vapier 15/03/04 07:34:28 |
|
Modified: ChangeLog |
Added: openssl-1.0.2-r2.ebuild |
Log: |
Add fix from upstream for CVE-2015-0209 #541502 by Agostino Sarubbo and CVE-2015-0288 #542038 by Kristian Fiskerstrand. |
|
(Portage version: 2.2.17/cvs/Linux x86_64, signed Manifest commit with key D2E96200) |
|
Revision Changes Path |
1.630 dev-libs/openssl/ChangeLog |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/openssl/ChangeLog?rev=1.630&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/openssl/ChangeLog?rev=1.630&content-type=text/plain |
diff : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/openssl/ChangeLog?r1=1.629&r2=1.630 |
|
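--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for dev-libs/openssl
 # Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.629 2015/01/28 19:35:28 mgorny Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.630 2015/03/04 07:34:28 vapier Exp $
+
+*openssl-1.0.2-r2 (04 Mar 2015)
+
+ 04 Mar 2015; Mike Frysinger <vapier@g.o>
+ +files/openssl-1.0.2-CVE-2015-0209.patch,
+ +files/openssl-1.0.2-CVE-2015-0288.patch, +openssl-1.0.2-r2.ebuild:
+ Add fix from upstream for CVE-2015-0209 #541502 by Agostino Sarubbo and
+ CVE-2015-0288 #542038 by Kristian Fiskerstrand.
 
 28 Jan 2015; Michał Górny <mgorny@g.o> openssl-0.9.8z_p1-r2.ebuild,
 openssl-0.9.8z_p2.ebuild, openssl-0.9.8z_p3.ebuild, openssl-0.9.8z_p4.ebuild,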
|
|
|
1.1 dev-libs/openssl/openssl-1.0.2-r2.ebuild |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/openssl/openssl-1.0.2-r2.ebuild?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/openssl/openssl-1.0.2-r2.ebuild?rev=1.1&content-type=text/plain |
|
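--- /dev/null
+++ b/openssl-1.0.2-r2.ebuild
@@ -0,0 +1,261 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/openssl-1.0.2-r2.ebuild,v 1.1 2015/03/04 07:34:28 vapier Exp $
+
+EAPI="4"
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+REV="1.7"
+MY_P=${P/_/-}
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="http://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/${PN}/${PN}-c_rehash.sh?rev=${REV} -> ${PN}-c_rehash.sh.${REV}"
+
+LICENSE="openssl"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+IUSE="bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
+
+# The blocks are temporary just to make sure people upgrade to a
+# version that lack runtime version checking. We'll drop them in
+# the future.
+RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
+abi_x86_32? (
+!<=app-emulation/emul-linux-x86-baselibs-20140508
+!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+)
+!<net-misc/openssh-5.9_p1-r4
+!<net-libs/neon-0.29.6-r1"
+DEPEND="${RDEPEND}
+sys-apps/diffutils
+>=dev-lang/perl-5
+sctp? ( net-misc/lksctp-tools )
+test? ( sys-devel/bc )"
+PDEPEND="app-misc/ca-certificates"
+
+S="${WORKDIR}/${MY_P}"
+
+MULTILIB_WRAPPED_HEADERS=(
+usr/include/openssl/opensslconf.h
+)
+
+src_prepare() {
+SSL_CNF_DIR="/etc/ssl"
+sed \
+-e "/^DIR=/s:=.*:=${EPREFIX}${SSL_CNF_DIR}:" \
+-e "s:SSL_CMD=/usr:SSL_CMD=${EPREFIX}/usr:" \
+"${DISTDIR}"/${PN}-c_rehash.sh.${REV} \
+> "${WORKDIR}"/c_rehash || die #416717
+
+# Make sure we only ever touch Makefile.org and avoid patching a file
+# that gets blown away anyways by the Configure script in src_configure
+rm -f Makefile
+
+epatch "${FILESDIR}"/${P}-CVE-2015-0209.patch #541502
+epatch "${FILESDIR}"/${P}-CVE-2015-0288.patch #542038
+if ! use vanilla ; then
+epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
+epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
+epatch "${FILESDIR}"/${PN}-1.0.2-parallel-build.patch
+epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
+epatch "${FILESDIR}"/${PN}-1.0.2-s_client-verify.patch #472584
+
+epatch_user #332661
+fi
+
+# disable fips in the build
+# make sure the man pages are suffixed #302165
+# don't bother building man pages if they're disabled
+sed -i \
+-e '/DIRS/s: fips : :g' \
+-e '/^MANSUFFIX/s:=.*:=ssl:' \
+-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+-e $(has noman FEATURES \
+&& echo '/^install:/s:install_docs::' \
+|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+Makefile.org \
+|| die
+# show the actual commands in the log
+sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
+
+# since we're forcing $(CC) as makedep anyway, just fix
+# the conditional as always-on
+# helps clang (#417795), and versioned gcc (#499818)
+sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
+
+# quiet out unknown driver argument warnings since openssl
+# doesn't have well-split CFLAGS and we're making it even worse
+# and 'make depend' uses -Werror for added fun (#417795 again)
+[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+# allow openssl to be cross-compiled
+cp "${FILESDIR}"/gentoo.config-1.0.1 gentoo.config || die
+chmod a+rx gentoo.config
+
+append-flags -fno-strict-aliasing
+append-flags $(test-flags-CC -Wa,--noexecstack)
+append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
+# The config script does stupid stuff to prompt the user. Kill it.
+sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+./config --test-sanity || die "I AM NOT SANE"
+
+multilib_copy_sources
+}
+
+multilib_src_configure() {
+unset APPS #197996
+unset SCRIPTS #312551
+unset CROSS_COMPILE #311473
+
+tc-export CC AR RANLIB RC
+
+# Clean out patent-or-otherwise-encumbered code
+# Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
+# IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+# EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+# MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
+# RC5: Expirted http://en.wikipedia.org/wiki/RC5
+
+use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+echoit() { echo "$@" ; "$@" ; }
+
+local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+# See if our toolchain supports __uint128_t. If so, it's 64bit
+# friendly and can use the nicely optimized code paths. #460790
+local ec_nistp_64_gcc_128
+# Disable it for now though #469976
+#if ! use bindist ; then
+# echo "__uint128_t i;" > "${T}"/128.c
+# if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+# ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+# fi
+#fi
+
+local sslout=$(./gentoo.config)
+einfo "Use configuration ${sslout:-(openssl knows best)}"
+local config="Configure"
+[[ -z ${sslout} ]] && config="config"
+
+echoit \
+./${config} \
+${sslout} \
+$(use sctp && echo "sctp") \
+$(use cpu_flags_x86_sse2 || echo "no-sse2") \
+enable-camellia \
+$(use_ssl !bindist ec) \
+${ec_nistp_64_gcc_128} \
+enable-idea \
+enable-mdc2 \
+enable-rc5 \
+enable-tlsext \
+$(use_ssl gmp gmp -lgmp) \
+$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
+$(use_ssl rfc3779) \
+$(use_ssl tls-heartbeat heartbeats) \
+$(use_ssl zlib) \
+--prefix="${EPREFIX}"/usr \
+--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+--libdir=$(get_libdir) \
+shared threads \
+|| die
+
+# Clean out hardcoded flags that openssl uses
+local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
+-e 's:^CFLAG=::' \
+-e 's:-fomit-frame-pointer ::g' \
+-e 's:-O[0-9] ::g' \
+-e 's:-march=[-a-z0-9]* ::g' \
+-e 's:-mcpu=[-a-z0-9]* ::g' \
+-e 's:-m[a-z0-9]* ::g' \
+)
+sed -i \
+-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
+-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
+Makefile || die
+}
+
+multilib_src_compile() {
+# depend is needed to use $confopts; it also doesn't matter
+# that it's -j1 as the code itself serializes subdirs
+emake -j1 depend
+emake all
+# rehash is needed to prep the certs/ dir; do this
+# separately to avoid parallel build issues.
+emake rehash
+}
+
+multilib_src_test() {
+emake -j1 test
+}
+
+multilib_src_install() {
+emake INSTALL_PREFIX="${D}" install
+}
+
+multilib_src_install_all() {
+dobin "${WORKDIR}"/c_rehash #333117
+dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
+dohtml -r doc/*
+use rfc3779 && dodoc engines/ccgost/README.gost
+
+# This is crappy in that the static archives are still built even
+# when USE=static-libs. But this is due to a failing in the openssl
+# build system: the static archives are built as PIC all the time.
+# Only way around this would be to manually configure+compile openssl
+# twice; once with shared lib support enabled and once without.
+use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
+
+# create the certs directory
+dodir ${SSL_CNF_DIR}/certs
+cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
+rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
+
+# Namespace openssl programs to prevent conflicts with other man pages
+cd "${ED}"/usr/share/man
+local m d s
+for m in $(find . -type f | xargs grep -L '#include') ; do
+d=${m%/*} ; d=${d#./} ; m=${m##*/}
+[[ ${m} == openssl.1* ]] && continue
+[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+mv ${d}/{,ssl-}${m}
+# fix up references to renamed man pages
+sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+ln -s ssl-${m} ${d}/openssl-${m}
+# locate any symlinks that point to this man page ... we assume
+# that any broken links are due to the above renaming
+for s in $(find -L ${d} -type l) ; do
+s=${s##*/}
+rm -f ${d}/${s}
+ln -s ssl-${m} ${d}/ssl-${s}
+ln -s ssl-${s} ${d}/openssl-${s}
+done
+done
+[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+dodir /etc/sandbox.d #254521
+echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+diropts -m0700
+keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+has_version ${CATEGORY}/${PN}:0.9.8 && return 0
+preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
+}
+
+pkg_postinst() {
+ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+eend $?
+
+has_version ${CATEGORY}/${PN}:0.9.8 && return 0
+preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
+}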
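Review bot: `cd "${ED}"/usr/share/man` at the start of the man-page namespacing block in multilib_src_install_all has no `|| die`, so if that directory is absent the following `find . -type f | xargs grep -L '#include'` loop and its `mv`/`ln -s` calls operate on whatever the current directory happens to be (the build tree) instead of the install image; change it to `cd "${ED}"/usr/share/man || die`. The same silent-continue applies to `rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}`, `sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared` and the `sed -i ... Configure #141906` line, while the commands around them all carry `|| die`. The two CVE epatch calls are placed before the `if ! use vanilla` guard, so the security fixes are applied even with USE=vanilla, which is the right placement; a one-line comment above them, `# security fixes are applied regardless of USE=vanilla`, would keep a later edit from moving them inside that block.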