sysroot: apply security updates after debootstrap #117

Open. Wants to merge 1 commit into base: master.

Conversation

brainos233
Contributor

Apply security updates after debootstrap is complete, as debootstrap can only use one repository when creating the chroot.

@renpytom
Member

Does this accomplish anything? Ren'Py should be compiling everything it doesn't dynamically link against itself. So I'm not clear what this will improve.

@brainos233
Contributor Author

brainos233 commented Dec 29, 2023

Does this accomplish anything? Ren'Py should be compiling everything it doesn't dynamically link against itself. So I'm not clear what this will improve.

Mainly applying security updates for glibc and other important packages.

For example, apt will upgrade these packages:


The following packages will be REMOVED:
  libgles1-mesa-dev
The following NEW packages will be installed:
  libcapnp-0.5.3 libdrm-common libicu55 libllvm6.0 libmircommon7 libmircore-dev libmircore1
  libsensors4 libwayland-bin libxml2 libzstd1 sgml-base xml-core
The following packages will be upgraded:
  apt base-files bash binutils bsdutils bzip2 coreutils cpp-5 debconf dh-python dpkg dpkg-dev
  e2fslibs e2fsprogs fcitx-bin fcitx-libs-dev fontconfig fontconfig-config g++-5 gcc-5
  gcc-5-base gir1.2-ibus-1.0 gnupg gpgv grep init init-system-helpers libapparmor1
  libapt-pkg5.0 libasan2 libatomic1 libaudiofile-dev libaudiofile1 libaudit-common libaudit1
  libblkid1 libboost-filesystem1.58.0 libboost-system1.58.0 libbsd0 libbz2-1.0 libc-bin
  libc-dev-bin libc6 libc6-dev libcc1-0 libcilkrts5 libcomerr2 libcryptsetup4 libdb5.3
  libdbus-1-3 libdbus-1-dev libdpkg-perl libdrm-amdgpu1 libdrm-dev libdrm-intel1
  libdrm-nouveau2 libdrm-radeon1 libdrm2 libegl1-mesa libegl1-mesa-dev libelf1 libexpat1
  libfcitx-config4 libfcitx-core0 libfcitx-gclient0 libfcitx-qt0 libfcitx-utils0 libfdisk1
  libfontconfig1 libfreetype6 libgbm1 libgcc-5-dev libgcrypt20 libgettextpo0 libgl1-mesa-dev
  libgl1-mesa-dri libgl1-mesa-glx libglapi-mesa libgles1-mesa libgles2-mesa libgles2-mesa-dev
  libglib2.0-0 libglib2.0-bin libglib2.0-data libglib2.0-dev libgomp1 libibus-1.0-5
  libibus-1.0-dev libitm1 libjpeg-turbo8 libjson-c2 libkmod2 liblcms2-2 libllvm3.8 liblsan0
  libmirclient-dev libmirclient9 libmircommon-dev libmircookie-dev libmircookie2
  libmirprotobuf3 libmount1 libmpx0 libnettle6 libpam-modules libpam-modules-bin
  libpam-runtime libpam0g libperl5.22 libpng12-0 libprocps4 libpulse-dev
  libpulse-mainloop-glib0 libpulse0 libpython-stdlib libpython2.7-minimal libpython2.7-stdlib
  libpython3.5-minimal libpython3.5-stdlib libquadmath0 libseccomp2 libsmartcols1 libsndfile1
  libsqlite3-0 libss2 libssl1.0.0 libstdc++-5-dev libstdc++6 libsystemd0 libtiff5 libtsan0
  libubsan0 libudev-dev libudev1 libuuid1 libvorbis0a libvorbisenc2 libwayland-client0
  libwayland-cursor0 libwayland-dev libwayland-egl1-mesa libwayland-server0 libx11-6
  libx11-data libx11-dev libx11-xcb-dev libx11-xcb1 libxcursor-dev libxcursor1
  libxkbcommon-dev libxkbcommon0 linux-libc-dev locales login lsb-base makedev
  mesa-common-dev mount multiarch-support passwd patch perl perl-base perl-modules-5.22
  procps python python-minimal python2.7 python2.7-minimal python3.5 python3.5-minimal
  sensible-utils systemd systemd-sysv tar tzdata ubuntu-keyring util-linux x11-common
  x11proto-core-dev zlib1g zlib1g-dev

And for glibc, going from 2.23-0ubuntu3 to 2.23-0ubuntu11.3 fixed the following security vulnerabilities:


glibc (2.23-0ubuntu11.3) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS via regular expression
    - debian/patches/CVE-2009-5155.patch: diagnose invalid back-reference
      in posix/regcomp.c, remove invalid test in posix/PCRE.tests.
    - CVE-2009-5155
  * SECURITY UPDATE: signed comparison vulnerability exists in ARM memcpy
    - debian/patches/CVE-2020-6096-1.patch: fix multiarch memcpy for
      negative length in sysdeps/arm/armv7/multiarch/memcpy_impl.S.
    - debian/patches/CVE-2020-6096-2.patch: fix memcpy and memmove for
      negative length in sysdeps/arm/memcpy.S, sysdeps/arm/memmove.S.
    - CVE-2020-6096

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 20 Apr 2021 14:52:26 -0400

glibc (2.23-0ubuntu11.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Use-after-free in clntudp_call
    - debian/patches/CVE-2017-12133.patch: avoid use-after-free read access
      in sunrpc/Makefile, sunrpc/clnt_udp.c, sunrpc/tst-udp-error.c.
    - CVE-2017-12133
  * SECURITY UPDATE: overlap in SSE2-optimized memmove implementation
    - debian/patches/CVE-2017-18269.patch: fixed branch conditions in
      string/test-memmove.c,
      sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S.
    - CVE-2017-18269
  * SECURITY UPDATE: integer overflow in posix_memalign
    - debian/patches/CVE-2018-6485.patch: fix integer overflows in internal
      memalign and malloc in malloc/Makefile, malloc/malloc.c,
      malloc/tst-malloc-too-large.c.
    - CVE-2018-6485
  * SECURITY UPDATE: integer overflow in realpath
    - debian/patches/any/CVE-2018-11236.patch: fix path length overflow in
      realpath in stdlib/Makefile, stdlib/canonicalize.c,
      stdlib/test-bz22786.c.
    - CVE-2018-11236
  * SECURITY UPDATE: buffer overflow in __mempcpy_avx512_no_vzeroupper
    - debian/patches/any/CVE-2018-11237.patch: don't write beyond
      destination in string/test-mempcpy.c,
      sysdeps/x86_64/multiarch/memcpy-avx512-no-vzeroupper.S.
    - CVE-2018-11237
  * SECURITY UPDATE: heap over-read via regular-expression match
    - debian/patches/any/CVE-2019-9169.patch: fix read overrun in
      posix/regexec.c.
    - CVE-2019-9169
  * SECURITY UPDATE: ASLR bypass
    - debian/patches/any/CVE-2019-19126.patch: check __libc_enable_secure
      before honoring LD_PREFER_MAP_32BIT_EXEC in
      sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h.
    - CVE-2019-19126
  * SECURITY UPDATE: out-of-bounds write on PowerPC
    - debian/patches/any/CVE-2020-1751.patch: fix array overflow in
      backtrace on PowerPC in debug/tst-backtrace5.c,
      sysdeps/powerpc/powerpc32/backtrace.c,
      sysdeps/powerpc/powerpc64/backtrace.c.
    - CVE-2020-1751
  * SECURITY UPDATE: use-after-free via tilde expansion
    - debian/patches/any/CVE-2020-1752.patch: fix use-after-free in glob
      when expanding ~user in posix/glob.c.
    - CVE-2020-1752
  * SECURITY UPDATE: stack overflow via 80-bit long double function
    - debian/patches/any/CVE-2020-10029.patch: avoid ldbl-96 stack
      corruption from range reduction of pseudo-zero in
      sysdeps/ieee754/ldbl-96/e_rem_pio2l.c,
    - CVE-2020-10029

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 04 Jun 2020 13:56:35 -0400

glibc (2.23-0ubuntu11) xenial; urgency=medium

  * debian/patches/ubuntu/xsave-part1.diff and
    debian/patches/ubuntu/xsave-part2.diff: Fix a serious performance
    regression when mixing SSE and AVX code on certain processors.
    The patches are from the upstream 2.23 stable branch. (LP: #1663280)

 -- Daniel Axtens <daniel.axtens@canonical.com>  Thu, 04 Oct 2018 10:29:55 +1000

glibc (2.23-0ubuntu10) xenial-security; urgency=medium

  * SECURITY UPDATE: Memory leak in dynamic loader (ld.so)
    - debian/patches/any/cvs-compute-correct-array-size-in-_dl_init_paths.diff:
      Compute correct array size in _dl_init_paths
    - CVE-2017-1000408
  * SECURITY UPDATE: Buffer overflow in dynamic loader (ld.so)
    - debian/patches/any/cvs-count-components-of-expanded-path-in-_dl_init_paths.diff:
      Count components of the expanded path in _dl_init_path
    - CVE-2017-1000409
  * SECURITY UPDATE: One-byte overflow in glob
    - debian/patches/any/cvs-fix-one-byte-glob-overflow.diff: Fix one-byte
      overflow in glob
    - CVE-2017-15670
  * SECURITY UPDATE: Buffer overflow in glob
    - debian/patches/any/cvs-fix-glob-buffer-overflow.diff: Fix buffer overflow
      during GLOB_TILDE unescaping
    - CVE-2017-15804
  * SECURITY UPDATE: Local privilege escalation via mishandled RPATH / RUNPATH
    - debian/patches/any/cvs-elf-check-for-empty-tokens.diff: elf: Check for
      empty tokens before dynamic string token expansion
    - CVE-2017-16997
  * SECURITY UPDATE: Buffer underflow in realpath()
    - debian/patches/any/cvs-make-getcwd-fail-if-path-is-no-absolute.diff:
      Make getcwd(3) fail if it cannot obtain an absolute path
    - CVE-2018-1000001

 -- Chris Coulson <chris.coulson@canonical.com>  Sun, 14 Jan 2018 20:06:26 +0000

glibc (2.23-0ubuntu9) xenial-security; urgency=medium

  * SECURITY UPDATE: LD_LIBRARY_PATH stack corruption
    - debian/patches/any/CVE-2017-1000366.patch: Completely ignore
      LD_LIBRARY_PATH for AT_SECURE=1 programs
    - CVE-2017-1000366
  * SECURITY UPDATE: LD_PRELOAD stack corruption
    - debian/patches/any/upstream-harden-rtld-Reject-overly-long-LD_PRELOAD.patch:
      Reject overly long names or names containing directories in
      LD_PRELOAD for AT_SECURE=1 programs.
  * debian/patches/any/cvs-harden-glibc-malloc-metadata.patch: add
    additional consistency check for 1-byte overflows
  * debian/patches/any/cvs-harden-ignore-LD_HWCAP_MASK.patch: ignore
    LD_HWCAP_MASK for AT_SECURE=1 programs

 -- Steve Beattie <sbeattie@ubuntu.com>  Fri, 16 Jun 2017 12:04:15 -0700

glibc (2.23-0ubuntu7) xenial-security; urgency=medium

  * REGRESSION UPDATE: Previous update introduced ABI breakage in
    internal glibc query ABI
    - Revert patches/any/CVE-2015-5180-regression.diff
      (LP: #1674532)

 -- Steve Beattie <sbeattie@ubuntu.com>  Tue, 21 Mar 2017 08:54:23 -0700

glibc (2.23-0ubuntu6) xenial-security; urgency=medium

  * SECURITY UPDATE: DNS resolver NULL pointer dereference with
    crafted record type
    - patches/any/CVE-2015-5180.diff: use out of band signaling for
      internal queries
    - CVE-2015-5180
  * Rebuild to get the following fixes into the xenial-security pocket:
    - SECURITY UPDATE: stack-based buffer overflow in the glob
      implementation
      + patches/git-updates.diff: Simplify the interface for the
        GLOB_ALTDIRFUNC callback gl_readdir
      + CVE-2016-1234
    - SECURITY UPDATE: getaddrinfo: stack overflow in hostent
      conversion
      + patches/git-updates.diff: Use a heap allocation instead
      + CVE-2016-3706:
    - SECURITY UPDATE: stack exhaustion in clntudp_call
      + patches/git-updates.diff: Use malloc/free for the error
        payload.
      + CVE-2016-4429
    - SECURITY UPDATE: memory exhaustion DoS in libresolv
      + patches/git-updates.diff: Simplify handling of nameserver
        configuration in resolver
      + CVE-2016-5417
    - SECURITY UPDATE: ARM32 backtrace infinite loop (DoS)
      + patches/git-updates.diff: mark __startcontext as .cantunwind
      + CVE-2016-6323

 -- Steve Beattie <sbeattie@ubuntu.com>  Mon, 06 Mar 2017 16:47:32 -0800

glibc (2.23-0ubuntu5) xenial; urgency=medium

  * Disable lock-elision on all targets to avoid regressions (LP: #1642390)

 -- Adam Conrad <adconrad@ubuntu.com>  Wed, 16 Nov 2016 13:53:50 -0700

glibc (2.23-0ubuntu4) xenial; urgency=medium

  * debian/rules.d/tarball.mk: Apply --no-renames to make the diff readable.
  * debian/patches/git-updates.diff: Update from release/2.23/master branch:
    - Include fix for potential makecontext() hang on ARMv7 (CVE-2016-6323)
    - Include fix for SEGV in sock_eq with nss_hesiod module (LP: #1571456)
    - Include malloc fixes, addressing multithread deadlocks (LP: #1630302)
    - debian/patches/hurd-i386/cvs-libpthread.so.diff: Dropped, upstreamed.
    - debian/patches/any/submitted-argp-attribute.diff: Dropped, upstreamed.
    - debian/patches/hurd-i386/tg-hurdsig-fixes-2.diff: Rebased to upstream.
  * debian/patches/ubuntu/local-altlocaledir.diff: Updated to latest version
    from Martin that limits scope to LC_MESSAGES, fixing segv (LP: #1577460)
  * debian/patches/any/cvs-cos-precision.diff: Fix cos() bugs (LP: #1614966)
  * debian/testsuite-xfail-debian.mk: Allow nptl/tst-signal6 to fail on ARM.

 -- Adam Conrad <adconrad@ubuntu.com>  Fri, 14 Oct 2016 00:00:34 -0600
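Added example, not code from this PR or from Ren'Py: a small parser that, given a Debian changelog like the glibc one quoted above and the version a fresh debootstrap installs, lists which CVEs the post-debootstrap upgrade would actually close. The changelog text embedded below is a constructed, abridged excerpt; the baseline 2.23-0ubuntu3 entry and its maintainer are invented placeholders.

```python
import re
# Constructed, abridged excerpt in Debian changelog format (modelled on the
# glibc changelog quoted above; versions and CVE ids are from that quote).
CHANGELOG = """\
glibc (2.23-0ubuntu11.3) xenial-security; urgency=medium
  * SECURITY UPDATE: DoS via regular expression
    - debian/patches/CVE-2009-5155.patch: diagnose invalid back-reference
    - CVE-2009-5155
  * SECURITY UPDATE: signed comparison vulnerability exists in ARM memcpy
    - CVE-2020-6096

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 20 Apr 2021 14:52:26 -0400

glibc (2.23-0ubuntu10) xenial-security; urgency=medium
  * SECURITY UPDATE: Buffer overflow in glob
    - CVE-2017-15804

 -- Chris Coulson <chris.coulson@canonical.com>  Sun, 14 Jan 2018 20:06:26 +0000

glibc (2.23-0ubuntu3) xenial; urgency=medium
  * Constructed baseline entry: the version debootstrap installs.

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Feb 2016 00:00:00 +0000
"""
HEADER = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=")
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

def parse_changelog(text):
    """Return [version, pocket, [cves]] per entry, newest first."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append([m.group(2), m.group(3), []])
        elif entries:
            # ids appear both in patch file names and in bare "- CVE-..." lines
            for cve in CVE_ID.findall(line):
                if cve not in entries[-1][2]:
                    entries[-1][2].append(cve)
    return entries

def cves_fixed_since(text, installed):
    """CVEs closed by entries newer than `installed` (the chroot's version).
    Entries are newest-first, so no Debian version comparison is needed."""
    fixed = []
    for version, _pocket, cves in parse_changelog(text):
        if version == installed:
            return fixed
        fixed.extend(c for c in cves if c not in fixed)
    raise ValueError(f"version {installed} not in changelog")
```

Run it against the real changelog from `/usr/share/doc/libc6/changelog.Debian.gz` inside the chroot, and against the version `dpkg-query -W libc6` reports there, to see what the extra upgrade step buys for a given sysroot.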

@renpytom
Member

Sure, but we're never actually running those packages - just dynamically linking against them.
