commit:     06c2355e8eca30994fa0416793e2e04efd652c41
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 26 21:36:27 2017 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Thu Oct 26 21:36:45 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=06c2355e

sys-apps/systemd: backport fix for CVE-2017-15908

Bug: https://bugs.gentoo.org/635514
Package-Manager: Portage-2.3.11_p4, Repoman-2.3.3_p62

 sys-apps/systemd/files/CVE-2017-15908.patch        |  39 +++
 .../{systemd-235.ebuild => systemd-233-r5.ebuild}  | 313 +++++++++++----------
 .../{systemd-235.ebuild => systemd-235-r1.ebuild}  |   1 +
 3 files changed, 204 insertions(+), 149 deletions(-)

diff --git a/sys-apps/systemd/files/CVE-2017-15908.patch 
b/sys-apps/systemd/files/CVE-2017-15908.patch
new file mode 100644
index 00000000000..08e5e37514c
--- /dev/null
+++ b/sys-apps/systemd/files/CVE-2017-15908.patch
@@ -0,0 +1,39 @@
+From 9f939335a07085aa9a9663efd1dca06ef6405d62 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <[email protected]>
+Date: Wed, 25 Oct 2017 11:19:19 +0200
+Subject: [PATCH] resolved: fix loop on packets with pseudo dns types
+
+Reported by Karim Hossen & Thomas Imbert from Sogeti ESEC R&D.
+
+https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1725351
+---
+ src/resolve/resolved-dns-packet.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-packet.c 
b/src/resolve/resolved-dns-packet.c
+index e2f227bfc..35f4d0689 100644
+--- a/src/resolve/resolved-dns-packet.c
++++ b/src/resolve/resolved-dns-packet.c
+@@ -1514,7 +1514,7 @@ static int dns_packet_read_type_window(DnsPacket *p, 
Bitmap **types, size_t *sta
+ 
+                 found = true;
+ 
+-                while (bitmask) {
++                for (; bitmask; bit++, bitmask >>= 1)
+                         if (bitmap[i] & bitmask) {
+                                 uint16_t n;
+ 
+@@ -1528,10 +1528,6 @@ static int dns_packet_read_type_window(DnsPacket *p, 
Bitmap **types, size_t *sta
+                                 if (r < 0)
+                                         return r;
+                         }
+-
+-                        bit++;
+-                        bitmask >>= 1;
+-                }
+         }
+ 
+         if (!found)
+-- 
+2.15.0.rc2
+

diff --git a/sys-apps/systemd/systemd-235.ebuild 
b/sys-apps/systemd/systemd-233-r5.ebuild
similarity index 59%
copy from sys-apps/systemd/systemd-235.ebuild
copy to sys-apps/systemd/systemd-233-r5.ebuild
index 6fe34a0809b..bce73fafb4f 100644
--- a/sys-apps/systemd/systemd-235.ebuild
+++ b/sys-apps/systemd/systemd-233-r5.ebuild
@@ -7,28 +7,29 @@ if [[ ${PV} == 9999 ]]; then
        EGIT_REPO_URI="https://github.com/systemd/systemd.git";
        inherit git-r3
 else
-       SRC_URI="https://github.com/systemd/systemd/archive/v${PV}.tar.gz -> 
${P}.tar.gz"
-       KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~x86"
+       SRC_URI="https://github.com/systemd/systemd/archive/v${PV}.tar.gz -> 
${P}.tar.gz
+               !doc? ( https://dev.gentoo.org/~floppym/dist/${P}-man.tar.gz )"
+       KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~sparc ~x86"
 fi
 
 PYTHON_COMPAT=( python{3_4,3_5,3_6} )
 
-inherit bash-completion-r1 linux-info meson multilib-minimal ninja-utils pam 
python-any-r1 systemd toolchain-funcs udev user
+inherit autotools bash-completion-r1 linux-info multilib-minimal pam 
python-any-r1 systemd toolchain-funcs udev user
 
 DESCRIPTION="System and service manager for Linux"
 HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd";
 
 LICENSE="GPL-2 LGPL-2.1 MIT public-domain"
 SLOT="0/2"
-IUSE="acl apparmor audit build cryptsetup curl elfutils +gcrypt gnuefi http
-       idn importd +kmod libidn2 +lz4 lzma nat pam policykit
+IUSE="acl apparmor audit build cryptsetup curl doc elfutils +gcrypt gnuefi http
+       idn importd +kmod +lz4 lzma nat pam policykit
        qrcode +seccomp selinux ssl sysv-utils test vanilla xkb"
 
 REQUIRED_USE="importd? ( curl gcrypt lzma )"
 
 MINKV="3.11"
 
-COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}]
+COMMON_DEPEND=">=sys-apps/util-linux-2.27.1:0=[${MULTILIB_USEDEP}]
        sys-libs/libcap:0=[${MULTILIB_USEDEP}]
        !<sys-libs/glibc-2.16
        acl? ( sys-apps/acl:0= )
@@ -42,10 +43,7 @@ 
COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}]
                >=net-libs/libmicrohttpd-0.9.33:0=
                ssl? ( >=net-libs/gnutls-3.1.4:0= )
        )
-       idn? (
-               libidn2? ( net-dns/libidn2 )
-               !libidn2? ( net-dns/libidn )
-       )
+       idn? ( net-dns/libidn:0= )
        importd? (
                app-arch/bzip2:0=
                sys-libs/zlib:0=
@@ -100,9 +98,13 @@ DEPEND="${COMMON_DEPEND}
        app-text/docbook-xml-dtd:4.5
        app-text/docbook-xsl-stylesheets
        dev-libs/libxslt:0
-       $(python_gen_any_dep 'dev-python/lxml[${PYTHON_USEDEP}]')
+       doc? ( $(python_gen_any_dep 'dev-python/lxml[${PYTHON_USEDEP}]') )
 "
 
+python_check_deps() {
+       has_version --host-root "dev-python/lxml[${PYTHON_USEDEP}]"
+}
+
 pkg_pretend() {
        if [[ ${MERGE_TYPE} != buildonly ]]; then
                local CONFIG_CHECK="~AUTOFS4_FS ~BLK_DEV_BSG ~CGROUPS
@@ -147,9 +149,16 @@ src_unpack() {
 }
 
 src_prepare() {
+       # Bug 463376
+       sed -i -e 's/GROUP="dialout"/GROUP="uucp"/' rules/*.rules || die
+
        local PATCHES=(
-               
"${FILESDIR}"/235-0001-test-skip-hwdb-and-sysv-generator-if-the-features-ar.patch
-               
"${FILESDIR}"/235-0002-networkd-Don-t-stop-networkd-if-CONFIG_FIB_RULES-n-i.patch
+               
"${FILESDIR}/233-0001-Avoid-strict-DM-interface-version-dependencies-5519.patch"
+               "${FILESDIR}/233-CVE-2017-9445.patch"
+               "${FILESDIR}/233-format-warnings.patch"
+               
"${FILESDIR}/233-0002-core-load-fragment-refuse-units-with-errors-in-RootD.patch"
+               
"${FILESDIR}/233-0003-core-load-fragment-refuse-units-with-errors-in-certa.patch"
+               "${FILESDIR}/CVE-2017-15908.patch"
        )
 
        if ! use vanilla; then
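Review bot: The new `"${FILESDIR}/CVE-2017-15908.patch"` entry in the PATCHES array gives no hint of what it fixes beyond its filename, and the other backports in the list (`233-CVE-2017-9445.patch`, the two load-fragment patches) are equally silent; a short comment tying the security backport to its tracking bug makes it much safer for a later maintainer to prune the list. I'd put `# CVE-2017-15908, bug 635514: resolved loop on packets with pseudo dns types` directly above the entry. The same comment belongs on the matching line added to systemd-235-r1.ebuild further down in this commit. src_prepare starts and ends outside this hunk.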
@@ -157,159 +166,189 @@ src_prepare() {
                        "${FILESDIR}/218-Dont-enable-audit-by-default.patch"
                        "${FILESDIR}/228-noclean-tmp.patch"
                        "${FILESDIR}/233-systemd-user-pam.patch"
-                       "${FILESDIR}/234-uucp-group.patch"
-                       "${FILESDIR}/generator-path.patch"
                )
        fi
 
        [[ -d "${WORKDIR}"/patches ]] && PATCHES+=( "${WORKDIR}"/patches )
 
        default
+
+       eautoreconf
 }
 
 src_configure() {
+       # Keep using the one where the rules were installed.
+       MY_UDEVDIR=$(get_udevdir)
+       # Fix systems broken by bug #509454.
+       [[ ${MY_UDEVDIR} ]] || MY_UDEVDIR=/lib/udev
+
        # Prevent conflicts with i686 cross toolchain, bug 559726
        tc-export AR CC NM OBJCOPY RANLIB
 
-       python_setup
+       use doc && python_setup
 
        multilib-minimal_src_configure
 }
 
-meson_use() {
-       usex "$1" true false
-}
-
-meson_multilib() {
-       if multilib_is_native_abi; then
-               echo true
-       else
-               echo false
-       fi
-}
-
-meson_multilib_native_use() {
-       if multilib_is_native_abi && use "$1"; then
-               echo true
-       else
-               echo false
-       fi
-}
-
 multilib_src_configure() {
-       local myconf=(
-               --localstatedir="${EPREFIX}/var"
-               -Dpamlibdir="$(getpam_mod_dir)"
+       local myeconfargs=(
+               # disable -flto since it is an optimization flag
+               # and makes distcc less effective
+               cc_cv_CFLAGS__flto=no
+               # disable -fuse-ld=gold since Gentoo supports explicit linker
+               # choice and forcing gold is undesired, #539998
+               # ld.gold may collide with user's LDFLAGS, #545168
+               # ld.gold breaks sparc, #573874
+               cc_cv_LDFLAGS__Wl__fuse_ld_gold=no
+
+               # Workaround for gcc-4.7, bug 554454.
+               cc_cv_CFLAGS__Werror_shadow=no
+
+               # Workaround for bug 516346
+               --enable-dependency-tracking
+
+               --disable-maintainer-mode
+               --localstatedir=/var
+               --with-pamlibdir=$(getpam_mod_dir)
                # avoid bash-completion dep
-               -Dbashcompletiondir="$(get_bashcompdir)"
+               --with-bashcompletiondir="$(get_bashcompdir)"
                # make sure we get /bin:/sbin in $PATH
-               -Dsplit-usr=true
-               -Drootprefix="${EPREFIX}${ROOTPREFIX}"
-               -Dsysvinit-path=
-               -Dsysvrcnd-path=
+               --enable-split-usr
+               # For testing.
+               --with-rootprefix="${ROOTPREFIX-/usr}"
+               --with-rootlibdir="${ROOTPREFIX-/usr}/$(get_libdir)"
+               # disable sysv compatibility
+               --with-sysvinit-path=
+               --with-sysvrcnd-path=
                # no deps
-               -Defi=$(meson_multilib)
-               -Dima=true
+               --enable-efi
+               --enable-ima
+
                # Optional components/dependencies
-               -Dacl=$(meson_multilib_native_use acl)
-               -Dapparmor=$(meson_multilib_native_use apparmor)
-               -Daudit=$(meson_multilib_native_use audit)
-               -Dlibcryptsetup=$(meson_multilib_native_use cryptsetup)
-               -Dlibcurl=$(meson_multilib_native_use curl)
-               -Delfutils=$(meson_multilib_native_use elfutils)
-               -Dgcrypt=$(meson_use gcrypt)
-               -Dgnu-efi=$(meson_multilib_native_use gnuefi)
-               -Defi-libdir="/usr/$(get_libdir)"
-               -Dmicrohttpd=$(meson_multilib_native_use http)
-               $(usex http -Dgnutls=$(meson_multilib_native_use ssl) 
-Dgnutls=false)
-               -Dimportd=$(meson_multilib_native_use importd)
-               -Dbzip2=$(meson_multilib_native_use importd)
-               -Dzlib=$(meson_multilib_native_use importd)
-               -Dkmod=$(meson_multilib_native_use kmod)
-               -Dlz4=$(meson_use lz4)
-               -Dxz=$(meson_use lzma)
-               -Dlibiptc=$(meson_multilib_native_use nat)
-               -Dpam=$(meson_use pam)
-               -Dpolkit=$(meson_multilib_native_use policykit)
-               -Dqrencode=$(meson_multilib_native_use qrcode)
-               -Dseccomp=$(meson_multilib_native_use seccomp)
-               -Dselinux=$(meson_multilib_native_use selinux)
-               #-Dtests=$(meson_multilib_native_use test)
-               -Ddbus=$(meson_multilib_native_use test)
-               -Dxkbcommon=$(meson_multilib_native_use xkb)
+               $(multilib_native_use_enable acl)
+               $(multilib_native_use_enable apparmor)
+               $(multilib_native_use_enable audit)
+               $(multilib_native_use_enable cryptsetup libcryptsetup)
+               $(multilib_native_use_enable curl libcurl)
+               $(multilib_native_use_enable elfutils)
+               $(use_enable gcrypt)
+               $(multilib_native_use_enable gnuefi)
+               --with-efi-libdir="/usr/$(get_libdir)"
+               $(multilib_native_use_enable http microhttpd)
+               $(usex http $(multilib_native_use_enable ssl gnutls) 
--disable-gnutls)
+               $(multilib_native_use_enable idn libidn)
+               $(multilib_native_use_enable importd)
+               $(multilib_native_use_enable importd bzip2)
+               $(multilib_native_use_enable importd zlib)
+               $(multilib_native_use_enable kmod)
+               $(use_enable lz4)
+               $(use_enable lzma xz)
+               $(multilib_native_use_enable nat libiptc)
+               $(use_enable pam)
+               $(multilib_native_use_enable policykit polkit)
+               $(multilib_native_use_enable qrcode qrencode)
+               $(multilib_native_use_enable seccomp)
+               $(multilib_native_use_enable selinux)
+               $(multilib_native_use_enable test tests)
+               $(multilib_native_use_enable test dbus)
+               $(multilib_native_use_enable xkb xkbcommon)
+               $(multilib_native_use_with doc python)
+
                # hardcode a few paths to spare some deps
-               -Dpath-kill=/bin/kill
-               -Dntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 
2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org"
+               KILL=/bin/kill
+               QUOTAON=/usr/sbin/quotaon
+               QUOTACHECK=/usr/sbin/quotacheck
+
+               # TODO: we may need to restrict this to gcc
+               EFI_CC="$(tc-getCC)"
+
+               # dbus paths
+               --with-dbuspolicydir="${EPREFIX}/etc/dbus-1/system.d"
+               
--with-dbussessionservicedir="${EPREFIX}/usr/share/dbus-1/services"
+               
--with-dbussystemservicedir="${EPREFIX}/usr/share/dbus-1/system-services"
+
+               --with-ntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 
2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org"
+
                # Breaks screen, tmux, etc.
-               -Ddefault-kill-user-processes=false
-
-               # multilib options
-               -Dbacklight=$(meson_multilib)
-               -Dbinfmt=$(meson_multilib)
-               -Dcoredump=$(meson_multilib)
-               -Denvironment-d=$(meson_multilib)
-               -Dfirstboot=$(meson_multilib)
-               -Dhibernate=$(meson_multilib)
-               -Dhostnamed=$(meson_multilib)
-               -Dhwdb=$(meson_multilib)
-               -Dldconfig=$(meson_multilib)
-               -Dlocaled=$(meson_multilib)
-               -Dman=$(meson_multilib)
-               -Dnetworkd=$(meson_multilib)
-               -Dquotacheck=$(meson_multilib)
-               -Drandomseed=$(meson_multilib)
-               -Drfkill=$(meson_multilib)
-               -Dsysusers=$(meson_multilib)
-               -Dtimedated=$(meson_multilib)
-               -Dtimesyncd=$(meson_multilib)
-               -Dtmpfiles=$(meson_multilib)
-               -Dvconsole=$(meson_multilib)
+               --without-kill-user-processes
        )
 
-       if multilib_is_native_abi && use idn; then
-               myconf+=(
-                       -Dlibidn2=$(usex libidn2 true false)
-                       -Dlibidn=$(usex libidn2 false true)
-               )
-       else
-               myconf+=(
-                       -Dlibidn2=false
-                       -Dlibidn=false
-               )
-       fi
+       # Work around bug 463846.
+       tc-export CC
 
-       meson_src_configure "${myconf[@]}"
+       ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
 }
 
 multilib_src_compile() {
-       eninja
+       local mymakeopts=(
+               udevlibexecdir="${MY_UDEVDIR}"
+       )
+
+       if multilib_is_native_abi; then
+               emake "${mymakeopts[@]}"
+       else
+               emake built-sources
+               local targets=(
+                       '$(rootlib_LTLIBRARIES)'
+                       '$(lib_LTLIBRARIES)'
+                       '$(pamlib_LTLIBRARIES)'
+                       '$(pkgconfiglib_DATA)'
+               )
+               echo "gentoo: ${targets[*]}" | emake "${mymakeopts[@]}" -f 
Makefile -f - gentoo
+       fi
 }
 
 multilib_src_test() {
-       eninja test
+       multilib_is_native_abi || return 0
+       default
 }
 
 multilib_src_install() {
-       DESTDIR="${D}" eninja install
+       local mymakeopts=(
+               # automake fails with parallel libtool relinking
+               # https://bugs.gentoo.org/show_bug.cgi?id=491398
+               -j1
+
+               udevlibexecdir="${MY_UDEVDIR}"
+               dist_udevhwdb_DATA=
+               DESTDIR="${D}"
+       )
+
+       if multilib_is_native_abi; then
+               emake "${mymakeopts[@]}" install
+       else
+               mymakeopts+=(
+                       install-rootlibLTLIBRARIES
+                       install-libLTLIBRARIES
+                       install-pamlibLTLIBRARIES
+                       install-pkgconfiglibDATA
+                       install-includeHEADERS
+                       install-pkgincludeHEADERS
+               )
+
+               emake "${mymakeopts[@]}"
+       fi
 }
 
 multilib_src_install_all() {
-       # meson doesn't know about docdir
-       mv "${ED%/}"/usr/share/doc/{systemd,${PF}} || die
-
+       prune_libtool_files --modules
        einstalldocs
        dodoc "${FILESDIR}"/nsswitch.conf
 
+       if [[ ${PV} != 9999 ]]; then
+               use doc || doman "${WORKDIR}"/man/systemd.{directives,index}.7
+       fi
+
        if use sysv-utils; then
                for app in halt poweroff reboot runlevel shutdown telinit; do
-                       dosym "${EPREFIX}${ROOTPREFIX%/}/bin/systemctl" 
/sbin/${app}
+                       dosym "..${ROOTPREFIX-/usr}/bin/systemctl" /sbin/${app}
                done
-               dosym "${EPREFIX}${ROOTPREFIX%/}/lib/systemd/systemd" /sbin/init
+               dosym "..${ROOTPREFIX-/usr}/lib/systemd/systemd" /sbin/init
        else
                # we just keep sysvinit tools, so no need for the mans
-               rm 
"${ED%/}"/usr/share/man/man8/{halt,poweroff,reboot,runlevel,shutdown,telinit}.8 
\
+               rm 
"${D}"/usr/share/man/man8/{halt,poweroff,reboot,runlevel,shutdown,telinit}.8 \
                        || die
-               rm "${ED%/}"/usr/share/man/man1/init.1 || die
+               rm "${D}"/usr/share/man/man1/init.1 || die
        fi
 
        # Preserve empty dirs in /etc & /var, bug #437008
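Review bot: In multilib_src_configure the entry `--with-pamlibdir=$(getpam_mod_dir)` is the only path argument in myeconfargs whose command substitution is unquoted, while `--with-bashcompletiondir="$(get_bashcompdir)"` two lines below is quoted; an unquoted substitution inside an array literal is still subject to word splitting and globbing. Quote it for consistency: `--with-pamlibdir="$(getpam_mod_dir)"`. Most of this hunk appears to be the autotools-era 233 configure and install logic carried over from the previous revision rather than written for this commit (the diff is rendered against the 235 ebuild because of git's copy detection), so this is a style nit rather than a regression.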
@@ -322,21 +361,11 @@ multilib_src_install_all() {
 
        # If we install these symlinks, there is no way for the sysadmin to 
remove them
        # permanently.
-       rm -f 
"${ED%/}"/etc/systemd/system/multi-user.target.wants/systemd-networkd.service 
|| die
-       rm -f 
"${ED%/}"/etc/systemd/system/dbus-org.freedesktop.network1.service || die
-       rm -f 
"${ED%/}"/etc/systemd/system/multi-user.target.wants/systemd-resolved.service 
|| die
-       rm -f 
"${ED%/}"/etc/systemd/system/dbus-org.freedesktop.resolve1.service || die
-       rm -fr "${ED%/}"/etc/systemd/system/network-online.target.wants || die
-       rm -fr "${ED%/}"/etc/systemd/system/sockets.target.wants || die
-       rm -fr "${ED%/}"/etc/systemd/system/sysinit.target.wants || die
-
-       rm -r "${ED%/}${ROOTPREFIX%/}/lib/udev/hwdb.d" || die
-
-       if [[ ! -e "${ED%/}"/usr/lib/systemd/systemd ]]; then
-               # Avoid breaking boot/reboot
-               dosym "../../..${ROOTPREFIX%/}/lib/systemd/systemd" 
/usr/lib/systemd/systemd
-               dosym "../../..${ROOTPREFIX%/}/lib/systemd/systemd-shutdown" 
/usr/lib/systemd/systemd-shutdown
-       fi
+       rm 
"${D}"/etc/systemd/system/multi-user.target.wants/systemd-networkd.service || 
die
+       rm -f 
"${D}"/etc/systemd/system/multi-user.target.wants/systemd-resolved.service || 
die
+       rm -r "${D}"/etc/systemd/system/network-online.target.wants || die
+       rm -r "${D}"/etc/systemd/system/sockets.target.wants || die
+       rm -r "${D}"/etc/systemd/system/sysinit.target.wants || die
 }
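Review bot: In multilib_src_install_all the first cleanup line, `rm "${D}"/etc/systemd/system/multi-user.target.wants/systemd-networkd.service || die`, has no `-f`, while the systemd-resolved line directly after it uses `rm -f`; as written, the install dies if upstream's `make install` stops creating the networkd symlink, yet a missing resolved symlink is tolerated. Either both should be forced or neither; I'd use `rm -f "${D}"/etc/systemd/system/multi-user.target.wants/systemd-networkd.service || die` to match the following line and the 235 ebuild's form. multilib_src_install_all starts outside this hunk.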
 
 migrate_locale() {
@@ -383,19 +412,6 @@ migrate_locale() {
        fi
 }
 
-pkg_preinst() {
-       # If /lib/systemd and /usr/lib/systemd are the same directory, remove 
the
-       # symlinks we created in src_install.
-       if [[ $(realpath "${EROOT%/}${ROOTPREFIX}/lib/systemd") == $(realpath 
"${EROOT%/}/usr/lib/systemd") ]]; then
-               if [[ -L ${ED%/}/usr/lib/systemd/systemd ]]; then
-                       rm "${ED%/}/usr/lib/systemd/systemd" || die
-               fi
-               if [[ -L ${ED%/}/usr/lib/systemd/systemd-shutdown ]]; then
-                       rm "${ED%/}/usr/lib/systemd/systemd-shutdown" || die
-               fi
-       fi
-}
-
 pkg_postinst() {
        newusergroup() {
                enewgroup "$1"
@@ -403,7 +419,6 @@ pkg_postinst() {
        }
 
        enewgroup input
-       enewgroup kvm 78
        enewgroup systemd-journal
        newusergroup systemd-bus-proxy
        newusergroup systemd-coredump
@@ -419,7 +434,7 @@ pkg_postinst() {
        # Keep this here in case the database format changes so it gets updated
        # when required. Despite that this file is owned by sys-apps/hwids.
        if has_version "sys-apps/hwids[udev]"; then
-               udevadm hwdb --update --root="${EROOT%/}"
+               udevadm hwdb --update --root="${ROOT%/}"
        fi
 
        udev_reload || FAIL=1

diff --git a/sys-apps/systemd/systemd-235.ebuild 
b/sys-apps/systemd/systemd-235-r1.ebuild
similarity index 99%
rename from sys-apps/systemd/systemd-235.ebuild
rename to sys-apps/systemd/systemd-235-r1.ebuild
index 6fe34a0809b..2bb192a49e2 100644
--- a/sys-apps/systemd/systemd-235.ebuild
+++ b/sys-apps/systemd/systemd-235-r1.ebuild
@@ -150,6 +150,7 @@ src_prepare() {
        local PATCHES=(
                
"${FILESDIR}"/235-0001-test-skip-hwdb-and-sysv-generator-if-the-features-ar.patch
                
"${FILESDIR}"/235-0002-networkd-Don-t-stop-networkd-if-CONFIG_FIB_RULES-n-i.patch
+               "${FILESDIR}/CVE-2017-15908.patch"
        )
 
        if ! use vanilla; then
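Review bot: The added `"${FILESDIR}/CVE-2017-15908.patch"` quotes the whole path, while the two entries above it use the `"${FILESDIR}"/235-....patch` form; mixing both quoting styles inside one array is a style inconsistency. Write it as `"${FILESDIR}"/CVE-2017-15908.patch` to match its neighbours. src_prepare starts and ends outside this hunk.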
