[gentoo-commits] repo/gentoo:master commit in: net-analyzer/suricata/

["Slawek Lis" <slis@gentoo.org>]

commit:     78745195e87a1b2b6698d6600d74da6932ebcadd
Author:     Slawomir Lis <slis <AT> gentoo <DOT> org>
AuthorDate: Tue Jan 23 09:15:07 2018 +0000
Commit:     Slawek Lis <slis <AT> gentoo <DOT> org>
CommitDate: Tue Jan 23 09:15:19 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78745195

net-analyzer/suricata: version bump to 4.0.3

This should fix security problems reported in https://bugs.gentoo.org/635662

Package-Manager: Portage-2.3.20, Repoman-2.3.6

 net-analyzer/suricata/Manifest              |   1 +
 net-analyzer/suricata/suricata-4.0.3.ebuild | 163 ++++++++++++++++++++++++++++
 2 files changed, 164 insertions(+)

diff --git a/net-analyzer/suricata/Manifest b/net-analyzer/suricata/Manifest
index dee7b9c1e63..3115c23a894 100644
--- a/net-analyzer/suricata/Manifest
+++ b/net-analyzer/suricata/Manifest
@@ -3,3 +3,4 @@ DIST suricata-3.0.1.tar.gz 3315637 BLAKE2B f92e8f4b9708b265eda2476dbedaaa3a5c417
 DIST suricata-3.1.3.tar.gz 3340627 BLAKE2B 6dff61a876591485fc32053912abfe8ec2ac23ff40ed63e4140d3c494adbf83b7310afae67f0b2c552f45c6ec9ed02db94635b3d90e4ac74e3da8de3a611f65b SHA512 d29c2c4344d52ba3d8c5ed4331a35b512e323c9a13a73e3039df6406d8c6389d05e3b311db6b561125c12dfbea67b121afbdecb7f0a5cb0594cf339b492726fb
 DIST suricata-3.2.1.tar.gz 11754332 BLAKE2B 1f72f9460c363aa86933a7105f0267d89e5b7e11db8668d30f2e84a545856cc53e4edc403f434533271697fc73d45fbd9ea2ce2cc4f07c245ba0724e3d0cae60 SHA512 6b0e5565368a085f059f62c9862364a9fcd970158b17671a25bcbed9b3ef8fcf857b1760a6d186ebe3227dde45070bc69a8b0d0bfd341f39a4d42ef93d12f290
 DIST suricata-3.2.tar.gz 11732080 BLAKE2B e5315edc7fb42792f165ebc6b43b3bef8ca8151857305adb6ac1cd2bbf93f5f679ac9762ac48836bf94dfdfc820e4dc7fdcaa73a2b609e3128524f39cd24c741 SHA512 327f5a62449af44f6cb95220e1ff9bf61b51db7bd25f2b1e8def3e8650ba754304cf9d02fc30b46b6cbaa6b5f94fa3d4be90edb8a293ff3b6c0927b596a2976e
+DIST suricata-4.0.3.tar.gz 12392388 BLAKE2B 9b6338b343ff85f070d61608ff9dc7f25df868fdffbc13b5a8d245cb3db5cd757cb1785c827c388653b2f8a7977129259671900bc1abfebeb878a668b4058bdf SHA512 aa6b6d1ae86efad0184ba4fa06375f34334e07c22b7b1f82bf17fcb0ae48ad7f867bced57ab4f713de01583965e1260cb82e1355f78002071b689dddd3b53892

diff --git a/net-analyzer/suricata/suricata-4.0.3.ebuild b/net-analyzer/suricata/suricata-4.0.3.ebuild
new file mode 100644
index 00000000000..604eae665be
--- /dev/null
+++ b/net-analyzer/suricata/suricata-4.0.3.ebuild
@@ -0,0 +1,163 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+
+inherit autotools eutils user
+
+DESCRIPTION="High performance Network IDS, IPS and Network Security Monitoring engine"
+HOMEPAGE="http://suricata-ids.org/"
+SRC_URI="http://www.openinfosecfoundation.org/download/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="+af-packet control-socket cuda debug +detection geoip hardened logrotate lua luajit nflog +nfqueue redis +rules test"
+
+REQUIRED_USE="lua? ( !luajit )"
+
+DEPEND="
+	>=dev-libs/jansson-2.2
+	dev-libs/libpcre
+	dev-libs/libyaml
+	net-libs/libnet:*
+	net-libs/libnfnetlink
+	dev-libs/nspr
+	dev-libs/nss
+	>=net-libs/libhtp-0.5.20
+	net-libs/libpcap
+	sys-apps/file
+	cuda?       ( dev-util/nvidia-cuda-toolkit )
+	geoip?      ( dev-libs/geoip )
+	lua?        ( dev-lang/lua:* )
+	luajit?     ( dev-lang/luajit:* )
+	nflog?      ( net-libs/libnetfilter_log )
+	nfqueue?    ( net-libs/libnetfilter_queue )
+	redis?      ( dev-libs/hiredis )
+	logrotate?      ( app-admin/logrotate )
+	sys-libs/libcap-ng
+"
+# #446814
+#	prelude?    ( dev-libs/libprelude )
+#	pfring?     ( sys-process/numactl net-libs/pf_ring)
+RDEPEND="${DEPEND}"
+
+pkg_setup() {
+	enewgroup ${PN}
+	enewuser ${PN} -1 -1 /var/lib/${PN} "${PN}"
+}
+
+src_prepare() {
+	eautoreconf
+}
+
+src_configure() {
+	local myeconfargs=(
+		"--localstatedir=/var/" \
+		"--enable-non-bundled-htp" \
+		$(use_enable af-packet) \
+		$(use_enable detection) \
+		$(use_enable nfqueue) \
+		$(use_enable test coccinelle) \
+		$(use_enable test unittests) \
+		$(use_enable control-socket unix-socket)
+	)
+
+	if use cuda ; then
+		myeconfargs+=( $(use_enable cuda) )
+	fi
+	if use geoip ; then
+		myeconfargs+=( $(use_enable geoip) )
+	fi
+	if use hardened ; then
+		myeconfargs+=( $(use_enable hardened gccprotect) )
+	fi
+	if use nflog ; then
+		myeconfargs+=( $(use_enable nflog) )
+	fi
+	if use redis ; then
+		myeconfargs+=( $(use_enable redis hiredis) )
+	fi
+	# not supported yet (no pfring in portage)
+# 	if use pfring ; then
+# 		myeconfargs+=( $(use_enable pfring) )
+# 	fi
+	# no libprelude in portage
+# 	if use prelude ; then
+# 		myeconfargs+=( $(use_enable prelude) )
+# 	fi
+	if use lua ; then
+		myeconfargs+=( $(use_enable lua) )
+	fi
+	if use luajit ; then
+		myeconfargs+=( $(use_enable luajit) )
+	fi
+
+# this should be used when pf_ring use flag support will be added
+# 	LIBS+="-lrt -lnuma"
+
+	# avoid upstream configure script trying to add -march=native to CFLAGS
+	myeconfargs+=( --enable-gccmarch-native=no )
+
+	if use debug ; then
+		myeconfargs+=( $(use_enable debug) )
+		# so we can get a backtrace according to "reporting bugs" on upstream web site
+		CFLAGS="-ggdb -O0" econf LIBS="${LIBS}" ${myeconfargs[@]}
+	else
+		econf LIBS="${LIBS}" ${myeconfargs[@]}
+	fi
+}
+
+src_install() {
+	emake DESTDIR="${D}" install
+
+	insinto "/etc/${PN}"
+	doins {classification,reference,threshold}.config suricata.yaml
+
+	if use rules ; then
+		insinto "/etc/${PN}/rules"
+		doins rules/*.rules
+	fi
+
+	dodir "/var/lib/${PN}"
+	dodir "/var/log/${PN}"
+
+	fowners -R ${PN}: "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
+	fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
+
+	newinitd "${FILESDIR}/${P}-init" ${PN}
+	newconfd "${FILESDIR}/${P}-conf" ${PN}
+
+	if use logrotate; then
+		insopts -m0644
+		insinto /etc/logrotate.d
+		newins "${FILESDIR}"/${PN}-logrotate ${PN}
+	fi
+}
+
+pkg_postinst() {
+	elog "The ${PN} init script expects to find the path to the configuration"
+	elog "file as well as extra options in /etc/conf.d."
+	elog ""
+	elog "To create more than one ${PN} service, simply create a new .yaml file for it"
+	elog "then create a symlink to the init script from a link called"
+	elog "${PN}.foo - like so"
+	elog "   cd /etc/${PN}"
+	elog "   ${EDITOR##*/} suricata-foo.yaml"
+	elog "   cd /etc/init.d"
+	elog "   ln -s ${PN} ${PN}.foo"
+	elog "Then edit /etc/conf.d/${PN} and make sure you specify sensible options for foo."
+	elog ""
+	elog "You can create as many ${PN}.foo* services as you wish."
+
+	if use logrotate; then
+		elog "You enabled the logrotate USE flag. Please make sure you correctly set up the ${PN} logrotate config file in /etc/logrotate.d/."
+	fi
+
+	if use debug; then
+		elog "You enabled the debug USE flag. Please read this link to report bugs upstream:"
+		elog "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs"
+		elog "You need to also ensure the FEATURES variable in make.conf contains the"
+		elog "'nostrip' option to produce useful core dumps or back traces."
+	fi
+}