
From: Mike Gilbert <floppym@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-apps/systemd/files/, sys-apps/systemd/
Date: Sat, 28 Oct 2017 18:58:40
Message-Id: 1509217109.2e698f887553690f3172ab1c1cabf36296dd901e.floppym@gentoo
1 commit: 2e698f887553690f3172ab1c1cabf36296dd901e
2 Author: Mike Gilbert <floppym <AT> gentoo <DOT> org>
3 AuthorDate: Sat Oct 28 18:57:31 2017 +0000
4 Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org>
5 CommitDate: Sat Oct 28 18:58:29 2017 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e698f88
7
8 sys-apps/systemd: backport fix for CVE-2017-9217
9
10 Bug: https://bugs.gentoo.org/635718
11 Package-Manager: Portage-2.3.12_p5, Repoman-2.3.3_p75
12
13 sys-apps/systemd/files/CVE-2017-9217.patch | 28 ++
14 sys-apps/systemd/systemd-233-r6.ebuild | 462 +++++++++++++++++++++++++++++
15 2 files changed, 490 insertions(+)
16
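diff --git a/sys-apps/systemd/files/CVE-2017-9217.patch b/sys-apps/systemd/files/CVE-2017-9217.patch
new file mode 100644
index 00000000000..68d0f36d491
--- /dev/null
+++ b/sys-apps/systemd/files/CVE-2017-9217.patch
@@ -0,0 +1,28 @@
+From a924f43f30f9c4acaf70618dd2a055f8b0f166be Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@××.ru>
+Date: Wed, 24 May 2017 08:56:48 +0300
+Subject: [PATCH] resolved: bugfix of null pointer p->question dereferencing
+ (#6020)
+
+See https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1621396
+---
+ src/resolve/resolved-dns-packet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
+index 652970284..240ee448f 100644
+--- a/src/resolve/resolved-dns-packet.c
++++ b/src/resolve/resolved-dns-packet.c
+@@ -2269,6 +2269,9 @@ int dns_packet_is_reply_for(DnsPacket *p, const DnsResourceKey *key) {
+ if (r < 0)
+ return r;
+
++ if (!p->question)
++ return 0;
++
+ if (p->question->n_keys != 1)
+ return 0;
+
+--
+2.15.0.rc2
+
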
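diff --git a/sys-apps/systemd/systemd-233-r6.ebuild b/sys-apps/systemd/systemd-233-r6.ebuild
new file mode 100644
index 00000000000..e6ffcf46e81
--- /dev/null
+++ b/sys-apps/systemd/systemd-233-r6.ebuild
@@ -0,0 +1,462 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+if [[ ${PV} == 9999 ]]; then
+ EGIT_REPO_URI="https://github.com/systemd/systemd.git"
+ inherit git-r3
+else
+ SRC_URI="https://github.com/systemd/systemd/archive/v${PV}.tar.gz -> ${P}.tar.gz
+ !doc? ( https://dev.gentoo.org/~floppym/dist/${P}-man.tar.gz )"
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~sparc ~x86"
+fi
+
+PYTHON_COMPAT=( python{3_4,3_5,3_6} )
+
+inherit autotools bash-completion-r1 linux-info multilib-minimal pam python-any-r1 systemd toolchain-funcs udev user
+
+DESCRIPTION="System and service manager for Linux"
+HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd"
+
+LICENSE="GPL-2 LGPL-2.1 MIT public-domain"
+SLOT="0/2"
+IUSE="acl apparmor audit build cryptsetup curl doc elfutils +gcrypt gnuefi http
+ idn importd +kmod +lz4 lzma nat pam policykit
+ qrcode +seccomp selinux ssl sysv-utils test vanilla xkb"
+
+REQUIRED_USE="importd? ( curl gcrypt lzma )"
+
+MINKV="3.11"
+
+COMMON_DEPEND=">=sys-apps/util-linux-2.27.1:0=[${MULTILIB_USEDEP}]
+ sys-libs/libcap:0=[${MULTILIB_USEDEP}]
+ !<sys-libs/glibc-2.16
+ acl? ( sys-apps/acl:0= )
+ apparmor? ( sys-libs/libapparmor:0= )
+ audit? ( >=sys-process/audit-2:0= )
+ cryptsetup? ( >=sys-fs/cryptsetup-1.6:0= )
+ curl? ( net-misc/curl:0= )
+ elfutils? ( >=dev-libs/elfutils-0.158:0= )
+ gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] )
+ http? (
+ >=net-libs/libmicrohttpd-0.9.33:0=
+ ssl? ( >=net-libs/gnutls-3.1.4:0= )
+ )
+ idn? ( net-dns/libidn:0= )
+ importd? (
+ app-arch/bzip2:0=
+ sys-libs/zlib:0=
+ )
+ kmod? ( >=sys-apps/kmod-15:0= )
+ lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] )
+ lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] )
+ nat? ( net-firewall/iptables:0= )
+ pam? ( virtual/pam:=[${MULTILIB_USEDEP}] )
+ qrcode? ( media-gfx/qrencode:0= )
+ seccomp? ( >=sys-libs/libseccomp-2.3.1:0= )
+ selinux? ( sys-libs/libselinux:0= )
+ sysv-utils? (
+ !sys-apps/systemd-sysv-utils
+ !sys-apps/sysvinit )
+ xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= )
+ abi_x86_32? ( !<=app-emulation/emul-linux-x86-baselibs-20130224-r9
+ !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)] )"
+
+# baselayout-2.2 has /run
+RDEPEND="${COMMON_DEPEND}
+ >=sys-apps/baselayout-2.2
+ selinux? ( sec-policy/selinux-base-policy[systemd] )
+ !build? ( || (
+ sys-apps/util-linux[kill(-)]
+ sys-process/procps[kill(+)]
+ sys-apps/coreutils[kill(-)]
+ ) )
+ !sys-auth/nss-myhostname
+ !<sys-kernel/dracut-044
+ !sys-fs/eudev
+ !sys-fs/udev"
+
+# sys-apps/dbus: the daemon only (+ build-time lib dep for tests)
+PDEPEND=">=sys-apps/dbus-1.9.8[systemd]
+ >=sys-apps/hwids-20150417[udev]
+ >=sys-fs/udev-init-scripts-25
+ policykit? ( sys-auth/polkit )
+ !vanilla? ( sys-apps/gentoo-systemd-integration )"
+
+# Newer linux-headers needed by ia64, bug #480218
+DEPEND="${COMMON_DEPEND}
+ app-arch/xz-utils:0
+ dev-util/gperf
+ >=dev-util/intltool-0.50
+ >=sys-apps/coreutils-8.16
+ >=sys-kernel/linux-headers-${MINKV}
+ virtual/pkgconfig
+ gnuefi? ( >=sys-boot/gnu-efi-3.0.2 )
+ test? ( sys-apps/dbus )
+ app-text/docbook-xml-dtd:4.2
+ app-text/docbook-xml-dtd:4.5
+ app-text/docbook-xsl-stylesheets
+ dev-libs/libxslt:0
+ doc? ( $(python_gen_any_dep 'dev-python/lxml[${PYTHON_USEDEP}]') )
+"
+
+python_check_deps() {
+ has_version --host-root "dev-python/lxml[${PYTHON_USEDEP}]"
+}
+
+pkg_pretend() {
+ if [[ ${MERGE_TYPE} != buildonly ]]; then
+ local CONFIG_CHECK="~AUTOFS4_FS ~BLK_DEV_BSG ~CGROUPS
+ ~CHECKPOINT_RESTORE ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE
+ ~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS
+ ~TIMERFD ~TMPFS_XATTR ~UNIX
+ ~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH
+ ~!FW_LOADER_USER_HELPER ~!GRKERNSEC_PROC ~!IDE ~!SYSFS_DEPRECATED
+ ~!SYSFS_DEPRECATED_V2"
+
+ use acl && CONFIG_CHECK+=" ~TMPFS_POSIX_ACL"
+ use seccomp && CONFIG_CHECK+=" ~SECCOMP ~SECCOMP_FILTER"
+ kernel_is -lt 3 7 && CONFIG_CHECK+=" ~HOTPLUG"
+ kernel_is -lt 4 7 && CONFIG_CHECK+=" ~DEVPTS_MULTIPLE_INSTANCES"
+
+ if linux_config_exists; then
+ local uevent_helper_path=$(linux_chkconfig_string UEVENT_HELPER_PATH)
+ if [[ -n ${uevent_helper_path} ]] && [[ ${uevent_helper_path} != '""' ]]; then
+ ewarn "It's recommended to set an empty value to the following kernel config option:"
+ ewarn "CONFIG_UEVENT_HELPER_PATH=${uevent_helper_path}"
+ fi
+ if linux_chkconfig_present X86; then
+ CONFIG_CHECK+=" ~DMIID"
+ fi
+ fi
+
+ if kernel_is -lt ${MINKV//./ }; then
+ ewarn "Kernel version at least ${MINKV} required"
+ fi
+
+ check_extra_config
+ fi
+}
+
+pkg_setup() {
+ :
+}
+
+src_unpack() {
+ default
+ [[ ${PV} != 9999 ]] || git-r3_src_unpack
+}
+
+src_prepare() {
+ # Bug 463376
+ sed -i -e 's/GROUP="dialout"/GROUP="uucp"/' rules/*.rules || die
+
+ local PATCHES=(
+ "${FILESDIR}/233-0001-Avoid-strict-DM-interface-version-dependencies-5519.patch"
+ "${FILESDIR}/233-CVE-2017-9445.patch"
+ "${FILESDIR}/233-format-warnings.patch"
+ "${FILESDIR}/233-0002-core-load-fragment-refuse-units-with-errors-in-RootD.patch"
+ "${FILESDIR}/233-0003-core-load-fragment-refuse-units-with-errors-in-certa.patch"
+ "${FILESDIR}/CVE-2017-15908.patch"
+ "${FILESDIR}/CVE-2017-9217.patch"
+ )
+
+ if ! use vanilla; then
+ PATCHES+=(
+ "${FILESDIR}/218-Dont-enable-audit-by-default.patch"
+ "${FILESDIR}/228-noclean-tmp.patch"
+ "${FILESDIR}/233-systemd-user-pam.patch"
+ )
+ fi
+
+ [[ -d "${WORKDIR}"/patches ]] && PATCHES+=( "${WORKDIR}"/patches )
+
+ default
+
+ eautoreconf
+}
+
+src_configure() {
+ # Keep using the one where the rules were installed.
+ MY_UDEVDIR=$(get_udevdir)
+ # Fix systems broken by bug #509454.
+ [[ ${MY_UDEVDIR} ]] || MY_UDEVDIR=/lib/udev
+
+ # Prevent conflicts with i686 cross toolchain, bug 559726
+ tc-export AR CC NM OBJCOPY RANLIB
+
+ use doc && python_setup
+
+ multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+ local myeconfargs=(
+ # disable -flto since it is an optimization flag
+ # and makes distcc less effective
+ cc_cv_CFLAGS__flto=no
+ # disable -fuse-ld=gold since Gentoo supports explicit linker
+ # choice and forcing gold is undesired, #539998
+ # ld.gold may collide with user's LDFLAGS, #545168
+ # ld.gold breaks sparc, #573874
+ cc_cv_LDFLAGS__Wl__fuse_ld_gold=no
+
+ # Workaround for gcc-4.7, bug 554454.
+ cc_cv_CFLAGS__Werror_shadow=no
+
+ # Workaround for bug 516346
+ --enable-dependency-tracking
+
+ --disable-maintainer-mode
+ --localstatedir=/var
+ --with-pamlibdir=$(getpam_mod_dir)
+ # avoid bash-completion dep
+ --with-bashcompletiondir="$(get_bashcompdir)"
+ # make sure we get /bin:/sbin in $PATH
+ --enable-split-usr
+ # For testing.
+ --with-rootprefix="${ROOTPREFIX-/usr}"
+ --with-rootlibdir="${ROOTPREFIX-/usr}/$(get_libdir)"
+ # disable sysv compatibility
+ --with-sysvinit-path=
+ --with-sysvrcnd-path=
+ # no deps
+ --enable-efi
+ --enable-ima
+
+ # Optional components/dependencies
+ $(multilib_native_use_enable acl)
+ $(multilib_native_use_enable apparmor)
+ $(multilib_native_use_enable audit)
+ $(multilib_native_use_enable cryptsetup libcryptsetup)
+ $(multilib_native_use_enable curl libcurl)
+ $(multilib_native_use_enable elfutils)
+ $(use_enable gcrypt)
+ $(multilib_native_use_enable gnuefi)
+ --with-efi-libdir="/usr/$(get_libdir)"
+ $(multilib_native_use_enable http microhttpd)
+ $(usex http $(multilib_native_use_enable ssl gnutls) --disable-gnutls)
+ $(multilib_native_use_enable idn libidn)
+ $(multilib_native_use_enable importd)
+ $(multilib_native_use_enable importd bzip2)
+ $(multilib_native_use_enable importd zlib)
+ $(multilib_native_use_enable kmod)
+ $(use_enable lz4)
+ $(use_enable lzma xz)
+ $(multilib_native_use_enable nat libiptc)
+ $(use_enable pam)
+ $(multilib_native_use_enable policykit polkit)
+ $(multilib_native_use_enable qrcode qrencode)
+ $(multilib_native_use_enable seccomp)
+ $(multilib_native_use_enable selinux)
+ $(multilib_native_use_enable test tests)
+ $(multilib_native_use_enable test dbus)
+ $(multilib_native_use_enable xkb xkbcommon)
+ $(multilib_native_use_with doc python)
+
+ # hardcode a few paths to spare some deps
+ KILL=/bin/kill
+ QUOTAON=/usr/sbin/quotaon
+ QUOTACHECK=/usr/sbin/quotacheck
+
+ # TODO: we may need to restrict this to gcc
+ EFI_CC="$(tc-getCC)"
+
+ # dbus paths
+ --with-dbuspolicydir="${EPREFIX}/etc/dbus-1/system.d"
+ --with-dbussessionservicedir="${EPREFIX}/usr/share/dbus-1/services"
+ --with-dbussystemservicedir="${EPREFIX}/usr/share/dbus-1/system-services"
+
+ --with-ntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org"
+
+ # Breaks screen, tmux, etc.
+ --without-kill-user-processes
+ )
+
+ # Work around bug 463846.
+ tc-export CC
+
+ ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+ local mymakeopts=(
+ udevlibexecdir="${MY_UDEVDIR}"
+ )
+
+ if multilib_is_native_abi; then
+ emake "${mymakeopts[@]}"
+ else
+ emake built-sources
+ local targets=(
+ '$(rootlib_LTLIBRARIES)'
+ '$(lib_LTLIBRARIES)'
+ '$(pamlib_LTLIBRARIES)'
+ '$(pkgconfiglib_DATA)'
+ )
+ echo "gentoo: ${targets[*]}" | emake "${mymakeopts[@]}" -f Makefile -f - gentoo
+ fi
+}
+
+multilib_src_test() {
+ multilib_is_native_abi || return 0
+ default
+}
+
+multilib_src_install() {
+ local mymakeopts=(
+ # automake fails with parallel libtool relinking
+ # https://bugs.gentoo.org/show_bug.cgi?id=491398
+ -j1
+
+ udevlibexecdir="${MY_UDEVDIR}"
+ dist_udevhwdb_DATA=
+ DESTDIR="${D}"
+ )
+
+ if multilib_is_native_abi; then
+ emake "${mymakeopts[@]}" install
+ else
+ mymakeopts+=(
+ install-rootlibLTLIBRARIES
+ install-libLTLIBRARIES
+ install-pamlibLTLIBRARIES
+ install-pkgconfiglibDATA
+ install-includeHEADERS
+ install-pkgincludeHEADERS
+ )
+
+ emake "${mymakeopts[@]}"
+ fi
+}
+
+multilib_src_install_all() {
+ prune_libtool_files --modules
+ einstalldocs
+ dodoc "${FILESDIR}"/nsswitch.conf
+
+ if [[ ${PV} != 9999 ]]; then
+ use doc || doman "${WORKDIR}"/man/systemd.{directives,index}.7
+ fi
+
+ if use sysv-utils; then
+ for app in halt poweroff reboot runlevel shutdown telinit; do
+ dosym "..${ROOTPREFIX-/usr}/bin/systemctl" /sbin/${app}
+ done
+ dosym "..${ROOTPREFIX-/usr}/lib/systemd/systemd" /sbin/init
+ else
+ # we just keep sysvinit tools, so no need for the mans
+ rm "${D}"/usr/share/man/man8/{halt,poweroff,reboot,runlevel,shutdown,telinit}.8 \
+ || die
+ rm "${D}"/usr/share/man/man1/init.1 || die
+ fi
+
+ # Preserve empty dirs in /etc & /var, bug #437008
+ keepdir /etc/binfmt.d /etc/modules-load.d /etc/tmpfiles.d \
+ /etc/systemd/ntp-units.d /etc/systemd/user /var/lib/systemd \
+ /var/log/journal/remote
+
+ # Symlink /etc/sysctl.conf for easy migration.
+ dosym ../sysctl.conf /etc/sysctl.d/99-sysctl.conf
+
+ # If we install these symlinks, there is no way for the sysadmin to remove them
+ # permanently.
+ rm "${D}"/etc/systemd/system/multi-user.target.wants/systemd-networkd.service || die
+ rm -f "${D}"/etc/systemd/system/multi-user.target.wants/systemd-resolved.service || die
+ rm -r "${D}"/etc/systemd/system/network-online.target.wants || die
+ rm -r "${D}"/etc/systemd/system/sockets.target.wants || die
+ rm -r "${D}"/etc/systemd/system/sysinit.target.wants || die
+}
+
+migrate_locale() {
+ local envd_locale_def="${EROOT%/}/etc/env.d/02locale"
+ local envd_locale=( "${EROOT%/}"/etc/env.d/??locale )
+ local locale_conf="${EROOT%/}/etc/locale.conf"
+
+ if [[ ! -L ${locale_conf} && ! -e ${locale_conf} ]]; then
+ # If locale.conf does not exist...
+ if [[ -e ${envd_locale} ]]; then
+ # ...either copy env.d/??locale if there's one
+ ebegin "Moving ${envd_locale} to ${locale_conf}"
+ mv "${envd_locale}" "${locale_conf}"
+ eend ${?} || FAIL=1
+ else
+ # ...or create a dummy default
+ ebegin "Creating ${locale_conf}"
+ cat > "${locale_conf}" <<-EOF
+ # This file has been created by the sys-apps/systemd ebuild.
+ # See locale.conf(5) and localectl(1).
+
+ # LANG=${LANG}
+ EOF
+ eend ${?} || FAIL=1
+ fi
+ fi
+
+ if [[ ! -L ${envd_locale} ]]; then
+ # now, if env.d/??locale is not a symlink (to locale.conf)...
+ if [[ -e ${envd_locale} ]]; then
+ # ...warn the user that he has duplicate locale settings
+ ewarn
+ ewarn "To ensure consistent behavior, you should replace ${envd_locale}"
+ ewarn "with a symlink to ${locale_conf}. Please migrate your settings"
+ ewarn "and create the symlink with the following command:"
+ ewarn "ln -s -n -f ../locale.conf ${envd_locale}"
+ ewarn
+ else
+ # ...or just create the symlink if there's nothing here
+ ebegin "Creating ${envd_locale_def} -> ../locale.conf symlink"
+ ln -n -s ../locale.conf "${envd_locale_def}"
+ eend ${?} || FAIL=1
+ fi
+ fi
+}
+
+pkg_postinst() {
+ newusergroup() {
+ enewgroup "$1"
+ enewuser "$1" -1 -1 -1 "$1"
+ }
+
+ enewgroup input
+ enewgroup systemd-journal
+ newusergroup systemd-bus-proxy
+ newusergroup systemd-coredump
+ newusergroup systemd-journal-gateway
+ newusergroup systemd-journal-remote
+ newusergroup systemd-journal-upload
+ newusergroup systemd-network
+ newusergroup systemd-resolve
+ newusergroup systemd-timesync
+
+ systemd_update_catalog
+
+ # Keep this here in case the database format changes so it gets updated
+ # when required. Despite that this file is owned by sys-apps/hwids.
+ if has_version "sys-apps/hwids[udev]"; then
+ udevadm hwdb --update --root="${ROOT%/}"
+ fi
+
+ udev_reload || FAIL=1
+
+ # Bug 465468, make sure locales are respect, and ensure consistency
+ # between OpenRC & systemd
+ migrate_locale
+
+ systemd_reenable systemd-networkd.service systemd-resolved.service
+
+ if [[ ${FAIL} ]]; then
+ eerror "One of the postinst commands failed. Please check the postinst output"
+ eerror "for errors. You may need to clean up your system and/or try installing"
+ eerror "systemd again."
+ eerror
+ fi
+}
+
+pkg_prerm() {
+ # If removing systemd completely, remove the catalog database.
+ if [[ ! ${REPLACED_BY_VERSION} ]]; then
+ rm -f -v "${EROOT}"/var/lib/systemd/catalog/database
+ fi
+}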
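Review bot: In migrate_locale, `envd_locale` is declared as an array filled by the `??locale` glob, but every later use (`-e ${envd_locale}`, `mv "${envd_locale}"`, `-L ${envd_locale}` and the ewarn messages) expands only its first element, so on a system with more than one env.d locale file the remaining ones are silently ignored by the move, the symlink check and the duplicate-settings warning. A small guard before the first `if` would at least make that visible: `if (( ${#envd_locale[@]} > 1 )); then ewarn "Multiple locale files in env.d, only ${envd_locale[0]} is considered: ${envd_locale[*]}"; fi`. This appears to be carried over from the previous revision rather than introduced here, since the commit's stated change is adding CVE-2017-9217.patch to PATCHES in src_prepare, but it is worth fixing while the file is being copied forward.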