1](https://github.com/pypa/setuptools/blob/75.1.1/NEWS.rst), [75.1.0](https://github.com/pypa/setuptools/blob/75.1.0/NEWS.rst), [75.0.0](https://github.com/pypa/setuptools/blob/75.0.0/NEWS.rst)))
+- sysext-python: urllib3 ([2.3.0](https://github.com/urllib3/urllib3/releases/tag/2.3.0))
+- sysext-python: wheel ([0.45.1](https://github.com/pypa/wheel/releases/tag/0.45.1) (includes [0.45.0](https://github.com/pypa/wheel/releases/tag/0.45.0)))
+- sysext-zfs: zfs ([2.2.7](https://github.com/openzfs/zfs/releases/tag/zfs-2.2.7) (includes [2.2.6](https://github.com/openzfs/zfs/releases/tag/zfs-2.2.6)))
+- vmware: libltdl ([2.5.4](https://savannah.gnu.org/news/?id=10693) (includes [2.5.3](https://savannah.gnu.org/news/?id=10676), [2.5.2](https://savannah.gnu.org/news/?id=10669), [2.5.1](https://savannah.gnu.org/news/?id=10660), [2.5.0](https://savannah.gnu.org/news/?id=10631)))

sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1.ebuild

@@ -28,7 +28,7 @@ DEPEND="
 	app-text/mandoc
 	coreos-base/hard-host-depends
 	coreos-base/coreos-sb-keys
-	dev-libs/gobject-introspection
+	dev-libs/gobject-introspection-common
 	dev-python/setuptools
 	dev-python/six
 	dev-util/catalyst

sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-libs/glib

@@ -0,0 +1,7 @@
+# Do not install gobject-introspection binaries in production images.
+if [[ $(cros_target) != "cros_host" ]] ; then
+	glib_mask="/usr/bin/gi-* /usr/lib*/libgirepository-2.0*"
+	PKG_INSTALL_MASK+=" ${glib_mask}"
+	INSTALL_MASK+=" ${glib_mask}"
+	unset glib_mask
+fi

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults

@@ -8,7 +8,7 @@ USE_EXPAND="${USE_EXPAND} TESTS"
 # For now this is only informational and set by coreos-go.eclass
 USE_EXPAND="${USE_EXPAND} GO_VERSION"
 
-USE="${USE} -cracklib -introspection -cups -tcpd -berkdb"
+USE="${USE} -cracklib -cups -tcpd -berkdb"
 
 # Use Python 3 as the default version
 USE="${USE} -python_single_target_python2_7 python_single_target_python3_11"

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords

@@ -7,34 +7,16 @@
 # Gentoo upstream package stabilisation
 # (the following packages are "unstable" upstream; we're stabilising these)
 
-# Needed by updated app-containers/containers-common
-=app-containers/aardvark-dns-1.12.2-r1 ~amd64 ~arm64
-
 # Handled by automation
 =app-containers/containerd-1.7.23 ~amd64 ~arm64 # DO NOT EDIT THIS LINE. Added by containerd-apply-patch.sh on 2024-10-18 08:06:10
 
-# Needed to address CVE-2024-9341.
-=app-containers/containers-common-0.60.4 ~amd64 ~arm64
-
-# Needed to address CVE-2024-3727.
-=app-containers/containers-image-5.32.2 ~amd64 ~arm64
-
-# Needed by updated app-containers/containers-common
-=app-containers/containers-storage-1.55.0 ~amd64 ~arm64
-
 # Keep versions on both arches in sync.
 =app-containers/cri-tools-1.27.0 ~arm64
 
-# Needed by updated app-containers/containers-common
-=app-containers/crun-1.17 ~amd64 ~arm64
-
 # Accept unstable for Docker and its CLI.
 =app-containers/docker-27.3.1 ~amd64 ~arm64
 =app-containers/docker-cli-27.3.1 ~amd64 ~arm64
 
-# Needed by updated app-containers/containers-common
-=app-containers/netavark-1.12.2-r1 ~amd64 ~arm64
-
 # These seem to be the versions we initially got, but the
 # modifications made to the ebuilds were clobbered, so these are here
 # to keep using the same version. Can be dropped when these or newer
@@ -57,7 +39,7 @@
 =app-crypt/p11-kit-0.25.5 ~amd64 ~arm64
 
 # Needed in SDK for Secure Boot.
-=app-emulation/virt-firmware-24.7 ~amd64 ~arm64
+=app-emulation/virt-firmware-24.7 ~amd64
 
 # Needed by arm64-native SDK.
 =app-emulation/open-vmdk-1.0 *
@@ -81,7 +63,7 @@
 =dev-libs/luksmeta-9-r1 **
 
 # Keep versions on both arches in sync.
-=dev-util/bpftool-7.4.0 ~arm64
+=dev-util/bpftool-7.5.0 ~arm64
 
 # Catalyst 4 is not stable yet, but earlier versions are masked now.
 =dev-util/catalyst-4.0.0 ~amd64 ~arm64
@@ -91,30 +73,25 @@
 =net-libs/libnetfilter_cthelper-1.0.1-r1 ~arm64
 =net-libs/libnetfilter_cttimeout-1.0.1 ~arm64
 
-# Needed by updated app-containers/containers-common
-=net-misc/passt-2024.09.06 ~amd64 ~arm64
+# Needed to address CVE-2024-11053 and CVE-2024-9681
+=net-misc/curl-8.11.1-r2 ~amd64 ~arm64
 
 # Keep versions on both arches in sync.
-=net-nds/openldap-2.6.6-r2 ~amd64
+=net-nds/openldap-2.6.8 ~amd64
 
 # Package has not been stabilised yet.
 =sys-apps/azure-vm-utils-0.4.0 ~amd64 ~arm64
 
 # Keep versions on both arches in sync.
-=sys-apps/kexec-tools-2.0.29-r1 ~arm64
-=sys-apps/util-linux-2.40.2 ~arm64
 =sys-apps/zram-generator-1.1.2-r1 ~arm64
 =sys-auth/sssd-2.9.5 ~arm64
 =sys-boot/mokutil-0.7.2 **
 
 # Enable ipvsadm for arm64.
 =sys-cluster/ipvsadm-1.31-r1 ~arm64
 
-# Keep versions on both arches in sync.
-=sys-devel/binutils-config-5.5.2 ~arm64
-
 # Needed in SDK for Secure Boot on arm64. Also addresses CVE-2024-1298.
-=sys-firmware/edk2-bin-202408 ~amd64 ~arm64
+=sys-firmware/edk2-bin-202408 ~amd64
 
-# Needed by updated app-containers/containers-common
-=sys-fs/fuse-overlayfs-1.14 ~amd64 ~arm64
+# Keep versions on both arches in sync.
+=sys-process/audit-4.0.2-r1 ~arm64

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask

@@ -17,3 +17,9 @@
 
 # Update engine needs updating to use a newer version of protobuf.
 >=dev-libs/protobuf-22.0
+
+# Pulls in LLVM and clang.
+>=sys-block/thin-provisioning-tools-1.0.14
+
+# Pulls in python into production.
+>=sys-auth/sssd-2.9.6

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.provided

@@ -10,3 +10,7 @@ sys-fs/udev-init-scripts-35
 # A dependency of dev-libs/libtracefs. It's apparently for docs, that
 # we don't even include anywhere.
 dev-util/source-highlight-3.1.9-r2
+
+# Pulled in by bpftool[-clang], We never provided co-re in bpftool and
+# for now continue to do so.
+sys-devel/bpf-toolchain-14.2.0_p1

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use

@@ -112,9 +112,6 @@ net-firewall/iptables nftables
 # Install `perl` with a minimal set of dependencies
 dev-lang/perl minimal
 
-# Remove support for GObject introspection
-sys-auth/polkit -introspection
-
 # enables ELF support to e.g. allow tc to handle BPF filters.
 sys-apps/iproute2 elf
 

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.mask

@@ -25,8 +25,3 @@ sys-fs/btrfs-progs man
 # put anywhere. Thus avoid pulling more dependencies than necessary
 # for throw-away things.
 dev-python/pillow jpeg
-
-# bpftool ebuild started to bdepend on sys-devel/clang unconditionally
-# in order to build co-re support. We can try avoiding it by masking
-# the USE flag that currently gets enabled by default.
-dev-util/bpftool llvm_slot_18

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask

@@ -21,3 +21,6 @@ python_single_target_python3_13
 # We don't care about i10n, takes too much space, pulls in too many
 # extra dependencies.
 nls
+
+# We don't care about GObject introspection.
+introspection

sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use

@@ -50,3 +50,10 @@ sys-fs/fuse -suid
 
 # skip dependency for this sysext package
 net-misc/chrony -readline
+
+# Do not pull llvm into prod (use binutils-libs instead).
+#
+# Disable co-re (we never had it enabled, but now it's forced by the
+# ebuild; this will pull sys-devel/bpf-toolchain, which we put into
+# package.provided in SDK).
+dev-util/bpftool -llvm -clang

sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/make.defaults

@@ -18,7 +18,6 @@ INSTALL_MASK="${INSTALL_MASK}
   /usr/share/eselect
   /usr/share/gdb
   /usr/share/gettext
-  /usr/share/gobject-introspection-1.0
   /usr/share/pkgconfig
   /usr/share/readline
   /usr/src

sdk_container/src/third_party/portage-stable/app-arch/bzip2/bzip2-1.0.8-r5.ebuild

@@ -1,4 +1,4 @@
-# Copyright 1999-2024 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 # XXX: atm, libbz2.a is always PIC :(, so it is always built quickly
@@ -70,7 +70,8 @@ multilib_src_compile() {
 
 multilib_src_test() {
 	cp "${S}"/sample* "${BUILD_DIR}" || die
-	bemake -f "${S}"/Makefile check
+	ln -s libbz2.so.1.0 libbz2.so.1 || die
+	LD_LIBRARY_PATH=".:${LD_LIBRARY_PATH}" bemake -f "${S}"/Makefile check
 }
 
 multilib_src_install() {

sdk_container/src/third_party/portage-stable/app-arch/lbzip2/lbzip2-2.5_p20181227-r2.ebuild → sdk_container/src/third_party/portage-stable/app-arch/lbzip2/lbzip2-2.5_p20181227-r3.ebuild

@@ -3,7 +3,7 @@
 
 EAPI=8
 
-inherit autotools flag-o-matic
+inherit autotools flag-o-matic toolchain-funcs
 
 DESCRIPTION="Parallel bzip2 utility"
 HOMEPAGE="https://github.com/kjn/lbzip2/"
@@ -29,6 +29,10 @@ src_prepare() {
 src_configure() {
 	use static && append-ldflags -static
 
+	# fix clang miscompilation: #910438
+	# see also: https://github.com/llvm/llvm-project/issues/87189
+	tc-is-clang && test-flag-CC -mno-avx512f && append-cflags -mno-avx512f
+
 	local myeconfargs=(
 		$(use_enable debug tracing)
 	)

sdk_container/src/third_party/portage-stable/app-arch/libarchive/Manifest

@@ -1,4 +1,2 @@
-DIST libarchive-3.7.6.tar.xz 5458552 BLAKE2B 3251dc4d59867d1c9b43e78ac7735c27670e819a1aba4f4a76372b8509e2427ff24e379f6102a4cc3c92b965d182c8939bb6df4c82d4d1141cdd1db13bf039a2 SHA512 3ca90d665772418b9ac444044511989e81e785a13db3c101851390ba7c2ba0793c799cedb9df990e900ab78c98207f70ecee7e21829578555dde99424950ae2a
-DIST libarchive-3.7.6.tar.xz.asc 659 BLAKE2B 9f6a621dd4aa20f06dff71225723e60a6cee1f2a54ff07d2d19670153105f2f75d6439320f49eb46c28a4416828af7dc4f0d827e46ec9aeb5b703f06eb329d77 SHA512 2840b13f910f47d34daeed9680beb4b3cdde2d7de26ab8453756261c51fb7a39b727454f370b0ee60f8e1646c65544331a22558cbe8faf79a201b1d1346b37c1
 DIST libarchive-3.7.7.tar.xz 5480580 BLAKE2B e118c693f7a78e86ab868fc6c2c77beba539cf5c7d5999e270cdceb225e9f85c68c938ec6ce3a33f75b2a44a6f7debe2c280d2573c1bcf05806300e8dce1a4f0 SHA512 2524f71f4c2ebc254a1927279be3394e820d0a0c6dec7ef835a862aa08c35756edaa4208bcdc710dd092872b59c200b555b78670372e2830822e278ff1ec4e4a
 DIST libarchive-3.7.7.tar.xz.asc 659 BLAKE2B 066d97312ded566e2c96ffc4603477fc829bcf17dcc057249dad51a0abea7aa5559691c0c25b581212168f8442db028a2dcc34148c648e973450fcb9dd5e35af SHA512 9f532df76bc381b40d7454a7bbbab85e34a646167ee7ca197fae45c713002e32f40e2b2871bc4a0d7149df19e69e2079efd9ab2f22eccf959b203604293d6094