
From: Sam James <sam@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-auth/sssd/
Date: Sat, 18 Sep 2021 23:46:05
Message-Id: 1632008631.0fd94449ab622b0de7e70b8c47cada64dd0349e7.sam@gentoo
1 commit: 0fd94449ab622b0de7e70b8c47cada64dd0349e7
2 Author: Jeremi Piotrowski <jpiotrowski <AT> microsoft <DOT> com>
3 AuthorDate: Tue Aug 24 13:26:41 2021 +0000
4 Commit: Sam James <sam <AT> gentoo <DOT> org>
5 CommitDate: Sat Sep 18 23:43:51 2021 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0fd94449
7
8 sys-auth/sssd: add patch for CVE-2021-3621 for 2.3.1
9
10 This is a backport of https://github.com/SSSD/sssd/pull/5748 adapted to 2.3.1.
11 A change was necessary: src/tools/sssctl/sssctl_logs.c wasn't passing
12 '--no-create' to truncate in 2.3.1 yet.
13
14 [sam@: moved file to devspace due to patch size]
15
16 Bug: https://bugs.gentoo.org/808911
17 Signed-off-by: Jeremi Piotrowski <jpiotrowski <AT> microsoft.com>
18 Closes: https://github.com/gentoo/gentoo/pull/22159
19 Signed-off-by: Sam James <sam <AT> gentoo.org>
20
21 sys-auth/sssd/Manifest | 1 +
22 sys-auth/sssd/sssd-2.3.1-r3.ebuild | 290 +++++++++++++++++++++++++++++++++++++
23 2 files changed, 291 insertions(+)
24
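--- a/sys-auth/sssd/Manifest
+++ b/sys-auth/sssd/Manifest
@@ -1,2 +1,3 @@
+DIST sssd-2.3.1-CVE-2021-3621.patch.bz2 3174 BLAKE2B 201c51fff92dd17d9517834e59a12422850ee3c5aab1efff51bcdc5b82521516589271222b6be36d12da2a388d122d37e9f455d593f22551ba9ea58ead694b49 SHA512 faffe46b710e3f8b2db54fc4f637b176b72f6bc31a2d5d1cae7a5ffc81609c4faa5decee1d6db4b2bf87451677c8eda068e153e38755f013afbce982daf58f65
 DIST sssd-2.3.1.tar.gz 7186526 BLAKE2B 6d630fe75b9b426ef54adbe1704fde8e01fc34df7861028c07ce2985db8a151ce743d633061386fea6460fe8eabb89242b816d4bac87975bb9b7b2064ad1d547 SHA512 6aeb52d5222c5992d581296996749327bcaf276e4eb4413a6a32ea6529343432cfe413006aca4245c19b38b515be1c4c2ef88a157c617d889274179253355bc6
 DIST sssd-2.5.2.tar.gz 7579208 BLAKE2B ec5d9aeaf5b5e05b56c01f9137f6f24db05544dbd48458d742285b60e7beb6d48af865f3415e11ce89e187f4643bbecf15bbb321859ec80cfe458eb781cea6c9 SHA512 a9bac7b2cc23022dce3bcda314c9c26a0a0914c448f6d5a51c5ba18670f04c1fd1a94cb20173235b6285df1dcc9251cb6b3f3e71a220037b4eb66668e6f33c48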
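--- /dev/null
+++ b/sys-auth/sssd/sssd-2.3.1-r3.ebuild
@@ -0,0 +1,290 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{7,8,9} )
+
+inherit autotools flag-o-matic linux-info multilib-minimal python-single-r1 pam systemd toolchain-funcs
+
+DESCRIPTION="System Security Services Daemon provides access to identity and authentication"
+HOMEPAGE="https://github.com/SSSD/sssd"
+SRC_URI="https://github.com/SSSD/sssd/releases/download/${PN}-${PV//./_}/${P}.tar.gz"
+SRC_URI+=" https://dev.gentoo.org/~sam/distfiles/${CATEGORY}/${PN}/${P}-CVE-2021-3621.patch.bz2"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc x86"
+IUSE="acl doc +locator +netlink nfsv4 nls +man pac python samba selinux sudo systemd test valgrind"
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="pac? ( samba )
+ python? ( ${PYTHON_REQUIRED_USE} )"
+
+DEPEND="
+ >=app-crypt/mit-krb5-1.10.3
+ app-crypt/p11-kit
+ >=dev-libs/ding-libs-0.2
+ dev-libs/glib:2
+ >=dev-libs/cyrus-sasl-2.1.25-r3[kerberos]
+ >=dev-libs/libpcre-8.30:=
+ >=dev-libs/popt-1.16
+ >=dev-libs/openssl-1.0.2:0=
+ >=net-dns/bind-tools-9.9[gssapi]
+ >=net-dns/c-ares-1.7.4
+ >=net-nds/openldap-2.4.30[sasl]
+ >=sys-apps/dbus-1.6
+ >=sys-apps/keyutils-1.5:=
+ >=sys-libs/pam-0-r1[${MULTILIB_USEDEP}]
+ >=sys-libs/talloc-2.0.7
+ >=sys-libs/tdb-1.2.9
+ >=sys-libs/tevent-0.9.16
+ >=sys-libs/ldb-1.1.17-r1:=
+ virtual/libintl
+ locator? (
+ >=app-crypt/mit-krb5-1.12.2[${MULTILIB_USEDEP}]
+ >=net-dns/c-ares-1.10.0-r1[${MULTILIB_USEDEP}]
+ )
+ acl? ( net-fs/cifs-utils[acl] )
+ netlink? ( dev-libs/libnl:3 )
+ nfsv4? ( || ( >=net-fs/nfs-utils-2.3.1-r2 net-libs/libnfsidmap ) )
+ nls? ( >=sys-devel/gettext-0.18 )
+ pac? (
+ app-crypt/mit-krb5[${MULTILIB_USEDEP}]
+ net-fs/samba
+ )
+ python? ( ${PYTHON_DEPS} )
+ samba? ( >=net-fs/samba-4.10.2[winbind] )
+ selinux? (
+ >=sys-libs/libselinux-2.1.9
+ >=sys-libs/libsemanage-2.1
+ )
+ systemd? (
+ dev-libs/jansson:0=
+ net-libs/http-parser:0=
+ net-misc/curl:0=
+ )"
+RDEPEND="${DEPEND}
+ >=sys-libs/glibc-2.17[nscd]
+ selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 )"
+BDEPEND=">=sys-devel/autoconf-2.69-r5
+ virtual/pkgconfig
+ doc? ( app-doc/doxygen )
+ test? (
+ dev-libs/check
+ dev-libs/softhsm:2
+ dev-util/cmocka
+ net-libs/gnutls[pkcs11,tools]
+ sys-libs/libfaketime
+ sys-libs/nss_wrapper
+ sys-libs/pam_wrapper
+ sys-libs/uid_wrapper
+ valgrind? ( dev-util/valgrind )
+ )
+ man? (
+ app-text/docbook-xml-dtd:4.4
+ >=dev-libs/libxslt-1.1.26
+ nls? ( app-text/po4a )
+ )"
+
+CONFIG_CHECK="~KEYS"
+
+MULTILIB_WRAPPED_HEADERS=(
+ /usr/include/ipa_hbac.h
+ /usr/include/sss_idmap.h
+ /usr/include/sss_nss_idmap.h
+ # --with-ifp
+ /usr/include/sss_sifp.h
+ /usr/include/sss_sifp_dbus.h
+ # from 1.15.3
+ /usr/include/sss_certmap.h
+)
+
+PATCHES=(
+ "${FILESDIR}"/${P}-test_ca-Look-for-libsofthsm2.so-in-usr-libdir-sofths.patch
+ "${WORKDIR}"/${P}-CVE-2021-3621.patch
+)
+
+pkg_setup() {
+ linux-info_pkg_setup
+}
+
+src_prepare() {
+ sed -i 's:/var/run:/run:' \
+ "${S}"/src/examples/logrotate || die
+
+ default
+ eautoreconf
+ multilib_copy_sources
+ if use python && multilib_is_native_abi; then
+ python_setup
+ fi
+}
+
+src_configure() {
+ local native_dbus_cflags=$($(tc-getPKG_CONFIG) --cflags dbus-1)
+
+ multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+ local myconf=()
+
+ myconf+=(
+ --localstatedir="${EPREFIX}"/var
+ --runstatedir="${EPREFIX}"/run
+ --with-pid-path="${EPREFIX}"/run
+ --with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd
+ --enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir)
+ --with-ldb-lib-dir="${EPREFIX}"/usr/$(get_libdir)/samba/ldb
+ --with-db-path="${EPREFIX}"/var/lib/sss/db
+ --with-gpo-cache-path="${EPREFIX}"/var/lib/sss/gpo_cache
+ --with-pubconf-path="${EPREFIX}"/var/lib/sss/pubconf
+ --with-pipe-path="${EPREFIX}"/var/lib/sss/pipes
+ --with-mcache-path="${EPREFIX}"/var/lib/sss/mc
+ --with-secrets-db-path="${EPREFIX}"/var/lib/sss/secrets
+ --with-log-path="${EPREFIX}"/var/log/sssd
+ --with-os=gentoo
+ --with-nscd="${EPREFIX}"/usr/sbin/nscd
+ --with-unicode-lib="glib2"
+ --disable-rpath
+ --sbindir=/usr/sbin
+ --with-crypto="libcrypto"
+ --enable-local-provider
+ $(multilib_native_use_with systemd kcm)
+ $(multilib_native_use_with systemd secrets)
+ $(use_with samba)
+ --with-smb-idmap-interface-version=6
+ $(multilib_native_use_enable acl cifs-idmap-plugin)
+ $(multilib_native_use_with selinux)
+ $(multilib_native_use_with selinux semanage)
+ $(use_enable locator krb5-locator-plugin)
+ $(use_enable pac pac-responder)
+ $(multilib_native_use_with nfsv4 nfsv4-idmapd-plugin)
+ $(use_enable nls)
+ $(multilib_native_use_with netlink libnl)
+ $(multilib_native_use_with man manpages)
+ $(multilib_native_use_with sudo)
+ $(multilib_native_with autofs)
+ $(multilib_native_with ssh)
+ $(use_enable valgrind)
+ --without-python2-bindings
+ $(multilib_native_use_with python python3-bindings)
+ )
+
+ # Annoyingly configure requires that you pick systemd XOR sysv
+ if use systemd; then
+ myconf+=(
+ --with-initscript="systemd"
+ --with-systemdunitdir=$(systemd_get_systemunitdir)
+ )
+ else
+ myconf+=(--with-initscript="sysv")
+ fi
+
+ if ! multilib_is_native_abi; then
+ # work-around all the libraries that are used for CLI and server
+ myconf+=(
+ {POPT,TALLOC,TDB,TEVENT,LDB}_{CFLAGS,LIBS}=' '
+ # ldb headers are fine since native needs it
+ # ldb lib fails... but it does not seem to bother
+ {DHASH,COLLECTION,INI_CONFIG_V{0,1,1_1,1_3}}_{CFLAGS,LIBS}=' '
+ {PCRE,CARES,SYSTEMD_LOGIN,SASL,GLIB2,DBUS,CRYPTO,P11_KIT}_{CFLAGS,LIBS}=' '
+ {NDR_NBT,SMBCLIENT,NDR_KRB5PAC}_{CFLAGS,LIBS}=' '
+
+ # use native include path for dbus (needed for build)
+ DBUS_CFLAGS="${native_dbus_cflags}"
+
+ # non-pkgconfig checks
+ ac_cv_lib_ldap_ldap_search=yes
+ --without-secrets
+ --without-kcm
+ )
+ fi
+
+ econf "${myconf[@]}"
+}
+
+multilib_src_compile() {
+ if multilib_is_native_abi; then
+ default
+ use doc && emake docs
+ if use man || use nls; then
+ emake update-po
+ fi
+ else
+ emake libnss_sss.la pam_sss.la
+ use locator && emake sssd_krb5_locator_plugin.la
+ use pac && emake sssd_pac_plugin.la
+ fi
+}
+
+multilib_src_install() {
+ if multilib_is_native_abi; then
+ emake -j1 DESTDIR="${D}" "${_at_args[@]}" install
+ if use python; then
+ python_optimize
+ python_fix_shebang "${ED}"
+ fi
+
+ else
+ # easier than playing with automake...
+ dopammod .libs/pam_sss.so
+
+ into /
+ dolib.so .libs/libnss_sss.so*
+
+ if use locator; then
+ exeinto /usr/$(get_libdir)/krb5/plugins/libkrb5
+ doexe .libs/sssd_krb5_locator_plugin.so
+ fi
+
+ if use pac; then
+ exeinto /usr/$(get_libdir)/krb5/plugins/authdata
+ doexe .libs/sssd_pac_plugin.so
+ fi
+ fi
+}
+
+multilib_src_install_all() {
+ einstalldocs
+ find "${ED}" -type f -name '*.la' -delete || die
+
+ insinto /etc/sssd
+ insopts -m600
+ doins "${S}"/src/examples/sssd-example.conf
+
+ insinto /etc/logrotate.d
+ insopts -m644
+ newins "${S}"/src/examples/logrotate sssd
+
+ newconfd "${FILESDIR}"/sssd.conf sssd
+
+ keepdir /var/lib/sss/db
+ keepdir /var/lib/sss/deskprofile
+ keepdir /var/lib/sss/gpo_cache
+ keepdir /var/lib/sss/keytabs
+ keepdir /var/lib/sss/mc
+ keepdir /var/lib/sss/pipes/private
+ keepdir /var/lib/sss/pubconf/krb5.include.d
+ keepdir /var/lib/sss/secrets
+ keepdir /var/log/sssd
+
+ # strip empty dirs
+ if ! use doc ; then
+ rm -r "${ED}"/usr/share/doc/"${PF}"/doc || die
+ rm -r "${ED}"/usr/share/doc/"${PF}"/{hbac,idmap,nss_idmap,sss_simpleifp}_doc || die
+ fi
+
+ rm -r "${ED}"/run || die
+}
+
+multilib_src_test() {
+ multilib_is_native_abi && emake check
+}
+
+pkg_postinst() {
+ elog "You must set up sssd.conf (default installed into /etc/sssd)"
+ elog "and (optionally) configuration in /etc/pam.d in order to use SSSD"
+ elog "features. Please see howto in https://sssd.io/docs/design_pages/smartcard_authentication_require.html"
+}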
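Review bot: `multilib_src_install` passes `"${_at_args[@]}"` to `emake ... install`, yet nothing in this ebuild assigns `_at_args` and none of the inherited eclasses is known to provide it, so the expansion is empty and reads as a leftover from an earlier revision; the line can be reduced to `emake -j1 DESTDIR="${D}" install`. In `multilib_src_configure`, `--sbindir=/usr/sbin` is the only installation path given without `"${EPREFIX}"`, unlike every `--with-*-path` option around it, which is inconsistent for prefixed installs. The CVE-2021-3621 backport is pulled in through `SRC_URI` from a developer's devspace and applied from `${WORKDIR}` rather than shipped in `FILESDIR`; the commit message explains this is due to patch size, but the ebuild itself does not, so a comment above the `SRC_URI+=` line such as `# CVE-2021-3621 backport is fetched from devspace because of its size; its BLAKE2B/SHA512 are pinned in Manifest` would keep that rationale next to the code.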