[gentoo-commits] repo/gentoo:master commit in: net-im/openfire/ - gentoo-commits

From:	Michael Orlitzky <mjo@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: net-im/openfire/
Date:	Sun, 23 Jun 2019 17:15:55
Message-Id:	`1561310116.c32aef5d13c57017978860eb65c1c4f5ce88721c.mjo@gentoo`

1

commit:     c32aef5d13c57017978860eb65c1c4f5ce88721c

2

Author:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>

3

AuthorDate: Sun Jun 23 17:13:53 2019 +0000

4

Commit:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>

5

CommitDate: Sun Jun 23 17:15:16 2019 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c32aef5d

7

8

net-im/openfire: new revision to clean up ownership handling.

9

10

The new revision (-r2) is intended to clean up some of the ownership

11

and group handling that led to the security issue in bug 630914. Note

12

that while that *particular* bug was fixed, the ebuild was still

13

calling "chmod" in a user-controlled directory, which is also

14

exploitable. The following changes hopefully eliminate all of

15

those problems:

16

17

  * Add /opt/openfire/conf to CONFIG_PROTECT.

18

19

  * Use insopts/diropts to create everything under /opt/openfire with

20

    the correct ownership and permissions to begin with.

21

22

  * Install conf/openfire.xml and conf/security.xml in src_install(),

23

    instead of creating (and chmod'ing) them later in pkg_postinst().

24

25

  * Drop pkg_postinst() entirely now that we install {openfire,security}.xml

26

    in src_install().

27

28

Bug: https://bugs.gentoo.org/630914

29

Signed-off-by: Michael Orlitzky <mjo <AT> gentoo.org>

30

Package-Manager: Portage-2.3.66, Repoman-2.3.11

31

32

 net-im/openfire/openfire-4.2.3-r2.ebuild | 80 ++++++++++++++++++++++++++++++++

33

 1 file changed, 80 insertions(+)

34

35

diff --git a/net-im/openfire/openfire-4.2.3-r2.ebuild b/net-im/openfire/openfire-4.2.3-r2.ebuild

36

new file mode 100644

37

index 00000000000..d504e403aba

38

--- /dev/null

39

+++ b/net-im/openfire/openfire-4.2.3-r2.ebuild

40

@@ -0,0 +1,80 @@

41

+# Copyright 1999-2019 Gentoo Authors

42

+# Distributed under the terms of the GNU General Public License v2

43

+

44

+EAPI=6

45

+

46

+inherit eutils java-pkg-2 java-ant-2 systemd

47

+

48

+MY_P=${PN}_src_${PV//./_}

49

+DESCRIPTION="Openfire (formerly wildfire) real time collaboration (RTC) server"

50

+HOMEPAGE="http://www.igniterealtime.org/projects/openfire/"

51

+SRC_URI="http://www.igniterealtime.org/builds/openfire/${MY_P}.tar.gz"

52

+

53

+LICENSE="GPL-2"

54

+SLOT="0"

55

+KEYWORDS="~amd64 ~x86"

56

+IUSE="doc"

57

+

58

+RDEPEND=">=virtual/jre-1.7"

59

+DEPEND="net-im/jabber-base

60

+	~dev-java/ant-contrib-1.0_beta2

61

+	>=virtual/jdk-1.7"

62

+

63

+S=${WORKDIR}/${PN}_src

64

+

65

+pkg_setup() {

66

+	java-pkg-2_pkg_setup

67

+}

68

+

69

+src_compile() {

70

+	# Jikes doesn't support -source 1.5

71

+	java-pkg_filter-compiler jikes

72

+

73

+	ANT_TASKS="ant-contrib"

74

+	eant -f build/build.xml openfire plugins $(use_doc)

75

+

76

+	# delete nativeAuth prebuilt libs:

77

+	#    uses outdated unmaintained libshaj, does not support amd64

78

+	rm -rfv target/openfire/resources/nativeAuth || die

79

+}

80

+

81

+src_install() {

82

+	#Protect ssl key on upgrade

83

+	dodir /etc/env.d/

84

+	echo 'CONFIG_PROTECT="/opt/openfire/resources/security/"' > "${D}"/etc/env.d/98openfire

85

+	echo 'CONFIG_PROTECT="/opt/openfire/conf/"' > "${D}"/etc/env.d/98openfire

86

+

87

+	newinitd "${FILESDIR}"/openfire-initd openfire

88

+	newconfd "${FILESDIR}"/openfire-confd openfire

89

+	systemd_dounit "${FILESDIR}"/${PN}.service

90

+

91

+	diropts --owner=jabber --group=jabber

92

+	insopts --owner=jabber --group=jabber

93

+	dodir /opt/openfire

94

+

95

+	dodir /opt/openfire/logs

96

+	keepdir /opt/openfire/logs

97

+

98

+	dodir /opt/openfire/lib

99

+	insinto /opt/openfire/lib

100

+	doins target/openfire/lib/*

101

+

102

+	dodir /opt/openfire/plugins

103

+	insinto /opt/openfire/plugins

104

+	doins -r target/openfire/plugins/*

105

+

106

+	dodir /opt/openfire/resources

107

+	insinto /opt/openfire/resources

108

+	doins -r target/openfire/resources/*

109

+

110

+	if use doc; then

111

+		dohtml -r documentation/docs/*

112

+	fi

113

+	dodoc documentation/dist/*

114

+

115

+	dodir /opt/openfire/conf

116

+	insinto /opt/openfire/conf

117

+	insopts --mode=0600 --owner=jabber --group=jabber

118

+	newins target/openfire/conf/openfire.xml openfire.xml

119

+	newins target/openfire/conf/security.xml security.xml

120

+}

1	commit: c32aef5d13c57017978860eb65c1c4f5ce88721c
2	Author: Michael Orlitzky <mjo <AT> gentoo <DOT> org>
3	AuthorDate: Sun Jun 23 17:13:53 2019 +0000
4	Commit: Michael Orlitzky <mjo <AT> gentoo <DOT> org>
5	CommitDate: Sun Jun 23 17:15:16 2019 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c32aef5d
7
8	net-im/openfire: new revision to clean up ownership handling.
9
10	The new revision (-r2) is intended to clean up some of the ownership
11	and group handling that led to the security issue in bug 630914. Note
12	that while that particular bug was fixed, the ebuild was still
13	calling "chmod" in a user-controlled directory, which is also
14	exploitable. The following changes hopefully eliminate all of
15	those problems:
16
17	* Add /opt/openfire/conf to CONFIG_PROTECT.
18
19	* Use insopts/diropts to create everything under /opt/openfire with
20	the correct ownership and permissions to begin with.
21
22	* Install conf/openfire.xml and conf/security.xml in src_install(),
23	instead of creating (and chmod'ing) them later in pkg_postinst().
24
25	* Drop pkg_postinst() entirely now that we install {openfire,security}.xml
26	in src_install().
27
28	Bug: https://bugs.gentoo.org/630914
29	Signed-off-by: Michael Orlitzky <mjo <AT> gentoo.org>
30	Package-Manager: Portage-2.3.66, Repoman-2.3.11
31
32	net-im/openfire/openfire-4.2.3-r2.ebuild \| 80 ++++++++++++++++++++++++++++++++
33	1 file changed, 80 insertions(+)
34
35	diff --git a/net-im/openfire/openfire-4.2.3-r2.ebuild b/net-im/openfire/openfire-4.2.3-r2.ebuild
36	new file mode 100644
37	index 00000000000..d504e403aba
38	--- /dev/null
39	+++ b/net-im/openfire/openfire-4.2.3-r2.ebuild
40	@@ -0,0 +1,80 @@
41	+# Copyright 1999-2019 Gentoo Authors
42	+# Distributed under the terms of the GNU General Public License v2
43	+
44	+EAPI=6
45	+
46	+inherit eutils java-pkg-2 java-ant-2 systemd
47	+
48	+MY_P=${PN}_src_${PV//./_}
49	+DESCRIPTION="Openfire (formerly wildfire) real time collaboration (RTC) server"
50	+HOMEPAGE="http://www.igniterealtime.org/projects/openfire/"
51	+SRC_URI="http://www.igniterealtime.org/builds/openfire/${MY_P}.tar.gz"
52	+
53	+LICENSE="GPL-2"
54	+SLOT="0"
55	+KEYWORDS="~amd64 ~x86"
56	+IUSE="doc"
57	+
58	+RDEPEND=">=virtual/jre-1.7"
59	+DEPEND="net-im/jabber-base
60	+ ~dev-java/ant-contrib-1.0_beta2
61	+ >=virtual/jdk-1.7"
62	+
63	+S=${WORKDIR}/${PN}_src
64	+
65	+pkg_setup() {
66	+ java-pkg-2_pkg_setup
67	+}
68	+
69	+src_compile() {
70	+ # Jikes doesn't support -source 1.5
71	+ java-pkg_filter-compiler jikes
72	+
73	+ ANT_TASKS="ant-contrib"
74	+ eant -f build/build.xml openfire plugins $(use_doc)
75	+
76	+ # delete nativeAuth prebuilt libs:
77	+ # uses outdated unmaintained libshaj, does not support amd64
78	+ rm -rfv target/openfire/resources/nativeAuth \|\| die
79	+}
80	+
81	+src_install() {
82	+ #Protect ssl key on upgrade
83	+ dodir /etc/env.d/
84	+ echo 'CONFIG_PROTECT="/opt/openfire/resources/security/"' > "${D}"/etc/env.d/98openfire
85	+ echo 'CONFIG_PROTECT="/opt/openfire/conf/"' > "${D}"/etc/env.d/98openfire
86	+
87	+ newinitd "${FILESDIR}"/openfire-initd openfire
88	+ newconfd "${FILESDIR}"/openfire-confd openfire
89	+ systemd_dounit "${FILESDIR}"/${PN}.service
90	+
91	+ diropts --owner=jabber --group=jabber
92	+ insopts --owner=jabber --group=jabber
93	+ dodir /opt/openfire
94	+
95	+ dodir /opt/openfire/logs
96	+ keepdir /opt/openfire/logs
97	+
98	+ dodir /opt/openfire/lib
99	+ insinto /opt/openfire/lib
100	+ doins target/openfire/lib/*
101	+
102	+ dodir /opt/openfire/plugins
103	+ insinto /opt/openfire/plugins
104	+ doins -r target/openfire/plugins/*
105	+
106	+ dodir /opt/openfire/resources
107	+ insinto /opt/openfire/resources
108	+ doins -r target/openfire/resources/*
109	+
110	+ if use doc; then
111	+ dohtml -r documentation/docs/*
112	+ fi
113	+ dodoc documentation/dist/*
114	+
115	+ dodir /opt/openfire/conf
116	+ insinto /opt/openfire/conf
117	+ insopts --mode=0600 --owner=jabber --group=jabber
118	+ newins target/openfire/conf/openfire.xml openfire.xml
119	+ newins target/openfire/conf/security.xml security.xml
120	+}

Gentoo Archives: gentoo-commits