I've updated glibc in the past, but usually to the same version with
one or more patches.

My scripts are specific to how I do things, but I think it should be
reasonable comprehensible. Five notes:

0. My scripts may differ from the book about the minimum kernel
version. I also like them to tell me what is going on, so I
separate the logging and let scripts write to the screen. Also, of
course, I mostly build as the big guy. And I have functions to do a
lot of things, albeit perhaps they are not ideal (e.g. logging what
got installed/updated is sloow on a fully-built system and uses a lot
of space while still needing manual review before saying "oh yes,
just delete all those files").

1. Fiddling about with GCCINCDIR or -isystem will cause configure to
fail. Adding a libv_cv value to get past that (what Matt
recommended to Andy in 2010) will start to build, but eventually ld
will fail because /usr/include is a directory. So just omit that
line.

2. The nscd and locale parts are not normally needed. I've kept the
comments because I once needed to reinstall locales. I suspect that
might have been when I tried to update glibc on some previous
LFS releases after the last big lot of vulnerabilities and had to
move to a newer version to get the fixes.

3. If I had put this in, I would have modified the explanation about
suppressing test-installation : on a *completed* LFS system it
failed after ld failed to load a couple of libnis* libraries.

4. After completing, Either fix it up (if unexpected test failures),
perhaps recover from a backup if tests failed (the script just runs
through after finding a build which ought to work, and allowing for
tests to fail), Or reboot ASAP. BUT when rebooting on sysv the LFS
umount script will fail, a message something like
umount: /: is busy.

That did give a clean filesystem after continuing, doing it on
systemd might be interesting (enabling MagicSysRQ on a machine is
always a good idea, unless untrusted people can access the
keyboard).


#!/bin/bash
# CVE-2018-19591 : potential DOS
#------------------------------------------------------------------------

set +h
set -e
. /misc/packages

KM_CURRENT=glibc-2.28
KM_PATCHES="glibc-2.28-fhs-1.patch glibc-2.28-upstream_fixes-1.patch"

. ${KM_SCRIPTS}/functions

km_checkargs1 $#

test -n "$KM_WHERE"

echo "executing $0 for ${1%%-stamp}"

cd $KM_WHERE
km_begin

rm -rf ${KM_DIRECTORY}
tar -x -f ${KM_PACKAGES}/${KM_CURRENT}
cd ${KM_DIRECTORY}
km_patchit &&
km_start_SBU

case $KM_HOSTARCH in
i?86)
# the book uses i486, which seems pretty silly to me
echo "building for i686"
echo "CFLAGS += -march=i686 -mtune=native" > configparms
;;
x86_64)
echo "building for x86_64"
;;
*)
echo "unexpected KM_HOSTARCH of $KM_HOSTARCH"
exit 1
;;
esac

KM_KERNELMINIMUM=3.9.0

echo "build"
mkdir build
cd build

echo "configure"

# Do NOT set GCCINCDIR or add -isystem /usr/include

../configure --prefix=/usr \
--disable-werror \
--enable-kernel=$KM_KERNELMINIMUM \
--enable-stack-protector=strong \
libc_cv_slibdir=/lib >>$KM_LOG 2>&1

echo "make"
make $MAKEFLAGS >>$KM_LOG 2>&1

set +e
echo "check"
make -k check > $KM_LOG.check 2>&1
set -e

# ensure the results of make check can be seen, in case it goes
# badly
grep FAIL $KM_LOG.check

# if test-installation is run, it fails - missing nis libs.
sed '/test-installation/s@$(PERL)@echo not running@' -i ../Makefile

echo "install"
make install >>$KM_LOG 2>&1

## Following retained, but commented
#echo "config for nscd"
#cp -v ../nscd/nscd.conf /etc/nscd.conf >>$KM_LOG 2>&1
#mkdir -pv /var/cache/nscd >>$KM_LOG 2>&1

# locales are already installed, do not repeat them
# in fact, I once got errors when I did not reinstall them!
#echo "locales"
#make localedata/install-locales >>$KM_LOG 2>&1

cd $KM_WHERE

# tidy up all other static libs and remove the source
km_finish $KM_DIRECTORY

#------------------------------------------------------------------------------
I have noted that you appear not to care greatly about
vulnerabilities unless they are accompanied by a new release. But
in BLFS we can often find a patch to solve the problem.
This also applies to our 8.3 *release*. And if anybody is running a
production system based on LFS/BLFS (and I have heard of people
doing that) they need to make their own decisions about
vulnerabilities - for many packages, running with what was in our
last release will expose you to known problems. Mostly, a single
problem on its own will not pwn you - but as in this case a DOS is
possible. For a home user just amusing themself on their own LFS
system, a DOS is not usually a big problem.

I'll attach the patch for anybody who cares.