commit: 5d54665bac2e0881b4d22cf48632fd0412623565 |
Author: Mike Gilbert <floppym <AT> gentoo <DOT> org> |
AuthorDate: Tue Sep 3 15:26:42 2019 +0000 |
Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org> |
CommitDate: Tue Sep 3 15:26:42 2019 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d54665b |
|
sys-apps/systemd: add patch for CVE-2019-15718 |
|
Bug: https://bugs.gentoo.org/693156 |
Package-Manager: Portage-2.3.73_p4, Repoman-2.3.17_p24 |
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org> |
|
sys-apps/systemd/files/CVE-2019-15718.patch | 31 ++++++++++++++++++++ |
...ystemd-243_rc2.ebuild => systemd-242-r7.ebuild} | 33 ++++++++++++++++++---- |
...md-243_rc2.ebuild => systemd-243_rc2-r1.ebuild} | 1 + |
3 files changed, 59 insertions(+), 6 deletions(-) |
|
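diff --git a/sys-apps/systemd/files/CVE-2019-15718.patch b/sys-apps/systemd/files/CVE-2019-15718.patch
new file mode 100644
index 00000000000..8186f7096f8
--- /dev/null
+++ b/sys-apps/systemd/files/CVE-2019-15718.patch
@@ -0,0 +1,31 @@
+From 35e528018f315798d3bffcb592b32a0d8f5162bd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@××××××.pl>
+Date: Tue, 27 Aug 2019 19:00:34 +0200
+Subject: [PATCH] shared/but-util: drop trusted annotation from
+ bus_open_system_watch_bind_with_description()
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1746057
+
+This only affects systemd-resolved. bus_open_system_watch_bind_with_description()
+is also used in timesyncd, but it has no methods, only read-only properties, and
+in networkd, but it annotates all methods with SD_BUS_VTABLE_UNPRIVILEGED and does
+polkit checks.
+---
+ src/shared/bus-util.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c
+index 6af115e7aa..821339d4ae 100644
+--- a/src/shared/bus-util.c
++++ b/src/shared/bus-util.c
+@@ -1705,10 +1705,6 @@ int bus_open_system_watch_bind_with_description(sd_bus **ret, const char *descri
+ if (r < 0)
+ return r;
+
+- r = sd_bus_set_trusted(bus, true);
+- if (r < 0)
+- return r;
+-
+ r = sd_bus_negotiate_creds(bus, true, SD_BUS_CREDS_UID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CAPS);
+ if (r < 0)
+ return r;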
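diff --git a/sys-apps/systemd/systemd-243_rc2.ebuild b/sys-apps/systemd/systemd-242-r7.ebuild
similarity index 93%
copy from sys-apps/systemd/systemd-243_rc2.ebuild
copy to sys-apps/systemd/systemd-242-r7.ebuild
index f00c416fa38..da5e7533d89 100644
--- a/sys-apps/systemd/systemd-243_rc2.ebuild
+++ b/sys-apps/systemd/systemd-242-r7.ebuild
@@ -23,7 +23,7 @@ HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd"
 
 LICENSE="GPL-2 LGPL-2.1 MIT public-domain"
 SLOT="0/2"
-IUSE="acl apparmor audit build cgroup-hybrid cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi http idn importd +kmod +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux split-usr +sysv-utils test vanilla xkb"
+IUSE="acl apparmor audit build cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi http idn importd +kmod libidn2 +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux split-usr +sysv-utils test vanilla xkb"
 
 REQUIRED_USE="importd? ( curl gcrypt lzma )"
 RESTRICT="!test? ( test )"
@@ -45,7 +45,10 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}]
 >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)]
 >=net-libs/gnutls-3.1.4:0=
 )
- idn? ( net-dns/libidn2:= )
+ idn? (
+ libidn2? ( net-dns/libidn2:= )
+ !libidn2? ( net-dns/libidn:= )
+ )
 importd? (
 app-arch/bzip2:0=
 sys-libs/zlib:0=
@@ -185,6 +188,14 @@ src_prepare() {
 
 # Add local patches here
 PATCHES+=(
+ "${FILESDIR}"/242-gcc-9.patch
+ "${FILESDIR}"/242-socket-util-flush-accept.patch
+ "${FILESDIR}"/242-wireguard-listenport.patch
+ "${FILESDIR}"/242-file-max.patch
+ "${FILESDIR}"/242-rdrand-ryzen.patch
+ "${FILESDIR}"/242-networkd-ipv6-token.patch
+ "${FILESDIR}"/242-network-domains.patch
+ "${FILESDIR}"/CVE-2019-15718.patch
 )
 
 if ! use vanilla; then
@@ -244,7 +255,6 @@ multilib_src_configure() {
 # no deps
 -Defi=$(meson_multilib)
 -Dima=true
- -Ddefault-hierarchy=$(usex cgroup-hybrid hybrid unified)
 # Optional components/dependencies
 -Dacl=$(meson_multilib_native_use acl)
 -Dapparmor=$(meson_multilib_native_use apparmor)
@@ -257,7 +267,6 @@ multilib_src_configure() {
 -Dgnu-efi=$(meson_multilib_native_use gnuefi)
 -Defi-libdir="${ESYSROOT}/usr/$(get_libdir)"
 -Dmicrohttpd=$(meson_multilib_native_use http)
- -Didn=$(meson_multilib_native_use idn)
 -Dimportd=$(meson_multilib_native_use importd)
 -Dbzip2=$(meson_multilib_native_use importd)
 -Dzlib=$(meson_multilib_native_use importd)
@@ -301,6 +310,18 @@ multilib_src_configure() {
 -Dvconsole=$(meson_multilib)
 )
 
+ if multilib_is_native_abi && use idn; then
+ myconf+=(
+ -Dlibidn2=$(usex libidn2 true false)
+ -Dlibidn=$(usex libidn2 false true)
+ )
+ else
+ myconf+=(
+ -Dlibidn2=false
+ -Dlibidn=false
+ )
+ fi
+
 meson_src_configure "${myconf[@]}"
 }
 
@@ -310,7 +331,7 @@ multilib_src_compile() {
 
 multilib_src_test() {
 unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR
- meson_src_test
+ eninja test
 }
 
 multilib_src_install() {
@@ -343,7 +364,7 @@ multilib_src_install_all() {
 # Preserve empty dirs in /etc & /var, bug #437008
 keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d}
 keepdir /etc/kernel/install.d
- keepdir /etc/systemd/{network,system,user}
+ keepdir /etc/systemd/{network,user}
 keepdir /etc/udev/{hwdb.d,rules.d}
 keepdir "${rootprefix}"/lib/systemd/{system-sleep,system-shutdown}
 keepdir /usr/lib/{binfmt.d,modules-load.d}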
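Review bot: The `PATCHES+=(` hunk applies CVE-2019-15718.patch, written against the 243-era tree, to a 242 build without recording that the backport scope was checked. The patch's own description limits the impact to resolved on the grounds that networkd annotates every method with SD_BUS_VTABLE_UNPRIVILEGED and timesyncd exposes no methods; if either claim does not hold for the 242 sources, dropping sd_bus_set_trusted() would presumably turn unprivileged D-Bus calls that previously succeeded into access-denied errors — a functional regression rather than a security hole, but one a revision bump should document. I would add a comment above the entry, `# CVE-2019-15718 (upstream 35e528018f): drops sd_bus_set_trusted() for resolved; networkd/timesyncd vtables in 242 checked to be unaffected`, so the next bump knows what was verified. The same entry is added in the 243_rc2-r1 section, where the patch is against its own release line and needs no such note.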
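diff --git a/sys-apps/systemd/systemd-243_rc2.ebuild b/sys-apps/systemd/systemd-243_rc2-r1.ebuild
similarity index 99%
rename from sys-apps/systemd/systemd-243_rc2.ebuild
rename to sys-apps/systemd/systemd-243_rc2-r1.ebuild
index f00c416fa38..56cfe509a08 100644
--- a/sys-apps/systemd/systemd-243_rc2.ebuild
+++ b/sys-apps/systemd/systemd-243_rc2-r1.ebuild
@@ -185,6 +185,7 @@ src_prepare() {
 
 # Add local patches here
 PATCHES+=(
+ "${FILESDIR}"/CVE-2019-15718.patch
 )
 
 if ! use vanilla; then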