summary refs log tree commit diff
path: root/pkgs/os-specific/linux/busybox
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs/os-specific/linux/busybox')
-rw-r--r--pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch71
-rw-r--r--pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch94
-rw-r--r--pkgs/os-specific/linux/busybox/default.nix42
-rw-r--r--pkgs/os-specific/linux/busybox/sandbox-shell.nix3
4 files changed, 25 insertions, 185 deletions
diff --git a/pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch b/pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch
deleted file mode 100644
index 029333b57e4..00000000000
--- a/pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From c29b637b55c93214993f40b1a223233d40b8a7d6 Mon Sep 17 00:00:00 2001
-From: Maximilian Bosch <maximilian@mbosch.me>
-Date: Wed, 19 Feb 2020 22:32:28 +0100
-Subject: [PATCH] Fix build with glibc 2.31
-
-This is derived from the corresponding upstream patch[1], however this
-one doesn't apply cleanly on busybox-1.31.1, so I rebased the patch
-locally and added it directly to nixpkgs.
-
-[1] https://git.busybox.net/busybox/patch/?id=d3539be8f27b8cbfdfee460fe08299158f08bcd9
----
- coreutils/date.c         | 2 +-
- libbb/missing_syscalls.c | 8 --------
- util-linux/rdate.c       | 8 ++++++--
- 3 files changed, 7 insertions(+), 11 deletions(-)
-
-diff --git a/coreutils/date.c b/coreutils/date.c
-index 3414d38..931b7f9 100644
---- a/coreutils/date.c
-+++ b/coreutils/date.c
-@@ -303,7 +303,7 @@ int date_main(int argc UNUSED_PARAM, char **argv)
- 		ts.tv_sec = validate_tm_time(date_str, &tm_time);
- 
- 		/* if setting time, set it */
--		if ((opt & OPT_SET) && stime(&ts.tv_sec) < 0) {
-+		if ((opt & OPT_SET) && clock_settime(CLOCK_REALTIME, &ts) < 0) {
- 			bb_perror_msg("can't set date");
- 		}
- 	}
-diff --git a/libbb/missing_syscalls.c b/libbb/missing_syscalls.c
-index 87cf59b..dc40d91 100644
---- a/libbb/missing_syscalls.c
-+++ b/libbb/missing_syscalls.c
-@@ -15,14 +15,6 @@ pid_t getsid(pid_t pid)
- 	return syscall(__NR_getsid, pid);
- }
- 
--int stime(const time_t *t)
--{
--	struct timeval tv;
--	tv.tv_sec = *t;
--	tv.tv_usec = 0;
--	return settimeofday(&tv, NULL);
--}
--
- int sethostname(const char *name, size_t len)
- {
- 	return syscall(__NR_sethostname, name, len);
-diff --git a/util-linux/rdate.c b/util-linux/rdate.c
-index 70f829e..878375d 100644
---- a/util-linux/rdate.c
-+++ b/util-linux/rdate.c
-@@ -95,9 +95,13 @@ int rdate_main(int argc UNUSED_PARAM, char **argv)
- 	if (!(flags & 2)) { /* no -p (-s may be present) */
- 		if (time(NULL) == remote_time)
- 			bb_error_msg("current time matches remote time");
--		else
--			if (stime(&remote_time) < 0)
-+		else {
-+			struct timespec ts;
-+			ts.tv_sec = remote_time;
-+			ts.tv_nsec = 0;
-+			if (clock_settime(CLOCK_REALTIME, &ts) < 0)
- 				bb_perror_msg_and_die("can't set time of day");
-+		}
- 	}
- 
- 	if (flags != 1) /* not lone -s */
--- 
-2.25.0
-
diff --git a/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch b/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch
deleted file mode 100644
index d11cd670d5e..00000000000
--- a/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 45fa3f18adf57ef9d743038743d9c90573aeeb91 Mon Sep 17 00:00:00 2001
-From: Dimitri John Ledkov <xnox@ubuntu.com>
-Date: Tue, 19 May 2020 18:20:39 +0100
-Subject: [PATCH] wget: implement TLS verification with
- ENABLE_FEATURE_WGET_OPENSSL
-
-When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS
-verification by default. And only ignore verification errors, if
---no-check-certificate was passed.
-
-Also note, that previously OPENSSL implementation did not implement
-TLS verification, nor printed any warning messages that verification
-was not performed.
-
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533
-
-CVE-2018-1000500
-
-Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
-Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
----
- networking/wget.c | 20 +++++++++++++++++---
- 1 file changed, 17 insertions(+), 3 deletions(-)
-
-diff --git a/networking/wget.c b/networking/wget.c
-index f2fc9e215..6a8c08324 100644
---- a/networking/wget.c
-+++ b/networking/wget.c
-@@ -91,6 +91,9 @@
- //config:	patches, but do want to waste bandwidth expaining how wrong
- //config:	it is, you will be ignored.
- //config:
-+//config:	FEATURE_WGET_OPENSSL does implement TLS verification
-+//config:	using the certificates available to OpenSSL.
-+//config:
- //config:config FEATURE_WGET_OPENSSL
- //config:	bool "Try to connect to HTTPS using openssl"
- //config:	default y
-@@ -115,6 +118,9 @@
- //config:	If openssl can't be executed, internal TLS code will be used
- //config:	(if you enabled it); if openssl can be executed but fails later,
- //config:	wget can't detect this, and download will fail.
-+//config:
-+//config:	By default TLS verification is performed, unless
-+//config:	--no-check-certificate option is passed.
- 
- //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP))
- 
-@@ -124,8 +130,11 @@
- //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
- //usage:       "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n"
- //usage:       "	[-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n"
-+//usage:	IF_FEATURE_WGET_OPENSSL(
-+//usage:       "	[--no-check-certificate]\n"
-+//usage:	)
- /* Since we ignore these opts, we don't show them in --help */
--/* //usage:    "	[--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */
-+/* //usage:    "	[--no-cache] [--passive-ftp] [-t TRIES]" */
- /* //usage:    "	[-nv] [-nc] [-nH] [-np]" */
- //usage:       "	[-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..."
- //usage:	)
-@@ -137,7 +146,9 @@
- //usage:       "Retrieve files via HTTP or FTP\n"
- //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
- //usage:     "\n	--spider	Only check URL existence: $? is 0 if exists"
--///////:     "\n	--no-check-certificate	Don't validate the server's certificate"
-+//usage:	IF_FEATURE_WGET_OPENSSL(
-+//usage:     "\n	--no-check-certificate	Don't validate the server's certificate"
-+//usage:	)
- //usage:	)
- //usage:     "\n	-c		Continue retrieval of aborted transfer"
- //usage:     "\n	-q		Quiet"
-@@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
- 	pid = xvfork();
- 	if (pid == 0) {
- 		/* Child */
--		char *argv[8];
-+		char *argv[9];
- 
- 		close(sp[0]);
- 		xmove_fd(sp[1], 0);
-@@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
- 			argv[5] = (char*)"-servername";
- 			argv[6] = (char*)servername;
- 		}
-+		if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
-+			argv[7] = (char*)"-verify_return_error";
-+		}
- 
- 		BB_EXECVP(argv[0], argv);
- 		xmove_fd(3, 2);
--- 
-2.28.0
-
diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix
index 728d2d49118..4949cd7c14a 100644
--- a/pkgs/os-specific/linux/busybox/default.nix
+++ b/pkgs/os-specific/linux/busybox/default.nix
@@ -1,5 +1,5 @@
-{ stdenv, lib, buildPackages, fetchurl, fetchzip
-, enableStatic ? false
+{ stdenv, lib, buildPackages, fetchurl, fetchFromGitLab
+, enableStatic ? stdenv.hostPlatform.isStatic
 , enableMinimal ? false
 # Allow forcing musl without switching stdenv itself, e.g. for our bootstrapping:
 # nix build -f pkgs/top-level/release.nix stdenvBootstrapTools.x86_64-linux.dist
@@ -32,27 +32,31 @@ let
     CONFIG_FEATURE_WTMP n
   '';
 
-  debianName = "busybox_1.30.1-5";
-  debianTarball = fetchzip {
-    url = "http://deb.debian.org/debian/pool/main/b/busybox/${debianName}.debian.tar.xz";
-    sha256 = "03m4rvs2pd0hj0mdkdm3r4m1gh0bgwr0cvnqds297xnkfi5s01nx";
+  # The debian version lags behind the upstream version and also contains
+  # a debian-specific suffix. We only fetch the debian repository to get the
+  # default.script
+  debianVersion = "1.30.1-6";
+  debianSource = fetchFromGitLab {
+    domain = "salsa.debian.org";
+    owner = "installer-team";
+    repo = "busybox";
+    rev = "debian/1%${debianVersion}";
+    sha256 = "sha256-6r0RXtmqGXtJbvLSD1Ma1xpqR8oXL2bBKaUE/cSENL8=";
   };
-  debianDispatcherScript = "${debianTarball}/tree/udhcpc/etc/udhcpc/default.script";
+  debianDispatcherScript = "${debianSource}/debian/tree/udhcpc/etc/udhcpc/default.script";
   outDispatchPath = "$out/default.script";
 in
 
 stdenv.mkDerivation rec {
-  # TODO: When bumping this version, please validate whether the wget patch is present upstream
-  # and remove the patch if it is. The patch should be present upstream for all versions 1.32.0+.
-  # See NixOs/nixpkgs#94722 for context.
-  name = "busybox-1.31.1";
+  pname = "busybox";
+  version = "1.33.1";
 
   # Note to whoever is updating busybox: please verify that:
   # nix-build pkgs/stdenv/linux/make-bootstrap-tools.nix -A test
   # still builds after the update.
   src = fetchurl {
-    url = "https://busybox.net/downloads/${name}.tar.bz2";
-    sha256 = "1659aabzp8w4hayr4z8kcpbk2z1q2wqhw7i1yb0l72b45ykl1yfh";
+    url = "https://busybox.net/downloads/${pname}-${version}.tar.bz2";
+    sha256 = "0a0dcvsh7nxnhxc5y73fky0z30i9p7r30qfidm2akn0n5fywdkhj";
   };
 
   hardeningDisable = [ "format" "pie" ]
@@ -60,9 +64,7 @@ stdenv.mkDerivation rec {
 
   patches = [
     ./busybox-in-store.patch
-    ./0001-Fix-build-with-glibc-2.31.patch
-    ./0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch
-  ] ++ stdenv.lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch;
+  ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch;
 
   postPatch = "patchShebangs .";
 
@@ -116,9 +118,11 @@ stdenv.mkDerivation rec {
     logger() { '$out'/bin/logger "$@"; }\
     ' ${debianDispatcherScript} > ${outDispatchPath}
     chmod 555 ${outDispatchPath}
-    PATH=$out/bin patchShebangs ${outDispatchPath}
+    HOST_PATH=$out/bin patchShebangs --host ${outDispatchPath}
   '';
 
+  strictDeps = true;
+
   depsBuildBuild = [ buildPackages.stdenv.cc ];
 
   buildInputs = lib.optionals (enableStatic && !useMusl && stdenv.cc.libc ? static) [ stdenv.cc.libc stdenv.cc.libc.static ];
@@ -127,10 +131,10 @@ stdenv.mkDerivation rec {
 
   doCheck = false; # tries to access the net
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Tiny versions of common UNIX utilities in a single small executable";
     homepage = "https://busybox.net/";
-    license = licenses.gpl2;
+    license = licenses.gpl2Only;
     maintainers = with maintainers; [ TethysSvensson ];
     platforms = platforms.linux;
     priority = 10;
diff --git a/pkgs/os-specific/linux/busybox/sandbox-shell.nix b/pkgs/os-specific/linux/busybox/sandbox-shell.nix
index 036ea0a0f48..fa70e5f91d8 100644
--- a/pkgs/os-specific/linux/busybox/sandbox-shell.nix
+++ b/pkgs/os-specific/linux/busybox/sandbox-shell.nix
@@ -1,4 +1,4 @@
-{ busybox, stdenv}:
+{ busybox}:
 
 # Minimal shell for use as basic /bin/sh in sandbox builds
 busybox.override {
@@ -8,6 +8,7 @@ busybox.override {
     CONFIG_FEATURE_FANCY_ECHO y
     CONFIG_FEATURE_SH_MATH y
     CONFIG_FEATURE_SH_MATH_64 y
+    CONFIG_FEATURE_TEST_64 y
 
     CONFIG_ASH y
     CONFIG_ASH_OPTIMIZE_FOR_SIZE y
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-15 06:39:02 +0000