
From: Mike Gilbert <floppym@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-apps/systemd/files/, sys-apps/systemd/
Date: Tue, 03 Sep 2019 15:27:38
Message-Id: 1567524402.5d54665bac2e0881b4d22cf48632fd0412623565.floppym@gentoo
1 commit: 5d54665bac2e0881b4d22cf48632fd0412623565
2 Author: Mike Gilbert <floppym <AT> gentoo <DOT> org>
3 AuthorDate: Tue Sep 3 15:26:42 2019 +0000
4 Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org>
5 CommitDate: Tue Sep 3 15:26:42 2019 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d54665b
7
8 sys-apps/systemd: add patch for CVE-2019-15718
9
10 Bug: https://bugs.gentoo.org/693156
11 Package-Manager: Portage-2.3.73_p4, Repoman-2.3.17_p24
12 Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
13
14 sys-apps/systemd/files/CVE-2019-15718.patch | 31 ++++++++++++++++++++
15 ...ystemd-243_rc2.ebuild => systemd-242-r7.ebuild} | 33 ++++++++++++++++++----
16 ...md-243_rc2.ebuild => systemd-243_rc2-r1.ebuild} | 1 +
17 3 files changed, 59 insertions(+), 6 deletions(-)
18
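--- /dev/null
+++ b/sys-apps/systemd/files/CVE-2019-15718.patch
@@ -0,0 +1,31 @@
+From 35e528018f315798d3bffcb592b32a0d8f5162bd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@××××××.pl>
+Date: Tue, 27 Aug 2019 19:00:34 +0200
+Subject: [PATCH] shared/but-util: drop trusted annotation from
+ bus_open_system_watch_bind_with_description()
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1746057
+
+This only affects systemd-resolved. bus_open_system_watch_bind_with_description()
+is also used in timesyncd, but it has no methods, only read-only properties, and
+in networkd, but it annotates all methods with SD_BUS_VTABLE_UNPRIVILEGED and does
+polkit checks.
+---
+ src/shared/bus-util.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c
+index 6af115e7aa..821339d4ae 100644
+--- a/src/shared/bus-util.c
++++ b/src/shared/bus-util.c
+@@ -1705,10 +1705,6 @@ int bus_open_system_watch_bind_with_description(sd_bus **ret, const char *descri
+ if (r < 0)
+ return r;
+
+- r = sd_bus_set_trusted(bus, true);
+- if (r < 0)
+- return r;
+-
+ r = sd_bus_negotiate_creds(bus, true, SD_BUS_CREDS_UID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CAPS);
+ if (r < 0)
+ return r;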
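--- a/sys-apps/systemd/systemd-243_rc2.ebuild
+++ b/sys-apps/systemd/systemd-242-r7.ebuild
@@ -23,7 +23,7 @@ HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd"
 
 LICENSE="GPL-2 LGPL-2.1 MIT public-domain"
 SLOT="0/2"
-IUSE="acl apparmor audit build cgroup-hybrid cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi http idn importd +kmod +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux split-usr +sysv-utils test vanilla xkb"
+IUSE="acl apparmor audit build cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi http idn importd +kmod libidn2 +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux split-usr +sysv-utils test vanilla xkb"
 
 REQUIRED_USE="importd? ( curl gcrypt lzma )"
 RESTRICT="!test? ( test )"
@@ -45,7 +45,10 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}]
 >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)]
 >=net-libs/gnutls-3.1.4:0=
 )
- idn? ( net-dns/libidn2:= )
+ idn? (
+ libidn2? ( net-dns/libidn2:= )
+ !libidn2? ( net-dns/libidn:= )
+ )
 importd? (
 app-arch/bzip2:0=
 sys-libs/zlib:0=
@@ -185,6 +188,14 @@ src_prepare() {
 
 # Add local patches here
 PATCHES+=(
+ "${FILESDIR}"/242-gcc-9.patch
+ "${FILESDIR}"/242-socket-util-flush-accept.patch
+ "${FILESDIR}"/242-wireguard-listenport.patch
+ "${FILESDIR}"/242-file-max.patch
+ "${FILESDIR}"/242-rdrand-ryzen.patch
+ "${FILESDIR}"/242-networkd-ipv6-token.patch
+ "${FILESDIR}"/242-network-domains.patch
+ "${FILESDIR}"/CVE-2019-15718.patch
 )
 
 if ! use vanilla; then
@@ -244,7 +255,6 @@ multilib_src_configure() {
 # no deps
 -Defi=$(meson_multilib)
 -Dima=true
- -Ddefault-hierarchy=$(usex cgroup-hybrid hybrid unified)
 # Optional components/dependencies
 -Dacl=$(meson_multilib_native_use acl)
 -Dapparmor=$(meson_multilib_native_use apparmor)
@@ -257,7 +267,6 @@ multilib_src_configure() {
 -Dgnu-efi=$(meson_multilib_native_use gnuefi)
 -Defi-libdir="${ESYSROOT}/usr/$(get_libdir)"
 -Dmicrohttpd=$(meson_multilib_native_use http)
- -Didn=$(meson_multilib_native_use idn)
 -Dimportd=$(meson_multilib_native_use importd)
 -Dbzip2=$(meson_multilib_native_use importd)
 -Dzlib=$(meson_multilib_native_use importd)
@@ -301,6 +310,18 @@ multilib_src_configure() {
 -Dvconsole=$(meson_multilib)
 )
 
+ if multilib_is_native_abi && use idn; then
+ myconf+=(
+ -Dlibidn2=$(usex libidn2 true false)
+ -Dlibidn=$(usex libidn2 false true)
+ )
+ else
+ myconf+=(
+ -Dlibidn2=false
+ -Dlibidn=false
+ )
+ fi
+
 meson_src_configure "${myconf[@]}"
 }
 
@@ -310,7 +331,7 @@ multilib_src_compile() {
 
 multilib_src_test() {
 unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR
- meson_src_test
+ eninja test
 }
 
 multilib_src_install() {
@@ -343,7 +364,7 @@ multilib_src_install_all() {
 # Preserve empty dirs in /etc & /var, bug #437008
 keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d}
 keepdir /etc/kernel/install.d
- keepdir /etc/systemd/{network,system,user}
+ keepdir /etc/systemd/{network,user}
 keepdir /etc/udev/{hwdb.d,rules.d}
 keepdir "${rootprefix}"/lib/systemd/{system-sleep,system-shutdown}
 keepdir /usr/lib/{binfmt.d,modules-load.d}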
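Review bot: The `"${FILESDIR}"/CVE-2019-15718.patch` entry added to `PATCHES+=(` in the `src_prepare()` hunk (and the identical entry in the systemd-243_rc2-r1.ebuild section) is the only trace of the security fix in the ebuild, and nothing at that line says what the patch changes or which upstream commit it carries; a comment above the entry such as `# CVE-2019-15718, bug 693156: upstream 35e528018f, drops the trusted annotation from bus_open_system_watch_bind_with_description()` keeps that auditable without opening the patch file. The same patch file is shared by the 242 and 243_rc2 ebuilds while its hunk header targets `src/shared/bus-util.c` at line 1705 of a single tree, so it is worth confirming it applies to 242 without fuzz, since nothing in the hunk records that check. `src_prepare()` starts and ends outside the hunk.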
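--- a/sys-apps/systemd/systemd-243_rc2.ebuild
+++ b/sys-apps/systemd/systemd-243_rc2-r1.ebuild
@@ -185,6 +185,7 @@ src_prepare() {
 
 # Add local patches here
 PATCHES+=(
+ "${FILESDIR}"/CVE-2019-15718.patch
 )
 
 if ! use vanilla; then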