Hardened Lunar-Linux Patches and their Descriptions

From Lunar Linux
Jump to: navigation, search

Contents

gcc 4.1.2

posix-1.patch - Makes GCC Posix Compliant

binutils 2.17

branch_update-1.patch - This is the binutils-2_17-branch (bug fix branch) update, compared from binutils-2.17-release and binutils-2_17-branch with all the fluff removed (CVS entries, maintainer files, etc). This patch should be updated periodically.
hardened_tmp-3.patch - This patch uses mkstemp(3) and mkdtemp(3) for temporary file creation, if they are available, rather than the default mktemp(3). This is safer and removes some compiler warnings.
lazy-1.patch - This adds -z lazy option, inverse of -z now.
pt_pax-1.patch - This adds PT_PAX_FLAGS to Binutils. See: http://pax.grsecurity.net/
posix-1.patch - Makes binutils Posix Compliant

coreutils 6.7

i18n-1.patch - This patch fixes various problems with multibyte character support.
uname-1.patch - Fix the output of uname once and for all.

glibc 2.5

blowfish.patch - This patch adds blowfish crypto to libcrypt.
branch_update-2.patch - This is a branch update for Glibc-2.5, and should be rechecked periodically. See the "Changelog" and "localedata/ChangeLog" files for specific details.
dl_execstack_PaX-1.patch - This is needed for Pax. http://pax.grsecurity.net/
hardened_tmp-1.patch - This patch instructs mktemp(1) to use temporary file directory from the '-t' option. It also makes sure temporary files get removed after exiting the scripts.
iconv_unnest-1.patch - Move nested function to a static one so we avoid generating a trampoline.
localedef_segfault-1.patch - Fixes Segfault when using localdef. This problem is only noticed when using PaX and some architectures besides x86. See debian bug # 231438
pt_pax-1.patch - This is needed for Pax. http://pax.grsecurity.net/
strlcpy_strlcat-1.patch - http://www.courtesan.com/todd/papers/strlcpy.html

Berkeley DB 4.5.20

fixes-1.patch - Fixes a couple of issues when trying to access databases through the Java API.

procps 3.2.7

hardened_cflags-2.patch - Check for gcc -fpie, -fpic, -fstack-protector, and ld -pie, -z relro, -z now. Use whatever works.

perl 5.8.8

regex_ssp-1.patch - The regex code in this version of Perl segfaults when compiled with stack smashing protector. This patch disables stack smashing protector just on the affected files.
libc-2.patch - this patch adapts some hard-wired paths to the C library. It uses the $prefix variable to locate the correct libc.
fPIC-1.patch - Fixes a test that checks to see which paramater needs to be used for -fPIC and forces the objects in DynaLoader to be built with -fPIC.

readline 5.2

readline52-001 - Patch 001 from upstream: In some cases, code that is intended to be used in the presence of multibyte characters is called when no such characters are present, leading to incorrect display position calculations and incorrect redisplay.

zlib 1.2.3

fPIC-1.patch - 1.) Build shared and static lib in one pass 2.) Always add -fPIC when building shared lib, don't expect the user to set it.

file 4.20

reg_startend-1.patch - Fixes a bug caused by an undefined constant

groff 1.19.2

parallel_make-1.patch - This patch fixes the dependencies in the groff Makefile so parallel builds are possible.

less 394

signal_fix-1.patch - This patch fixes a bug with the configure script so that 'sigset_t', and 'sigprocmask', are detected and used.

module-init-tools 3.2.2

modprobe-1.patch - Updates modprobe functionality to fix problem where aliases don't quite work properly
nostatic-1.patch - This patch removes the use of zlib.a, and removes insmod.static.

shadow 4.0.18.1

owl_blowfish-1.patch - Use this patch with the Glibc blowfish patch (also from openwall).

sysvinit 2.86

owl_blowfish.patch - Use this patch with the Glibc blowfish patch (also from openwall).

bash 3.2

fixes-2.patch - A combined patch containing patches 001-009 from upstream.

diffutils 2.8.7

hardened_tmp-1.patch - This patch removes the more portable and less safe use of tmpname(3), in preference of mkstemp(3).
i18n-1.patch - Fixes treatment of whitespace in multibyte locales.

grep 2.5.1a

config_update-1.patch - Updates config.sub and config.guess
redhat_fixes-2.patch -
Various fixes from RedHat.
Individual patches:
 grep-2.5.1-fgrep.patch,
 grep-2.5.1-bracket.patch,
 grep-2.5-i18n.patch,
 grep-2.5.1-oi.patch,
 grep-2.5.1-manpage.patch,
 grep-2.5.1-color.patch,
 grep-2.5.1-icolor.patch,
 grep-2.5.1-egf-speedup.patch,
 grep-2.5.1-dfa-optional.patch,
 grep-2.5.1-tests.patch,
 grep-2.5.1-w.patch

sed 4.1.5

fixes-1.patch - This patch includes:
Redhat/Fedora - sed-4.1.5-bz185374.patch
Redhat/Fedora - sed-4.1.5-relsymlink.patch
OpenWall/Owl - sed-4.1.5-owl-warnings.diff
Gentoo - sed-4.1.5-alloca.patch

And a handfull of additional compiler warning fixes, including the addition of --enable-gcc-warnings (-Werror -Wall -Wformat -Wformat-security). Wrap fchown in assert() to deal with gcc -D_FORTIFY_SOURCE warnings (only if _FORTIFY_SOURCE is defined).

Added strlcpy(), and assert(), code if the system does not have them. This had to be put into one big patch mainly because of strlcpy().

texinfo 4.8a

multibyte-1.patch - Info assumes that a string width in character cells is the same as its length in bytes. This patch avoids cases when this assumption is not true.
tempfile_fix-1.patch - (CAN-2005-3011) texindex in texinfo 4.8 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files.

util-linux 2.12r

PIC-1.patch - This is needed for Grsec. http://www..grsecurity.net/ Util linux doesn't build with position independence without this patch.
gcc4_fixes-1.patch - Fixes GCC4 Compile Issues
hardened_cflags-1.patch - Check for gcc -fpie, -fpic, -fstack-protector, and ld -pie, -z relro, -z now. Use whatever works.
loop_AES-3.1b.patch.gz - util-linux patch that adds support for AES and other ciphers (from eswap.txt).
mips64_fix-1.patch - Fixes compile issue under MIPS 64 bit
missing_header-1.patch - Fixes the missing delcaration of R_OK in swapon.c build
nologin-1.patch - This patch adds /sbin/nologin and 'man 8 nologin', for polite

login refusal. nologin will try to read /etc/nologin.txt to use it for a message, if /etc/nologin.txt does not exist it will use a hardcoded message. If you do not want nologin to try to read /etc/nologin.txt at all then use:

make NOLOGIN_TXT=no

vim 7.0

fixes-15.patch - Contains patches 001-206 from upstream excluding patches 005, 027, 028, 032, 045, 057, 065, 074, 108, 130, 132, 138, 156, 161, 170, 171, 180, 197, and 198 as they are for "extras" (e.g. Mac, Windows) only.
fortify_warnings-1.patch - This patch fixes warnings caused by -D_FORTIFY_SOURCE=2.
hardened_tmp-2.patch - This patch modifies Vim for paranoid temporary file creation.
mandir-1.patch - Adjusts installation of manual pages to meet Man-DB expectations. Additional change to explicitly install the man pages into /usr/share/man instead of /usr/man by Ag Hatzim.
spellfile-1.patch - Allows downloading spellfiles via HTTP, thus reverting the negative effect of ftp://ftp.vim.org/pub/vim/patches/7.0/7.0.010

autofs 4.1.4

consolidated-1.patch - A consolidation of nine upstram packages. ========= This patch provides a configure option to disable the use of a lock file when calling mount from autofs. It also adds a patch to the "patches" directory that needs to be used for mount to (hopefully) prevent /etc/mtab corruption when rapidly mounting filesystems when autofs does not use locking.

bin86 0.16.17

x86_64-1.patch - Allows bin86 to compile on x86_64, which permits lilo to be used in a 64-bit system. I'm dubious about ROCK's attempts to automatically add dual-licensing to all their patches, but bin86 is already GPL'd. I've heard from the maintainer that this will be included in the next upload.

xmms 1.2.10

gcc4-1.patch - Fixes build issue when using GCC-4

xinetd 2.3.14

config_update-1.patch - Updates config.sub and config.guess

vorbis-tools 1.1.1

utf8-1.patch - Vorbiscomment doesn't handle utf-8 characters correctly. https://trac.xiph.org/ticket/685

unzip 5.52

PIC-2.patch - This patch compiles unzip with -fPIE, and disables assembly so that unzip and libunzip do not have TEXT RELOCATION's. Needed for HLFS. This patch also makes unzip use a non-executable stack, needed with Grsecurity kernels.
dont_make_noise-1.patch - When unzipping files, the unzip stub prints out lot of "useful" info messages. These messages can cause applications such as Midnight Commander to display strange behavior. This patch is useful for users linking unzip to the system zlib (i.e. installed as per the BLFS guidelines).
fix_libz-1.patch - Fixes compilation against system zlib.
security_fix-1.patch - Fixes CVE-2005-2475 and CVE-2005-4667
Personal tools
Namespaces
Variants
Actions
Wiki Navigation
Project Sites
Toolbox