1 |
commit: 0fd94449ab622b0de7e70b8c47cada64dd0349e7 |
2 |
Author: Jeremi Piotrowski <jpiotrowski <AT> microsoft <DOT> com> |
3 |
AuthorDate: Tue Aug 24 13:26:41 2021 +0000 |
4 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
5 |
CommitDate: Sat Sep 18 23:43:51 2021 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0fd94449 |
7 |
|
8 |
sys-auth/sssd: add patch for CVE-2021-3621 for 2.3.1 |
9 |
|
10 |
This is a backport of https://github.com/SSSD/sssd/pull/5748 adapted to 2.3.1. |
11 |
A change was necessary: src/tools/sssctl/sssctl_logs.c wasn't passing |
12 |
'--no-create' to truncate in 2.3.1 yet. |
13 |
|
14 |
[sam@: moved file to devspace due to patch size] |
15 |
|
16 |
Bug: https://bugs.gentoo.org/808911 |
17 |
Signed-off-by: Jeremi Piotrowski <jpiotrowski <AT> microsoft.com> |
18 |
Closes: https://github.com/gentoo/gentoo/pull/22159 |
19 |
Signed-off-by: Sam James <sam <AT> gentoo.org> |
20 |
|
21 |
sys-auth/sssd/Manifest | 1 + |
22 |
sys-auth/sssd/sssd-2.3.1-r3.ebuild | 290 +++++++++++++++++++++++++++++++++++++ |
23 |
2 files changed, 291 insertions(+) |
24 |
|
25 |
diff --git a/sys-auth/sssd/Manifest b/sys-auth/sssd/Manifest |
26 |
index 3143bfe9821..cb3f830192c 100644 |
27 |
--- a/sys-auth/sssd/Manifest |
28 |
+++ b/sys-auth/sssd/Manifest |
29 |
@@ -1,2 +1,3 @@ |
30 |
+DIST sssd-2.3.1-CVE-2021-3621.patch.bz2 3174 BLAKE2B 201c51fff92dd17d9517834e59a12422850ee3c5aab1efff51bcdc5b82521516589271222b6be36d12da2a388d122d37e9f455d593f22551ba9ea58ead694b49 SHA512 faffe46b710e3f8b2db54fc4f637b176b72f6bc31a2d5d1cae7a5ffc81609c4faa5decee1d6db4b2bf87451677c8eda068e153e38755f013afbce982daf58f65 |
31 |
DIST sssd-2.3.1.tar.gz 7186526 BLAKE2B 6d630fe75b9b426ef54adbe1704fde8e01fc34df7861028c07ce2985db8a151ce743d633061386fea6460fe8eabb89242b816d4bac87975bb9b7b2064ad1d547 SHA512 6aeb52d5222c5992d581296996749327bcaf276e4eb4413a6a32ea6529343432cfe413006aca4245c19b38b515be1c4c2ef88a157c617d889274179253355bc6 |
32 |
DIST sssd-2.5.2.tar.gz 7579208 BLAKE2B ec5d9aeaf5b5e05b56c01f9137f6f24db05544dbd48458d742285b60e7beb6d48af865f3415e11ce89e187f4643bbecf15bbb321859ec80cfe458eb781cea6c9 SHA512 a9bac7b2cc23022dce3bcda314c9c26a0a0914c448f6d5a51c5ba18670f04c1fd1a94cb20173235b6285df1dcc9251cb6b3f3e71a220037b4eb66668e6f33c48 |
33 |
|
34 |
diff --git a/sys-auth/sssd/sssd-2.3.1-r3.ebuild b/sys-auth/sssd/sssd-2.3.1-r3.ebuild |
35 |
new file mode 100644 |
36 |
index 00000000000..4df7454beca |
37 |
--- /dev/null |
38 |
+++ b/sys-auth/sssd/sssd-2.3.1-r3.ebuild |
39 |
@@ -0,0 +1,290 @@ |
40 |
+# Copyright 1999-2021 Gentoo Authors |
41 |
+# Distributed under the terms of the GNU General Public License v2 |
42 |
+ |
43 |
+EAPI=7 |
44 |
+ |
45 |
+PYTHON_COMPAT=( python3_{7,8,9} ) |
46 |
+ |
47 |
+inherit autotools flag-o-matic linux-info multilib-minimal python-single-r1 pam systemd toolchain-funcs |
48 |
+ |
49 |
+DESCRIPTION="System Security Services Daemon provides access to identity and authentication" |
50 |
+HOMEPAGE="https://github.com/SSSD/sssd" |
51 |
+SRC_URI="https://github.com/SSSD/sssd/releases/download/${PN}-${PV//./_}/${P}.tar.gz" |
52 |
+SRC_URI+=" https://dev.gentoo.org/~sam/distfiles/${CATEGORY}/${PN}/${P}-CVE-2021-3621.patch.bz2" |
53 |
+ |
54 |
+LICENSE="GPL-3" |
55 |
+SLOT="0" |
56 |
+KEYWORDS="amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc x86" |
57 |
+IUSE="acl doc +locator +netlink nfsv4 nls +man pac python samba selinux sudo systemd test valgrind" |
58 |
+RESTRICT="!test? ( test )" |
59 |
+ |
60 |
+REQUIRED_USE="pac? ( samba ) |
61 |
+ python? ( ${PYTHON_REQUIRED_USE} )" |
62 |
+ |
63 |
+DEPEND=" |
64 |
+ >=app-crypt/mit-krb5-1.10.3 |
65 |
+ app-crypt/p11-kit |
66 |
+ >=dev-libs/ding-libs-0.2 |
67 |
+ dev-libs/glib:2 |
68 |
+ >=dev-libs/cyrus-sasl-2.1.25-r3[kerberos] |
69 |
+ >=dev-libs/libpcre-8.30:= |
70 |
+ >=dev-libs/popt-1.16 |
71 |
+ >=dev-libs/openssl-1.0.2:0= |
72 |
+ >=net-dns/bind-tools-9.9[gssapi] |
73 |
+ >=net-dns/c-ares-1.7.4 |
74 |
+ >=net-nds/openldap-2.4.30[sasl] |
75 |
+ >=sys-apps/dbus-1.6 |
76 |
+ >=sys-apps/keyutils-1.5:= |
77 |
+ >=sys-libs/pam-0-r1[${MULTILIB_USEDEP}] |
78 |
+ >=sys-libs/talloc-2.0.7 |
79 |
+ >=sys-libs/tdb-1.2.9 |
80 |
+ >=sys-libs/tevent-0.9.16 |
81 |
+ >=sys-libs/ldb-1.1.17-r1:= |
82 |
+ virtual/libintl |
83 |
+ locator? ( |
84 |
+ >=app-crypt/mit-krb5-1.12.2[${MULTILIB_USEDEP}] |
85 |
+ >=net-dns/c-ares-1.10.0-r1[${MULTILIB_USEDEP}] |
86 |
+ ) |
87 |
+ acl? ( net-fs/cifs-utils[acl] ) |
88 |
+ netlink? ( dev-libs/libnl:3 ) |
89 |
+ nfsv4? ( || ( >=net-fs/nfs-utils-2.3.1-r2 net-libs/libnfsidmap ) ) |
90 |
+ nls? ( >=sys-devel/gettext-0.18 ) |
91 |
+ pac? ( |
92 |
+ app-crypt/mit-krb5[${MULTILIB_USEDEP}] |
93 |
+ net-fs/samba |
94 |
+ ) |
95 |
+ python? ( ${PYTHON_DEPS} ) |
96 |
+ samba? ( >=net-fs/samba-4.10.2[winbind] ) |
97 |
+ selinux? ( |
98 |
+ >=sys-libs/libselinux-2.1.9 |
99 |
+ >=sys-libs/libsemanage-2.1 |
100 |
+ ) |
101 |
+ systemd? ( |
102 |
+ dev-libs/jansson:0= |
103 |
+ net-libs/http-parser:0= |
104 |
+ net-misc/curl:0= |
105 |
+ )" |
106 |
+RDEPEND="${DEPEND} |
107 |
+ >=sys-libs/glibc-2.17[nscd] |
108 |
+ selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 )" |
109 |
+BDEPEND=">=sys-devel/autoconf-2.69-r5 |
110 |
+ virtual/pkgconfig |
111 |
+ doc? ( app-doc/doxygen ) |
112 |
+ test? ( |
113 |
+ dev-libs/check |
114 |
+ dev-libs/softhsm:2 |
115 |
+ dev-util/cmocka |
116 |
+ net-libs/gnutls[pkcs11,tools] |
117 |
+ sys-libs/libfaketime |
118 |
+ sys-libs/nss_wrapper |
119 |
+ sys-libs/pam_wrapper |
120 |
+ sys-libs/uid_wrapper |
121 |
+ valgrind? ( dev-util/valgrind ) |
122 |
+ ) |
123 |
+ man? ( |
124 |
+ app-text/docbook-xml-dtd:4.4 |
125 |
+ >=dev-libs/libxslt-1.1.26 |
126 |
+ nls? ( app-text/po4a ) |
127 |
+ )" |
128 |
+ |
129 |
+CONFIG_CHECK="~KEYS" |
130 |
+ |
131 |
+MULTILIB_WRAPPED_HEADERS=( |
132 |
+ /usr/include/ipa_hbac.h |
133 |
+ /usr/include/sss_idmap.h |
134 |
+ /usr/include/sss_nss_idmap.h |
135 |
+ # --with-ifp |
136 |
+ /usr/include/sss_sifp.h |
137 |
+ /usr/include/sss_sifp_dbus.h |
138 |
+ # from 1.15.3 |
139 |
+ /usr/include/sss_certmap.h |
140 |
+) |
141 |
+ |
142 |
+PATCHES=( |
143 |
+ "${FILESDIR}"/${P}-test_ca-Look-for-libsofthsm2.so-in-usr-libdir-sofths.patch |
144 |
+ "${WORKDIR}"/${P}-CVE-2021-3621.patch |
145 |
+) |
146 |
+ |
147 |
+pkg_setup() { |
148 |
+ linux-info_pkg_setup |
149 |
+} |
150 |
+ |
151 |
+src_prepare() { |
152 |
+ sed -i 's:/var/run:/run:' \ |
153 |
+ "${S}"/src/examples/logrotate || die |
154 |
+ |
155 |
+ default |
156 |
+ eautoreconf |
157 |
+ multilib_copy_sources |
158 |
+ if use python && multilib_is_native_abi; then |
159 |
+ python_setup |
160 |
+ fi |
161 |
+} |
162 |
+ |
163 |
+src_configure() { |
164 |
+ local native_dbus_cflags=$($(tc-getPKG_CONFIG) --cflags dbus-1) |
165 |
+ |
166 |
+ multilib-minimal_src_configure |
167 |
+} |
168 |
+ |
169 |
+multilib_src_configure() { |
170 |
+ local myconf=() |
171 |
+ |
172 |
+ myconf+=( |
173 |
+ --localstatedir="${EPREFIX}"/var |
174 |
+ --runstatedir="${EPREFIX}"/run |
175 |
+ --with-pid-path="${EPREFIX}"/run |
176 |
+ --with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd |
177 |
+ --enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir) |
178 |
+ --with-ldb-lib-dir="${EPREFIX}"/usr/$(get_libdir)/samba/ldb |
179 |
+ --with-db-path="${EPREFIX}"/var/lib/sss/db |
180 |
+ --with-gpo-cache-path="${EPREFIX}"/var/lib/sss/gpo_cache |
181 |
+ --with-pubconf-path="${EPREFIX}"/var/lib/sss/pubconf |
182 |
+ --with-pipe-path="${EPREFIX}"/var/lib/sss/pipes |
183 |
+ --with-mcache-path="${EPREFIX}"/var/lib/sss/mc |
184 |
+ --with-secrets-db-path="${EPREFIX}"/var/lib/sss/secrets |
185 |
+ --with-log-path="${EPREFIX}"/var/log/sssd |
186 |
+ --with-os=gentoo |
187 |
+ --with-nscd="${EPREFIX}"/usr/sbin/nscd |
188 |
+ --with-unicode-lib="glib2" |
189 |
+ --disable-rpath |
190 |
+ --sbindir=/usr/sbin |
191 |
+ --with-crypto="libcrypto" |
192 |
+ --enable-local-provider |
193 |
+ $(multilib_native_use_with systemd kcm) |
194 |
+ $(multilib_native_use_with systemd secrets) |
195 |
+ $(use_with samba) |
196 |
+ --with-smb-idmap-interface-version=6 |
197 |
+ $(multilib_native_use_enable acl cifs-idmap-plugin) |
198 |
+ $(multilib_native_use_with selinux) |
199 |
+ $(multilib_native_use_with selinux semanage) |
200 |
+ $(use_enable locator krb5-locator-plugin) |
201 |
+ $(use_enable pac pac-responder) |
202 |
+ $(multilib_native_use_with nfsv4 nfsv4-idmapd-plugin) |
203 |
+ $(use_enable nls) |
204 |
+ $(multilib_native_use_with netlink libnl) |
205 |
+ $(multilib_native_use_with man manpages) |
206 |
+ $(multilib_native_use_with sudo) |
207 |
+ $(multilib_native_with autofs) |
208 |
+ $(multilib_native_with ssh) |
209 |
+ $(use_enable valgrind) |
210 |
+ --without-python2-bindings |
211 |
+ $(multilib_native_use_with python python3-bindings) |
212 |
+ ) |
213 |
+ |
214 |
+ # Annoyingly configure requires that you pick systemd XOR sysv |
215 |
+ if use systemd; then |
216 |
+ myconf+=( |
217 |
+ --with-initscript="systemd" |
218 |
+ --with-systemdunitdir=$(systemd_get_systemunitdir) |
219 |
+ ) |
220 |
+ else |
221 |
+ myconf+=(--with-initscript="sysv") |
222 |
+ fi |
223 |
+ |
224 |
+ if ! multilib_is_native_abi; then |
225 |
+ # work-around all the libraries that are used for CLI and server |
226 |
+ myconf+=( |
227 |
+ {POPT,TALLOC,TDB,TEVENT,LDB}_{CFLAGS,LIBS}=' ' |
228 |
+ # ldb headers are fine since native needs it |
229 |
+ # ldb lib fails... but it does not seem to bother |
230 |
+ {DHASH,COLLECTION,INI_CONFIG_V{0,1,1_1,1_3}}_{CFLAGS,LIBS}=' ' |
231 |
+ {PCRE,CARES,SYSTEMD_LOGIN,SASL,GLIB2,DBUS,CRYPTO,P11_KIT}_{CFLAGS,LIBS}=' ' |
232 |
+ {NDR_NBT,SMBCLIENT,NDR_KRB5PAC}_{CFLAGS,LIBS}=' ' |
233 |
+ |
234 |
+ # use native include path for dbus (needed for build) |
235 |
+ DBUS_CFLAGS="${native_dbus_cflags}" |
236 |
+ |
237 |
+ # non-pkgconfig checks |
238 |
+ ac_cv_lib_ldap_ldap_search=yes |
239 |
+ --without-secrets |
240 |
+ --without-kcm |
241 |
+ ) |
242 |
+ fi |
243 |
+ |
244 |
+ econf "${myconf[@]}" |
245 |
+} |
246 |
+ |
247 |
+multilib_src_compile() { |
248 |
+ if multilib_is_native_abi; then |
249 |
+ default |
250 |
+ use doc && emake docs |
251 |
+ if use man || use nls; then |
252 |
+ emake update-po |
253 |
+ fi |
254 |
+ else |
255 |
+ emake libnss_sss.la pam_sss.la |
256 |
+ use locator && emake sssd_krb5_locator_plugin.la |
257 |
+ use pac && emake sssd_pac_plugin.la |
258 |
+ fi |
259 |
+} |
260 |
+ |
261 |
+multilib_src_install() { |
262 |
+ if multilib_is_native_abi; then |
263 |
+ emake -j1 DESTDIR="${D}" "${_at_args[@]}" install |
264 |
+ if use python; then |
265 |
+ python_optimize |
266 |
+ python_fix_shebang "${ED}" |
267 |
+ fi |
268 |
+ |
269 |
+ else |
270 |
+ # easier than playing with automake... |
271 |
+ dopammod .libs/pam_sss.so |
272 |
+ |
273 |
+ into / |
274 |
+ dolib.so .libs/libnss_sss.so* |
275 |
+ |
276 |
+ if use locator; then |
277 |
+ exeinto /usr/$(get_libdir)/krb5/plugins/libkrb5 |
278 |
+ doexe .libs/sssd_krb5_locator_plugin.so |
279 |
+ fi |
280 |
+ |
281 |
+ if use pac; then |
282 |
+ exeinto /usr/$(get_libdir)/krb5/plugins/authdata |
283 |
+ doexe .libs/sssd_pac_plugin.so |
284 |
+ fi |
285 |
+ fi |
286 |
+} |
287 |
+ |
288 |
+multilib_src_install_all() { |
289 |
+ einstalldocs |
290 |
+ find "${ED}" -type f -name '*.la' -delete || die |
291 |
+ |
292 |
+ insinto /etc/sssd |
293 |
+ insopts -m600 |
294 |
+ doins "${S}"/src/examples/sssd-example.conf |
295 |
+ |
296 |
+ insinto /etc/logrotate.d |
297 |
+ insopts -m644 |
298 |
+ newins "${S}"/src/examples/logrotate sssd |
299 |
+ |
300 |
+ newconfd "${FILESDIR}"/sssd.conf sssd |
301 |
+ |
302 |
+ keepdir /var/lib/sss/db |
303 |
+ keepdir /var/lib/sss/deskprofile |
304 |
+ keepdir /var/lib/sss/gpo_cache |
305 |
+ keepdir /var/lib/sss/keytabs |
306 |
+ keepdir /var/lib/sss/mc |
307 |
+ keepdir /var/lib/sss/pipes/private |
308 |
+ keepdir /var/lib/sss/pubconf/krb5.include.d |
309 |
+ keepdir /var/lib/sss/secrets |
310 |
+ keepdir /var/log/sssd |
311 |
+ |
312 |
+ # strip empty dirs |
313 |
+ if ! use doc ; then |
314 |
+ rm -r "${ED}"/usr/share/doc/"${PF}"/doc || die |
315 |
+ rm -r "${ED}"/usr/share/doc/"${PF}"/{hbac,idmap,nss_idmap,sss_simpleifp}_doc || die |
316 |
+ fi |
317 |
+ |
318 |
+ rm -r "${ED}"/run || die |
319 |
+} |
320 |
+ |
321 |
+multilib_src_test() { |
322 |
+ multilib_is_native_abi && emake check |
323 |
+} |
324 |
+ |
325 |
+pkg_postinst() { |
326 |
+ elog "You must set up sssd.conf (default installed into /etc/sssd)" |
327 |
+ elog "and (optionally) configuration in /etc/pam.d in order to use SSSD" |
328 |
+ elog "features. Please see howto in https://sssd.io/docs/design_pages/smartcard_authentication_require.html" |
329 |
+} |