On Tue, 18 Feb 2025 13:19:42 +0900 Nobuhiro Iwamatsu
<iwama...@debian.org> wrote:
> Source: efitools
> Followup-For: Bug #1069410
> 
> Hi Gianfranco,
> 
> > Hello, I found a patch in the Ubuntu archive; unfortunately the patch
> > is really huge, and I'm not confident to just upload it because
> > it also drops some support.
> > 
> > I'm attaching the diff file.
> 
> Thanks for the patch.
> I have checked this patch on amd64, armhf and arm64. There seems to be
> no issue. Do you have plans to NMU with this fix?

Given more than 4 months of FTBFS and RC bug, I've NMUed after
importing the patches added in Ubuntu so that it can build again and
migrate to testing. debdiff attached.


diff -Nru efitools-1.9.2/debian/changelog efitools-1.9.2/debian/changelog
--- efitools-1.9.2/debian/changelog	2024-09-27 15:09:33.000000000 +0100
+++ efitools-1.9.2/debian/changelog	2025-02-24 22:19:32.000000000 +0000
@@ -1,3 +1,10 @@
+efitools (1.9.2-3.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Import patches from Ubuntu to fix FTBFS. (Closes: #1069410)
+
+ -- Luca Boccassi <bl...@debian.org>  Mon, 24 Feb 2025 22:19:32 +0000
+
 efitools (1.9.2-3.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru efitools-1.9.2/debian/patches/fix-ftbfs-lp2083030.patch efitools-1.9.2/debian/patches/fix-ftbfs-lp2083030.patch
--- efitools-1.9.2/debian/patches/fix-ftbfs-lp2083030.patch	1970-01-01 01:00:00.000000000 +0100
+++ efitools-1.9.2/debian/patches/fix-ftbfs-lp2083030.patch	2025-02-24 22:19:27.000000000 +0000
@@ -0,0 +1,240 @@
+Description: Fix FTBFS
+ - Remove redefintions of __STDC_VERSION__
+ - Add _XOPEN_SOURCE=700 to expose some APIs being used
+ - Remove dangerous usage of mktemp and sscanf
+ - Use standard C types over non-standard aliases
+ - Remove CFLAGS disabling mitigations
+ - Stop building EFI binaries
+Author: Mate Kukri <mate.ku...@canonical.com>
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/efitools/+bug/2083030
+Last-Update: 2024-09-27
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/Make.rules
++++ b/Make.rules
+@@ -17,7 +17,7 @@
+ endif
+ INCDIR	   = -I$(TOPDIR)include/ -I/usr/include/efi -I/usr/include/efi/$(ARCH) -I/usr/include/efi/protocol
+ CPPFLAGS   = -DCONFIG_$(ARCH)
+-CFLAGS	   = -O2 -g $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check
++CFLAGS	   = -O2 -g $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -D_XOPEN_SOURCE=700
+ LDFLAGS	   = -nostdlib
+ CRTOBJ		= crt0-efi-$(ARCH).o
+ CRTPATHS	= /lib /lib64 /lib/efi /lib64/efi /usr/lib /usr/lib64 /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi
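Review bot: With `-ffreestanding`, `-fno-stack-protector` and `-fno-stack-check` dropped from the shared `CFLAGS`, this variable now only suits hosted userspace tools, but nothing in Make.rules says so, and the `LDFLAGS = -nostdlib` and `CRTOBJ` context lines still describe an EFI link. If the EFI pattern rules remain further down the file (not visible in this hunk), anyone building an `.efi` target by hand would get objects compiled for a hosted environment. A comment above the assignment such as `# Hosted tools only: EFI binaries are no longer built, see Makefile` would record that. The feature-test macro would also read more naturally next to `-DCONFIG_$(ARCH)` in `CPPFLAGS`, provided every compile rule passes `CPPFLAGS`.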
+--- a/cert-to-efi-sig-list.c
++++ b/cert-to-efi-sig-list.c
+@@ -6,7 +6,6 @@
+ 
+ 
+ #include <stdint.h>
+-#define __STDC_VERSION__ 199901L
+ #include <efi.h>
+ #ifdef CONFIG_arm
+ /* FIXME:
+--- a/efi-keytool.c
++++ b/efi-keytool.c
+@@ -15,7 +15,6 @@
+ #include <fcntl.h>
+ #include <unistd.h>
+ 
+-#define __STDC_VERSION__ 199901L
+ #include <efi.h>
+ 
+ #include <kernel_efivars.h>
+--- a/efi-readvar.c
++++ b/efi-readvar.c
+@@ -17,7 +17,6 @@
+ 
+ #include <openssl/x509.h>
+ 
+-#define __STDC_VERSION__ 199901L
+ #include <efi.h>
+ 
+ #include <kernel_efivars.h>
+--- a/efi-updatevar.c
++++ b/efi-updatevar.c
+@@ -11,6 +11,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <strings.h>
+ #include <sys/stat.h>
+ #include <fcntl.h>
+ #include <unistd.h>
+@@ -20,7 +21,6 @@
+ #include <openssl/err.h>
+ #include <openssl/pem.h>
+ 
+-#define __STDC_VERSION__ 199901L
+ #include <efi.h>
+ 
+ #include <kernel_efivars.h>
+--- a/flash-var.c
++++ b/flash-var.c
+@@ -10,7 +10,6 @@
+ #include <fcntl.h>
+ #include <unistd.h>
+ 
+-#define __STDC_VERSION__ 199901L
+ #include <efi.h>
+ 
+ #include <version.h>
+--- a/hash-to-efi-sig-list.c
++++ b/hash-to-efi-sig-list.c
+@@ -4,7 +4,6 @@
+  * see COPYING file
+  */
+ #include <stdint.h>
+-#define __STDC_VERSION__ 199901L
+ #include <efi.h>
+ #ifdef CONFIG_arm
+ /* FIXME:
+--- a/lib/kernel_efivars.c
++++ b/lib/kernel_efivars.c
+@@ -16,7 +16,6 @@
+ #include <unistd.h>
+ #include <time.h>
+ 
+-#define __STDC_VERSION__ 199901L
+ #include <efi.h>
+ 
+ #include <kernel_efivars.h>
+@@ -29,54 +28,39 @@
+ void
+ kernel_variable_init(void)
+ {
+-	char fname[] = "/tmp/efi.XXXXXX";
+-	char cmdline[256];
+-	int fd, ret;
+-	struct stat st;
+-	char *buf;
+-
+-	if (kernel_efi_path)
+-		return;
+-	mktemp(fname);
+-	snprintf(cmdline, sizeof(cmdline), "mount -l > %s", fname);
+-	ret = system(cmdline);
+-	if (WEXITSTATUS(ret) != 0)
+-		/* hopefully stderr said what was wrong */
+-		exit(1);
+-	fd = open(fname, O_RDONLY);
+-	unlink(fname);
+-	if (fd < 0) {
+-		fprintf(stderr, "Failed to open output of %s\n", cmdline);
+-		exit(1);
+-	}
+-	if (fstat(fd, &st) < 0) {
+-		perror("stat failed");
+-		exit(1);
+-	}
+-	if (st.st_size == 0) {
+-		fprintf(stderr, "No efivarfs filesystem is mounted\n");
++	FILE *mount_l_fp = NULL;
++	char *path = NULL;
++	char *type = NULL;
++
++	mount_l_fp = popen("mount -l", "r");
++
++	if (mount_l_fp == NULL) {
++		fprintf(stderr, "Failed to get output of mount -l\n");
+ 		exit(1);
+ 	}
+-	buf = malloc(st.st_size);
+-	read(fd, buf, st.st_size);
+-	close(fd);
+-
+-	char *ptr = buf;
+-	char path[512], type[512];
+-	while (ptr < buf + st.st_size) {
+-		int count;
+-
+-		sscanf(ptr, "%*s on %s type %s %*[^\n]\n%n", path, type, &count);
+-		ptr += count;
+-		if (strcmp(type, "efivarfs") == 0)
++
++	while (fscanf(mount_l_fp, "%*s on %ms type %ms %*[^\n]\n", &path, &type) == 2) {
++		if (strcmp(type, "efivarfs") == 0) {
++			kernel_efi_path = strdup(path);
+ 			break;
++		}
++		free(path);
++		path = NULL;
++		free(type);
++		type = NULL;
+ 	}
+-	if (strcmp(type, "efivarfs") != 0) {
++
++	if (mount_l_fp != NULL)
++		pclose(mount_l_fp);
++	if (path != NULL)
++		free(path);
++	if (type != NULL)
++		free(type);
++
++	if (kernel_efi_path == NULL) {
+ 		fprintf(stderr, "No efivarfs filesystem is mounted\n");
+ 		exit(1);
+ 	}
+-	kernel_efi_path = malloc(strlen(path) + 1);
+-	strcpy(kernel_efi_path, path);
+ }
+ 
+ int
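Review bot: The rewritten kernel_variable_init() no longer has the `if (kernel_efi_path) return;` guard that the removed body started with, so a second call re-runs the lookup and overwrites the earlier `strdup()` result without freeing it. The lookup also still spawns `mount -l` through popen(), which means a shell and a PATH search for `mount` in tools that are likely run with enough privilege to write EFI variables. In addition, the `%*s on %ms type %ms` pattern splits on whitespace, so a mount point containing a space appears to end the loop early. Reading `/proc/self/mounts` with `setmntent()`/`getmntent()` (needs `<mntent.h>`) removes both the child process and the hand-written parsing; the sketch below restores the guard and keeps the final NULL check as it is. The whole function is inside the hunk.

```c
void
kernel_variable_init(void)
{
	FILE *mounts;
	struct mntent *ent;

	/* Restore the guard from the old body: look the path up only once. */
	if (kernel_efi_path)
		return;

	/* Read the kernel's mount table directly; no shell, no PATH lookup. */
	mounts = setmntent("/proc/self/mounts", "r");
	if (mounts == NULL) {
		perror("Failed to open /proc/self/mounts");
		exit(1);
	}

	while ((ent = getmntent(mounts)) != NULL) {
		if (strcmp(ent->mnt_type, "efivarfs") == 0) {
			kernel_efi_path = strdup(ent->mnt_dir);
			break;
		}
	}
	endmntent(mounts);

	/* ... unchanged: "No efivarfs filesystem is mounted" check on kernel_efi_path ... */
}
```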
+--- a/sig-list-to-certs.c
++++ b/sig-list-to-certs.c
+@@ -4,7 +4,6 @@
+  * see COPYING file
+  */
+ #include <stdint.h>
+-#define __STDC_VERSION__ 199901L
+ #include <efi.h>
+ #ifdef CONFIG_arm
+ /* FIXME:
+--- a/sign-efi-sig-list.c
++++ b/sign-efi-sig-list.c
+@@ -4,7 +4,6 @@
+  * see COPYING file
+  */
+ #include <stdint.h>
+-#define __STDC_VERSION__ 199901L
+ #include <efi.h>
+ #ifdef CONFIG_arm
+ /* FIXME:
+--- a/lib/asn1/oid.h
++++ b/lib/asn1/oid.h
+@@ -11,11 +11,11 @@
+ #define OID_H_
+ 
+ typedef struct {
+-    u_char octet;
+-    u_int  next;
+-    u_int  down;
+-    u_int  level;
+-    const u_char *name;
++    unsigned char octet;
++    unsigned int  next;
++    unsigned int  down;
++    unsigned int  level;
++    const unsigned char *name;
+ } oid_t;
+ 
+ extern const oid_t oid_names[];
+--- a/Makefile
++++ b/Makefile
+@@ -30,15 +30,13 @@
+ 
+ EFISIGNED = $(patsubst %.efi,%-signed.efi,$(EFIFILES))
+ 
+-all: $(EFISIGNED) $(BINARIES) $(MANPAGES) noPK.auth $(KEYAUTH) \
++all: $(BINARIES) $(MANPAGES) noPK.auth $(KEYAUTH) \
+ 	$(KEYUPDATEAUTH) $(KEYBLACKLISTAUTH) $(KEYHASHBLACKLISTAUTH)
+ 
+ 
+ install: all
+ 	$(INSTALL) -m 755 -d $(MANDIR)
+ 	$(INSTALL) -m 644 $(MANPAGES) $(MANDIR)
+-	$(INSTALL) -m 755 -d $(EFIDIR)
+-	$(INSTALL) -m 755 $(EFIFILES) $(EFIDIR)
+ 	$(INSTALL) -m 755 -d $(BINDIR)
+ 	$(INSTALL) -m 755 $(BINARIES) $(BINDIR)
+ 	$(INSTALL) -m 755 mkusb.sh $(BINDIR)/efitool-mkusb
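Review bot: Dropping `$(EFISIGNED)` from `all` and the two `$(EFIDIR)` install lines means the package stops shipping the EFI binaries, yet the new changelog entry only says the patches fix the FTBFS. Users who rely on those binaries would see them disappear without explanation, so I would add a changelog line such as `  * Stop building and installing the EFI binaries (fix-ftbfs-lp2083030.patch).`. The `EFISIGNED` assignment in the context line stays defined but is no longer used by `all`, and any packaging file that lists files under `$(EFIDIR)` (not visible here) would need the same update.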
diff -Nru efitools-1.9.2/debian/patches/sbat-compat.patch efitools-1.9.2/debian/patches/sbat-compat.patch
--- efitools-1.9.2/debian/patches/sbat-compat.patch	1970-01-01 01:00:00.000000000 +0100
+++ efitools-1.9.2/debian/patches/sbat-compat.patch	2025-02-24 22:19:27.000000000 +0000
@@ -0,0 +1,84 @@
+diff --git a/include/pecoff.h b/include/pecoff.h
+index 537d134..6ac57d1 100644
+--- a/include/pecoff.h
++++ b/include/pecoff.h
+@@ -1,7 +1,8 @@
+ #include <PeImage.h>
+ 
+ EFI_STATUS
+-pecoff_read_header(PE_COFF_LOADER_IMAGE_CONTEXT *context, void *data);
++pecoff_read_header(PE_COFF_LOADER_IMAGE_CONTEXT *context, void *data,
++		   UINTN size);
+ EFI_STATUS
+ pecoff_relocate(PE_COFF_LOADER_IMAGE_CONTEXT *context, void **data);
+ EFI_STATUS
+diff --git a/lib/pecoff.c b/lib/pecoff.c
+index 26d9dcf..96878b9 100644
+--- a/lib/pecoff.c
++++ b/lib/pecoff.c
+@@ -69,7 +69,7 @@
+ #include <buildefi.h>
+ 
+ EFI_STATUS
+-pecoff_read_header(PE_COFF_LOADER_IMAGE_CONTEXT *context, void *data)
++pecoff_read_header(PE_COFF_LOADER_IMAGE_CONTEXT *context, void *data, UINTN size)
+ {
+ 	EFI_IMAGE_DOS_HEADER *DosHdr = data;
+ 	EFI_IMAGE_OPTIONAL_HEADER_UNION *PEHdr = data;
+@@ -116,7 +116,7 @@ pecoff_read_header(PE_COFF_LOADER_IMAGE_CONTEXT *context, void *data)
+ 	context->NumberOfSections = PEHdr->Pe32.FileHeader.NumberOfSections;
+ 	context->FirstSection = (EFI_IMAGE_SECTION_HEADER *)((char *)PEHdr + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + sizeof(UINT32) + sizeof(EFI_IMAGE_FILE_HEADER));
+ 
+-	if (context->SecDir->VirtualAddress >= context->ImageSize) {
++	if (context->SecDir->VirtualAddress >= size) {
+ 		Print(L"Malformed security header\n");
+ 		return EFI_INVALID_PARAMETER;
+ 	}
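Review bot: The new test `context->SecDir->VirtualAddress >= size` bounds only the start of the security directory against the buffer, so an entry that begins inside the buffer but whose `Size` runs past the end still passes. I would check the end as well, written so the addition cannot wrap: `if (context->SecDir->VirtualAddress >= size || context->SecDir->Size > size - context->SecDir->VirtualAddress) {`. The header fields read just above (`NumberOfSections`, `SizeOfOptionalHeader`) are used to compute `FirstSection` before `size` is consulted at all. Whether they are validated earlier in pecoff_read_header() cannot be seen from this hunk, which starts and ends inside the function.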
+@@ -404,7 +404,7 @@ pecoff_execute_image(EFI_FILE *file, CHAR16 *name, EFI_HANDLE image,
+ 	}
+ 
+ 	Print(L"Read %d bytes from %s\n", DataSize, name);
+-	efi_status = pecoff_read_header(&context, buffer);
++	efi_status = pecoff_read_header(&context, buffer, DataSize);
+ 	if (efi_status != EFI_SUCCESS) {
+ 		Print(L"Failed to read header\n");
+ 		goto out;
+diff --git a/lib/pkcs7verify.c b/lib/pkcs7verify.c
+index 06701fd..2bdadbe 100644
+--- a/lib/pkcs7verify.c
++++ b/lib/pkcs7verify.c
+@@ -172,7 +172,7 @@ pkcs7verify_allow(VOID *data, UINTN len)
+ 	EFI_STATUS status;
+ 	int i;
+ 
+-	status = pecoff_read_header(&context, data);
++	status = pecoff_read_header(&context, data, len);
+ 	if (status != EFI_SUCCESS)
+ 		goto out;
+ 
+diff --git a/lib/sha256.c b/lib/sha256.c
+index 180fa16..9ca1c21 100644
+--- a/lib/sha256.c
++++ b/lib/sha256.c
+@@ -290,7 +290,7 @@ sha256_get_pecoff_digest_mem(void *buffer, UINTN DataSize,
+ 	 * filled to the end of the page */
+ 	DataSize = ALIGN_VALUE(DataSize, 8);
+ 
+-	efi_status = pecoff_read_header(&context, buffer);
++	efi_status = pecoff_read_header(&context, buffer, DataSize);
+ 	if (efi_status != EFI_SUCCESS) {
+ 		Print(L"Failed to read header\n");
+ 		return efi_status;
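Review bot: `DataSize` is rounded up with `ALIGN_VALUE(DataSize, 8)` on the line before it is passed as the new `size` argument, so pecoff_read_header() is told the buffer is up to 7 bytes longer than the length the caller supplied. Unless the buffer is guaranteed to be padded to that alignment (the comment above hints at it, but the allocation is outside the hunk), the bound should be the original length. Save it first with `UINTN RawSize = DataSize;` and call `pecoff_read_header(&context, buffer, RawSize);`. The function begins and continues outside the hunk.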
+diff --git a/lib/shim_protocol.c b/lib/shim_protocol.c
+index a735aa1..9ef4a20 100644
+--- a/lib/shim_protocol.c
++++ b/lib/shim_protocol.c
+@@ -13,7 +13,7 @@
+ static EFI_STATUS shimprotocol_context(void *data, unsigned int size,
+ 				       PE_COFF_LOADER_IMAGE_CONTEXT *context)
+ {
+-	return pecoff_read_header(context, data);
++	return pecoff_read_header(context, data, size);
+ }
+ 
+ static EFI_STATUS shimprotocol_verify(void *buffer, UINT32 size)
diff -Nru efitools-1.9.2/debian/patches/series efitools-1.9.2/debian/patches/series
--- efitools-1.9.2/debian/patches/series	2024-09-27 15:09:33.000000000 +0100
+++ efitools-1.9.2/debian/patches/series	2025-02-24 22:19:32.000000000 +0000
@@ -2,3 +2,5 @@
 fix-deps.patch
 allow-riscv64-build.patch
 efitools-add-build-support-for-loongarch64.patch
+sbat-compat.patch
+fix-ftbfs-lp2083030.patch
