
From: Thomas Deutschmann <whissi@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/cyrus-sasl/, dev-libs/cyrus-sasl/files/
Date: Mon, 23 Dec 2019 21:41:56
Message-Id: 1577136894.ec41e92e4aec19aa605f5d410ba06cc86e7b48f0.whissi@gentoo
1 commit: ec41e92e4aec19aa605f5d410ba06cc86e7b48f0
2 Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
3 AuthorDate: Mon Dec 23 21:34:38 2019 +0000
4 Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
5 CommitDate: Mon Dec 23 21:34:54 2019 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec41e92e
7
8 dev-libs/cyrus-sasl: fix CVE-2019-19906
9
10 Bug: https://bugs.gentoo.org/703628
11 Package-Manager: Portage-2.3.82, Repoman-2.3.20
12 Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
13
14 dev-libs/cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild | 259 +++++++++++++++++++++
15 .../files/cyrus-sasl-2.1.27-CVE-2019-19906.patch | 20 ++
16 2 files changed, 279 insertions(+)
17
18 diff --git a/dev-libs/cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild b/dev-libs/cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild
19 new file mode 100644
20 index 00000000000..25c41df746a
21 --- /dev/null
22 +++ b/dev-libs/cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild
23 @@ -0,0 +1,259 @@
24 +# Copyright 1999-2019 Gentoo Authors
25 +# Distributed under the terms of the GNU General Public License v2
26 +
27 +EAPI=6
28 +
29 +inherit flag-o-matic multilib multilib-minimal autotools pam java-pkg-opt-2 db-use systemd eapi7-ver
30 +
31 +SASLAUTHD_CONF_VER="2.1.26"
32 +
33 +DESCRIPTION="The Cyrus SASL (Simple Authentication and Security Layer)"
34 +HOMEPAGE="https://www.cyrusimap.org/sasl/"
35 +#SRC_URI="ftp://ftp.cyrusimap.org/cyrus-sasl/${P}.tar.gz"
36 +SRC_URI="https://github.com/cyrusimap/${PN}/releases/download/${P}/${P}.tar.gz"
37 +
38 +LICENSE="BSD-with-attribution"
39 +SLOT="2"
40 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
41 +IUSE="authdaemond berkdb gdbm kerberos ldapdb libressl openldap mysql pam postgres sample selinux sqlite srp ssl static-libs urandom"
42 +
43 +CDEPEND="
44 + net-mail/mailbase
45 + authdaemond? ( || ( net-mail/courier-imap mail-mta/courier ) )
46 + berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] )
47 + gdbm? ( >=sys-libs/gdbm-1.10-r1:=[${MULTILIB_USEDEP}] )
48 + kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
49 + openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
50 + mysql? ( dev-db/mysql-connector-c:0=[${MULTILIB_USEDEP}] )
51 + pam? ( >=sys-libs/pam-0-r1[${MULTILIB_USEDEP}] )
52 + postgres? ( dev-db/postgresql:* )
53 + sqlite? ( >=dev-db/sqlite-3.8.2:3[${MULTILIB_USEDEP}] )
54 + ssl? (
55 + !libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
56 + libressl? ( dev-libs/libressl:=[${MULTILIB_USEDEP}] )
57 + )
58 + java? ( >=virtual/jdk-1.6:= )"
59 +
60 +REQUIRED_USE="ldapdb? ( openldap )"
61 +
62 +RDEPEND="
63 + ${CDEPEND}
64 + selinux? ( sec-policy/selinux-sasl )"
65 +
66 +DEPEND="${CDEPEND}"
67 +
68 +MULTILIB_WRAPPED_HEADERS=(
69 + /usr/include/sasl/md5global.h
70 +)
71 +
72 +PATCHES=(
73 + "${FILESDIR}/${PN}-2.1.27-avoid_pic_overwrite.patch"
74 + "${FILESDIR}/${PN}-2.1.27-autotools_fixes.patch"
75 + "${FILESDIR}/${PN}-2.1.27-as_needed.patch"
76 + "${FILESDIR}/${PN}-2.1.25-auxprop.patch"
77 + "${FILESDIR}/${PN}-2.1.27-gss_c_nt_hostbased_service.patch"
78 + "${FILESDIR}/${PN}-2.1.26-missing-size_t.patch"
79 + "${FILESDIR}/${PN}-2.1.27-doc_build_fix.patch"
80 + "${FILESDIR}/${PN}-2.1.27-memmem.patch"
81 + "${FILESDIR}/${PN}-2.1.27-CVE-2019-19906.patch"
82 +)
83 +
84 +pkg_setup() {
85 + java-pkg-opt-2_pkg_setup
86 +}
87 +
88 +src_prepare() {
89 + default
90 +
91 + # Get rid of the -R switch (runpath_switch for Sun)
92 + # >=gcc-4.6 errors out with unknown option
93 + sed -i -e '/LIB_SQLITE.*-R/s/ -R[^"]*//' \
94 + configure.ac || die
95 +
96 + # Use plugindir for sasldir
97 + sed -i '/^sasldir =/s:=.*:= $(plugindir):' \
98 + "${S}"/plugins/Makefile.{am,in} || die "sed failed"
99 +
100 + # #486740 #468556
101 + sed -i -e 's:AM_CONFIG_HEADER:AC_CONFIG_HEADERS:g' \
102 + -e 's:AC_CONFIG_MACRO_DIR:AC_CONFIG_MACRO_DIRS:g' \
103 + configure.ac || die
104 +
105 + eautoreconf
106 +}
107 +
108 +src_configure() {
109 + append-flags -fno-strict-aliasing
110 + if [[ ${CHOST} == *-solaris* ]] ; then
111 + # getpassphrase is defined in /usr/include/stdlib.h
112 + append-cppflags -DHAVE_GETPASSPHRASE
113 + else
114 + # this horrendously breaks things on Solaris
115 + append-cppflags -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED -D_BSD_SOURCE -DLDAP_DEPRECATED
116 + fi
117 +
118 + multilib-minimal_src_configure
119 +}
120 +
121 +multilib_src_configure() {
122 + # Java support.
123 + multilib_is_native_abi && use java && export JAVAC="${JAVAC} ${JAVACFLAGS}"
124 +
125 + local myeconfargs=(
126 + --enable-login
127 + --enable-ntlm
128 + --enable-auth-sasldb
129 + --disable-cmulocal
130 + --disable-krb4
131 + --disable-macos-framework
132 + --enable-otp
133 + --without-sqlite
134 + --with-saslauthd="${EPREFIX}"/run/saslauthd
135 + --with-pwcheck="${EPREFIX}"/run/saslauthd
136 + --with-configdir="${EPREFIX}"/etc/sasl2
137 + --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sasl2
138 + --with-dbpath="${EPREFIX}"/etc/sasl2/sasldb2
139 + --with-sphinx-build=no
140 + $(use_with ssl openssl)
141 + $(use_with pam)
142 + $(use_with openldap ldap)
143 + $(use_enable ldapdb)
144 + $(multilib_native_use_enable sample)
145 + $(use_enable kerberos gssapi)
146 + $(multilib_native_use_enable java)
147 + $(multilib_native_use_with mysql mysql "${EPREFIX}"/usr)
148 + $(multilib_native_use_with postgres pgsql "${EPREFIX}"/usr/$(get_libdir)/postgresql)
149 + $(use_with sqlite sqlite3 "${EPREFIX}"/usr/$(get_libdir))
150 + $(use_enable srp)
151 + $(use_enable static-libs static)
152 +
153 + # Add authdaemond support (bug #56523).
154 + $(usex authdaemond --with-authdaemond="${EPREFIX}"/var/lib/courier/authdaemon/socket '')
155 +
156 + # Fix for bug #59634.
157 + $(usex ssl '' --without-des)
158 +
159 + # Use /dev/urandom instead of /dev/random (bug #46038).
160 + $(usex urandom --with-devrandom=/dev/urandom '')
161 + )
162 +
163 + if use sqlite || { multilib_is_native_abi && { use mysql || use postgres; }; } ; then
164 + myeconfargs+=( --enable-sql )
165 + else
166 + myeconfargs+=( --disable-sql )
167 + fi
168 +
169 + # Default to GDBM if both 'gdbm' and 'berkdb' are present.
170 + if use gdbm ; then
171 + einfo "Building with GNU DB as database backend for your SASLdb"
172 + myeconfargs+=( --with-dblib=gdbm )
173 + elif use berkdb ; then
174 + einfo "Building with BerkeleyDB as database backend for your SASLdb"
175 + myeconfargs+=(
176 + --with-dblib=berkeley
177 + --with-bdb-incdir="$(db_includedir)"
178 + )
179 + else
180 + einfo "Building without SASLdb support"
181 + myeconfargs+=( --with-dblib=none )
182 + fi
183 +
184 + ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
185 +}
186 +
187 +multilib_src_compile() {
188 + emake
189 +
190 + # Default location for java classes breaks OpenOffice (bug #60769).
191 + # Thanks to axxo@g.o for the solution.
192 + if multilib_is_native_abi && use java ; then
193 + jar -cvf ${PN}.jar -C java $(find java -name "*.class")
194 + fi
195 +}
196 +
197 +multilib_src_install() {
198 + default
199 +
200 + if multilib_is_native_abi; then
201 + if use sample ; then
202 + docinto sample
203 + dodoc "${S}"/sample/*.c
204 + exeinto /usr/share/doc/${P}/sample
205 + doexe sample/client sample/server
206 + fi
207 +
208 + # Default location for java classes breaks OpenOffice (bug #60769).
209 + if use java; then
210 + java-pkg_dojar ${PN}.jar
211 + java-pkg_regso "${ED}/usr/$(get_libdir)/libjavasasl$(get_libname)"
212 + # hackish, don't wanna dig through makefile
213 + rm -rf "${ED}/usr/$(get_libdir)/java" || die
214 + docinto "java"
215 + dodoc "${S}/java/README" "${FILESDIR}/java.README.gentoo" "${S}"/java/doc/*
216 + dodir "/usr/share/doc/${PF}/java/Test"
217 + insinto "/usr/share/doc/${PF}/java/Test"
218 + doins "${S}"/java/Test/*.java
219 + fi
220 +
221 + dosbin saslauthd/testsaslauthd
222 + fi
223 +}
224 +
225 +multilib_src_install_all() {
226 + doman man/*
227 +
228 + keepdir /etc/sasl2
229 +
230 + # Reset docinto to default value (#674296)
231 + docinto
232 + dodoc AUTHORS ChangeLog doc/legacy/TODO
233 + newdoc pwcheck/README README.pwcheck
234 +
235 + newdoc docsrc/sasl/release-notes/$(ver_cut 1-2)/index.rst release-notes
236 + edos2unix ${ED%/}/usr/share/doc/${PF}/release-notes
237 +
238 + docinto html
239 + dodoc doc/html/*.html
240 +
241 + newpamd "${FILESDIR}/saslauthd.pam-include" saslauthd
242 +
243 + newinitd "${FILESDIR}/pwcheck.rc6" pwcheck
244 + systemd_dounit "${FILESDIR}/pwcheck.service"
245 +
246 + newinitd "${FILESDIR}/saslauthd2.rc7" saslauthd
247 + newconfd "${FILESDIR}/saslauthd-${SASLAUTHD_CONF_VER}.conf" saslauthd
248 + systemd_dounit "${FILESDIR}/saslauthd.service"
249 + systemd_dotmpfilesd "${FILESDIR}/${PN}.conf"
250 +
251 + # The get_modname bit is important: do not remove the .la files on
252 + # platforms where the lib isn't called .so for cyrus searches the .la to
253 + # figure out what the name is supposed to be instead
254 + if ! use static-libs && [[ $(get_modname) == .so ]] ; then
255 + find "${ED}" -name "*.la" -delete || die
256 + fi
257 +}
258 +
259 +pkg_postinst () {
260 + # Generate an empty sasldb2 with correct permissions.
261 + if ( use berkdb || use gdbm ) && [[ ! -f "${EROOT}/etc/sasl2/sasldb2" ]] ; then
262 + einfo "Generating an empty sasldb2 with correct permissions ..."
263 + echo "p" | "${EROOT}/usr/sbin/saslpasswd2" -f "${EROOT}/etc/sasl2/sasldb2" -p login \
264 + || die "Failed to generate sasldb2"
265 + "${EROOT}/usr/sbin/saslpasswd2" -f "${EROOT}/etc/sasl2/sasldb2" -d login \
266 + || die "Failed to delete temp user"
267 + chown root:mail "${EROOT}/etc/sasl2/sasldb2" \
268 + || die "Failed to chown ${EROOT}/etc/sasl2/sasldb2"
269 + chmod 0640 "${EROOT}/etc/sasl2/sasldb2" \
270 + || die "Failed to chmod ${EROOT}/etc/sasl2/sasldb2"
271 + fi
272 +
273 + if use authdaemond ; then
274 + elog "You need to add a user running a service using Courier's"
275 + elog "authdaemon to the 'mail' group. For example, do:"
276 + elog " gpasswd -a postfix mail"
277 + elog "to add the 'postfix' user to the 'mail' group."
278 + fi
279 +
280 + elog "pwcheck and saslauthd home directories have moved to:"
281 + elog " /run/saslauthd, using tmpfiles.d"
282 +}
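Review bot: In pkg_postinst the bootstrap sasldb2 is created by saslpasswd2 with a throwaway user `login` and the piped password `p`, and ownership and mode are only tightened afterwards by the `chown root:mail` / `chmod 0640` pair, so until that point the database (containing a guessable entry) exists with whatever mode the default umask gives it. Running the creation under a restrictive umask closes that window, e.g. `( umask 077; echo "p" | "${EROOT}/usr/sbin/saslpasswd2" -f "${EROOT}/etc/sasl2/sasldb2" -p login ) || die "Failed to generate sasldb2"`, with the existing chmod still normalising to 0640 afterwards. Separately, each `die` in this phase fires after the package is already merged, so a failure leaves cyrus-sasl installed without a usable sasldb2; `eerror` plus an early return reports the problem without that inconsistency. This block is presumably carried over unchanged from the previous revision rather than introduced here, so it may be better handled in a follow-up.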
283
284 diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.27-CVE-2019-19906.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.27-CVE-2019-19906.patch
285 new file mode 100644
286 index 00000000000..82b9e1fb6db
287 --- /dev/null
288 +++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.27-CVE-2019-19906.patch
289 @@ -0,0 +1,20 @@
290 +Description: CVE-2019-19906: Off-by-one in _sasl_add_string function
291 +Origin: vendor
292 +Bug: https://github.com/cyrusimap/cyrus-sasl/issues/587
293 +Bug-Debian: https://bugs.debian.org/947043
294 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-19906
295 +Author: Stephan Zeisberg <stephan@××××××.de>
296 +Reviewed-by: Salvatore Bonaccorso <carnil@××××××.org>
297 +Last-Update: 2019-12-19
298 +
299 +--- a/lib/common.c
300 ++++ b/lib/common.c
301 +@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t
302 +
303 + if (add==NULL) add = "(null)";
304 +
305 +- addlen=strlen(add); /* only compute once */
306 ++ addlen=strlen(add)+1; /* only compute once */
307 + if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK)
308 + return SASL_NOMEM;
309 +
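Review bot: The hunk only shows the new `strlen(add)+1` feeding `_buf_alloc`; the later uses of `addlen` — the copy into `*out` and the `*outlen` update — are outside the hunk, so whether `*outlen` now also counts the terminator, and whether callers tolerate that, cannot be confirmed from this page and should be compared line by line with the upstream fix for issue 587. The DEP-3 header says `Origin: vendor` and cites only the issue URL, so recording the upstream commit (e.g. `Origin: upstream, <commit url>`) would let future rebases verify the Gentoo copy still matches upstream. `_sasl_add_string` starts and ends outside the hunk.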