[gentoo-commits] repo/gentoo:master commit in: net-misc/omniORB/, net-misc/omniORB/files/

[gentoo-commits] repo/gentoo:master commit in: net-misc/omniORB/, net-misc/omniORB/files/

[Michael Orlitzky]

commit:     dd5396cb80f0b3434113092cf76472775c7b2905
Author:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
AuthorDate: Tue Aug 16 13:44:11 2016 +0000
Commit:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
CommitDate: Tue Aug 16 19:03:52 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd5396cb

net-misc/omniORB: new version using EAPI=6 and a few ebuild fixes.

There has been a new version of this maintainer-needed package
available for a while, and a user requested a version bump, so I've
updated to the latest available stable release (bug 560680). In doing
so, I added the missing PYTHON_DEPS and PYTHON_REQUIRED_USE from the
python-single-r1 eclass (bug 547660). I also patched the build system
to use a umask of 022 instead of 002 when creating directories, to fix
compilation on systems with TPE (bug 576040).

For the new version, the ebuild was updated to use EAPI=6. Some
patches were dropped, as the fixes were merged upstream. IPv6 support
was added with a straightforward $(use_with ipv6) call. Some errors
were clarified, and some quoting adjusted -- minor housekeeping.

Gentoo-Bug: 547660
Gentoo-Bug: 560680
Gentoo-Bug: 576040

Package-Manager: portage-2.2.28

 net-misc/omniORB/Manifest                          |   1 +
 ...-umask-from-002-to-022-in-CreateDir-macro.patch |  58 ++++++++++++
 net-misc/omniORB/omniORB-4.2.1_p2.ebuild           | 104 +++++++++++++++++++++
 3 files changed, 163 insertions(+)

diff --git a/net-misc/omniORB/Manifest b/net-misc/omniORB/Manifest
index baac7e5..d32fbfd 100644
--- a/net-misc/omniORB/Manifest
+++ b/net-misc/omniORB/Manifest
@@ -1 +1,2 @@
 DIST omniORB-4.1.4.tar.gz 3093814 SHA256 84fb9790c25d6e46248c9773747e393b429573190da2150850d4a49debda4e8e SHA512 0ed989dd9a8c024a575ebbe1def137d11c4e52297727883d26cb1fdc87d2965e6d0152ee4b7b90097f2d97eb22501bb968eff0d070e88f80a9fef6b7439e1a1c WHIRLPOOL 16b12ade124e62b57d8401c73975a4a0861166f080b0f735e7ad363dca1a7387d807e5c8bf4ae9b90b70f41a03e9811109bcb917e78b833578e891b78c9da55f
+DIST omniORB-4.2.1-2.tar.bz2 2663504 SHA256 9b638c7047a05551c42fe13901194e63b58750d4124654bfa26203d09cb5072d SHA512 574bbc66f9eee87f06500c798e034a289e6104b3a921c8e956231c5c042a3306016b2aa69699eadef25edb97bed7580f7f27beec3893582a1ba16bb01f934fd6 WHIRLPOOL fc85c5e9a328ce64bcf97c66a7710b272196659360d60d575bc89af308f96de7fec490bf52e6e6d7b221e5ce6577b77caef8b333fef31b000dba4dd7833e00ec

diff --git a/net-misc/omniORB/files/change-umask-from-002-to-022-in-CreateDir-macro.patch b/net-misc/omniORB/files/change-umask-from-002-to-022-in-CreateDir-macro.patch
new file mode 100644
index 0000000..2aaab59
--- /dev/null
+++ b/net-misc/omniORB/files/change-umask-from-002-to-022-in-CreateDir-macro.patch
@@ -0,0 +1,58 @@
+From 2a0ea5621ef7cd9303e49657166dfd04ffa624d7 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Tue, 16 Aug 2016 13:55:08 -0400
+Subject: [PATCH 1/1] mk: Change umask from 002 to 022 in the CreateDir macro.
+
+The build system has a macro called CreateDir that does more or less
+what you'd expect. But before it creates the directory given to it, it
+sets the umask to 002. This can be a vulnerability, since we don't
+know who the end user will be building the software as; there may be
+untrusted people in his default group. In that case, one of those
+people can overwrite the scripts in the directory created by CreateDir
+before the user executes them.
+
+There is a kernel-level workaround for these types of vulnerabilities
+in the Grsecurity project called Trusted Path Execution (TPE). When
+enabled, users are not allowed to execute files in directories not
+owned by themselves or root. When that restriction is enabled, omniORB
+fails to build (due to the aforementioned umask).
+
+This commit changes the umask to 022 in CreateDir. This should not
+cause any problems (ha ha), and is safer than the previous umask of
+002. It also fixes the build on systems where TPE is enabled.
+
+Gentoo-Bug: 576040
+---
+ mk/beforeauto.mk.in | 2 +-
+ mk/beforedir.mk     | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mk/beforeauto.mk.in b/mk/beforeauto.mk.in
+index 83d544c..9f65c69 100644
+--- a/mk/beforeauto.mk.in
++++ b/mk/beforeauto.mk.in
+@@ -167,7 +167,7 @@ unexport SUBDIRS
+ 
+ define CreateDir
+ if [ ! -d $$dir ]; then \
+-   (umask 002; set -x; $(MKDIRHIER) $$dir); \
++   (umask 022; set -x; $(MKDIRHIER) $$dir); \
+ fi
+ endef
+ 
+diff --git a/mk/beforedir.mk b/mk/beforedir.mk
+index f804ed3..855bc4d 100644
+--- a/mk/beforedir.mk
++++ b/mk/beforedir.mk
+@@ -187,7 +187,7 @@ unexport SUBDIRS
+ 
+ define CreateDir
+ if [ ! -d $$dir ]; then \
+-   (umask 002; set -x; $(MKDIRHIER) $$dir); \
++   (umask 022; set -x; $(MKDIRHIER) $$dir); \
+ fi
+ endef
+ 
+-- 
+2.7.3
+

diff --git a/net-misc/omniORB/omniORB-4.2.1_p2.ebuild b/net-misc/omniORB/omniORB-4.2.1_p2.ebuild
new file mode 100644
index 0000000..bf7babc
--- /dev/null
+++ b/net-misc/omniORB/omniORB-4.2.1_p2.ebuild
@@ -0,0 +1,104 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+# The build system picks one version of python and sticks with it. It
+# tries to guess your version (based on /usr/bin/python), but for
+# consistency we have to force it to use one that we specify. The
+# highest version the configure script will accept is python-3.3, but
+# that's on it's way out, so we prefer to stick with python-2.7 for now.
+PYTHON_COMPAT=( python2_7 )
+inherit python-single-r1
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+
+MY_P="${P/_p/-}"
+DESCRIPTION="A robust, high-performance CORBA 2 ORB"
+HOMEPAGE="http://omniorb.sourceforge.net/"
+SRC_URI="mirror://sourceforge/omniorb/${MY_P}.tar.bz2"
+
+LICENSE="LGPL-2 GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~ppc64 ~sparc ~x86"
+IUSE="doc ipv6 ssl"
+
+RDEPEND="${PYTHON_DEPS}
+	ssl? ( dev-libs/openssl:0= )"
+DEPEND="${RDEPEND}"
+
+S="${WORKDIR}/${PN}-${PV/_p2/}"
+
+PATCHES=(
+	"${FILESDIR}/omniORB-4.1.4-format-security.patch"
+	"${FILESDIR}/change-umask-from-002-to-022-in-CreateDir-macro.patch"
+)
+
+src_prepare() {
+	default
+
+	# The OPTC(XX)FLAGS variables aren't present in these files, but we
+	# will set them when we call emake.
+	sed \
+		-e 's/^CXXDEBUGFLAGS.*/CXXDEBUGFLAGS = $(OPTCXXFLAGS)/' \
+		-e 's/^CDEBUGFLAGS.*/CDEBUGFLAGS = $(OPTCFLAGS)/' \
+		-i mk/beforeauto.mk.in mk/platforms/i586_linux_2.0*.mk || \
+		die 'failed to switch CFLAGS variables in the makefile includes'
+
+	# The out-of-source build is suggested by upstream.
+	mkdir build || die 'failed to create build directory'
+}
+
+src_configure() {
+	cd build || die 'failed to change into the build directory'
+
+	ECONF_SOURCE=".." econf \
+				--disable-static \
+				--with-omniORB-config=/etc/omniorb/omniORB.cfg \
+				--with-omniNames-logdir=/var/log/omniORB \
+				--libdir="/usr/$(get_libdir)" \
+				$(use_enable ipv6) \
+				$(use_with ssl openssl "/usr")
+}
+
+src_compile() {
+	cd build || die 'failed to change into the build directory'
+	emake OPTCFLAGS="${CFLAGS}" OPTCXXFLAGS="${CXXFLAGS}"
+}
+
+src_install() {
+	cd build || die 'failed to change into the build directory'
+	default
+
+	rm "${ED}/usr/bin/omniidlrun.py" || \
+		die 'failed to remove redundant omniidlrun.py'
+
+	cd "${S}" || die "failed to change into the ${S} directory"
+
+	dodoc CREDITS doc/*.html ReleaseNotes.txt update.log
+	dodoc -r doc/omniORB
+
+	if use doc; then
+		dodoc doc/*.pdf
+	fi
+
+	cat <<- EOF > "${T}/90omniORB"
+		PATH="/usr/share/omniORB/bin/scripts"
+		OMNIORB_CONFIG="/etc/omniorb/omniORB.cfg"
+	EOF
+	doenvd "${T}/90omniORB"
+	doinitd "${FILESDIR}"/omniNames
+
+	cp "sample.cfg" "${T}/omniORB.cfg" || die
+	cat <<- EOF >> "${T}/omniORB.cfg"
+		# resolve the omniNames running on localhost
+		InitRef = NameService=corbaname::localhost
+	EOF
+	insinto /etc/omniorb
+	doins "${T}"/omniORB.cfg
+
+	keepdir /var/log/omniORB
+
+	python_optimize
+	python_fix_shebang "${ED}"/usr/bin/omniidl
+}