gentoo resync : 02.01.2018

6 files changed, 291 insertions, 4 deletions

diff --git a/sys-apps/mawk/Manifest b/sys-apps/mawk/Manifest
index 24c529665aa2..ec157d49d770 100644
--- a/sys-apps/mawk/Manifest
+++ b/sys-apps/mawk/Manifest
@@ -1,9 +1,12 @@
+AUX mawk-1.3.4-sandbox-default.patch 2720 BLAKE2B 3f0a25b06f1045659b9dc7decbbd54c9355f94a6879cad0f121e825cb705652b14b7a4c4655f2fe89c2f921aea511f8b8755cd398d28ce9a47ffa6bfef158953 SHA512 bdceb22a51464de5786d469ffcc6fc7157a0aca3e3dc89553418a401de3735b95439691ccf5553d0746b3e793824821db85a2dfe14633db1ad5f1256fa3e65ab
+AUX mawk-1.3.4-sandbox.patch 3805 BLAKE2B a7d55816bea03fb949387c8a1acf310b6dbae60014601bc514f44cbf3a8632c275bf6b786b016e93450ecf60d61052b14b029e56d559656dc87fed72a66239af SHA512 03149ba3d3e0cd5fa6d50573cc50260346e91d82bfd510d8a069a3e076df49d2b85edd2b42632a34e21f9d82c384212272e99b1cf305b4c1a78e252b75da4eb3
 DIST mawk-1.3.4-20150503.tgz 468794 BLAKE2B 10a2942f990d67ebea3cf75c83beefbc58f6ad4ffc560260f8206a8fc79b03d1e4cb8bb4ad23b256a547b10e4885c1a0813f054aa60ab5cb1b20c8d974a508d8 SHA512 ac9dde6948328d8db94458448abdf7389f8862ae6093315dd19ed9d1cbeab60fca1fc7b084cda4ce09505010f7108612585e3c4ba9663ddf3adb869bf1d9d7b6
 DIST mawk-1.3.4-20160615.tgz 466312 BLAKE2B ad8077e44a069b4ba19d1c1051d488ee7234b834aa0a04be6bda72cd5726c84185d4bb7de564e1a862c43de1de81d36ff8d2b11ee001ebbcaf624de6aabe19ab SHA512 97062fe278f1ec30db2233f9bd5a2f60557e2362a2c785bce94a7b9eec9065138cf1349bc145c18194b5af56c8e943e63c95baea839282a65ba09062bdcca2ae
 DIST mawk-1.3.4-20161120.tgz 461464 BLAKE2B 7481345b391198cc9ec47f6ad84f0f07e31c931a40d59bde401d00ea7bc74b728c8149f80187e5d73923496e2eef1ec70bc097aedf0b68630f73264d45d96ebd SHA512 c5edcbff4ab1e40eb9b178a045fcd426a5f3c93a3ab5bc1ca1fa85a0977b8c9060967fcbda4e4a6e9e68628f50a2814e22939676008dced529377d2cf9bda5b2
 DIST mawk-1.3.4-20171017.tgz 460819 BLAKE2B 91cb4cd039ea7773b788db87389f8ec34914afc8b299fecfdd579fe89fc4e6d731bfdc9c06a2c6c3d75ab9e1022bf5dbe1c662962d6ccd8a8f6fe4f8589927ca SHA512 4ed6ca0ecca12e7409d3d364b72dc6a2b411c61bf53fe8aa0b0cac65a3bdb941921c0b81d94f34c8ac9f4922c8c7566d347b5e6b5c74518ae3a88904f9e20f27
 EBUILD mawk-1.3.4_p20150503.ebuild 825 BLAKE2B 1d5b1fb1ac43e06b019f86bdf8ca9fa2d4392e27fee2160e13b46c90ee567979d70442be3aea5d96f73497502238d919da684a6268d7918802f8d57aa7389db8 SHA512 7f7b0386ae02ee8bd6b2a3df4218f3dd732b22e9154b8bd37ed15afbeba2a145aa02161e64b8e2be78d4e6d9c2b58e3d4fa4c7d5b557f434c1cdf21e593bd749
 EBUILD mawk-1.3.4_p20160615.ebuild 870 BLAKE2B c25882ed451d83bfea7ca5dd731a6d532396c91f7a38236ae2b884cb5f504341a937da1dd4bb22805b6f94488414756a182bcd6e3e5eaa21ef74e8c90805e7f0 SHA512 5841a8486c4a59f16c1add9e9aceb89fc428b29a29359ce17e451dd46f66c0501b4260463f4b152e1403e391d86c30638edef328ee31ae9ec1b0b4aa0238afe8
-EBUILD mawk-1.3.4_p20161120.ebuild 879 BLAKE2B 26329579de34f167e6ce3ac06cb6aa2b8d9a941535fc66422fa62efd6c7d9f25f1aad2cfe4ddcfe157eaceae20d11cb0fc2d8f514101525d15fc49003ab24cdf SHA512 8479121ba985077b8002fe730ede99f548dfb806846ecb221aed06386e0c39879d915f6346ba9f71c16f864f315c0391bc4e6b8c2a1e105b826c0fe4bef8a670
+EBUILD mawk-1.3.4_p20161120.ebuild 878 BLAKE2B 438ed36e28fe7fc1fa09fbdbaad36d6f8ce5780972170ebb3fdfe04dd66da5ccaed8d8910bffd0841f732336e2cba0437dbe37b642abb2e35f151ca9205ea820 SHA512 0606dd2ad1d6f4e4ee59bed3c67d475da4f63b2ea7df8f84c045deb1afe919ee140c4a76da73cbc5dfe62c41df46b3faddfb0b20307b02bf2e6d41892d92927e
+EBUILD mawk-1.3.4_p20171017-r1.ebuild 1037 BLAKE2B 9c36e6b12d6a7b1c6448ed423509032464388849efc66312b24c8e7ba3efc11d94c3f425077f949514609bfcabb10da2d849a1977c919d068350c8137c942d14 SHA512 550d5d3f9123d402ecf442a94c8ccd87959eb8669a490e766e16d7b93acb5d3d23562527c5aac727cec44f1d068b339016dd901ac192662f06da3803f7ecd6a6
 EBUILD mawk-1.3.4_p20171017.ebuild 883 BLAKE2B deb941193402b058ecf23a7523698416660b09cfefcda6a51b2f2f50aaa72ba5b9230459826d82f9066b4bc8766c72f2a55583e21705f848df0ffa4d966509a5 SHA512 e072d0a8bb7125965bd3e0edea01eff17ef53b17baaf117fa7f5cd910acebd4cbc57f6725a6ae0419cf2eb177fcd3b8f4cdf5c5f0e7bb4d86fdbe86f7b75c9de
-MISC metadata.xml 253 BLAKE2B 295e9d6d93aaa12af413972e1590c67087801cc09c9aa6b59d4606c0f4106d1dacf2baa9858559083b4c6d91beeef218d0729e8593a33788958da6d2897e8ce2 SHA512 54a9069aeb4165d2dff3d473c8001bc51613aac9dff3f7f5e9971a9891a737a31511ffa11cbd523febe581ac1d9de2bdf2f40410f0c4239138f2ccca3ef15555
+MISC metadata.xml 359 BLAKE2B 988733eff41a4556cdb4f8d66adbe2864f33f4245ab1ba3a1456cb3b189fd12138cec7666d2fc125d275865a028274aaf5a41396430721ac96b913dc2f667f94 SHA512 bb64e60075207240fabd037108c2885b934d0dc0a72bdcce4c8c138555b1ebb4de811745235ee11fde75559ddf55f9488b71f53aab7e92df61099cba5ec28d2f
diff --git a/sys-apps/mawk/files/mawk-1.3.4-sandbox-default.patch b/sys-apps/mawk/files/mawk-1.3.4-sandbox-default.patch
new file mode 100644
index 000000000000..c3b0fc1c892d
--- /dev/null
+++ b/sys-apps/mawk/files/mawk-1.3.4-sandbox-default.patch
@@ -0,0 +1,91 @@
+https://github.com/ThomasDickey/original-mawk/issues/49
+
+Note: We hand modify the configure file here because the version of autotools
+used by upstream is very old/finicky, and it's a simple enough change.
+
+From 1ac333b97615c451d7a4743b4724edd46d37a8b2 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@chromium.org>
+Date: Tue, 7 Nov 2017 01:07:47 -0500
+Subject: [PATCH 2/2] add a configure flag to lock sandbox by default
+
+This lets us deploy systems with the sandbox always enabled.
+---
+ configure    | 23 +++++++++++++++++++++++
+ configure.in | 11 +++++++++++
+ init.c       |  4 ++++
+ 3 files changed, 38 insertions(+)
+
+diff --git a/configure.in b/configure.in
+index 8b795fbd264b..770092005386 100644
+--- a/configure.in
++++ b/configure.in
+@@ -112,6 +112,17 @@ fi
+ AC_MSG_RESULT($with_init_srand)
+ 
+ ###############################################################################
++AC_MSG_CHECKING(if you want mawk to always run in sandbox mode)
++CF_ARG_ENABLE([forced-sandbox],
++[  --enable-forced-sandbox always run in sandbox mode],
++	[with_forced_sandbox=yes],
++	[with_forced_sandbox=no])
++if test "x${with_forced_sandbox}" != xno; then
++	CPPFLAGS="$CPPFLAGS -DFORCED_SANDBOX"
++fi
++AC_MSG_RESULT($with_forced_sandbox)
++
++###############################################################################
+ 
+ AC_PROG_YACC
+ CF_PROG_LINT
+diff --git a/init.c b/init.c
+index f7babb337e04..e035d6ea2fc0 100644
+--- a/init.c
++++ b/init.c
+@@ -492,6 +492,10 @@ process_cmdline(int argc, char **argv)
+ 
+   no_more_opts:
+ 
++#ifdef FORCED_SANDBOX
++    sandbox_flag = 1;
++#endif
++
+     tail->link = (PFILE *) 0;
+     pfile_list = dummy.link;
+ 
+diff --git a/configure b/configure
+index a3bf42fe9245..442875b8e58a 100755
+--- a/configure
++++ b/configure
+@@ -4132,6 +4132,29 @@ echo "$as_me:4131: result: $with_init_srand" >&5
+ echo "${ECHO_T}$with_init_srand" >&6
+ 
+ ###############################################################################
++echo "$as_me:4109: checking if you want mawk to always run in sandbox mode" >&5
++echo $ECHO_N "checking if you want mawk to always run in sandbox mode... $ECHO_C" >&6
++
++if test "${enable_forced_sandbox+set}" = set; then
++  enableval="$enable_forced_sandbox"
++  test "$enableval" != yes && enableval=no
++	if test "$enableval" != "no" ; then
++    with_forced_sandbox=yes
++	else
++		with_forced_sandbox=no
++	fi
++else
++  enableval=no
++	with_forced_sandbox=no
++
++fi;
++if test "x${with_forced_sandbox}" != xno; then
++	CPPFLAGS="$CPPFLAGS -DFORCED_SANDBOX"
++fi
++echo "$as_me:4131: result: $with_forced_sandbox" >&5
++echo "${ECHO_T}$with_forced_sandbox" >&6
++
++###############################################################################
+ 
+ for ac_prog in 'bison -y' byacc
+ do
+-- 
+2.13.5
+
diff --git a/sys-apps/mawk/files/mawk-1.3.4-sandbox.patch b/sys-apps/mawk/files/mawk-1.3.4-sandbox.patch
new file mode 100644
index 000000000000..ae2ccbd50ec1
--- /dev/null
+++ b/sys-apps/mawk/files/mawk-1.3.4-sandbox.patch
@@ -0,0 +1,141 @@
+https://github.com/ThomasDickey/original-mawk/issues/49
+
+From ae3a324a5af1350aa1a6f648e10b9d6656d9fde4 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@chromium.org>
+Date: Tue, 7 Nov 2017 00:41:36 -0500
+Subject: [PATCH 1/2] add a -W sandbox mode
+
+This is like gawk's sandbox mode where arbitrary code execution and
+file redirection are locked down.  This way awk can be a more secure
+input/output mode.
+---
+ bi_funct.c | 3 +++
+ init.c     | 8 ++++++++
+ man/mawk.1 | 4 ++++
+ mawk.h     | 2 +-
+ scan.c     | 6 ++++++
+ 5 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/bi_funct.c b/bi_funct.c
+index 7742308c72a5..b524ac8dac8b 100644
+--- a/bi_funct.c
++++ b/bi_funct.c
+@@ -908,6 +908,9 @@ bi_system(CELL *sp GCC_UNUSED)
+ #ifdef HAVE_REAL_PIPES
+     int ret_val;
+ 
++    if (sandbox_flag)
++	rt_error("'system' function not allowed in sandbox mode");
++
+     TRACE_FUNC("bi_system", sp);
+ 
+     if (sp->type < C_STRING)
+diff --git a/init.c b/init.c
+index 0ab17b003f20..f7babb337e04 100644
+--- a/init.c
++++ b/init.c
+@@ -40,6 +40,7 @@ typedef enum {
+     W_RANDOM,
+     W_SPRINTF,
+     W_POSIX_SPACE,
++    W_SANDBOX,
+     W_USAGE
+ } W_OPTIONS;
+ 
+@@ -96,6 +97,7 @@ initialize(int argc, char **argv)
+ 
+ int dump_code_flag;		/* if on dump internal code */
+ short posix_space_flag;
++short sandbox_flag;
+ 
+ #ifdef	 DEBUG
+ int dump_RE = 1;		/* if on dump compiled REs  */
+@@ -153,6 +155,7 @@ usage(void)
+ 	"    -W random=number set initial random seed.",
+ 	"    -W sprintf=number adjust size of sprintf buffer.",
+ 	"    -W posix_space   do not consider \"\\n\" a space.",
++	"    -W sandbox       disable system() and I/O redirection.",
+ 	"    -W usage         show this message and exit.",
+     };
+     size_t n;
+@@ -255,6 +258,7 @@ parse_w_opt(char *source, char **next)
+ 	    DATA(RANDOM),
+ 	    DATA(SPRINTF),
+ 	    DATA(POSIX_SPACE),
++	    DATA(SANDBOX),
+ 	    DATA(USAGE)
+     };
+ #undef DATA
+@@ -389,6 +393,10 @@ process_cmdline(int argc, char **argv)
+ 		    posix_space_flag = 1;
+ 		    break;
+ 
++		case W_SANDBOX:
++		    sandbox_flag = 1;
++		    break;
++
+ 		case W_RANDOM:
+ 		    if (haveValue(optNext)) {
+ 			int x = atoi(optNext + 1);
+diff --git a/man/mawk.1 b/man/mawk.1
+index a3c794167dc9..0915d9d7ed5d 100644
+--- a/man/mawk.1
++++ b/man/mawk.1
+@@ -150,6 +150,10 @@ forces
+ \fB\*n\fP
+ not to consider '\en' to be space.
+ .TP
++\-\fBW \fRsandbox
++runs in a restricted mode where system(), input redirection (e.g. getline),
++output redirection (e.g. print and printf), and pipelines are disabled.
++.TP
+ \-\fBW \fRrandom=\fInum\fR
+ calls \fBsrand\fP with the given parameter
+ (and overrides the auto-seeding behavior).
+diff --git a/mawk.h b/mawk.h
+index 2d04be1adb34..a6ccc0071ecc 100644
+--- a/mawk.h
++++ b/mawk.h
+@@ -63,7 +63,7 @@ extern int dump_RE;
+ #define USE_BINMODE 0
+ #endif
+ 
+-extern short posix_space_flag, interactive_flag;
++extern short posix_space_flag, interactive_flag, sandbox_flag;
+ 
+ /*----------------
+  *  GLOBAL VARIABLES
+diff --git a/scan.c b/scan.c
+index 3a8fc9181ab8..c1833b8b7315 100644
+--- a/scan.c
++++ b/scan.c
+@@ -455,6 +455,8 @@ yylex(void)
+ 	    un_next();
+ 
+ 	if (getline_flag) {
++	    if (sandbox_flag)
++		rt_error("redirection not allowed in sandbox mode");
+ 	    getline_flag = 0;
+ 	    ct_ret(IO_IN);
+ 	} else
+@@ -462,6 +464,8 @@ yylex(void)
+ 
+     case SC_GT:		/* '>' */
+ 	if (print_flag && paren_cnt == 0) {
++	    if (sandbox_flag)
++		rt_error("redirection not allowed in sandbox mode");
+ 	    print_flag = 0;
+ 	    /* there are 3 types of IO_OUT
+ 	       -- build the error string in string_buff */
+@@ -488,6 +492,8 @@ yylex(void)
+ 	    un_next();
+ 
+ 	    if (print_flag && paren_cnt == 0) {
++		if (sandbox_flag)
++		    rt_error("pipe execution not allowed in sandbox mode");
+ 		print_flag = 0;
+ 		yylval.ival = PIPE_OUT;
+ 		string_buff[0] = '|';
+-- 
+2.13.5
+
diff --git a/sys-apps/mawk/mawk-1.3.4_p20161120.ebuild b/sys-apps/mawk/mawk-1.3.4_p20161120.ebuild
index 5db9517c4128..e70a4f0b2ee2 100644
--- a/sys-apps/mawk/mawk-1.3.4_p20161120.ebuild
+++ b/sys-apps/mawk/mawk-1.3.4_p20161120.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2017 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=6
@@ -12,7 +12,7 @@ SRC_URI="ftp://invisible-island.net/mawk/${MY_P}.tgz"
 
 LICENSE="GPL-2"
 SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh sparc ~x86 ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos"
 
 RDEPEND="app-eselect/eselect-awk"
 DEPEND="${RDEPEND}"
diff --git a/sys-apps/mawk/mawk-1.3.4_p20171017-r1.ebuild b/sys-apps/mawk/mawk-1.3.4_p20171017-r1.ebuild
new file mode 100644
index 000000000000..e50d8aa12776
--- /dev/null
+++ b/sys-apps/mawk/mawk-1.3.4_p20171017-r1.ebuild
@@ -0,0 +1,49 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit toolchain-funcs
+
+MY_P=${P/_p/-}
+DESCRIPTION="an (often faster than gawk) awk-interpreter"
+HOMEPAGE="https://invisible-island.net/mawk/mawk.html"
+SRC_URI="ftp://ftp.invisible-island.net/mawk/${MY_P}.tgz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos"
+IUSE="forced-sandbox"
+
+RDEPEND="app-eselect/eselect-awk"
+DEPEND="${RDEPEND}"
+
+S=${WORKDIR}/${MY_P}
+
+DOCS=( ACKNOWLEDGMENT CHANGES README )
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-1.3.4-sandbox.patch
+	"${FILESDIR}"/${PN}-1.3.4-sandbox-default.patch
+)
+
+src_configure() {
+	tc-export BUILD_CC
+	econf $(use_enable forced-sandbox)
+}
+
+src_install() {
+	default
+
+	exeinto /usr/share/doc/${PF}/examples
+	doexe examples/*
+	docompress -x /usr/share/doc/${PF}/examples
+}
+
+pkg_postinst() {
+	eselect awk update ifunset
+}
+
+pkg_postrm() {
+	eselect awk update ifunset
+}
diff --git a/sys-apps/mawk/metadata.xml b/sys-apps/mawk/metadata.xml
index 56c124413057..fb5ddc9df936 100644
--- a/sys-apps/mawk/metadata.xml
+++ b/sys-apps/mawk/metadata.xml
@@ -5,4 +5,7 @@
 	<email>base-system@gentoo.org</email>
 	<name>Gentoo Base System</name>
 </maintainer>
+<use>
+	<flag name="forced-sandbox">Always enable -W sandbox mode for simpler/secure runtime</flag>
+</use>
 </pkgmetadata>