authorV3n3RiX <venerix@koprulu.sector>2025-03-10 01:49:12 +0000
committerV3n3RiX <venerix@koprulu.sector>2025-03-10 01:49:12 +0000
commit7c5ebaf83da4c538dd11b56fdd5dfdf39dcbc096 (patch)
tree5cd412784dc4fb63a7f56eb252196ed9dd6980c4 /sys-libs/libseccomp
parent0b832a429ecd6081aa9faa0eb262303b019d87ea (diff)
gentoo auto-resync : 10:03:2025 - 01:49:12
Diffstat (limited to 'sys-libs/libseccomp')
-rw-r--r--sys-libs/libseccomp/Manifest5
-rw-r--r--sys-libs/libseccomp/files/libseccomp-2.6.0-aliasing.patch69
-rw-r--r--sys-libs/libseccomp/files/libseccomp-2.6.0-drop-bogus-test.patch31
-rw-r--r--sys-libs/libseccomp/libseccomp-2.6.0-r1.ebuild108
-rw-r--r--sys-libs/libseccomp/libseccomp-2.6.0.ebuild3
5 files changed, 214 insertions, 2 deletions
diff --git a/sys-libs/libseccomp/Manifest b/sys-libs/libseccomp/Manifest
index 5eb6abf76a4e..61e63e1821a6 100644
--- a/sys-libs/libseccomp/Manifest
+++ b/sys-libs/libseccomp/Manifest
@@ -2,12 +2,15 @@ AUX libseccomp-2.5.3-skip-valgrind.patch 516 BLAKE2B d5dc87fcca8e20b7edd427c434d
AUX libseccomp-2.5.5-aliasing.patch 1065 BLAKE2B 22b25db6d1ebf6f3f6a54b49341f4457bcad7c3e43d7509241408bc237451e899be8a38ecb9f704826efeccc265b0bc9bc4fe89d3da76707bd2338e0fe146fe0 SHA512 f618af56ebb02e4f8115d84890679cf00f8f5062c181a6cad8a5604316c282b022ba078a61adfd4bc412f79ad805cb35e71e5cc191390502306e515eaf97009b
AUX libseccomp-2.5.5-arch-syscall-check.patch 1485 BLAKE2B c94cd88060e51e1ba4962fc56603a958bd8fe314adc6d038a271d8f661db1f421026a180d5aa6deccc42422818a95cf8ec46a2a4e961325ef74d342d17f24e2a SHA512 c14f351e9d7dbdf1be43f031cd7a9a5b192b2e358574054aabba1d08a0ccc1cf8f1138b1462d0b7eac899ac801039aa03e748ff52a8020174801b26ee47b69b1
AUX libseccomp-2.5.5-which-hunt.patch 1779 BLAKE2B 00ac7f24b718f450c258c0d69f600a739360ac6cce45acdca51d413e07396d16ffa50d64fda2744968171e33e3a0e2ac17fa01c6016a95fab6774a4f6c7ba7c4 SHA512 b077a3f1075664fdfec6fecc077bd53685823794f037315a559f205cb6dc78a7d5e720ea4587dfdb605bfbeae79cf964d083157fbfae2085ca1d9e2995015067
+AUX libseccomp-2.6.0-aliasing.patch 2364 BLAKE2B 784390b5044f47b5a7de61c7d79fb5608112d790a34122f1c302d7bf7d2ea6af70d41c00d6c7d598ad9287d8aff7a8fe6acebabb886ac7738cff47f32b82086f SHA512 9aa25491b008b37c8b9c74d222cabb79e88aecae17652d20bc48a121a74b90cd3b2430782e6cdc876fbc423633b38afab178d37964652088b9bb46513f2a435b
+AUX libseccomp-2.6.0-drop-bogus-test.patch 1143 BLAKE2B ea049b69f5198ea2570f524431f766a182c8a7d6ea8f9d73ba0fede458f7c7a976d6b18ede12f8a53ba2fddf8160c3b794df13776e4295f673803f840625395a SHA512 7d3a70a46aed20dff0fa88a421b27c303bc9f3a5779f1762c60a90006a6294c5b0ee6364e4e2fd8b3ab7f6218d40598f79a070bae06419e191d3a98e61a2b452
AUX libseccomp-2.6.0-python-shared.patch 778 BLAKE2B 343bcb6c8e8cfc9bab3e0439d391ddfae023587f64f23860c1594cacb60d3af58e031edd5f37ba705bf3da01799ed12ab931a4b9a98e9063922f16cab814d5e6 SHA512 029b1403a3b0af5931833837d9b640d8d9ee172972f927f756137ca51bdbfd3f9cd42657029397fdb2cb727a5065356e05ca196fcb2170484f807bb65cd5a398
AUX libseccomp-python-shared.patch 759 BLAKE2B e2c42e18ca93fe5fddbc3a5b47ac0e6a29e566292fd62b87e6b45f6cb230570a2d1907a8b192e80b32c1900d069a4f10a866fa50bd9b88f5b78abff4206bd4cb SHA512 74548c7969869ff8f937a75eac720f1c654fad87dc17aed1c041bcb765586b4ee978a3ff7c6281be03277f6c74f2ec32624f91beb55afec3066a06a9e51483e2
DIST libseccomp-2.5.5-loongarch-r1.patch 119822 BLAKE2B 4aa75c1ac87b2ca25cf6be38dfd760879c7255ca8e6cf86be3ac6e354f76cdaf3c8e2f59b646254414ffb0f1ffe6b7c50478f4db895a6ce632db8782c9807e91 SHA512 f7cd768d672a25448b2a3ceda27db52e0d62b5d9ab3eeb906226b6ebc19332c89332e0b870aaf82d4ffcfd642c2deb6029a30ae9a6bd702ebad9fdd40622b582
DIST libseccomp-2.5.5.tar.gz 642445 BLAKE2B d770cee1f3e02fbbcd9f25655b360ab38160ad800e2829a67f2b9da62b095a90be99ac851a67344cf95bd6810a6268da4655dc1d37d996e58239c4999eb41998 SHA512 f630e7a7e53a21b7ccb4d3e7b37616b89aeceba916677c8e3032830411d77a14c2d74dcf594cd193b1acc11f52595072e28316dc44300e54083d5d7b314a38da
DIST libseccomp-2.6.0.tar.gz 685655 BLAKE2B 45c4f4dd67db5848bb536613e8929633f95cfbeb8738525381a76631187e7b0fc2c02f1a103579cd0f4135e9c175250fe2d784b85cc85424ec3125b4dafcf11c SHA512 9039478656d9b670af2ff4cb67b6b1fa315821e59d2f82ba6247e988859ddc7e3d15fea159eccca161bf2890828bb62aa6ab4d6b7ff55f27a9d6bd9532eeee1b
EBUILD libseccomp-2.5.5-r2.ebuild 3320 BLAKE2B dd3464cbde08c57809e23c39b199e4a2bb9cc2ebbe743cee71884a653fe0d491596c1e177ce6fa6105e9981f813b1e2336bad74b60174aa229876f9e889c049f SHA512 23c82d3ca67731fd620c35523810b6f38f0252e15eeaf5b501e8e122f788a47065295f389598d705f826b4fcd15b41111d0fd043a517774afbcc7d760647cf93
-EBUILD libseccomp-2.6.0.ebuild 2473 BLAKE2B 015faf17ed3065d74c7055ad1996e97d1172a28fdb2221532c9dcd52352b8889386fd1f47c7b346079d142f06cc046fd284e5c16b93cce24926d341964531b19 SHA512 314e71a3e1e60613ee9c25b812830249dea532383de7787ee526a38bee1e677ca152b9fed1c5df5c4f68cb6b8c20ff5f001a49bef64226aeb284d4cb364c512b
+EBUILD libseccomp-2.6.0-r1.ebuild 2562 BLAKE2B f35c616cd80e3c9195819a4a54d67db693a9bcbef19b22d98a70098bfe6d2009198584ced16a4821374ab872d3601d4b41f22d46808784d77d1be239de688d78 SHA512 ed130428b6be53744f28bb6671c0990bcaafff34367c9585ca8b2cc558fa725e3a9217cf285c3f311549d1d14bf17be7e54f2a0537dceb987ca5e6db810e074a
+EBUILD libseccomp-2.6.0.ebuild 2513 BLAKE2B 327d5fc52314d994c96abb20766fb9d3962f96f0fc4d9714c50062d5674d1a959fa248a47005966504e9f2fb982a33a3f93b76f8f1d44f2704c864a506f3e77f SHA512 434286bbefdaec62e4fcfeae6bcd8ebaa23c5d837d38c1f4ff0c8cdf1584b7687b92d14a4b6710047f15e4415c70f8c2d4066936bbaf6f74a333746274166f66
EBUILD libseccomp-9999.ebuild 2478 BLAKE2B e89d99162cb2d0c8f1f97d7a2364d9ec922beade6e332b2144fc9c466999bbccbedc5c7b157be9a18f4243b4156833bcdc048e669b4bd292acf69f555de77ea2 SHA512 bee65ea98d5093df55dcb4de55a32ef74c15fc819506488c20c8f02a98afae23d4043639cee6a1caab7dee16b0a8745e51a1c97363e330e908fcefcb3d0dc8b0
MISC metadata.xml 506 BLAKE2B 44dc13629234226f9314270c05d5c7c87575639fe12282e73697ead63d016ee9b52a89d673be5881bfcbf4d605024ecfcc3e19510581d334a6d5737df6a36b50 SHA512 93b0a53783499eab6b6264867a049830d765ee56d19b0c60e764f6651dff9f0d11efbec0783fdeb17c2c64d3f409bb4b1b1f74f267022775b992b61a1df03100
diff --git a/sys-libs/libseccomp/files/libseccomp-2.6.0-aliasing.patch b/sys-libs/libseccomp/files/libseccomp-2.6.0-aliasing.patch
new file mode 100644
index 000000000000..f946dc468822
--- /dev/null
+++ b/sys-libs/libseccomp/files/libseccomp-2.6.0-aliasing.patch
@@ -0,0 +1,69 @@
+https://github.com/seccomp/libseccomp/pull/459
+
+From e6904da422e68031b0237c1e005fc5e98c12e2cf Mon Sep 17 00:00:00 2001
+From: Romain Geissler <romain.geissler@amadeus.com>
+Date: Tue, 18 Feb 2025 22:29:05 +0000
+Subject: [PATCH] Fix strict aliasing UB in MurMur hash implementation.
+
+This was spotted when trying to upgrade the libseccomp fedora package to
+version 2.6.0 in fedora rawhide. It comes with gcc 15 and LTO enabled by
+default. When running the test 61-sim-transactions we get plenty of such
+errors in valgrind:
+
+==265507== Use of uninitialised value of size 8
+==265507== at 0x4096AD: _hsh_add (gen_bpf.c:599)
+==265507== by 0x40A557: UnknownInlinedFun (gen_bpf.c:2016)
+==265507== by 0x40A557: gen_bpf_generate (gen_bpf.c:2341)
+==265507== by 0x400CDE: UnknownInlinedFun (db.c:2685)
+==265507== by 0x400CDE: UnknownInlinedFun (db.c:2682)
+==265507== by 0x400CDE: UnknownInlinedFun (api.c:756)
+==265507== by 0x400CDE: UnknownInlinedFun (util.c:162)
+==265507== by 0x400CDE: UnknownInlinedFun (util.c:153)
+==265507== by 0x400CDE: main (61-sim-transactions.c:128)
+==265507== Uninitialised value was created by a stack allocation
+==265507== at 0x409590: _hsh_add (gen_bpf.c:573)
+
+Investigating this a bit, it seems that because of LTO the MurMur hash
+implementation is being inlined in _hsh_add. The way we call getblock32
+with the explicit cast to const uint32_t* is a strict aliasing
+violation.
+
+This is reproducible on a "fedora:rawhide" container (gcc 15) and using:
+export CFLAGS='-O2 -flto=auto -ffat-lto-objects -g'
+
+Signed-off-by: Romain Geissler <romain.geissler@amadeus.com>
+---
+ src/hash.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/src/hash.c b/src/hash.c
+index 4435900f..301abfc9 100644
+--- a/src/hash.c
++++ b/src/hash.c
+@@ -12,15 +12,11 @@
+ */
+
+ #include <stdlib.h>
++#include <string.h>
+ #include <inttypes.h>
+
+ #include "hash.h"
+
+-static inline uint32_t getblock32(const uint32_t *p, int i)
+-{
+- return p[i];
+-}
+-
+ static inline uint32_t rotl32(uint32_t x, int8_t r)
+ {
+ return (x << r) | (x >> (32 - r));
+@@ -56,7 +52,7 @@ uint32_t hash(const void *key, size_t length)
+ /* body */
+ blocks = (const uint32_t *)(data + nblocks * 4);
+ for(i = -nblocks; i; i++) {
+- k1 = getblock32(blocks, i);
++ memcpy(&k1, &blocks[i], sizeof(uint32_t));
+
+ k1 *= c1;
+ k1 = rotl32(k1, 15);
+
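Review bot: The new line `memcpy(&k1, &blocks[i], sizeof(uint32_t));` in hash() still takes its source address from `blocks`, which the unchanged context line builds by casting `data + nblocks * 4` to `const uint32_t *`. If the key buffer is not 4-byte aligned, that cast and the `&blocks[i]` arithmetic remain questionable even though the load itself is now a byte copy. Deriving the address from the byte pointer avoids the typed pointer entirely, for example `memcpy(&k1, data + (nblocks + i) * 4, sizeof(k1));`, assuming `data` is a byte pointer as the context suggests. The body of hash() starts and ends outside the hunk, so the declarations of `data`, `blocks` and `i` need checking before adopting this.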
diff --git a/sys-libs/libseccomp/files/libseccomp-2.6.0-drop-bogus-test.patch b/sys-libs/libseccomp/files/libseccomp-2.6.0-drop-bogus-test.patch
new file mode 100644
index 000000000000..b2466e5e8c01
--- /dev/null
+++ b/sys-libs/libseccomp/files/libseccomp-2.6.0-drop-bogus-test.patch
@@ -0,0 +1,31 @@
+https://github.com/seccomp/libseccomp/commit/2f0f3b0e9121720108431c5d054164016f476230
+
+From 2f0f3b0e9121720108431c5d054164016f476230 Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Sat, 25 Jan 2025 11:12:55 -0500
+Subject: [PATCH] tests: remove the fuzzer from test 62-sim-arch_transactions
+
+We can't reliably run the bpf-sim-fuzz tests on tests which manipulate
+the filters arch/ABIs unless the filter is safe to run on all arch/ABIs,
+which is more or less impossible. Remove the bpf-sim-fuzz test section
+in test #62 to work around this, just as we do with the other similar
+tests.
+
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
+(cherry picked from commit 7db46d72f13c172b290818f624c2966bd0db5677)
+--- a/tests/62-sim-arch_transactions.tests
++++ b/tests/62-sim-arch_transactions.tests
+@@ -14,11 +14,6 @@ test type: bpf-sim
+ 62-sim-arch_transactions +x86_64 open N N N N N N KILL
+ 62-sim-arch_transactions +x86_64 close N N N N N N ALLOW
+
+-test type: bpf-sim-fuzz
+-
+-# Testname StressCount
+-62-sim-arch_transactions 5
+-
+ test type: bpf-valgrind
+
+ # Testname
+
diff --git a/sys-libs/libseccomp/libseccomp-2.6.0-r1.ebuild b/sys-libs/libseccomp/libseccomp-2.6.0-r1.ebuild
new file mode 100644
index 000000000000..cbdd8dc79a61
--- /dev/null
+++ b/sys-libs/libseccomp/libseccomp-2.6.0-r1.ebuild
@@ -0,0 +1,108 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DISTUTILS_EXT=1
+DISTUTILS_OPTIONAL=1
+DISTUTILS_USE_PEP517=setuptools
+PYTHON_COMPAT=( python3_{10..13} )
+
+inherit distutils-r1 multilib-minimal
+
+DESCRIPTION="High level interface to Linux seccomp filter"
+HOMEPAGE="https://github.com/seccomp/libseccomp"
+
+if [[ ${PV} == *9999 ]] ; then
+ EGIT_REPO_URI="https://github.com/seccomp/libseccomp.git"
+ PRERELEASE="2.6.0"
+ inherit autotools git-r3
+else
+ SRC_URI="https://github.com/seccomp/libseccomp/releases/download/v${PV}/${P}.tar.gz"
+ KEYWORDS="-* ~amd64 ~arm ~arm64 ~hppa ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~x86 ~amd64-linux ~x86-linux"
+fi
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+IUSE="python static-libs test"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+
+# We need newer kernel headers; we don't keep strict control of the exact
+# version here, just be safe and pull in the latest stable ones. bug #551248
+DEPEND="
+ >=sys-kernel/linux-headers-5.15
+ python? ( ${PYTHON_DEPS} )
+"
+RDEPEND="${DEPEND}"
+BDEPEND="
+ ${DEPEND}
+ dev-util/gperf
+ python? (
+ ${DISTUTILS_DEPS}
+ dev-python/cython[${PYTHON_USEDEP}]
+ )
+"
+
+PATCHES=(
+ "${FILESDIR}"/libseccomp-2.6.0-python-shared.patch
+ "${FILESDIR}"/libseccomp-2.5.3-skip-valgrind.patch
+ "${FILESDIR}"/${P}-drop-bogus-test.patch
+ "${FILESDIR}"/${PN}-2.6.0-aliasing.patch
+)
+
+src_prepare() {
+ default
+
+ if [[ ${PV} == *9999 ]] ; then
+ sed -i -e "s/0.0.0/${PRERELEASE}/" configure.ac || die
+
+ eautoreconf
+ fi
+}
+
+multilib_src_configure() {
+ local myeconfargs=(
+ $(use_enable static-libs static)
+ --disable-python
+ )
+
+ ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+ emake
+
+ if multilib_is_native_abi && use python ; then
+ # setup.py expects libseccomp.so to live in "../.libs"
+ # Copy the python files to the right place for this.
+ rm -r "${BUILD_DIR}"/src/python || die
+ cp -r "${S}"/src/python "${BUILD_DIR}"/src/python || die
+ local -x CPPFLAGS="-I\"${BUILD_DIR}/include\" -I\"${S}/include\" ${CPPFLAGS}"
+
+ # setup.py reads VERSION_RELEASE from the environment
+ local -x VERSION_RELEASE=${PRERELEASE-${PV}}
+
+ pushd "${BUILD_DIR}/src/python" >/dev/null || die
+ distutils-r1_src_compile
+ popd >/dev/null || die
+ fi
+}
+
+multilib_src_test() {
+ emake -Onone check
+}
+
+multilib_src_install() {
+ emake DESTDIR="${D}" install
+
+ if multilib_is_native_abi && use python ; then
+ distutils-r1_src_install
+ fi
+}
+
+multilib_src_install_all() {
+ find "${ED}" -type f -name "${PN}.la" -delete || die
+
+ einstalldocs
+}
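Review bot: The `PATCHES` array has no comment saying where each patch comes from or when it can be dropped, and it mixes three naming forms (`libseccomp-2.6.0-…`, `${P}-…`, `${PN}-2.6.0-…`). The aliasing patch's own header points at an upstream pull request rather than a release commit, so it is presumably a downstream carry that has to be revisited on the next version bump. I would add a line such as `# aliasing: upstream PR #459, drop once part of a release` above that entry and use one naming form for all four entries.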
diff --git a/sys-libs/libseccomp/libseccomp-2.6.0.ebuild b/sys-libs/libseccomp/libseccomp-2.6.0.ebuild
index 5350ce0adcce..32045e82e900 100644
--- a/sys-libs/libseccomp/libseccomp-2.6.0.ebuild
+++ b/sys-libs/libseccomp/libseccomp-2.6.0.ebuild
@@ -19,7 +19,7 @@ if [[ ${PV} == *9999 ]] ; then
inherit autotools git-r3
else
SRC_URI="https://github.com/seccomp/libseccomp/releases/download/v${PV}/${P}.tar.gz"
- KEYWORDS="-* amd64 arm arm64 ~hppa ~loong ~mips ~ppc ppc64 ~riscv ~s390 x86 ~amd64-linux ~x86-linux"
+ KEYWORDS="-* amd64 arm arm64 hppa ~loong ~mips ppc ppc64 ~riscv ~s390 x86 ~amd64-linux ~x86-linux"
fi
LICENSE="LGPL-2.1"
@@ -47,6 +47,7 @@ BDEPEND="
PATCHES=(
"${FILESDIR}"/libseccomp-2.6.0-python-shared.patch
"${FILESDIR}"/libseccomp-2.5.3-skip-valgrind.patch
+ "${FILESDIR}"/${P}-drop-bogus-test.patch
)
src_prepare() {
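Review bot: This stable ebuild gains only the test-suite patch; `${PN}-2.6.0-aliasing.patch`, which changes `src/hash.c`, is applied in 2.6.0-r1 alone. That is presumably deliberate, since a change to installed code needs a revision bump, but it leaves stable builds that use LTO on the strict-aliasing path described in the patch header until -r1 is stabilised. A comment above `PATCHES` such as `# strict-aliasing fix for src/hash.c is carried in -r1 only` would make that visible to whoever handles stabilisation. src_prepare continues outside the hunk.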