[gentoo-commits] proj/hardened-dev:musl commit in: sys-apps/iproute2/, sys-apps/iproute2/files/

[gentoo-commits] proj/hardened-dev:musl commit in: sys-apps/iproute2/, sys-apps/iproute2/files/

[Anthony G. Basile]

commit:     b9660100a94d218462eddd7ee011f54b0dbec7bb
Author:     Felix Janda <felix.janda <AT> posteo <DOT> de>
AuthorDate: Sat May  2 18:26:19 2015 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sat May  2 23:42:54 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-dev.git/commit/?id=b9660100

sys-apps/iproute2: bump to 3.19.0

 .../iproute2/files/iproute2-3.10.0-no-ipv6.patch   |  41 +++++++
 sys-apps/iproute2/files/iproute2-3.19.0-musl.patch |  22 ++++
 sys-apps/iproute2/iproute2-3.19.0-r99.ebuild       | 126 +++++++++++++++++++++
 3 files changed, 189 insertions(+)

diff --git a/sys-apps/iproute2/files/iproute2-3.10.0-no-ipv6.patch b/sys-apps/iproute2/files/iproute2-3.10.0-no-ipv6.patch
new file mode 100644
index 0000000..86d80d2
--- /dev/null
+++ b/sys-apps/iproute2/files/iproute2-3.10.0-no-ipv6.patch
@@ -0,0 +1,41 @@
+https://bugs.gentoo.org/326849
+
+allow ipv6 to be disabled
+
+--- a/ip/iptunnel.c
++++ b/ip/iptunnel.c
+@@ -629,13 +629,6 @@ int do_iptunnel(int argc, char **argv)
+ 		break;
+ 	case AF_INET:
+ 		break;
+-	/*
+-	 * This is silly enough but we have no easy way to make it
+-	 * protocol-independent because of unarranged structure between
+-	 * IPv4 and IPv6.
+-	 */
+-	case AF_INET6:
+-		return do_ip6tunnel(argc, argv);
+ 	default:
+ 		fprintf(stderr, "Unsupported protocol family: %d\n", preferred_family);
+ 		exit(-1);
+--- a/ip/Makefile
++++ b/ip/Makefile
+@@ -1,6 +1,6 @@
+ IPOBJ=ip.o ipaddress.o ipaddrlabel.o iproute.o iprule.o ipnetns.o \
+-    rtm_map.o iptunnel.o ip6tunnel.o tunnel.o ipneigh.o ipntable.o iplink.o \
+-    ipmaddr.o ipmonitor.o ipmroute.o ipprefix.o iptuntap.o iptoken.o \
++    rtm_map.o iptunnel.o tunnel.o ipneigh.o ipntable.o iplink.o \
++    ipmaddr.o ipmonitor.o ipmroute.o iptuntap.o iptoken.o \
+     ipxfrm.o xfrm_state.o xfrm_policy.o xfrm_monitor.o \
+     iplink_vlan.o link_veth.o link_gre.o iplink_can.o \
+     iplink_macvlan.o iplink_macvtap.o ipl2tp.o link_vti.o \
+--- a/ip/ipmonitor.c
++++ b/ip/ipmonitor.c
+@@ -96,7 +96,6 @@ static int accept_msg(const struct socka
+ 	if (n->nlmsg_type == RTM_NEWPREFIX) {
+ 		if (prefix_banner)
+ 			fprintf(fp, "[PREFIX]");
+-		print_prefix(who, n, arg);
+ 		return 0;
+ 	}
+ 	if (n->nlmsg_type == RTM_NEWRULE || n->nlmsg_type == RTM_DELRULE) {

diff --git a/sys-apps/iproute2/files/iproute2-3.19.0-musl.patch b/sys-apps/iproute2/files/iproute2-3.19.0-musl.patch
new file mode 100644
index 0000000..6ebc808
--- /dev/null
+++ b/sys-apps/iproute2/files/iproute2-3.19.0-musl.patch
@@ -0,0 +1,22 @@
+diff -ur a/iproute2-3.19.0/include/linux/if_bridge.h b/iproute2-3.19.0/include/linux/if_bridge.h
+--- a/iproute2-3.19.0/include/linux/if_bridge.h	2015-02-11 01:14:32.000000000 -0200
++++ b/iproute2-3.19.0/include/linux/if_bridge.h	2015-04-25 21:39:38.130830774 -0200
+@@ -15,7 +15,6 @@
+ 
+ #include <linux/types.h>
+ #include <linux/if_ether.h>
+-#include <linux/in6.h>
+ 
+ #define SYSFS_BRIDGE_ATTR	"bridge"
+ #define SYSFS_BRIDGE_FDB	"brforward"
+diff -ur a/iproute2-3.19.0/lib/namespace.c b/iproute2-3.19.0/lib/namespace.c
+--- a/iproute2-3.19.0/lib/namespace.c	2015-02-11 01:14:32.000000000 -0200
++++ b/iproute2-3.19.0/lib/namespace.c	2015-04-25 21:39:01.273291557 -0200
+@@ -9,6 +9,7 @@
+ 
+ #include <fcntl.h>
+ #include <dirent.h>
++#include <sys/param.h>
+ 
+ #include "utils.h"
+ #include "namespace.h"

diff --git a/sys-apps/iproute2/iproute2-3.19.0-r99.ebuild b/sys-apps/iproute2/iproute2-3.19.0-r99.ebuild
new file mode 100644
index 0000000..63bccbd
--- /dev/null
+++ b/sys-apps/iproute2/iproute2-3.19.0-r99.ebuild
@@ -0,0 +1,126 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/iproute2/iproute2-3.19.0.ebuild,v 1.5 2015/04/25 12:36:09 zlogene Exp $
+
+EAPI="5"
+
+inherit eutils toolchain-funcs flag-o-matic multilib
+
+if [[ ${PV} == "9999" ]] ; then
+	EGIT_REPO_URI="git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git"
+	inherit git-2
+else
+	SRC_URI="mirror://kernel/linux/utils/net/${PN}/${P}.tar.xz"
+	KEYWORDS="amd64 ~arm ~mips ~ppc x86"
+fi
+
+DESCRIPTION="kernel routing and traffic control utilities"
+HOMEPAGE="http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2"
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="atm berkdb +iptables ipv6 minimal selinux"
+
+RDEPEND="!net-misc/arpd
+	iptables? ( >=net-firewall/iptables-1.4.20:= )
+	!minimal? ( berkdb? ( sys-libs/db ) )
+	atm? ( net-dialup/linux-atm )
+	selinux? ( sys-libs/libselinux )"
+DEPEND="${RDEPEND}
+	app-arch/xz-utils
+	iptables? ( virtual/pkgconfig )
+	sys-devel/bison
+	sys-devel/flex
+	>=sys-kernel/linux-headers-2.6.27
+	elibc_glibc? ( >=sys-libs/glibc-2.7 )"
+
+src_prepare() {
+	epatch "${FILESDIR}"/${PN}-3.1.0-mtu.patch #291907
+	use ipv6 || epatch "${FILESDIR}"/${PN}-3.10.0-no-ipv6.patch #326849
+
+	epatch "${FILESDIR}"/${PN}-3.19.0-musl.patch
+
+	sed -i \
+		-e '/^CC =/d' \
+		-e "/^LIBDIR/s:=.*:=/$(get_libdir):" \
+		-e "s:-O2:${CFLAGS} ${CPPFLAGS}:" \
+		-e "/^HOSTCC/s:=.*:= $(tc-getBUILD_CC):" \
+		-e "/^WFLAGS/s:-Werror::" \
+		-e "/^DBM_INCLUDE/s:=.*:=${T}:" \
+		Makefile || die
+
+	# Use /run instead of /var/run.
+	sed -i \
+		-e 's:/var/run:/run:g' \
+		ip/ipnetns.c \
+		man/man8/ip-netns.8 || die
+
+	# build against system headers
+	rm -r include/netinet #include/linux include/ip{,6}tables{,_common}.h include/libiptc
+	sed -i 's:TCPI_OPT_ECN_SEEN:16:' misc/ss.c || die
+
+	# don't build arpd if USE=-berkdb #81660
+	use berkdb || sed -i '/^TARGETS=/s: arpd : :' misc/Makefile
+
+	use minimal && sed -i -e '/^SUBDIRS=/s:=.*:=lib tc:' Makefile
+}
+
+src_configure() {
+	tc-export AR CC PKG_CONFIG
+
+	# This sure is ugly.  Should probably move into toolchain-funcs at some point.
+	local setns
+	pushd "${T}" >/dev/null
+	echo 'main(){return setns();};' > test.c
+	${CC} ${CFLAGS} ${LDFLAGS} test.c >&/dev/null && setns=y || setns=n
+	echo 'main(){};' > test.c
+	${CC} ${CFLAGS} ${LDFLAGS} test.c -lresolv >&/dev/null || sed -i '/^LDLIBS/s:-lresolv::' "${S}"/Makefile
+	popd >/dev/null
+
+	cat <<-EOF > Config
+	TC_CONFIG_ATM := $(usex atm y n)
+	TC_CONFIG_XT  := $(usex iptables y n)
+	HAVE_SELINUX  := $(usex selinux y n)
+	IP_CONFIG_SETNS := ${setns}
+	# Use correct iptables dir, #144265 #293709
+	IPT_LIB_DIR := $(use iptables && ${PKG_CONFIG} xtables --variable=xtlibdir)
+	EOF
+}
+
+src_install() {
+	if use minimal ; then
+		into /
+		dosbin tc/tc
+		return 0
+	fi
+
+	emake \
+		DESTDIR="${D}" \
+		LIBDIR="${EPREFIX}"/$(get_libdir) \
+		SBINDIR="${EPREFIX}"/sbin \
+		CONFDIR="${EPREFIX}"/etc/iproute2 \
+		DOCDIR="${EPREFIX}"/usr/share/doc/${PF} \
+		MANDIR="${EPREFIX}"/usr/share/man \
+		ARPDDIR="${EPREFIX}"/var/lib/arpd \
+		install
+
+	rm "${ED}"/usr/share/doc/${PF}/*.{sgml,tex} || die #455988
+
+	dodir /bin
+	mv "${ED}"/{s,}bin/ip || die #330115
+
+	dolib.a lib/libnetlink.a
+	insinto /usr/include
+	doins include/libnetlink.h
+	# This local header pulls in a lot of linux headers it
+	# doesn't directly need.  Delete this header that requires
+	# linux-headers-3.8 until that goes stable.  #467716
+	sed -i '/linux\/netconf.h/d' "${ED}"/usr/include/libnetlink.h || die
+
+	if use berkdb ; then
+		dodir /var/lib/arpd
+		# bug 47482, arpd doesn't need to be in /sbin
+		dodir /usr/bin
+		mv "${ED}"/sbin/arpd "${ED}"/usr/bin/ || die
+	fi
+}

[gentoo-commits] proj/hardened-dev:musl commit in: sys-apps/iproute2/, sys-apps/iproute2/files/

[Anthony G. Basile]

commit:     4d631c77987ca3619e81c2f7311a33f2e252d030
Author:     Hinnerk van Bruinehsen <h.v.bruinehsen <AT> fu-berlin <DOT> de>
AuthorDate: Mon May 18 23:53:17 2015 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Tue May 19 21:44:46 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-dev.git/commit/?id=4d631c77

=sys-apps/iproute2-4.0.0: fix build with musl

 .../files/iproute2-4.0.0-fix-build-with-musl.patch |  24 ++++
 .../iproute2-4.0.0-tc-show-buffer-overflow.patch   |  62 ++++++++++
 sys-apps/iproute2/iproute2-4.0.0-r99.ebuild        | 126 +++++++++++++++++++++
 3 files changed, 212 insertions(+)

diff --git a/sys-apps/iproute2/files/iproute2-4.0.0-fix-build-with-musl.patch b/sys-apps/iproute2/files/iproute2-4.0.0-fix-build-with-musl.patch
new file mode 100644
index 0000000..5281be3
--- /dev/null
+++ b/sys-apps/iproute2/files/iproute2-4.0.0-fix-build-with-musl.patch
@@ -0,0 +1,24 @@
+diff --git a/include/linux/if_bridge.h b/include/linux/if_bridge.h
+index 913bd8e..260d1e0 100644
+--- a/include/linux/if_bridge.h
++++ b/include/linux/if_bridge.h
+@@ -15,7 +15,6 @@
+ 
+ #include <linux/types.h>
+ #include <linux/if_ether.h>
+-#include <linux/in6.h>
+ 
+ #define SYSFS_BRIDGE_ATTR	"bridge"
+ #define SYSFS_BRIDGE_FDB	"brforward"
+diff --git a/lib/namespace.c b/lib/namespace.c
+index c03a103..f121eaa 100644
+--- a/lib/namespace.c
++++ b/lib/namespace.c
+@@ -9,6 +9,7 @@
+ 
+ #include <fcntl.h>
+ #include <dirent.h>
++#include <sys/param.h>
+ 
+ #include "utils.h"
+ #include "namespace.h"

diff --git a/sys-apps/iproute2/files/iproute2-4.0.0-tc-show-buffer-overflow.patch b/sys-apps/iproute2/files/iproute2-4.0.0-tc-show-buffer-overflow.patch
new file mode 100644
index 0000000..6c6c9a5
--- /dev/null
+++ b/sys-apps/iproute2/files/iproute2-4.0.0-tc-show-buffer-overflow.patch
@@ -0,0 +1,62 @@
+https://bugs.gentoo.org/546928
+
+From 46679bbbe89699016d31486de7599590d02a5054 Mon Sep 17 00:00:00 2001
+From: Vadim Kochan <vadim4j@gmail.com>
+Date: Mon, 20 Apr 2015 08:33:32 +0300
+Subject: [PATCH] tc util: Fix possible buffer overflow when print class id
+
+Use correct handle buffer length.
+
+Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
+---
+ tc/tc_util.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/tc/tc_util.c b/tc/tc_util.c
+index 1d3153d..dc2b70f 100644
+--- a/tc/tc_util.c
++++ b/tc/tc_util.c
+@@ -128,30 +128,31 @@ ok:
+ 	return 0;
+ }
+ 
+-int print_tc_classid(char *buf, int len, __u32 h)
++int print_tc_classid(char *buf, int blen, __u32 h)
+ {
+-	char handle[40] = {};
++	SPRINT_BUF(handle) = {};
++	int hlen = SPRINT_BSIZE - 1;
+ 
+ 	if (h == TC_H_ROOT)
+ 		sprintf(handle, "root");
+ 	else if (h == TC_H_UNSPEC)
+-		snprintf(handle, len, "none");
++		snprintf(handle, hlen, "none");
+ 	else if (TC_H_MAJ(h) == 0)
+-		snprintf(handle, len, ":%x", TC_H_MIN(h));
++		snprintf(handle, hlen, ":%x", TC_H_MIN(h));
+ 	else if (TC_H_MIN(h) == 0)
+-		snprintf(handle, len, "%x:", TC_H_MAJ(h) >> 16);
++		snprintf(handle, hlen, "%x:", TC_H_MAJ(h) >> 16);
+ 	else
+-		snprintf(handle, len, "%x:%x", TC_H_MAJ(h) >> 16, TC_H_MIN(h));
++		snprintf(handle, hlen, "%x:%x", TC_H_MAJ(h) >> 16, TC_H_MIN(h));
+ 
+ 	if (use_names) {
+ 		char clname[IDNAME_MAX] = {};
+ 
+ 		if (id_to_name(cls_names, h, clname))
+-			snprintf(buf, len, "%s#%s", clname, handle);
++			snprintf(buf, blen, "%s#%s", clname, handle);
+ 		else
+-			snprintf(buf, len, "%s", handle);
++			snprintf(buf, blen, "%s", handle);
+ 	} else {
+-		snprintf(buf, len, "%s", handle);
++		snprintf(buf, blen, "%s", handle);
+ 	}
+ 
+ 	return 0;
+-- 
+2.3.5
+

diff --git a/sys-apps/iproute2/iproute2-4.0.0-r99.ebuild b/sys-apps/iproute2/iproute2-4.0.0-r99.ebuild
new file mode 100644
index 0000000..0ee21b5
--- /dev/null
+++ b/sys-apps/iproute2/iproute2-4.0.0-r99.ebuild
@@ -0,0 +1,126 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/iproute2/iproute2-4.0.0-r1.ebuild,v 1.1 2015/04/20 20:51:18 vapier Exp $
+
+EAPI="5"
+
+inherit eutils toolchain-funcs flag-o-matic multilib
+
+if [[ ${PV} == "9999" ]] ; then
+	EGIT_REPO_URI="git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git"
+	inherit git-2
+else
+	SRC_URI="mirror://kernel/linux/utils/net/${PN}/${P}.tar.xz"
+	KEYWORDS="amd64 ~arm ~mips ~ppc x86"
+fi
+
+DESCRIPTION="kernel routing and traffic control utilities"
+HOMEPAGE="http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2"
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="atm berkdb +iptables ipv6 minimal selinux"
+
+RDEPEND="!net-misc/arpd
+	iptables? ( >=net-firewall/iptables-1.4.20:= )
+	!minimal? ( berkdb? ( sys-libs/db:= ) )
+	atm? ( net-dialup/linux-atm )
+	selinux? ( sys-libs/libselinux )"
+DEPEND="${RDEPEND}
+	app-arch/xz-utils
+	iptables? ( virtual/pkgconfig )
+	sys-devel/bison
+	sys-devel/flex
+	>=sys-kernel/linux-headers-2.6.27
+	elibc_glibc? ( >=sys-libs/glibc-2.7 )"
+
+src_prepare() {
+	epatch "${FILESDIR}"/${PN}-3.1.0-mtu.patch #291907
+	epatch "${FILESDIR}"/${P}-tc-show-buffer-overflow.patch #546928
+	use ipv6 || epatch "${FILESDIR}"/${PN}-3.10.0-no-ipv6.patch #326849
+	epatch "${FILESDIR}"/${PN}-4.0.0-fix-build-with-musl.patch
+
+	sed -i \
+		-e '/^CC =/d' \
+		-e "/^LIBDIR/s:=.*:=/$(get_libdir):" \
+		-e "s:-O2:${CFLAGS} ${CPPFLAGS}:" \
+		-e "/^HOSTCC/s:=.*:= $(tc-getBUILD_CC):" \
+		-e "/^WFLAGS/s:-Werror::" \
+		-e "/^DBM_INCLUDE/s:=.*:=${T}:" \
+		Makefile || die
+
+	# Use /run instead of /var/run.
+	sed -i \
+		-e 's:/var/run:/run:g' \
+		ip/ipnetns.c \
+		man/man8/ip-netns.8 || die
+
+	# build against system headers
+	rm -r include/netinet #include/linux include/ip{,6}tables{,_common}.h include/libiptc
+	sed -i 's:TCPI_OPT_ECN_SEEN:16:' misc/ss.c || die
+
+	# don't build arpd if USE=-berkdb #81660
+	use berkdb || sed -i '/^TARGETS=/s: arpd : :' misc/Makefile
+
+	use minimal && sed -i -e '/^SUBDIRS=/s:=.*:=lib tc:' Makefile
+}
+
+src_configure() {
+	tc-export AR CC PKG_CONFIG
+
+	# This sure is ugly.  Should probably move into toolchain-funcs at some point.
+	local setns
+	pushd "${T}" >/dev/null
+	echo 'main(){return setns();};' > test.c
+	${CC} ${CFLAGS} ${LDFLAGS} test.c >&/dev/null && setns=y || setns=n
+	echo 'main(){};' > test.c
+	${CC} ${CFLAGS} ${LDFLAGS} test.c -lresolv >&/dev/null || sed -i '/^LDLIBS/s:-lresolv::' "${S}"/Makefile
+	popd >/dev/null
+
+	cat <<-EOF > Config
+	TC_CONFIG_ATM := $(usex atm y n)
+	TC_CONFIG_XT  := $(usex iptables y n)
+	HAVE_SELINUX  := $(usex selinux y n)
+	IP_CONFIG_SETNS := ${setns}
+	# Use correct iptables dir, #144265 #293709
+	IPT_LIB_DIR := $(use iptables && ${PKG_CONFIG} xtables --variable=xtlibdir)
+	EOF
+}
+
+src_install() {
+	if use minimal ; then
+		into /
+		dosbin tc/tc
+		return 0
+	fi
+
+	emake \
+		DESTDIR="${D}" \
+		LIBDIR="${EPREFIX}"/$(get_libdir) \
+		SBINDIR="${EPREFIX}"/sbin \
+		CONFDIR="${EPREFIX}"/etc/iproute2 \
+		DOCDIR="${EPREFIX}"/usr/share/doc/${PF} \
+		MANDIR="${EPREFIX}"/usr/share/man \
+		ARPDDIR="${EPREFIX}"/var/lib/arpd \
+		install
+
+	rm "${ED}"/usr/share/doc/${PF}/*.{sgml,tex} || die #455988
+
+	dodir /bin
+	mv "${ED}"/{s,}bin/ip || die #330115
+
+	dolib.a lib/libnetlink.a
+	insinto /usr/include
+	doins include/libnetlink.h
+	# This local header pulls in a lot of linux headers it
+	# doesn't directly need.  Delete this header that requires
+	# linux-headers-3.8 until that goes stable.  #467716
+	sed -i '/linux\/netconf.h/d' "${ED}"/usr/include/libnetlink.h || die
+
+	if use berkdb ; then
+		dodir /var/lib/arpd
+		# bug 47482, arpd doesn't need to be in /sbin
+		dodir /usr/bin
+		mv "${ED}"/sbin/arpd "${ED}"/usr/bin/ || die
+	fi
+}