From b84c638edf3f9826b95421faf6ebd296ad538e3e Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 1 Jan 2024 07:10:36 +0000 Subject: [PATCH 1/3] app-misc/jq: Sync with Gentoo It's from Gentoo commit c0a1468912f1e9a489b057cf6433d9c95c655aa3. --- .../portage-stable/app-misc/jq/Manifest | 1 + .../app-misc/jq/jq-1.7.1.ebuild | 84 +++++++++++++++++++ 2 files changed, 85 insertions(+) create mode 100644 sdk_container/src/third_party/portage-stable/app-misc/jq/jq-1.7.1.ebuild
diff --git a/sdk_container/src/third_party/portage-stable/app-misc/jq/Manifest b/sdk_container/src/third_party/portage-stable/app-misc/jq/Manifest
index 71d260f19bc..84749239736 100644
--- a/sdk_container/src/third_party/portage-stable/app-misc/jq/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-misc/jq/Manifest
@@ -1 +1,2 @@
+DIST jq-1.7.1.gh.tar.gz 1323338 BLAKE2B 17e3b68e23f9a7f1aa8749ede6c0b8fe435990899886f0c96da36d130c17d13609ba7f910321316f0c3b35985360f8cb5e6a3b12caea5e9bc7792e128798f137 SHA512 af9c444e5306423182f467a53acdf45bb8aefa058a47f490ce16395f0aebfb7627e3843f65e96f41cd9d4b72b8ad274ab0bdb061abc6990b1158f86d2256d4ec
 DIST jq-1.7.gh.tar.gz 1267139 BLAKE2B b6a54f9beaabd7915d7a8f14cda9621573f1796af53fe1645561a7a199787a7e9b2b2df038208f23e63f339dec567851b70696ffb8194986250527333d36d44e SHA512 01676319fe98d5ab1e278430b2c58ec594191cc9485a20312d658c0e199ac7ea5f5e934817ce98da0864ec7e0a018aae9b87525260e8ab6a7bde918db483bd84
diff --git a/sdk_container/src/third_party/portage-stable/app-misc/jq/jq-1.7.1.ebuild b/sdk_container/src/third_party/portage-stable/app-misc/jq/jq-1.7.1.ebuild
new file mode 100644
index 00000000000..99985e23fcb
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-misc/jq/jq-1.7.1.ebuild
@@ -0,0 +1,84 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools
+
+MY_PV="${PV/_/}"
+MY_P="${PN}-${MY_PV}"
+DESCRIPTION="A lightweight and flexible command-line JSON processor"
+HOMEPAGE="https://stedolan.github.io/jq/"
+SRC_URI="https://github.com/jqlang/jq/archive/refs/tags/${MY_P}.tar.gz -> ${P}.gh.tar.gz"
+S="${WORKDIR}/${PN}-${MY_P}"
+
+LICENSE="MIT CC-BY-3.0"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~loong ~ppc ~ppc64 ~riscv ~sparc ~x86 ~amd64-linux ~arm64-macos ~x64-macos ~x64-solaris"
+IUSE="+oniguruma static-libs test"
+
+ONIGURUMA_MINPV='>=dev-libs/oniguruma-6.9.3' # Keep this in sync with bundled modules/oniguruma/
+DEPEND="
+ >=sys-devel/bison-3.0
+ sys-devel/flex
+ oniguruma? ( ${ONIGURUMA_MINPV}:=[static-libs?] )
+"
+RDEPEND="
+ !static-libs? (
+ oniguruma? ( ${ONIGURUMA_MINPV}[static-libs?] )
+ )
+"
+PATCHES=(
+ "${FILESDIR}"/jq-1.6-r3-never-bundle-oniguruma.patch
+ "${FILESDIR}"/jq-1.7-runpath.patch
+)
+
+RESTRICT="!test? ( test )"
+REQUIRED_USE="test? ( oniguruma )"
+
+src_prepare() {
+ sed -e '/^dist_doc_DATA/d; s:-Wextra ::' -i Makefile.am || die
+ printf "#!/bin/sh\\nprintf '%s'\\n\n" "${MY_PV}" > scripts/version || die
+
+ # jq-1.6-r3-never-bundle-oniguruma makes sure we build with the system oniguruma,
+ # but the bundled copy of oniguruma still gets eautoreconf'd since it
+ # exists; save the cycles by nuking it.
+ sed -e '/modules\/oniguruma/d' -i Makefile.am || die
+ rm -rf "${S}"/modules/oniguruma || die
+
+ default
+
+ sed -i "s/\[jq_version\]/[${MY_PV}]/" configure.ac || die
+
+ eautoreconf
+}
+
+src_configure() {
+ local econfargs=(
+ # don't try to rebuild docs
+ --disable-docs
+ --disable-valgrind
+ --disable-maintainer-mode
+ --enable-rpathhack
+ $(use_enable static-libs static)
+ $(use_with oniguruma oniguruma yes)
+ )
+ econf "${econfargs[@]}"
+}
+
+src_test() {
+ if ! 
LD_LIBRARY_PATH="${S}/.libs" nonfatal emake check; then + if [[ -r "${S}/test-suite.log" ]]; then + eerror "Tests failed, outputting testsuite log" + cat "${S}/test-suite.log" + fi + die "Tests failed" + fi +} + +src_install() { + local DOCS=( AUTHORS NEWS.md README.md SECURITY.md ) + default + + use static-libs || { find "${D}" -name '*.la' -delete || die; } +} From ec0f0435fa4d3dd8756c4f362e92eb42ee14f2c6 Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Fri, 5 Jan 2024 12:17:30 +0100 Subject: [PATCH 2/3] overlay profiles: accept keywords of app-misc/jq 1.7.1 We need to accept keywords for both arches to address CVE-2023-50246, CVE-2023-50268. --- .../profiles/coreos/base/package.accept_keywords | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 51ab420c0b7..046c4ec86cf 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -31,6 +31,9 @@ # Keep versions on both arches in sync. =app-misc/pax-utils-1.3.7 ~amd64 +# Needed for addressing CVE-2023-50246, CVE-2023-50268 +=app-misc/jq-1.7.1 ~amd64 ~arm64 + # Required for addressing CVE-2022-3715. =app-shells/bash-5.2_p15-r7 ~amd64 ~arm64 From b231722fc97bd7b0d9fcd85513b021940fdfe249 Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Fri, 5 Jan 2024 12:21:28 +0100 Subject: [PATCH 3/3] changelog: add changelog for jq 1.7.1 As the issues affect only jq 1.7, included only in unreleased Flatcar, security changelog is not needed. --- changelog/updates/2024-01-05-jq-1.7.1.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog/updates/2024-01-05-jq-1.7.1.md 
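Review bot: The added `=app-misc/jq-1.7.1 ~amd64 ~arm64` line in package.accept_keywords pins one exact version, and its comment names the CVEs but not the condition under which the entry can be removed or must be updated. An exact `=` atom would not match a later revision such as a `-r1` of the same ebuild, and patch 1/3 leaves the `jq-1.7.gh.tar.gz` Manifest line in place, so the 1.7 ebuild presumably remains available as a fallback; whether the resolver could actually select it depends on keywords not visible here. I would extend the comment to `# Needed for addressing CVE-2023-50246, CVE-2023-50268. Update this atom together with the portage-stable ebuild; drop it once 1.7.1 or later is stable on both arches.` The file continues outside the hunk on both sides.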
diff --git a/changelog/updates/2024-01-05-jq-1.7.1.md b/changelog/updates/2024-01-05-jq-1.7.1.md
new file mode 100644
index 00000000000..886fcf05194
--- /dev/null
+++ b/changelog/updates/2024-01-05-jq-1.7.1.md
@@ -0,0 +1 @@
+- jq ([1.7.1](https://github.com/jqlang/jq/releases/tag/jq-1.7.1))