Skip to content

Update glibc #2049

Merged
merged 18 commits into from
Apr 13, 2021
Merged

Update glibc #2049

merged 18 commits into from
Apr 13, 2021

Conversation

donald
Copy link
Collaborator

@donald donald commented Mar 10, 2021

Update with:

bee update linux-headers-4.14.87-0.x86_64
bee update glibc-2.33-0.x86_64
bee update glibc-locales-2.33-0.x86_64
bee update libtirpc-1.3.1-0.x86_64
bee install libnss_nis-3.1-0.x86_64
bee install libnsl-1.3.0-0.x86_64
bee install rpcsvc-proto-1.4.2-0.x86_64
bee update autofs-5.1.7-1.x86_64
systemctl restart cron
systemctl restart cyrus-sasl.service
systemctl daemon-reexec

@donald
Copy link
Collaborator Author

donald commented Mar 10, 2021

Easy approach does not work. After update, sudo and ssh become unusable. Even when Linux-PAM is rebuild and updated with the new glibc. Problem persists after reboot.

@thomas
Copy link
Collaborator

thomas commented Mar 10, 2021 via email

@donald
Copy link
Collaborator Author

donald commented Mar 10, 2021

This is the link I mentioned today in the vc: https://abi-laboratory.pro/?view=timeline&l=glibc

@donald
Copy link
Collaborator Author

donald commented Mar 11, 2021

https://sourceware.org/git?p=glibc.git;a=blob;f=NEWS;h=aa0f10a891f8f9b4e6f0f6d25b6a307898c07d82;hb=HEAD#l367

Remove configure option --enable-obsolete-nsl. libnsl is only built as shared library for backward compatibility and the NSS modules "nis" and "nisplus" are not built at all

@donald
Copy link
Collaborator Author

donald commented Mar 12, 2021

"sudo" and "su" happy again, "sshd" not yet.

@donald
Copy link
Collaborator Author

donald commented Mar 13, 2021

sshd: This took me many hours to find, because I suspected problems in the pam/nss/nis area, but in facts it is totally unrelated.

  • sshd runs a process, which communicates to the peer, in a seccomp sandbox. The system calls, which are usable by the sandboxed process are limited to a defined set.
  • The process uses nanosleep()
  • Before glibc version 2.31 nanosleep() was implemented with the system call nanosleep. From 2.31 on, it is implemented with the system call clock_nanosleep 1
  • Because of this change in glibc, the secomp filter list of openssh needed to be updated, which was done in 2 3. These patches are included in openssh since version 8.2p1

So our openssh version 7.9p1 is to old for glibc 2.33.

@thomas
Copy link
Collaborator

thomas commented Mar 13, 2021 via email

@donald
Copy link
Collaborator Author

donald commented Mar 13, 2021

Yeah, just upgrade openssh and the problem is gone.

@thomas
Copy link
Collaborator

thomas commented Mar 13, 2021 via email

@donald donald mentioned this pull request Mar 15, 2021
@donald
Copy link
Collaborator Author

donald commented Mar 16, 2021

Update procedure:

bee update linux-headers-4.14.87-0.x86_64
bee update glibc-2.33-0.x86_64
bee update glibc-locales-2.33-0.x86_64
bee update libtirpc-1.3.1-0.x86_64
bee install libnss_nis-3.1-0.x86_64
bee install libnsl-1.3.0-0.x86_64
bee install rpcsvc-proto-1.4.2-0.x86_64
bee update autofs-5.1.7-1.x86_64
systemctl restart cron
systemctl restart cyrus-sasl.service
systemctl daemon-reexec

plus potentially anything which does dlopen (e.g. all httpd web servers)

@donald
Copy link
Collaborator Author

donald commented Mar 16, 2021

Could someone test this on a workstation ?

  • log in, start some applications ( thunderbird, r-studio :-) )
  • update glibc while still logged in (procedure in this thread)
  • see if running applications still work
  • quit and restart applications
  • log out, log in, start applications
  • log out, reboot, log in, start applications

@donald
Copy link
Collaborator Author

donald commented Mar 28, 2021

Test on workstation done.

@donald
Copy link
Collaborator Author

donald commented Apr 2, 2021

We should test whether the gdm lock screen needs a restart (becaus of pam plugins). Also test xlock (I dont think there is a problem)

@pmenzel
Copy link
Collaborator

pmenzel commented Apr 2, 2021

We should test whether the gdm lock screen needs a restart (because of pam plugins). Also test xlock (I dont think there is a problem)

GDM? lightdm is used for some time now. What lock screen do you mean?

And for locking, XScreenSaver is used to my knowledge (xlockxscreensarver-command -lock).

(I recommend slock though. ;-))

pmenzel and others added 14 commits April 2, 2021 11:31
From the [announcement][1]:

> NEWS for version 2.29
> ====================
>
> * The getcpu wrapper function has been added, which returns the
>   currently used CPU and NUMA node.  This function is Linux-specific.
>
> * A new convenience target has been added for distribution maintainers
>   to build and install all locales as directories with files.  The new
>   target is run by issuing the following command in your build tree:
>   'make localedata/install-locale-files', with an optional DESTDIR
>   to set the install root if you wish to install into a non-default
>   configured location.
>
> * Optimized generic exp, exp2, log, log2, pow, sinf, cosf, sincosf and
>   tanf.
>
> * The reallocarray function is now declared under _DEFAULT_SOURCE, not
>   just for _GNU_SOURCE, to match BSD environments.
>
> * For powercp64le ABI, Transactional Lock Elision is now enabled iff
>   kernel indicates that it will abort the transaction prior to entering
>   the kernel (PPC_FEATURE2_HTM_NOSC on hwcap2).  On older kernels the
>   transaction is suspended, and this caused some undefined side-effects
>   issues by aborting transactions manually.  Glibc avoided it by abort
>   transactions manually on each syscall, but it lead to performance
>   issues on newer kernels where the HTM state is saved and restore
>   lazily (the state being saved even when the process actually does not
>   use HTM).
>
> * The functions posix_spawn_file_actions_addchdir_np and
>   posix_spawn_file_actions_addfchdir_np have been added, enabling
>   posix_spawn and posix_spawnp to run the new process in a different
>   directory.  These functions are GNU extensions.  The function
>   posix_spawn_file_actions_addchdir_np is similar to the Solaris
>   function of the same name.
>
> * The popen and system do not run atfork handlers anymore (BZ#17490).
>   Although it is a possible POSIX violation, the POSIX rationale in
>   pthread_atfork documentation regarding atfork handlers is to handle
>   inconsistent mutex state after a fork call in a multi-threaded
>   process.
>   In both popen and system there is no direct access to user-defined
>   mutexes.
>
> * Support for the C-SKY ABIV2 running on Linux has been added.  This
>   port requires at least binutils-2.32, gcc-9.0, and linux-4.20.  Two
>   ABIs are supported:
>     - C-SKY ABIV2 soft-float little-endian
>     - C-SKY ABIV2 hard-float little-endian
>
> * strftime's default formatting of a locale's alternative year (%Ey)
>   has been changed to zero-pad the year to a minimum of two digits,
>   like "%y".  This improves the display of Japanese era years during
>   the first nine years of a new era, and is expected to be harmless
>   for all other locales (only Japanese locales regularly have
>   alternative year numbers less than 10).  Zero-padding can be
>   overridden with the '_' or '-' flags (which are GNU extensions).
>
> * As a GNU extension, the '_' and '-' flags can now be applied to
>   "%EY" to control how the year number is formatted; they have the
>   same effect that they would on "%Ey".

[…]

> Security related changes:
>
>   CVE-2018-19591: A file descriptor leak in if_nametoindex can lead to a
>   denial of service due to resource exhaustion when processing
>   getaddrinfo calls with crafted host names.  Reported by Guido Vranken.
>
>   CVE-2019-6488: On x32, the size_t parameter may be passed in the lower
>   32 bits of a 64-bit register with with non-zero upper 32 bit.  When it
>   happened, accessing the 32-bit size_t value as the full 64-bit
>   register in the assembly string/memory functions would cause a buffer
>   overflow.
>   Reported by H.J. Lu.
>
>   CVE-2016-10739: The getaddrinfo function could successfully parse IPv4
>   addresses with arbitrary trailing characters, potentially leading to
>   data or command injection issues in applications.

[1]: https://sourceware.org/ml/libc-announce/2019/msg00000.html
That is the oldest Linux kernel version, currently in MarIuX.
    --enable-stack-protector=[yes|no|all|strong]
                            Use -fstack-protector[-all|-strong] to detect glibc
                            buffer overflows
Remove debug code from mee_check.
Remove --disable-profile, because that is the default.
Remove options, which no longer exist.
This code was formerly part of glibc, but is now standalone to
be able to link against TI-RPC for IPv6 support.
This package contains rpcsvc proto.x files from glibc, which are
missing in libtirpc. Additional it contains rpcgen, which is needed
to create header files and sources from protocol files.
This package is only needed, if glibc is installed without the
deprecated sunrpc functionality and libtirpc should replace
Fix

   ./include/rpc_subs.h:19:10: fatal error: rpc/rpc.h: No such file or directory
    #include <rpc/rpc.h>
             ^~~~~~~~~~~

libtirpc provides the include files in another directory than glibc did.

Add --with-libtirpc so that pkg_config is used to pick up the right
include path:

    $ pkg-config --cflags libtirpc
    -I/usr/include/tirpc
This package contains the libnsl library. This library contains
the public client interface for NIS(YP) and NIS+.

This code was formerly part of glibc, but is now standalone to
be able to link against TI-RPC for IPv6 support.

The NIS(YP) functions are still maintained, the NIS+ part is
deprecated and should not be used anymore.
@donald
Copy link
Collaborator Author

donald commented Apr 4, 2021

GDM? lightdm is used for some time now. What lock screen do you mean?

Sorry, login screen. Yes, lightdm (user gdm, though).

And for locking, XScreenSaver is used to my knowledge (xlockxscreensarver-command -lock).

Whatever, the screen lock.

@donald
Copy link
Collaborator Author

donald commented Apr 6, 2021

Tested login screen and lock screen. No problem.

@pmenzel
Copy link
Collaborator

pmenzel commented Apr 13, 2021

What is the current status? The usability tests passed, right?

@donald donald marked this pull request as ready for review April 13, 2021 09:48
@donald
Copy link
Collaborator Author

donald commented Apr 13, 2021

Status: I think we can risk it...

Copy link
Collaborator

@pmenzel pmenzel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The bee update/install command to update all effected packages would be great.

@donald
Copy link
Collaborator Author

donald commented Apr 13, 2021

Above, #2049 (comment) , still valid.
In theory we need to restart the Apache http daemon after the installation, but I couldn't even reproduce the problem with a test Apache server on theinternet even when killing workers....

@donald donald merged commit 531d6c0 into master Apr 13, 2021
Sign in to join this conversation on GitHub.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants