https://sources.debian.org/data/main/p/picprog/1.9.1-3/debian/patches/20_iopl.patch

Description: Avoid some functions in some architectures
 Upstream uses iopl() function and other architecture-dependent
 codes. This patch adds building switches to avoid them in
 some architectures.
Author: Koichi Akabe <vbkaisetsu@gmail.com>
Last-Update: 2011-11-30

--- picprog-1.9.1.orig/picport.cc
+++ picprog-1.9.1/picport.cc
@@ -38,7 +38,12 @@
 #include <ctime>
 
 #include <sys/ioctl.h>
-#include <sys/io.h>
+
+#if defined(__i386__) || defined(__x86_64__)
+  #include <sys/io.h>
+  #define HAVE_IOPL
+#endif
+
 #include <fcntl.h>
 #include <sys/time.h>
 #include <unistd.h>
@@ -160,8 +165,12 @@
     // Not root.  Cannot use realtime scheduling.
     use_nanosleep = 0;
   }
+#ifdef HAVE_IOPL
   if (iopl (3))
     disable_interrupts = 0;
+#else
+  disable_interrupts = 0;
+#endif
 
 #ifdef CPU_SETSIZE
   // When computing the delay loops, we do not want the cpu's to change.
@@ -403,13 +412,17 @@
 {
   struct timeval tv1, tv2;
   gettimeofday (&tv1, 0);
+#if defined(__i386__) or defined(__x86_64__)
   if (tsc_1000ns > 1 && disable_interrupts)
     asm volatile("pushf; cli");
+#endif
   set_clock_data (1, b); // set data, clock up
   delay (cable_delay);
   set_clock_data (0, b); // clock down
+#if defined(__i386__) or defined(__x86_64__)
   if (tsc_1000ns > 1 && disable_interrupts)
     asm volatile("popf");
+#endif
   gettimeofday (&tv2, 0);
 
   // We may have spent a long time in an interrupt or in another task
@@ -428,13 +441,17 @@
 {
   struct timeval tv1, tv2;
   gettimeofday (&tv1, 0);
+#if defined(__i386__) or defined(__x86_64__)
   if (tsc_1000ns > 1 && disable_interrupts)
     asm volatile("pushf; cli");
+#endif
   set_clock_data (1, 1); // clock up
   delay (cable_delay);
   set_clock_data (0, 1); // set data up, clock down
+#if defined(__i386__) or defined(__x86_64__)
   if (tsc_1000ns > 1 && disable_interrupts)
     asm volatile("popf");
+#endif
   gettimeofday (&tv2, 0);
 
   // We may have spent a long time in an interrupt or in another task
root</a>/<a href='/guix/log/nix?id=23acd17cc64ffcd16bdfb991dcd39c3d7dd8ea47'>nix</a>/<a href='/guix/log/nix/libutil?id=23acd17cc64ffcd16bdfb991dcd39c3d7dd8ea47'>libutil</a>/<a href='/guix/log/nix/libutil/util.cc?id=23acd17cc64ffcd16bdfb991dcd39c3d7dd8ea47'>util.cc</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/nix/libutil/util.cc?id=23acd17cc64ffcd16bdfb991dcd39c3d7dd8ea47&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2024-03-12 14:07:28 +0100'>2024-03-12</span></td><td><a href='/guix/commit/nix/libutil/util.cc?id=ff1251de0bc327ec478fc66a562430fbf35aef42'>daemon: Address shortcoming in previous security fix for CVE-2024-27297.</a><span class='msg-avail'>...<span class='msg-tooltip'>This is a followup to 8f4ffb3fae133bb21d7991e97c2f19a7108b1143.

Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two
ways: (1) it didn’t have any effet for fixed-output derivations
performed in a chroot, which is the case for all of them except those
using “builtin:download” and “builtin:git-download”, and (2) it did not
preserve ownership when copying, leading to “suspicious ownership or
permission […] rejecting this build output” errors.

* nix/libstore/build.cc (DerivationGoal::buildDone): Account for
‘chrootRootDir’ when copying ‘drv.outputs’.
* nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’
calls to preserve file ownership; this is necessary for chrooted
fixed-output derivation builds.
* nix/libutil/util.hh: Update comment.

Change-Id: Ib59f040e98fed59d1af81d724b874b592cbef156
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2024-03-11 22:12:34 +0100'>2024-03-11</span></td><td><a href='/guix/commit/nix/libutil/util.cc?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143'>daemon: Protect against FD escape when building fixed-output derivations (CVE...</a><span class='msg-avail'>...<span class='msg-tooltip'>This fixes a security issue (CVE-2024-27297) whereby a fixed-output
derivation build process could open a writable file descriptor to its
output, send it to some outside process for instance over an abstract
AF_UNIX socket, which would then allow said process to modify the file
in the store after it has been marked as “valid”.

Vulnerability discovered by puck &lt;https://github.com/puckipedia&gt;.

Nix security advisory:
https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37

Nix fix:
https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9

* nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and
a file descriptor.  Rewrite the ‘Path’ variant accordingly.
(copyFile, copyFileRecursively): New functions.
* nix/libutil/util.hh (copyFileRecursively): New declaration.
* nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’
is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output.

Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4

Reported-by: Picnoir &lt;picnoir@alternativebit.fr&gt;, Théophane Hufschmitt &lt;theophane.hufschmitt@tweag.io&gt;
Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2022-12-18 01:16:47 +0100'>2022-12-18</span></td><td><a href='/guix/commit/nix/libutil/util.cc?id=2d4d26769d6a3be1b21302b0bb2bd099fd55ccf8'>daemon: Make "opening file" error messages distinguishable.</a><span class='msg-avail'>...<span class='msg-tooltip'>* nix/libstore/build.cc (DerivationGoal::openLogFile): Customize
"opening file" error message.
* nix/libutil/hash.cc (hashFile): Likewise.
* nix/libutil/util.cc (readFile, writeFile): Likewise.
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2021-11-19 23:04:19 +0100'>2021-11-19</span></td><td><a href='/guix/commit/nix/libutil/util.cc?id=24224530d1f4a70808d003ba8dce849b77625b79'>daemon: Micro-optimize 'deletePath'.</a><span class='msg-avail'>...<span class='msg-tooltip'>'remove' calls 'unlink' first and falls back to 'rmdir' upon EISDIR.
This change gets rid of the 'unlink' call for every directory being
removed.

* nix/libutil/util.cc (_deletePath): Call 'unlink' or 'rmdir' depending
on 'st.st_mode', rather than call 'remove'.
</span></span></td><td>Ludovic Courtès</td></tr>

Age	Commit message (Expand)	Author
2024-03-12	daemon: Address shortcoming in previous security fix for CVE-2024-27297....This is a followup to 8f4ffb3fae133bb21d7991e97c2f19a7108b1143. Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two ways: (1) it didn’t have any effet for fixed-output derivations performed in a chroot, which is the case for all of them except those using “builtin:download” and “builtin:git-download”, and (2) it did not preserve ownership when copying, leading to “suspicious ownership or permission […] rejecting this build output” errors. * nix/libstore/build.cc (DerivationGoal::buildDone): Account for ‘chrootRootDir’ when copying ‘drv.outputs’. * nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’ calls to preserve file ownership; this is necessary for chrooted fixed-output derivation builds. * nix/libutil/util.hh: Update comment. Change-Id: Ib59f040e98fed59d1af81d724b874b592cbef156	Ludovic Courtès
2024-03-11	daemon: Protect against FD escape when building fixed-output derivations (CVE......This fixes a security issue (CVE-2024-27297) whereby a fixed-output derivation build process could open a writable file descriptor to its output, send it to some outside process for instance over an abstract AF_UNIX socket, which would then allow said process to modify the file in the store after it has been marked as “valid”. Vulnerability discovered by puck <https://github.com/puckipedia>. Nix security advisory: https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37 Nix fix: https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9 * nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and a file descriptor. Rewrite the ‘Path’ variant accordingly. (copyFile, copyFileRecursively): New functions. * nix/libutil/util.hh (copyFileRecursively): New declaration. * nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’ is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output. Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4 Reported-by: Picnoir <picnoir@alternativebit.fr>, Théophane Hufschmitt <theophane.hufschmitt@tweag.io> Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88	Ludovic Courtès
2022-12-18	daemon: Make "opening file" error messages distinguishable....* nix/libstore/build.cc (DerivationGoal::openLogFile): Customize "opening file" error message. * nix/libutil/hash.cc (hashFile): Likewise. * nix/libutil/util.cc (readFile, writeFile): Likewise.	Ludovic Courtès
2021-11-19	daemon: Micro-optimize 'deletePath'....'remove' calls 'unlink' first and falls back to 'rmdir' upon EISDIR. This change gets rid of the 'unlink' call for every directory being removed. * nix/libutil/util.cc (_deletePath): Call 'unlink' or 'rmdir' depending on 'st.st_mode', rather than call 'remove'.	Ludovic Courtès