From: "Mike Gilbert" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Mike Gilbert" Message-ID: <1567524402.5d54665bac2e0881b4d22cf48632fd0412623565.floppym@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: sys-apps/systemd/files/, sys-apps/systemd/ X-VCS-Repository: repo/gentoo X-VCS-Files: sys-apps/systemd/files/CVE-2019-15718.patch sys-apps/systemd/systemd-242-r7.ebuild sys-apps/systemd/systemd-243_rc2-r1.ebuild sys-apps/systemd/systemd-243_rc2.ebuild X-VCS-Directories: sys-apps/systemd/ sys-apps/systemd/files/ X-VCS-Committer: floppym X-VCS-Committer-Name: Mike Gilbert X-VCS-Revision: 5d54665bac2e0881b4d22cf48632fd0412623565 X-VCS-Branch: master Date: Tue, 3 Sep 2019 15:27:33 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 674c7186-7504-450b-ad9d-88b49a847700 X-Archives-Hash: 8b33ceb5e65d540911c007122d4afe0d commit: 5d54665bac2e0881b4d22cf48632fd0412623565 Author: Mike Gilbert gentoo org> AuthorDate: Tue Sep 3 15:26:42 2019 +0000 Commit: Mike Gilbert gentoo org> CommitDate: Tue Sep 3 15:26:42 2019 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d54665b sys-apps/systemd: add patch for CVE-2019-15718 Bug: https://bugs.gentoo.org/693156 Package-Manager: Portage-2.3.73_p4, Repoman-2.3.17_p24 Signed-off-by: Mike Gilbert gentoo.org> sys-apps/systemd/files/CVE-2019-15718.patch | 31 ++++++++++++++++++++ ...ystemd-243_rc2.ebuild => systemd-242-r7.ebuild} | 33 ++++++++++++++++++---- ...md-243_rc2.ebuild => systemd-243_rc2-r1.ebuild} | 1 + 3 files changed, 59 insertions(+), 6 deletions(-) diff --git a/sys-apps/systemd/files/CVE-2019-15718.patch b/sys-apps/systemd/files/CVE-2019-15718.patch new file mode 100644 index 00000000000..8186f7096f8 --- /dev/null 
+++ b/sys-apps/systemd/files/CVE-2019-15718.patch @@ -0,0 +1,31 @@ +From 35e528018f315798d3bffcb592b32a0d8f5162bd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 27 Aug 2019 19:00:34 +0200 +Subject: [PATCH] shared/but-util: drop trusted annotation from + bus_open_system_watch_bind_with_description() + +https://bugzilla.redhat.com/show_bug.cgi?id=1746057 + +This only affects systemd-resolved. bus_open_system_watch_bind_with_description() +is also used in timesyncd, but it has no methods, only read-only properties, and +in networkd, but it annotates all methods with SD_BUS_VTABLE_UNPRIVILEGED and does +polkit checks. +--- + src/shared/bus-util.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c +index 6af115e7aa..821339d4ae 100644 +--- a/src/shared/bus-util.c ++++ b/src/shared/bus-util.c +@@ -1705,10 +1705,6 @@ int bus_open_system_watch_bind_with_description(sd_bus **ret, const char *descri + if (r < 0) + return r; + +- r = sd_bus_set_trusted(bus, true); +- if (r < 0) +- return r; +- + r = sd_bus_negotiate_creds(bus, true, SD_BUS_CREDS_UID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CAPS); + if (r < 0) + return r; diff --git a/sys-apps/systemd/systemd-243_rc2.ebuild b/sys-apps/systemd/systemd-242-r7.ebuild similarity index 93% copy from sys-apps/systemd/systemd-243_rc2.ebuild copy to sys-apps/systemd/systemd-242-r7.ebuild index f00c416fa38..da5e7533d89 100644 --- a/sys-apps/systemd/systemd-243_rc2.ebuild +++ b/sys-apps/systemd/systemd-242-r7.ebuild 
@@ -23,7 +23,7 @@ HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd" LICENSE="GPL-2 LGPL-2.1 MIT public-domain" SLOT="0/2" -IUSE="acl apparmor audit build cgroup-hybrid cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi http idn importd +kmod +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux split-usr +sysv-utils test vanilla xkb" +IUSE="acl apparmor audit build cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi http idn importd +kmod libidn2 +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux split-usr +sysv-utils test vanilla xkb" REQUIRED_USE="importd? ( curl gcrypt lzma )" RESTRICT="!test? ( test )" @@ -45,7 +45,10 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)] >=net-libs/gnutls-3.1.4:0= ) - idn? ( net-dns/libidn2:= ) + idn? ( + libidn2? ( net-dns/libidn2:= ) + !libidn2? ( net-dns/libidn:= ) + ) importd? ( app-arch/bzip2:0= sys-libs/zlib:0= @@ -185,6 +188,14 @@ src_prepare() { # Add local patches here PATCHES+=( + "${FILESDIR}"/242-gcc-9.patch + "${FILESDIR}"/242-socket-util-flush-accept.patch + "${FILESDIR}"/242-wireguard-listenport.patch + "${FILESDIR}"/242-file-max.patch + "${FILESDIR}"/242-rdrand-ryzen.patch + "${FILESDIR}"/242-networkd-ipv6-token.patch + "${FILESDIR}"/242-network-domains.patch + "${FILESDIR}"/CVE-2019-15718.patch ) if ! use vanilla; then @@ -244,7 +255,6 @@ multilib_src_configure() { # no deps -Defi=$(meson_multilib) -Dima=true - -Ddefault-hierarchy=$(usex cgroup-hybrid hybrid unified) # Optional components/dependencies -Dacl=$(meson_multilib_native_use acl) -Dapparmor=$(meson_multilib_native_use apparmor) 
@@ -257,7 +267,6 @@ multilib_src_configure() { -Dgnu-efi=$(meson_multilib_native_use gnuefi) -Defi-libdir="${ESYSROOT}/usr/$(get_libdir)" -Dmicrohttpd=$(meson_multilib_native_use http) - -Didn=$(meson_multilib_native_use idn) -Dimportd=$(meson_multilib_native_use importd) -Dbzip2=$(meson_multilib_native_use importd) -Dzlib=$(meson_multilib_native_use importd) @@ -301,6 +310,18 @@ multilib_src_configure() { -Dvconsole=$(meson_multilib) ) + if multilib_is_native_abi && use idn; then + myconf+=( + -Dlibidn2=$(usex libidn2 true false) + -Dlibidn=$(usex libidn2 false true) + ) + else + myconf+=( + -Dlibidn2=false + -Dlibidn=false + ) + fi + meson_src_configure "${myconf[@]}" } @@ -310,7 +331,7 @@ multilib_src_compile() { multilib_src_test() { unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR - meson_src_test + eninja test } multilib_src_install() { @@ -343,7 +364,7 @@ multilib_src_install_all() { # Preserve empty dirs in /etc & /var, bug #437008 keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} keepdir /etc/kernel/install.d - keepdir /etc/systemd/{network,system,user} + keepdir /etc/systemd/{network,user} keepdir /etc/udev/{hwdb.d,rules.d} keepdir "${rootprefix}"/lib/systemd/{system-sleep,system-shutdown} keepdir /usr/lib/{binfmt.d,modules-load.d} diff --git a/sys-apps/systemd/systemd-243_rc2.ebuild b/sys-apps/systemd/systemd-243_rc2-r1.ebuild similarity index 99% rename from sys-apps/systemd/systemd-243_rc2.ebuild rename to sys-apps/systemd/systemd-243_rc2-r1.ebuild index f00c416fa38..56cfe509a08 100644 --- a/sys-apps/systemd/systemd-243_rc2.ebuild +++ b/sys-apps/systemd/systemd-243_rc2-r1.ebuild @@ -185,6 +185,7 @@ src_prepare() { # Add local patches here PATCHES+=( + "${FILESDIR}"/CVE-2019-15718.patch ) if ! use vanilla; then
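Review bot: the security-relevant line in the src/shared/bus-util.c hunk is the removed `r = sd_bus_set_trusted(bus, true);` block; once the connection is no longer marked trusted, sd-bus applies its default access check to methods that lack SD_BUS_VTABLE_UNPRIVILEGED, using the caller credentials negotiated on the very next line (`SD_BUS_CREDS_UID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CAPS`), which is why the upstream message can say timesyncd (read-only properties) and networkd (all methods annotated UNPRIVILEGED with polkit checks) are unaffected and only resolved changes behaviour. The patch file is the verbatim upstream commit 35e528018f315798d3bffcb592b32a0d8f5162bd (the "shared/but-util" typo in its Subject is upstream's), and its context is taken from upstream master (`index 6af115e7aa..821339d4ae`, `@@ -1705,10 +1705,6 @@`), so against the v242 and v243-rc2 tarballs it will apply with a line offset; worth checking the src_prepare output to confirm eapply reports a clean apply rather than fuzz.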
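Review bot: because git rendered systemd-242-r7.ebuild as a 93% copy of systemd-243_rc2.ebuild, the @@ -23, @@ -45, @@ -244, @@ -257, @@ -301, @@ -310 and @@ -343 hunks show the standing differences between the 243 and 242 branches (cgroup-hybrid, libidn vs libidn2, `eninja test` vs `meson_src_test`, `keepdir /etc/systemd/system`) rather than what changed relative to the previous 242 revision; the only change the commit message ("add patch for CVE-2019-15718") accounts for is the last `PATCHES+=` entry in the @@ -185,6 +188,14 hunk. Suggest stating in the commit message that -r7 is a straight revbump of the prior 242 revision plus the CVE patch, or generating the commit diff with `--no-renames` so the actual delta is reviewable.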
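Review bot: in the systemd-243_rc2-r1.ebuild rename hunk (@@ -185,6 +185,7) the single added `"${FILESDIR}"/CVE-2019-15718.patch` line is the whole change, consistent with a pure revision bump of a pre-release; since the upstream fix is dated 2019-08-27 and will be part of the next 243 tarball, add a comment next to that PATCHES entry noting it can be dropped once a release containing commit 35e52801 is packaged, so the backport is not carried forward unnecessarily.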