Removed rpms
============

- google-arimo-fonts
- google-cousine-fonts
- google-noto-fonts-doc
- google-tinos-fonts

Added rpms
==========

- google-noto-sans-jp-bold-fonts
- google-noto-sans-jp-fonts
- google-noto-sans-jp-regular-fonts
- google-noto-sans-kr-bold-fonts
- google-noto-sans-kr-fonts
- google-noto-sans-kr-regular-fonts
- google-noto-sans-sc-bold-fonts
- google-noto-sans-sc-fonts
- google-noto-sans-sc-regular-fonts
- google-noto-sans-tc-bold-fonts
- google-noto-sans-tc-fonts
- google-noto-sans-tc-regular-fonts
- google-noto-serif-jp-bold-fonts
- google-noto-serif-jp-fonts
- google-noto-serif-jp-regular-fonts
- google-noto-serif-kr-bold-fonts
- google-noto-serif-kr-fonts
- google-noto-serif-kr-regular-fonts
- google-noto-serif-sc-bold-fonts
- google-noto-serif-sc-fonts
- google-noto-serif-sc-regular-fonts
- google-noto-serif-tc-bold-fonts
- google-noto-serif-tc-fonts
- google-noto-serif-tc-regular-fonts
- libtiff6
- noto-arimo-fonts
- noto-cousine-fonts
- noto-tinos-fonts

Package Source Changes
======================

ImageMagick +- version update to 7.1.1.21 + https://github.com/ImageMagick/Website/blob/main/ChangeLog.md +- modified patches + [bsc#1217014][bsc#1216811] + % ImageMagick-s390x-disable-tests.patch (refreshed) +- deleted patches + - ImageMagick-correct-time-to-live.patch (upstreamed) +- added patches + https://github.com/ImageMagick/ImageMagick/commit/8f3c56fabc619c1672865257e5aafe33cbfaaf3e + https://github.com/ImageMagick/ImageMagick/commit/3a7b915d9a810ce742987b37c935f6ae8b36df10 + + ImageMagick-infinite-resource-time-limit.patch + curl + * [bsc#1217573, CVE-2023-46218] cookie mixed case PSL bypass + * [bsc#1217574, CVE-2023-46219] HSTS long file name clears contents + * Add curl-CVE-2023-46218.patch curl-CVE-2023-46219.patch + +- Security fixes: desktop-file-utils +- Add patches to support Desktop entry spec 1.5 (bsc#1216357): + * 0001-validate-support-SingleMainWindow-key-from-1.5.patch + * 0002-validate-Support-version-1.5.patch +
e2fsprogs -- libext2fs-add-sanity-check-to-extent-manipulation.patch: libext2fs: add - sanity check to extent manipulation (bsc#1198446 CVE-2022-1304) +- libext2fs-add-sanity-check-to-extent-manipulation.patch: Merged upstream + in 1.46.6 +- References to old bugs fixed by updating to latest upstream version: + CVE-2015-0247 CVE-2015-1572 CVE-2019-5094 CVE-2019-5188 CVE-2022-1304 + bsc#1009532 bsc#1038194 bsc#1128383 bsc#1145716 bsc#1152101 bsc#1154295 + bsc#1160571 bsc#1160979 bsc#1170964 bsc#1183791 bsc#1198446 bsc#915402 + bsc#918346 bsc#960273 -- Add references from old package: - Autoreconf removed from the spec file, just without bsc reference - (bsc#1183791) - Fix po-remove-unnecessary-buggy-positional-parameter-spe.patch in 1.45.3 - (bsc#1170964) - Fix e2fsck-clarify-overflow-link-count-error-message.patch in 1.46.0 - (bsc#1160979) - Fix ext2fs-update-allocation-info-earlier-in-ext2fs_mkdi.patch in 1.46.0 - (bsc#1160979) - Fix ext2fs-implement-dir-entry-creation-in-htree-directo.patch in 1.46.0 - (bsc#1160979) - Fix tests-add-test-to-excercise-indexed-directories-with.patch in 1.46.0 - (bsc#1160979) - Fix tune2fs-update-dir-checksums-when-clearing-dir_index.patch in 1.46.0 - (bsc#1160979) - Fix e2fsck-abort-if-there-is-a-corrupted-directory-block.patch in 1.45.5 - (bsc#1160571 CVE-2019-5188) - Fix e2fsck-don-t-try-to-rehash-a-deleted-directory.patch in 1.45.5 - (bsc#1160571 CVE-2019-5188) - Fix resize2fs-Make-minimum-size-estimates-more-reliable.patch in 1.45.5 - (bsc#1154295) - Fix libsupport-add-checks-to-prevent-buffer-overrun-bugs.patch in 1.45.4 - (bsc#1152101 CVE-2019-5094) - Fix libext2fs-call-fsync-2-to-clear-stale-errors-for-a-n.patch in 1.44.3 - (bsc#1145716) - Fix e2fsck-check-and-fix-tails-of-all-bitmaps.patch in 1.45.1 (bsc#1128383) - Fix libext2fs-Fix-fsync-2-detection.patch in 1.44.0 (bsc#1038194) - Fix resize2fs-Fix-32-64-bit-overflow-when-multiplying-by-blocks-cl.patch - in 1.42.12 (bsc#1009532) - Fix 
libext2fs-fix-potential-buffer-overflow-in-closefs.patch - in 1.42.13 (bsc#918346 CVE-2015-1572) - Fix libext2fs-avoid-buffer-overflow-if-s_first_meta_bg-i.patch - in 1.42.12 (bsc#915402 CVE-2015-0247) - Got specfile fix through Factory (bsc#960273) - Fix libext2fs-don-t-ignore-fsync-errors.patch in 1.43.4 (bsc#1038194) +- mke2fs-Drop-metadata_csum_seed-and-orphan_file-from-.patch: Update + mke2fs.conf to create filesystems only with features supported + by tools in SLE15-SP4/5 by default. + +- Update specfile to make sure regenerate_initrd_post macro is defined + +- Update to 1.47.0: + * Add support for the orphan_file feature, which speeds up workloads + that are deleting or truncating a large number files in parallel. + This compat feature was first supported in the v5.15 Linux kernel. + * The mke2fs program (via the mke2fs.conf file) now enables the + metadata_csum_seed and orphan_file features by default. + The metadata_csum_seed feature is an incompat feature which is + first supported in the Linux kernel starting in the 4.4 kernel. + * Mke2fs now supports the extended option "assume_storage_prezeroed" + which causes mke2fs to skip zeroing the journal and inode tables + and to mark the inode tables as zeroed. + * Add support to tune2fs and e2label to set the label and UUID for + a mounted file system using a ioctl, which is more reliable than + modifying the superblock via writing to the block device. + The kernel support for setting the label landed in v5.17, while + the support for adding the UUID landed in v6.0. If the ioctls + are not supported, tune2fs and e2label will fall back old + strategy of directly modifying the superblock. + * Allow tune2fs to disable the casefold feature after scanning all + of the directories do not have the Casefold flag set. + +- Replace transitional %usrmerged macro with regular version check (boo#1206798) + +- Refresh e2fsprogs.keyring based on currently provided keys. 
+ +- Spec file cleanup: + + Drop remainders regarding -mini packages, which was not a thing + since Jan 2014. + + Split build of fuse2fs out into a sep build (_multibuild + enabled). + +- enabled fuse2fs build which enable to mount ext2/3/4 via FUSE + +- avoid empty preuninstall script + +- Update to 1.46.5: + * better handling for resizing to fs sizes which would exceed inode limits + * fix crash in e2fsck fastcommit handling + * fix possibly lost quota limits when e2fsck corrects quota files + * fix tune2fs to properly transfer quota limits when convertion quota files + * add support for handling of version 0 quota files in tune2fs + * teach libss to use libreadline.so.8 + * optimize resize2fs cpu usage for large filesystems + * teach libuuid to use getrandom() or getentropy() if available +- libss-add-newer-libreadline.so.8-to-dlopen-path.patch: Remove, merged upstream +- quota-Add-support-to-version-0-quota-format.patch: Remove, merged upstream +- quota-Fold-quota_read_all_dquots-into-quota_update_l.patch: Remove, merged upstream +- quota-Rename-quota_update_limits-to-quota_read_all_d.patch: Remove, merged upstream +- tune2fs-Fix-conversion-of-quota-files.patch: Remove, merged upstream +- e2fsck-Do-not-trash-user-limits-when-processing-orph.patch: Remove, merged upstream +- debugfs-Fix-headers-for-quota-commands.patch: Remove, merged upstream +- quota-Drop-dead-code.patch: Remove, merged upstream + +- Drop ProtectClock hardening, can cause issues if other device acceess is needed glibc -- dl-map-segment-align-munmap.patch: elf: Align argument of __munmap to - page size (bsc#1215891, BZ #28676) +- gb18030-2022.patch: add GB18030-2022 charmap (jsc#PED-4908, BZ #30243) -- gai-merge-continue-actions.patch: Simplify allocations and fix merge and - continue actions (CVE-2023-4813, bsc#1215286, BZ #28931) +- dtors-reverse-ctor-order.patch: Remove, has been reverted -- gb18030-2022.patch: add GB18030-2022 charmap (jsc#PED-4908, BZ #30243) +- Avoid use of SSE in i586 
build -- nscd-netlink-cache-invalidation.patch: nscd: Fix netlink cache - invalidation if epoll is used (bsc#1212910, BZ #29415) +- Add systemd also to gshadow lookups (jsc#PED-5188) +- For SLE continue to use nsswitch.conf without systemd -- nss-files-hosts-v4mapped.patch: Restore lookup of IPv4 mapped addresses - in files database (bsc#1212819, BZ #25457) +- setxid-propagate-glibc-tunables.patch: Propagate GLIBC_TUNABLES in + setxid binaries +- tunables-string-parsing.patch: tunables: Terminate if end of input is + reached (CVE-2023-4911, bsc#1215501) + +- fstat-implementation.patch: io: Do not implement fstat with fstatat + +- getaddrinfo-memory-leak.patch: Fix leak in getaddrinfo introduced by the + fix for CVE-2023-4806 (CVE-2023-5156, bsc#1215714, BZ #30884) + +- getcanonname-use-after-free.patch: getaddrinfo: Fix use after free in + getcanonname (CVE-2023-4806, bsc#1215281, BZ #30843) +- Do not build any cross packages in SLES + +- no-aaaa-read-overflow.patch: Stack read overflow with large TCP + responses in no-aaaa mode (CVE-2023-4527, bsc#1215280, BZ #30842) + +- Add systemd to passwd, group and shadow lookups (jsc#PED-5188) + +- ppc64-flock-fob64.patch: io: Fix record locking contants for powerpc64 + with __USE_FILE_OFFSET64 (BZ #30804) +- libio-io-vtables.patch: libio: Fix oversized __io_vtables +- call-init-proxy-objects.patch: elf: Do not run constructors for proxy + objects +- dtors-reverse-ctor-order.patch: elf: Always call destructors in reverse + constructor order (BZ #30785) + +- intl-c-utf-8-like-c-locale.patch: intl: Treat C.UTF-8 locale like C + locale (BZ #16621) +- glibc-disable-gettext-for-c-utf8.patch: Removed + +- Add cross-ppc64le package + +- posix-memalign-fragmentation.patch: malloc: Enable merging of remainders + in memalign, remove bin scanning from memalign (BZ #30723) +- Limit build counter sync to i686 flavor, to reduce needs for rebuilds + +- Add cross-s390x package (bsc#1214460) + +- Require that elf/check-localplt does not 
fail +- glibc-2.3.90-langpackdir.diff: add hidden alias for __strcpy_chk +- cache-amd-legacy.patch: x86: Fix for cache computation on AMD legacy + cpus +- cache-intel-shared.patch: x86: Fix incorrect scope of setting + `shared_per_thread` (BZ# 30745) + +- Update to glibc 2.38 + * When C2X features are enabled and the base argument is 0 or 2, the + following functions support binary integers prefixed by 0b or 0B as + input + * PRIb*, PRIB* and SCNb* macros from C2X have been added to + . + * printf-family functions now support the wN format length modifiers for + arguments of type intN_t, int_leastN_t, uintN_t or uint_leastN_t + and the wfN format + length modifiers for arguments of type int_fastN_t or uint_fastN_t, as + specified in draft ISO C2X + * A new tunable, glibc.pthread.stack_hugetlb, can be used to disable + Transparent Huge Pages (THP) in stack allocation at pthread_create + * Vector math library libmvec support has been added to AArch64 + * The strlcpy and strlcat functions have been added + * CVE-2023-25139: When the printf family of functions is called with a + format specifier that uses an (enable grouping) and a + minimum width specifier, the resulting output could be larger than + reasonably expected by a caller that computed a tight bound on the + buffer size +- Enable build with _FORTIFY_SOURCE +- glibc-2.3.90-langpackdir.diff: avoid reference to __strcpy_chk +- iconv-error-verbosity.patch: iconv: restore verbosity with unrecognized + encoding names (BZ #30694) +- printf-grouping.patch, strftime-time64.patch, + getlogin-no-loginuid.patch, fix-locking-in-_IO_cleanup.patch, + gshadow-erange-rhandling.patch, system-sigchld-block.patch, + gmon-buffer-alloc.patch, check-pf-cancel-handler.patch, + powerpc64-fcntl-lock.patch, realloc-limit-chunk-reuse.patch, + dl-find-object-return.patch; Removed +- bsc#1211828 +- bsc#1212819 + +- gshadow-erange-rhandling.patch: gshadow: Matching sgetsgent, sgetsgent_r + ERANGE handling (BZ #30151) +- 
system-sigchld-block.patch: posix: Fix system blocks SIGCHLD erroneously + (BZ #30163) +- gmon-buffer-alloc.patch: gmon: Fix allocated buffer overflow + (CVE-2023-0687, bsc#1207975, BZ #29444) +- check-pf-cancel-handler.patch: __check_pf: Add a cancellation cleanup + handler (BZ #20975) +- powerpc64-fcntl-lock.patch: io: Fix F_GETLK, F_SETLK, and F_SETLKW for + powerpc64 +- realloc-limit-chunk-reuse.patch: realloc: Limit chunk reuse to only + growing requests (BZ #30579) +- dl-find-object-return.patch: elf: _dl_find_object may return 1 during + early startup (BZ #30515) -- remove-excessive-p-align-check.patch: elf: Remove excessive p_align - check on PT_LOAD segments (bsc#1211829, BZ #28688) -- segment-align.patch: elf: Properly align PT_LOAD segments (bsc#1211829, - BZ #28676) -- ld-so-always-use-map-copy.patch: ld.so: Always use MAP_COPY to map the - first segment (BZ #30452) +- Need to build with GCC 12 as minimum -- resolv-conf-lock.patch: resolv_conf: release lock on allocation failure - (bsc#1211828, BZ #30527) +- fix-locking-in-_IO_cleanup.patch: Update to final version -- ulp-prologue-into-asm-functions.patch: Add support for livepatches - in ASM written functions (bsc#1211726) +- ulp-prologue-into-asm-functions.patch: Add support for livepatches in + ASM written functions (bsc#1210777, bsc#1211726) -- amd-cacheinfo.patch: x86: Cache computation for AMD architecture - (bsc#1207957) - -- gmon-hash-table-size.patch: gmon: Fix allocated buffer overflow - (CVE-2023-0687, bsc#1207975, BZ #29444) - -- strncmp-avx2-boundary.patch: Fix avx2 strncmp offset compare condition - check (bsc#1208358, BZ #25933) - -- dlopen-filter-object.patch: elf: Allow dlopen of filter object to work - (bsc#1207571, BZ #16272) -- powerpc-tst-ucontext.patch: powerpc: Fix unrecognized instruction errors - with recent GCC - -- x86-shared-non-temporal-threshold.patch: Reversing calculation of - __x86_shared_non_temporal_threshold (bsc#1201942) +- Update to glibc 2.37 + * The getent tool 
now supports the --no-addrconfig option + * The dynamic linker no longer loads shared objects from the "tls" + subdirectories on the library search path or the subdirectory that + corresponds to the AT_PLATFORM system name, or employs the legacy AT_HWCAP + search mechanism, which was deprecated in version 2.33 +- printf-grouping.patch: Account for grouping in printf width (BZ #30068) +- strftime-time64.patch: Use 64-bit time_t interfaces in strftime and + strptime (BZ #30053) +- glibcextract-compile-c-snippet.patch, sys-mount-kernel-definition.patch, + sys-mount-usage.patch, nscd-netlink-cache-invalidation.patch, + syslog-large-messages.patch, dlmopen-libc-early-init.patch, + ldd-vdso-dependency.patch, syslog-extra-whitespace.patch, + errlist-edeadlock.patch, makeflags.patch, get-nscd-addresses.patch, + x86-64-avx2-string-functions.patch, nscd-aicache.patch, + dl-debug-bindings.patch, floatn.patch: Removed +- bsc#1207957 +- bsc#1208358 +- bsc#1212910 + +- Remove reference to obsolete %usrmerged macro (boo#1206798) + +- floatn.patch: Update _FloatN header support for C++ in GCC 13 + +- nscd: Convert to systemd-sysusers + +- dl-debug-bindings.patch: elf: Reinstate on DL_DEBUG_BINDINGS + _dl_lookup_symbol_x (bsc#1204710) + +- get-nscd-addresses.patch: get_nscd_addresses: Fix subscript typos (BZ + [#29605]) +- x86-64-avx2-string-functions.patch: check for required cpu features in + AVX2 string functions (BZ #29611) +- nscd-aicache.patch: nscd: Drop local address tuple variable (BZ #29607) + +- makeflags.patch: Makerules: fix MAKEFLAGS assignment for upcoming + make-4.4 (BZ# 29564) + +- errlist-edeadlock.patch: errlist: add missing entry for EDEADLOCK (BZ + [#29545]) + +- syslog-large-messages.patch: syslog: Fix large messages (CVE-2022-39046, + bsc#1203011, BZ #29536) +- dlmopen-libc-early-init.patch: elf: Call __libc_early_init for reused + namespaces (BZ #29528) +- ldd-vdso-dependency.patch: elf: Restore how vDSO dependency is printed + with LD_TRACE_LOADED_OBJECTS 
(BZ #29539) +- syslog-extra-whitespace.patch: syslog: Remove extra whitespace between + timestamp and message (BZ #29544) -- memcmp-power10.patch: powerpc: Optimized memcmp for power10 - (jsc#PED-987) - -- disable-check-consistency.patch: i386: Disable check_consistency for GCC - 5 and above (bsc#1201640, BZ #25788) +- nscd-netlink-cache-invalidation.patch: nscd: Fix netlink cache + invalidation if epoll is used (boo#1199964, BZ #29415) -- static-tls-surplus.patch: Remove tunables (bsc#1201560) +- glibcextract-compile-c-snippet.patch: glibcextract.py: Add + compile_c_snippet +- sys-mount-kernel-definition.patch: linux: Mimic kernel definition for + BLOCK_SIZE +- sys-mount-usage.patch: linux: Fix sys/mount.h usage with kernel headers + +- Update to glibc 2.36 + Major new features: + * Support for DT_RELR relative relocation format has been added to + glibc + * On Linux, the pidfd_open, pidfd_getfd, and pidfd_send_signal functions + have been added + * On Linux, the process_madvise function has been added + * On Linux, the process_mrelease function has been added + * The “no-aaaa” DNS stub resolver option has been added + * On Linux, the fsopen, fsmount, move_mount, fsconfig, fspick, open_tree, + and mount_setattr have been added + * localedef now accepts locale definition files encoded in UTF-8 + * Support for the mbrtoc8 and c8rtomb multibyte/UTF-8 character conversion + functions has been added per the ISO C2X N2653 and C++20 P0482R6 proposals + * The functions arc4random, arc4random_buf, and arc4random_uniform have been + added + Deprecated and removed features, and other changes affecting compatibility: + * Support for prelink will be removed in the next release + * The Linux kernel version check has been removed along with the + LD_ASSUME_KERNEL environment variable + * On Linux, The LD_LIBRARY_VERSION environment variable has been removed +- get-nprocs-sched-uninit-read.patch, get-nprocs-inaccurate.patch, + strcmp-rtm-fallback.path, pt-load-invalid-hole.patch, 
+ localedef-ld-monetary.patch, nptl-spurious-eintr.patch, + strncpy-power9-vsx.patch, nptl-cleanup-async-restore.patch, + read-chk-cancel.patch, wcrtomb-fortify.patch, + nptl-cleanup-async-restore-2.patch: Removed +- CVE-2023-4813, bsc#1215286 +- bsc#1198751 +- bsc#1200334 + +- nptl-cleanup-async-restore-2.patch: nptl: Fix + ___pthread_unregister_cancel_restore asynchronous restore (bsc#1200093, + BZ #29214) + +- read-chk-cancel.patch: debug: make __read_chk a cancellation point + (bsc#1200682, BZ #29274) +- wcrtomb-fortify.patch: wcrtomb: Make behavior POSIX compliant + (bsc#1200688) -- static-tls-surplus.patch: rtld: Avoid using up static TLS surplus for - optimizations (bsc#1200855, BZ #25051) +- Set SUSE_ZNOW=0 - __strncpy_power9 (bsc#1200334, BZ #29197) + __strncpy_power9 (BZ #29197) +- nptl-cleanup-async-restore.patch: nptl: Fix __libc_cleanup_pop_restore + asynchronous restore (bsc#1200093, BZ #29214) + +- nptl-spurious-eintr.patch: nptl: Handle spurious EINTR when thread + cancellation is disabled (BZ #29029) + +- Follow the distro default gcc version to build the cross + bootstrap packages. 
+ +- switched to https urls + +- get-nprocs-sched-uninit-read.patch: linux: __get_nprocs_sched: do not + feed CPU_COUNT_S with garbage (BZ #28850) +- get-nprocs-inaccurate.patch: linux: fix accuracy of get_nprocs and + get_nprocs_conf (BZ #28865) +- strcmp-rtm-fallback.path: x86: Fallback {str|wcs}cmp RTM in the ncmp + overflow case (BZ #28896) +- pt-load-invalid-hole.patch: elf: Check invalid hole in PT_LOAD segments + (BZ #28838) +- localedef-ld-monetary.patch: localedef: Update LC_MONETARY handling (BZ + [#28845]) + +- Update to glibc 2.35 + Major new features: + * Unicode 14.0.0 Support + * Bump r_version in the debugger interface to 2 + * Support for the C.UTF-8 locale has been added to glibc + * functions that round their results to a narrower type, and + corresponding macros, are added from TS 18661-1:2014, TS + 18661-3:2015 and draft ISO C2X + * functions for floating-point maximum and minimum, + corresponding to new operations in IEEE 754-2019, and corresponding + macros, are added from draft ISO C2X + * macros for single-precision float constants are added as a + GNU extension + * The __STDC_IEC_60559_BFP__ and __STDC_IEC_60559_COMPLEX__ macros are + predefined as specified in TS 18661-1:2014 + * The exp10 functions in now have a corresponding type-generic + macro in + * The ISO C2X macro _PRINTF_NAN_LEN_MAX has been added to + * printf-family functions now support the %b format for output of + integers in binary, as specified in draft ISO C2X, and the %B variant + of that format recommended by draft ISO C2X + * A new DSO sorting algorithm has been added in the dynamic linker that uses + topological sorting by depth-first search (DFS), solving performance issues + of the existing sorting algorithm when encountering particular circular + object dependency cases + * A new tunable, glibc.rtld.dynamic_sort, can be used to select between + the two DSO sorting algorithms + * ABI support for a new function '__memcmpeq'. 
'__memcmpeq' is meant + to be used by compilers for optimizing usage of 'memcmp' when its + return value is only used for its boolean status + * Support for automatically registering threads with the Linux rseq + system call has been added + * A symbolic link to the dynamic linker is now installed under + /usr/bin/ld.so (or more precisely, '${bindir}/ld.so') + * All programs and the testsuite in glibc are now built as position independent + executables (PIE) by default on toolchains and architectures that support it + * On Linux, a new tunable, glibc.malloc.hugetlb, can be used to + either make malloc issue madvise plus MADV_HUGEPAGE on mmap and sbrk + or to use huge pages directly with mmap calls with the MAP_HUGETLB + flags) + * The printf family of functions now handles the flagged %#m conversion + specifier, printing errno as an error constant (similar to strerrorname_np) + * The function _dl_find_object has been added + * On Linux, the epoll_pwait2 function has been added + * The function posix_spawn_file_actions_addtcsetpgrp_np has been added, + enabling posix_spawn and posix_spawnp to set the controlling terminal in + the new process in a race free manner + * Source fortification (_FORTIFY_SOURCE) level 3 is now available for + applications compiling with glibc and gcc 12 and later + Deprecated and removed features, and other changes affecting compatibility: + * On x86-64, the LD_PREFER_MAP_32BIT_EXEC environment variable support + has been removed since the first PT_LOAD segment is no longer executable + due to defaulting to -z separate-code + * The r_version update in the debugger interface makes the glibc binary + incompatible with GDB + * Intel MPX support (lazy PLT, ld.so profile, and LD_AUDIT) has been removed + * The catchsegv script and associated libSegFault.so shared object have + been removed + * Support for prelink will be removed in the next release; this includes + removal of the LD_TRACE_PRELINKING, and LD_USE_LOAD_BIAS, environment + 
variables and their functionality in the dynamic loader + Changes to build and runtime requirements: + * The audit module interface version LAV_CURRENT is increased to enable + proper bind-now support + * The audit interface on aarch64 is extended to support both the indirect + result location register (x8) and NEON Q register + Security related changes: + * CVE-2022-23219: Passing an overlong file name to the clnt_create + legacy function could result in a stack-based buffer overflow when + using the "unix" protocol + * CVE-2022-23218: Passing an overlong file name to the svcunix_create + legacy function could result in a stack-based buffer overflow + * CVE-2021-3998: Passing a path longer than PATH_MAX to the realpath + function could result in a memory leak and potential access of + uninitialized memory + * CVE-2021-3999: Passing a buffer of size exactly 1 byte to the getcwd + function may result in an off-by-one buffer underflow and overflow + when the current working directory is longer than PATH_MAX and also + corresponds to the / directory through an unprivileged mount + namespace +- copy-and-spawn-sgid-double-close.patch, + fcntl-time-bits-64-redirect.patch, gaiconf-init-double-free.patch, + gconv-parseconfdir-memory-leak.patch, getcwd-attribute-access.patch, + glibc-c-utf8-locale.patch, iconv-charmap-close-output.patch, + ld-show-auxv-colon.patch, ldconfig-leak-empty-paths.patch, + librt-null-pointer.patch, pthread-kill-fail-after-exit.patch, + pthread-kill-race-thread-exit.patch, pthread-kill-return-esrch.patch, + pthread-kill-send-specific-thread.patch, + pthread-mutexattr-getrobust-np-type.patch, + setxid-deadlock-blocked-signals.patch, + sysconf-nprocessors-affinity.patch, x86-string-control-test.patch: + Removed. 
+- bsc#1194640 +- bsc#1194768 +- bsc#1194770 +- bsc#1197718 +- bsc#1211829 +- bsc#1215891 -- selinux-deprecated.patch: Disable warnings due to deprecated libselinux - symbols used by nss and nscd (bsc#1197718) -- systemtap-altmacro.patch: i386: Remove broken CAN_USE_REGISTER_ASM_EBP - (bsc#1197718, BZ #28771) - -- Add s390-add-z16-name.diff for bsc#1198751. - -- getcwd-erange.patch: getcwd: Set errno to ERANGE for size == 1 - (CVE-2021-3999, bsc#1194640, BZ #28769) - -- 0001-powerpc-Optimized-strcpy-for-POWER9.patch, - 0002-powerpc-Optimized-stpcpy-for-POWER9.patch, - 0003-powerpc-Optimized-rawmemchr-for-POWER9.patch, - 0004-powerpc64le-add-optimized-strlen-for-P9.patch, - 0005-powerpc-fix-ifunc-implementation-list-for-POWER9-str.patch, - 0006-powerpc-Add-optimized-strncpy-for-POWER9.patch, - 0007-powerpc-Add-optimized-stpncpy-for-POWER9.patch, - 0008-powerpc-Add-optimized-ilogb-for-POWER9.patch, - 0009-powerpc-Add-optimized-llogb-for-POWER9.patch, - 0010-powerpc-Add-optimized-strlen-for-POWER10.patch, - 0011-powerpc64le-Optimized-memmove-for-POWER10.patch, - 0012-powerpc64le-Optimize-memcpy-for-POWER10.patch, - 0013-powerpc64le-Optimize-memset-for-POWER10.patch, - 0014-powerpc64le-Fix-ifunc-selection-for-memset-memmove-b.patch, - 0015-powerpc-Add-optimized-rawmemchr-for-POWER10.patch: ppc64le ifunc - improvements (bsc#1194785, jsc#SLE-18195) - -- clnt-create-unix-overflow.patch: Buffer overflow in sunrpc clnt_create - for "unix" (CVE-2022-23219, bsc#1194768, BZ #22542) -- svcunix-create-overflow.patch: Buffer overflow in sunrpc svcunix_create - (CVE-2022-23218, bsc#1194770, BZ #28768) +- Enable building the cross packages in rings. +- Add ExtraBuildFlags for build flags that cannot be passed to configure. -- Enable livepatching on x86_64. 
-- 0001-s390x-Align-child-stack-while-clone.-BZ-27968.patch, - 0002-S390-Optimize-__memcpy_z196.patch, - 0003-S390-Optimize-__memset_z196.patch, - 0004-S390-Sync-HWCAP-names-with-kernel-by-adding-aliases-.patch, - 0005-S390-Add-new-hwcap-values.patch, - 0006-S390-Add-PCI_MIO-and-SIE-HWCAPs.patch: [15sp4 FEAT] GNU2007 - - GLIBC: Support for new IBM Z Hardware (bsc#1191592, jsc#IBM-869) +- glibc.rpmlintrc: Update for rpmlint2 -- mq-notify-use-after-free.patch: Use __pthread_attr_copy in mq_notify - (CVE-2021-33574, bsc#1186489, BZ #27896) +- ld-show-auxv-colon.patch: elf: Fix missing colon in LD_SHOW_AUXV output + (BZ #282539 +- x86-string-control-test.patch: x86-64: Use testl to check + __x86_string_control +- pthread-kill-fail-after-exit.patch: nptl: pthread_kill, pthread_cancel + should not fail after exit (BZ #19193) +- pthread-kill-race-thread-exit.patch: nptl: Fix race between pthread_kill + and thread exit (BZ #12889) +- getcwd-attribute-access.patch: posix: Fix attribute access mode on + getcwd (BZ #27476) +- pthread-kill-return-esrch.patch: nptl: pthread_kill needs to return + ESRCH for old programs (BZ #19193) +- pthread-mutexattr-getrobust-np-type.patch: nptl: Fix type of + pthread_mutexattr_getrobust_np, pthread_mutexattr_setrobust_np (BZ + [#28036]) +- setxid-deadlock-blocked-signals.patch: nptl: Avoid setxid deadlock with + blocked signals in thread exit (BZ #28361) +- pthread-kill-send-specific-thread.patch: nptl: pthread_kill must send + signals to a specific thread (BZ #28407) +- sysconf-nprocessors-affinity.patch: linux: Revert the use of + sched_getaffinity on get_nproc (BZ #28310) +- iconv-charmap-close-output.patch: renamed from + icon-charmap-close-output.patch + +- Don't create separate debuginfo packages for cross packages + +- ldconfig-leak-empty-paths.patch: ldconfig: avoid leak on empty paths in + config file +- gconv-parseconfdir-memory-leak.patch: gconv_parseconfdir: Fix memory leak +- gaiconf-init-double-free.patch: gaiconf_init: Avoid 
double-free in label + and precedence lists +- copy-and-spawn-sgid-double-close.patch: copy_and_spawn_sgid: Avoid + double calls to close() +- icon-charmap-close-output.patch: iconv_charmap: Close output file when + done +- fcntl-time-bits-64-redirect.patch: Linux: Fix fcntl, ioctl, prctl + redirects for _TIME_BITS=64 (BZ #28182) +- librt-null-pointer.patch: librt: fix NULL pointer dereference (BZ + [#28213]) + +- Add cross development packages for aarch64 and riscv64. + +- Update to glibc 2.34 + Major new features: + * When _DYNAMIC_STACK_SIZE_SOURCE or _GNU_SOURCE are defined, + PTHREAD_STACK_MIN is no longer constant and is redefined to + sysconf(_SC_THREAD_STACK_MIN) + * Add _SC_MINSIGSTKSZ and _SC_SIGSTKSZ + * The dynamic linker implements the --list-diagnostics option, printing + a dump of information related to IFUNC resolver operation and + glibc-hwcaps subdirectory selection + * On Linux, the function execveat has been added + * The ISO C2X function timespec_getres has been added + * The feature test macro __STDC_WANT_IEC_60559_EXT__, from draft ISO + C2X, is supported to enable declarations of functions defined in Annex F + of C2X + * Add support for 64-bit time_t on configurations like x86 where time_t + is traditionally 32-bit + * The main gconv-modules file in glibc now contains only a small set of + essential converter modules and the rest have been moved into a supplementary + configuration file gconv-modules-extra.conf in the gconv-modules.d directory + in the same GCONV_PATH + * On Linux, a new tunable, glibc.pthread.stack_cache_size, can be used + to configure the size of the thread stack cache + * The function _Fork has been added as an async-signal-safe fork replacement + since Austin Group issue 62 droped the async-signal-safe requirement for + fork (and it will be included in the future POSIX standard) + * On Linux, the close_range function has been added + * The function closefrom has been added + * The posix_spawn_file_actions_closefrom_np 
function has been added, enabling + posix_spawn and posix_spawnp to close all file descriptors great than or + equal to a giver integer + Deprecated and removed features, and other changes affecting compatibility: + * The function pthread_mutex_consistent_np has been deprecated + * The function pthread_mutexattr_getrobust_np has been deprecated + * The function pthread_mutexattr_setrobust_np has been deprecated + * The function pthread_yield has been deprecated + * The function inet_neta declared in has been deprecated + * Various rarely-used functions declared in and + have been deprecated + * The pthread cancellation handler is now installed with SA_RESTART and + pthread_cancel will always send the internal SIGCANCEL on a cancellation + request + * The symbols mallwatch and tr_break are now deprecated and no longer used in + mtrace + * The __morecore and __after_morecore_hook malloc hooks and the default + implementation __default_morecore have been removed from the API + * Debugging features in malloc such as the MALLOC_CHECK_ environment variable + (or the glibc.malloc.check tunable), mtrace() and mcheck() have now been + disabled by default in the main C library + * The deprecated functions malloc_get_state and malloc_set_state have been + moved from the core C library into libc_malloc_debug.so + * The deprecated memory allocation hooks __malloc_hook, __realloc_hook, + __memalign_hook and __free_hook are now removed from the API + Changes to build and runtime requirements: + * On Linux, the shm_open, sem_open, and related functions now expect the + file shared memory file system to be mounted at /dev/shm + Security related changes: + CVE-2021-27645: The nameserver caching daemon (nscd), when processing + a request for netgroup lookup, may crash due to a double-free, + potentially resulting in degraded service or Denial of Service on the + local system + CVE-2021-33574: The mq_notify function has a potential use-after-free + issue when using a notification type 
of SIGEV_THREAD and a thread + attribute with a non-default affinity mask + CVE-2021-35942: The wordexp function may overflow the positional + parameter number when processing the expansion resulting in a crash +- nss-database-check-reload.patch, nss-load-chroot.patch, + x86-isa-level.patch, nscd-netgroupcache.patch, + nss-database-lookup.patch, select-modify-timeout.patch, + nptl-db-libpthread-load-order.patch, rawmemchr-warning.patch, + tst-cpu-features-amx.patch, mq-notify-use-after-free.patch: Removed +- bsc#1181403 +- bsc#1184035 +- bsc#1187911 +- jsc#PED-987 -- wordexp-param-overflow.patch: wordexp: handle overflow in positional - parameter number (CVE-2021-35942, bsc#1187911, BZ #28011) +- Enable usrmerge in Factory always as it's default there +- Add conflict with pre-usrmerge filesystem package -- s390-memmove-ifunc-selector-arch13.patch: S390: Also check vector - support in memmove ifunc-selector (bsc#1184035, BZ #27511) +- mq-notify-use-after-free.patch: Use __pthread_attr_copy in mq_notify + (CVE-2021-33574, bsc#1186489, BZ #27896) +- Drop glibc-usrmerge-bootstrap-helper package -- Update glibc-2.31-HTM-vzeroupper.diff with a AVX-SSE transition - fix. +- tst-cpu-features-amx.patch: x86: tst-cpu-features-supports.c: Update AMX + check -- Add glibc-2.31-HTM-vzeroupper.diff to avoid VZEROUPPER in the - AVX2 accelerated string routines which cause HTM transaction - aborts. Instead use EVEX or SSE. 
(bsc#1181403) +- rawmemchr-warning.patch: string: Work around GCC PR 98512 in rawmemchr +- nptl-db-libpthread-load-order.patch: nptl_db: Support different + libpthread/ld.so load orders (bsc#1184214, BZ #27744) + +- Enable support for static PIE (bsc#1184646) +- select-modify-timeout.patch: linux: always update select timeout + (bsc#1184339, BZ #27706) + +- Don't remove -f[asynchronous-]unwind-tables during configure run, no + longer needed + +- nss-database-check-reload.patch: nsswitch: return result when nss + database is locked (BZ #27343) +- nss-load-chroot.patch: nss: Re-enable NSS module loading after chroot + (bsc#1182323, BZ #27389) +- x86-isa-level.patch: x86: Set minimum x86-64 level marker (bsc#1182522, + BZ #27318) +- nss-database-lookup.patch: nss: fix nss_database_lookup2's alternate + handling (bsc#1182247, BZ #27416) +- nss-revert-api.patch: remove -- gconv-assertion-iso-2022-jp.patch: gconv: Fix assertion failure in - ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256) +- Disable x86 ISA level for now (bsc#1182522, BZ #27318) +- nss-revert-api.patch: Workaround for nss-compat brokeness (bsc#1182247, + BZ #27416) + +- Fix build of utils flavor for usrmerge + +- Prepare for usrmerge (bsc#1029961) + +- Add --enable-memory-tagging for aarch64 + +- Update to glibc 2.33 + * The dynamic linker accepts the --list-tunables argument which prints + all the supported tunables. + * The dynamic linker accepts the --argv0 argument and provides opportunity + to change argv[0] string. + * The dynamic linker loads optimized implementations of shared objects + from subdirectories under the glibc-hwcaps directory on the library + search path if the system's capabilities meet the requirements for + that subdirectory. + * The new --help option of the dynamic linker provides usage and + information and library search path diagnostics. 
+ * The mallinfo2 function is added to report statistics as per mallinfo, + but with larger field widths to accurately report values that are + larger than fit in an integer. + * Add to provide query macros for x86 CPU features. + * A new fortification level _FORTIFY_SOURCE=3 is available. + * The mallinfo function is marked deprecated. + * When dlopen is used in statically linked programs, alternative library + implementations from HWCAP subdirectories are no longer loaded. + * The deprecated header and the function vtimes have been + removed. + * On s390(x), the type float_t is now derived from the macro + __FLT_EVAL_METHOD__ that is defined by the compiler, instead of being + hardcoded to double. + * A future version of glibc will stop loading shared objects from the + "tls" subdirectories on the library search path, the subdirectory that + corresponds to the AT_PLATFORM system name, and also stop employing + the legacy AT_HWCAP search mechanism. + * CVE-2021-3326: An assertion failure during conversion from the + ISO-20220-JP-3 character set using the iconv function has been fixed. 
+- Remove obsolete, unused /etc/default/nss +- aarch64-static-pie.patch, euc-kr-overrun.patch, + get-nprocs-cpu-online-parsing.patch, iconv-redundant-shift.patch, + iconv-ucs4-loop-bounds.patch, ifunc-fma4.patch, + intl-codeset-suffixes.patch, nscd-gc-cycle.patch, + printf-long-double-non-normal.patch, strerrorname-np.patch, + syslog-locking.patch, sysvipc.patch: Removed +- bsc#1180557 +- bsc#1181505 +- bsc#1191592 +- bsc#1201942 -- sysvipc-sem-stat-any.patch: sysvipc: Fix SEM_STAT_ANY kernel argument - pass (bsc#1180557, BZ #26637) +- Remove support for %optimize_power +- Move to power4 baseline on ppc -- aarch64-getauxval.patch: aarch64: Accept PLT calls to __getauxval within - libc.so (bsc#1167939) +- aarch64-static-pie.patch: fix static PIE start code for BTI + (bsc#1179450, BZ #27068) -- power10-support.patch: Add support for POWER10 (jsc#SLE-13520) -- iconv-option-parsing.patch: Rewrite iconv option parsing - (CVE-2016-10228, bsc#1027496, BZ #19519) - -- Update to glibc 2.31 -- glibc-2.14-crypt.diff, crypt_blowfish-const.patch, - crypt_blowfish-1.2-sha.diff, crypt_blowfish-gensalt.patch, - crypt_blowfish-1.2-hack_around_arm.diff, glibc-nodate.patch, - powerpc-elision-enable-envvar.patch, s390-elision-enable-envvar.patch, - crt-nocompress-debug-sections.patch, resolv-context-leak.patch, - dl-runtime-resolve-opt-avx512f.patch, libpthread-compat-wrappers.patch, - math-c++-compat.patch, remove-nss-nis-compat.patch, - eh-frame-zero-terminator.patch, ld-so-hwcap-x86-64.patch, - assert-pedantic.patch, getaddrinfo-errno.patch, resolv-conf-oom.patch, - dynarray-allocation.patch, nearbyint-inexact.patch, nss-compat.patch, - nscd-libnsl.patch, malloc-tcache-leak.patch, - falkor-memcpy-memmove.patch, aarch64-cpu-features.patch, - nss-files-large-buffers.patch, sysconf-uio-maxiov.patch, - glob-tilde-overflow.patch, dl-runtime-resolve-xsave.patch, - spawni-assert.patch, x86-64-dl-platform.patch, glob64-s390.patch, - tst-tlsopt-powerpc.patch, powerpc-hwcap-bits.patch, - 
malloc-tcache-check-overflow.patch, dl-init-paths-overflow.patch, - fillin-rpath-empty-tokens.patch, getcwd-absolute.patch, - memalign-overflow.patch, stack-guard-size-accounting.patch, - libgcc-rtld-now.patch, res-send-enomem.patch, - glibc-fix-avx512-mempcpy.patch, i386-memmove-sse2-unaligned.patch, - realpath-ssize-max-overflow.patch, localtime-2039.patch, - math-remove-slow-path.patch, aarch64-hwcap-atomics.patch, - glibc-fix-aarch64-build.diff, absolute-symbols.patch, - x86-haswell-string-flags.patch, - pthread-cond-broadcast-waiters-after-spinning.patch, - mman-map-sync.patch, mman-linux-map-shared-validate.patch, - nptl-setxid-error.patch, pthread-mutex-trylock-barrier.patch, - getaddrinfo-parse-ipv4-address.patch, japanese-era-name-may-2019.patch, - force-elision-race.patch, regex-read-overrun.patch, - regex-parse-reg-exp.patch, - 0001-S390-Add-configure-check-to-detect-z10-as-mininum-ar.patch, - 0002-S390-Use-hwcap-instead-of-dl_hwcap-in-ifunc-resolver.patch, - 0003-S390-Unify-31-64bit-memcpy.patch, - 0004-S390-Refactor-memcpy-mempcpy-ifunc-handling.patch, - 0005-S390-Remove-s390-specific-implementation-of-bcopy.patch, - 0006-S390-Use-memcpy-for-forward-cases-in-memmove.patch, - 0007-S390-Add-configure-check-to-detect-z13-as-mininum-ar.patch, - 0008-S390-Add-z13-memmove-ifunc-variant.patch, - 0009-S390-Add-z13-strstr-ifunc-variant.patch, - 0010-S390-Add-z13-memmem-ifunc-variant.patch, - 0011-S390-Cleanup-ifunc-resolve.h.patch, - 0012-S390-Mark-vx-and-vxe-as-important-hwcap.patch, - 0013-S390-Add-new-hwcap-values-for-new-cpu-architecture-a.patch, - 0014-S390-Add-configure-check-to-detect-support-for-arch1.patch, - 0015-S390-Add-arch13-memmove-ifunc-variant.patch, - 0016-S390-Add-arch13-strstr-ifunc-variant.patch, - 0017-S390-Add-arch13-memmem-ifunc-variant.patch, - prefer-map-32bit-exec.patch, s390-strstr-page-boundary.patch, - ppc-tle-htm-nosc.patch, - posix-Add-internal-symbols-for-posix_spawn-interface.patch, - 
glibc-2.29-posix-Use-posix_spawn-on-popen.patch, - backtrace-powerpc.patch, pthread-rwlock-pwn.patch, - manual-memory-protection.patch, ldbl-96-rem-pio2l.patch, - dl-sort-maps.patch, dlopen-filter-object.patch, - glob-use-after-free.patch, nptl-setxid-race.patch, nscd-senfile.patch, - ldd-system-interp.patch, abort-no-flush.patch, - fnmatch-collating-elements.patch, nss-files-long-lines-2.patch, - iconv-reset-input-buffer.patch, nscd-prune.patch, syslog-locking.patch: - Removed. -- long-double-alias.patch, glibc-nsswitch-usr.diff, euc-kr-overrun.patch, - riscv-syscall-clobber.patch, nscd-gc-cycle.patch: Added. +- intl-codeset-suffixes.patch: intl: Handle translation output codesets + with suffixes (BZ #26383) +- strerrorname-np.patch: string: Fix strerrorname_np return value (BZ + [#26555]) +- sysvipc.patch: sysvipc: Fix SEM_STAT_ANY kernel argument pass (BZ + [#26637], BZ #26639, BZ #26636) + +- Use --enable-cet on x86_64 to instrument glibc for indirect branch + tracking and shadow stack use. 
Enable indirect branch tracking + and shadow stack in the dynamic loader (jsc#PM-2110, bsc#1175154) -- nscd-senfile.patch: Fix concurrent changes on nscd aware files - (bsc#1171878, BZ #23178) -- nscd-prune.patch: nscd: bump GC cycle during cache pruning (bsc#1171878, - BZ #26130) +- Keep nsswitch.conf in /etc for SLES15 +- ifunc-fma4.patch: x86-64: Fix FMA4 detection in ifunc (BZ #26534) -- nptl-setxid-race.patch: nptl: wait for pending setxid request also in - detached thread (bsc#1162930, BZ #25942) +- Update to glibc 2.32 + * Unicode 13.0.0 Support + * New locale added: ckb_IQ + * The GNU C Library now loads audit modules listed in the DT_AUDIT and + DT_DEPAUDIT dynamic section entries of the main executable + * powerpc64le supports IEEE128 long double libm/libc redirects when + using the -mabi=ieeelongdouble to compile C code on supported GCC + toolchains + * To help detect buffer overflows and other out-of-bounds accesses + several APIs have been annotated with GCC 'access' attribute + * On Linux, functions the pthread_attr_setsigmask_np and + pthread_attr_getsigmask_np have been added + * The GNU C Library now provides the header file + which declares the variable __libc_single_threaded + * The functions sigabbrev_np and sigdescr_np have been added + * The functions strerrorname_np and strerrordesc_np have been added + * AArch64 now supports standard branch protection security hardening + in glibc when it is built with a GCC that is configured with + - -enable-standard-branch-protection (or if -mbranch-protection=standard + flag is passed when building both GCC target libraries and glibc, + in either case a custom GCC is needed) + * The deprecated header and the sysctl function have been + removed + * The sstk function is no longer available to newly linked binaries + * The legacy signal handling functions siginterrupt, sigpause, sighold, + sigrelse, sigignore and sigset, and the sigmask macro have been + deprecated + * ldconfig now defaults to the new 
format for ld.so.cache + * The deprecated arrays sys_siglist, _sys_siglist, and sys_sigabbrev + are no longer available to newly linked binaries, and their declarations + have been removed from + * The deprecated symbols sys_errlist, _sys_errlist, sys_nerr, and _sys_nerr + are no longer available to newly linked binaries, and their declarations + have been removed from from + * Both strerror and strerror_l now share the same internal buffer in the + calling thread, meaning that the returned string pointer may be invalided + or contents might be overwritten on subsequent calls in the same thread or + if the thread is terminated + * Using weak references to libpthread functions such as pthread_create + or pthread_key_create to detect the singled-threaded nature of a + program is an obsolescent feature + * The "files" NSS module no longer supports the "key" database (used for + secure RPC) + * The __morecore and __after_morecore_hook malloc hooks and the default + implementation __default_morecore have been deprecated + * The hesiod NSS module has been deprecated and will be removed in a + future version of glibc + * CVE-2016-10228: An infinite loop has been fixed in the iconv program when + invoked with the -c option and when processing invalid multi-byte input + sequences + * CVE-2020-10029: Trigonometric functions on x86 targets suffered from stack + corruption when they were passed a pseudo-zero argument + * CVE-2020-1752: A use-after-free vulnerability in the glob function when + expanding ~user has been fixed. 
+ * CVE-2020-6096: A signed comparison vulnerability in the ARMv7 memcpy and + memmove functions has been fixed +- riscv-syscall-clobber.patch, ldbl-96-rem-pio2l.patch, + long-double-alias.patch: Removed +- bsc#1027496 +- bsc#1162930 +- bsc#1166106 +- bsc#1167631 +- bsc#1167939 +- bsc#1194785, jsc#SLE-18195 +- bsc#1200855 +- bsc#1201560 +- bsc#1201640 +- bsc#1207571 +- jsc#SLE-13520 + +- long-double-alias.patch: Fix build with GCC 10 when long double = double +- nscd-gc-cycle.patch: nscd: bump GC cycle during cache pruning + (bsc#1171878, BZ #26130) + +- glibc-nsswitch-usr.diff: read /usr/etc/nsswitch.conf if + /etc/nsswitch.conf does not exist +- Install default nsswitch.conf in /usr/etc +- Don't install gai.conf in /etc -- glob-use-after-free.patch: Fix use-after-free in glob when expanding - ~user (CVE-2020-1752, bsc#1167631, BZ #25414) - -- dl-sort-maps.patch, dlopen-filter-object.patch: Allow dlopen of filter - object to work (bsc#1166106, BZ #16272) +- Split off %lang_package +- riscv-syscall-clobber.patch: riscv: Avoid clobbering register parameters + in syscall -- pthread-rwlock-pwn.patch: Fix rwlock stall with - PREFER_WRITER_NONRECURSIVE_NP (bsc#1164505, BZ #23861) -- manual-memory-protection.patch: manual: Document mprotect and introduce - section on memory protection (bsc#1163184) +- nsswitch.conf: comment out initgroups setting, so that it defaults to + the group setting (bsc#1164075) -- backtrace-powerpc.patch: Fix array overflow in backtrace on PowerPC - (CVE-2020-1751, bsc#1158996, BZ #25423) - -- posix-Add-internal-symbols-for-posix_spawn-interface.patch, - glibc-2.29-posix-Use-posix_spawn-on-popen.patch: Use posix_spawn on - popen (bsc#1149332, BZ #22834) +- fix-locking-in-_IO_cleanup.patch: update to latest version -- ppc-tle-htm-nosc.patch: powerpc: Fix syscalls during early process - initialization (SLE-8348, BZ #22685) +- Update to glibc 2.31 + * The GNU C Library now supports a feature test macro _ISOC2X_SOURCE to + enable features from the 
draft ISO C2X standard + * The functions that round their results to a narrower type now + have corresponding type-generic macros in + * The function pthread_clockjoin_np has been added, enabling join with a + terminated thread with a specific clock + * New locale added: mnw_MM (Mon language spoken in Myanmar). + * The DNS stub resolver will optionally send the AD (authenticated data) bit + in queries if the trust-ad option is set via the options directive in + /etc/resolv.conf (or if RES_TRUSTAD is set in _res.options) + * The totalorder and totalordermag functions, and the corresponding + functions for other floating-point types, now take pointer arguments to + avoid signaling NaNs possibly being converted to quiet NaNs in argument + passing + * The obsolete function stime is no longer available to newly linked + binaries, and its declaration has been removed from + * The gettimeofday function no longer reports information about a + system-wide time zone + * If a lazy binding failure happens during dlopen, during the execution of + an ELF constructor, the process is now terminated +- malloc-info-whitespace.patch, riscv-vfork.patch, + prefer-map-32bit-exec.patch, backtrace-powerpc.patch, + ldconfig-dynstr.patch: Removed. 
+- bsc#1157893 +- bsc#1163184 +- fate#325815, fate#325879, fate#325880, fate#325881, fate#325882 +- fate#325962 -- s390-strstr-page-boundary.patch: S390: Fix handling of needles crossing - a page in strstr z15 ifunc-variant (bsc#1157893, BZ #25226) +- backtrace-powerpc.patch: Fix array overflow in backtrace on PowerPC + (CVE-2020-1751, bsc#1158996, BZ #25423) +- Drop support for pluggable gconv modules (bsc#1159851) -- GNU1815 - Hardware support in toolchain (bsc#1151582) - 0001-S390-Add-configure-check-to-detect-z10-as-mininum-ar.patch - 0002-S390-Use-hwcap-instead-of-dl_hwcap-in-ifunc-resolver.patch - 0003-S390-Unify-31-64bit-memcpy.patch - 0004-S390-Refactor-memcpy-mempcpy-ifunc-handling.patch - 0005-S390-Remove-s390-specific-implementation-of-bcopy.patch - 0006-S390-Use-memcpy-for-forward-cases-in-memmove.patch - 0007-S390-Add-configure-check-to-detect-z13-as-mininum-ar.patch - 0008-S390-Add-z13-memmove-ifunc-variant.patch - 0009-S390-Add-z13-strstr-ifunc-variant.patch - 0010-S390-Add-z13-memmem-ifunc-variant.patch - 0011-S390-Cleanup-ifunc-resolve.h.patch - 0012-S390-Mark-vx-and-vxe-as-important-hwcap.patch - 0013-S390-Add-new-hwcap-values-for-new-cpu-architecture-a.patch - 0014-S390-Add-configure-check-to-detect-support-for-arch1.patch - 0015-S390-Add-arch13-memmove-ifunc-variant.patch - 0016-S390-Add-arch13-strstr-ifunc-variant.patch - 0017-S390-Add-arch13-memmem-ifunc-variant.patch - -- regex-parse-reg-exp.patch: ERE '0|()0|\1|0' causes regexec undefined - behavior (CVE-2009-5155, bsc#1127223, BZ #18986) -- regex-read-overrun.patch: regex: fix read overrun (CVE-2019-9169, - bsc#1127308, BZ #24114) +- nsswitch.conf: add usrfiles for services, protocols, rpc, ethers + and aliases for /usr/etc move -- crt-nocompress-debug-sections.patch: Don't compress debug sections in - crt*.o files (bsc#1123710) +- euc-kr-overrun.patch: Fix buffer overrun in EUC-KR conversion module + (CVE-2019-25013, BZ #24973) -- ldconfig-concurrency.patch: Avoid concurrency problem in 
ldconfig - (bsc#1117993, BZ #23973) +- ldconfig-dynstr.patch: ldconfig: handle .dynstr located in separate + segment (bsc#1153149, BZ #25087) -- force-elision-race.patch: Fix race in pthread_mutex_lock while promoting - to PTHREAD_MUTEX_ELISION_NP (bsc#1131330, BZ #23275) +- Package gconv-modules.cache as %ghost +- Regenerate it also in the %post of glibc-local-base- + +- move mo files to glibc-locale as that's where all the other + informations for those locales are. glibc-locale-base only has English + anyways. + +- riscv-vfork.patch: Fix RISC-V vfork build with Linux 5.3 kernel headers + +- Remove NoSource tags (bsc#994835) + +- pwdutils is long gone and replaced by shadow + +- Update to glibc 2.30 + * Unicode 12.1.0 Support + * The dynamic linker accepts the --preload argument to preload shared + objects + * The twalk_r function has been added + * On Linux, the getdents64, gettid, and tgkill functions have been added + * Minguo (Republic of China) calendar support has been added + * The entry for the new Japanese era has been added + * Memory allocation functions malloc, calloc, realloc, reallocarray, valloc, + pvalloc, memalign, and posix_memalign fail now with total object size + larger than PTRDIFF_MAX + * The dynamic linker no longer refuses to load objects which reference + versioned symbols whose implementation has moved to a different soname + since the object has been linked + * Add new POSIX-proposed pthread_cond_clockwait, pthread_mutex_clocklock, + pthread_rwlock_clockrdlock, pthread_rwlock_clockwrlock and sem_clockwait + functions + * On AArch64 the GNU IFUNC resolver call ABI changed + * The copy_file_range function fails with ENOSYS if the kernel does not + support the system call of the same name + * The functions clock_gettime, clock_getres, clock_settime, + clock_getcpuclockid, clock_nanosleep were removed from the librt library + for new applications (on architectures which had them) + * The obsolete and never-implemented XSI STREAMS header 
files + and have been removed + * Support for the "inet6" option in /etc/resolv.conf and the RES_USE_INET6 + resolver flag (deprecated in glibc 2.25) have been removed + * The obsolete RES_INSECURE1 and RES_INSECURE2 option flags for the DNS stub + resolver have been removed from + * With --enable-bind-now, installed programs are now linked with the + BIND_NOW flag. + * On 32-bit Arm, support for the port-based I/O emulation and the + header have been removed + * The Linux-specific header and the sysctl function have been + deprecated and will be removed from a future version of glibc + * CVE-2019-7309: x86-64 memcmp used signed Jcc instructions to check + size + * CVE-2019-9169: Attempted case-insensitive regular-expression match + via proceed_next_node in posix/regexec.c leads to heap-based buffer + over-read +- pthread-rwlock-trylock-stalls.patch, + arm-systemtap-probe-constraint.patch, pthread-mutex-barrier.patch, + fork-handler-lock.patch, pthread-join-probe.patch, + riscv-clone-unwind.patch, add-new-Fortran-vector-math-header-file.patch, + regex-read-overrun.patch, japanese-era-name-may-2019.patch, + dl-show-auxv.patch, s390-vx-vxe-hwcap.patch, taisho-era-string.patch, + malloc-tracing-hooks.patch, pldd-inf-loop.patch, + malloc-large-bin-corruption-check.patch, wfile-sync-crash.patch, + malloc-tests-warnings.patch, fnmatch-collating-elements.patch, + iconv-reset-input-buffer.patch: Removed +- malloc-info-whitespace.patch: Remove unwanted leading whitespace in + malloc_info (BZ #24867) +- bsc#1100396 +- bsc#1130045 + +- Move /var/lib/misc/Makefile to /usr/share/misc/Makefile.makedb (bsc#1138726) + +- malloc-tests-warnings.patch: Fix warnings in malloc tests with GCC 9 + +- Set optflags for i686 after _lto_cflags is set (boo#1138807). + +- Disable LTO due to a usage of top-level assembler that + causes LTO issues (boo#1138807). 
+ +- nss-files-long-lines-2.patch: Remove obsolete patch + +- dl-show-auxv.patch: Fix output of LD_SHOW_AUXV=1 +- s390-vx-vxe-hwcap.patch: S390: Mark vx and vxe as important hwcap +- taisho-era-string.patch: ja_JP: Change the offset for Taisho gan-nen + from 2 to 1 (BZ #24162) +- malloc-tracing-hooks.patch: malloc: Set and reset all hooks for tracing + (BZ #16573) +- pldd-inf-loop.patch: elf: Fix pldd (BZ#18035) +- malloc-large-bin-corruption-check.patch: malloc: Check for large bin + list corruption when inserting unsorted chunk (BZ #24216) +- wfile-sync-crash.patch: Fix crash in _IO_wfile_sync (BZ #20568) - Japanese era (bsc#1100396, BZ #22964) + Japanese era (BZ #22964) +- Replace glibc_post_upgrade with lua script -- pthread-mutex-trylock-barrier.patch: pthread_mutex_trylock does not use - the correct order of instructions while maintaining the robust mutex - list due to missing compiler barriers (bsc#1130045, BZ #24180) -- getaddrinfo-parse-ipv4-address.patch: getaddrinfo: Fully parse IPv4 - address strings (CVE-2016-10739, bsc#1122729, BZ #20018) - -- mman-map-sync.patch: Add MAP_SYNC from Linux 4.15 (bsc#1126590) -- mman-linux-map-shared-validate.patch: Add MAP_SHARED_VALIDATE from Linux - 4.15 (bsc#1126590) -- nptl-setxid-error.patch: nptl: Preserve error in setxid thread broadcast - in coredumps (bsc#1063675, BZ #22153) +- add-new-Fortran-vector-math-header-file.patch: Update from upstream -- x86-haswell-string-flags.patch: Fix Haswell CPU string flags - (bsc#1114984, BZ #23709) -- pthread-cond-broadcast-waiters-after-spinning.patch: Fix - waiters-after-spinning case (bsc#1114993, BZ #23538) +- regex-read-overrun.patch: fix read overrun (CVE-2019-9169, bsc#1127308, + BZ #24114) +- ldconfig-concurrency.patch: Avoid concurrency problem in ldconfig + (bsc#1117993, BZ #23973) + +- Add add-new-Fortran-vector-math-header-file.patch. 
-- absolute-symbols.patch: Don't relocate absolute symbols (bsc#1112570, BZ - [#19818]) +- pthread-rwlock-trylock-stalls.patch: nptl: Fix pthread_rwlock_try*lock + stalls (BZ #23844) +- arm-systemtap-probe-constraint.patch: arm: Use "nr" constraint for + Systemtap probes (BZ #24164) +- pthread-mutex-barrier.patch: Add compiler barriers around modifications + of the robust mutex list for pthread_mutex_trylock (BZ #24180) +- fork-handler-lock.patch: nptl: Avoid fork handler lock for + async-signal-safe fork (BZ #24161) +- pthread-join-probe.patch: nptl: Fix invalid Systemtap probe in + pthread_join (BZ #24211) +- riscv-clone-unwind.patch: RISC-V: Fix elfutils testsuite unwind failures + (BZ #24040) + +- Update to glibc 2.29 + * The getcpu wrapper function has been added, which returns the currently + used CPU and NUMA node + * Optimized generic exp, exp2, log, log2, pow, sinf, cosf, sincosf and tanf + * The reallocarray function is now declared under _DEFAULT_SOURCE, not just + for _GNU_SOURCE, to match BSD environments + * For powercp64le ABI, Transactional Lock Elision is now enabled iff kernel + indicates that it will abort the transaction prior to entering the kernel + (PPC_FEATURE2_HTM_NOSC on hwcap2) + * The functions posix_spawn_file_actions_addchdir_np and + posix_spawn_file_actions_addfchdir_np have been added, enabling + posix_spawn and posix_spawnp to run the new process in a different + directory + * The popen and system do not run atfork handlers anymore (BZ#17490) + * strftime's default formatting of a locale's alternative year (%Ey) + has been changed to zero-pad the year to a minimum of two digits, + like "%y" + * As a GNU extension, the '_' and '-' flags can now be applied to + "%EY" to control how the year number is formatted + * The glibc.tune tunable namespace has been renamed to glibc.cpu and the + tunable glibc.tune.cpu has been renamed to glibc.cpu.name + * The type of the pr_uid and pr_gid members of struct elf_prpsinfo, defined + in , has 
been corrected to match the type actually used by + the Linux kernel + * An archaic GNU extension to scanf, under which '%as', '%aS', and '%a[...]' + meant to scan a string and allocate space for it with malloc, is now + restricted to programs compiled in C89 or C++98 mode with _GNU_SOURCE + defined +- unwind-ctor.patch, old-getdents64.patch, nss-files-leak.patch, + riscv-feholdexcept-setround.patch, + pthread-cond-broadcast-waiters-after-spinning.patch, + regex-uninit-memory-access.patch, spawni-maybe-script-execute.patch, + gethostid-gethostbyname-failure.patch, strstr-huge-needle.patch, + pthread-mutex-lock-elision-race.patch, x86-haswell-string-flags.patch, + if-nametoindex-descr-leak.patch, riscv-flush-icache.patch: Removed +- CVE-2016-10739 +- bsc#1114984 +- bsc#1114993 +- bsc#1122729 +- bsc#1131330 +- bsc#1149332 +- bsc#1151582 +- bsc#1164505 + +- fnmatch-collating-elements.patch: update +- riscv-flush-icache.patch: fix for compiling against 4.20 headers + +- if-nametoindex-descr-leak.patch: if_nametoindex: Fix descriptor leak for + overlong name (CVE-2018-19591, BZ #23927, bsc#1117603) + +- Fix typography for glibc-locale-base. 
+ +- pthread-mutex-lock-elision-race.patch: Fix race in pthread_mutex_lock + while promoting to PTHREAD_MUTEX_ELISION_NP (BZ #23275) +- x86-haswell-string-flags.patch: x86: Fix Haswell CPU string flags (BZ + [#23709]) + +- unwind-ctor.patch: Add missing unwind information to ld.so on powerpc32 + (BZ #23707) +- old-getdents64.patch: Rewrite __old_getdents64 (BZ #23497) +- nss-files-leak.patch: Fix file stream leak in aliases lookup (BZ #23521) +- riscv-feholdexcept-setround.patch: Fix rounding save/restore bug +- pthread-cond-broadcast-waiters-after-spinning.patch: Fix + waiters-after-spinning case (BZ #23538) +- regex-uninit-memory-access.patch: fix uninitialized memory access (BZ + [#23578]) +- spawni-maybe-script-execute.patch: Fix segfault in maybe_script_execute +- gethostid-gethostbyname-failure.patch: Check for NULL value from + gethostbyname_r (BZ #23679) +- strstr-huge-needle.patch: Fix strstr bug with huge needles (BZ #23637) -- glibc-fix-aarch64-build.diff: Fix build on aarch64 with - binutils newer than 2.30. 
+- Add libpng-devel and zlib-devel for utils build -- aarch64-hwcap-atomics.patch: aarch64: add HWCAP_ATOMICS to - HWCAP_IMPORTANT (fate#325962) +- Update to glibc 2.28 + * The localization data for ISO 14651 is updated to match the 2016 + Edition 4 release of the standard, this matches data provided by + Unicode 9.0.0 + * Unicode 11.0.0 Support: Character encoding, character type info, and + transliteration tables are all updated to Unicode 11.0.0, using + generator scripts contributed by Mike FABIAN (Red Hat) + * functions that round their results to a narrower type are added + from TS 18661-1:2014 and TS 18661-3:2015 + * Two grammatical forms of month names are now supported + * The renameat2 function has been added, a variant of the renameat function + which has a flags argument + * The statx function has been added, a variant of the fstatat64 + function with an additional flags argument + * IDN domain names in getaddrinfo and getnameinfo now use the system libidn2 + library if installed + * Parsing of dynamic string tokens in DT_RPATH, DT_RUNPATH, DT_NEEDED, + DT_AUXILIARY, and DT_FILTER has been expanded to support the full + range of ELF gABI expressions including such constructs as + '$ORIGIN$ORIGIN' (if valid) + * Support for ISO C threads (ISO/IEC 9899:2011) has been added. 
+ * The nonstandard header files and <_G_config.h> are no longer + installed + * The stdio functions 'getc' and 'putc' are no longer defined as macros + * All stdio functions now treat end-of-file as a sticky condition + * The macros 'major', 'minor', and 'makedev' are now only available from + the header + * The obsolete function ustat is no longer available to newly linked + binaries; the headers and have been removed + * The obsolete function nfsservctl is no longer available to newly linked + binaries + * The obsolete function name llseek is no longer available to newly linked + binaries + * The AI_IDN_ALLOW_UNASSIGNED and NI_IDN_ALLOW_UNASSIGNED flags for the + getaddrinfo and getnameinfo functions have been deprecated + * The AI_IDN_USE_STD3_ASCII_RULES and NI_IDN_USE_STD3_ASCII_RULES flags for + the getaddrinfo and getnameinfo functions have been deprecated + * The fcntl function now have a Long File Support variant named fcntl64 + * CVE-2016-6261, CVE-2016-6263, CVE-2017-14062: Various vulnerabilities have + been fixed by removing the glibc-internal IDNA implementation and using + the system-provided libidn2 library instead +- Split off all libcrypt related functions into package libxcrypt +- fix-locking-in-_IO_cleanup.patch, fnmatch-collating-elements.patch: + Rediff +- aarch64-sys-ptrace-update.patch, + crypt_blowfish-1.2-hack_around_arm.diff, crypt_blowfish-1.2-sha.diff, + crypt_blowfish-const.patch, crypt_blowfish-gensalt.patch, + glibc-2.14-crypt.diff, i386-memmove-sse2-unaligned.patch, + i386-sigaction-sa-restorer.patch, mempcpy-avx512.patch, + netgroup-cache-keys.patch, nss-database-multiple-dfn.patch, + pkey-get-reserved-name.patch, powerpc-sys-ptrace-undefine-macros.patch, + powerpc-sys-ptrace-update.patch, realpath-ssize-max-overflow.patch, + res-send-enomem.patch, riscv-fmax-fmin-nan.patch, + riscv-kernel-sigaction.patch, riscv-readelflib.patch, + riscv-tls-init.patch: Removed +- glibc_post_upgrade.c: Don't reload init (bsc#1103124) +- 
CVE-2009-5155, CVE-2015-8985 +- bsc#1092877 +- bsc#1102526 +- bsc#1112570 +- bsc#1126590 +- bsc#1127223 + +- Use python3-pexpect instead of python-pexpect -- math-remove-slow-path.patch: Remove slow paths from math routines - (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882) +- riscv-kernel-sigaction.patch: fix struct kernel_sigaction to match the + kernel version (BZ #23069) -- localtime-2039.patch: Fix year 2039 bug for localtime with 64-bit time_t - (bsc#1102526, BZ #22639) +- glibc-2.3.90-langpackdir.diff: No longer search in /usr/share/locale-bundle -- i386-memmove-sse2-unaligned.patch: Fix SSE2 memmove issue when crossing - 2GB boundary (CVE-2017-18269, bnc#1094150, BZ #22644) +- mempcpy-avx512.patch: Don't write beyond destination in + __mempcpy_avx512_no_vzeroupper (CVE-2018-11237, bsc#1094154) -- glibc-fix-avx512-mempcpy.patch: replace with upstream version - -- Use %license also for COPYING and COPYING.LIB (bsc#1082318) - -- Add glibc-fix-avx512-mempcpy.patch as quick fix for mempcpy - buffer overwrite in memmove-avx512-no-vzeroupper.S for Knights - Landing CPUs (CVE-2018-11237, bnc#1094154, bnc#1092877, BZ #23196) +- Use %license also for COPYING, COPYING.LIB +- i386-memmove-sse2-unaligned.patch: Fix SSE2 memmove issue when crossing + 2GB boundary (CVE-2017-18269, bnc#1094150, BZ #22644) + -- Use %license (bsc#1082318) - -- stack-guard-size-accounting.patch: Fix stack guard size accounting - (bsc#1074208, BZ #22637) -- libgcc-rtld-now.patch: Open libgcc.so with RTLD_NOW during - pthread_cancel (bsc#1074208, BZ #22636) - -- Mark source0 as nosource in non-main source rpms - -- Add systemtap-headers to BuildRequires. -- Add --enable-systemtap to configure arguments. 
(fate#324969, - bsc#1073636) - -- memalign-overflow.patch: Fix integer overflows in internal memalign and - malloc functions (CVE-2018-6485, CVE-2018-6551, bsc#1079036, BZ #22343, - BZ #22774) +- pkey-get-reserved-name.patch: Linux: use reserved name __key in pkey_get + (BZ #22797) +- aarch64-sys-ptrace-update.patch: linux/aarch64: sync sys/ptrace.h with + Linux 4.15 (BZ #22433) +- powerpc-sys-ptrace-undefine-macros.patch: powerpc: Undefine Linux ptrace + macros that conflict with __ptrace_request +- powerpc-sys-ptrace-update.patch: linux/powerpc: sync sys/ptrace.h with + Linux 4.15 (BZ #22433, BZ #22807) +- netgroup-cache-keys.patch: Fix netgroup cache keys (BZ #22342) +- i386-sigaction-sa-restorer.patch: i386: Fix i386 sigaction sa_restorer + initialization (BZ #21269) +- riscv-tls-init.patch: RISC-V: Do not initialize $gp in TLS macros +- riscv-fmax-fmin-nan.patch: RISC-V: fmax/fmin: Handle signalling NaNs + correctly (BZ #22884) + +- nss-database-multiple-dfn.patch: Fix multiple definitions of + __nss_*_database (BZ #22918) + +- Use %license (boo#1082318) + +- Add systemtap-headers to BuildRequires +- Add --enable-systemtap to configure arguments (fate#324969, bsc#1073636) + +- riscv-readelflib.patch: Fix parsing flags in ELF64 files on riscv + +- Update to glibc 2.27 + * Optimized x86-64 asin, atan2, exp, expf, log, pow, atan, sin, cosf, + sinf, sincosf and tan with FMA + * Optimized x86-64 trunc and truncf for processors with SSE4.1 + * Optimized generic expf, exp2f, logf, log2f, powf, sinf, cosf and + sincosf + * In order to support faster and safer process termination the malloc API + family of functions will no longer print a failure address and stack + backtrace after detecting heap corruption + * The abort function terminates the process immediately, without flushing + stdio streams + * On platforms where long double has the IEEE binary128 format (aarch64, + alpha, mips64, riscv, s390 and sparc), the math library now implements + _Float128 interfaces for 
that type, as defined by ISO/IEC TS 18661-3:2015 + These are the same interfaces added in version 2.26 for some platforms where + this format is supported but is not the format of long double + * On platforms with support for _Float64x (aarch64, alpha, i386, ia64, + mips64, powerpc64le, riscv, s390, sparc and x86_64), the math library now + implements interfaces for that type, as defined by ISO/IEC TS + 18661-3:2015 + * The math library now implements interfaces for the _Float32, _Float64 and + _Float32x types, as defined by ISO/IEC TS 18661-3:2015 + * glibc now implements the memfd_create and mlock2 functions on Linux + * Support for memory protection keys was added + * The copy_file_range function was added + * The ldconfig utility now processes `include' directives using the C/POSIX + collation ordering + * Support for two grammatical forms of month names has been added + * Support for the RISC-V ISA running on Linux has been added + * Statically compiled applications attempting to load locales compiled for the + GNU C Library version 2.27 will fail and fall back to the builtin C/POSIX + locale + * Support for statically linked applications which call dlopen is deprecated + and will be removed in a future version of glibc + * Support for old programs which use internal stdio data structures and + functions is deprecated + * On GNU/Linux, the obsolete Linux constant PTRACE_SEIZE_DEVEL is no longer + defined by + * libm no longer supports SVID error handling (calling a user-provided + matherr function on error) or the _LIB_VERSION variable to control error + handling + * The libm functions pow10, pow10f and pow10l are no longer supported for + new programs + * The mcontext_t type is no longer the same as struct sigcontext + * The add-ons mechanism for building additional packages at the same time as + glibc has been removed + * The res_hnok, res_dnok, res_mailok and res_ownok functions now check that + the specified string can be parsed as a domain name + * In the 
malloc_info output, the element may contain another + element, "subheaps", which contains the number of sub-heaps + * In the malloc_info output, the element may contain another + element, "subheaps", which contains the number of sub-heaps + * The nonstandard header files and <_G_config.h> are deprecated + and will be removed in a future release + * CVE-2018-6485, CVE-2018-6551: The posix_memalign and memalign + functions, when called with an object size near the value of SIZE_MAX, + would return a pointer to a buffer which is too small, instead of NULL + (bsc#1079036) +- Support for Sun RPC is no longer available, use libtirpc instead +- glibc-nodate.patch, powerpc-elision-enable-envvar.patch, + s390-elision-enable-envvar.patch, resolv-context-leak.patch, + dl-runtime-resolve-opt-avx512f.patch, libpthread-compat-wrappers.patch, + math-c++-compat.patch, remove-nss-nis-compat.patch, + eh-frame-zero-terminator.patch, ld-so-hwcap-x86-64.patch, + assert-pedantic.patch, getaddrinfo-errno.patch, resolv-conf-oom.patch, + dynarray-allocation.patch, nearbyint-inexact.patch, nss-compat.patch, + nscd-libnsl.patch, malloc-tcache-leak.patch, + falkor-memcpy-memmove.patch, aarch64-cpu-features.patch, + nss-files-large-buffers.patch. 
sysconf-uio-maxiov.patch, + glob-tilde-overflow.patch, dl-runtime-resolve-xsave.patch, + spawni-assert.patch, x86-64-dl-platform.patch, glob64-s390.patch, + tst-tlsopt-powerpc.patch, powerpc-hwcap-bits.patch, + malloc-tcache-check-overflow.patch, dl-init-paths-overflow.patch, + fillin-rpath-empty-tokens.patch, getcwd-absolute.patch, + ldd-system-interp.patchabort-no-flush.patch: Removed +- All patches refreshed +- bsc#1063675 +- bsc#1074208 google-noto-fonts +fix: bsc#1202279 and gh#notofonts/Arimo#13 +- fix-arimo.patch + +fix: summary and descriptions not mentioning font being Serif + add: README.FAQ to answer some questions about Noto Fonts packaging + +feat: create new metapackage noto-fonts with all Noto Fonts except CJK and Emoji + +update: 20220524 -> 20220607 +- Noto Sans and Noto Sans Myanmar have been updated + fix(spec): add LICENSE to every package, remove redundant doc package +- It is likely a legal requirement that the license must be included with the package (rather than only recommends) +- Using the %license macro and including the license in every subpackage is the norm + fix(sh): prevent redundant .svn files from being compressed into archive + chore(spec): use install instead of mkdir and cp + chore(sh): fix typo + +- Add obsoletes and provides for google-{arimo,cousine,tinos}-fonts + +- Switch back to hinted ttf as unhinted otf causes blurring (boo#1199938) + +- Add obsoletes and provides for: + - noto-mono-fonts: Got merged into noto-sans-mono-fonts + - noto-sans-syriac* variants: Got merged into noto-sans-syriac-fonts + - noto-sans-tibetan-fonts: Got renamed to noto-serif-tibetan-fonts +- Update to version 20220524 + - Updated Noto Sans Myanmar and Noto Sans Tangsa Fonts + +- Clarify sources + +- Fix unversioned obsoletes +- Merge noto-sans-display-fonts into noto-sans-fonts + - Fixes inconsistent font family names see Github issue #2315 +- Bump version to 20220516 + - Start using OTF fonts to be in-line with Noto CJK and Emoji + - No new 
fonts + +- Update URL and source for zips +- Update to version 20220509 + - 96 new fonts, details at https://pastebin.com/ycnpAn88 + gstreamer-plugins-bad -- Add gstreamer-plugins-bad-CVE-2023-40474.patch: Backporting - ff91a3d8 from upstream, Fix possible overflow using - max_sub_layers_minus1 (CVE-2023-40474 bsc#1215793). +- Add gstreamer-plugins-bad-CVE-2023-40474.patch: + Backporting ce17e968 from upstream, Fix integer overflow causing + out of bounds writes when handling invalid uncompressed video. + (CVE-2023-40474 bsc#1215796) -- Add patch from upstream to fix a heap overwrite in PGS subtitle +- Add gstreamer-plugins-bad-CVE-2023-40476.patch: + Backporting ff91a3d8 from upstream, Fix possible overflow using + max_sub_layers_minus1. + (CVE-2023-40476 bsc#1215793) + +- Add 0001-dvdspu-Make-sure-enough-data-is-allocated-for-the.patch: + from upstream to fix a heap overwrite in PGS subtitle - execution (bsc#1213126, CVE-2023-37329): - * 0001-dvdspu-Make-sure-enough-data-is-allocated-for-the.patch + execution (CVE-2023-37329 bsc#1213126). less +- add zstd support to lessopen + +- Update to 643: + * Fix problem when a program piping into less reads from the tty, + like sudo asking for password (github #368). + * Fix search modifier ^E after ^W. + * Fix bug using negated (^N) search (github #374). + * Fix bug setting colors with -D on Windows build (github #386). + * Fix reading special chars like PageDown on Windows (github #378). + * Fix mouse wheel scrolling on Windows (github #379). + * Fix erroneous EOF when terminal window size changes (github #372). + * Fix compile error with some definitions of ECHONL (github #395). + * Fix crash on Windows when writing logfile (github #405). + * Fix regression in exit code when stdin is /dev/null and + output is a file (github #373). + * Add lesstest test suite to production release (github #344). + * Change lesstest output to conform with + automake Simple Test Format (github #399). 
+ +- Update to 633 + * This release fixes a build problem found in less-632 on systems + which have termcap.h in a subdirectory (ncurses/termcap.h or + ncursesw/termcap.h). There is no functional difference between + less-632 and less-633 + +- Update to 632 (differences between 608 and 632) + * Add LESSUTFCHARDEF environment variable (github #275). + * Add # command (github #330). + * Add ^S search modifier (github #196). + * Add --wordwrap option (github #113). + * Add --no-vbell option (github #304). + * Add --no-search-headers option (github #44). + * Add --modelines option (github #89). + * Add --intr option (github #224). + * Add --proc-backspace, --proc-tab and --proc-return options (github #335). + * Add --show-preproc-errors option (github #258). + * Add LESS_LINES and LESS_COLUMNS environment variables (github #84). + * Add LESS_DATA_DELAY environment variable (github #337). + * Allow empty "lines" field in --header option. + * Update Unicode tables. + * Improve ability of ^X to interrupt F command (github #49). + * Status column (-J) shows off-screen matches. + * Parenthesized sub-patterns in searches are colored with unique colors, if supported by the regular expression library (github #196). + * Don't allow opening a tty as file input unless -f is set (github #309). + * Don't require newline input after +&... option (github #339). + * Fix incorrect handling of some Private Use Unicode characters. + * Fix ANSI color bug when overstriking with colored chars (github #276). + * Fix compiler const warning (github #279). + * Fix signal race in iread (github #280). + * Fix reading procfs files on Linux (github #282). + * Fix --ignore-case with ctrl-R (no regex) search (github #300). + * Fix bug doing repeat search after setting & filter (github #299). + * Fix bug doing repeat search before non-repeat search. + * Fix crash with -R and certain line lengths (github #338). + * Fix input of Windows dead keys (github #352). 
+ * Don't retain search options from a cancelled search (github #302). + * Don't call realpath on fake filenames like "-" (github #289). + * Implement lesstest test suite. + * Convert function parameter definitions from K&R to C89 (github #316). +- Drop patch cve-2022-46663.patch (merged). + +- Refreshed all other patches with quilt to an uniform -p1 patch + style, which allows us to use %autosetup and simplify the spec + file a bit. + +- Update to 608: + * Add the --header option (github #43). + * Add the --no-number-headers option (github #178). + * Add the --status-line option. + * Add the --redraw-on-quit option (github #36). + * Add the --search-options option (github #213). + * Add the --exit-follow-on-close option (github #244). + * Add 'H' color type to set color of header lines. + * Add #version conditional to lesskey. + * Add += syntax to variable section in lesskey files. + * Allow option name in -- command to end with '=' in addition to '\n'. + * Add $HOME/.config to possible locations of lesskey file (github #153). + * Add $XDG_STATE_HOME and $HOME/.local/state to possible locations + of history file (github #223). + * Don't read or write history file in secure mode (github #201). + * Fix display of multibyte and double-width chars in prompt. + * Fix ESC-BACKSPACE command when BACKSPACE key does not send 0x08 + (github #188). + * Add more \k codes to lesskey format. + * Fix bug when empty file is modified while viewing it. + * Fix bug when parsing a malformed lesskey file (githb #234). + * Fix bug scrolling history when --incsearch is set (github #214). + * Fix buffer overflow when invoking lessecho with more than 63 -m/-n + options (github #198). + * Fix buffer overflow in bin_file (github #271). + * Fix bug restoring color at end of highlighted text. + * Fix bug in parsing lesskey file. + * Defer moving cursor to lower left in some more cases. + * Suppress TAB filename expansion in some cases where it doesn't make sense. 
+ * Fix termlib detection when compiler doesn't accept + calls to undeclared functions. + * Escape filenames when invoking LESSCLOSE. + * Fix bug using multibyte UTF-8 char in search string + with --incsearch (github #273). + +- Which need one /usr/bin/which, not the package which libhugetlbfs +- Add libhugetlbfs-noexecstack.patch (bsc#1213639) +- Increase buffer size in libhugetlbfs-increase-mount-buffer.patch + as in the provided fix (bsc#1213639) + +- Add libhugetlbfs-increase-mount-buffer.patch for upstream issue gh#43 + (boo#1216576, bsc#1213639) + -- update to 2.17: - * PPC segement alignment restrictions can be disabled - * Added Aarch64 support - * Allow compiler overrides for 64 and 32 bit builds - * hugeadm now handles /etc/mtab being a simlink properly - * ppc64 fixes -- remove libhugetlbfs.ia64-libdir.patch: - ia64 is no longer supported by openSUSE -- add ignore-perl-modules.diff: do not install perl modules, unused - and are installed in the wrong place to be found anyway -- add ARM support -- add disable-rw-on-non-ldscripts.diff: Skip rw tests -- Do not install tests anymore - -- Tests compile fine for s390(x), also include them in the package, the same - way it is done for other archs as well. - libmbim +- Fix build with RPM 4.19: unnumbered patches are no longer + supported. + poppler-data +- update to 0.4.12: + * updated files from the adobe-type-tools repositories + -- Update to version 0.4.5: - + New data from Adobe. - + New data from xpdf. 
- psmisc +- Fix version at configure time as there was no .tarball-version + rsync +- Update to latest version from Factory (3.2.7) +- Deleted the following patches, already included in that version: + - rsync-CVE-2020-14387.patch + - rsync-CVE-2022-29154-trust-sender-1.patch + - rsync-CVE-2022-29154-trust-sender-2.patch + - rsync-CVE-2022-29154.patch + - rsync-fix-delay-updates-never-updates-after-interruption.patch + +- Rename patch to follow naming patch policies: + fortified-strlcpy-fix.patch -> rsync-fortified-strlcpy-fix.patch + +- Use "slp" for bcond, not "openslp", like we use for all other + packages, too. +- Disable slp patch and configure option if bcond slp is disabled. + +- add fortified-strlcpy-fix.patch (bsc#1214616, bsc#1214249) + +- Disable openslp support on new distros (bsc#1214884) + +- Add support directory to %docdir. + Includes some upstream provided scripts such as rrsync. (bsc#1212198) + +- Switch rsyncd symlink to a wrapper script to allow setting a distinct + SELinux type (bsc#1209654) + +- New version fixes bug (boo#1203727): implicit containing directory + sometimes rejected as unrequested +- update to 3.2.7 + * BUG FIXES: + - Fixed the client-side validating of the remote sender's filtering behavior. + - More fixes for the "unrequested file-list name" name, including a copy of + "/" with `--relative` enabled and a copy with a lot of related paths with + `--relative` enabled (often derived from a `--files-from` list). + - When rsync gets an unpack error on an ACL, mention the filename. + - Avoid over-setting sanitize_paths when a daemon is serving "/" (even if + "use chroot" is false). + * ENHANCEMENTS: + - Added negotiated daemon-auth support that allows a stronger checksum digest + to be used to validate a user's login to the daemon. Added SHA512, SHA256, + and SHA1 digests to MD5 & MD4. These new digests are at the highest priority + in the new daemon-auth negotiation list. + - Added support for the SHA1 digest in file checksums. 
While this tends to be + overkill, it is available if someone really needs it. This overly-long + checksum is at the lowest priority in the normal checksum negotiation list. + See [`--checksum-choice`](rsync.1#opt) (`--cc`) and the `RSYNC_CHECKSUM_LIST` + environment var for how to customize this. + - Improved the xattr hash table to use a 64-bit key without slowing down the + key's computation. This should make extra sure that a hash collision doesn't + happen. + - If the `--version` option is repeated (e.g. `-VV`) then the information is + output in a (still readable) JSON format. Client side only. + - The script `support/json-rsync-version` is available to get the JSON style + version output from any rsync. The script accepts either text on stdin + * *or** an arg that specifies an rsync executable to run with a doubled + `--version` option. If the text we get isn't already in JSON format, it is + converted. Newer rsync versions will provide more complete json info than + older rsync versions. Various tweaks are made to keep the flag names + consistent across versions. + - The [`use chroot`](rsyncd.conf.5#) daemon parameter now defaults to "unset" + so that rsync can use chroot when it works and a sanitized copy when chroot + is not supported (e.g., for a non-root daemon). Explicitly setting the + parameter to true or false (on or off) behaves the same way as before. + - The `--fuzzy` option was optimized a bit to try to cut down on the amount of + computations when considering a big pool of files. The simple heuristic from + Kenneth Finnegan resuled in about a 2x speedup. + - If rsync is forced to use protocol 29 or before (perhaps due to talking to an + rsync before 3.0.0), the modify time of a file is limited to 4-bytes. Rsync + now interprets this value as an unsigned integer so that a current year past + 2038 can continue to be represented. 
This does mean that years prior to 1970 + cannot be represented in an older protocol, but this trade-off seems like the + right choice given that (1) 2038 is very rapidly approaching, and (2) newer + protocols support a much wider range of old and new dates. + - The rsync client now treats an empty destination arg as an error, just like + it does for an empty source arg. This doesn't affect a `host:` arg (which is + treated the same as `host:.`) since the arg is not completely empty. The use + of [`--old-args`](rsync.1#opt) (including via `RSYNC_OLD_ARGS`) allows the + prior behavior of treating an empty destination arg as a ".". + * PACKAGING RELATED: + - The checksum code now uses openssl's EVP methods, which gets rid of various + deprecation warnings and makes it easy to support more digest methods. On + newer systems, the MD4 digest is marked as legacy in the openssl code, which + makes openssl refuse to support it via EVP. You can choose to ignore this + and allow rsync's MD4 code to be used for older rsync connections (when + talking to an rsync prior to 3.0.0) or you can choose to configure rsync to + tell openssl to enable legacy algorithms (see below). + - A simple openssl config file is supplied that can be installed for rsync to + use. If you install packaging/openssl-rsync.cnf to a public spot (such as + `/etc/ssl/openssl-rsync.cnf`) and then run configure with the option + `--with-openssl-conf=/path/name.cnf`, this will cause rsync to export the + configured path in the OPENSSL_CONF environment variable (when the variable + is not already set). This will enable openssl's MD4 code for rsync to use. + - The packager may wish to include an explicit "use chroot = true" in the top + section of their supplied /etc/rsyncd.conf file if the daemon is being + installed to run as the root user (though rsync should behave the same even + with the value unset, a little extra paranoia doesn't hurt). 
+ - I've noticed that some packagers haven't installed support/nameconvert for + users to use in their chrooted rsync configs. Even if it is not installed + as an executable script (to avoid a python3 dependency) it would be good to + install it with the other rsync-related support scripts. + - It would be good to add support/json-rsync-version to the list of installed + support scripts. + +- Use bundled SLP patch now that upstream fixed it: + * Remove rsync-3.2.5-slp.patch + +- update to 3.2.6: + * More path-cleaning improvements in the file-list validation code to avoid + rejecting of valid args. + * A file-list validation fix for a --files-from file that ends without a + line-terminating character. + * Added a safety check that prevents the sender from removing destination + files when a local copy using --remove-source-files has some files that are + shared between the sending & receiving hierarchies, including the case + where the source dir & destination dir are identical. + * Fixed a bug in the internal MD4 checksum code that could cause the digest + to be sporadically incorrect (the openssl version was/is fine). + * A minor tweak to rrsync added "copy-devices" to the list of known args, but + left it disabled by default. + +- Build SLE version with g++-11 + to work around nondeterministic g++-7 (boo#1193895) + +- Migration to /usr/etc: Saving user changed configuration files + in /etc and restoring them while an RPM update. + +- Add upstream patch rsync-3.2.5-slp.patch, as the one included in + the released tarball doesn't fully apply. +- Drop patch rsync-CVE-2022-29154.patch, already included upstream. +- Update to 3.2.5 + * SECURITY FIXES: + - Added some file-list safety checking that helps to ensure that a rogue + sending rsync can't add unrequested top-level names and/or include recursive + names that should have been excluded by the sender. These extra safety + checks only require the receiver rsync to be updated. 
When dealing with an + untrusted sending host, it is safest to copy into a dedicated destination + directory for the remote content (i.e. don't copy into a destination + directory that contains files that aren't from the remote host unless you + trust the remote host). Fixes CVE-2022-29154. + - A fix for CVE-2022-37434 in the bundled zlib (buffer overflow issue). + * BUG FIXES: + - Fixed the handling of filenames specified with backslash-quoted wildcards + when the default remote-arg-escaping is enabled. + - Fixed the configure check for signed char that was causing a host that + defaults to unsigned characters to generate bogus rolling checksums. This + made rsync send mostly literal data for a copy instead of finding matching + data in the receiver's basis file (for a file that contains high-bit + characters). + - Lots of manpage improvements, including an attempt to better describe how + include/exclude filters work. + - If rsync is compiled with an xxhash 0.8 library and then moved to a system + with a dynamically linked xxhash 0.7 library, we now detect this and disable + the XX3 hashes (since these routines didn't stabilize until 0.8). + * ENHANCEMENTS: + - The [`--trust-sender`](rsync.1#opt) option was added as a way to bypass the + extra file-list safety checking (should that be required). + * PACKAGING RELATED: + - A note to those wanting to patch older rsync versions: the changes in this + release requires the quoted argument change from 3.2.4. Then, you'll want + every single code change from 3.2.5 since there is no fluff in this release. + - The build date that goes into the manpages is now based on the developer's + release date, not on the build's local-timezone interpretation of the date. + * DEVELOPER RELATED: + - Configure now defaults GETGROUPS_T to gid_t when cross compiling. 
+ - Configure now looks for the bsd/string.h include file in order to fix the + build on a host that has strlcpy() in the main libc but not defined in the + main string.h file. + - * Added patch rsync-rsync-CVE-2022-29154.patch + * Added patch rsync-CVE-2022-29154.patch + +- Removed %config flag for files in /usr directory. + +- Moved logrotate files from user specific directory /etc/logrotate.d + to vendor specific directory /usr/etc/logrotate.d. + +- Update to 3.2.4 + * A new form of arg protection was added that works similarly to + the older `--protect-args` (`-s`) option but in a way that + avoids breaking things like rrsync. + * A long-standing bug was preventing rsync from figuring out the + current locale's decimal point character, which made rsync + always output numbers using the "C" locale. + * Too many changes to list, see included NEWS.md file. +- Drop rsync-CVE-2020-14387.patch, already included upstream. + +- Added hardening to systemd service(s) (bsc#1181400). Modified: + * rsyncd.service sqlite3 +- Sync version 3.44.0 from Factory + * Fixes bsc#1210660, CVE-2023-2137: Heap buffer overflow + * sqlite3-rtree-i686.patch: temporary build fix for 32-bit x86. + * Obsoletes sqlite-CVE-2022-46908.patch + * Obsoletes sqlite-src-3390000-func7-pg-181.patch + squashfs +- For reference: previous updates fixed + * CVE-2021-40153 (bsc#1189936) + * CVE-2015-4645, CVE-2015-4646 (bsc#935380) + +- update to 4.6.1: + * Race condition which can cause corruption of the "fragment + table" fixed. This is a regression introduced in August 2022, + and it has been seen when tailend packing is used (-tailends option). + * Fix build failure when the tools are being built without + extended attribute (XATTRs) support. + * Fix XATTR error message when an unrecognised prefix is + found + * Fix incorrect free of pointer when an unrecognised XATTR + prefix is found. 
+ * Major improvements in extended attribute handling, + pseudo file handling, and miscellaneous new options and + improvements + * Extended attribute handling improved in Mksquashfs and + Sqfstar + * New Pseudo file xattr definition to add extended + attributes to files. + * New xattrs-add Action to add extended attributes to files + * Extended attribute handling improved in Unsquashfs + * Other major improvements + * Unsquashfs can now output Pseudo files to standard out. + * Mksquashfs can now input Pseudo files from standard in. + * Squashfs filesystems can now be converted (different + block size compression etc) without unpacking to an + intermediate filesystem or mounting, by piping the output of + Unsquashfs to Mksquashfs. + * Pseudo files are now supported by Sqfstar. + * "Non-anchored" excludes are now supported by Unsquashfs. + +- Do not repeat openSUSE / SLE version tests +- Actually format and package the man pages + +- set LZMA_XZ_SUPPORT=1 so you can (un)squash -comp lzma images + +- update to 4.5.1 (bsc#1190531, CVE-2021-41072): + * This release adds Manpages for Mksquashfs(1), Unsquashfs(1), + Sqfstar(1) and Sqfscat(1). + * The -help text output from the utilities has been improved + and extended as well (but the Manpages are now more + comprehensive). + * CVE-2021-41072 which is a writing outside of destination + exploit, has been fixed. + * The number of hard-links in the filesystem is now also + displayed by Mksquashfs in the output summary. + * The number of hard-links written by Unsquashfs is now + also displayed in the output summary. + * Unsquashfs will now write to a pre-existing destination + directory, rather than aborting. + * Unsquashfs now allows "." to used as the destination, to + extract to the current directory. + * The Unsquashfs progress bar now tracks empty files and + hardlinks, in addition to data blocks. + * -no-hardlinks option has been implemented for Sqfstar. 
+ * More sanity checking for "corrupted" filesystems, including + checks for multiply linked directories and directory loops. + * Options that may cause filesystems to be unmountable have + been moved into a new "experts" category in the Mksquashfs + help text (and Manpage). + * Maximum cpiostyle filename limited to PATH_MAX. This + prevents attempts to overflow the stack, or cause system + calls to fail with a too long pathname. + * Don't always use "max open file limit" when calculating + length of queues, as a very large file limit can cause + Unsquashfs to abort. Instead use the smaller of max open + file limit and cache size. + * Fix Mksquashfs silently ignoring Pseudo file definitions + when appending. + * Don't abort if no XATTR support has been built in, and + there's XATTRs in the filesystem. This is a regression + introduced in 2019 in Version 4.4. + * Fix duplicate check when the last file block is sparse. + +- update to 4.5: + * Mksquashfs now supports "Actions". + * New sqfstar command which will create a Squashfs image from a tar archive. + * Tar style handling of source pathnames in Mksquashfs. + * Cpio style handling of source pathnames in Mksquashfs. + * New option to throttle the amount of CPU and I/O. + * Mksquashfs now allows no source directory to be specified. + * New Pseudo file "R" definition which allows a Regular file + o be created with data stored within the Pseudo file. + * Symbolic links are now followed in extract files + * Unsquashfs now supports "exclude" files. + * Max depth traversal option added. + * Unsquashfs can now output a "Pseudo file" representing the + input Squashfs filesystem. + * New -one-file-system option in Mksquashfs. + * New -no-hardlinks option in Mksquashfs. + * Exit code in Unsquashfs changed to distinguish between + non-fatal errors (exit 2), and fatal errors (exit 1). + * Xattr id count added in Unsquashfs "-stat" output. + * Unsquashfs "write outside directory" exploit fixed. 
+ * Error handling in Unsquashfs writer thread fixed. + * Fix failure to truncate destination if appending aborted. + * Prevent Mksquashfs reading the destination file. + tiff -- security update: - * CVE-2023-38289 [bsc#1213589] - + tiff-CVE-2023-38289.patch - * CVE-2023-38288 [bsc#1213590] - + tiff-CVE-2023-38288.patch - * CVE-2023-3576 [bsc#1213273] - + tiff-CVE-2023-3576.patch - * CVE-2020-18768 [bsc#1214574] - + tiff-CVE-2020-18768.patch - * CVE-2023-26966 [bsc#1212881] - + tiff-CVE-2023-26966.patch - * CVE-2023-3618 [bsc#1213274] - + tiff-CVE-2023-3618.patch - * CVE-2023-2908 [bsc#1212888] - + tiff-CVE-2023-2908.patch - * CVE-2023-3316 [bsc#1212535] - + tiff-CVE-2023-3316.patch +- Update to version 4.6.0: + * API/ABI breaks: none + * WebP decoder: validate WebP blob width, height, band count against + TIFF parameters to avoid use of uninitialized variable, or decoding + corrupted content without explicit error (fixes issue #581, issue #582). + * WebP codec: turn exact mode when creating lossless files to avoid + altering R,G,B values in areas where alpha=0 + * Fix TransferFunction writing of only two transfer functions. + * TIFFReadDirectoryCheckOrder: avoid integer overflow. When it occurs, + it should be harmless in practice though + * tiffcp: remove -i option (ignore errors) + * This version removes a big number of utilities that have suffered from + lack of maintenance over the years and were the source of various + reported security issues: + + fax2ps + + fax2tiff + + pal2rgb + + ppm2tiff + + raw2tiff + + rgb2ycbcr + + thumbnail + + tiff2bw + + tiff2rgba + + tiffcmp + + tiffcrop + + tiffdither + + tiffgt + + tiffmedian + + tiff2ps + + tiff2pdf +- Remove no longer needed tiff-4.0.3-compress-warning.patch. + +- Update to version 4.5.1: + * Definition of tags reformatted (clang-format off) for better readability of tag comments in tiff.h and tif_dirinfo.c + * Do not install libtiff-4.pc when tiff-install is reset. 
+ * Add versioninfo resource files for DLL and tools compiled with Windows MSVC and MINGW. + * Disable clang-formatting for tif_config.h.cmake.in and tiffconf.h.cmake.in because sensitive for CMake scripts. + * CMake: make WebP component name compatible with upstream ConfigWebP.cmake + * CMake: make Findliblzma with upstream CMake config file + * CMake: FindDeflate.cmake: fix several errors (issue #526). + * CMake: FindLERC.cmake: version string return added. + * CMake: export TiffConfig.cmake and TiffConfigVersion.cmake files + * CMake: fix export of INTERFACE_INCLUDE_DIRECTORIES + * Hardcode HOST_FILLORDER to FILLORDER_LSB2MSB and make 'H' flag of TIFFOpen() to warn and an alias of FILLORDER_MSB2LSB. tif_lerc.c: use WORDS_BIGENDIAN instead of HOST_BIGENDIAN. + * Optimize relative seeking within TIFFSetDirectory() by using the learned list of IFD offsets. + * Improve internal IFD offset and directory number map handling. + * Behavior of TIFFOpen() mode "r+" in the Windows implementation adjusted to that of Linux. + * TIFFDirectory td_fieldsset type changed from unsigned long, which can be 32 or 64 bits, to uint32_t (fixes issue #484). + * tif_ojpeg.c: checking for division by zero (fixes issue #554). + * LZWDecode(): avoid crash when trying to read again from a strip whith a missing end-of-information marker (fixes issue #548). + * Fixed runtime error: applying zero offset to null pointer in countInkNamesString(). + * Fixing crash in TIFFUnlinkDirectory() when called with directory number zero ("TIFFUnlinkDirectory(0)") as well as fixing incorrect behaviour when unlinking the first directory. + * tif_luv: check and correct for NaN data in uv_encode() (issue #530). + * TIFFClose() avoid NULL pointer dereferencing (issue #515). + * tif_hash_set.c: include tif_hash_set.h after tif_config.h to let a chance for GDAL symbol renaming trick. + * Fax3: fix failure to decode some fax3 number_of_images and add test for Fax3 decoding issues (issue #513). 
+ * TIFFSetDirectory() and TIFFWriteDirectorySec() avoid harmless unsigned-integer-overflow (due to gdal oss-fuzz #54311 and #54343). + * tif_ojpeg.c: fix issue #554 by checking for division by zero in OJPEGWriteHeaderInfo(). + * LZWDecode(): avoid crash when trying to read again from a strip whith a missing end-of-information marker (issue #548). +- Drop no longer needed patches: + * tiff-CVE-2023-0795,CVE-2023-0796,CVE-2023-0797,CVE-2023-0798,CVE-2023-0799.patch + * tiff-CVE-2022-48281.patch + * tiff-CVE-2023-0800,CVE-2023-0801,CVE-2023-0802,CVE-2023-0803,CVE-2023-0804.patch - * CVE-2023-25433 [bsc#1212883] +- Update to 4.5.0: + * tdir_t type updated to uint32_t. This type is now used for the return + value of TIFFCurrentDirectory() and TIFFNumberOfDirectories(), and as + the argument of TIFFSetDirectory() and TIFFUnlinkDirectory() + * Addition of an open option concept with the new functions TIFFOpenExt(), + TIFFOpenWExt(), TIFFFdOpenExt(), TIFFClientOpenExt(), TIFFOpenOptionsAlloc(), + TIFFOpenOptionsFree() + * Leveraging above mentioned open option concept, addition of a new capability + to limit the size of a single dynamic memory allocation done by the library + with TIFFOpenOptionsSetMaxSingleMemAlloc() + * Related to IFD-Loop detection refactoring, the number of IFDs that libtiff + can browse through has been extended from 65535 to 1048576. This value is + a build-time setting that can be configured with CMake's TIFF_MAX_DIR_COUNT + variable or autoconf's --with-max-dir-count option. + * Whole code base reformatting of .c/.h files using new .clang-format format + * Documentation changed from static HTML and man pages to + Restructured Text (rst). HTML and man pages are now build artifacts. + * SONAME version bumped to 6 due to changes in symbol versioning. + * autoconf/cmake: detect (not yet released) libjpeg-turbo 2.2 to take into + its capability of handling both 8-bit JPEG and 12-bit JPEG in a single build. 
+ * autoconf/cmake: detect sphinx-build to build HTML and man pages + * CMakeLists.txt: fix warning with -Wdev + * CMake: correctly set default value of 'lzma' option when liblzma is detected + * CMake: Moved linking of CMath::CMath into CMath_LIBRARY check. + * Fix CMake build to be compatible with FetchContent. + * cmake: Correct duplicate definition of _CRT_SECURE_NO_WARNINGS + * cmake: Fixes for Visual Studio 2022. + * Adds Requires.private generation so that pkg-config can correctly find + the dependencies of libtiff. + * Fix dependency on libm on Android + * Fix build in tif_lzw.c + * CMake: Add options for disabling tools, tests, contrib and docs. + * tiffcrop: Fix memory allocation to require a larger buffer (CVE-2022-3570, CVE-2022-3598) + [bsc#1205422] + * tiffcrop: disable incompatibility of -Z, -X, -Y, -z options with any PAGE_MODE_x option + (CVE-2022-3627, CVE-2022-3597, CVE-2022-3626) + * tiffcrop: fix floating-point exception (CVE-2022-2056, CVE-2022-2057, CVE-2022-2058) + * _TIFFCheckFieldIsValidForCodec(): return FALSE when passed a codec-specific tag + and the codec is not configured (CVE-2022-34526) + * Revised handling of TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value (CVE-2022-3599) + * tiffcrop: -S option mutually exclusive (CVE-2022-2519, CVE-2022-2520, CVE-2022-2521) +- Drop tiff-CVE-2022-3597,CVE-2022-3626,CVE-2022-3627.patch +- Drop tiff-CVE-2022-34526.patch +- Drop tiff-CVE-2022-3599.patch +- Drop tiff-CVE-2022-3598.patch +- Drop tiff-CVE-2022-3970.patch +- Drop tiff-CVE-2022-2519,CVE-2022-2520,CVE-2022-2521.patch +- Drop tiff-CVE-2022-2056,CVE-2022-2057,CVE-2022-2058.patch + - * CVE-2022-3570 [bsc#1205422] - * CVE-2022-3598 [bsc#1204642] - + tiff-CVE-2022-3598,3570.patch + * CVE-2022-3970 [bsc#1205392] + + tiff-CVE-2022-3970.patch - * CVE-2022-3970 [bsc#1205392] - + tiff-CVE-2022-3970.patch + * CVE-2022-3598 [bsc#1204642] + + tiff-CVE-2022-3598.patch - * CVE-2022-2867 [bsc#1202466] - * CVE-2022-2868 [bsc#1202467] - * 
CVE-2022-2869 [bsc#1202468] - + tiff-CVE-2022-2867,CVE-2022-2868,CVE-2022-2869.patch - -- CVE-2022-34266 [bsc#1201971] and [bsc#1201723]: - Rename tiff-CVE-2022-0561.patch to - tiff-CVE-2022-0561,CVE-2022-34266.patch - This CVE is actually a duplicate. +- update to 4.4.0: + * TIFFIsBigTiff() function added. + * Functions TIFFFieldSetGetSize() and TIFFieldSetGetCountSize() added. + * LZWDecode(): major speed improvements (~30% faster) + * Predictor 2 (horizontal differenciation): support 64-bit + * Support libjpeg 9d + * avoid hang in TIFFRewriteDirectory() if a classic file > 4 GB is attempted + to be created + * tif_jbig.c: fix crash when reading a file with multiple IFD in + memory-mapped mode and when bit reversal is needed + * TIFFFetchNormalTag(): avoid calling memcpy() with a null source pointer and + size of zero + * TIFFWriteDirectoryTagData(): turn assertion on data length into a runtime + check + * TIFFFetchStripThing(): avoid calling memcpy() with a null source pointer + and size of zero + * TIFFReadDirectory(): avoid calling memcpy() with a null source pointer and + size of zero + * TIFFYCbCrToRGBInit(): avoid Integer-overflow + * TIFFGetField(TIFFTAG_STRIPBYTECOUNTS/TIFFTAG_STRIPOFFSETS): return error if + returned pointer is NULL (fixes #342) + * OJPEG: avoid assertion when using TIFFReadScanline() + * TIFFReadDirectory: fix OJPEG hack + * LZW codec: fix support for strips/tiles > 2 GB on Windows + * TIFFAppendToStrip(): fix rewrite-in-place logic + * Fix TIFFRewriteDirectory discarding directories. + * TIFFReadCustomDirectory(): avoid crash when reading SubjectDistance tag on + a non EXIF directory + * Fix Segmentation fault printing GPS directory if Altitude tag is present + * tif_jpeg.c: do not emit progressive scans with mozjpeg. (#266) + * _TIFFRewriteField(): fix when writing a IFD with a single tile that is a + sparse one, on big endian hosts + * Fix all remaining uses of legacy Deflate compression id and warn on use. 
+ * CVE-2022-22844 bsc#1194539 + * CVE-2022-2867 bsc#1202466 + * CVE-2022-2868 bsc#1202467 + * CVE-2022-2869 bsc#1202468 +- drop tiff-CVE-2022-0907.patch, tiff-CVE-2022-0561.patch, tiff-CVE-2022-0562.patch, + tiff-CVE-2022-0865.patch, tiff-CVE-2022-0909.patch, tiff-CVE-2022-0924.patch, + tiff-CVE-2022-0908.patch, tiff-CVE-2022-1056,CVE-2022-0891.patch: all upstream +- add signature validation, adds tiff.keyring + +- security update: + * CVE-2022-0907 [bsc#1197070] + + tiff-CVE-2022-0907.patch + + * CVE-2022-34266 [bsc#1201723] [bsc#1201971] -- security update: Fix buffer overwrite - * CVE-2019-17546[bsc#1154365] - + tiff-CVE-2019-17546.patch -- security update: Fix heap based buffer overflow in pal2rgb - * CVE-2017-17095[bsc#1071031] - + tiff-CVE-2017-17095.patch -- security update: Fix OOB in _TIFFmemcpy - * CVE-2022-22844[bsc#1194539] - + tiff-CVE-2022-22844.patch -- security update: Fix memory allocation failure in tif_read.c - * CVE-2020-35521[bsc#1182808] CVE-2020-35522[bsc#1182809] - + tiff-CVE-2020-35521,CVE-2020-35522.patch -- security update: Fix DOS via invertImage() - * CVE-2020-19131[bsc#1190312] - + tiff-CVE-2020-19131.patch -- security update: Fix heap-based buffer overflow in TIFF2PDF tool - * CVE-2020-35524[bsc#1182812] - + tiff-CVE-2020-35524.patch -- security update: Fix integer overflow in tif_getimage - * CVE-2020-35523 [bsc#1182811] - + tiff-CVE-2020-35523.patch - -- security update: amend patch to fix test -- modified patches - % tiff-CVE-2019-14973.patch (refreshed) - -- security update: Fix integer overflow in _TIFFCheckMalloc() - * CVE-2019-14973 [bsc#1146608] - + tiff-CVE-2019-14973.patch +- switch source url to https + +- version update to 4.3.0 + * Build and usage of the library and its utilities requires a C99 + capable compiler. + * New optional codec for the LERC (Limited Error Raster Compression) + compression scheme. 
To have it available, configure libtiff against + the SDK available at https://github.com/esri/lerc + * Removal of unused, or now useless due to C99 availability, + functions in port/ + * tiffcmp: fix comparaison with pixels that are + fractional number of bytes + * tiff2ps: exit the loop in case of error + * tiff2pdf: check that tiff_datasize fits in a signed tsize_t + +- version update to 4.2.0 + Major changes: + * Optional support for using libdeflate is added. + * Many of the tools now support a memory usage limit. + See http://www.simplesystems.org/libtiff/v4.2.0.html for more. + * CVE-2020-35521 bsc#1182808 + * CVE-2020-35522 bsc#1182809 + * CVE-2020-35523 bsc#1182811 + * CVE-2020-35524 bsc#1182812 + +- Drop webp support as it would introduce build cycle + +- Enable zstd and webp support + +- version update to 4.1.0 + * fixes several CVEs mentioned below and more, + see ChangeLog + * CVE-2019-17546 bsc#1154365 + * CVE-2017-17095 bsc#1071031 + * CVE-2019-14973 bsc#1146608 + * CVE-2020-19131 bsc#1190312 +- deleted patches + - tiff-CVE-2018-12900.patch (upstreamed) + - tiff-CVE-2018-17000,19210.patch (upstreamed) + - tiff-CVE-2019-6128.patch (upstreamed) + - tiff-CVE-2019-7663.patch (upstreamed) +- amend tiff-CVE-2018-12900.patch: fix wrong error message + [bsc#1099257] + +- Support only SLE12+ and remove the no longer needed conditions + - * CVE-2018-18661 [bsc#1113672] - + tiff-CVE-2018-18661.patch - * CVE-2018-18557 [bsc#1113094] - + tiff-CVE-2018-18557.patch -- asan_build: build ASAN included -- debug_build: build more suitable for debugging +- upddated to 4.0.10: + * fixes several CVEs mentioned below plus CVE-2018-18557 [bsc#1113094] + and CVE-2018-18661 [bsc#1113672] and more +- removed patches + * tiff-CVE-2017-11613,CVE-2018-16335,15209.patch + * tiff-CVE-2017-18013.patch + * tiff-CVE-2017-9935,CVE-2018-17795.patch + * tiff-CVE-2018-10779.patch + * tiff-CVE-2018-10963.patch + * tiff-CVE-2018-17100.patch + * tiff-CVE-2018-17101.patch + * 
tiff-CVE-2018-7456.patch + * tiff-CVE-2018-8905.patch + * tiff-4.0.9-bsc1081690-CVE-2018-5784.patch - * CVE-2018-17100 [bsc#1108637] - + tiff-CVE-2018-17100.patch - * CVE-2018-17101 [bsc#1108627] - + tiff-CVE-2018-17101.patch + * CVE-2018-17100 [bsc#1108637] + + tiff-CVE-2018-17100.patch + * CVE-2018-17101 [bsc#1108627] + + tiff-CVE-2018-17101.patch + +- remove pal2rgb tool [bsc#1071031] + +- security update traceroute +- security update +- added patches + fix CVE-2023-46316 [bsc#1216591], wrapper scripts do not properly parse command lines + + traceroute-CVE-2023-46316.patch + yast2-trans +- Update to version 84.87.20231121.7869d671a6: + * New POT for text domain 'hana-ha'. + +- Update to version 84.87.20231117.f12231d4de: + * New POT for text domain 'cc'. + +- Update to version 84.87.20231104.b73ad6fbc9: + * Translated using Weblate (Slovak) + * Translated using Weblate (Czech) + * Translated using Weblate (Dutch) + * Translated using Weblate (Catalan) + * Translated using Weblate (Japanese) + * Translated using Weblate (Japanese) + * New POT for text domain 'storage'. + * New POT for text domain 'installation'. + * Translated using Weblate (Indonesian) + * Translated using Weblate (Indonesian) + * New POT for text domain 'update'. 
+ * Translated using Weblate (Indonesian) + * Translated using Weblate (Indonesian) + * Translated using Weblate (Indonesian) + * Translated using Weblate (Indonesian) + * Translated using Weblate (Indonesian) + * Translated using Weblate (Indonesian) + * Translated using Weblate (Indonesian) + * Translated using Weblate (Indonesian) + +- Update to version 84.87.20231027.a9c9df2125: + * Translated using Weblate (Galician) + * Translated using Weblate (Macedonian) + * Translated using Weblate (Macedonian) + * Translated using Weblate (Macedonian) + * Translated using Weblate (Macedonian) + * Translated using Weblate (Macedonian) + * Translated using Weblate (Macedonian) + * Translated using Weblate (Italian) + * Translated using Weblate (Catalan) + * Translated using Weblate (Czech) + * Translated using Weblate (Czech) + * Translated using Weblate (Slovak) + * Translated using Weblate (Slovak) + * Translated using Weblate (Dutch) + * Translated using Weblate (Japanese) + * New POT for text domain 'storage'. + * New POT for text domain 'country'. + * Translated using Weblate (Dutch) + * Translated using Weblate (Catalan) + * Translated using Weblate (Japanese) + * Translated using Weblate (French) + * New POT for text domain 'qt-pkg'. 
+ +- Update to version 84.87.20231004.bd479b5f2d: + * Translated using Weblate (Portuguese (Brazil)) + * Translated using Weblate (Portuguese (Brazil)) + * Translated using Weblate (German) + * Translated using Weblate (German) + * Translated using Weblate (German) + * Translated using Weblate (Indonesian) + * Translated using Weblate (Indonesian) + * Translated using Weblate (Indonesian) + * Translated using Weblate (Catalan) + * Translated using Weblate (Catalan) + +- Update to version 84.87.20230930.5f9e01162a: + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * New POT for text domain 'storage'. + +- Update to version 84.87.20230922.91d997adab: + * New POT for text domain 'packager'. + * New POT for text domain 'iscsi-client'. + +- Update to version 84.87.20230913.43f962446c: + * Translated using Weblate (Indonesian) + * New POT for text domain 'control'. + +- Update to version 84.87.20230909.35988571be: + * Translated using Weblate (Swedish) + * Translated using Weblate (Swedish) + * Translated using Weblate (Indonesian) + * Translated using Weblate (Russian) + +- Update to version 84.87.20230901.be24cb382f: + * Translated using Weblate (Slovak) + * Translated using Weblate (Dutch) + * Translated using Weblate (Japanese) + * Translated using Weblate (Czech) + * Translated using Weblate (Catalan) + * New POT for text domain 'bootloader'. 
+ * Translated using Weblate (Kurdish) + * Translated using Weblate (Kurdish) + +- Update to version 84.87.20230818.ea489402e5: + * Translated using Weblate (Latvian) + * Translated using Weblate (Catalan) + * Translated using Weblate (Catalan) + * Translated using Weblate (Catalan) + +- Update to version 84.87.20230811.13616e3be9: + * Translated using Weblate (Georgian) + * Translated using Weblate (Slovak) + * Translated using Weblate (Slovak) + * Translated using Weblate (Slovak) + * Translated using Weblate (Japanese) + * Translated using Weblate (Japanese) + * Translated using Weblate (Japanese) + * Translated using Weblate (Czech) + * Translated using Weblate (Dutch) + * Translated using Weblate (Czech) + * Translated using Weblate (Dutch) + * Translated using Weblate (Czech) + * New POT for text domain 'users'. + * New POT for text domain 'storage'. + * New POT for text domain 'sap-installation-wizard'. + * New POT for text domain 'qt-pkg'. + * New POT for text domain 'qt'. + * New POT for text domain 'pam'. + * New POT for text domain 'ncurses'. + * New POT for text domain 'migration_sle'. + * New POT for text domain 'kdump'. + * New POT for text domain 'installation'. + * New POT for text domain 'control'. 
+ +- Update to version 84.87.20230729.64eca7e0a1: + * Translated using Weblate (Kurdish) + * Translated using Weblate (Czech) + +- Update to version 84.87.20230720.09601d9b28: + * Translated using Weblate (English (United Kingdom)) + * Translated using Weblate (English (United Kingdom)) + * Translated using Weblate (Russian) + +- Update to version 84.87.20230714.966688ddd0: + * Translated using Weblate (Indonesian) + * Translated using Weblate (Indonesian) + * Translated using Weblate (Indonesian) + +- Update to version 84.87.20230708.d1de37aed1: + * Translated using Weblate (Chinese (China) (zh_CN)) + * Translated using Weblate (Kurdish) + +- Update to version 84.87.20230630.ccfa6add46: + * Translated using Weblate (Indonesian) + * Translated using Weblate (Finnish) + +- Update to version 84.87.20230619.113a4fdc71: + * Translated using Weblate (Kurdish) + * Translated using Weblate (Indonesian) + * Translated using Weblate (Indonesian) + * Translated using Weblate (Indonesian) + * Translated using Weblate (Kurdish) + * Translated using Weblate (Kurdish) + * Translated using Weblate (Kurdish) + * Translated using Weblate (Kurdish) + * Translated using Weblate (Arabic) + * Translated using Weblate (Kurdish) + * Translated using Weblate (Italian) + * New POT for text domain 'users'. + * New POT for text domain 's390'. + * New POT for text domain 'storage'. + * New POT for text domain 'apparmor'. + +- Update to version 84.87.20230602.240a95214f: + * New POT for text domain 'control'. + * Translated using Weblate (Macedonian) + * New POT for text domain 'autoinst'. +