commit:     5d54665bac2e0881b4d22cf48632fd0412623565
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Tue Sep  3 15:26:42 2019 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Tue Sep  3 15:26:42 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d54665b

sys-apps/systemd: add patch for CVE-2019-15718

Bug: https://bugs.gentoo.org/693156
Package-Manager: Portage-2.3.73_p4, Repoman-2.3.17_p24
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 sys-apps/systemd/files/CVE-2019-15718.patch        | 31 ++++++++++++++++++++
 ...ystemd-243_rc2.ebuild => systemd-242-r7.ebuild} | 33 ++++++++++++++++++----
 ...md-243_rc2.ebuild => systemd-243_rc2-r1.ebuild} |  1 +
 3 files changed, 59 insertions(+), 6 deletions(-)

diff --git a/sys-apps/systemd/files/CVE-2019-15718.patch 
b/sys-apps/systemd/files/CVE-2019-15718.patch
new file mode 100644
index 00000000000..8186f7096f8
--- /dev/null
+++ b/sys-apps/systemd/files/CVE-2019-15718.patch
@@ -0,0 +1,31 @@
+From 35e528018f315798d3bffcb592b32a0d8f5162bd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbys...@in.waw.pl>
+Date: Tue, 27 Aug 2019 19:00:34 +0200
+Subject: [PATCH] shared/but-util: drop trusted annotation from
+ bus_open_system_watch_bind_with_description()
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1746057
+
+This only affects systemd-resolved. 
bus_open_system_watch_bind_with_description()
+is also used in timesyncd, but it has no methods, only read-only properties, 
and
+in networkd, but it annotates all methods with SD_BUS_VTABLE_UNPRIVILEGED and 
does
+polkit checks.
+---
+ src/shared/bus-util.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c
+index 6af115e7aa..821339d4ae 100644
+--- a/src/shared/bus-util.c
++++ b/src/shared/bus-util.c
+@@ -1705,10 +1705,6 @@ int bus_open_system_watch_bind_with_description(sd_bus 
**ret, const char *descri
+         if (r < 0)
+                 return r;
+ 
+-        r = sd_bus_set_trusted(bus, true);
+-        if (r < 0)
+-                return r;
+-
+         r = sd_bus_negotiate_creds(bus, true, 
SD_BUS_CREDS_UID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CAPS);
+         if (r < 0)
+                 return r;

diff --git a/sys-apps/systemd/systemd-243_rc2.ebuild 
b/sys-apps/systemd/systemd-242-r7.ebuild
similarity index 93%
copy from sys-apps/systemd/systemd-243_rc2.ebuild
copy to sys-apps/systemd/systemd-242-r7.ebuild
index f00c416fa38..da5e7533d89 100644
--- a/sys-apps/systemd/systemd-243_rc2.ebuild
+++ b/sys-apps/systemd/systemd-242-r7.ebuild
@@ -23,7 +23,7 @@ HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd";
 
 LICENSE="GPL-2 LGPL-2.1 MIT public-domain"
 SLOT="0/2"
-IUSE="acl apparmor audit build cgroup-hybrid cryptsetup curl dns-over-tls 
elfutils +gcrypt gnuefi http idn importd +kmod +lz4 lzma nat pam pcre policykit 
qrcode +resolvconf +seccomp selinux split-usr +sysv-utils test vanilla xkb"
+IUSE="acl apparmor audit build cryptsetup curl dns-over-tls elfutils +gcrypt 
gnuefi http idn importd +kmod libidn2 +lz4 lzma nat pam pcre policykit qrcode 
+resolvconf +seccomp selinux split-usr +sysv-utils test vanilla xkb"
 
 REQUIRED_USE="importd? ( curl gcrypt lzma )"
 RESTRICT="!test? ( test )"
@@ -45,7 +45,10 @@ 
COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}]
                >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)]
                >=net-libs/gnutls-3.1.4:0=
        )
-       idn? ( net-dns/libidn2:= )
+       idn? (
+               libidn2? ( net-dns/libidn2:= )
+               !libidn2? ( net-dns/libidn:= )
+       )
        importd? (
                app-arch/bzip2:0=
                sys-libs/zlib:0=
@@ -185,6 +188,14 @@ src_prepare() {
 
        # Add local patches here
        PATCHES+=(
+               "${FILESDIR}"/242-gcc-9.patch
+               "${FILESDIR}"/242-socket-util-flush-accept.patch
+               "${FILESDIR}"/242-wireguard-listenport.patch
+               "${FILESDIR}"/242-file-max.patch
+               "${FILESDIR}"/242-rdrand-ryzen.patch
+               "${FILESDIR}"/242-networkd-ipv6-token.patch
+               "${FILESDIR}"/242-network-domains.patch
+               "${FILESDIR}"/CVE-2019-15718.patch
        )
 
        if ! use vanilla; then
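Review bot: The `"${FILESDIR}"/CVE-2019-15718.patch` entry added here (and again in the 243_rc2-r1 hunk at the end of this commit) carries an upstream hunk header of `@@ -1705,10 +1705,6 @@`, taken from a tree newer than the 242 release, so on the 242 sources it depends on patch's offset search to land inside bus_open_system_watch_bind_with_description(); confirming in the build log that eapply applied it without fuzz is the cheap way to be sure the `r = sd_bus_set_trusted(bus, true);` block is the one that gets removed. What the patch changes is that resolved's bus connection stops being marked trusted, so incoming method calls are no longer accepted from any caller and instead go through the usual SD_BUS_VTABLE_UNPRIVILEGED / polkit checks; the context lines do not show whether the 242 branch has other call sites of sd_bus_set_trusted() that the same reasoning would cover, which is worth checking while the bump is in review. The mailing-list rendering wraps several lines of the patch file (the hunk header and the `sd_bus_negotiate_creds(...)` context line); presumably the committed file keeps them unwrapped, since a wrapped context line would make patch reject the hunk. A short comment above the entry, `# CVE-2019-15718: resolved accepted bus method calls from unprivileged clients`, would tell the next maintainer why this patch must not be dropped when the list is pruned. src_prepare() continues outside the hunk.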
@@ -244,7 +255,6 @@ multilib_src_configure() {
                # no deps
                -Defi=$(meson_multilib)
                -Dima=true
-               -Ddefault-hierarchy=$(usex cgroup-hybrid hybrid unified)
                # Optional components/dependencies
                -Dacl=$(meson_multilib_native_use acl)
                -Dapparmor=$(meson_multilib_native_use apparmor)
@@ -257,7 +267,6 @@ multilib_src_configure() {
                -Dgnu-efi=$(meson_multilib_native_use gnuefi)
                -Defi-libdir="${ESYSROOT}/usr/$(get_libdir)"
                -Dmicrohttpd=$(meson_multilib_native_use http)
-               -Didn=$(meson_multilib_native_use idn)
                -Dimportd=$(meson_multilib_native_use importd)
                -Dbzip2=$(meson_multilib_native_use importd)
                -Dzlib=$(meson_multilib_native_use importd)
@@ -301,6 +310,18 @@ multilib_src_configure() {
                -Dvconsole=$(meson_multilib)
        )
 
+       if multilib_is_native_abi && use idn; then
+               myconf+=(
+                       -Dlibidn2=$(usex libidn2 true false)
+                       -Dlibidn=$(usex libidn2 false true)
+               )
+       else
+               myconf+=(
+                       -Dlibidn2=false
+                       -Dlibidn=false
+               )
+       fi
+
        meson_src_configure "${myconf[@]}"
 }
 
@@ -310,7 +331,7 @@ multilib_src_compile() {
 
 multilib_src_test() {
        unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR
-       meson_src_test
+       eninja test
 }
 
 multilib_src_install() {
@@ -343,7 +364,7 @@ multilib_src_install_all() {
        # Preserve empty dirs in /etc & /var, bug #437008
        keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d}
        keepdir /etc/kernel/install.d
-       keepdir /etc/systemd/{network,system,user}
+       keepdir /etc/systemd/{network,user}
        keepdir /etc/udev/{hwdb.d,rules.d}
        keepdir "${rootprefix}"/lib/systemd/{system-sleep,system-shutdown}
        keepdir /usr/lib/{binfmt.d,modules-load.d}

diff --git a/sys-apps/systemd/systemd-243_rc2.ebuild 
b/sys-apps/systemd/systemd-243_rc2-r1.ebuild
similarity index 99%
rename from sys-apps/systemd/systemd-243_rc2.ebuild
rename to sys-apps/systemd/systemd-243_rc2-r1.ebuild
index f00c416fa38..56cfe509a08 100644
--- a/sys-apps/systemd/systemd-243_rc2.ebuild
+++ b/sys-apps/systemd/systemd-243_rc2-r1.ebuild
@@ -185,6 +185,7 @@ src_prepare() {
 
        # Add local patches here
        PATCHES+=(
+               "${FILESDIR}"/CVE-2019-15718.patch
        )
 
        if ! use vanilla; then
