From: "Joonas Niilola" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Joonas Niilola" Message-ID: <1594130191.40bc6b7f79069264f3cbc918ffae4af4feab2bb5.juippis@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/hylafaxplus/, net-misc/hylafaxplus/files/ X-VCS-Repository: repo/gentoo X-VCS-Files: net-misc/hylafaxplus/Manifest net-misc/hylafaxplus/files/hylafaxplus-CVE-2020-1539x.patch net-misc/hylafaxplus/hylafaxplus-7.0.2.ebuild X-VCS-Directories: net-misc/hylafaxplus/files/ net-misc/hylafaxplus/ X-VCS-Committer: juippis X-VCS-Committer-Name: Joonas Niilola X-VCS-Revision: 40bc6b7f79069264f3cbc918ffae4af4feab2bb5 X-VCS-Branch: master Date: Tue, 7 Jul 2020 13:56:44 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 7fba12b9-3c16-4c9e-a0f5-d84a35d44f6e X-Archives-Hash: 72290c0e87f1b13b634ae4f81aed76c1 commit: 40bc6b7f79069264f3cbc918ffae4af4feab2bb5 Author: John Helmert III posteo net> AuthorDate: Wed Jul 1 04:33:35 2020 +0000 Commit: Joonas Niilola gentoo org> CommitDate: Tue Jul 7 13:56:31 2020 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40bc6b7f net-misc/hylafaxplus: Add 7.0.2 (security bump) Bug: https://bugs.gentoo.org/730290 Package-Manager: Portage-2.3.103, Repoman-2.3.23 Signed-off-by: John Helmert III posteo.net> Closes: https://github.com/gentoo/gentoo/pull/16541 Signed-off-by: Joonas Niilola gentoo.org> net-misc/hylafaxplus/Manifest | 1 + .../files/hylafaxplus-CVE-2020-1539x.patch | 110 ++++++++++++++ net-misc/hylafaxplus/hylafaxplus-7.0.2.ebuild | 160 +++++++++++++++++++++ 3 files changed, 271 insertions(+) diff --git a/net-misc/hylafaxplus/Manifest b/net-misc/hylafaxplus/Manifest index 3e0b1d426ce..51882b7cd3d 100644 
--- a/net-misc/hylafaxplus/Manifest +++ b/net-misc/hylafaxplus/Manifest @@ -1,2 +1,3 @@ DIST hylafax-5.5.5.tar.gz 1353495 BLAKE2B e1b41a5cf5502ad28467625495171c085f43f4352b73bfd633da851a1366502aca04a157790ad4a7f3d634a6adbb5dab4c1eeb294283352e9eedaf03c565cb42 SHA512 ee6225ae044c567093103f35c30d848db757636c1d8db78e8f7cb43eb01ea34ab229a81ca4175e2bf30d3c87b598d5b5797b7d92b0dc852bf4b69c697baca8cf DIST hylafax-5.6.1.tar.gz 1370677 BLAKE2B bd93d54f2c3e2c5c4c33617a0d95569c82bcbd32f669fb2ea513b86e112a5743ae6b4ddc8d43f3bd4af6006517e8787392c84bf60e715c104ddb0d819b22985a SHA512 c86c33dc9e8feec4e265156fa3bbda18cf187feeef5c812ff3d3c7857de048a688bb979fcd3494ee8fe58a004a384a2a161d05245c86d0c304311d63f62a9eb1 +DIST hylafax-7.0.2.tar.gz 1393586 BLAKE2B cbf99f91a0aa07783dd30e76ce8416b2933240d4bf829220909000519f9c9e14a324163707c14504848ba71e7c1ee7d98455f06bb040c2c50c1493d0138122aa SHA512 ea68404ad79e798b29450683eaa927e73033e0fa8160b803a3e2c9000df487c81193cc8fc0c1187477f5e1b2e26eec1c065ebc17e0be82e9a3e3758b1b5b5e4e diff --git a/net-misc/hylafaxplus/files/hylafaxplus-CVE-2020-1539x.patch b/net-misc/hylafaxplus/files/hylafaxplus-CVE-2020-1539x.patch new file mode 100644 index 00000000000..6c484590c46 --- /dev/null +++ b/net-misc/hylafaxplus/files/hylafaxplus-CVE-2020-1539x.patch 
@@ -0,0 +1,110 @@ +commit e8f8196230ae15f6f7d7104ded3e2633002506e4 +Author: faxguy +Date: Sat Jun 13 23:46:33 2020 +0000 + + Johannes Segitz reported two issues: + + 1) faxaddmodem, faxsetup, and probemodem create temporary directories in a way that is not secure due to a race condition. + + 2) The HylaFAX spool directory bin and etc subdirectories are not secure against uucp deleting and recreating scripts that root runs. + + These changes address these two issues. + + + + git-svn-id: https://svn.code.sf.net/p/hylafax/HylaFAX+@2534 5505949e-d877-4686-9e03-c53b7a51b376 + +diff --git a/CONTRIBUTORS b/CONTRIBUTORS +index 057739f..a9d4f21 100644 +--- a/CONTRIBUTORS ++++ b/CONTRIBUTORS +@@ -203,6 +203,7 @@ following for their contributions: + Travis Schafer LogSend and LogRecv modem config options, documentation fixes + Sven Schmidt + Steven Schoch faxrcvd faxinfo text parsing ++ Johannes Segitz code security audit + John Sellens + Chris Severance documentation fixes, scripting improvements + Simon +diff --git a/Makefile.in b/Makefile.in +index 1ee4d76..ec0cda7 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -208,7 +208,10 @@ makeServerDirs:: + -idb hylafax.sw.server -root ${INSTALLROOT} -dir ${SPOOL} + -${INSTALL} -u ${FAXUSER} -g ${FAXGROUP} -m ${DIRMODE} \ + -idb hylafax.sw.server -dir \ +- -root ${INSTALLROOT} -F ${SPOOL} bin client config dev etc info log recvq status ++ -root ${INSTALLROOT} -F ${SPOOL} client config dev info log recvq status ++ -${INSTALL} -u root -g root -m ${DIRMODE} \ ++ -idb hylafax.sw.server -dir \ ++ -root ${INSTALLROOT} -F ${SPOOL} bin etc + -${INSTALL} -u ${FAXUSER} -g ${FAXGROUP} -m 700 \ + -idb hylafax.sw.server -dir \ + -root ${INSTALLROOT} -F ${SPOOL} sendq doneq docq tmp pollq archive +diff --git a/etc/faxaddmodem.sh.in b/etc/faxaddmodem.sh.in +index dc39917..c4d3ff1 100644 +--- a/etc/faxaddmodem.sh.in ++++ b/etc/faxaddmodem.sh.in +@@ -113,12 +113,14 @@ if [ "$euid" != "root" ]; then + fi + + # security ++o="`umask`" ++umask 077 + 
TMPDIR=`(mktemp -d /tmp/.faxaddmodem.XXXXXX) 2>/dev/null` ++umask "$o" + if test X$TMPDIR = X; then +- TMPDIR=/tmp/.faxaddmodem$$ ++ echo "Failed to create temporary directory. Cannot continue." ++ exit 1 + fi +-@RM@ -rf $TMPDIR +-(umask 077 ; mkdir $TMPDIR) || exit 1 + + SH=$SCRIPT_SH # shell for use below + CPATH=$SPOOL/etc/config # prefix of configuration file +diff --git a/etc/faxsetup.sh.in b/etc/faxsetup.sh.in +index 556eef5..b4aae40 100644 +--- a/etc/faxsetup.sh.in ++++ b/etc/faxsetup.sh.in +@@ -922,12 +922,14 @@ if onServer; then + # + + # Setup TMPDIR before anything can trap and rm it ++ o="`umask`" ++ umask 077 + TMPDIR=`(mktemp -d /tmp/.faxsetup.XXXXXX) 2>/dev/null` ++ umask "$o" + if test x$TMPDIR = x; then +- TMPDIR=/tmp/.faxsetup$$ ++ echo "Failed to create temporary directory. Cannot continue." ++ exit 1 + fi +- $RM -rf $TMPDIR +- (umask 077 ; mkdir $TMPDIR) || exit 1 + + JUNK="etc/setup.tmp" + trap "$RM \$JUNK; $RM -r \$TMPDIR; exit 1" 1 2 15 +diff --git a/etc/probemodem.sh.in b/etc/probemodem.sh.in +index 55b5d9b..c0abf15 100644 +--- a/etc/probemodem.sh.in ++++ b/etc/probemodem.sh.in +@@ -85,12 +85,14 @@ test -f $SPOOL/etc/setup.cache || { + . $SPOOL/etc/setup.cache # common configuration stuff + . $SPOOL/etc/setup.modem # modem-specific stuff + ++o="`umask`" ++umask 077 + TMPDIR=`(mktemp -d /tmp/.probemodem.XXXXXX) 2>/dev/null` ++umask "$o" + if test X$TMPDIR = X; then +- TMPDIR=/tmp/.probemodem$$ ++ echo "Failed to create temporary directory. Cannot continue." ++ exit 1 + fi +-@RM@ -fr $TMPDIR +-(umask 077 ; mkdir $TMPDIR) || exit 1 + + SH=$SCRIPT_SH # shell for use below + OUT=$TMPDIR/probemodem$$ # temp file in which modem output is recorded diff --git a/net-misc/hylafaxplus/hylafaxplus-7.0.2.ebuild b/net-misc/hylafaxplus/hylafaxplus-7.0.2.ebuild new file mode 100644 index 00000000000..2e43871ac72 --- /dev/null +++ b/net-misc/hylafaxplus/hylafaxplus-7.0.2.ebuild 
@@ -0,0 +1,160 @@ +# Copyright 1999-2020 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit pam toolchain-funcs + +MY_PN="${PN/plus/}" +MY_P="${MY_PN}-${PV}" + +DESCRIPTION="Enterprise client-server fax package for class 1 and 2 fax modems" +HOMEPAGE="https://hylafax.sourceforge.net" +SRC_URI="mirror://sourceforge/hylafax/${MY_P}.tar.gz" + +SLOT="0" +LICENSE="hylafaxplus" +KEYWORDS="~amd64 ~x86" +IUSE="html jbig lcms ldap mgetty pam" + +DEPEND=" + app-text/ghostscript-gpl + media-libs/tiff:0[jbig?] + !net-dialup/mgetty[fax] + >=sys-libs/zlib-1.1.4 + virtual/awk + virtual/jpeg:0 + virtual/mta + jbig? ( media-libs/jbigkit ) + lcms? ( media-libs/lcms ) + ldap? ( net-nds/openldap ) + mgetty? ( net-dialup/mgetty[-fax] ) + pam? ( sys-libs/pam ) +" +RDEPEND="${DEPEND} + !net-dialup/sendpage + net-mail/metamail +" + +S="${WORKDIR}/${MY_P}" + +CONFIG_PROTECT="${CONFIG_PROTECT} /var/spool/fax/etc /usr/lib/fax" +CONFIG_PROTECT_MASK="${CONFIG_PROTECT_MASK} /var/spool/fax/etc/xferfaxlog" + +PATCHES=( + "${FILESDIR}/ldconfig-patch" + "${FILESDIR}/${PN}-CVE-2020-1539x.patch" +) + +src_prepare() { + default + + # force it not to strip binaries + for dir in etc util faxalter faxcover faxd faxmail faxrm faxstat \ + hfaxd sendfax sendpage ; do + sed -i -e "s:-idb:-idb \"nostrip\" -idb:g" \ + "${dir}"/Makefile.in || die "sed on ${dir}/Makefile.in failed" + done + + sed -i -e "s:hostname:hostname -f:g" util/{faxrcvd,pollrcvd}.sh.in || die "sed on hostname failed" + + # Respect LDFLAGS(at least partially) + sed -i -e "/^LDFLAGS/s/LDOPTS}/LDOPTS} ${LDFLAGS}/" defs.in || die "sed on defs.in failed" + + sed -i -e "s|-fpic|-fPIC|g" \ + configure || die +} + +src_configure() { + do_configure() { + echo ./configure --nointeractive ${1} + # eval required for quoting in ${my_conf} to work properly, better way? 
+ eval ./configure --nointeractive ${1} || die "./configure failed" + } + local my_conf=" + --with-DIR_BIN=/usr/bin + --with-DIR_SBIN=/usr/sbin + --with-DIR_LIB=/usr/$(get_libdir) + --with-DIR_LIBEXEC=/usr/sbin + --with-DIR_LIBDATA=/usr/$(get_libdir)/fax + --with-DIR_LOCALE=/usr/share/locale + --with-DIR_LOCKS=/var/lock + --with-DIR_MAN=/usr/share/man + --with-DIR_SPOOL=/var/spool/fax + --with-DIR_HTML=/usr/share/doc/${P}/html + --with-DIR_CGI="${WORKDIR}" + --with-PATH_DPSRIP=/var/spool/fax/bin/ps2fax + --with-PATH_IMPRIP=\"\" + --with-SYSVINIT=no + --with-REGEX=yes + --with-LIBTIFF=\"-ltiff -ljpeg -lz\" + --with-OPTIMIZER=\"${CFLAGS}\" + --with-DSO=auto + --with-HTML=$(usex html)" + + if use mgetty; then + my_conf="${my_conf} \ + --with-PATH_GETTY=/sbin/mgetty \ + --with-PATH_EGETTY=/sbin/mgetty \ + --with-PATH_VGETTY=/usr/sbin/vgetty" + else + # GETTY defaults to /sbin/agetty + my_conf="${my_conf} \ + --with-PATH_EGETTY=/bin/false \ + --with-PATH_VGETTY=/bin/false" + fi + + #--enable-pam isn't valid + use pam || my_conf="${my_conf} $(use_enable pam)" + use lcms || my_conf="${my_conf} $(use_enable lcms)" + use ldap || my_conf="${my_conf} $(use_enable ldap)" + use jbig || my_conf="${my_conf} $(use_enable jbig)" + + tc-export CC CXX AR RANLIB + + do_configure "${my_conf}" +} + +src_compile() { + # Parallel building is borked, bug #???? 
+ emake -j1 +} + +src_install() { + dodir /usr/{bin,sbin} /usr/$(get_libdir)/fax /usr/share/man + dodir /var/spool /var/spool/fax + fowners uucp:uucp /var/spool/fax + fperms 0600 /var/spool/fax + dodir "/usr/share/doc/${P}/samples" + + emake DESTDIR="${D}" \ + BIN="${D}/usr/bin" \ + SBIN="${D}/usr/sbin" \ + LIBDIR="${D}/usr/$(get_libdir)" \ + LIB="${D}/usr/$(get_libdir)" \ + LIBEXEC="${D}/usr/sbin" \ + LIBDATA="${D}/usr/$(get_libdir)/fax" \ + DIR_LOCALE="${D}/usr/share/locale" \ + MAN="${D}/usr/share/man" \ + SPOOL="${D}/var/spool/fax" \ + HTMLDIR="${D}/usr/share/doc/${PF}/html" \ + install + + keepdir /var/spool/fax/{archive,client,etc,pollq,recvq,tmp} + keepdir /var/spool/fax/{status,sendq,log,info,doneq,docq,dev} + + einfo "Adding env.d entry for ${PN}" + newenvd - 99hylafaxplus <<-EOF + PATH="/var/spool/fax/bin" + CONFIG_PROTECT="/var/spool/fax/etc /usr/$(get_libdir)/fax" + CONFIG_PROTECT_MASK="/var/spool/fax/etc/xferfaxlog" + EOF + + newconfd "${FILESDIR}/${PN}-conf" ${PN} + newinitd "${FILESDIR}/${PN}-init" ${PN} + + use pam && pamd_mimic_system ${MY_PN} auth account session + + einstalldocs + docinto samples +}
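Review bot: In the Manifest hunk, the hylafax-7.0.2 DIST entry is added while the hylafax-5.5.5 and hylafax-5.6.1 distfiles are kept, so the versions this security bump supersedes remain installable from the tree; since the commit message calls this a security bump, plan the follow-up that drops the old ebuilds and their DIST lines once 7.0.2 is keyworded, and track it against https://bugs.gentoo.org/730290 so the cleanup is not forgotten.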
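Review bot: The new file hylafaxplus-CVE-2020-1539x.patch uses a wildcard digit in its name and neither its header (the lines after `+commit e8f8196230ae15f6f7d7104ded3e2633002506e4`) nor the commit message lists the concrete CVE identifiers it addresses; record them, or at least the bug URL, at the top of the patch so the file can be matched to advisories without opening the bug. The Makefile.in region of the same file is the part that fixes the second reported issue: it removes `bin etc` from the `-u ${FAXUSER} -g ${FAXGROUP}` directory list and installs them with `-u root -g root`, so uucp can no longer replace scripts that root executes. Because the ebuild's env.d entry also puts /var/spool/fax/bin on PATH, an install-time check that both /var/spool/fax/bin and /var/spool/fax/etc end up root-owned and not group- or world-writable would be a useful regression guard.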
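Review bot: In the faxaddmodem.sh.in, faxsetup.sh.in and probemodem.sh.in regions, the new failure branch `echo "Failed to create temporary directory. Cannot continue."` writes to stdout; send it to stderr (`echo "..." >&2`) so it survives when a caller captures the script's output. The substantive fix in these three regions is the removal of the fallback `TMPDIR=/tmp/.faxaddmodem$$` (and its faxsetup/probemodem counterparts) together with the `@RM@ -rf $TMPDIR` / `(umask 077 ; mkdir $TMPDIR)` sequence, which is the race the patch header describes: a predictable PID-based path that was removed and re-created rather than created atomically. The surrounding `umask 077` / `umask "$o"` pair additionally ensures the mktemp directory is 0700 whatever the caller's umask, which is worth a one-line comment since the three copies are identical and will otherwise drift. In faxsetup.sh.in the `trap "$RM \$JUNK; $RM -r \$TMPDIR; exit 1" 1 2 15` is installed only after the directory exists, so a signal between mktemp and trap leaves the 0700 directory behind; a cleanup rather than a security concern, but easy to tighten.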
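Review bot: In the ebuild hunk, `# Parallel building is borked, bug #????` leaves a placeholder bug number; fill in the actual bug id or reword the comment to describe the failure, because `#????` cannot be followed up. Two further points in src_install: `fperms 0600 /var/spool/fax` clears the search (x) bit on a directory, so even its uucp owner cannot traverse it unless running as root; confirm this is intended or whether 0700 was meant. And `fowners uucp:uucp /var/spool/fax` assumes the uucp user and group exist at install time, yet nothing in DEPEND or RDEPEND provides them; add acct-user/uucp and acct-group/uucp to both so the merge does not fail on a host without them. Finally, PATCHES references `${FILESDIR}/ldconfig-patch` and the install step references `${FILESDIR}/${PN}-conf` and `${PN}-init`, none of which appear in X-VCS-Files for this commit; verify they already exist in net-misc/hylafaxplus/files/ from the older ebuilds.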