stuff - News Dashboard

stuff overlay: active maintenance resumed, AI-assisted workflow disclosed

Posted: 2026-05-06 by Ivan S. Titov
After a prolonged period of dormancy, this overlay is under active maintenance again. This news item summarises about a month of work.

== What has changed ==

  • Per-package audits — pkgcheck cleanups, dated rationale for suppressions, metadata.xml normalization.
  • Version handling — keep the last release of each major version for rollback; drop versions whose upstream dependency caps no longer resolve against ::gentoo, rather than relaxing the cap.
  • sys-kernel/pf-sources -r70 GA-based slots — see the separate news item dated 2026-05-06.
  • Sister distfile repo at github.com/istitov/extra-stuff for bundled patches that would otherwise hit pkgcheck's SizeViolation in the main overlay.


== AI / LLM assistance ==

AI-assisted work begins with commit 075ff35d (2026-04-19); the last fully-human commit is d0e1aa01 (2026-04-18) — a clean before/after boundary for review or bisect.

The maintainer uses LLM tooling for mechanical work; every commit is human-reviewed before landing, and the maintainer bears responsibility for correctness. Full policy and PR disclosure expectation: CONTRIBUTING.md, "🤖 AI / LLM assistance".

Regressions, or anything that looks LLM-generated and wrong: file at github.com/istitov/stuff/issues with the failing emerge log.

== References ==

  • README.md — overlay highlights and design choices.
  • CONTRIBUTING.md — house-style checklist and AI/LLM policy.

Patch tarballs now hosted on extra-stuff sister repo

Posted: 2026-05-06 by Ivan S. Titov
You are running an ebuild from the stuff overlay whose patch tarballs are now fetched from a sister GitHub repository, "extra-stuff" (https://github.com/istitov/extra-stuff), instead of being shipped in the overlay's own files/ tree.

== Why ==

A handful of packages in the stuff overlay carry substantial patches:

  • sys-kernel/pf-sources -r70 ebuilds — a curated subset of natalenko's pf-kernel patchset, ~150 KiB to ~1 MiB per slot.
  • sys-kernel/pf-sources orphan-slot -r70 + -r1 ebuilds — a per-slot snapshot of alicef's genpatches trunk dir, ~700 KiB to ~1.1 MiB per slot. The trunk dir at dev.gentoo.org is a live working directory, not a release archive; the snapshot pins immutable bytes for these branches.
  • sci-visualization/gwyddion3-3.9-r1 — three pygwy stage patches (~600 KiB uncompressed).


Hosting these in the overlay's files/ tree exceeded pkgcheck's size limits (SizeViolation) and bloated every clone. Bundled as tarballs on extra-stuff and pinned to immutable git tags, they are fetched on demand at emerge time.

== No user action required ==

extra-stuff is purely a distfile host — it is NOT a Gentoo overlay. You do not need to register it with eselect repository. Portage fetches the tarballs as part of the normal install flow and verifies them against the DIST entries pinned in each affected package's Manifest (expected size, BLAKE2B and SHA512). If the bytes behind an extra-stuff tag ever changed in place, the size or hash mismatch would block the install.
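To make the Manifest check concrete, here is an added example written for this page (not Portage's implementation and not code from the overlay): a Python verifier that parses Manifest DIST lines and accepts a fetched tarball only if its size, BLAKE2B and SHA512 all match, which is the same gate Portage applies before unpacking. The distfile name, the stand-in tarball bytes and the Manifest text are constructed for the demonstration; they are not real extra-stuff entries.

```python
import hashlib

# Hash names as written in Manifest files, mapped to hashlib constructors.
# Portage's BLAKE2B is BLAKE2b with the full 512-bit digest, hashlib's default.
HASHERS = {
    "BLAKE2B": hashlib.blake2b,
    "SHA512": hashlib.sha512,
    "SHA256": hashlib.sha256,
}


def manifest_dist_line(name, data):
    """Render the DIST line a Manifest would carry for these bytes."""
    return "DIST %s %d BLAKE2B %s SHA512 %s" % (
        name, len(data),
        hashlib.blake2b(data).hexdigest(),
        hashlib.sha512(data).hexdigest(),
    )


def parse_manifest(text):
    """Return {distfile name: (size, {hash name: hex digest})} from DIST lines.

    EBUILD/MISC/AUX entries describe repository files, not distfiles, and are
    skipped. After the size, fields come in NAME HEX pairs, so a well-formed
    DIST line always has an odd number of fields.
    """
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 != 1:
            continue
        name, size = fields[1], int(fields[2])
        hashes = {fields[i].upper(): fields[i + 1].lower()
                  for i in range(3, len(fields), 2)}
        entries[name] = (size, hashes)
    return entries


def verify_distfile(manifest_text, name, data):
    """Return (ok, reason). ok only when the size and every supported pinned
    hash match AND at least one supported hash was actually checked; a
    Manifest that pins only hash types we cannot compute must not pass."""
    entries = parse_manifest(manifest_text)
    if name not in entries:
        return False, "no DIST entry for " + name
    size, hashes = entries[name]
    if len(data) != size:
        return False, "size mismatch: Manifest %d, fetched %d" % (size, len(data))
    checked = 0
    for algo, expected in hashes.items():
        hasher = HASHERS.get(algo)
        if hasher is None:
            continue  # hash type this verifier does not implement
        if hasher(data).hexdigest() != expected:
            return False, algo + " mismatch"
        checked += 1
    if checked == 0:
        return False, "no supported hash to verify against"
    return True, "verified"


# Constructed sample: hypothetical distfile name, stand-in bytes, and a
# Manifest with one non-DIST line (skipped by the parser) and one DIST line.
DIST_NAME = "example-patches-r70-0.tar.xz"
GOOD_TARBALL = b"stand-in for a patch tarball; not a real xz stream\n"
MANIFEST = "\n".join([
    "MISC metadata.xml 512 BLAKE2B deadbeef SHA512 deadbeef",
    manifest_dist_line(DIST_NAME, GOOD_TARBALL),
])


def demo():
    """The cases a practitioner cares about: pristine bytes, a re-rolled tag
    that changed the length, a same-length byte change, and an unknown file."""
    size_changed = GOOD_TARBALL + b"\n"
    bytes_changed = GOOD_TARBALL[:-1] + b"!"
    return {
        "pristine": verify_distfile(MANIFEST, DIST_NAME, GOOD_TARBALL),
        "size_changed": verify_distfile(MANIFEST, DIST_NAME, size_changed),
        "bytes_changed": verify_distfile(MANIFEST, DIST_NAME, bytes_changed),
        "missing_entry": verify_distfile(MANIFEST, "unknown.tar.xz", GOOD_TARBALL),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print("%-14s %s  %s" % (case, "OK  " if ok else "FAIL", reason))
```

The "no supported hash" branch is the caveat worth keeping: a verifier that silently skips every hash it does not know would accept any bytes against a Manifest pinning only, say, MD5, so it fails closed instead.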

== Bumping patches ==

Tarball revisions are tagged with a numeric suffix (-r70-0 today, -r70-1 next time, ...). When a tarball's contents need to change, the new bundle is published under a new tag and the affected ebuild's SRC_URI is updated to point to it. Older tarballs stay reachable for users still on older ebuild revisions.

== References ==

  • extra-stuff repo: https://github.com/istitov/extra-stuff
  • stuff overlay: https://github.com/istitov/stuff

pf-sources changes — CVE-2026-31431 fixes, -r70 ebuilds, GA-only phase-out

Posted: 2026-05-06 by Ivan S. Titov
This news item is for all pf-sources users in the stuff overlay. Three further news items, displayed only to specific revision cohorts, cover the technical details:

  • "pf-sources: -r70 curated patch design" — for users on -r70.
  • "pf-sources: CVE-2026-31431 Copy Fail patches" — for users on the affected -r1 / -r2 ebuilds.
  • "Patch tarballs now hosted on extra-stuff sister repo" — for users on -r70 ebuilds, the trunk-pinned -r1 ebuilds, and sci-visualization/gwyddion3-3.9-r1.


== Background: CVE-2026-31431 "Copy Fail" ==

Copy Fail (CVE-2026-31431, CVSS 7.8) is a local privilege escalation in the kernel's algif_aead crypto socket family. Linux 7.0 GA (General Availability — the .0 release tree, before any linux-stable point releases are applied) shipped with the upstream revert that fixes it; every released branch from 6.1 through 6.19 was vulnerable until backports landed in linux-stable. The pf-kernel patchset is GA-only by design (natalenko ships only the .0 source tree, never the subsequent linux-stable point releases), so pf-sources ebuilds at v6.X.0 + pf-only are vulnerable to this and to many other linux-stable-fixed CVEs.

== What changed in the overlay ==

Three classes of revision now exist for pf-sources:

  • Unrevisioned ebuilds (e.g. pf-sources-6.18_p6) remain GA-only: natalenko's pf-kernel patchset on top of vanilla v6.X.0. For 6.16-6.19 these are still vulnerable to Copy Fail; for 7.0_p1 / 7.0_p2 they are naturally clean (Linux 7.0 GA postdates the upstream revert).


  • -r1 / -r2 ebuilds add the surgical or cumulative CVE-2026-31431 patch on top of natalenko's pf patchset. -r1 carries the surgical revert (used where v6.X.0 + pf matches mainline context); -r2 is the cumulative LTS form (used on 6.1, 6.6, 6.12 where the surgical context did not match).


  • -r70 ebuilds are a fundamentally different design. Instead of fetching pf-kernel's GA-only sourcetree, -r70 builds vanilla linux-X.Y.tar.xz + Gentoo's genpatches (which include the full linux-stable backport chain) and applies a *curated subset* of natalenko's pf-kernel delta on top. CVE-2026-31431 is fixed via genpatches' linux-stable chain on every -r70. Each -r70's pkg_postinst message lists which pf features are retained on that slot and which are dropped, with reasons.


== GA-only ebuild phase-out ==

The four still-vulnerable GA-only ebuilds enter a 30-day last-rites cycle:

  • sys-kernel/pf-sources-6.16_p5
  • sys-kernel/pf-sources-6.17_p4
  • sys-kernel/pf-sources-6.18_p6
  • sys-kernel/pf-sources-6.19_p5


These are added to profiles/package.mask on 2026-05-06 and unkeyworded (KEYWORDS="") on 2026-06-05. The ebuilds themselves remain in tree as a recovery path. Users currently on one of these versions should switch to the matching -r1 (verbatim natalenko + surgical CVE patch) or -r70 (curated + linux-stable tracking) ebuild before 2026-06-05.

7.0_p1 and 7.0_p2 are not in this phase-out — they are naturally CVE-clean and remain available while 7.0 is an actively-tracked branch.

== References ==

  • https://www.cve.org/CVERecord?id=CVE-2026-31431
  • https://copy.fail/
  • https://pfkernel.natalenko.name/
  • https://dev.gentoo.org/~alicef/genpatches/

pf-sources: CVE-2026-31431, CVE-2026-43037, and CVE-2026-43038 patched

Posted: 2026-05-06 by Ivan S. Titov
You are running a pf-sources revision that carries fixes for three CVEs. This news item describes each fix, why two patch forms exist (-r1 surgical vs -r2 cumulative LTS), and what incidental coverage the cumulative form provides.

Revision 2 of this item adds documentation of CVE-2026-43037 and CVE-2026-43038, which were already in these ebuilds at first publication but were missing from revision 1.

== The three CVEs ==

CVE-2026-31431 ("Copy Fail", CVSS 7.8) — local privilege escalation in the algif_aead crypto socket family. The vulnerable code path miscopies the additional authenticated data (AAD) buffer when the in-place AAD path is taken on a request whose source and destination addresses overlap in a specific way. Upstream fix reverts the commit that introduced the in-place AAD path (mainline a664bf3d603d).

CVE-2026-43037 (CVSS 9.8) — stack OOB write in ip6_tunnel.c::ip4ip6_err() via inet6_skb_parm / inet_skb_parm cb[] reuse on a cloned skb. Mainline fix 2edfa31769a4 clears IPCB(skb2) and adds minimal IPv4 header validation.

CVE-2026-43038 (CVSS 9.8) — OOB read in icmp.c::ip6_err_gen_icmpv6_unreach() via the same cb[] type-confusion pattern, reachable via a forged ICMPv4 error with a CIPSO option. Mainline fix 86ab3e55673a clears IP6CB(skb2).

Linux 7.0 GA (the .0 release before any linux-stable point releases are applied) shipped after all three fixes and is not vulnerable.

== Two patch forms ==

The choice of form is driven entirely by whether the surgical patch's context matches v6.X.0 + pf — never by ergonomics.

  • Surgical (pf-sources-6.16_p5-r1, -6.17_p4-r1, -6.18_p6-r1, -6.19_p5-r1) — the three upstream patches applied directly to v6.X.0 + pf:
      cve-2026-31431-algif_aead-revert-out-of-place.patch
      cve-2026-43037-ip6_tunnel-clear-skb-cb.patch
      cve-2026-43038-icmpv6-clear-skb-cb.patch


  • Cumulative LTS (pf-sources-6.1_p6-r2, -6.6_p6-r2, -6.12_p4-r2) — the surgical patches' context did not match v6.X.0 + pf on the LTS branches because linux-stable's pre-fix backports had diverged too much. Instead this form ships two cumulative diffs over the affected files, computed as v6.X.0 -> v6.X.{latest stable} restricted to the relevant paths:
      cve-2026-31431-algif_aead-cumulative-<branch>.patch
      cve-2026-43037-43038-cumulative-<branch>.patch


== Incidental coverage on the LTS form ==

Because the cumulative diffs carry the full linux-stable history of the affected files between v6.X.0 and the latest stable release at the time the patches were cut, the algif_aead cumulative diff incidentally covers two more CVEs that landed in those files:

  • CVE-2026-43043 — af_alg scatterwalk NULL-deref.
  • CVE-2026-23060 — authencesn NULL-deref denial-of-service.


The surgical -r1 revisions do NOT incidentally cover these; they target only the named CVE commits.

== References ==

  • https://www.cve.org/CVERecord?id=CVE-2026-31431
  • https://www.cve.org/CVERecord?id=CVE-2026-43037
  • https://www.cve.org/CVERecord?id=CVE-2026-43038
  • https://www.cve.org/CVERecord?id=CVE-2026-43043
  • https://www.cve.org/CVERecord?id=CVE-2026-23060
  • https://copy.fail/

pf-sources: -r70 curated patch design and tracking commitment

Posted: 2026-05-06 by Ivan S. Titov
You are running a pf-sources -r70 ebuild. This news item explains the -r70 design and the tracking commitment for your branch.

== Design ==

The pf-sources -r70 ebuilds in this overlay track linux-stable via Gentoo's genpatches, with a curated subset of natalenko's pf-kernel patchset on top. CVE-2026-31431 (the "Copy Fail" algif_aead LPE) and other linux-stable-fixed CVEs are picked up via the genpatches stable chain on every -r70 — no separate patch is needed. This is fundamentally different from the unrevisioned and -r1 / -r2 pf-sources ebuilds, which apply natalenko's full patchset to vanilla v6.X.0 with no linux-stable backports.

For each -r70 slot, the curated subset retains pf features that are genuinely additive (BBRv3, x86 ISA-level helpers, zstd library updates, DDCCI / DDCCI-backlight, AMD-pstate enhancements, syscall.tbl additions, mm/include hooks) and drops pf changes that conflict with linux-stable backports or that gentoo-sources has already addressed (kernel/sched core/fair/rt, top-level arch/x86/Kconfig, "minor fixes" already landed in stable).

Each -r70 ebuild's pkg_postinst message lists exactly which pf features are retained on that slot and which are dropped, with reasons.

== Tracking commitment by branch ==

  • Active branches (currently 6.18, 6.19, 7.0) — while natalenko continues to ship pf releases and linux-stable continues to ship point releases, the -r70 is re-cut on each genpatches bump. The curated pf delta usually carries forward; the gentoo-sources base shifts.


  • LTS branches (currently 6.1, 6.6, 6.12) — natalenko has moved on but linux-stable continues for years. The pf delta is frozen at the last pf release for the branch; the -r70 is regenerated against each new genpatches release for the lifetime of upstream's stable maintenance.


  • EOL branches (the 14 non-LTS slots 6.2-6.5, 6.7-6.11, 6.13-6.17) — linux-stable has stopped. The -r70 is frozen at the last genpatches release on that branch. No further updates; future security work happens on a still-active branch.


== References ==

  • Per-slot retained / dropped breakdown: each -r70 ebuild's pkg_postinst message.
  • https://pfkernel.natalenko.name/
  • https://dev.gentoo.org/~alicef/genpatches/

Short one-line title

Posted: 2026-04-23 by Your Name
This is a GLEP 42 news-item template. It is here as a reference for the next real news item this overlay needs to ship. The directory name is `TEMPLATE/` (no YYYY-MM-DD prefix), so `eselect news` and Portage both skip it during news discovery and it never reaches users.

To create a real news item:

1. Copy this directory, renaming it to `YYYY-MM-DD-short-slug/`, e.g. `2026-05-01-gwyddion-2x-dropped/`.
2. Rename `TEMPLATE.en.txt` inside the new directory to match: `2026-05-01-gwyddion-2x-dropped.en.txt`.
3. Update the headers above (Title, Author, Posted).
4. Replace this body prose with the actual announcement.
5. Keep `Revision: 1` on first publication. Increment it only if you edit an item that has already been published.

Header notes:

  • `Display-If-Installed` (optional, repeatable) restricts display to users who have the named package atom installed. Without it, the item shows to every user on sync. Prefer scoping to installed packages when the news is relevant only to some.
  • `Display-If-Keyword: amd64` restricts by architecture.
  • `Display-If-Profile: default/linux/amd64/23.0` restricts by profile.
  • Body lines should wrap at ~70 characters for readability in the default `eselect news read` output.
  • The item is signed by the maintainer's key at push time (same flow as ebuild commits in this overlay) — no in-repo signature is needed.
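As an added example of how the Display-If-* headers above decide who sees an item (written for this page; not Portage's or eselect's code), the Python evaluator below applies the rule Portage uses: within one header type any value may match, every header type present must match, and an item with no Display-If-* header is shown to everyone. Atom matching is reduced to bare category/package and =category/package-version; real Portage accepts full dependency atoms (slots, version ranges), which this example does not model. The sample item, its author address and the host descriptions are constructed; the pf-sources versions and the profile path are the ones named elsewhere on this page.

```python
import re
from collections import defaultdict

# Version suffix of a 'cat/pkg-ver' string (Portage's PV grammar, simplified:
# dotted numbers, optional letter, _alpha/_beta/_pre/_rc/_p suffixes, -rN).
_VERSION_RE = re.compile(
    r"-\d+(?:\.\d+)*[a-z]?(?:_(?:alpha|beta|pre|rc|p)\d*)*(?:-r\d+)?$")


def cpv_base(cpv):
    """'sys-kernel/pf-sources-6.18_p6-r1' -> 'sys-kernel/pf-sources'."""
    return _VERSION_RE.sub("", cpv, count=1)


def parse_headers(item_text):
    """(name, value) pairs from the header block, i.e. everything above the
    first blank line. Repeated Display-If-* headers are all kept."""
    headers = []
    for line in item_text.splitlines():
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def installed_matches(atom, installed_cpvs):
    """Subset of atom matching: '=cat/pkg-ver' is an exact version match;
    a bare 'cat/pkg' matches any installed version of that package."""
    if atom.startswith("="):
        return atom[1:] in installed_cpvs
    return any(cpv_base(cpv) == atom for cpv in installed_cpvs)


def profile_matches(pattern, profile):
    """News-Item-Format 2.0 allows a trailing '/*' to match sub-profiles."""
    if pattern.endswith("/*"):
        return profile.startswith(pattern[:-1])
    return profile == pattern


def is_relevant(item_text, installed_cpvs, accept_keywords, profile):
    """OR within a header type, AND across types, unconditional if none."""
    by_type = defaultdict(list)
    for name, value in parse_headers(item_text):
        if name.startswith("Display-If-"):
            by_type[name].append(value)
    if not by_type:
        return True
    checks = {
        "Display-If-Installed": lambda v: installed_matches(v, installed_cpvs),
        "Display-If-Keyword": lambda v: v in accept_keywords,
        "Display-If-Profile": lambda v: profile_matches(v, profile),
    }
    for name, values in by_type.items():
        check = checks.get(name)
        if check is None or not any(check(v) for v in values):
            return False  # unknown restriction type: fail closed, show nothing
    return True


# Constructed sample item scoped to two GA-only pf-sources cohorts.
SAMPLE_ITEM = """\
Title: pf-sources: GA-only ebuilds entering last-rites (constructed sample)
Author: Example Maintainer <maintainer@example.invalid>
Posted: 2026-05-06
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: =sys-kernel/pf-sources-6.18_p6
Display-If-Installed: =sys-kernel/pf-sources-6.19_p5
Display-If-Keyword: amd64

Body text would follow here.
"""

# Constructed hosts: (installed cpvs, ACCEPT_KEYWORDS, profile path).
HOSTS = {
    "ga_only_amd64": (["sys-kernel/pf-sources-6.18_p6", "sys-libs/zlib-1.3.1"],
                      ["amd64"], "default/linux/amd64/23.0"),
    "r1_cohort": (["sys-kernel/pf-sources-6.18_p6-r1"],
                  ["amd64"], "default/linux/amd64/23.0"),
    "ga_only_arm64": (["sys-kernel/pf-sources-6.19_p5"],
                      ["~arm64"], "default/linux/arm64/23.0"),
    "no_pf_sources": (["sys-libs/zlib-1.3.1"],
                      ["amd64"], "default/linux/amd64/23.0"),
}


def demo():
    """Which constructed hosts would see the sample item on sync?"""
    return {host: is_relevant(SAMPLE_ITEM, *facts) for host, facts in HOSTS.items()}


if __name__ == "__main__":
    for host, shown in demo().items():
        print("%-15s %s" % (host, "shown" if shown else "hidden"))
```

Two of the hidden cases are the ones to keep in mind when scoping an item: the -r1 host is hidden because an `=` atom is an exact version match, so a cohort item for -r1 users needs its own Display-If-Installed lines; the arm64 host is hidden even though its installed version matches, because Display-If-Keyword is a separate header type and all types present must match.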


Reference:

  • GLEP 42: https://www.gentoo.org/glep/glep-0042.html
  • eselect news: `man eselect-news`


Remove this whole template body and the placeholder headers before publishing.
