commit: 6eccdbb6b0a53e812fcac7766898d31b756d96e2 Author: Andrew Savchenko <bircoph <AT> gentoo <DOT> org> AuthorDate: Mon Dec 13 16:57:54 2021 +0000 Commit: Andrew Savchenko <bircoph <AT> gentoo <DOT> org> CommitDate: Mon Dec 13 16:58:57 2021 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6eccdbb6
net-proxy/privoxy: update to 3.0.33 - Version bump to 3.0.33 Fixes: CVE-2021-44540, CVE-2021-44541, CVE-2021-44542, CVE-2021-44543 - Add new USE flags: jit (for PCRE), sanitize - REQUIRED_USE: extended-statistics depends on threads Bug: https://bugs.gentoo.org/769557 Bug: https://bugs.gentoo.org/829051 Package-Manager: Portage-3.0.29, Repoman-3.0.3 Signed-off-by: Andrew Savchenko <bircoph <AT> gentoo.org> net-proxy/privoxy/Manifest | 1 + .../files/privoxy-3.0.33-configure-msan.patch | 13 ++ net-proxy/privoxy/metadata.xml | 3 + net-proxy/privoxy/privoxy-3.0.33.ebuild | 158 +++++++++++++++++++++ 4 files changed, 175 insertions(+) diff --git a/net-proxy/privoxy/Manifest b/net-proxy/privoxy/Manifest index 2bb3d36bce49..225fc03773b4 100644 --- a/net-proxy/privoxy/Manifest +++ b/net-proxy/privoxy/Manifest @@ -1 +1,2 @@ DIST privoxy-3.0.32-stable-src.tar.gz 1834528 BLAKE2B c846dada5fd34b80be9f7a75dc4177f3907241f6cf28b4120929687523d449d73b6a78bfe73f0a1086fbb3a8388103beb1e5a62becdffa24bf57d34cbb6cda56 SHA512 da41c0045bf593219df64718645eff984b5df43737811cc0fa12fce7e8ae1ab59eefbe20f23d6ce8f62216cfd81f1a9c319688d15693c25eed36010f3e1d5ffd +DIST privoxy-3.0.33-stable-src.tar.gz 1579540 BLAKE2B 4b76aa2e84160bab346d0548019158edb5562ca1dbf5356f765a6b91967f352f99c45c852254acf3d8e85cf8e8d210c050d1cf69ace3e5dbda8cdd13c1138df3 SHA512 9684455dbce7f6d8f5defd31aa9a7316e0c1dc896525ab4d562d0359462b541b1c366dea9db07b798f3e00b9cbcc44f494d8c431bcb10f2cb05b5bca3cfeaf75 diff --git a/net-proxy/privoxy/files/privoxy-3.0.33-configure-msan.patch b/net-proxy/privoxy/files/privoxy-3.0.33-configure-msan.patch new file mode 100644 index 000000000000..c89fed3947f3 --- /dev/null +++ b/net-proxy/privoxy/files/privoxy-3.0.33-configure-msan.patch @@ -0,0 +1,13 @@ +diff --git a/configure.in b/configure.in +index 84f6a0db7..e7e68be0c 100644 +--- a/configure.in ++++ b/configure.in +@@ -168,7 +168,7 @@ if test "x$with_asan" = "xyes"; then + LDFLAGS="$LDFLAGS -fsanitize=address" + fi + +-AC_ARG_WITH(asan, [ --with-msan Enable MemorySanitizer. Requires compiler support.]) ++AC_ARG_WITH(msan, [ --with-msan Enable MemorySanitizer. Requires compiler support.]) + if test "x$with_msan" = "xyes"; then + CFLAGS="$CFLAGS -fsanitize=memory" + LDFLAGS="$LDFLAGS -fsanitize=memory" diff --git a/net-proxy/privoxy/metadata.xml b/net-proxy/privoxy/metadata.xml index 287c64fc2abc..bab34089e102 100644 --- a/net-proxy/privoxy/metadata.xml +++ b/net-proxy/privoxy/metadata.xml @@ -26,12 +26,15 @@ <flag name="fuzz">Exposes Privoxy internals to input from files or stdout. Intended for fuzzing testing</flag> <flag name="graceful-termination">Allow to shutdown Privoxy through the webinterface</flag> <flag name="image-blocking">Allows the +handle-as-image action, to send "blocked" images instead of HTML</flag> + <flag name="jit">Enable PCRE jit (recommended)</flag> <flag name="lfs">Support large files (>2GB) on 32-bit systems</flag> <flag name="mbedtls">Use <pkg>net-libs/mbedtls</pkg> for HTTPS filtering</flag> <flag name="openssl">Use <pkg>dev-libs/openssl</pkg> for HTTPS filtering</flag> <flag name="png-images">Use PNG format instead of GIF for built-in images</flag> + <flag name="sanitize">Enable asan, msan and usan sanitizers. Your compiler must support them</flag> <flag name="ssl">HTTPS inspection support. Enables privoxy to perform SSL MITM filtering, see docs, use with care</flag> <flag name="stats">Keep statistics</flag> + <flag name="threads">Enable POSIX threads. Highly recommended, otherwise both build and run-time features may not work properly.</flag> <flag name="toggle">Support temporary disable toggle via web interface</flag> <flag name="tools">Install log parser, regression tester and user agent generator tools</flag> <flag name="whitelists">Support trust files (white lists)</flag> diff --git a/net-proxy/privoxy/privoxy-3.0.33.ebuild b/net-proxy/privoxy/privoxy-3.0.33.ebuild new file mode 100644 index 000000000000..0d13b91d1507 --- /dev/null +++ b/net-proxy/privoxy/privoxy-3.0.33.ebuild @@ -0,0 +1,158 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit autotools systemd toolchain-funcs + +[ "${PV##*_}" = "beta" ] && + PRIVOXY_STATUS="beta" || + PRIVOXY_STATUS="stable" + +HOMEPAGE="https://www.privoxy.org https://sourceforge.net/projects/ijbswa/"; +DESCRIPTION="A web proxy with advanced filtering capabilities for enhancing privacy" +SRC_URI="mirror://sourceforge/ijbswa/${P%_*}-${PRIVOXY_STATUS}-src.tar.gz" + +IUSE="+acl brotli client-tags compression editor extended-host-patterns +extended-statistics external-filters +fast-redirects +force fuzz +graceful-termination +image-blocking ipv6 +jit lfs +mbedtls openssl +png-images sanitize selinux ssl +stats +threads toggle tools whitelists ++zlib" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ppc ~ppc64 ~sparc ~x86" +LICENSE="GPL-2+" + +DEPEND=" + acct-group/privoxy + acct-user/privoxy + dev-libs/libpcre + brotli? ( app-arch/brotli ) + ssl? ( + mbedtls? ( net-libs/mbedtls:= ) + openssl? ( dev-libs/openssl:= ) + ) + zlib? ( sys-libs/zlib:= ) +" +RDEPEND="${DEPEND} + extended-host-patterns? ( dev-lang/perl ) + selinux? ( sec-policy/selinux-privoxy ) + tools? ( + net-misc/curl + dev-lang/perl + ) +" +REQUIRED_USE=" + brotli? ( zlib ) + client-tags? ( threads ) + compression? ( zlib ) + extended-statistics? ( threads ) + fuzz? ( zlib ) + ssl? ( ^^ ( mbedtls openssl ) threads ) + toggle? ( editor ) +" + +S="${WORKDIR}/${P%_*}-${PRIVOXY_STATUS}" + +PATCHES=( + "${FILESDIR}"/${PN}-3.0.32-gentoo.patch + "${FILESDIR}"/${PN}-3.0.28-strip.patch + "${FILESDIR}"/${PN}-3.0.33-configure-msan.patch +) + +pkg_pretend() { + if ! use threads; then + ewarn + ewarn "Privoxy may be very slow without threads support, consider to enable them." + ewarn "See also https://www.privoxy.org/faq/trouble.html#GENTOO-RICERS"; + ewarn "Additionally some features may not build or work poperly. You are on your own." + ewarn + fi +} + +src_prepare() { + default + mv configure.in configure.ac || die + sed -i "s|/p\.p/|/config.privoxy.org/|g" tools/privoxy-regression-test.pl || die + + # autoreconf needs to be called even if we don't modify any autotools source files + # See main makefile + eautoreconf +} + +src_configure() { + local myconf="--without-mbedtls --without-openssl" + if use ssl; then + myconf="$(use_with mbedtls) $(use_with openssl)" + fi + if use sanitize; then + myconf+=" --with-usan" + # msan is available in clang only + # asan is broken with current configure tests in gcc + tc-is-clang && myconf+=" --with-msan --with-asan" + fi + + # --with-debug only enables debug CFLAGS + # --with-docbook and --with-db2html and their deps are useless, + # since docs are already pregenerated in the source tarball + econf \ + --sysconfdir=/etc/privoxy \ + --enable-dynamic-pcre \ + --without-assertions \ + --with-user=privoxy \ + --with-group=privoxy \ + $(use_enable acl acl-support) \ + $(use_enable compression) \ + $(use_enable client-tags) \ + $(use_enable editor) \ + $(use_enable extended-host-patterns pcre-host-patterns) \ + $(use_enable extended-statistics) \ + $(use_enable fast-redirects) \ + $(use_enable force) \ + $(use_enable fuzz) \ + $(use_enable graceful-termination) \ + $(use_enable image-blocking) \ + $(use_enable jit pcre-jit-compilation) \ + $(use_enable ipv6 ipv6-support) \ + $(use_enable kernel_FreeBSD accept-filter) \ + $(use_enable lfs large-file-support) \ + $(use_enable png-images no-gifs) \ + $(use_enable stats) \ + $(use_enable threads pthread) \ + $(use_enable toggle) \ + $(use_enable whitelists trust-files) \ + $(use_enable zlib) \ + $(use_with brotli) \ + ${myconf} +} + +src_install() { + default + + newinitd "${FILESDIR}/privoxy.initd-3" privoxy + systemd_dounit "${FILESDIR}"/${PN}.service + + insinto /etc/logrotate.d + newins "${FILESDIR}/privoxy.logrotate" privoxy + + diropts -m 0750 -g privoxy -o privoxy + keepdir /var/log/privoxy + + use extended-host-patterns && newbin tools/url-pattern-translator.pl privoxy-url-pattern-translator.pl + if use tools; then + dobin tools/{privoxy-log-parser.pl,privoxy-regression-test.pl} + newbin tools/uagen.pl privoxy-uagen.pl + fi + + rmdir "${ED}/var/run" || die + chown privoxy:root "${ED}/etc/privoxy" || die +} + +pkg_postinst() { + if use extended-host-patterns; then + ewarn + ewarn "You enabled extended-host-patterns, now you *must* convert all action files in" + ewarn "PCRE-compatible format, or privoxy will fail to start. Helper tool" + ewarn "privoxy-url-pattern-translator.pl is available." + ewarn + fi +}
