[gentoo-commits] repo/gentoo:master commit in: sys-apps/man-db/files/, sys-apps/man-db/
commit: 5f96b31dfd4738313f0ffbde83945f64c2b46ca2 Author: Lars Wendler gentoo org> AuthorDate: Tue Apr 21 07:37:32 2020 + Commit: Lars Wendler gentoo org> CommitDate: Tue Apr 21 07:37:32 2020 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5f96b31d sys-apps/man-db: Removed old Package-Manager: Portage-2.3.99, Repoman-2.3.22 Signed-off-by: Lars Wendler gentoo.org> sys-apps/man-db/Manifest | 2 - sys-apps/man-db/files/man-db.cron| 11 --- sys-apps/man-db/man-db-2.7.6.1-r2.ebuild | 110 -- sys-apps/man-db/man-db-2.9.0.ebuild | 157 --- 4 files changed, 280 deletions(-)
diff --git a/sys-apps/man-db/Manifest b/sys-apps/man-db/Manifest
index 6e12ba7270a..071f45cf4b9 100644
--- a/sys-apps/man-db/Manifest
+++ b/sys-apps/man-db/Manifest
@@ -1,4 +1,2 @@
-DIST man-db-2.7.6.1.tar.xz 1541316 BLAKE2B ea3aa7e90ea8af4882bd99d99374cc37d9c0c7f70bb970973eb3f2178aa4323bcdebc7f39f142ec0144dbe55a9f86aba15d9fe281d2662d280b8e6dca9452f24 SHA512 623c5e7f8b7c289908b2c926f8777293b8d39aeceef0d2509d701a8b0bfa81408650f655c8608318221786c751a79ee91124b07993de5298cd7fa6d8bb737301
 DIST man-db-2.8.7.tar.xz 1839012 BLAKE2B 19b438b1083cfd838421f29ed053fe85686929bc9f2105fe399ea99622f138bca2ca17cddb9223362db2d5f9c4bb3669865ecf749fe845ea8e4223027f67 SHA512 9f9d6f3b776c0b35f95c179fb668f2dc3db3d3e63a162cfda98c5d126fe147f2418e1a1503037ebe28314f57d9b6f48b7f7674d611df14424973a866a61ff2d9
-DIST man-db-2.9.0.tar.xz 1857216 BLAKE2B b797c1bc48027346114d35f00624686daa7e139cf5836e207b482d645009b95577bc13cbad3f1b2498e8c7e8c2f530d43aa8dec96ebad6bb84e6cc77064319d1 SHA512 7deb4421c7944276c6edf974b1336ee2f6605ee470c98d374544e2fcaa32ec2afe077c5fd020fc1f74df058384a293b8ad5a92d86b1c15a949573af46ba09cda
 DIST man-db-2.9.1.tar.xz 1875456 BLAKE2B 42d7d5f49bf19e031bde18dd60cbf18a7656e8756f2cc5d3789cab6ea82283115ed0303ae2f7f7ffd3e32310302b7b70b4e39704bd5c2a08ab60a38905d8c448 SHA512 ae2d1e9f293795c63f5a9a1a765478a9a59cbe5fe6f759647be5057c1ae53f90baee8d5467921f3d0102300f2111a5026eeb25f78401bcb16ce45ad790634977
diff --git a/sys-apps/man-db/files/man-db.cron b/sys-apps/man-db/files/man-db.cron
deleted file mode 100644
index b3794f25573..000
--- a/sys-apps/man-db/files/man-db.cron
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/sh
-
-# Use same perms/settings as the ebuild.
-cachedir="/var/cache/man"
-if [ ! -d "${cachedir}" ]; then
- mkdir -p "${cachedir}"
- chown man:man "${cachedir}"
- chmod 0755 "${cachedir}"
-fi
-
-exec nice mandb --quiet
diff --git a/sys-apps/man-db/man-db-2.7.6.1-r2.ebuild b/sys-apps/man-db/man-db-2.7.6.1-r2.ebuild
deleted file mode 100644
index a4faae26809..000
--- a/sys-apps/man-db/man-db-2.7.6.1-r2.ebuild
+++ /dev/null
@@ -1,110 +0,0 @@ -# Copyright 1999-2020 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=5 - -inherit eutils ltprune user versionator - -DESCRIPTION="a man replacement that utilizes berkdb instead of flat files" -HOMEPAGE="http://www.nongnu.org/man-db/; -SRC_URI="mirror://nongnu/${PN}/${P}.tar.xz" - -LICENSE="GPL-3" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~amd64-linux ~x86-linux" -IUSE="berkdb +gdbm +manpager nls selinux static-libs zlib" - -CDEPEND=">=dev-libs/libpipeline-1.4.0 - berkdb? ( sys-libs/db:= ) - gdbm? ( sys-libs/gdbm:= ) - !berkdb? ( !gdbm? ( sys-libs/gdbm:= ) ) - sys-apps/groff - zlib? ( sys-libs/zlib ) - !sys-apps/man" -DEPEND="${CDEPEND} - app-arch/xz-utils - virtual/pkgconfig - nls? ( - >=app-text/po4a-0.45 - sys-devel/gettext - )" -RDEPEND="${CDEPEND} - selinux? ( sec-policy/selinux-mandb ) -" -PDEPEND="manpager? ( app-text/manpager )" - -pkg_setup() { - # Create user now as Makefile in src_install does setuid/chown - enewgroup man 15 - enewuser man 13 -1 /usr/share/man man - - if (use gdbm && use berkdb) || (use !gdbm && use !berkdb) ; then #496150 - ewarn "Defaulting to USE=gdbm due to ambiguous berkdb/gdbm USE flag settings" - fi -} - -src_configure() { - export ac_cv_lib_z_gzopen=$(usex zlib) - local myeconfargs=( - --docdir='$(datarootdir)'/doc/${PF} - --with-systemdtmpfilesdir="${EPREFIX}"/usr/lib/tmpfiles.d - --enable-setuid - --enable-cache-owner=man - --with-sections="1 1p 8 2 3 3p 4 5 6 7 9 0p tcl n l p o 1x 2x 3x 4x 5x 6x 7x 8x" - $(use_enable nls) - $(use_enable static-libs static) - --with-db=$(usex gdbm gdbm $(usex berkdb db gdbm)) - ) - econf "${myeconfargs[@]}" - - # Disable color output from groff so that the manpager can add it. #184604 - sed -i \ - -e '/^#DEFINE.*\<[nt]roff\>/{s:^#::;s:$: -c:}' \ - src/man_db.conf
[gentoo-commits] repo/gentoo:master commit in: sys-apps/man-db/files/, sys-apps/man-db/
commit: 8607cad379185ee6b427dc78dcf7c5fcd90de541 Author: Lars Wendler gentoo org> AuthorDate: Thu Feb 8 11:56:06 2018 + Commit: Lars Wendler gentoo org> CommitDate: Thu Feb 8 11:56:55 2018 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8607cad3 sys-apps/man-db: Revump to drop seccomp again. It segfaults. Might re-add seccomp once 2.8.1 has been released. Package-Manager: Portage-2.3.24, Repoman-2.3.6 .../files/man-db-2.8.0-refactor_drop_privs.patch | 120 .../man-db/files/man-db-2.8.0-seccomp_suid.patch | 126 - ...n-db-2.8.0-r1.ebuild => man-db-2.8.0-r2.ebuild} | 7 +- 3 files changed, 2 insertions(+), 251 deletions(-) diff --git a/sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch b/sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch deleted file mode 100644 index 87db57afb9e..000 --- a/sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -From 24624eaf853158856b8fd0a6f78c873475a16686 Mon Sep 17 00:00:00 2001 -From: Colin Watson-Date: Wed, 7 Feb 2018 12:23:15 + -Subject: Refactor do_system_drop_privs - -Now that we have pipecmd_pre_exec, this can be simplified quite a bit. - -* lib/security.c (drop_privs): New function. -(do_system_drop_privs_child, do_system_drop_privs): Remove. -* lib/security.h (drop_privs): Add prototype. -(do_system_drop_privs): Remove prototype. -* src/man.c (make_browser): Add drop_privs pre-exec hook to browser -command. -(format_display): Call browser using pipeline_run rather than -do_system_drop_privs, since it now has a pre-exec hook to drop -privileges. - lib/security.c | 37 +++-- - lib/security.h | 2 +- - src/man.c | 7 +-- - 3 files changed, 9 insertions(+), 37 deletions(-) - -diff --git a/lib/security.c b/lib/security.c -index 6e84de8..c9b365d 100644 a/lib/security.c -+++ b/lib/security.c -@@ -158,42 +158,11 @@ void regain_effective_privs (void) - #endif /* MAN_OWNER */ - } - --#ifdef MAN_OWNER --void do_system_drop_privs_child (void *data) -+/* Pipeline command pre-exec hook to permanently drop privileges. */ -+void drop_privs (void *data ATTRIBUTE_UNUSED) - { -- pipeline *p = data; -- -+#ifdef MAN_OWNER - if (idpriv_drop ()) - gripe_set_euid (); -- exit (pipeline_run (p)); --} --#endif /* MAN_OWNER */ -- --/* The safest way to execute a pipeline with no effective privileges is to -- * fork, permanently drop privileges in the child, run the pipeline from the -- * child, and wait for it to die. -- * -- * It is possible to use saved IDs to avoid the fork, since effective IDs -- * are copied to saved IDs on execve; we used to do this. However, forking -- * is not expensive enough to justify the extra code. -- * -- * Note that this frees the supplied pipeline. 
-- */ --int do_system_drop_privs (pipeline *p) --{ --#ifdef MAN_OWNER -- pipecmd *child_cmd; -- pipeline *child; -- int status; -- -- child_cmd = pipecmd_new_function ("unprivileged child", --do_system_drop_privs_child, NULL, p); -- child = pipeline_new_commands (child_cmd, NULL); -- status = pipeline_run (child); -- -- pipeline_free (p); -- return status; --#else /* !MAN_OWNER */ -- return pipeline_run (p); - #endif /* MAN_OWNER */ - } -diff --git a/lib/security.h b/lib/security.h -index 7545502..851127d 100644 a/lib/security.h -+++ b/lib/security.h -@@ -27,7 +27,7 @@ - /* security.c */ - extern void drop_effective_privs (void); - extern void regain_effective_privs (void); --extern int do_system_drop_privs (struct pipeline *p); -+extern void drop_privs (void *data); - extern void init_security (void); - extern int running_setuid (void); - extern struct passwd *get_man_owner (void); -diff --git a/src/man.c b/src/man.c -index 959d6cc..ff7ebc7 100644 a/src/man.c -+++ b/src/man.c -@@ -1481,6 +1481,7 @@ static pipeline *make_roff_command (const char *dir, const char *file, - static pipeline *make_browser (const char *pattern, const char *file) - { - pipeline *p; -+ pipecmd *cmd; - char *browser = xmalloc (1); - int found_percent_s = 0; - char *percent; -@@ -1526,7 +1527,9 @@ static pipeline *make_browser (const char *pattern, const char *file) - free (esc_file); - } - -- p = pipeline_new_command_args ("/bin/sh", "-c", browser, NULL); -+ cmd = pipecmd_new_args ("/bin/sh", "-c", browser, NULL); -+ pipecmd_pre_exec (cmd, drop_privs, NULL, NULL); -+ p = pipeline_new_commands (cmd, NULL); - pipeline_ignore_signals (p, 1); - free (browser); - -@@ -2021,7 +2024,7 @@ static void format_display (pipeline *decomp, - pipeline *browser; - debug ("Trying browser: %s\n", candidate); - browser = make_browser (candidate,
[gentoo-commits] repo/gentoo:master commit in: sys-apps/man-db/files/, sys-apps/man-db/
commit: 66af02c4670b0c8547c27810c1e2ddbe60c5788c Author: Lars Wendler gentoo org> AuthorDate: Thu Feb 8 07:53:09 2018 + Commit: Lars Wendler gentoo org> CommitDate: Thu Feb 8 07:59:22 2018 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66af02c4 sys-apps/man-db: Revbump adding seccomp support. Removed old. Package-Manager: Portage-2.3.24, Repoman-2.3.6 .../files/man-db-2.8.0-libseccomp_automagic.patch | 99 +--- .../files/man-db-2.8.0-refactor_drop_privs.patch | 120 .../man-db/files/man-db-2.8.0-seccomp_suid.patch | 126 + ...{man-db-2.8.0.ebuild => man-db-2.8.0-r1.ebuild} | 19 ++-- 4 files changed, 335 insertions(+), 29 deletions(-) diff --git a/sys-apps/man-db/files/man-db-2.8.0-libseccomp_automagic.patch b/sys-apps/man-db/files/man-db-2.8.0-libseccomp_automagic.patch index 333bc5fe295..cf9c1257317 100644 --- a/sys-apps/man-db/files/man-db-2.8.0-libseccomp_automagic.patch +++ b/sys-apps/man-db/files/man-db-2.8.0-libseccomp_automagic.patch @@ -1,42 +1,107 @@ -From c693c0d6c41e777def51984035710779697d1989 Mon Sep 17 00:00:00 2001 +From 3d4ab15670079aa8e898f80a650b3be941230486 Mon Sep 17 00:00:00 2001 
From: Lars Wendler-Date: Tue, 6 Feb 2018 14:41:22 +0100 -Subject: [PATCH] Change libseccomp logic to not be automagic only. +Date: Tue, 6 Feb 2018 15:30:21 +0100 +Subject: [PATCH] Change libseccomp logic to not be automagic only -Introduce --with-libseccomp configure option so that users can disable -seccomp even if libseccomp is available on the system. -The default is unchanged to before this patch. If no --with(out)-libseccomp -has been given on command line, the macro looks for presence of libseccomp -and uses that if found. +Introduce --without-libseccomp configure option so that users can +disable seccomp even if libseccomp is available on the system. + +The default is unchanged from before this patch. If no +--with(out)-libseccomp has been given on the command line, the macro +looks for presence of libseccomp and uses that if found. + +* m4/man-libseccomp.m4: Guard pkg-config test with a command-line +option. --- - m4/man-libseccomp.m4 | 19 ++- - 1 file changed, 14 insertions(+), 5 deletions(-) +diff --git a/configure b/configure +index 3f949306..8eaca64e 100755 +--- a/configure b/configure +@@ -1718,6 +1718,7 @@ with_included_regex + enable_nls + with_libiconv_prefix + with_libintl_prefix ++with_libseccomp + ' + ac_precious_vars='build_alias + host_alias +@@ -2459,6 +2460,7 @@ Optional Packages: + --without-libiconv-prefix don't search for libiconv in includedir and libdir + --with-libintl-prefix[=DIR] search for libintl in DIR/include and DIR/lib + --without-libintl-prefix don't search for libintl in includedir and libdir ++ --without-libseccompdo not confine subprocesses using seccomp + + Some influential environment variables: + CC C compiler command +@@ -47295,6 +47297,15 @@ fi + + # Check for libseccomp library. + ++# Check whether --with-libseccomp was given. 
++if test "${with_libseccomp+set}" = set; then : ++ withval=$with_libseccomp; ++else ++ with_libseccomp=check ++fi ++ ++ if test "x$with_libseccomp" != "xno"; then ++ + pkg_failed=no + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libseccomp" >&5 + $as_echo_n "checking for libseccomp... " >&6; } +@@ -47353,11 +47364,15 @@ fi + # Put the nasty error message in config.log where it belongs + echo "$libseccomp_PKG_ERRORS" >&5 + +- : ++ if test "x$with_libseccomp" = "xyes"; then ++ as_fn_error $? "--with-libseccomp given but cannot find libseccomp" "$LINENO" 5 ++ fi + elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + $as_echo "no" >&6; } +- : ++ if test "x$with_libseccomp" = "xyes"; then ++ as_fn_error $? "--with-libseccomp given but cannot find libseccomp" "$LINENO" 5 ++ fi + else + libseccomp_CFLAGS=$pkg_cv_libseccomp_CFLAGS + libseccomp_LIBS=$pkg_cv_libseccomp_LIBS +@@ -47367,6 +47382,7 @@ $as_echo "yes" >&6; } + $as_echo "#define HAVE_LIBSECCOMP 1" >>confdefs.h + + fi ++ fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: default CC = \"$CC\"" >&5 diff --git a/m4/man-libseccomp.m4 b/m4/man-libseccomp.m4 -index a9377317..17a52f72 100644 +index a9377317..c90e3aa4 100644 --- a/m4/man-libseccomp.m4 +++ b/m4/man-libseccomp.m4 @@ -1,9 +1,18 @@ - # man-libseccomp.m4 serial 1 +-# man-libseccomp.m4 serial 1 ++# man-libseccomp.m4 serial 2 dnl MAN_LIBSECCOMP -dnl Check for the libseccomp library. -+dnl Add a --with-libseccomp option. ++dnl Add a --without-libseccomp option; check for the libseccomp library. AC_DEFUN([MAN_LIBSECCOMP], -[PKG_CHECK_MODULES([libseccomp], [libseccomp], -
[gentoo-commits] repo/gentoo:master commit in: sys-apps/man-db/files/, sys-apps/man-db/
commit: aaa42799b39bd2ad5a345ab28c71dac1a7a94664 Author: Robin H. Johnson gentoo org> AuthorDate: Tue Feb 21 21:45:35 2017 + Commit: Robin H. Johnson gentoo org> CommitDate: Tue Feb 21 21:46:15 2017 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aaa42799 sys-apps/man-db: re-fix security bug #602588 because of comment #18. Package-Manager: portage-2.3.3 Signed-off-by: Robin H. Johnson gentoo.org> sys-apps/man-db/files/man-db.cron| 9 +-- sys-apps/man-db/man-db-2.7.6.1-r2.ebuild | 109 +++ 2 files changed, 114 insertions(+), 4 deletions(-) diff --git a/sys-apps/man-db/files/man-db.cron b/sys-apps/man-db/files/man-db.cron index ced63900fc..d94e594d1a 100644 --- a/sys-apps/man-db/files/man-db.cron +++ b/sys-apps/man-db/files/man-db.cron @@ -1,10 +1,11 @@ #!/bin/sh # Use same perms/settings as the ebuild. -if [ ! -d /var/cache/man ]; then - mkdir -p /var/cache/man - chown man:root /var/cache/man - chmod 2755 /var/cache/man +cachedir="/var/cache/man" +if [ ! -d ${cachedir} ]; then + mkdir -p "${cachedir}" + chown man:man "${cachedir}" + chmod 0755 "${cachedir}" fi exec nice mandb --quiet diff --git a/sys-apps/man-db/man-db-2.7.6.1-r2.ebuild b/sys-apps/man-db/man-db-2.7.6.1-r2.ebuild new file mode 100644 index 00..176e09719e --- /dev/null +++ b/sys-apps/man-db/man-db-2.7.6.1-r2.ebuild 
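Review bot: The new `chown man:man` and `chmod 0755` in man-db.cron run only when /var/cache/man is missing, so a directory left behind by the old script keeps its previous `man:root` ownership and mode 2755 after this version of the script is installed. Resetting that state appears to rest on the `pkg_preinst` cleanup in the ebuild added by this same commit, which is only partly visible here; a comment in the script would make the dependency explicit, e.g. `# Existing cachedirs are reset by pkg_preinst (bug #602588); this only covers a missing directory.` Separately, the test `[ ! -d ${cachedir} ]` leaves the expansion unquoted while the three commands below it quote it; `if [ ! -d "${cachedir}" ]; then` would be consistent.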
@@ -0,0 +1,109 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=5 + +inherit eutils user versionator + +DESCRIPTION="a man replacement that utilizes berkdb instead of flat files" +HOMEPAGE="http://www.nongnu.org/man-db/; +SRC_URI="mirror://nongnu/${PN}/${P}.tar.xz" + +LICENSE="GPL-3" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~arm-linux ~x86-linux" +IUSE="berkdb +gdbm +manpager nls selinux static-libs zlib" + +CDEPEND=">=dev-libs/libpipeline-1.4.0 + berkdb? ( sys-libs/db:= ) + gdbm? ( sys-libs/gdbm ) + !berkdb? ( !gdbm? ( sys-libs/gdbm ) ) + sys-apps/groff + zlib? ( sys-libs/zlib ) + !sys-apps/man" +DEPEND="${CDEPEND} + app-arch/xz-utils + virtual/pkgconfig + nls? ( + >=app-text/po4a-0.45 + sys-devel/gettext + )" +RDEPEND="${CDEPEND} + selinux? ( sec-policy/selinux-mandb ) +" +PDEPEND="manpager? ( app-text/manpager )" + +pkg_setup() { + # Create user now as Makefile in src_install does setuid/chown + enewgroup man 15 + enewuser man 13 -1 /usr/share/man man + + if (use gdbm && use berkdb) || (use !gdbm && use !berkdb) ; then #496150 + ewarn "Defaulting to USE=gdbm due to ambiguous berkdb/gdbm USE flag settings" + fi +} + +src_configure() { + export ac_cv_lib_z_gzopen=$(usex zlib) + econf \ + --docdir='$(datarootdir)'/doc/${PF} \ + --with-systemdtmpfilesdir="${EPREFIX}"/usr/lib/tmpfiles.d \ + --enable-setuid \ + --enable-cache-owner=man \ + --with-sections="1 1p 8 2 3 3p 4 5 6 7 9 0p tcl n l p o 1x 2x 3x 4x 5x 6x 7x 8x" \ + $(use_enable nls) \ + $(use_enable static-libs static) \ + --with-db=$(usex gdbm gdbm $(usex berkdb db gdbm)) + + # Disable color output from groff so that the manpager can add it. 
#184604 + sed -i \ + -e '/^#DEFINE.*\<[nt]roff\>/{s:^#::;s:$: -c:}' \ + src/man_db.conf || die +} + +src_install() { + default + dodoc docs/{HACKING,TODO} + prune_libtool_files + + exeinto /etc/cron.daily + newexe "${FILESDIR}"/man-db.cron man-db #289884 +} + +pkg_preinst() { + local cachedir="${EROOT}var/cache/man" + # If the system was already exploited, and the attacker is hiding in the + # cachedir of the old man-db, let's wipe them out. + # see bug #602588 comment 18 + local _replacing_version= + local _setgid_vuln=0 + for _replacing_version in ${REPLACING_VERSIONS}; do + if version_is_at_least '2.7.6.1-r2' "${_replacing_version}"; then + debug-print "Skipping security bug #602588 ... existing installation (${_replacing_version}) should not be affected!" + else + _setgid_vuln=1 + debug-print "Applying cleanup for security bug #602588" + fi + done + [[ ${_setgid_vuln} -eq 1 ]] && rm -rf "${cachedir}" + + # Fall back to recreating the cachedir + if [[ ! -d ${cachedir} ]] ; then + mkdir -p "${cachedir}" || die + chown man:man "${cachedir}" || die + fi + + # Update the whatis cache + if [[ -f ${cachedir}/whatis ]] ; then + einfo "Cleaning ${cachedir} from sys-apps/man" +