1 |
commit: e18f23bb2a2da949d03482b4a5f3a77c37d97c09 |
2 |
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
3 |
AuthorDate: Tue Jun 12 10:39:20 2018 +0000 |
4 |
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
5 |
CommitDate: Tue Jun 12 10:40:15 2018 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e18f23bb |
7 |
|
8 |
dev-libs/openssl: Add patch for CVE-2018-0732 |
9 |
|
10 |
Package-Manager: Portage-2.3.40, Repoman-2.3.9 |
11 |
|
12 |
.../files/openssl-1.0.2o-CVE-2018-0732.patch | 39 +++ |
13 |
.../files/openssl-1.1.0h-CVE-2018-0732.patch | 39 +++ |
14 |
.../files/openssl-1.1.1_pre7-CVE-2018-0732.patch | 39 +++ |
15 |
dev-libs/openssl/openssl-1.0.2o-r4.ebuild | 294 --------------------- |
16 |
...l-1.0.2o-r5.ebuild => openssl-1.0.2o-r6.ebuild} | 1 + |
17 |
...l-1.1.0h-r1.ebuild => openssl-1.1.0h-r2.ebuild} | 1 + |
18 |
....1_pre7.ebuild => openssl-1.1.1_pre7-r1.ebuild} | 1 + |
19 |
7 files changed, 120 insertions(+), 294 deletions(-) |
20 |
|
21 |
diff --git a/dev-libs/openssl/files/openssl-1.0.2o-CVE-2018-0732.patch b/dev-libs/openssl/files/openssl-1.0.2o-CVE-2018-0732.patch |
22 |
new file mode 100644 |
23 |
index 00000000000..148e7c3bc1a |
24 |
--- /dev/null |
25 |
+++ b/dev-libs/openssl/files/openssl-1.0.2o-CVE-2018-0732.patch |
26 |
@@ -0,0 +1,39 @@ |
27 |
+From 3984ef0b72831da8b3ece4745cac4f8575b19098 Mon Sep 17 00:00:00 2001 |
28 |
+From: Guido Vranken <guidovranken@×××××.com> |
29 |
+Date: Mon, 11 Jun 2018 19:38:54 +0200 |
30 |
+Subject: [PATCH] Reject excessively large primes in DH key generation. |
31 |
+ |
32 |
+CVE-2018-0732 |
33 |
+ |
34 |
+Signed-off-by: Guido Vranken <guidovranken@×××××.com> |
35 |
+ |
36 |
+(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe) |
37 |
+ |
38 |
+Reviewed-by: Tim Hudson <tjh@×××××××.org> |
39 |
+Reviewed-by: Matt Caswell <matt@×××××××.org> |
40 |
+(Merged from https://github.com/openssl/openssl/pull/6457) |
41 |
+--- |
42 |
+ crypto/dh/dh_key.c | 7 ++++++- |
43 |
+ 1 file changed, 6 insertions(+), 1 deletion(-) |
44 |
+ |
45 |
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c |
46 |
+index 387558f1467..f235e0d682b 100644 |
47 |
+--- a/crypto/dh/dh_key.c |
48 |
++++ b/crypto/dh/dh_key.c |
49 |
+@@ -130,10 +130,15 @@ static int generate_key(DH *dh) |
50 |
+ int ok = 0; |
51 |
+ int generate_new_key = 0; |
52 |
+ unsigned l; |
53 |
+- BN_CTX *ctx; |
54 |
++ BN_CTX *ctx = NULL; |
55 |
+ BN_MONT_CTX *mont = NULL; |
56 |
+ BIGNUM *pub_key = NULL, *priv_key = NULL; |
57 |
+ |
58 |
++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { |
59 |
++ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); |
60 |
++ return 0; |
61 |
++ } |
62 |
++ |
63 |
+ ctx = BN_CTX_new(); |
64 |
+ if (ctx == NULL) |
65 |
+ goto err; |
66 |
|
67 |
diff --git a/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0732.patch b/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0732.patch |
68 |
new file mode 100644 |
69 |
index 00000000000..e7dfba43f2a |
70 |
--- /dev/null |
71 |
+++ b/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0732.patch |
72 |
@@ -0,0 +1,39 @@ |
73 |
+From ea7abeeabf92b7aca160bdd0208636d4da69f4f4 Mon Sep 17 00:00:00 2001 |
74 |
+From: Guido Vranken <guidovranken@×××××.com> |
75 |
+Date: Mon, 11 Jun 2018 19:38:54 +0200 |
76 |
+Subject: [PATCH] Reject excessively large primes in DH key generation. |
77 |
+ |
78 |
+CVE-2018-0732 |
79 |
+ |
80 |
+Signed-off-by: Guido Vranken <guidovranken@×××××.com> |
81 |
+ |
82 |
+(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe) |
83 |
+ |
84 |
+Reviewed-by: Tim Hudson <tjh@×××××××.org> |
85 |
+Reviewed-by: Matt Caswell <matt@×××××××.org> |
86 |
+(Merged from https://github.com/openssl/openssl/pull/6457) |
87 |
+--- |
88 |
+ crypto/dh/dh_key.c | 7 ++++++- |
89 |
+ 1 file changed, 6 insertions(+), 1 deletion(-) |
90 |
+ |
91 |
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c |
92 |
+index fce9ff47f36..58003d70878 100644 |
93 |
+--- a/crypto/dh/dh_key.c |
94 |
++++ b/crypto/dh/dh_key.c |
95 |
+@@ -78,10 +78,15 @@ static int generate_key(DH *dh) |
96 |
+ int ok = 0; |
97 |
+ int generate_new_key = 0; |
98 |
+ unsigned l; |
99 |
+- BN_CTX *ctx; |
100 |
++ BN_CTX *ctx = NULL; |
101 |
+ BN_MONT_CTX *mont = NULL; |
102 |
+ BIGNUM *pub_key = NULL, *priv_key = NULL; |
103 |
+ |
104 |
++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { |
105 |
++ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); |
106 |
++ return 0; |
107 |
++ } |
108 |
++ |
109 |
+ ctx = BN_CTX_new(); |
110 |
+ if (ctx == NULL) |
111 |
+ goto err; |
112 |
|
113 |
diff --git a/dev-libs/openssl/files/openssl-1.1.1_pre7-CVE-2018-0732.patch b/dev-libs/openssl/files/openssl-1.1.1_pre7-CVE-2018-0732.patch |
114 |
new file mode 100644 |
115 |
index 00000000000..6c336f2507a |
116 |
--- /dev/null |
117 |
+++ b/dev-libs/openssl/files/openssl-1.1.1_pre7-CVE-2018-0732.patch |
118 |
@@ -0,0 +1,39 @@ |
119 |
+From 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe Mon Sep 17 00:00:00 2001 |
120 |
+From: Guido Vranken <guidovranken@×××××.com> |
121 |
+Date: Mon, 11 Jun 2018 19:38:54 +0200 |
122 |
+Subject: [PATCH] Reject excessively large primes in DH key generation. |
123 |
+ |
124 |
+CVE-2018-0732 |
125 |
+ |
126 |
+Signed-off-by: Guido Vranken <guidovranken@×××××.com> |
127 |
+ |
128 |
+Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@×××××.com> |
129 |
+Reviewed-by: Viktor Dukhovni <viktor@×××××××.org> |
130 |
+Reviewed-by: Rich Salz <rsalz@×××××××.org> |
131 |
+Reviewed-by: Matt Caswell <matt@×××××××.org> |
132 |
+(Merged from https://github.com/openssl/openssl/pull/6457) |
133 |
+--- |
134 |
+ crypto/dh/dh_key.c | 7 ++++++- |
135 |
+ 1 file changed, 6 insertions(+), 1 deletion(-) |
136 |
+ |
137 |
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c |
138 |
+index 6901548ed69..752542b5563 100644 |
139 |
+--- a/crypto/dh/dh_key.c |
140 |
++++ b/crypto/dh/dh_key.c |
141 |
+@@ -78,10 +78,15 @@ static int generate_key(DH *dh) |
142 |
+ int ok = 0; |
143 |
+ int generate_new_key = 0; |
144 |
+ unsigned l; |
145 |
+- BN_CTX *ctx; |
146 |
++ BN_CTX *ctx = NULL; |
147 |
+ BN_MONT_CTX *mont = NULL; |
148 |
+ BIGNUM *pub_key = NULL, *priv_key = NULL; |
149 |
+ |
150 |
++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { |
151 |
++ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); |
152 |
++ return 0; |
153 |
++ } |
154 |
++ |
155 |
+ ctx = BN_CTX_new(); |
156 |
+ if (ctx == NULL) |
157 |
+ goto err; |
158 |
|
159 |
diff --git a/dev-libs/openssl/openssl-1.0.2o-r4.ebuild b/dev-libs/openssl/openssl-1.0.2o-r4.ebuild |
160 |
deleted file mode 100644 |
161 |
index 335dce5ded3..00000000000 |
162 |
--- a/dev-libs/openssl/openssl-1.0.2o-r4.ebuild |
163 |
+++ /dev/null |
164 |
@@ -1,294 +0,0 @@ |
165 |
-# Copyright 1999-2018 Gentoo Foundation |
166 |
-# Distributed under the terms of the GNU General Public License v2 |
167 |
- |
168 |
-EAPI="6" |
169 |
- |
170 |
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal |
171 |
- |
172 |
-PATCH_SET="openssl-1.0.2-patches-1.4" |
173 |
-MY_P=${P/_/-} |
174 |
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)" |
175 |
-HOMEPAGE="https://www.openssl.org/" |
176 |
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz |
177 |
- mirror://gentoo/${PATCH_SET}.tar.xz |
178 |
- https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz |
179 |
- https://dev.gentoo.org/~polynomial-c/dist/${PATCH_SET}.tar.xz" |
180 |
- |
181 |
-LICENSE="openssl" |
182 |
-SLOT="0" |
183 |
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~arm-linux ~x86-linux" |
184 |
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib" |
185 |
-RESTRICT="!bindist? ( bindist )" |
186 |
- |
187 |
-RDEPEND=">=app-misc/c_rehash-1.7-r1 |
188 |
- gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) |
189 |
- zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) |
190 |
- kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )" |
191 |
-DEPEND="${RDEPEND} |
192 |
- >=dev-lang/perl-5 |
193 |
- sctp? ( >=net-misc/lksctp-tools-1.0.12 ) |
194 |
- test? ( |
195 |
- sys-apps/diffutils |
196 |
- sys-devel/bc |
197 |
- )" |
198 |
-PDEPEND="app-misc/ca-certificates" |
199 |
- |
200 |
-# This does not copy the entire Fedora patchset, but JUST the parts that |
201 |
-# are needed to make it safe to use EC with RESTRICT=bindist. |
202 |
-# See openssl.spec for the matching numbering of SourceNNN, PatchNNN |
203 |
-SOURCE1=hobble-openssl |
204 |
-SOURCE12=ec_curve.c |
205 |
-SOURCE13=ectest.c |
206 |
-#PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC |
207 |
-#PATCH37=openssl-1.1.0-ec-curves.patch |
208 |
-FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/' |
209 |
-FEDORA_GIT_BRANCH='f25' |
210 |
-FEDORA_SRC_URI=() |
211 |
-FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 ) |
212 |
-FEDORA_PATCH=( $PATCH1 $PATCH37 ) |
213 |
-for i in "${FEDORA_SOURCE[@]}" ; do |
214 |
- FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" ) |
215 |
-done |
216 |
-for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix |
217 |
- FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" ) |
218 |
-done |
219 |
-SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )" |
220 |
- |
221 |
-S="${WORKDIR}/${MY_P}" |
222 |
- |
223 |
-MULTILIB_WRAPPED_HEADERS=( |
224 |
- usr/include/openssl/opensslconf.h |
225 |
-) |
226 |
- |
227 |
-src_prepare() { |
228 |
- if use bindist; then |
229 |
- # This just removes the prefix, and puts it into WORKDIR like the RPM. |
230 |
- for i in "${FEDORA_SOURCE[@]}" ; do |
231 |
- cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die |
232 |
- done |
233 |
- # .spec %prep |
234 |
- bash "${WORKDIR}"/"${SOURCE1}" || die |
235 |
- cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die |
236 |
- cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/crypto/ec/ || die # Moves to test/ in OpenSSL-1.1 |
237 |
- for i in "${FEDORA_PATCH[@]}" ; do |
238 |
- eapply "${DISTDIR}"/"${i}" |
239 |
- done |
240 |
- # Also see the configure parts below: |
241 |
- # enable-ec \ |
242 |
- # $(use_ssl !bindist ec2m) \ |
243 |
- # $(use_ssl !bindist srp) \ |
244 |
- fi |
245 |
- |
246 |
- # keep this in sync with app-misc/c_rehash |
247 |
- SSL_CNF_DIR="/etc/ssl" |
248 |
- |
249 |
- # Make sure we only ever touch Makefile.org and avoid patching a file |
250 |
- # that gets blown away anyways by the Configure script in src_configure |
251 |
- rm -f Makefile |
252 |
- |
253 |
- if ! use vanilla ; then |
254 |
- eapply "${WORKDIR}"/patch/*.patch |
255 |
- fi |
256 |
- |
257 |
- eapply_user |
258 |
- |
259 |
- # disable fips in the build |
260 |
- # make sure the man pages are suffixed #302165 |
261 |
- # don't bother building man pages if they're disabled |
262 |
- sed -i \ |
263 |
- -e '/DIRS/s: fips : :g' \ |
264 |
- -e '/^MANSUFFIX/s:=.*:=ssl:' \ |
265 |
- -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \ |
266 |
- -e $(has noman FEATURES \ |
267 |
- && echo '/^install:/s:install_docs::' \ |
268 |
- || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \ |
269 |
- Makefile.org \ |
270 |
- || die |
271 |
- # show the actual commands in the log |
272 |
- sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared |
273 |
- |
274 |
- # since we're forcing $(CC) as makedep anyway, just fix |
275 |
- # the conditional as always-on |
276 |
- # helps clang (#417795), and versioned gcc (#499818) |
277 |
- sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die |
278 |
- |
279 |
- # quiet out unknown driver argument warnings since openssl |
280 |
- # doesn't have well-split CFLAGS and we're making it even worse |
281 |
- # and 'make depend' uses -Werror for added fun (#417795 again) |
282 |
- [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments |
283 |
- |
284 |
- # allow openssl to be cross-compiled |
285 |
- cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die |
286 |
- chmod a+rx gentoo.config || die |
287 |
- |
288 |
- append-flags -fno-strict-aliasing |
289 |
- append-flags $(test-flags-CC -Wa,--noexecstack) |
290 |
- append-cppflags -DOPENSSL_NO_BUF_FREELISTS |
291 |
- |
292 |
- sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906 |
293 |
- # The config script does stupid stuff to prompt the user. Kill it. |
294 |
- sed -i '/stty -icanon min 0 time 50; read waste/d' config || die |
295 |
- ./config --test-sanity || die "I AM NOT SANE" |
296 |
- |
297 |
- multilib_copy_sources |
298 |
-} |
299 |
- |
300 |
-multilib_src_configure() { |
301 |
- unset APPS #197996 |
302 |
- unset SCRIPTS #312551 |
303 |
- unset CROSS_COMPILE #311473 |
304 |
- |
305 |
- tc-export CC AR RANLIB RC |
306 |
- |
307 |
- # Clean out patent-or-otherwise-encumbered code |
308 |
- # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher) |
309 |
- # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm |
310 |
- # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography |
311 |
- # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2 |
312 |
- # RC5: Expired https://en.wikipedia.org/wiki/RC5 |
313 |
- |
314 |
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } |
315 |
- echoit() { echo "$@" ; "$@" ; } |
316 |
- |
317 |
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") |
318 |
- |
319 |
- # See if our toolchain supports __uint128_t. If so, it's 64bit |
320 |
- # friendly and can use the nicely optimized code paths. #460790 |
321 |
- local ec_nistp_64_gcc_128 |
322 |
- # Disable it for now though #469976 |
323 |
- #if ! use bindist ; then |
324 |
- # echo "__uint128_t i;" > "${T}"/128.c |
325 |
- # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then |
326 |
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" |
327 |
- # fi |
328 |
- #fi |
329 |
- |
330 |
- # https://github.com/openssl/openssl/issues/2286 |
331 |
- if use ia64 ; then |
332 |
- replace-flags -g3 -g2 |
333 |
- replace-flags -ggdb3 -ggdb2 |
334 |
- fi |
335 |
- |
336 |
- local sslout=$(./gentoo.config) |
337 |
- einfo "Use configuration ${sslout:-(openssl knows best)}" |
338 |
- local config="Configure" |
339 |
- [[ -z ${sslout} ]] && config="config" |
340 |
- |
341 |
- # Fedora hobbled-EC needs 'no-ec2m', 'no-srp' |
342 |
- echoit \ |
343 |
- ./${config} \ |
344 |
- ${sslout} \ |
345 |
- $(use cpu_flags_x86_sse2 || echo "no-sse2") \ |
346 |
- enable-camellia \ |
347 |
- enable-ec \ |
348 |
- $(use_ssl !bindist ec2m) \ |
349 |
- $(use_ssl !bindist srp) \ |
350 |
- ${ec_nistp_64_gcc_128} \ |
351 |
- enable-idea \ |
352 |
- enable-mdc2 \ |
353 |
- enable-rc5 \ |
354 |
- enable-tlsext \ |
355 |
- $(use_ssl asm) \ |
356 |
- $(use_ssl gmp gmp -lgmp) \ |
357 |
- $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \ |
358 |
- $(use_ssl rfc3779) \ |
359 |
- $(use_ssl sctp) \ |
360 |
- $(use_ssl sslv2 ssl2) \ |
361 |
- $(use_ssl sslv3 ssl3) \ |
362 |
- $(use_ssl tls-heartbeat heartbeats) \ |
363 |
- $(use_ssl zlib) \ |
364 |
- --prefix="${EPREFIX}"/usr \ |
365 |
- --openssldir="${EPREFIX}"${SSL_CNF_DIR} \ |
366 |
- --libdir=$(get_libdir) \ |
367 |
- shared threads \ |
368 |
- || die |
369 |
- |
370 |
- # Clean out hardcoded flags that openssl uses |
371 |
- local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \ |
372 |
- -e 's:^CFLAG=::' \ |
373 |
- -e 's:-fomit-frame-pointer ::g' \ |
374 |
- -e 's:-O[0-9] ::g' \ |
375 |
- -e 's:-march=[-a-z0-9]* ::g' \ |
376 |
- -e 's:-mcpu=[-a-z0-9]* ::g' \ |
377 |
- -e 's:-m[a-z0-9]* ::g' \ |
378 |
- ) |
379 |
- sed -i \ |
380 |
- -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \ |
381 |
- -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \ |
382 |
- Makefile || die |
383 |
-} |
384 |
- |
385 |
-multilib_src_compile() { |
386 |
- # depend is needed to use $confopts; it also doesn't matter |
387 |
- # that it's -j1 as the code itself serializes subdirs |
388 |
- emake -j1 depend |
389 |
- emake all |
390 |
- # rehash is needed to prep the certs/ dir; do this |
391 |
- # separately to avoid parallel build issues. |
392 |
- emake rehash |
393 |
-} |
394 |
- |
395 |
-multilib_src_test() { |
396 |
- emake -j1 test |
397 |
-} |
398 |
- |
399 |
-multilib_src_install() { |
400 |
- emake INSTALL_PREFIX="${D}" install |
401 |
-} |
402 |
- |
403 |
-multilib_src_install_all() { |
404 |
- # openssl installs perl version of c_rehash by default, but |
405 |
- # we provide a shell version via app-misc/c_rehash |
406 |
- rm "${ED}"/usr/bin/c_rehash || die |
407 |
- |
408 |
- local -a DOCS=( CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el ) |
409 |
- einstalldocs |
410 |
- |
411 |
- use rfc3779 && dodoc engines/ccgost/README.gost |
412 |
- |
413 |
- # This is crappy in that the static archives are still built even |
414 |
- # when USE=static-libs. But this is due to a failing in the openssl |
415 |
- # build system: the static archives are built as PIC all the time. |
416 |
- # Only way around this would be to manually configure+compile openssl |
417 |
- # twice; once with shared lib support enabled and once without. |
418 |
- use static-libs || rm -f "${ED}"/usr/lib*/lib*.a |
419 |
- |
420 |
- # create the certs directory |
421 |
- dodir ${SSL_CNF_DIR}/certs |
422 |
- cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die |
423 |
- rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired} |
424 |
- |
425 |
- # Namespace openssl programs to prevent conflicts with other man pages |
426 |
- cd "${ED}"/usr/share/man |
427 |
- local m d s |
428 |
- for m in $(find . -type f | xargs grep -L '#include') ; do |
429 |
- d=${m%/*} ; d=${d#./} ; m=${m##*/} |
430 |
- [[ ${m} == openssl.1* ]] && continue |
431 |
- [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!" |
432 |
- mv ${d}/{,ssl-}${m} |
433 |
- # fix up references to renamed man pages |
434 |
- sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m} |
435 |
- ln -s ssl-${m} ${d}/openssl-${m} |
436 |
- # locate any symlinks that point to this man page ... we assume |
437 |
- # that any broken links are due to the above renaming |
438 |
- for s in $(find -L ${d} -type l) ; do |
439 |
- s=${s##*/} |
440 |
- rm -f ${d}/${s} |
441 |
- ln -s ssl-${m} ${d}/ssl-${s} |
442 |
- ln -s ssl-${s} ${d}/openssl-${s} |
443 |
- done |
444 |
- done |
445 |
- [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :(" |
446 |
- |
447 |
- dodir /etc/sandbox.d #254521 |
448 |
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl |
449 |
- |
450 |
- diropts -m0700 |
451 |
- keepdir ${SSL_CNF_DIR}/private |
452 |
-} |
453 |
- |
454 |
-pkg_postinst() { |
455 |
- ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069" |
456 |
- c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null |
457 |
- eend $? |
458 |
-} |
459 |
|
460 |
diff --git a/dev-libs/openssl/openssl-1.0.2o-r5.ebuild b/dev-libs/openssl/openssl-1.0.2o-r6.ebuild |
461 |
similarity index 99% |
462 |
rename from dev-libs/openssl/openssl-1.0.2o-r5.ebuild |
463 |
rename to dev-libs/openssl/openssl-1.0.2o-r6.ebuild |
464 |
index 5f43db3451e..f7ae84bae16 100644 |
465 |
--- a/dev-libs/openssl/openssl-1.0.2o-r5.ebuild |
466 |
+++ b/dev-libs/openssl/openssl-1.0.2o-r6.ebuild |
467 |
@@ -90,6 +90,7 @@ src_prepare() { |
468 |
|
469 |
if ! use vanilla ; then |
470 |
eapply "${WORKDIR}"/patch/*.patch |
471 |
+ eapply "${FILESDIR}"/${P}-CVE-2018-0732.patch |
472 |
fi |
473 |
|
474 |
eapply_user |
475 |
|
476 |
diff --git a/dev-libs/openssl/openssl-1.1.0h-r1.ebuild b/dev-libs/openssl/openssl-1.1.0h-r2.ebuild |
477 |
similarity index 99% |
478 |
rename from dev-libs/openssl/openssl-1.1.0h-r1.ebuild |
479 |
rename to dev-libs/openssl/openssl-1.1.0h-r2.ebuild |
480 |
index 6e38d19eaf5..5881fe74d35 100644 |
481 |
--- a/dev-libs/openssl/openssl-1.1.0h-r1.ebuild |
482 |
+++ b/dev-libs/openssl/openssl-1.1.0h-r2.ebuild |
483 |
@@ -57,6 +57,7 @@ MULTILIB_WRAPPED_HEADERS=( |
484 |
PATCHES=( |
485 |
"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618 |
486 |
"${FILESDIR}"/${P}-CVE-2018-0737.patch |
487 |
+ "${FILESDIR}"/${P}-CVE-2018-0732.patch |
488 |
) |
489 |
|
490 |
src_prepare() { |
491 |
|
492 |
diff --git a/dev-libs/openssl/openssl-1.1.1_pre7.ebuild b/dev-libs/openssl/openssl-1.1.1_pre7-r1.ebuild |
493 |
similarity index 99% |
494 |
rename from dev-libs/openssl/openssl-1.1.1_pre7.ebuild |
495 |
rename to dev-libs/openssl/openssl-1.1.1_pre7-r1.ebuild |
496 |
index e022bf39b77..d7246b0d043 100644 |
497 |
--- a/dev-libs/openssl/openssl-1.1.1_pre7.ebuild |
498 |
+++ b/dev-libs/openssl/openssl-1.1.1_pre7-r1.ebuild |
499 |
@@ -36,6 +36,7 @@ MULTILIB_WRAPPED_HEADERS=( |
500 |
|
501 |
PATCHES=( |
502 |
"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618 |
503 |
+ "${FILESDIR}"/${P}-CVE-2018-0732.patch |
504 |
) |
505 |
|
506 |
src_prepare() { |