glibc: 2.37-39 -> 2.38-23

nixos/doc/manual/release-notes/rl-2311.section.md

@@ -24,6 +24,8 @@
   - `root` and `wheel` are not given the ability to set (or preserve)
     arbitrary environment variables.
 
+- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed.
+
 [`sudo-rs`]: https://github.com/memorysafety/sudo-rs/
 
 ## New Services {#sec-release-23.11-new-services}

pkgs/applications/audio/mamba/default.nix

@@ -37,5 +37,8 @@ stdenv.mkDerivation rec {
     license = licenses.bsd0;
     maintainers = with maintainers; [ magnetophon orivej ];
     platforms = platforms.linux;
+    # 2023-08-19, `-Werror=format-security` fails for xputty
+    # reported as https://github.com/brummer10/libxputty/issues/12
+    broken = true;
   };
 }

pkgs/applications/radio/direwolf/default.nix

@@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
     sha256 = "0xmz64m02knbrpasfij4rrq53ksxna5idxwgabcw4n2b1ig7pyx5";
   };
 
+  patches = [ ./fix-strlcpy-usage.patch ];
+
   nativeBuildInputs = [ cmake ];
 
   strictDeps = true;

pkgs/applications/radio/direwolf/fix-strlcpy-usage.patch

@@ -0,0 +1,89 @@
+strlcpy is now part of glibc, so there's absolutely no reason for a custom implementation, especially
+one with printf debugging. Hence, removing all of that.
+
+See also https://hydra.nixos.org/build/230546596
+See glibc commit 454a20c8756c9c1d55419153255fc7692b3d2199
+
+diff --git a/external/misc/strlcpy.c b/external/misc/strlcpy.c
+index ff18800..b1cb443 100644
+--- a/external/misc/strlcpy.c
++++ b/external/misc/strlcpy.c
+@@ -56,65 +56,3 @@
+
+ #include "textcolor.h"
+
+-/*
+- * Copy src to string dst of size siz.  At most siz-1 characters
+- * will be copied.  Always NUL terminates (unless siz == 0).
+- * Returns strlen(src); if retval >= siz, truncation occurred.
+- */
+-
+-#if DEBUG_STRL
+-size_t strlcpy_debug(char *__restrict__ dst, const char *__restrict__ src, size_t siz, const char *file, const char *func, int line)
+-#else
+-size_t strlcpy_debug(char *__restrict__ dst, const char *__restrict__ src, size_t siz)
+-#endif
+-{
+-	char *d = dst;
+-	const char *s = src;
+-	size_t n = siz;
+-	size_t retval;
+-
+-#if DEBUG_STRL
+-	if (dst == NULL) {
+-		text_color_set (DW_COLOR_ERROR);
+-		dw_printf ("ERROR: strlcpy dst is NULL.  (%s %s %d)\n", file, func, line);
+-		return (0);
+-	}
+-	if (src == NULL) {
+-		text_color_set (DW_COLOR_ERROR);
+-		dw_printf ("ERROR: strlcpy src is NULL.  (%s %s %d)\n", file, func, line);
+-		return (0);
+-	}
+-	if (siz == 1 || siz == 4) {
+-		text_color_set (DW_COLOR_ERROR);
+-		dw_printf ("Suspicious strlcpy siz.  Is it using sizeof a pointer variable?  (%s %s %d)\n", file, func, line);
+-	}
+-#endif
+-
+-	/* Copy as many bytes as will fit */
+-	if (n != 0 && --n != 0) {
+-		do {
+-			if ((*d++ = *s++) == 0)
+-				break;
+-		} while (--n != 0);
+-	}
+-
+-	/* Not enough room in dst, add NUL and traverse rest of src */
+-	if (n == 0) {
+-		if (siz != 0)
+-			*d = '\0';		/* NUL-terminate dst */
+-		while (*s++)
+-			;
+-	}
+-
+-	retval = s - src - 1;	/* count does not include NUL */
+-
+-#if DEBUG_STRL
+-	if (retval >= siz) {
+-		text_color_set (DW_COLOR_ERROR);
+-		dw_printf ("WARNING: strlcpy result length %d exceeds maximum length %d.  (%s %s %d)\n",
+-				(int)retval, (int)(siz-1), file, func, line);
+-	}
+-#endif
+-	return (retval);
+-}
+-
+diff --git a/src/direwolf.h b/src/direwolf.h
+index efc329b..22eb748 100644
+--- a/src/direwolf.h
++++ b/src/direwolf.h
+@@ -294,7 +294,7 @@ char *strcasestr(const char *S, const char *FIND);
+ #define HAVE_STRLCPY 1
+
+
+-#define DEBUG_STRL 1
++#define DEBUG_STRL 0
+
+ #if DEBUG_STRL
+

pkgs/applications/science/misc/root/default.nix

@@ -2,6 +2,7 @@
 , lib
 , callPackage
 , fetchurl
+, fetchpatch
 , makeWrapper
 , cmake
 , coreutils
@@ -109,6 +110,18 @@ stdenv.mkDerivation rec {
 
   patches = [
     ./sw_vers.patch
+    # glibc >=2.38 already has strlcat implemented.
+    # merged upstream, remove on next package bump.
+    (fetchpatch {
+      url = "https://github.com/root-project/root/commit/8fb0e35446ed67c9d56639b4708c8f05459b7f84.patch";
+      hash = "sha256-7EabmYanqlQsYSQsi+S9eWs1v1pY6MncopL420Y3D4w=";
+    })
+  ] ++ lib.optionals (python.pkgs.pythonAtLeast "3.11") [
+    # Fix build against Python 3.11
+    (fetchpatch {
+      url = "https://github.com/root-project/root/commit/484deb056dacf768aba4954073b41105c431bffc.patch";
+      hash = "sha256-4qur2e3SxMIPgOg4IjlvuULR2BObuP7xdvs+LmNT2/s=";
+    })
   ];
 
   preConfigure = ''

pkgs/applications/virtualization/kvmtool/default.nix

@@ -10,6 +10,8 @@ stdenv.mkDerivation {
     sha256 = "sha256-wpc5DfHnui0lBVH4uOq6a7pXVUZStjNLRvauu6QpRvE=";
   };
 
+  patches = [ ./strlcpy-glibc-2.38-fix.patch ];
+
   buildInputs = lib.optionals stdenv.hostPlatform.isAarch64 [ dtc ];
 
   enableParallelBuilding = true;

pkgs/applications/virtualization/kvmtool/strlcpy-glibc-2.38-fix.patch

@@ -0,0 +1,25 @@
+Manually tell the compiler that strlcpy exists. The `try-build` function seems
+somewhat broken, i.e. any code that I try to pass to it doesn't link because of an
+"undefined reference to main" error (and some more quoting issues with newlines being
+swalloed).
+
+Because both musl and glibc seemt o support strlcpy nowadays, I decided to just skip the
+possibly broken feature-check and hardcode that it exists.
+
+diff --git a/Makefile b/Makefile
+index ed2414b..37be9cd 100644
+--- a/Makefile
++++ b/Makefile
+@@ -239,10 +239,8 @@ endif
+ # On a given system, some libs may link statically, some may not; so, check
+ # both and only build those that link!
+
+-ifeq ($(call try-build,$(SOURCE_STRLCPY),$(CFLAGS),$(LDFLAGS)),y)
+-	CFLAGS_DYNOPT	+= -DHAVE_STRLCPY
+-	CFLAGS_STATOPT	+= -DHAVE_STRLCPY
+-endif
++CFLAGS_DYNOPT	+= -DHAVE_STRLCPY
++CFLAGS_STATOPT	+= -DHAVE_STRLCPY
+
+ ifeq ($(call try-build,$(SOURCE_BFD),$(CFLAGS),$(LDFLAGS) -lbfd -static),y)
+ 	CFLAGS_STATOPT	+= -DCONFIG_HAS_BFD

pkgs/development/compilers/swift/foundation/default.nix

@@ -5,6 +5,7 @@
 
 { lib
 , stdenv
+, fetchpatch
 , callPackage
 , cmake
 , ninja
@@ -23,6 +24,15 @@ in stdenv.mkDerivation {
   inherit (sources) version;
   src = sources.swift-corelibs-foundation;
 
+  patches = [
+    # from https://github.com/apple/swift-corelibs-foundation/pull/4811
+    # fix build with glibc >=2.38
+    (fetchpatch {
+      url = "https://github.com/apple/swift-corelibs-foundation/commit/47260803a108c6e0d639adcebeed3ac6a76e8bcd.patch";
+      hash = "sha256-1JUSQW86IHKkBZqxvpk0P8zcSKntzOTNlMoGBfgeT4c=";
+    })
+  ];
+
   outputs = [ "out" "dev" ];
 
   nativeBuildInputs = [ cmake ninja swift ];

pkgs/development/libraries/glibc/common.nix

@@ -43,9 +43,9 @@
 } @ args:
 
 let
-  version = "2.37";
-  patchSuffix = "-39";
-  sha256 = "sha256-Ilfv8RGhgV109GhW2q9AsBnB5VMVbGnUi6DL/Bu5GkM=";
+  version = "2.38";
+  patchSuffix = "-23";
+  sha256 = "sha256-+4KZiZiyspllRnvBtp0VLpwwfSzzAcnq+0VVt3DvP9I=";
 in
 
 assert withLinuxHeaders -> linuxHeaders != null;
@@ -59,14 +59,14 @@ stdenv.mkDerivation ({
   patches =
     [
       /* No tarballs for stable upstream branch, only https://sourceware.org/git/glibc.git and using git would complicate bootstrapping.
-          $ git fetch --all -p && git checkout origin/release/2.37/master && git describe
-          glibc-2.37-39-g6529a7466c
-          $ git show --minimal --reverse glibc-2.37.. | gzip -9n --rsyncable - > 2.37-master.patch.gz
+          $ git fetch --all -p && git checkout origin/release/2.38/master && git describe
+          glibc-2.38-23-g0e1ef6779a
+          $ git show --minimal --reverse glibc-2.38.. | gzip -9n --rsyncable - > 2.38-master.patch.gz
 
          To compare the archive contents zdiff can be used.
-          $ zdiff -u 2.37-master.patch.gz ../nixpkgs/pkgs/development/libraries/glibc/2.37-master.patch.gz
+          $ zdiff -u 2.38-master.patch.gz ../nixpkgs/pkgs/development/libraries/glibc/2.38-master.patch.gz
        */
-      ./2.37-master.patch.gz
+      ./2.38-master.patch.gz
 
       /* Allow NixOS and Nix to handle the locale-archive. */
       ./nix-locale-archive.patch
@@ -89,10 +89,11 @@ stdenv.mkDerivation ({
 
       ./0001-Revert-Remove-all-usage-of-BASH-or-BASH-in-installed.patch
 
-      /* Patch derived from archlinux (at the time of adding they're at 2.37),
-         https://github.com/archlinux/svntogit-packages/blob/packages/glibc/trunk/reenable_DT_HASH.patch
+      /* Patch derived from archlinux,
+         https://gitlab.archlinux.org/archlinux/packaging/packages/glibc/-/blob/e54d98e2d1aae4930ecad9404ef12234922d9dfd/reenable_DT_HASH.patch
 
-        See https://github.com/NixOS/nixpkgs/pull/188492#issuecomment-1233802991 for context.
+         See also https://github.com/ValveSoftware/Proton/issues/6051
+         & https://github.com/NixOS/nixpkgs/pull/188492#issuecomment-1233802991
       */
       ./reenable_DT_HASH.patch
     ]
@@ -135,6 +136,7 @@ stdenv.mkDerivation ({
       "--enable-bind-now"
       (lib.withFeatureAs withLinuxHeaders "headers" "${linuxHeaders}/include")
       (lib.enableFeature profilingLibraries "profile")
+      "--enable-fortify-source"
     ] ++ lib.optionals (stdenv.hostPlatform.isx86 || stdenv.hostPlatform.isAarch64) [
       # This feature is currently supported on
       # i386, x86_64 and x32 with binutils 2.29 or later,
@@ -159,7 +161,7 @@ stdenv.mkDerivation ({
       "libc_cv_as_needed=no"
     ]
     ++ lib.optional withGd "--with-gd"
-    ++ lib.optional (!withLibcrypt) "--disable-crypt";
+    ++ lib.optional withLibcrypt "--enable-crypt";
 
   makeFlags = (args.makeFlags or []) ++ [
     "OBJCOPY=${stdenv.cc.targetPrefix}objcopy"