From: "Mike Gilbert" <floppym@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-apps/systemd/files/, sys-apps/systemd/
Date: Tue,  3 Sep 2019 15:27:33 +0000 (UTC)	[thread overview]
Message-ID: <1567524402.5d54665bac2e0881b4d22cf48632fd0412623565.floppym@gentoo> (raw)

commit:     5d54665bac2e0881b4d22cf48632fd0412623565
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Tue Sep  3 15:26:42 2019 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Tue Sep  3 15:26:42 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d54665b

sys-apps/systemd: add patch for CVE-2019-15718

Bug: https://bugs.gentoo.org/693156
Package-Manager: Portage-2.3.73_p4, Repoman-2.3.17_p24
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 sys-apps/systemd/files/CVE-2019-15718.patch        | 31 ++++++++++++++++++++
 ...ystemd-243_rc2.ebuild => systemd-242-r7.ebuild} | 33 ++++++++++++++++++----
 ...md-243_rc2.ebuild => systemd-243_rc2-r1.ebuild} |  1 +
 3 files changed, 59 insertions(+), 6 deletions(-)

diff --git a/sys-apps/systemd/files/CVE-2019-15718.patch b/sys-apps/systemd/files/CVE-2019-15718.patch
new file mode 100644
index 00000000000..8186f7096f8
--- /dev/null
+++ b/sys-apps/systemd/files/CVE-2019-15718.patch
@@ -0,0 +1,31 @@
+From 35e528018f315798d3bffcb592b32a0d8f5162bd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 27 Aug 2019 19:00:34 +0200
+Subject: [PATCH] shared/but-util: drop trusted annotation from
+ bus_open_system_watch_bind_with_description()
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1746057
+
+This only affects systemd-resolved. bus_open_system_watch_bind_with_description()
+is also used in timesyncd, but it has no methods, only read-only properties, and
+in networkd, but it annotates all methods with SD_BUS_VTABLE_UNPRIVILEGED and does
+polkit checks.
+---
+ src/shared/bus-util.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c
+index 6af115e7aa..821339d4ae 100644
+--- a/src/shared/bus-util.c
++++ b/src/shared/bus-util.c
+@@ -1705,10 +1705,6 @@ int bus_open_system_watch_bind_with_description(sd_bus **ret, const char *descri
+         if (r < 0)
+                 return r;
+ 
+-        r = sd_bus_set_trusted(bus, true);
+-        if (r < 0)
+-                return r;
+-
+         r = sd_bus_negotiate_creds(bus, true, SD_BUS_CREDS_UID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CAPS);
+         if (r < 0)
+                 return r;
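Review bot: The entire fix carried here is the removal of the `sd_bus_set_trusted(bus, true)` call and its error check; the enclosing bus_open_system_watch_bind_with_description() starts and ends outside the embedded hunk, so this file alone does not show whether any caller re-applies the trusted flag on the returned bus, and that is worth confirming against the 242 and 243_rc2 sources the patch is applied to. The patch header keeps the upstream commit id in its From line, which makes provenance traceable without any extra comment in the ebuild. The embedded Subject's "but-util" is an upstream typo and has no effect on how eapply applies the patch.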

diff --git a/sys-apps/systemd/systemd-243_rc2.ebuild b/sys-apps/systemd/systemd-242-r7.ebuild
similarity index 93%
copy from sys-apps/systemd/systemd-243_rc2.ebuild
copy to sys-apps/systemd/systemd-242-r7.ebuild
index f00c416fa38..da5e7533d89 100644
--- a/sys-apps/systemd/systemd-243_rc2.ebuild
+++ b/sys-apps/systemd/systemd-242-r7.ebuild
@@ -23,7 +23,7 @@ HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd"
 
 LICENSE="GPL-2 LGPL-2.1 MIT public-domain"
 SLOT="0/2"
-IUSE="acl apparmor audit build cgroup-hybrid cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi http idn importd +kmod +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux split-usr +sysv-utils test vanilla xkb"
+IUSE="acl apparmor audit build cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi http idn importd +kmod libidn2 +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux split-usr +sysv-utils test vanilla xkb"
 
 REQUIRED_USE="importd? ( curl gcrypt lzma )"
 RESTRICT="!test? ( test )"
@@ -45,7 +45,10 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}]
 		>=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)]
 		>=net-libs/gnutls-3.1.4:0=
 	)
-	idn? ( net-dns/libidn2:= )
+	idn? (
+		libidn2? ( net-dns/libidn2:= )
+		!libidn2? ( net-dns/libidn:= )
+	)
 	importd? (
 		app-arch/bzip2:0=
 		sys-libs/zlib:0=
@@ -185,6 +188,14 @@ src_prepare() {
 
 	# Add local patches here
 	PATCHES+=(
+		"${FILESDIR}"/242-gcc-9.patch
+		"${FILESDIR}"/242-socket-util-flush-accept.patch
+		"${FILESDIR}"/242-wireguard-listenport.patch
+		"${FILESDIR}"/242-file-max.patch
+		"${FILESDIR}"/242-rdrand-ryzen.patch
+		"${FILESDIR}"/242-networkd-ipv6-token.patch
+		"${FILESDIR}"/242-network-domains.patch
+		"${FILESDIR}"/CVE-2019-15718.patch
 	)
 
 	if ! use vanilla; then
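Review bot: The only line in this hunk that is presumably new to the tree is the `"${FILESDIR}"/CVE-2019-15718.patch` entry; git rendered this file as a 93% copy of systemd-243_rc2.ebuild (the `copy from`/`copy to` header), so the 242-* patch lines here and the other hunks of this file section (IUSE, the idn dependency block, the libidn meson options, `eninja test`, the keepdir change) read as differences from 243_rc2 rather than from the previous 242 revision. A diff against the prior systemd-242 revision is what should be checked to confirm that the revision bump changes nothing besides the added patch. The patch sits outside the `if ! use vanilla` block, so it is applied even with USE=vanilla, which is the right placement for a security fix. src_prepare() continues outside the hunk.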
@@ -244,7 +255,6 @@ multilib_src_configure() {
 		# no deps
 		-Defi=$(meson_multilib)
 		-Dima=true
-		-Ddefault-hierarchy=$(usex cgroup-hybrid hybrid unified)
 		# Optional components/dependencies
 		-Dacl=$(meson_multilib_native_use acl)
 		-Dapparmor=$(meson_multilib_native_use apparmor)
@@ -257,7 +267,6 @@ multilib_src_configure() {
 		-Dgnu-efi=$(meson_multilib_native_use gnuefi)
 		-Defi-libdir="${ESYSROOT}/usr/$(get_libdir)"
 		-Dmicrohttpd=$(meson_multilib_native_use http)
-		-Didn=$(meson_multilib_native_use idn)
 		-Dimportd=$(meson_multilib_native_use importd)
 		-Dbzip2=$(meson_multilib_native_use importd)
 		-Dzlib=$(meson_multilib_native_use importd)
@@ -301,6 +310,18 @@ multilib_src_configure() {
 		-Dvconsole=$(meson_multilib)
 	)
 
+	if multilib_is_native_abi && use idn; then
+		myconf+=(
+			-Dlibidn2=$(usex libidn2 true false)
+			-Dlibidn=$(usex libidn2 false true)
+		)
+	else
+		myconf+=(
+			-Dlibidn2=false
+			-Dlibidn=false
+		)
+	fi
+
 	meson_src_configure "${myconf[@]}"
 }
 
@@ -310,7 +331,7 @@ multilib_src_compile() {
 
 multilib_src_test() {
 	unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR
-	meson_src_test
+	eninja test
 }
 
 multilib_src_install() {
@@ -343,7 +364,7 @@ multilib_src_install_all() {
 	# Preserve empty dirs in /etc & /var, bug #437008
 	keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d}
 	keepdir /etc/kernel/install.d
-	keepdir /etc/systemd/{network,system,user}
+	keepdir /etc/systemd/{network,user}
 	keepdir /etc/udev/{hwdb.d,rules.d}
 	keepdir "${rootprefix}"/lib/systemd/{system-sleep,system-shutdown}
 	keepdir /usr/lib/{binfmt.d,modules-load.d}

diff --git a/sys-apps/systemd/systemd-243_rc2.ebuild b/sys-apps/systemd/systemd-243_rc2-r1.ebuild
similarity index 99%
rename from sys-apps/systemd/systemd-243_rc2.ebuild
rename to sys-apps/systemd/systemd-243_rc2-r1.ebuild
index f00c416fa38..56cfe509a08 100644
--- a/sys-apps/systemd/systemd-243_rc2.ebuild
+++ b/sys-apps/systemd/systemd-243_rc2-r1.ebuild
@@ -185,6 +185,7 @@ src_prepare() {
 
 	# Add local patches here
 	PATCHES+=(
+		"${FILESDIR}"/CVE-2019-15718.patch
 	)
 
 	if ! use vanilla; then
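Review bot: The added `"${FILESDIR}"/CVE-2019-15718.patch` line is the only change in this rename to -r1, which is appropriate for a security bump. Since 243_rc2 is a release candidate, the upstream commit named in the patch's From line (35e528018f3) may already be included in a later 243 tarball; at that bump, check whether the change is present and drop the entry from PATCHES rather than carrying it, because a patch whose lines are already gone would no longer apply. src_prepare() continues outside the hunk.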

