Merge pull request #3295 from flatcar/buildbot/weekly-portage-stable-package-updates-2025-09-22

Weekly portage-stable package updates 2025-09-22

Author: krnowak

changelog/security/2025-09-24-weekly-updates.md

@@ -0,0 +1,3 @@
+- binutils ([CVE-2025-5244](https://www.cve.org/CVERecord?id=CVE-2025-5244), [CVE-2025-5245](https://www.cve.org/CVERecord?id=CVE-2025-5245) [CVE-2025-8225](https://www.cve.org/CVERecord?id=CVE-2025-8225))
+- curl ([CVE-2025-9086](https://www.cve.org/CVERecord?id=CVE-2025-9086), [CVE-2025-10148](https://www.cve.org/CVERecord?id=CVE-2025-10148))
+- go ([CVE-2025-47910](https://www.cve.org/CVERecord?id=CVE-2025-47910))

changelog/updates/2025-09-24-weekly-updates.md

@@ -0,0 +1,21 @@
+- SDK: go ([1.24.7](https://go.dev/doc/devel/release#go1.24.minor))
+- SDK: pkgcheck ([0.10.37](https://github.com/pkgcore/pkgcheck/releases/tag/v0.10.37))
+- SDK: rust ([1.89.0](https://blog.rust-lang.org/2025/08/07/Rust-1.89.0/))
+- base, dev: bash ([5.3_p3](https://lists.gnu.org/archive/html/bug-bash/2025-07/msg00005.html))
+- base, dev: btrfs-progs ([6.16](https://github.com/kdave/btrfs-progs/releases/tag/v6.16))
+- base, dev: cryptsetup ([2.8.1](https://gitlab.com/cryptsetup/cryptsetup/-/raw/v2.8.1/docs/v2.8.1-ReleaseNotes))
+- base, dev: curl ([8.16.0](https://curl.se/ch/8.16.0.html))
+- base, dev: expat ([2.7.2](https://github.com/libexpat/libexpat/blob/R_2_7_2/expat/Changes))
+- base, dev: gcc ([14.3.1_p20250801](https://gcc.gnu.org/pipermail/gcc/2025-May/246078.html))
+- base, dev: hwdata ([0.398](https://github.com/vcrhonek/hwdata/releases/tag/v0.398))
+- base, dev: readline ([8.3_p1](https://lists.gnu.org/archive/html/bug-bash/2025-07/msg00005.html))
+- base, dev: samba ([4.22.3](https://www.samba.org/samba/history/samba-4.22.3.html) (includes [4.22.2](https://www.samba.org/samba/history/samba-4.22.2.html), [4.22.1](https://www.samba.org/samba/history/samba-4.22.1.html), [4.22.0](https://www.samba.org/samba/history/samba-4.22.0.html), [4.21.0](https://www.samba.org/samba/history/samba-4.21.0.html)))
+- base, dev: talloc ([2.4.3](https://gitlab.com/samba-team/samba/-/commit/77229f73c20af69ab0f3c96efbb229ff64a9dfe4))
+- base, dev: tdb ([1.4.13](https://gitlab.com/samba-team/samba/-/commit/70a8c7a89a6d62d2ff172d79b5f4e6439300b88d))
+- base, dev: tevent ([0.16.2](https://gitlab.com/samba-team/samba/-/commit/8d398acbbb7fdc0ff50fe6ba80433deaf92515c6))
+- dev: binutils ([2.45](https://lists.gnu.org/archive/html/info-gnu/2025-07/msg00009.html))
+- sysext-incus, sysext-podman, vmware: fuse ([3.17.4](https://github.com/libfuse/libfuse/releases/tag/fuse-3.17.4))
+- sysext-nvidia-drivers-570, sysext-nvidia-drivers-570-open: nvidia-drivers (570.190)
+- sysext-python: jaraco-functools ([4.3.0](https://raw.githubusercontent.com/jaraco/jaraco.functools/refs/tags/v4.3.0/NEWS.rst))
+- sysext-python: markdown-it-py ([4.0.0](https://github.com/executablebooks/markdown-it-py/releases/tag/v4.0.0))
+- sysext-python: requests ([2.32.5](https://github.com/psf/requests/releases/tag/v2.32.5))

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords

@@ -50,11 +50,17 @@ dev-cpp/azure-identity
 dev-cpp/azure-security-keyvault-certificates
 dev-cpp/azure-security-keyvault-keys
 
+# CVE-2025-47910
+=dev-lang/go-1.24.7 ~amd64 ~arm64
+
 # Keep versions on both arches in sync.
 =dev-lang/yasm-1.3.0-r1 ~arm64
 =dev-libs/cowsql-1.15.9 ~arm64
 =dev-libs/ding-libs-0.6.2-r1 ~arm64
 
+# CVE-2025-59375
+=dev-libs/expat-2.7.2 ~amd64 ~arm64
+
 # CVE-2025-7039
 =dev-libs/glib-2.84.4 ~amd64 ~arm64
 
@@ -90,11 +96,17 @@ dev-cpp/azure-security-keyvault-keys
 =net-libs/libnetfilter_cthelper-1.0.1-r1 ~arm64
 =net-libs/libnetfilter_cttimeout-1.0.1 ~arm64
 
+# CVE-2025-9086, CVE-2025-10148
+=net-misc/curl-8.16.0-r1 ~amd64 ~arm64
+
 # Packages are in Gentoo but not expected to be used outside Flatcar, so they
 # are generally never stabilised. Thus an unusual form is used to pick up the
 # latest version of the package with the unstable keywords.
 sys-apps/azure-vm-utils
 
+# Bump systemd v257 from SDK to base.
+=sys-apps/systemd-257.7 ~amd64 ~arm64
+
 # Keep versions on both arches in sync.
 =sys-apps/zram-generator-1.2.1 ~arm64
 =sys-auth/sssd-2.9.7 ~arm64
@@ -104,7 +116,6 @@ sys-apps/azure-vm-utils
 =sys-cluster/ipvsadm-1.31-r1 ~arm64
 
 # Keep versions on both arches in sync.
+=sys-devel/binutils-2.45-r1 ~arm64
 =sys-fs/lxcfs-6.0.4 ~arm64
-
-# Bump systemd v257 from SDK to base.
-=sys-apps/systemd-257.7 ~amd64 ~arm64
+=sys-libs/binutils-libs-2.45-r1 ~arm64

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.mask

@@ -10,13 +10,6 @@ sys-boot/syslinux perl
 # not needed, problems building with GCC 7.3.0
 sys-libs/ncurses cxx
 
-# app-editors/nano with `USE=unicode` results in build failures in SDK
-# stage1, because ncurses >= 6.2_p20210619 which does not have the USE
-# flag at all.
-# To fix that, exclude the unicode USE flag from packages.use.force list,
-# which is defined in portage-stable.
-app-editors/nano unicode
-
 # Pulls dev-python/sphinx, which in turn pulls a lot of other python stuff.
 sys-fs/btrfs-progs man
 

sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.8.1-r1.ebuild

@@ -68,9 +68,7 @@ src_prepare() {
 src_configure() {
 	use static-libs && lto-guarantee-fat
 
-	if tc-ld-is-lld ; then
-		export LDFLAGS="${LDFLAGS} -Wl,--undefined-version"
-	fi
+	append-ldflags $(test-flags-CCLD -Wl,--undefined-version)
 
 	multilib-minimal_src_configure
 }

sdk_container/src/third_party/portage-stable/app-crypt/p11-kit/Manifest

@@ -1,2 +1,3 @@
 DIST p11-kit-0.25.5.tar.xz 1002056 BLAKE2B 96d6a9c2807586abafae4da4df89f566672733963997d6a83e00aaf83a7a0c0e2995638f505e98fb87a90c60bde28814f1e8b7d5071bf0af96bb0467105a1ddc SHA512 177ec6ff5eb891901078306dce2bf3f5c1a0e5c2a8c493bdf5a08ae1ff1240fdf6952961e973c373f80ac3d1d5a9927e07f4da49e4ff92269d992e744889fc94
 DIST p11-kit-0.25.8.tar.xz 1060504 BLAKE2B d351b7b015920d7ecf1b9d3b4f1f3fc62c7ef46c1dc9ed3475b9ac7f5dbf5a47b2d2a19049e7eef81e35d0f993a860ee5df1864f0341596dca143140ae14e5c4 SHA512 4a3852459a4a5e4ea71eea5d23ef74deeb51c66b28d095be30a263f10d1f47853341f8628eb0c43c88247503059a4c1f67017965a70cd3c7df31d86e458a8162
+DIST p11-kit-0.25.9.tar.xz 530960 BLAKE2B d9895b1479179b39c9b50878deefc40afbd29a291814e62e345b6758c4fde8023383b2708701ab1f684e7874a8657a5a988ed453d10802f5b3b51267d7a689ab SHA512 8232839f398e058325bc6f3666fcec293a85ed8d655bdf285ee267db4dd71bbdb8c5ab7b225bb6524a2536e4c1b00ac6ceeaf9053638da691a04882fb9b73c42

sdk_container/src/third_party/portage-stable/app-crypt/p11-kit/p11-kit-0.25.9.ebuild

@@ -0,0 +1,76 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{11..14} )
+inherit shell-completion meson-multilib python-any-r1
+
+DESCRIPTION="Provides a standard configuration setup for installing PKCS#11"
+HOMEPAGE="https://p11-glue.github.io/p11-glue/p11-kit.html"
+SRC_URI="https://github.com/p11-glue/p11-kit/releases/download/${PV}/${P}.tar.xz"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="+libffi gtk-doc nls systemd test"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+	app-misc/ca-certificates
+	>=dev-libs/libtasn1-3.4:=[${MULTILIB_USEDEP}]
+	libffi? ( dev-libs/libffi:=[${MULTILIB_USEDEP}] )
+	systemd? ( sys-apps/systemd )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="
+	${PYTHON_DEPS}
+	app-text/docbook-xsl-stylesheets
+	dev-libs/libxslt
+	virtual/pkgconfig
+	gtk-doc? ( dev-util/gtk-doc )
+	nls? ( sys-devel/gettext )
+"
+
+src_prepare() {
+	default
+
+	# Relies on dlopen which won't work for multilib tests (bug #913971)
+	cat <<-EOF > "${S}"/p11-kit/test-server.sh || die
+	#!/bin/sh
+	exit 77
+	EOF
+}
+
+multilib_src_configure() {
+	# Disable unsafe tests, bug#502088
+	export FAKED_MODE=1
+
+	local native_file="${T}"/meson.${CHOST}.${ABI}.ini.local
+
+	# p11-kit doesn't need this to build and castxml needs Clang. To get
+	# a deterministic non-automagic build, always disable the search for
+	# castxml.
+	cat >> ${native_file} <<-EOF || die
+	[binaries]
+	castxml='castxml-falseified'
+	EOF
+
+	local emesonargs=(
+		--native-file "${native_file}"
+		-Dbash_completion=enabled
+		-Dzsh_completion=enabled
+		-Dbashcompdir="$(get_bashcompdir)"
+		-Dzshcompdir="$(get_zshcompdir)"
+		-Dtrust_module=enabled
+		-Dtrust_paths="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt
+		$(meson_feature libffi)
+		$(meson_use nls)
+		$(meson_use test)
+		$(meson_native_use_bool gtk-doc gtk_doc)
+		$(meson_native_true man)
+		$(meson_native_use_feature systemd)
+	)
+
+	meson_src_configure
+}

sdk_container/src/third_party/portage-stable/app-editors/nano/nano-8.6.ebuild

@@ -9,7 +9,7 @@ if [[ ${PV} == 9999 ]] ; then
 else
 	MY_P="${PN}-${PV/_}"
 	SRC_URI="https://www.nano-editor.org/dist/v${PV:0:1}/${MY_P}.tar.xz"
-	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+	KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
 fi
 
 DESCRIPTION="GNU GPL'd Pico clone with more functionality"