commit: 5d54665bac2e0881b4d22cf48632fd0412623565 Author: Mike Gilbert <floppym <AT> gentoo <DOT> org> AuthorDate: Tue Sep 3 15:26:42 2019 +0000 Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org> CommitDate: Tue Sep 3 15:26:42 2019 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d54665b
sys-apps/systemd: add patch for CVE-2019-15718
Bug: https://bugs.gentoo.org/693156
Package-Manager: Portage-2.3.73_p4, Repoman-2.3.17_p24
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
 sys-apps/systemd/files/CVE-2019-15718.patch | 31 ++++++++++++++++++++
 ...ystemd-243_rc2.ebuild => systemd-242-r7.ebuild} | 33 ++++++++++++++++++----
 ...md-243_rc2.ebuild => systemd-243_rc2-r1.ebuild} | 1 +
 3 files changed, 59 insertions(+), 6 deletions(-)
diff --git a/sys-apps/systemd/files/CVE-2019-15718.patch b/sys-apps/systemd/files/CVE-2019-15718.patch
new file mode 100644
index 00000000000..8186f7096f8
--- /dev/null
+++ b/sys-apps/systemd/files/CVE-2019-15718.patch
@@ -0,0 +1,31 @@
+From 35e528018f315798d3bffcb592b32a0d8f5162bd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbys...@in.waw.pl>
+Date: Tue, 27 Aug 2019 19:00:34 +0200
+Subject: [PATCH] shared/but-util: drop trusted annotation from
+ bus_open_system_watch_bind_with_description()
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1746057
+
+This only affects systemd-resolved. bus_open_system_watch_bind_with_description()
+is also used in timesyncd, but it has no methods, only read-only properties, and
+in networkd, but it annotates all methods with SD_BUS_VTABLE_UNPRIVILEGED and does
+polkit checks.
+---
+ src/shared/bus-util.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c
+index 6af115e7aa..821339d4ae 100644
+--- a/src/shared/bus-util.c
++++ b/src/shared/bus-util.c
+@@ -1705,10 +1705,6 @@ int bus_open_system_watch_bind_with_description(sd_bus **ret, const char *descri
+ if (r < 0)
+ return r;
+
+- r = sd_bus_set_trusted(bus, true);
+- if (r < 0)
+- return r;
+-
+ r = sd_bus_negotiate_creds(bus, true, SD_BUS_CREDS_UID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CAPS);
+ if (r < 0)
+ return r;
diff --git a/sys-apps/systemd/systemd-243_rc2.ebuild b/sys-apps/systemd/systemd-242-r7.ebuild
similarity index 93%
copy from sys-apps/systemd/systemd-243_rc2.ebuild
copy to sys-apps/systemd/systemd-242-r7.ebuild
index f00c416fa38..da5e7533d89 100644
--- a/sys-apps/systemd/systemd-243_rc2.ebuild
+++ b/sys-apps/systemd/systemd-242-r7.ebuild
@@ -23,7 +23,7 @@ HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd"
 LICENSE="GPL-2 LGPL-2.1 MIT public-domain"
 SLOT="0/2"
-IUSE="acl apparmor audit build cgroup-hybrid cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi http idn importd +kmod +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux split-usr +sysv-utils test vanilla xkb"
+IUSE="acl apparmor audit build cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi http idn importd +kmod libidn2 +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux split-usr +sysv-utils test vanilla xkb"
 REQUIRED_USE="importd? ( curl gcrypt lzma )"
 RESTRICT="!test? ( test )"
@@ -45,7 +45,10 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}]
 >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)]
 >=net-libs/gnutls-3.1.4:0=
 )
- idn? ( net-dns/libidn2:= )
+ idn? (
+ libidn2? ( net-dns/libidn2:= )
+ !libidn2? ( net-dns/libidn:= )
+ )
 importd? (
 app-arch/bzip2:0=
 sys-libs/zlib:0=
@@ -185,6 +188,14 @@ src_prepare() {
 # Add local patches here
 PATCHES+=(
+ "${FILESDIR}"/242-gcc-9.patch
+ "${FILESDIR}"/242-socket-util-flush-accept.patch
+ "${FILESDIR}"/242-wireguard-listenport.patch
+ "${FILESDIR}"/242-file-max.patch
+ "${FILESDIR}"/242-rdrand-ryzen.patch
+ "${FILESDIR}"/242-networkd-ipv6-token.patch
+ "${FILESDIR}"/242-network-domains.patch
+ "${FILESDIR}"/CVE-2019-15718.patch
 )
 if ! use vanilla; then
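Review bot: The `"${FILESDIR}"/CVE-2019-15718.patch` entry appended to PATCHES carries no pointer to the bug or to the upstream commit it backports, so nothing in the ebuild itself says when the patch can be dropped at the next bump; the one-line hunk in systemd-243_rc2-r1.ebuild has the same gap. In both ebuilds I would write `"${FILESDIR}"/CVE-2019-15718.patch # bug 693156, upstream 35e52801` so the provenance survives outside the commit message. The patch removes the `sd_bus_set_trusted(bus, true)` call from bus_open_system_watch_bind_with_description(), which by its own description is what matters for systemd-resolved, and since the entry sits ahead of the `if ! use vanilla` block it is applied with USE=vanilla as well, which is the right placement for a security fix. src_prepare() begins before this hunk and continues past it.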
@@ -244,7 +255,6 @@ multilib_src_configure() {
 # no deps
 -Defi=$(meson_multilib)
 -Dima=true
- -Ddefault-hierarchy=$(usex cgroup-hybrid hybrid unified)
 # Optional components/dependencies
 -Dacl=$(meson_multilib_native_use acl)
 -Dapparmor=$(meson_multilib_native_use apparmor)
@@ -257,7 +267,6 @@ multilib_src_configure() {
 -Dgnu-efi=$(meson_multilib_native_use gnuefi)
 -Defi-libdir="${ESYSROOT}/usr/$(get_libdir)"
 -Dmicrohttpd=$(meson_multilib_native_use http)
- -Didn=$(meson_multilib_native_use idn)
 -Dimportd=$(meson_multilib_native_use importd)
 -Dbzip2=$(meson_multilib_native_use importd)
 -Dzlib=$(meson_multilib_native_use importd)
@@ -301,6 +310,18 @@ multilib_src_configure() {
 -Dvconsole=$(meson_multilib)
 )
+ if multilib_is_native_abi && use idn; then
+ myconf+=(
+ -Dlibidn2=$(usex libidn2 true false)
+ -Dlibidn=$(usex libidn2 false true)
+ )
+ else
+ myconf+=(
+ -Dlibidn2=false
+ -Dlibidn=false
+ )
+ fi
+
 meson_src_configure "${myconf[@]}"
 }
@@ -310,7 +331,7 @@ multilib_src_compile() {
 multilib_src_test() {
 unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR
- meson_src_test
+ eninja test
 }
 multilib_src_install() {
@@ -343,7 +364,7 @@ multilib_src_install_all() {
 # Preserve empty dirs in /etc & /var, bug #437008
 keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d}
 keepdir /etc/kernel/install.d
- keepdir /etc/systemd/{network,system,user}
+ keepdir /etc/systemd/{network,user}
 keepdir /etc/udev/{hwdb.d,rules.d}
 keepdir "${rootprefix}"/lib/systemd/{system-sleep,system-shutdown}
 keepdir /usr/lib/{binfmt.d,modules-load.d}
diff --git a/sys-apps/systemd/systemd-243_rc2.ebuild b/sys-apps/systemd/systemd-243_rc2-r1.ebuild
similarity index 99%
rename from sys-apps/systemd/systemd-243_rc2.ebuild
rename to sys-apps/systemd/systemd-243_rc2-r1.ebuild
index f00c416fa38..56cfe509a08 100644
--- a/sys-apps/systemd/systemd-243_rc2.ebuild
+++ b/sys-apps/systemd/systemd-243_rc2-r1.ebuild
@@ -185,6 +185,7 @@ src_prepare() {
 # Add local patches here
 PATCHES+=(
+ "${FILESDIR}"/CVE-2019-15718.patch
 )
 if ! use vanilla; then