
From: Lars Wendler <polynomial-c@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: app-shells/bash/files/, app-shells/bash/
Date: Thu, 07 Jan 2021 00:48:52
Message-Id: 1609980525.ba53be405112d10b85e88cc2637156804b88bd91.polynomial-c@gentoo
1 commit: ba53be405112d10b85e88cc2637156804b88bd91
2 Author: Hank Leininger <hlein <AT> korelogic <DOT> com>
3 AuthorDate: Wed Dec 11 22:06:45 2019 +0000
4 Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
5 CommitDate: Thu Jan 7 00:48:45 2021 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ba53be40
7
8 app-shells/bash: fix CVE-2019-18276 (priv-dropping bug)
9
10 Cherry-picked the relevant parts of
11 https://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=951bdaad7a18cc0dc1036bba86b18b90874d39ff
12 and modified the patches to apply.
13
14 Note that the existing bash-5.0*patch files are applied with -p0, which
15 is not the norm for eapply, etc. I simply followed what was required
16 to work with the rest of the existing patches.
17
18 Signed-off-by: Hank Leininger <hlein <AT> korelogic.com>
19 Bug: https://bugs.gentoo.org/702488
20 Package-Manager: Portage-2.3.81, Repoman-2.3.18
21 Closes: https://github.com/gentoo/gentoo/pull/13941
22 Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
23
24 app-shells/bash/bash-5.0_p11-r1.ebuild | 266 +++++++++++++++++++++
25 .../files/bash-5.0_p11-disable_priv_mode.patch | 85 +++++++
26 2 files changed, 351 insertions(+)
27
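diff --git a/app-shells/bash/bash-5.0_p11-r1.ebuild b/app-shells/bash/bash-5.0_p11-r1.ebuild
new file mode 100644
index 00000000000..a6cf9c086ce
--- /dev/null
+++ b/app-shells/bash/bash-5.0_p11-r1.ebuild
@@ -0,0 +1,266 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit flag-o-matic toolchain-funcs multilib prefix
+
+# Official patchlevel
+# See ftp://ftp.cwru.edu/pub/bash/bash-5.0-patches/
+PLEVEL=${PV##*_p}
+MY_PV=${PV/_p*}
+MY_PV=${MY_PV/_/-}
+MY_P=${PN}-${MY_PV}
+is_release() {
+ case ${PV} in
+ *_alpha*|*_beta*|*_rc*) return 1 ;;
+ *) return 0 ;;
+ esac
+}
+[[ ${PV} != *_p* ]] && PLEVEL=0
+patches() {
+ local opt=$1 plevel=${2:-${PLEVEL}} pn=${3:-${PN}} pv=${4:-${MY_PV}}
+ [[ ${plevel} -eq 0 ]] && return 1
+ eval set -- {1..${plevel}}
+ set -- $(printf "${pn}${pv/\.}-%03d " "$@")
+ if [[ ${opt} == -s ]] ; then
+ echo "${@/#/${DISTDIR}/}"
+ else
+ local u
+ for u in ftp://ftp.cwru.edu/pub/bash mirror://gnu/${pn} ; do
+ printf "${u}/${pn}-${pv}-patches/%s " "$@"
+ done
+ fi
+}
+
+# The version of readline this bash normally ships with.
+READLINE_VER="8.0"
+
+DESCRIPTION="The standard GNU Bourne again shell"
+HOMEPAGE="http://tiswww.case.edu/php/chet/bash/bashtop.html"
+if is_release ; then
+ SRC_URI="mirror://gnu/bash/${MY_P}.tar.gz $(patches)"
+else
+ SRC_URI="ftp://ftp.cwru.edu/pub/bash/${MY_P}.tar.gz"
+fi
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="afs bashlogger examples mem-scramble +net nls plugins +readline"
+
+DEPEND="
+ >=sys-libs/ncurses-5.2-r2:0=
+ nls? ( virtual/libintl )
+ readline? ( >=sys-libs/readline-${READLINE_VER}:0= )
+"
+RDEPEND="
+ ${DEPEND}
+ !<sys-apps/portage-2.1.6.7_p1
+"
+# we only need yacc when the .y files get patched (bash42-005)
+#DEPEND+=" virtual/yacc"
+
+S="${WORKDIR}/${MY_P}"
+
+PATCHES=(
+ # Patches from Chet sent to bashbug ml
+ "${FILESDIR}"/${PN}-5.0-history-append.patch
+ "${FILESDIR}"/${PN}-5.0-syslog-history-extern.patch
+ # fix CVE-2019-18276 #702488
+ "${FILESDIR}"/${PN}-5.0_p11-disable_priv_mode.patch
+)
+
+pkg_setup() {
+ if is-flag -malign-double ; then #7332
+ eerror "Detected bad CFLAGS '-malign-double'. Do not use this"
+ eerror "as it breaks LFS (struct stat64) on x86."
+ die "remove -malign-double from your CFLAGS mr ricer"
+ fi
+ if use bashlogger ; then
+ ewarn "The logging patch should ONLY be used in restricted (i.e. honeypot) envs."
+ ewarn "This will log ALL output you enter into the shell, you have been warned."
+ fi
+}
+
+src_unpack() {
+ unpack ${MY_P}.tar.gz
+}
+
+src_prepare() {
+ # Include official patches
+ [[ ${PLEVEL} -gt 0 ]] && eapply -p0 $(patches -s)
+
+ # Clean out local libs so we know we use system ones w/releases.
+ if is_release ; then
+ rm -rf lib/{readline,termcap}/*
+ touch lib/{readline,termcap}/Makefile.in # for config.status
+ sed -ri -e 's:\$[(](RL|HIST)_LIBSRC[)]/[[:alpha:]]*.h::g' Makefile.in || die
+ fi
+
+ # Prefixify hardcoded path names. No-op for non-prefix.
+ hprefixify pathnames.h.in
+
+ # Avoid regenerating docs after patches #407985
+ sed -i -r '/^(HS|RL)USER/s:=.*:=:' doc/Makefile.in || die
+ touch -r . doc/*
+
+ eapply -p0 "${PATCHES[@]}"
+ eapply_user
+}
+
+src_configure() {
+ local myconf=(
+ --disable-profiling
+ --docdir='$(datarootdir)'/doc/${PF}
+ --htmldir='$(docdir)/html'
+ --with-curses
+ $(use_enable mem-scramble)
+ $(use_enable net net-redirections)
+ $(use_enable readline)
+ $(use_enable readline bang-history)
+ $(use_enable readline history)
+ $(use_with afs)
+ $(use_with mem-scramble bash-malloc)
+ )
+
+ # For descriptions of these, see config-top.h
+ # bashrc/#26952 bash_logout/#90488 ssh/#24762 mktemp/#574426
+ append-cppflags \
+ -DDEFAULT_PATH_VALUE=\'\"${EPREFIX}/usr/local/sbin:${EPREFIX}/usr/local/bin:${EPREFIX}/usr/sbin:${EPREFIX}/usr/bin:${EPREFIX}/sbin:${EPREFIX}/bin\"\' \
+ -DSTANDARD_UTILS_PATH=\'\"${EPREFIX}/bin:${EPREFIX}/usr/bin:${EPREFIX}/sbin:${EPREFIX}/usr/sbin\"\' \
+ -DSYS_BASHRC=\'\"${EPREFIX}/etc/bash/bashrc\"\' \
+ -DSYS_BASH_LOGOUT=\'\"${EPREFIX}/etc/bash/bash_logout\"\' \
+ -DNON_INTERACTIVE_LOGIN_SHELLS \
+ -DSSH_SOURCE_BASHRC \
+ $(use bashlogger && echo -DSYSLOG_HISTORY)
+
+ # Don't even think about building this statically without
+ # reading Bug 7714 first. If you still build it statically,
+ # don't come crying to us with bugs ;).
+ #use static && export LDFLAGS="${LDFLAGS} -static"
+ use nls || myconf+=( --disable-nls )
+
+ # Historically, we always used the builtin readline, but since
+ # our handling of SONAME upgrades has gotten much more stable
+ # in the PM (and the readline ebuild itself preserves the old
+ # libs during upgrades), linking against the system copy should
+ # be safe.
+ # Exact cached version here doesn't really matter as long as it
+ # is at least what's in the DEPEND up above.
+ export ac_cv_rl_version=${READLINE_VER%%_*}
+
+ # Force linking with system curses ... the bundled termcap lib
+ # sucks bad compared to ncurses. For the most part, ncurses
+ # is here because readline needs it. But bash itself calls
+ # ncurses in one or two small places :(.
+
+ if is_release ; then
+ # Use system readline only with released versions.
+ myconf+=( --with-installed-readline=. )
+ fi
+
+ if use plugins; then
+ append-ldflags -Wl,-rpath,/usr/$(get_libdir)/bash
+ else
+ # Disable the plugins logic by hand since bash doesn't
+ # provide a way of doing it.
+ export ac_cv_func_dl{close,open,sym}=no \
+ ac_cv_lib_dl_dlopen=no ac_cv_header_dlfcn_h=no
+ sed -i \
+ -e '/LOCAL_LDFLAGS=/s:-rdynamic::' \
+ configure || die
+ fi
+ tc-export AR #444070
+ econf "${myconf[@]}"
+}
+
+src_compile() {
+ emake
+
+ if use plugins ; then
+ emake -C examples/loadables all others
+ fi
+}
+
+src_install() {
+ local d f
+
+ default
+
+ dodir /bin
+ mv "${ED}"/usr/bin/bash "${ED}"/bin/ || die
+ dosym bash /bin/rbash
+
+ insinto /etc/bash
+ doins "${FILESDIR}"/bash_logout
+ doins "$(prefixify_ro "${FILESDIR}"/bashrc)"
+ keepdir /etc/bash/bashrc.d
+ insinto /etc/skel
+ for f in bash{_logout,_profile,rc} ; do
+ newins "${FILESDIR}"/dot-${f} .${f}
+ done
+
+ local sed_args=(
+ -e "s:#${USERLAND}#@::"
+ -e '/#@/d'
+ )
+ if ! use readline ; then
+ sed_args+=( #432338
+ -e '/^shopt -s histappend/s:^:#:'
+ -e 's:use_color=true:use_color=false:'
+ )
+ fi
+ sed -i \
+ "${sed_args[@]}" \
+ "${ED}"/etc/skel/.bashrc \
+ "${ED}"/etc/bash/bashrc || die
+
+ if use plugins ; then
+ exeinto /usr/$(get_libdir)/bash
+ doexe $(echo examples/loadables/*.o | sed 's:\.o::g')
+ insinto /usr/include/bash-plugins
+ doins *.h builtins/*.h include/*.h lib/{glob/glob.h,tilde/tilde.h}
+ fi
+
+ if use examples ; then
+ for d in examples/{functions,misc,scripts,startup-files} ; do
+ exeinto /usr/share/doc/${PF}/${d}
+ insinto /usr/share/doc/${PF}/${d}
+ for f in ${d}/* ; do
+ if [[ ${f##*/} != PERMISSION ]] && [[ ${f##*/} != *README ]] ; then
+ doexe ${f}
+ else
+ doins ${f}
+ fi
+ done
+ done
+ fi
+
+ doman doc/*.1
+ newdoc CWRU/changelog ChangeLog
+ dosym bash.info /usr/share/info/bashref.info
+}
+
+pkg_preinst() {
+ if [[ -e ${EROOT}/etc/bashrc ]] && [[ ! -d ${EROOT}/etc/bash ]] ; then
+ mkdir -p "${EROOT}"/etc/bash
+ mv -f "${EROOT}"/etc/bashrc "${EROOT}"/etc/bash/
+ fi
+
+ if [[ -L ${EROOT}/bin/sh ]] ; then
+ # rewrite the symlink to ensure that its mtime changes. having /bin/sh
+ # missing even temporarily causes a fatal error with paludis.
+ local target=$(readlink "${EROOT}"/bin/sh)
+ local tmp=$(emktemp "${EROOT}"/bin)
+ ln -sf "${target}" "${tmp}"
+ mv -f "${tmp}" "${EROOT}"/bin/sh
+ fi
+}
+
+pkg_postinst() {
+ # If /bin/sh does not exist, provide it
+ if [[ ! -e ${EROOT}/bin/sh ]] ; then
+ ln -sf bash "${EROOT}"/bin/sh
+ fi
+}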
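Review bot: Nothing in `src_configure` confirms that the CVE-2019-18276 code path is actually compiled in. The ebuild inherits no autotools eclass and `src_prepare` never regenerates the build system, so `econf` runs the shipped `configure` as patched by hand, and the fix is active only if that script ends up defining `HAVE_DECL_SETRESUID` and `HAVE_DECL_SETRESGID`. A cheap guard after `econf` would make a silent fallback to `setuid()`/`setgid()` visible in the build log, for example `grep -q '^#define HAVE_DECL_SETRESUID 1' config.h || ewarn "setresuid() not detected; CVE-2019-18276 fix is inactive"`. A warning rather than `die` is suggested because KEYWORDS lists non-Linux prefix targets, where setresuid() may legitimately be absent.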
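diff --git a/app-shells/bash/files/bash-5.0_p11-disable_priv_mode.patch b/app-shells/bash/files/bash-5.0_p11-disable_priv_mode.patch
new file mode 100644
index 00000000000..9a05c8b8613
--- /dev/null
+++ b/app-shells/bash/files/bash-5.0_p11-disable_priv_mode.patch
@@ -0,0 +1,85 @@
+diff -urP ../bash-5.0.orig/config.h.in config.h.in
+--- ../bash-5.0.orig/config.h.in 2018-12-04 09:54:17.000000000 -0700
++++ config.h.in 2019-12-10 11:34:42.157926317 -0700
+@@ -1,6 +1,6 @@
+ /* config.h -- Configuration file for bash. */
+
+-/* Copyright (C) 1987-2009,2011-2012 Free Software Foundation, Inc.
++/* Copyright (C) 1987-2009,2011-2012,2013-2019 Free Software Foundation, Inc.
+
+ This file is part of GNU Bash, the Bourne Again SHell.
+
+@@ -807,6 +807,14 @@
+ #undef HAVE_SETREGID
+ #undef HAVE_DECL_SETREGID
+
++/* Define if you have the setregid function. */
++#undef HAVE_SETRESGID
++#undef HAVE_DECL_SETRESGID
++
++/* Define if you have the setresuid function. */
++#undef HAVE_SETRESUID
++#undef HAVE_DECL_SETRESUID
++
+ /* Define if you have the setvbuf function. */
+ #undef HAVE_SETVBUF
+
+diff -urP ../bash-5.0.orig/configure configure
+--- ../bash-5.0.orig/configure 2019-01-02 07:43:31.000000000 -0700
++++ configure 2019-12-10 11:34:42.166926317 -0700
+@@ -10281,6 +10281,17 @@
+ #define HAVE_DECL_SETREGID $ac_have_decl
+ _ACEOF
+
++ac_fn_c_check_decl "$LINENO" "" "ac_cv_have_decl_" "$ac_includes_default"
++if test "x$ac_cv_have_decl_" = xyes; then :
++ ac_have_decl=1
++else
++ ac_have_decl=0
++fi
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_DECL_ $ac_have_decl
++_ACEOF
++(setresuid, setresgid)
+ ac_fn_c_check_decl "$LINENO" "strcpy" "ac_cv_have_decl_strcpy" "$ac_includes_default"
+ if test "x$ac_cv_have_decl_strcpy" = xyes; then :
+ ac_have_decl=1
+diff -urP ../bash-5.0.orig/configure.ac configure.ac
+--- ../bash-5.0.orig/configure.ac 2019-01-02 07:39:11.000000000 -0700
++++ configure.ac 2019-12-10 11:34:42.168926317 -0700
+@@ -810,6 +810,7 @@
+ AC_CHECK_DECLS([printf])
+ AC_CHECK_DECLS([sbrk])
+ AC_CHECK_DECLS([setregid])
++AC_CHECK_DECLS[(setresuid, setresgid])
+ AC_CHECK_DECLS([strcpy])
+ AC_CHECK_DECLS([strsignal])
+
+diff -urP ../bash-5.0.orig/shell.c shell.c
+--- ../bash-5.0.orig/shell.c 2018-12-06 09:28:21.000000000 -0700
++++ shell.c 2019-12-10 11:34:42.170926317 -0700
+@@ -1293,7 +1293,11 @@
+ {
+ int e;
+
++#if HAVE_DECL_SETRESUID
++ if (setresuid (current_user.uid, current_user.uid, current_user.uid) < 0)
++#else
+ if (setuid (current_user.uid) < 0)
++#endif
+ {
+ e = errno;
+ sys_error (_("cannot set uid to %d: effective uid %d"), current_user.uid, current_user.euid);
+@@ -1302,7 +1306,11 @@
+ exit (e);
+ #endif
+ }
++#if HAVE_DECL_SETRESGID
++ if (setresgid (current_user.gid, current_user.gid, current_user.gid) < 0)
++#else
+ if (setgid (current_user.gid) < 0)
++#endif
+ sys_error (_("cannot set gid to %d: effective gid %d"), current_user.gid, current_user.egid);
+
+ current_user.euid = current_user.uid;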
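Review bot: The `configure` hunk never tests for setresuid or setresgid: it calls `ac_fn_c_check_decl` with an empty symbol name, writes `#define HAVE_DECL_ $ac_have_decl` to confdefs.h, and leaves a stray `(setresuid, setresgid)` line that the shell will try to execute. As far as these hunks show, nothing else defines `HAVE_DECL_SETRESUID` or `HAVE_DECL_SETRESGID`, so the new `#if` branches in shell.c would evaluate false and the build would keep the old `setuid()`/`setgid()` calls that the CVE-2019-18276 fix is meant to replace. The cause looks like the misplaced brackets in the configure.ac hunk, which should read `AC_CHECK_DECLS([setresuid, setresgid])`; the generated script then needs one check block per function, as in the fence below. The comment added above `HAVE_SETRESGID` in config.h.in also names setregid where setresgid is meant.

```shell
# … unchanged: HAVE_DECL_SETREGID check and its confdefs.h entry …
ac_fn_c_check_decl "$LINENO" "setresuid" "ac_cv_have_decl_setresuid" "$ac_includes_default"
if test "x$ac_cv_have_decl_setresuid" = xyes; then :
  ac_have_decl=1
else
  ac_have_decl=0
fi

cat >>confdefs.h <<_ACEOF
#define HAVE_DECL_SETRESUID $ac_have_decl
_ACEOF
ac_fn_c_check_decl "$LINENO" "setresgid" "ac_cv_have_decl_setresgid" "$ac_includes_default"
if test "x$ac_cv_have_decl_setresgid" = xyes; then :
  ac_have_decl=1
else
  ac_have_decl=0
fi

cat >>confdefs.h <<_ACEOF
#define HAVE_DECL_SETRESGID $ac_have_decl
_ACEOF
# … unchanged: strcpy declaration check …
```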