From: "Mike Gilbert" <floppym@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-apps/systemd/files/, sys-apps/systemd/
Date: Tue, 3 Sep 2019 15:27:33 +0000 (UTC) [thread overview]
Message-ID: <1567524402.5d54665bac2e0881b4d22cf48632fd0412623565.floppym@gentoo> (raw)
commit: 5d54665bac2e0881b4d22cf48632fd0412623565
Author: Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Tue Sep 3 15:26:42 2019 +0000
Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Tue Sep 3 15:26:42 2019 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d54665b
sys-apps/systemd: add patch for CVE-2019-15718
Bug: https://bugs.gentoo.org/693156
Package-Manager: Portage-2.3.73_p4, Repoman-2.3.17_p24
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
sys-apps/systemd/files/CVE-2019-15718.patch | 31 ++++++++++++++++++++
...ystemd-243_rc2.ebuild => systemd-242-r7.ebuild} | 33 ++++++++++++++++++----
...md-243_rc2.ebuild => systemd-243_rc2-r1.ebuild} | 1 +
3 files changed, 59 insertions(+), 6 deletions(-)
diff --git a/sys-apps/systemd/files/CVE-2019-15718.patch b/sys-apps/systemd/files/CVE-2019-15718.patch
new file mode 100644
index 00000000000..8186f7096f8
--- /dev/null
+++ b/sys-apps/systemd/files/CVE-2019-15718.patch
@@ -0,0 +1,31 @@
+From 35e528018f315798d3bffcb592b32a0d8f5162bd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 27 Aug 2019 19:00:34 +0200
+Subject: [PATCH] shared/but-util: drop trusted annotation from
+ bus_open_system_watch_bind_with_description()
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1746057
+
+This only affects systemd-resolved. bus_open_system_watch_bind_with_description()
+is also used in timesyncd, but it has no methods, only read-only properties, and
+in networkd, but it annotates all methods with SD_BUS_VTABLE_UNPRIVILEGED and does
+polkit checks.
+---
+ src/shared/bus-util.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c
+index 6af115e7aa..821339d4ae 100644
+--- a/src/shared/bus-util.c
++++ b/src/shared/bus-util.c
+@@ -1705,10 +1705,6 @@ int bus_open_system_watch_bind_with_description(sd_bus **ret, const char *descri
+ if (r < 0)
+ return r;
+
+- r = sd_bus_set_trusted(bus, true);
+- if (r < 0)
+- return r;
+-
+ r = sd_bus_negotiate_creds(bus, true, SD_BUS_CREDS_UID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CAPS);
+ if (r < 0)
+ return r;
diff --git a/sys-apps/systemd/systemd-243_rc2.ebuild b/sys-apps/systemd/systemd-242-r7.ebuild
similarity index 93%
copy from sys-apps/systemd/systemd-243_rc2.ebuild
copy to sys-apps/systemd/systemd-242-r7.ebuild
index f00c416fa38..da5e7533d89 100644
--- a/sys-apps/systemd/systemd-243_rc2.ebuild
+++ b/sys-apps/systemd/systemd-242-r7.ebuild
@@ -23,7 +23,7 @@ HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd"
LICENSE="GPL-2 LGPL-2.1 MIT public-domain"
SLOT="0/2"
-IUSE="acl apparmor audit build cgroup-hybrid cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi http idn importd +kmod +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux split-usr +sysv-utils test vanilla xkb"
+IUSE="acl apparmor audit build cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi http idn importd +kmod libidn2 +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux split-usr +sysv-utils test vanilla xkb"
REQUIRED_USE="importd? ( curl gcrypt lzma )"
RESTRICT="!test? ( test )"
@@ -45,7 +45,10 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}]
>=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)]
>=net-libs/gnutls-3.1.4:0=
)
- idn? ( net-dns/libidn2:= )
+ idn? (
+ libidn2? ( net-dns/libidn2:= )
+ !libidn2? ( net-dns/libidn:= )
+ )
importd? (
app-arch/bzip2:0=
sys-libs/zlib:0=
@@ -185,6 +188,14 @@ src_prepare() {
# Add local patches here
PATCHES+=(
+ "${FILESDIR}"/242-gcc-9.patch
+ "${FILESDIR}"/242-socket-util-flush-accept.patch
+ "${FILESDIR}"/242-wireguard-listenport.patch
+ "${FILESDIR}"/242-file-max.patch
+ "${FILESDIR}"/242-rdrand-ryzen.patch
+ "${FILESDIR}"/242-networkd-ipv6-token.patch
+ "${FILESDIR}"/242-network-domains.patch
+ "${FILESDIR}"/CVE-2019-15718.patch
)
if ! use vanilla; then
@@ -244,7 +255,6 @@ multilib_src_configure() {
# no deps
-Defi=$(meson_multilib)
-Dima=true
- -Ddefault-hierarchy=$(usex cgroup-hybrid hybrid unified)
# Optional components/dependencies
-Dacl=$(meson_multilib_native_use acl)
-Dapparmor=$(meson_multilib_native_use apparmor)
@@ -257,7 +267,6 @@ multilib_src_configure() {
-Dgnu-efi=$(meson_multilib_native_use gnuefi)
-Defi-libdir="${ESYSROOT}/usr/$(get_libdir)"
-Dmicrohttpd=$(meson_multilib_native_use http)
- -Didn=$(meson_multilib_native_use idn)
-Dimportd=$(meson_multilib_native_use importd)
-Dbzip2=$(meson_multilib_native_use importd)
-Dzlib=$(meson_multilib_native_use importd)
@@ -301,6 +310,18 @@ multilib_src_configure() {
-Dvconsole=$(meson_multilib)
)
+ if multilib_is_native_abi && use idn; then
+ myconf+=(
+ -Dlibidn2=$(usex libidn2 true false)
+ -Dlibidn=$(usex libidn2 false true)
+ )
+ else
+ myconf+=(
+ -Dlibidn2=false
+ -Dlibidn=false
+ )
+ fi
+
meson_src_configure "${myconf[@]}"
}
@@ -310,7 +331,7 @@ multilib_src_compile() {
multilib_src_test() {
unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR
- meson_src_test
+ eninja test
}
multilib_src_install() {
@@ -343,7 +364,7 @@ multilib_src_install_all() {
# Preserve empty dirs in /etc & /var, bug #437008
keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d}
keepdir /etc/kernel/install.d
- keepdir /etc/systemd/{network,system,user}
+ keepdir /etc/systemd/{network,user}
keepdir /etc/udev/{hwdb.d,rules.d}
keepdir "${rootprefix}"/lib/systemd/{system-sleep,system-shutdown}
keepdir /usr/lib/{binfmt.d,modules-load.d}
diff --git a/sys-apps/systemd/systemd-243_rc2.ebuild b/sys-apps/systemd/systemd-243_rc2-r1.ebuild
similarity index 99%
rename from sys-apps/systemd/systemd-243_rc2.ebuild
rename to sys-apps/systemd/systemd-243_rc2-r1.ebuild
index f00c416fa38..56cfe509a08 100644
--- a/sys-apps/systemd/systemd-243_rc2.ebuild
+++ b/sys-apps/systemd/systemd-243_rc2-r1.ebuild
@@ -185,6 +185,7 @@ src_prepare() {
# Add local patches here
PATCHES+=(
+ "${FILESDIR}"/CVE-2019-15718.patch
)
if ! use vanilla; then
next reply other threads:[~2019-09-03 15:27 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-03 15:27 Mike Gilbert [this message]
-- strict thread matches above, loose matches on Subject: below --
2024-09-26 19:15 [gentoo-commits] repo/gentoo:master commit in: sys-apps/systemd/files/, sys-apps/systemd/ Mike Gilbert
2024-04-29 17:27 Sam James
2023-12-28 3:53 Sam James
2023-07-06 8:15 Sam James
2023-05-05 4:13 Sam James
2023-04-29 3:50 Mike Gilbert
2023-01-30 2:14 Mike Gilbert
2023-01-13 20:06 Mike Gilbert
2023-01-13 5:33 Sam James
2023-01-11 7:50 Sam James
2022-10-15 18:57 Mike Gilbert
2022-10-14 21:18 Sam James
2022-09-18 15:52 Mike Gilbert
2022-08-02 23:40 Sam James
2022-05-24 22:35 Sam James
2022-05-23 18:35 Mike Gilbert
2022-05-21 22:22 Mike Gilbert
2022-05-07 18:32 Mike Gilbert
2022-04-30 0:30 Sam James
2022-04-28 1:26 Sam James
2022-01-15 15:41 Mike Gilbert
2022-01-13 16:29 Mike Gilbert
2021-10-26 15:00 Mike Gilbert
2021-07-20 19:19 Mike Gilbert
2021-07-11 14:41 Mike Gilbert
2021-06-20 17:33 Mike Gilbert
2021-04-27 18:16 Mike Gilbert
2021-03-17 14:19 Mike Gilbert
2020-11-03 15:48 Mike Gilbert
2020-10-14 19:15 Mike Gilbert
2020-09-24 14:51 Mike Gilbert
2020-08-22 1:56 Mike Gilbert
2020-07-06 14:05 Mike Gilbert
2020-06-11 2:29 Mike Gilbert
2020-03-09 21:22 Mike Gilbert
2020-01-26 17:19 Mike Gilbert
2020-01-07 7:19 Mike Gilbert
2019-07-31 14:06 Mike Gilbert
2019-06-17 16:19 Mike Gilbert
2019-05-23 12:26 Louis Sautier
2019-05-09 13:41 Mike Gilbert
2019-05-08 17:29 Mike Gilbert
2019-04-05 20:56 Mike Gilbert
2018-10-30 14:34 Mike Gilbert
2018-09-29 15:27 Mike Gilbert
2018-03-26 21:14 Pacho Ramos
2017-12-31 1:40 Mike Gilbert
2017-12-28 16:01 Mike Gilbert
2017-10-28 18:58 Mike Gilbert
2017-10-08 17:11 Mike Gilbert
2017-09-08 21:16 Mike Gilbert
2017-08-13 23:32 Mike Gilbert
2017-07-12 20:23 Mike Gilbert
2017-06-28 17:01 Mike Gilbert
2017-03-12 17:59 Mike Gilbert
2017-01-03 18:15 Mike Gilbert
2016-12-18 23:08 Mike Gilbert
2016-04-16 20:32 Mike Gilbert
2015-12-12 15:17 Mike Gilbert
2015-11-24 16:28 Mike Gilbert
2015-10-25 9:11 Michał Górny
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1567524402.5d54665bac2e0881b4d22cf48632fd0412623565.floppym@gentoo \
--to=floppym@gentoo.org \
--cc=gentoo-commits@lists.gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox