gentoo auto-resync : 14:08:2024 - 11:06:13

6 files changed, 570 insertions, 2 deletions

diff --git a/net-misc/Manifest.gz b/net-misc/Manifest.gz
index 89aa160fca88..0e88c16d76c5 100644
--- a/net-misc/Manifest.gz
+++ b/net-misc/Manifest.gz
diff --git a/net-misc/asterisk/Manifest b/net-misc/asterisk/Manifest
index ea9f74092681..0b195af24501 100644
--- a/net-misc/asterisk/Manifest
+++ b/net-misc/asterisk/Manifest
@@ -1,6 +1,7 @@
 AUX asterisk-16.16.2-no-var-run-install.patch 728 BLAKE2B 25fc61c4aa68d9e3243d1161e68e0b61b14b5505eadd00fdf46e1c3977e7fb536afd42dc6c9a07f400a686c19afd04fd8f00fc1cb916978783a9e54ecfe81dd4 SHA512 ab1e7ac700711125162396c4ebe590eb000f4ad6c4cbe8845794f5d06353a4a52167fcc83ee97860f38540089cad6d45f2e8589c1f30098e85479a2b4c722f75
 AUX asterisk-16.29.1_18.15.1_20.0.1-noexec_stack.patch 1447 BLAKE2B 2785ea3e923d048f83bb2e25d7a645fe27e69051d43c5c4577e98218b6044cf79661d69076737d55dff8bd5be19f87dcfa24bd54003cbea3f36a736234941dc8 SHA512 05eb7e0ca1eee4f6ebae8fd3be67c34cf0d27ac90393c0c9f21f2c4fda5e69f91fbd63d7ebedbcd26f5e2498c1fd4ff9a4079fdfaf5741819892cda6f5753623
 AUX asterisk-16.30.1-r1-iax2_jitterbuffer.patch 2464 BLAKE2B f2f7d109e4876a1ec58d4af4b96415d58250ffb4ea5caa6d75873b8f853b0773747e9e8d4baba09c55ded62fa206444bd6eaef312bfb891f84044be7088a1595 SHA512 ae0649de6ffbc8b0aa35f38ae8600366f7cbf9f3342686d04705b13e6f3085bdd40bd3fb73a001cd727063db86e0bbc6a31f7691bdde2034ddd67ba6af959cdf
+AUX asterisk-16.30.1-r3-manager.c-Add-entries-to-Originate-blacklist.patch 6965 BLAKE2B d834fd3831c7871906ba6f6486bdad86e9d3b07d5f0409a1bfd159564a4ca6f7002f38ae2f096fb4083419b90a9c617172cddba466c4c64d7fa0a6b7663ebca1 SHA512 5dbf962b31aa32c99b36264d1d3a600444c4d6e59126e9b86a1f7b029d30d5239145031a1de58cac2cb952653bcf2122a78ae9030074f00bea599f45db7e4aac
 DIST asterisk-16.30.1.tar.gz 28234979 BLAKE2B a9cd732feb00408876f90328d7f14dbfe426829e607f9b8e812ff25823c8dc1facab1ecd423e1d4f33c1623f3769197fa3b1fe3181efad0b231c96c0afb1dd16 SHA512 1624d207e80351f976c084344d09d67fe37b526a42970da007f5407be006d107e951093209415a68c891e2bd9cb142421e7acd1ac9fba2c1b1c064aee2224cb6
 DIST asterisk-18.21.0.tar.gz 28446501 BLAKE2B 15a0f928f9c20eb676ffa25af8ac771494a417744758e6e9304451502ee2981c09e1c89c7012ec11edfb9a6bfd15599d462922a373a8f8d7d5074ea0b8c7e7cf SHA512 4a3c57af70b74918b61e1c67423667a876fcc519376f1795054a55700acb5d05da8e4e0a3e3187760203bc262678a6c29eae07ed2a5e2df84a9a555ec79cb48f
 DIST asterisk-18.24.2.tar.gz 28530320 BLAKE2B a2597effb6e5b10588fe34ebd9b91cedb80605d9ccabd2a8bfe3f2d1e66cd1599be87d4124cc34a7492fc39fd5345b3080e3669b0aa810a9220395d0aba845f2 SHA512 e81dd3819daae82b217164d9026f6f626400b6623092169b2300248f6c2be9cb80bb74157cc4eff38eb6da645f491da2e47712f8b9f4d7a12af5c6703eafcd85
@@ -8,6 +9,7 @@ DIST asterisk-20.9.2.tar.gz 28293235 BLAKE2B f5d165b53e019435d760a49eeb2a31dc455
 DIST asterisk-21.4.2.tar.gz 26346837 BLAKE2B d90654671751438598a8d15df8caee092ff6be173b24eec22be49962f867eb3264aae1e1f747b4c08aa51d50a8d7a70cb5b91b89edd944efb46c2807c582d935 SHA512 01dc6452b4cea64fa3bd7d0aa38dd07ad2008b491ec7f2d64ee2eb47583731066bac1fa86d3b3e781b6ee7454a69bb585f77b3fd51a75a1dfd9b0541c31b12b4
 EBUILD asterisk-16.30.1-r1.ebuild 11416 BLAKE2B d159192dd4b7e5807046b85e0c8237c0d555bc7a95ebc71d802f3e664f5617d845399d0b9383c739066c9403f7896475a1310c89a56b76fe2322023b4d75ef1e SHA512 258f1d1878fd9ced49fe4e9b12c01bb1803896e2a614a2b3c4518a4aab1d54b50a92c8ccf73dde0664a092c492fabad912f81c1cc327feed7b15cd792a124d99
 EBUILD asterisk-16.30.1-r2.ebuild 11268 BLAKE2B bc730a8130fa484d1d0ff90e9a75b584569daa86e811be6b43ef086e2b149a4f32e1bef43f76e5985799368f7cebb5476f3037f171b42fe5ee4b8ab4eea01dfe SHA512 072955f38dbd5101dbff614dd3d762300d1a192d71f369b1a04c9c3bfa256c3ef5ed0ca839248b4aa3f1131ac26b75995aca1a28ce1f2ad41a40a5f51a44dbe0
+EBUILD asterisk-16.30.1-r3.ebuild 11354 BLAKE2B 5da296f63f753764d91a89a9b754a32745a81a2d07249df08950c68562ec481b9cd303250117834ccb898ae7bf69e848948ffb9153727929db990cd43861e3aa SHA512 51c28b4f32af6d2ba337be94f04e9ed35c25a944ad2dd3badb67e35ca86cb3fcf6caedc81121c3a8bb4bb3cdf0b76e4b036b81d196641dde3704e999a36d0834
 EBUILD asterisk-18.21.0.ebuild 11294 BLAKE2B 30b1c60fd758f8c3bd063cb377ac5d623628c3c1a87edbce363bf4d5177b6b44e2a2f0623280506dda05e137ef2c2eed68dc947ecf86ce51bfee5da31538e8e1 SHA512 5c57817da45196cf9bd5834c2267abb9809a638ed8d702ff817c2c04995fb2242719b62acce052c57636fb072c0562d04a4f813526fcadfc7aad79be532c43b4
 EBUILD asterisk-18.24.2.ebuild 11163 BLAKE2B 3c5f7f87ae4ff062b2c48ffdedf0a4907e077c09183a28ffa4c5b51a0016edcc888d90ea0e0155a722fc274b3bba120ed6216bd68fa88169696b482dd89d92d5 SHA512 29fafe19c4fe54be2db06f442a8733fd478f6e797130a92ff02b20a7ca9cd41393e4ab55acf7a480836f0e7083d1e595ac8acee1092e7a3a116cc63235f8d313
 EBUILD asterisk-20.9.2.ebuild 11012 BLAKE2B 35ee0e408bbd1cac76d105cd2101ccb5644b9e6e7fc77a8b51f56c8780c81b45343646aea1844b07bd6047f047dc21bb0ac3968da81358ede02e2573031f86dc SHA512 7e66a49985edc5ae120f2e39e36890e0f875ca23c3d3fb2d9b71127852f9fd8485229222f5b5bcf5083e3ff1787d2172edf6739f342c9e1ce985a84b168ac7c6
diff --git a/net-misc/asterisk/asterisk-16.30.1-r3.ebuild b/net-misc/asterisk/asterisk-16.30.1-r3.ebuild
new file mode 100644
index 000000000000..0d859d8098ae
--- /dev/null
+++ b/net-misc/asterisk/asterisk-16.30.1-r3.ebuild
@@ -0,0 +1,361 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+LUA_COMPAT=( lua5-{1..4} )
+
+inherit autotools linux-info lua-single toolchain-funcs
+
+DESCRIPTION="Asterisk: A Modular Open Source PBX System"
+HOMEPAGE="https://www.asterisk.org/"
+SRC_URI="https://downloads.asterisk.org/pub/telephony/asterisk/releases/${P}.tar.gz"
+LICENSE="GPL-2"
+SLOT="0/${PV%%.*}"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~x86"
+
+IUSE_VOICEMAIL_STORAGE=(
+	+voicemail_storage_file
+	voicemail_storage_odbc
+	voicemail_storage_imap
+)
+IUSE="${IUSE_VOICEMAIL_STORAGE[*]} alsa blocks bluetooth calendar +caps cluster codec2 curl debug deprecated doc freetds gtalk http iconv ilbc ldap lua mysql newt odbc oss pjproject portaudio postgres radius selinux snmp span speex srtp +ssl static statsd syslog systemd unbound vorbis xmpp"
+IUSE_EXPAND="VOICEMAIL_STORAGE"
+REQUIRED_USE="gtalk? ( xmpp )
+	lua? ( ${LUA_REQUIRED_USE} )
+	^^ ( ${IUSE_VOICEMAIL_STORAGE[*]//+/} )
+	voicemail_storage_odbc? ( odbc )
+"
+
+PATCHES=(
+	"${FILESDIR}/asterisk-16.16.2-no-var-run-install.patch"
+	"${FILESDIR}/asterisk-16.29.1_18.15.1_20.0.1-noexec_stack.patch"
+	"${FILESDIR}/asterisk-16.30.1-r1-iax2_jitterbuffer.patch"
+	"${FILESDIR}/asterisk-16.30.1-r3-manager.c-Add-entries-to-Originate-blacklist.patch"
+)
+
+DEPEND="acct-user/asterisk
+	acct-group/asterisk
+	dev-db/sqlite:3
+	dev-libs/popt
+	>=dev-libs/jansson-2.11:=
+	dev-libs/libedit
+	dev-libs/libxml2:2
+	dev-libs/libxslt
+	sys-apps/util-linux
+	sys-libs/zlib
+	virtual/libcrypt:=
+	alsa? ( media-libs/alsa-lib )
+	bluetooth? ( net-wireless/bluez:= )
+	calendar? (
+		net-libs/neon:=
+		dev-libs/libical:=
+		dev-libs/iksemel
+	)
+	caps? ( sys-libs/libcap )
+	blocks? ( sys-libs/blocksruntime )
+	cluster? ( sys-cluster/corosync )
+	codec2? ( media-libs/codec2:= )
+	curl? ( net-misc/curl )
+	freetds? ( dev-db/freetds )
+	gtalk? ( dev-libs/iksemel )
+	http? ( dev-libs/gmime:2.6 )
+	iconv? ( virtual/libiconv )
+	ilbc? ( media-libs/libilbc )
+	ldap? ( net-nds/openldap:= )
+	lua? ( ${LUA_DEPS} )
+	mysql? ( dev-db/mysql-connector-c:= )
+	newt? ( dev-libs/newt )
+	odbc? ( dev-db/unixODBC )
+	pjproject? ( >=net-libs/pjproject-2.9:= )
+	portaudio? ( media-libs/portaudio )
+	postgres? ( dev-db/postgresql:* )
+	radius? ( net-dialup/freeradius-client )
+	snmp? ( net-analyzer/net-snmp:= )
+	span? ( media-libs/spandsp )
+	speex? (
+		media-libs/libogg
+		media-libs/speex
+		media-libs/speexdsp
+	)
+	srtp? ( net-libs/libsrtp:0 )
+	ssl? (
+		dev-libs/openssl:0=
+	)
+	systemd? ( sys-apps/systemd )
+	!systemd? ( !sys-apps/systemd )
+	unbound? ( net-dns/unbound )
+	vorbis? (
+		media-libs/libogg
+		media-libs/libvorbis
+	)
+	voicemail_storage_imap? ( net-libs/c-client[ssl=] )
+	xmpp? ( dev-libs/iksemel )
+"
+
+RDEPEND="${DEPEND}
+	net-misc/asterisk-core-sounds
+	net-misc/asterisk-extra-sounds
+	net-misc/asterisk-moh-opsound
+	selinux? ( sec-policy/selinux-asterisk )
+	syslog? ( virtual/logger )"
+PDEPEND="net-misc/asterisk-base"
+
+BDEPEND="dev-libs/libxml2:2
+	virtual/pkgconfig"
+
+QA_DT_NEEDED="/usr/lib.*/libasteriskssl[.]so[.][0-9]\+"
+
+_make_args=(
+	"NOISY_BUILD=yes"
+	"ASTDBDIR=\$(ASTDATADIR)/astdb"
+	"ASTVARRUNDIR=/run/asterisk"
+	"ASTCACHEDIR=/var/cache/asterisk"
+	"OPTIMIZE="
+	"DEBUG="
+	"DESTDIR=${D}"
+	"CONFIG_SRC=configs/samples"
+	"CONFIG_EXTEN=.sample"
+)
+
+pkg_pretend() {
+	CONFIG_CHECK="~!NF_CONNTRACK_SIP"
+	local WARNING_NF_CONNTRACK_SIP="SIP (NAT) connection tracking is enabled. Some users
+	have reported that this module dropped critical SIP packets in their deployments. You
+	may want to disable it if you see such problems."
+	check_extra_config
+
+	[[ "${MERGE_TYPE}" == binary ]] && return
+
+	if tc-is-clang; then
+		use blocks || die "CC=clang requires USE=blocks"
+	else
+		use blocks && die "USE=blocks can only be used with CC=clang"
+	fi
+}
+
+pkg_setup() {
+	use lua && lua-single_pkg_setup
+}
+
+src_prepare() {
+	default
+	AT_M4DIR="autoconf third-party third-party/pjproject third-party/jansson" \
+		AC_CONFIG_SUBDIRS=menuselect eautoreconf
+}
+
+src_configure() {
+	local vmst
+	local copt cstate
+
+	econf \
+		SED=sed \
+		LUA_VERSION="${ELUA#lua}" \
+		--libdir="/usr/$(get_libdir)" \
+		--localstatedir="/var" \
+		--with-crypto \
+		--with-gsm=internal \
+		--with-popt \
+		--with-z \
+		--with-libedit \
+		--without-jansson-bundled \
+		--without-pjproject-bundled \
+		$(use_with caps cap) \
+		$(use_with codec2) \
+		$(use_with lua lua) \
+		$(use_with http gmime) \
+		$(use_with newt) \
+		$(use_with pjproject) \
+		$(use_with portaudio) \
+		$(use_with ssl) \
+		$(use_with unbound)
+
+	_menuselect() {
+		menuselect/menuselect "$@" || die "menuselect $* failed."
+	}
+
+	_use_select() {
+		local state=$(use "$1" && echo enable || echo disable)
+		shift # remove use from parameters
+
+		while [[ -n $1 ]]; do
+			_menuselect --${state} "$1" menuselect.makeopts
+			shift
+		done
+	}
+
+	# Blank out sounds/sounds.xml file to prevent
+	# asterisk from installing sounds files (we pull them in via
+	# asterisk-{core,extra}-sounds and asterisk-moh-opsound.
+	>"${S}"/sounds/sounds.xml
+
+	# That NATIVE_ARCH chatter really is quite bothersome
+	sed -i 's/NATIVE_ARCH=/NATIVE_ARCH=0/' build_tools/menuselect-deps || die "Unable to squelch noisy build system"
+
+	# Compile menuselect binary for optional components
+	emake "${_make_args[@]}" menuselect.makeopts
+
+	# Disable astdb2* tools.  We've been on sqlite long enough
+	# that this should really no longer be a problem (bug #https://bugs.gentoo.org/872194)
+	_menuselect --disable astdb2sqlite3 menuselect.makeopts
+	_menuselect --disable astdb2bdb menuselect.makeopts
+
+	# Disable BUILD_NATIVE (bug #667498)
+	_menuselect --disable build_native menuselect.makeopts
+
+	# Broken functionality is forcibly disabled (bug #360143)
+	_menuselect --disable chan_misdn menuselect.makeopts
+	_menuselect --disable chan_ooh323 menuselect.makeopts
+
+	# Utility set is forcibly enabled (bug #358001)
+	_menuselect --enable smsq menuselect.makeopts
+	_menuselect --enable streamplayer menuselect.makeopts
+	_menuselect --enable aelparse menuselect.makeopts
+	_menuselect --enable astman menuselect.makeopts
+
+	# this is connected, otherwise it would not find
+	# ast_pktccops_gate_alloc symbol
+	_menuselect --enable chan_mgcp menuselect.makeopts
+	_menuselect --enable res_pktccops menuselect.makeopts
+
+	# SSL is forcibly enabled, IAX2 & DUNDI are expected to be available
+	_menuselect --enable pbx_dundi menuselect.makeopts
+	_menuselect --enable func_aes menuselect.makeopts
+	_menuselect --enable chan_iax2 menuselect.makeopts
+
+	# SQlite3 is now the main database backend, enable related features
+	_menuselect --enable cdr_sqlite3_custom menuselect.makeopts
+	_menuselect --enable cel_sqlite3_custom menuselect.makeopts
+
+	# Disable conversion tools (which fails to compile in some cases).
+	_menuselect --disable astdb2bdb menuselect.makeopts
+
+	# The others are based on USE-flag settings
+	_use_select alsa         chan_alsa
+	_use_select bluetooth    chan_mobile
+	_use_select calendar     res_calendar res_calendar_{caldav,ews,exchange,icalendar}
+	_use_select cluster      res_corosync
+	_use_select codec2       codec_codec2
+	_use_select curl         func_curl res_config_curl res_curl
+	_use_select deprecated   app_macro
+	_use_select freetds      {cdr,cel}_tds
+	_use_select gtalk        chan_motif
+	_use_select http         res_http_post
+	_use_select iconv        func_iconv
+	_use_select ilbc         codec_ilbc format_ilbc
+	_use_select ldap         res_config_ldap
+	_use_select lua          pbx_lua
+	_use_select mysql        app_mysql cdr_mysql res_config_mysql
+	_use_select odbc         cdr_adaptive_odbc res_config_odbc {cdr,cel,res,func}_odbc
+	_use_select oss          chan_oss
+	_use_select postgres     {cdr,cel}_pgsql res_config_pgsql
+	_use_select radius       {cdr,cel}_radius
+	_use_select snmp         res_snmp
+	_use_select span         res_fax_spandsp
+	_use_select speex        {codec,func}_speex
+	_use_select speex        format_ogg_speex
+	_use_select srtp         res_srtp
+	_use_select statsd       res_statsd res_{endpoint,chan}_stats
+	_use_select syslog       cdr_syslog
+	_use_select vorbis       format_ogg_vorbis
+	_use_select xmpp         res_xmpp
+
+	# Voicemail storage ...
+	for vmst in "${IUSE_VOICEMAIL_STORAGE[@]}"; do
+		if use "${vmst#+}"; then
+			_menuselect --enable "$(echo "${vmst##*_}" | tr '[:lower:]' '[:upper:]')_STORAGE" menuselect.makeopts
+		fi
+	done
+
+	if use debug; then
+		for o in DONT_OPTIMIZE DEBUG_FD_LEAKS MALLOC_DEBUG BETTER_BACKTRACES; do
+			_menuselect --enable "${o}" menuselect.makeopts
+		done
+	fi
+
+	if [[ -n "${GENTOO_ASTERISK_CUSTOM_MENUSELECT:+yes}" ]]; then
+		for copt in ${GENTOO_ASTERISK_CUSTOM_MENUSELECT}; do
+			cstate=--enable
+			[[ "${copt}" == -* ]] && cstate=--disable
+			ebegin "Custom option ${copt#[-+]} ${cstate:2}d"
+			_menuselect ${cstate} "${copt#[-+]}"
+			eend $?
+		done
+	fi
+}
+
+src_compile() {
+	emake "${_make_args[@]}"
+}
+
+src_install() {
+	local d
+
+	dodir "/usr/$(get_libdir)/pkgconfig"
+
+	diropts -m 0750 -o root -g asterisk
+	dodir /etc/asterisk
+
+	emake "${_make_args[@]}" install install-configs
+
+	fowners asterisk: /var/lib/asterisk/astdb
+
+	if use radius; then
+		insinto /etc/radiusclient/
+		doins contrib/dictionary.digium
+	fi
+
+	# keep directories
+	diropts -m 0750 -o asterisk -g root
+	keepdir /var/spool/asterisk/{system,tmp,meetme,monitor,dictate,voicemail,recording,outgoing}
+	diropts -m 0750 -o asterisk -g asterisk
+	keepdir /var/log/asterisk/{cdr-csv,cdr-custom}
+
+	# Reset diropts else dodoc uses it for doc installations.
+	diropts -m0755
+
+	# install the upgrade documentation
+	dodoc UPGRADE* BUGS CREDITS
+
+	# install extra documentation
+	use doc && dodoc doc/*.{txt,pdf}
+
+	# Asterisk installs a few folders that's empty by design,
+	# but still required.  This finds them, and marks them for
+	# portage.
+	while read d <&3; do
+		keepdir "${d#${ED}}"
+	done 3< <(find "${ED}"/var -type d -empty || die "Find failed.")
+}
+
+pkg_postinst() {
+	if [ -z "${REPLACING_VERSIONS}" ]; then
+		elog "Asterisk Wiki: https://wiki.asterisk.org/wiki/"
+		elog "Gentoo VoIP IRC Channel: #gentoo-voip @ irc.libera.chat"
+	elif [ "$(ver_cut 1 "${REPLACING_VERSIONS}")" != "$(ver_cut 1)" ]; then
+		elog "You are updating from Asterisk $(ver_cut 1 "${REPLACING_VERSIONS}") upgrade document:"
+		elog "https://wiki.asterisk.org/wiki/display/AST/Upgrading+to+Asterisk+$(ver_cut 1)"
+		elog "Gentoo VoIP IRC Channel: #gentoo-voip @ irc.libera.chat"
+	fi
+
+	if use deprecated; then
+		ewarn "You really aught to port whatever code you have that depends on this since these are going to go away."
+		ewarn "Refer: https://wiki.asterisk.org/wiki/display/AST/Module+Deprecation"
+	fi
+
+	if [[ -n "${GENTOO_ASTERISK_CUSTOM_MENUSELECT:+yes}" ]]; then
+		ewarn "You are using GENTOO_ASTERISK_CUSTOM_MENUSELECT, this should only be used"
+		ewarn "for debugging, for anything else, please file a bug on https://bugs.gentoo.org"
+	fi
+
+	if [[ -f /var/lib/asterisk/astdb.sqlite3 ]]; then
+		ewarn "Default astdb location has changed from /var/lib/asterisk to /var/lib/asterisk/astdb"
+		ewarn "You still have a /var/lib/asterisk/astdb.sqlite file.  You need to either set"
+		ewarn "astdbdir in /etc/asterisk/asterisk.conf to /var/lib/asterisk or follow these"
+		ewarn "steps to migrate:"
+		ewarn "1.  /etc/init.d/asterisk stop"
+		ewarn "2.  mv /var/lib/asterisk/astdb.sqlite /var/lib/asterisk/astdb/"
+		ewarn "3.  /etc/init.d/asterisk start"
+		ewarn "This update was done partly for security reasons so that /var/lib/asterisk can be root owned."
+	fi
+}
diff --git a/net-misc/asterisk/files/asterisk-16.30.1-r3-manager.c-Add-entries-to-Originate-blacklist.patch b/net-misc/asterisk/files/asterisk-16.30.1-r3-manager.c-Add-entries-to-Originate-blacklist.patch
new file mode 100644
index 000000000000..f33e73037979
--- /dev/null
+++ b/net-misc/asterisk/files/asterisk-16.30.1-r3-manager.c-Add-entries-to-Originate-blacklist.patch
@@ -0,0 +1,205 @@
+From faddd99f2b9408b524e5eb8a01589fe1fa282df2 Mon Sep 17 00:00:00 2001
+From: George Joseph <gjoseph@sangoma.com>
+Date: Mon, 22 Jul 2024 08:05:03 -0600
+Subject: [PATCH 1/2] manager.c: Add entries to Originate blacklist
+
+Added Reload and DBdeltree to the list of dialplan application that
+can't be executed via the Originate manager action without also
+having write SYSTEM permissions.
+
+Added CURL, DB*, FILE, ODBC and REALTIME* to the list of dialplan
+functions that can't be executed via the Originate manager action
+without also having write SYSTEM permissions.
+
+If the Queue application is attempted to be run by the Originate
+manager action and an AGI parameter is specified in the app data,
+it'll be rejected unless the manager user has either the AGI or
+SYSTEM permissions.
+
+Resolves: #GHSA-c4cg-9275-6w44
+---
+ main/manager.c | 161 +++++++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 141 insertions(+), 20 deletions(-)
+
+diff --git a/main/manager.c b/main/manager.c
+index cb64a234e5..2ce88a3ab8 100644
+--- a/main/manager.c
++++ b/main/manager.c
+@@ -6325,6 +6325,145 @@ aocmessage_cleanup:
+ 	return 0;
+ }
+ 
++struct originate_permissions_entry {
++	const char *search;
++	int permission;
++	int (*searchfn)(const char *app, const char *data, const char *search);
++};
++
++/*!
++ * \internal
++ * \brief Check if the application is allowed for Originate
++ *
++ * \param app The "app" parameter
++ * \param data The "appdata" parameter (ignored)
++ * \param search The search string
++ * \retval 1 Match
++ * \retval 0 No match
++ */
++static int app_match(const char *app, const char *data, const char *search)
++{
++	/*
++	 * We use strcasestr so we don't have to trim any blanks
++	 * from the front or back of the string.
++	 */
++	return !!(strcasestr(app, search));
++}
++
++/*!
++ * \internal
++ * \brief Check if the appdata is allowed for Originate
++ *
++ * \param app The "app" parameter (ignored)
++ * \param data The "appdata" parameter
++ * \param search The search string
++ * \retval 1 Match
++ * \retval 0 No match
++ */
++static int appdata_match(const char *app, const char *data, const char *search)
++{
++	return !!(strstr(data, search));
++}
++
++/*!
++ * \internal
++ * \brief Check if the Queue application is allowed for Originate
++ *
++ * It's only allowed if there's no AGI parameter set
++ *
++ * \param app The "app" parameter
++ * \param data The "appdata" parameter
++ * \param search The search string
++ * \retval 1 Match
++ * \retval 0 No match
++ */
++static int queue_match(const char *app, const char *data, const char *search)
++{
++	char *parse;
++	AST_DECLARE_APP_ARGS(args,
++		AST_APP_ARG(queuename);
++		AST_APP_ARG(options);
++		AST_APP_ARG(url);
++		AST_APP_ARG(announceoverride);
++		AST_APP_ARG(queuetimeoutstr);
++		AST_APP_ARG(agi);
++		AST_APP_ARG(gosub);
++		AST_APP_ARG(rule);
++		AST_APP_ARG(position);
++	);
++
++	if (!strcasestr(app, "queue")) {
++		return 0;
++	}
++
++	parse = ast_strdupa(data);
++	AST_STANDARD_APP_ARGS(args, parse);
++
++	/*
++	 * The Queue application is fine unless the AGI parameter is set.
++	 * If it is, we need to check the user's permissions.
++	 */
++	return !ast_strlen_zero(args.agi);
++}
++
++/*
++ * The Originate application and application data are passed
++ * to each searchfn in the list.  If a searchfn returns true
++ * and the user's permissions don't include the permissions specified
++ * in the list entry, the Originate action will be denied.
++ *
++ * If no searchfn returns true, the Originate action is allowed.
++ */
++static struct originate_permissions_entry originate_app_permissions[] = {
++	/*
++	 * The app_match function checks if the search string is
++	 * anywhere in the app parameter.  The check is case-insensitive.
++	 */
++	{ "agi", EVENT_FLAG_SYSTEM, app_match },
++	{ "dbdeltree", EVENT_FLAG_SYSTEM, app_match },
++	{ "exec", EVENT_FLAG_SYSTEM, app_match },
++	{ "externalivr", EVENT_FLAG_SYSTEM, app_match },
++	{ "mixmonitor", EVENT_FLAG_SYSTEM, app_match },
++	{ "originate", EVENT_FLAG_SYSTEM, app_match },
++	{ "reload", EVENT_FLAG_SYSTEM, app_match },
++	{ "system", EVENT_FLAG_SYSTEM, app_match },
++	/*
++	 * Since the queue_match function specifically checks
++	 * for the presence of the AGI parameter, we'll allow
++	 * the call if the user has either the AGI or SYSTEM
++	 * permission.
++	 */
++	{ "queue", EVENT_FLAG_AGI | EVENT_FLAG_SYSTEM, queue_match },
++	/*
++	 * The appdata_match function checks if the search string is
++	 * anywhere in the appdata parameter.  Unlike app_match,
++	 * the check is case-sensitive.  These are generally
++	 * dialplan functions.
++	 */
++	{ "CURL", EVENT_FLAG_SYSTEM, appdata_match },
++	{ "DB", EVENT_FLAG_SYSTEM, appdata_match },
++	{ "EVAL", EVENT_FLAG_SYSTEM, appdata_match },
++	{ "FILE", EVENT_FLAG_SYSTEM, appdata_match },
++	{ "ODBC", EVENT_FLAG_SYSTEM, appdata_match },
++	{ "REALTIME", EVENT_FLAG_SYSTEM, appdata_match },
++	{ "SHELL", EVENT_FLAG_SYSTEM, appdata_match },
++	{ NULL, 0 },
++};
++
++static int is_originate_app_permitted(const char *app, const char *data,
++	int permission)
++{
++	int i;
++
++	for (i = 0; originate_app_permissions[i].search; i++) {
++		if (originate_app_permissions[i].searchfn(app, data, originate_app_permissions[i].search)) {
++			return !!(permission & originate_app_permissions[i].permission);
++		}
++	}
++
++	return 1;
++}
++
+ static int action_originate(struct mansession *s, const struct message *m)
+ {
+ 	const char *name = astman_get_header(m, "Channel");
+@@ -6418,26 +6557,8 @@ static int action_originate(struct mansession *s, const struct message *m)
+ 	}
+ 
+ 	if (!ast_strlen_zero(app) && s->session) {
+-		int bad_appdata = 0;
+-		/* To run the System application (or anything else that goes to
+-		 * shell), you must have the additional System privilege */
+-		if (!(s->session->writeperm & EVENT_FLAG_SYSTEM)
+-			&& (
+-				strcasestr(app, "system") ||      /* System(rm -rf /)
+-				                                     TrySystem(rm -rf /)       */
+-				strcasestr(app, "exec") ||        /* Exec(System(rm -rf /))
+-				                                     TryExec(System(rm -rf /)) */
+-				strcasestr(app, "agi") ||         /* AGI(/bin/rm,-rf /)
+-				                                     EAGI(/bin/rm,-rf /)       */
+-				strcasestr(app, "mixmonitor") ||  /* MixMonitor(blah,,rm -rf)  */
+-				strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf)       */
+-				strcasestr(app, "originate") ||   /* Originate(Local/1234,app,System,rm -rf) */
+-				(strstr(appdata, "SHELL") && (bad_appdata = 1)) ||       /* NoOp(${SHELL(rm -rf /)})  */
+-				(strstr(appdata, "EVAL") && (bad_appdata = 1))           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
+-				)) {
+-			char error_buf[64];
+-			snprintf(error_buf, sizeof(error_buf), "Originate Access Forbidden: %s", bad_appdata ? "Data" : "Application");
+-			astman_send_error(s, m, error_buf);
++		if (!is_originate_app_permitted(app, appdata, s->session->writeperm)) {
++			astman_send_error(s, m, "Originate Access Forbidden: app or data blacklisted");
+ 			res = 0;
+ 			goto fast_orig_cleanup;
+ 		}
+-- 
+2.44.2
+
diff --git a/net-misc/freerdp/Manifest b/net-misc/freerdp/Manifest
index 0f083d1c646c..5f0d2ab22d3a 100644
--- a/net-misc/freerdp/Manifest
+++ b/net-misc/freerdp/Manifest
@@ -15,7 +15,7 @@ EBUILD freerdp-2.11.5-r10.ebuild 3675 BLAKE2B 81ed6fb24d6bdd2ca894b2368e47adc299
 EBUILD freerdp-2.11.7.ebuild 4059 BLAKE2B f104ca6d06a417cc3e5930fe85eadbf9fa10c61bb52e544daeaaf3316c216ba6363b0b1d3d1a0b79455fe9613831748901f0edce28f5d2df9cca8abffdd349a3 SHA512 fe9ebbcacf18cb59d16458c5cfe47cf15fe89150ebfeca176b6d288b96112ef0965e517171f87c16e62590eee8b3a6a106fe2ba87062061e98dd36f33671b18a
 EBUILD freerdp-2.9999.ebuild 4014 BLAKE2B 8e16a4c7dc35301402fbae5da1ba9da5673f0b5c4d8da811e5671f91816265a7dad92b5ae69533f44c084cec371962eac4499a0bb7ce98665336abf3ddaa730e SHA512 7ca53326d24353a2e1bc2d5c006c6a0866c98363d11ab231ff1c086119545979019ad9e13d9e40d4903bb020f4b891a041c0c93edfd566def19296b870e968fc
 EBUILD freerdp-3.4.0-r12.ebuild 4202 BLAKE2B 5f55807ba41422d61497b7ee08a0b150ad41a92ea50a83c9d1aaac06700b1b7b99927c651a9e861860935bb0643174be983e09e2b9f07e5cf99bb3c75016d2b1 SHA512 6a3029a833773ae2e30da1510d4a7d0b185cc300d1c53c164ae8da5f63b3fd63d2a0bc90616546b0ce45f162eda34b907230392267facb948123ea3ef60d21a2
-EBUILD freerdp-3.6.3.ebuild 4341 BLAKE2B 6cae4f931a469fc450bbc6c9a91c96593d5c5ac72f494b6a5698c64f7b27cdf8631660e7b4ef9ea08cec3f3f7c10739aaf77ac10ddb99393a96fa256bc8055c1 SHA512 bd0521d9f012ace258461ad1d7b840b262b04bc735b19700adffb2eb229889bbe9f08a29eae164438e5bae2a7ee6c459e3be408eb00b261092d889a6454e2f25
+EBUILD freerdp-3.6.3.ebuild 4340 BLAKE2B 8472e441c21a0a9495242e314e52be5013b17b54a8694d6fe8560cb8e31fbbd23996fdabb98de6d87c0f4c1b5eb4596d416d41d3039904d747fa3ff12f7ca425 SHA512 4bf09d96f4931f12d1511a75599bdcb8cb28b80b4d43ebd8d16e33e8210ffbdf1690fac6d66c06657d165d22db1ac5db1eff4cae0eacc466ffb4f8d7ba764d23
 EBUILD freerdp-3.7.0.ebuild 4288 BLAKE2B 46b1483dc049b9a791bc35d29a8c411a5d9a3c9efb0768ccfa51b9f95fb050815611fc25339f55797ca605a0bf0f9cdea27bac61ee532c6e88932068b8a8c237 SHA512 284f977053213df5d2ca5f7e1e778a513a38e0c37e853133ec3f7a1520940f742ab9112d8383190cb2fd17d5f3cc7a08b88cd9efb199746db069a8a54c7eb517
 EBUILD freerdp-9999.ebuild 4288 BLAKE2B 46b1483dc049b9a791bc35d29a8c411a5d9a3c9efb0768ccfa51b9f95fb050815611fc25339f55797ca605a0bf0f9cdea27bac61ee532c6e88932068b8a8c237 SHA512 284f977053213df5d2ca5f7e1e778a513a38e0c37e853133ec3f7a1520940f742ab9112d8383190cb2fd17d5f3cc7a08b88cd9efb199746db069a8a54c7eb517
 MISC metadata.xml 650 BLAKE2B 619e236cb4c4b249beafc2e4772c5321e5c912242a0e69d7e181867a83078ebfadd639aa5b7cf2a0da58572ade2ae374bfd61f41d83e333065bbfde2c06533ed SHA512 f9ec3e33c342c2a364be4d780c0fc69800617896bda40e473175f0b98f39925ea7bcc1896993782470fd9aad1b04edc2848baf5db2a8dd4e2c4099c062e657ae
diff --git a/net-misc/freerdp/freerdp-3.6.3.ebuild b/net-misc/freerdp/freerdp-3.6.3.ebuild
index 2603e73e7407..1985626de20c 100644
--- a/net-misc/freerdp/freerdp-3.6.3.ebuild
+++ b/net-misc/freerdp/freerdp-3.6.3.ebuild
@@ -17,7 +17,7 @@ else
 	S="${WORKDIR}/${MY_P}"
 	SRC_URI="https://pub.freerdp.com/releases/${MY_P}.tar.gz
 		verify-sig? ( https://pub.freerdp.com/releases/${MY_P}.tar.gz.asc )"
-	KEYWORDS="~alpha amd64 ~arm arm64 ~loong ppc ppc64 ~riscv x86"
+	KEYWORDS="~alpha amd64 arm arm64 ~loong ppc ppc64 ~riscv x86"
 	BDEPEND="verify-sig? ( sec-keys/openpgp-keys-akallabeth )"
 	VERIFY_SIG_OPENPGP_KEY_PATH="/usr/share/openpgp-keys/akallabeth.asc"
 fi