authorV3n3RiX <venerix@redcorelinux.org>2020-05-14 11:09:11 +0100
committerV3n3RiX <venerix@redcorelinux.org>2020-05-14 11:09:11 +0100
commitdeba8115d2c2af26df42966b91ef04ff4dd79cde (patch)
tree9a48f42594e1a9e6b2020d5535a784314434d7a7 /net-vpn/openconnect
parent38423c67c8a23f6a1bc42038193182e2da3116eb (diff)
gentoo resync : 14.05.2020
Diffstat (limited to 'net-vpn/openconnect')
-rw-r--r--net-vpn/openconnect/Manifest7
-rw-r--r--net-vpn/openconnect/files/8.09-gnutls-buffer-overflow.patch62
-rw-r--r--net-vpn/openconnect/openconnect-8.08.ebuild2
-rw-r--r--net-vpn/openconnect/openconnect-8.09-r1.ebuild150
-rw-r--r--net-vpn/openconnect/openconnect-9999.ebuild4
5 files changed, 220 insertions, 5 deletions
diff --git a/net-vpn/openconnect/Manifest b/net-vpn/openconnect/Manifest
index 02c9069843b3..c03b54e9a7a7 100644
--- a/net-vpn/openconnect/Manifest
+++ b/net-vpn/openconnect/Manifest
@@ -1,11 +1,14 @@
+AUX 8.09-gnutls-buffer-overflow.patch 2172 BLAKE2B 6c1251936ad2606c9b68036820e930efc392132b365faa14e690a6df4daa339c24614f856423a2d7d04bcbb3b799e96486dfb18430a6b9d8016eaeaf60a19ee5 SHA512 d74920e6eb5f8ef6ca4dcf03cf8d47a5e2ed480573dfd0c8742851e9b830fc6b379b24e945c5b429a50919a7a5041f007ba76ba93dc22eaecb27e84a84a89011
AUX README.OpenRC.txt 715 BLAKE2B 1f76faac7bf705fc3a4adbb8902e0fbd3354e654f0af59cb59b92fc4188400c9dfeef0267ebe39c8eb4842df8a6421aaf472e7bd20097cdc0d620e10fbafd28a SHA512 172b845cc46465119d14e304a0ea9a13d28497bc9e80688eab3ccce0e14ee17917fb6b8a06dd7e9a4657ef4f51a023045ac45bc5d8823e29b2d0cb9854425f66
AUX openconnect.conf.in 941 BLAKE2B 8cfa197edfe3b3754e45281b33d51bee0dd80746ac129b071710ca9d6f5aa5da16a3c3ad5fa52c6bfdc0ae4a9b1e3cfea2c20909c6164e67e0dba880cf08fc8a SHA512 a689df7141621c80bca77fdd1e01397b98882c7fd8db79b2fe1495916656522234e3af739538002533c003e4243e9af4bf80cd73bae961e15568997ce89ef6d5
AUX openconnect.init.in-r4 1775 BLAKE2B 2237238a2d149532e90c96190829e9ef51afa50487a0fd45c3c4d2e983fb8755bdf0de3eca44df740b286f4d353b03d71fcd2c2a27129f18031b2bd01989f738 SHA512 7b832550ef21ddb4b1c0eae7f3838b925745a5ebbdb74f1583fb8710b75175ebcbc7b1558ce95f59cd78542bec8bc01f7ab6d32ec4a5b168bb8a516a8907d362
AUX openconnect.logrotate 116 BLAKE2B 308d088f7c06239ec68831e415df420362c1825ae279fa6f736f36df0bf2e7efc8ea6a4ab43d9b53680dd0ab5028c92bf70a0597b56a20da06b302457e7d5f07 SHA512 ea1b6caf6278fea515c299072ee799ab3676014784703d7fa8e4f4d7bfc4599650c386d9706a3e6d92c195c9e5e1628fa6efc1124e1ae72875cc9eaab73cb077
DIST openconnect-8.06.tar.gz 2030905 BLAKE2B d9659e4f027e11a0348c1c4358831e5f470f0305e04c22716010c68810ae300a7062ab8f57e3fc80b7d90caf855ce2f1c0af1b04eb7032b70486eee2eacc47e5 SHA512 6319aa6b20bf16994b376c2cc2a7cbf2b26a36f35e9607c1886e8fa7a2e1fe111bfb37f9349693ef52a3d2ce718c37e15fe263664e6c0bcbd33ced5ddb9e31b2
DIST openconnect-8.08.tar.gz 2038269 BLAKE2B 78e76aee1d22179dc1e8fff03e57ee5df0d7a04cf88c5f844ba5b87c9b8a0f89766489e0dcc6b1023c07ea8b2e4da8ea2723470423b3c0c8d4bc47ed1c1e3fa4 SHA512 3bf42e194b88f06bbc6c385002e7b76952964e230fc86ee1d803be72204073ffe41286a3d8e189456fd7b905fa63577e6adc64137e893eccada80419c114eeb8
+DIST openconnect-8.09.tar.gz 2083279 BLAKE2B 4588c693a7a641faad271b034e8713f00fda04a872641e45a8ce3e1a236b8d2f4e1b8d973d20e7a9fc656f9460a0e990cbaada008d4ecf9a46353f20c25ac87a SHA512 f6890f5bce4b36b162e4590bce8a61d65fc0ae803d62a3dd408fbb13e96ce41b6443740132808491093032545aea919f9076e34bc11160c503c5e3c46457e7bd
DIST vpnc-scripts-20200226.tar.gz 21460 BLAKE2B 8f00ce3dc49725758abce27f3688946df1bbd4e92769ef02aa9ee66db8b9f41bef3442eaa5405ab1467476899c6d364dfea898ed924ca83497823a85515d48e5 SHA512 3a1eac4ccfaefb0f837189c8cef696b33ab8b8a68cb50a3ad29206b708d0aa479e8eed0c09bef6f60d056cd98d63cc898a1609d734030a63df3be2cfa6c00f9a
EBUILD openconnect-8.06.ebuild 2902 BLAKE2B e35780d945d40094ab41e08aa27f026432561734b16bb705f5472e7c8ed20e26e3adfb4c7326aceb8b57244cb7a7c7a34f908e225bdab20b4d6596c921016bd5 SHA512 06960353039c6ae6827c4f661ea32848395ba12dcea7c3067a33ef9a492cfc639a8724cf2282b45a79c0040ac25098998239f5efd41b4d0edb384b90798b37ab
-EBUILD openconnect-8.08.ebuild 2993 BLAKE2B 15b25c5bfc81538da3d0107f8b5636a6485221bc9365b48d815c5843070130e35f406ff0f2cdf7b8dd02ef6f4172e27935a0e654d066f0a99b3aaeb5342e05d0 SHA512 a920129fb6bddd45ea4903720676f3536d398a1609818a29c721b96290a07573a1733a8b13b6dcdf6f5af67e6df93a58b9ff13d4ef633fae44ecca2e4365c9c2
-EBUILD openconnect-9999.ebuild 2993 BLAKE2B 15b25c5bfc81538da3d0107f8b5636a6485221bc9365b48d815c5843070130e35f406ff0f2cdf7b8dd02ef6f4172e27935a0e654d066f0a99b3aaeb5342e05d0 SHA512 a920129fb6bddd45ea4903720676f3536d398a1609818a29c721b96290a07573a1733a8b13b6dcdf6f5af67e6df93a58b9ff13d4ef633fae44ecca2e4365c9c2
+EBUILD openconnect-8.08.ebuild 3000 BLAKE2B a5b19466dc4a8f5cfb00520520c9d82044da2bf41011689d73bdc0d08b0665cc475362449ff4408537116ff3de2440163db899404f478e53706b839a357042d3 SHA512 7687a960a30a0438ba5d86e615224900b1095ed289a6349f429d77e9b86ac41bc557360270b73ac2fce0f7106031066eece093cc269250233d82016d46bf0cc6
+EBUILD openconnect-8.09-r1.ebuild 3089 BLAKE2B 8467127dcfed473dbfad66a8ac013353db30a80c89915fc3b111fd842aeebf3cdd01102c57e7fcad41a14d10227e2a2d104cea41774c61c3f59f109105b87531 SHA512 db7f2f027fc6b358ec88352a9a3da6901dd357b98d0e0bb2a4cef85f0023f042857e5940e7765abd5e1d2a973b81adfaaa3ccd3012e55425b2ca34bc32bed24f
+EBUILD openconnect-9999.ebuild 3005 BLAKE2B 8c279c574aa355a0c5325d145031623d2dcd11476a9be3f6d30a862b4fa9ee7f4e9faf03332dd2a51345c9f4287f7cc1e0936572005aabbb05fe3e0c497e1db3 SHA512 98734450f88bbeb0b292895ef4b43bcc0d1044df4aa8f02c0f3f09b3c436fbb10401070d3422ab43b474d59fc779aa07c13caecf268679a1845d44f593ed5c92
MISC metadata.xml 523 BLAKE2B c4a4ebc18284b99d3b983740180460ad1c83933860c4d8df14886a740cad0a1dbf363881ffd430adb24feaf49a2a9d02f6d3a80d5bcd96fc36f2cdb1aea2bff5 SHA512 7701ea4b9ed4d0051d915700fbd20eb28ca03024f8c4beecd8e0192e8cfd82c136cec32f29cd1e76a3059913f1b04af8066ee2700cab393bb270a8cbe18214c8
diff --git a/net-vpn/openconnect/files/8.09-gnutls-buffer-overflow.patch b/net-vpn/openconnect/files/8.09-gnutls-buffer-overflow.patch
new file mode 100644
index 000000000000..bf8990ae3d3c
--- /dev/null
+++ b/net-vpn/openconnect/files/8.09-gnutls-buffer-overflow.patch
@@ -0,0 +1,62 @@
+From eef4c1f9d24478aa1d2dd9ac7ec32efb2137f474 Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich <slyfox@gentoo.org>
+Date: Fri, 8 May 2020 10:39:41 -0400
+Subject: [PATCH] gnutls: prevent buffer overflow in get_cert_name
+
+The test suite for ocserv calls openconnect with a certificate that has
+a name that is 84 bytes in length. The buffer passed to get_cert_name is
+currently 80 bytes.
+
+The gnutls_x509_crt_get_dn_by_oid function will update the buffer size
+parameter if the buffer is too small.
+
+http://man7.org/linux/man-pages/man3/gnutls_x509_crt_get_dn_by_oid.3.html
+
+RETURNS
+ GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long
+ enough, and in that case the buf_size will be updated with the
+ required size. GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there are no
+ data in the current index. On success 0 is returned.
+
+Use a temporary variable to avoid clobbering the namelen variable that is
+passed to get_cert_name.
+
+Bug: https://bugs.gentoo.org/721570
+Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
+Signed-off-by: Mike Gilbert <floppym@gentoo.org>
+---
+ gnutls.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/gnutls.c b/gnutls.c
+index 36bc82e0..53bf2a43 100644
+--- a/gnutls.c
++++ b/gnutls.c
+@@ -546,12 +546,19 @@ static int count_x509_certificates(gnutls_datum_t *datum)
+
+ static int get_cert_name(gnutls_x509_crt_t cert, char *name, size_t namelen)
+ {
++ /* When the name buffer is not big enough, gnutls_x509_crt_get_dn*() will
++ * update the length argument to the required size, and return
++ * GNUTLS_E_SHORT_MEMORY_BUFFER. We need to avoid clobbering the original
++ * length variable. */
++ size_t nl = namelen;
+ if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME,
+- 0, 0, name, &namelen) &&
+- gnutls_x509_crt_get_dn(cert, name, &namelen)) {
+- name[namelen-1] = 0;
+- snprintf(name, namelen-1, "<unknown>");
+- return -EINVAL;
++ 0, 0, name, &nl)) {
++ nl = namelen;
++ if (gnutls_x509_crt_get_dn(cert, name, &nl)) {
++ name[namelen-1] = 0;
++ snprintf(name, namelen-1, "<unknown>");
++ return -EINVAL;
++ }
+ }
+ return 0;
+ }
+--
+2.26.2
+
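Review bot: The fallback branch of get_cert_name still computes `namelen-1` on a `size_t`, so a caller passing `namelen == 0` would wrap both the index in `name[namelen-1] = 0` and the size handed to `snprintf`. The patch description says the buffer passed in is currently 80 bytes, so this is presumably not reachable today, but nothing in the function enforces it. The manual terminator is also redundant, because `snprintf` always terminates within the size it is given; the two lines could become `if (namelen) snprintf(name, namelen, "<unknown>");`. It would also help to extend the new comment to say that a name longer than the buffer now yields `<unknown>` and `-EINVAL` rather than a truncated string, since callers that log or display the name depend on that.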
diff --git a/net-vpn/openconnect/openconnect-8.08.ebuild b/net-vpn/openconnect/openconnect-8.08.ebuild
index 85ac062266be..cd814ccbd7ec 100644
--- a/net-vpn/openconnect/openconnect-8.08.ebuild
+++ b/net-vpn/openconnect/openconnect-8.08.ebuild
@@ -13,7 +13,7 @@ if [[ ${PV} == 9999 ]]; then
inherit git-r3 autotools
else
ARCHIVE_URI="ftp://ftp.infradead.org/pub/${PN}/${P}.tar.gz"
- KEYWORDS="~amd64"
+ KEYWORDS="~amd64 ~ppc64"
fi
VPNC_VER=20200226
SRC_URI="${ARCHIVE_URI}
diff --git a/net-vpn/openconnect/openconnect-8.09-r1.ebuild b/net-vpn/openconnect/openconnect-8.09-r1.ebuild
new file mode 100644
index 000000000000..26838ebbd2c6
--- /dev/null
+++ b/net-vpn/openconnect/openconnect-8.09-r1.ebuild
@@ -0,0 +1,150 @@
+# Copyright 2011-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python{3_6,3_7} )
+PYTHON_REQ_USE="xml"
+
+inherit linux-info python-any-r1
+
+if [[ ${PV} == 9999 ]]; then
+ EGIT_REPO_URI="https://gitlab.com/openconnect/openconnect.git"
+ inherit git-r3 autotools
+else
+ ARCHIVE_URI="ftp://ftp.infradead.org/pub/${PN}/${P}.tar.gz"
+ KEYWORDS="amd64 ~arm arm64 ppc64 ~x86"
+fi
+VPNC_VER=20200226
+SRC_URI="${ARCHIVE_URI}
+ ftp://ftp.infradead.org/pub/vpnc-scripts/vpnc-scripts-${VPNC_VER}.tar.gz"
+
+DESCRIPTION="Free client for Cisco AnyConnect SSL VPN software"
+HOMEPAGE="http://www.infradead.org/openconnect.html"
+
+LICENSE="LGPL-2.1 GPL-2"
+SLOT="0/5"
+IUSE="doc +gnutls gssapi libproxy lz4 nls smartcard static-libs stoken test"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+ dev-libs/libxml2
+ sys-libs/zlib
+ !gnutls? (
+ >=dev-libs/openssl-1.0.1h:0=[static-libs?]
+ )
+ gnutls? (
+ app-crypt/trousers
+ app-misc/ca-certificates
+ dev-libs/nettle
+ >=net-libs/gnutls-3.6.13:0=[static-libs?]
+ )
+ gssapi? ( virtual/krb5 )
+ libproxy? ( net-libs/libproxy )
+ lz4? ( app-arch/lz4:= )
+ nls? ( virtual/libintl )
+ smartcard? ( sys-apps/pcsc-lite:0= )
+ stoken? ( app-crypt/stoken )
+"
+RDEPEND="${DEPEND}
+ sys-apps/iproute2
+"
+BDEPEND="
+ virtual/pkgconfig
+ doc? ( ${PYTHON_DEPS} sys-apps/groff )
+ nls? ( sys-devel/gettext )
+ test? (
+ net-libs/socket_wrapper
+ net-vpn/ocserv
+ sys-libs/uid_wrapper
+ )
+"
+
+CONFIG_CHECK="~TUN"
+
+pkg_pretend() {
+ check_extra_config
+}
+
+pkg_setup() {
+ :
+}
+
+src_unpack() {
+ if [[ ${PV} == 9999 ]]; then
+ git-r3_src_unpack
+ fi
+ default
+}
+
+src_prepare() {
+ local PATCHES=(
+ "${FILESDIR}"/8.09-gnutls-buffer-overflow.patch
+ )
+ default
+ if [[ ${PV} == 9999 ]]; then
+ eautoreconf
+ fi
+}
+
+src_configure() {
+ if use doc; then
+ python_setup
+ else
+ export ac_cv_path_PYTHON=
+ fi
+
+ # Used by tests if userpriv is disabled
+ addwrite /run/netns
+
+ local myconf=(
+ --disable-dsa-tests
+ $(use_enable nls)
+ $(use_enable static-libs static)
+ $(use_with !gnutls openssl)
+ $(use_with gnutls)
+ $(use_with libproxy)
+ $(use_with lz4)
+ $(use_with gssapi)
+ $(use_with smartcard libpcsclite)
+ $(use_with stoken)
+ --with-vpnc-script="${EPREFIX}/etc/openconnect/openconnect.sh"
+ --without-java
+ )
+
+ econf "${myconf[@]}"
+}
+
+src_test() {
+ local charset
+ for charset in UTF-8 ISO8859-2; do
+ if [[ $(LC_ALL=cs_CZ.${charset} locale charmap 2>/dev/null) != ${charset} ]]; then
+ # If we don't have valid cs_CZ locale data, auth-nonascii will fail.
+ # Force a test skip by exiting with status 77.
+ sed -i -e '2i exit 77' tests/auth-nonascii || die
+ break
+ fi
+ done
+ default
+}
+
+src_install() {
+ default
+
+ find "${ED}" -name '*.la' -delete || die
+
+ dodoc "${FILESDIR}"/README.OpenRC.txt
+
+ newinitd "${FILESDIR}"/openconnect.init.in-r4 openconnect
+ insinto /etc/openconnect
+
+ newconfd "${FILESDIR}"/openconnect.conf.in openconnect
+
+ exeinto /etc/openconnect
+ newexe "${WORKDIR}"/vpnc-scripts-${VPNC_VER}/vpnc-script openconnect.sh
+
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}"/openconnect.logrotate openconnect
+
+ keepdir /var/log/openconnect
+}
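Review bot: `addwrite /run/netns` in src_configure widens the sandbox's writable paths on every build, although its own comment says the path is only used by the tests. Assuming nothing in configure needs it, scoping it to the test phase keeps non-test builds on the default sandbox policy, for example `addwrite /run/netns` as the first line of src_test before the locale loop. Separately, both SRC_URI entries are fetched over `ftp://`, so the integrity of the tarballs rests entirely on the Manifest DIST hashes. If upstream serves the same files over HTTPS, that would be the better URI.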
diff --git a/net-vpn/openconnect/openconnect-9999.ebuild b/net-vpn/openconnect/openconnect-9999.ebuild
index 85ac062266be..bda6b965640b 100644
--- a/net-vpn/openconnect/openconnect-9999.ebuild
+++ b/net-vpn/openconnect/openconnect-9999.ebuild
@@ -13,7 +13,7 @@ if [[ ${PV} == 9999 ]]; then
inherit git-r3 autotools
else
ARCHIVE_URI="ftp://ftp.infradead.org/pub/${PN}/${P}.tar.gz"
- KEYWORDS="~amd64"
+ KEYWORDS="~amd64 ~ppc64"
fi
VPNC_VER=20200226
SRC_URI="${ARCHIVE_URI}
@@ -37,7 +37,7 @@ DEPEND="
app-crypt/trousers
app-misc/ca-certificates
dev-libs/nettle
- >=net-libs/gnutls-3:0=[static-libs?]
+ >=net-libs/gnutls-3.6.13:0=[static-libs?]
)
gssapi? ( virtual/krb5 )
libproxy? ( net-libs/libproxy )