commit: 73e4184262bdb92c08fe83d2b9cd06f6a12ccb73 |
Author: Michael Palimaka <kensington <AT> gentoo <DOT> org> |
AuthorDate: Thu Oct 11 12:18:35 2018 +0000 |
Commit: Michael Palimaka <kensington <AT> gentoo <DOT> org> |
CommitDate: Thu Oct 11 12:18:54 2018 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=73e41842 |
|
net-irc/unrealircd: revision bump to resolve CVE-2017-13649 |
|
Bug: https://bugs.gentoo.org/628434 |
Signed-off-by: Michael Palimaka <kensington <AT> gentoo.org> |
Package-Manager: Portage-2.3.49, Repoman-2.3.11 |
|
net-irc/unrealircd/files/unrealircd.confd-r3 | 32 +++++ |
net-irc/unrealircd/files/unrealircd.initd-r2 | 38 +++++ |
net-irc/unrealircd/unrealircd-4.0.18-r1.ebuild | 184 +++++++++++++++++++++++++ |
3 files changed, 254 insertions(+) |
|
diff --git a/net-irc/unrealircd/files/unrealircd.confd-r3 b/net-irc/unrealircd/files/unrealircd.confd-r3 |
20 |
new file mode 100644 |
21 |
index 00000000000..66d9878f014 |
22 |
--- /dev/null |
23 |
+++ b/net-irc/unrealircd/files/unrealircd.confd-r3 |
24 |
@@ -0,0 +1,32 @@ |
25 |
+# Copyright 1999-2018 Gentoo Authors |
26 |
+# Distributed under the terms of the GNU General Public License v2 |
27 |
+ |
28 |
+# Which configuration file to load instead of unrealircd.conf. If you |
29 |
+# want to run multiple instances of unrealircd, you must edit |
30 |
+# files::pidfile to match UNREALIRCD_PIDFILE. You should also ensure |
31 |
+# that files::tunefile is different for each unrealircd instance. See |
32 |
+# https://www.unrealircd.org/docs/Configuration#Files_block |
33 |
+# |
34 |
+# To support multiple instances of unrealircd, you may create symlinks |
35 |
+# in /etc/init.d pointing to /etc/init.d/unrealircd. It is recommended |
36 |
+# that the scheme unrealircd.${instance_name} be used. For each |
37 |
+# instance, you may make a copy of this file with the appropriate name |
38 |
+# to override default options specific to that instance. |
39 |
+UNREALIRCD_CONF="/etc/unrealircd/${SVCNAME}.conf" |
40 |
+ |
41 |
+# The path where unrealircd is configured to create its pidfile. |
42 |
+UNREALIRCD_PIDFILE="/run/unrealircd/${SVCNAME#unreal}.pid" |
43 |
+ |
44 |
+# extra options to pass to unrealircd ... |
45 |
+# You should not specify the -f option here; use |
46 |
+# UNREALIRCD_CONF instead. |
47 |
+# |
48 |
+# [-h servername] |
49 |
+# [-p portnumber] |
50 |
+# [-x loglevel] |
51 |
+# [-t] (to enable debug output) |
52 |
+UNREALIRCD_OPTS="" |
53 |
+ |
54 |
+# Extra flags to pass to start-stop-daemon. When initially |
55 |
+# debugging, removing --quiet may help. |
56 |
+UNREALIRCD_SSD_OPTS="--quiet" |
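Review bot: The comments on `UNREALIRCD_CONF` and `UNREALIRCD_PIDFILE` still describe the daemon creating its own PID file, which contradicts the init script added in this same commit. There `command_background=true` has start-stop-daemon write the PID file as root, and `start_pre` sets /run/unrealircd to root:root 0700, so an unprivileged unrealircd presumably cannot write there at all. Telling admins to edit `files::pidfile` to match `UNREALIRCD_PIDFILE` points them back at a daemon-written PID file, which the init script calls unsafe. I would reword the second comment to something like `# PID file written by start-stop-daemon as root; do not point files::pidfile at it.` and drop the files::pidfile instruction from the first comment block.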
57 |
|
58 |
diff --git a/net-irc/unrealircd/files/unrealircd.initd-r2 b/net-irc/unrealircd/files/unrealircd.initd-r2 |
59 |
new file mode 100644 |
60 |
index 00000000000..7d733a6e185 |
61 |
--- /dev/null |
62 |
+++ b/net-irc/unrealircd/files/unrealircd.initd-r2 |
63 |
@@ -0,0 +1,38 @@ |
64 |
+#!/sbin/openrc-run |
65 |
+# Copyright 1999-2018 Gentoo Authors |
66 |
+# Distributed under the terms of the GNU General Public License v2 |
67 |
+ |
68 |
+# Defaults |
69 |
+: ${UNREALIRCD_CONF:=/etc/unrealircd/${SVCNAME}.conf} |
70 |
+: ${UNREALIRCD_PIDFILE:=/run/unrealircd/${SVCNAME#unreal}.pid} |
71 |
+ |
72 |
+command="/usr/bin/unrealircd" |
73 |
+# Run the daemon in the foreground and let OpenRC background it. |
74 |
+# This way the PID file is created securely, as root. |
75 |
+command_args="-F -f ${UNREALIRCD_CONF} ${UNREALIRCD_OPTS}" |
76 |
+command_user=unrealircd |
77 |
+command_background=true |
78 |
+pidfile="${UNREALIRCD_PIDFILE}" |
79 |
+start_stop_daemon_args="${UNREALIRCD_SSD_OPTS}" |
80 |
+extra_started_commands="reload" |
81 |
+ |
82 |
+depend() { |
83 |
+ use dns net |
84 |
+ provide ircd |
85 |
+} |
86 |
+ |
87 |
+# It is unsafe for the unrealircd user to be able to write to its own |
88 |
+# PID file, since root will be sending e.g. kill signals to the PID |
89 |
+# listed in that file. Ensure that we overwrite the ownership and |
90 |
+# permissions on /run/unrealircd from previous init scripts. |
91 |
+start_pre() { |
92 |
+ checkpath --directory --owner root:root --mode 0700 /run/unrealircd |
93 |
+} |
94 |
+ |
95 |
+reload() { |
96 |
+ ebegin "Reloading ${RC_SVCNAME}" |
97 |
+ start-stop-daemon --signal HUP \ |
98 |
+ --pidfile "${pidfile}" \ |
99 |
+ ${UNREALIRCD_SSD_OPTS} |
100 |
+ eend $? |
101 |
+} |
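Review bot: `reload()` sends HUP to whatever PID is recorded in `${pidfile}` without checking that the process behind it is still unrealircd. The PID file is now written by root, which closes the tampering path described in the comment above `start_pre`, but a stale file left behind after a crash could still name a recycled PID. Adding a matching option to the `start-stop-daemon --signal HUP` call, for example `--exec "${command}"` or `--user "${command_user}"`, would restrict the signal to the intended daemon. A short comment on `reload()` saying that it relies on the root-owned PID file would also help the next maintainer.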
102 |
|
103 |
diff --git a/net-irc/unrealircd/unrealircd-4.0.18-r1.ebuild b/net-irc/unrealircd/unrealircd-4.0.18-r1.ebuild |
104 |
new file mode 100644 |
105 |
index 00000000000..5c496d96d30 |
106 |
--- /dev/null |
107 |
+++ b/net-irc/unrealircd/unrealircd-4.0.18-r1.ebuild |
108 |
@@ -0,0 +1,184 @@ |
109 |
+# Copyright 1999-2018 Gentoo Authors |
110 |
+# Distributed under the terms of the GNU General Public License v2 |
111 |
+ |
112 |
+EAPI=6 |
113 |
+ |
114 |
+SSL_CERT_MANDATORY=1 |
115 |
+inherit ssl-cert user versionator |
116 |
+ |
117 |
+DESCRIPTION="An advanced Internet Relay Chat daemon" |
118 |
+HOMEPAGE="https://www.unrealircd.org/" |
119 |
+SRC_URI="https://www.unrealircd.org/${PN}$(get_version_component_range 1)/${P}.tar.gz" |
120 |
+ |
121 |
+LICENSE="GPL-2" |
122 |
+SLOT="0" |
123 |
+KEYWORDS="~amd64 ~ppc ~x86 ~x86-fbsd ~amd64-linux" |
124 |
+IUSE="class-nofakelag curl +extban-stacking +operoverride operoverride-verify +prefixaq |
125 |
+ showlistmodes shunnotices topicisnuhost +usermod" |
126 |
+ |
127 |
+RDEPEND=" |
128 |
+ dev-libs/openssl:0= |
129 |
+ dev-libs/libpcre2 |
130 |
+ dev-libs/tre |
131 |
+ >=net-dns/c-ares-1.7:= |
132 |
+ sys-libs/zlib |
133 |
+ curl? ( net-misc/curl[adns] ) |
134 |
+" |
135 |
+DEPEND="${RDEPEND} |
136 |
+ virtual/pkgconfig |
137 |
+" |
138 |
+ |
139 |
+DOCS=( doc/{Authors,Donation,RELEASE-NOTES{,.old},tao.of.irc,technical/,translations.txt} ) |
140 |
+ |
141 |
+pkg_pretend() { |
142 |
+ local v |
143 |
+ for v in ${REPLACING_VERSIONS}; do |
144 |
+ version_is_at_least 4 "${v}" && continue |
145 |
+ ewarn "The configuration file format has changed since ${v}." |
146 |
+ ewarn "Please be prepared to manually update them and visit:" |
147 |
+ ewarn "https://www.unrealircd.org/docs/Upgrading_from_3.2.x" |
148 |
+ break |
149 |
+ done |
150 |
+} |
151 |
+ |
152 |
+pkg_setup() { |
153 |
+ enewuser unrealircd |
154 |
+} |
155 |
+ |
156 |
+src_prepare() { |
157 |
+ # QA check against bundled pkgs |
158 |
+ rm -r extras || die |
159 |
+ |
160 |
+ if use class-nofakelag; then |
161 |
+ sed -i -e 's:#undef\( FAKELAG_CONFIGURABLE\):#define\1:' include/config.h || die |
162 |
+ fi |
163 |
+ |
164 |
+ # By default looks in /etc/unrealircd/ssl/curl-ca-bundle.crt. Fix |
165 |
+ # that to look for ca-certificates-provided file instead. %s is |
166 |
+ # CONFDIR. #618066 |
167 |
+ sed -i -e 's:%s/ssl/curl-ca-bundle.crt:%s/../ssl/certs/ca-certificates.crt:' src/s_conf.c || die |
168 |
+ |
169 |
+ eapply_user |
170 |
+} |
171 |
+ |
172 |
+src_configure() { |
173 |
+ # Default value for privatelibdir adds a build path to -Wl,-rpath. |
174 |
+ econf \ |
175 |
+ --with-bindir="${EPREFIX}"/usr/bin \ |
176 |
+ --with-cachedir="${EPREFIX}"/var/lib/${PN} \ |
177 |
+ --with-confdir="${EPREFIX}"/etc/${PN} \ |
178 |
+ --with-datadir="${EPREFIX}"/var/lib/${PN} \ |
179 |
+ --with-docdir="${EPREFIX}"/usr/share/doc/${PF} \ |
180 |
+ --with-logdir="${EPREFIX}"/var/log/${PN} \ |
181 |
+ --with-modulesdir="${EPREFIX}"/usr/"$(get_libdir)"/${PN}/modules \ |
182 |
+ --without-privatelibdir \ |
183 |
+ --with-pidfile="${EPREFIX}"/run/${PN}/ircd.pid \ |
184 |
+ --with-tmpdir="${EPREFIX}"/var/lib/${PN}/tmp \ |
185 |
+ --with-nick-history=2000 \ |
186 |
+ --with-sendq=3000000 \ |
187 |
+ --with-permissions=0640 \ |
188 |
+ --with-fd-setsize=1024 \ |
189 |
+ --with-system-cares \ |
190 |
+ --with-system-pcre2 \ |
191 |
+ --with-system-tre \ |
192 |
+ --enable-dynamic-linking \ |
193 |
+ --enable-ssl="${EPREFIX}"/usr \ |
194 |
+ $(use_enable curl libcurl "${EPREFIX}"/usr) \ |
195 |
+ $(use_enable prefixaq) \ |
196 |
+ $(use_with showlistmodes) \ |
197 |
+ $(use_with topicisnuhost) \ |
198 |
+ $(use_with shunnotices) \ |
199 |
+ $(use_with !operoverride no-operoverride) \ |
200 |
+ $(use_with operoverride-verify) \ |
201 |
+ $(use_with !usermod disableusermod) \ |
202 |
+ $(use_with !extban-stacking disable-extendedban-stacking) |
203 |
+} |
204 |
+ |
205 |
+src_install() { |
206 |
+ keepdir /var/log/${PN} |
207 |
+ keepdir /var/lib/${PN}/tmp |
208 |
+ |
209 |
+ newbin src/ircd ${PN} |
210 |
+ |
211 |
+ ( |
212 |
+ cd src/modules || die |
213 |
+ for subdir in $(find . -type d -print); do |
214 |
+ if [[ -n $(shopt -s nullglob; echo ${subdir}/*.so) ]]; then |
215 |
+ exeinto /usr/$(get_libdir)/${PN}/modules/"${subdir}" |
216 |
+ doexe "${subdir}"/*.so |
217 |
+ fi |
218 |
+ done |
219 |
+ ) |
220 |
+ |
221 |
+ insinto /etc/${PN} |
222 |
+ # Purposefully omitting the examples/ and ssl/ subdirectories. ssl |
223 |
+ # is redundant with app-misc/ca-certificates and examples will all |
224 |
+ # be in docs anyway. |
225 |
+ doins -r doc/conf/{aliases,help} |
226 |
+ doins doc/conf/*.conf |
227 |
+ newins doc/conf/examples/example.conf ${PN}.conf |
228 |
+ keepdir /etc/${PN}/ssl |
229 |
+ |
230 |
+ einstalldocs |
231 |
+ |
232 |
+ newinitd "${FILESDIR}"/${PN}.initd-r2 ${PN} |
233 |
+ newconfd "${FILESDIR}"/${PN}.confd-r3 ${PN} |
234 |
+ |
235 |
+ # config should be read-only |
236 |
+ fperms -R 0640 /etc/${PN} |
237 |
+ fperms 0750 /etc/${PN}{,/aliases,/help} |
238 |
+ fperms 0750 /etc/${PN}/ssl |
239 |
+ # state is editable but not owned by unrealircd directly |
240 |
+ fperms 0770 /var/log/${PN} |
241 |
+ fperms 0770 /var/lib/${PN}{,/tmp} |
242 |
+ fowners -R root:unrealircd /{etc,var/{lib,log}}/${PN} |
243 |
+} |
244 |
+ |
245 |
+pkg_postinst() { |
246 |
+ # Move docert call from src_install() to install_cert in pkg_postinst for |
247 |
+ # bug #201682 |
248 |
+ if [[ ! -f "${EROOT}"etc/${PN}/ssl/server.cert.key ]]; then |
249 |
+ if [[ -f "${EROOT}"etc/${PN}/server.cert.key ]]; then |
250 |
+ ewarn "The location ${PN} looks for SSL certificates has changed" |
251 |
+ ewarn "from ${EROOT}etc/${PN} to ${EROOT}etc/${PN}/ssl." |
252 |
+ ewarn "Please move your existing certificates." |
253 |
+ else |
254 |
+ ( |
255 |
+ umask 0037 |
256 |
+ install_cert /etc/${PN}/ssl/server.cert |
257 |
+ chown unrealircd "${EROOT}"etc/${PN}/ssl/server.cert.* |
258 |
+ ln -snf server.cert.key "${EROOT}"etc/${PN}/ssl/server.key.pem |
259 |
+ ) |
260 |
+ fi |
261 |
+ fi |
262 |
+ |
263 |
+ local unrealircd_conf="${EROOT}"etc/${PN}/${PN}.conf |
264 |
+ # Fix up the default cloak keys. |
265 |
+ if grep -qe '"and another one";$' "${unrealircd_conf}" && grep -qe '"aoAr1HnR6gl3sJ7hVz4Zb7x4YwpW";$' "${unrealircd_conf}"; then |
266 |
+ ebegin "Generating cloak-keys" |
267 |
+ local keys=( |
268 |
+ $(su ${PN} -s /bin/sh -c "${PN} -k 2>&1 | tail -n 3") |
269 |
+ ) |
270 |
+ [[ -n ${keys[0]} || -n ${keys[1]} || -n ${keys[2]} ]] |
271 |
+ eend $? |
272 |
+ |
273 |
+ ebegin "Substituting cloak-keys into ${unrealircd_conf}" |
274 |
+ sed -i \ |
275 |
+ -e '/cloak-keys/ { |
276 |
+n |
277 |
+s/"aoAr1HnR6gl3sJ7hVz4Zb7x4YwpW";/"'"${keys[0]}"'";/ |
278 |
+n |
279 |
+s/"and another one";/"'"${keys[1]}"'";/ |
280 |
+n |
281 |
+s/"and another one";/"'"${keys[2]}"'";/ |
282 |
+}' \ |
283 |
+ "${unrealircd_conf}" |
284 |
+ eend $? |
285 |
+ fi |
286 |
+ |
287 |
+ elog "UnrealIRCd will not run until you've set up /etc/unrealircd/unrealircd.conf" |
288 |
+ elog |
289 |
+ elog "You can also configure ${PN} start at boot with rc-update(1)." |
290 |
+ elog "It is recommended to run unrealircd as an unprivileged user." |
291 |
+ elog "The provided init.d script does this for you." |
292 |
+} |
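Review bot: In `pkg_postinst` the cloak-key check `[[ -n ${keys[0]} || -n ${keys[1]} || -n ${keys[2]} ]]` passes when only one of the three keys is non-empty, and its result is only reported through `eend`, so the `sed` substitution runs even when key generation failed. Because the command captures `2>&1 | tail -n 3`, a failing `${PN} -k` can also put error text into `keys`, which would then be written into the `cloak-keys` block or break the `sed` expression if it contains `/` or `&`. The outcome in that case is a configuration with empty or non-random cloak keys and no hard failure. I would require all three with `[[ ${#keys[@]} -eq 3 && -n ${keys[0]} && -n ${keys[1]} && -n ${keys[2]} ]]`, run the substitution only inside an `if` on that test, and `ewarn` that the default keys are still in place otherwise. Checking each key against the character set the generator is expected to emit before interpolating it into `sed` would be a further safeguard.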