From f625b9919a60a30f1bd860f7d1b2eac183ced593 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Wed, 8 Aug 2018 20:11:47 +0100 Subject: gentoo resync : 08.08.2018 --- app-emulation/Manifest.gz | Bin 19841 -> 19851 bytes app-emulation/buildah/Manifest | 4 +- app-emulation/buildah/buildah-1.1.ebuild | 56 ------ app-emulation/buildah/buildah-1.3.ebuild | 56 ++++++ app-emulation/lxc/Manifest | 4 + .../lxc/files/lxc-2.1.1-cve-2018-6556.patch | 118 +++++++++++ .../lxc/files/lxc-3.0.1-cve-2018-6556.patch | 110 +++++++++++ app-emulation/lxc/lxc-2.1.1-r1.ebuild | 215 +++++++++++++++++++++ app-emulation/lxc/lxc-3.0.1-r1.ebuild | 163 ++++++++++++++++ app-emulation/reg/Manifest | 2 + .../reg/files/reg-0.15.4-listen-addr.patch | 47 +++++ app-emulation/reg/reg-0.15.4-r2.ebuild | 50 +++++ app-emulation/spice/Manifest | 2 +- .../spice/files/spice-0.14.0-libressl_fix.patch | 2 +- 14 files changed, 769 insertions(+), 60 deletions(-) delete mode 100644 app-emulation/buildah/buildah-1.1.ebuild create mode 100644 app-emulation/buildah/buildah-1.3.ebuild create mode 100644 app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch create mode 100644 app-emulation/lxc/files/lxc-3.0.1-cve-2018-6556.patch create mode 100644 app-emulation/lxc/lxc-2.1.1-r1.ebuild create mode 100644 app-emulation/lxc/lxc-3.0.1-r1.ebuild create mode 100644 app-emulation/reg/files/reg-0.15.4-listen-addr.patch create mode 100644 app-emulation/reg/reg-0.15.4-r2.ebuild (limited to 'app-emulation') diff --git a/app-emulation/Manifest.gz b/app-emulation/Manifest.gz index fa7be5b31104..588fc5265f99 100644 Binary files a/app-emulation/Manifest.gz and b/app-emulation/Manifest.gz differ diff --git a/app-emulation/buildah/Manifest b/app-emulation/buildah/Manifest index 6f9187f6cec2..21e5396c4e39 100644 --- a/app-emulation/buildah/Manifest +++ b/app-emulation/buildah/Manifest 
@@ -1,5 +1,5 @@ -DIST buildah-1.1.tar.gz 4253820 BLAKE2B ae30a677a2f569d87da0ab85732078912598cf25f7b22ad25540f5d89797983a8549eef1bc8d151d4e0be078b97e024df145bb882bdd8443becb07774bfb5875 SHA512 9957590d7413436195307746682496616fd2350b832242f33fb4cb07c1144addae445eeff062f403d26a68329f1153468489032bc9bbcf870839c760a720ef95 DIST buildah-1.2.tar.gz 4403310 BLAKE2B df3a1d12a41e9d585d3191103140fc232a2c247283996f394bd151f61615057b15d934e165be47794465c30217c32b3e6b53fbf4d2ef5a2f3349840dadad8171 SHA512 0aac0a80c3c50f0171199e549c0321ce1a756ca838dd9d92b0b0d58bd6b4e212390642c8a4a2aea794616292058624ab0c8707d2ea0cdcbcc555b387df611dc2 -EBUILD buildah-1.1.ebuild 1388 BLAKE2B 8dd9609a8d7c8e2f132e7f0d07b311c05fb0a364cd9c63d3f68c065e40bfe4776c3b1650463064ff96b40dc64ebaec9c87c6ed346705f371925822b2d097a7db SHA512 fb2c0381296021c4e4e60649532413b154c2a5e28fcc91fa3998e8be1e845d0c5f215bb17b0397441df63fd5bfea7d72b9f281ec891cf11b1bd309b2e52d8bcb +DIST buildah-1.3.tar.gz 4486873 BLAKE2B 35fb62626d2466495da47579cf4ab23603797ef42a9308245fa97c87a91fcb978f4d02724ce79c2b4ac620d9868ca8974e4701ba6a96ccf739e5ccb4e6d9693a SHA512 c8e161254495cb652caf9a54a051155008e41575487d26aacd38355f0a447ae0e8973b33a978e6a2d5a6c8105400d49dae46878c5f3631ab51aa3556d5033ccd EBUILD buildah-1.2.ebuild 1407 BLAKE2B b57e8bf75b9db19b56b8a9f4bda2cf0c9347a2919b41c22194b17a88880ea98b7e3e75f00bdc4bea61b314ad90d511c64732fe7dd0f37409b9cc727a394f2ca3 SHA512 3a69febb77c2a22d93e5bf868db42b498b5d464e73182916f4754fabe7e55f91033cfc302c025ac45519f559f48f32524daad04e0ee89ded3b964d6481035f90 +EBUILD buildah-1.3.ebuild 1418 BLAKE2B ade5ca1b6c9a5d3d2d8ef4f5c7335b5826f9ad671593b064bdf2b297b546a10b6139c2a937817acf820c3a5f67d610d50f8bfe5d48a8f41fece8c9b2e6e2b716 SHA512 7638b2557ca122a566026e2fb7d7050d13d16c6623bb958edb1895b08e02c32cd9754760bae3c7d8a31f1a611e27cece6038a6000b796bd48101790d1f6671d7 MISC metadata.xml 433 BLAKE2B 
5b06389433033a1cf28f5fcae5dd41f4ebe0582d9537e8e163fad82046a66477a6ac3ed26ea63e60ea392919afcd3f0f45ae8ddabefd3a518707d5adff04e9d6 SHA512 3ab67ceda6ca0c8bd10f8868172d9686c8eeaa856760453be1c3ba907abb734ba37f5e9885547a16f69c67aa8d96e576de1ddf3208c08f4d44c2d90b081c74a6 diff --git a/app-emulation/buildah/buildah-1.1.ebuild b/app-emulation/buildah/buildah-1.1.ebuild deleted file mode 100644 index 3be0b76e6b5f..000000000000 --- a/app-emulation/buildah/buildah-1.1.ebuild +++ /dev/null @@ -1,56 +0,0 @@ -# Copyright 1999-2018 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -EAPI=6 -inherit bash-completion-r1 golang-vcs-snapshot - -KEYWORDS="~amd64" -DESCRIPTION="A tool that facilitates building OCI images" -HOMEPAGE="https://github.com/projectatomic/buildah" -LICENSE="Apache-2.0" -SLOT="0" -IUSE="ostree selinux" -EGO_PN="${HOMEPAGE#*//}" -EGIT_COMMIT="v${PV}" -GIT_COMMIT="fbf46d3" -SRC_URI="https://${EGO_PN}/archive/${EGIT_COMMIT}.tar.gz -> ${P}.tar.gz" -RDEPEND="app-crypt/gpgme:= - app-emulation/skopeo - dev-libs/libgpg-error:= - dev-libs/libassuan:= - sys-fs/lvm2:= - sys-libs/libseccomp:= - selinux? ( sys-libs/libselinux:= )" -DEPEND="${RDEPEND}" -RESTRICT="test" -REQUIRED_USE="!selinux? ( !ostree )" -S="${WORKDIR}/${P}/src/${EGO_PN}" - -src_prepare() { - default - sed -e 's|^\(GIT_COMMIT := \).*|\1'${GIT_COMMIT}'|' -i Makefile || die - - [[ -f ostree_tag.sh ]] || die - use ostree || { echo -e "#!/bin/sh\necho containers_image_ostree_stub" > \ - ostree_tag.sh || die; } - - [[ -f selinux_tag.sh ]] || die - use selinux || { echo -e "#!/bin/sh\ntrue" > \ - selinux_tag.sh || die; } -} - -src_compile() { - GOPATH="${WORKDIR}/${P}" emake all -} - -src_install() { - dodoc CHANGELOG.md CONTRIBUTING.md README.md - doman docs/*.1 - dodoc -r docs/tutorials - dobin ${PN} imgtype - dobashcomp contrib/completions/bash/buildah -} - -src_test() { - GOPATH="${WORKDIR}/${P}" emake test-unit -} 
diff --git a/app-emulation/buildah/buildah-1.3.ebuild b/app-emulation/buildah/buildah-1.3.ebuild
new file mode 100644
index 000000000000..2a0a4173a777
--- /dev/null
+++ b/app-emulation/buildah/buildah-1.3.ebuild
@@ -0,0 +1,56 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+inherit bash-completion-r1 golang-vcs-snapshot
+
+KEYWORDS="~amd64"
+DESCRIPTION="A tool that facilitates building OCI images"
+HOMEPAGE="https://github.com/projectatomic/buildah"
+LICENSE="Apache-2.0"
+SLOT="0"
+IUSE="ostree selinux"
+EGO_PN="${HOMEPAGE#*//}"
+EGIT_COMMIT="v${PV}"
+GIT_COMMIT="be87762"
+SRC_URI="https://${EGO_PN}/archive/${EGIT_COMMIT}.tar.gz -> ${P}.tar.gz"
+RDEPEND="app-crypt/gpgme:=
+ app-emulation/skopeo
+ dev-libs/libgpg-error:=
+ dev-libs/libassuan:=
+ sys-fs/lvm2:=
+ sys-libs/libseccomp:=
+ selinux? ( sys-libs/libselinux:= )"
+DEPEND="${RDEPEND}"
+RESTRICT="test"
+REQUIRED_USE="!selinux? ( !ostree )"
+S="${WORKDIR}/${P}/src/${EGO_PN}"
+
+src_prepare() {
+ default
+ sed -e 's|^\(GIT_COMMIT := \).*|\1'${GIT_COMMIT}'|' -i Makefile || die
+
+ [[ -f ostree_tag.sh ]] || die
+ use ostree || { echo -e "#!/bin/sh\necho containers_image_ostree_stub" > \
+ ostree_tag.sh || die; }
+
+ [[ -f selinux_tag.sh ]] || die
+ use selinux || { echo -e "#!/bin/sh\ntrue" > \
+ selinux_tag.sh || die; }
+}
+
+src_compile() {
+ GOPATH="${WORKDIR}/${P}" emake all
+}
+
+src_install() {
+ dodoc CHANGELOG.md CONTRIBUTING.md README.md install.md troubleshooting.md
+ doman docs/*.1
+ dodoc -r docs/tutorials
+ dobin ${PN} imgtype
+ dobashcomp contrib/completions/bash/buildah
+}
+
+src_test() {
+ GOPATH="${WORKDIR}/${P}" emake test-unit
+}
diff --git a/app-emulation/lxc/Manifest b/app-emulation/lxc/Manifest
index fa83fd403c2a..1ac07d727089 100644
--- a/app-emulation/lxc/Manifest
+++ b/app-emulation/lxc/Manifest
@@ -1,12 +1,16 @@ AUX lxc-2.0.5-omit-sysconfig.patch 259 BLAKE2B 977e151fbb8c9d98e89aaa5ee0426e64ab4286b4440af1582086a0ced8c6568efb470ccf68786da6ea52c82d1f4e81feac45bec411febc04fc31d108f05ccde2 SHA512 0aed9aca687accc6df79e97f48ab333043256e8ae68c8643f2b2452cc8013191238867d64ec71f7d399c59a43d3ba698b35d965090c5cb149b4f41302432e6e7 AUX lxc-2.0.6-bash-completion.patch 919 BLAKE2B a364398ad6fe44213ba1097e961813d4cbc71efbaf25f90a44201dc95151b7676dbe1c086b3a34fb38ffb9ef2a5ebb25f9885e809c11ec1b1e9a6516f48a3ae1 SHA512 caa90c8bad2a79b4e42b781f00d6f2a7be37fc5c5301592b026c88db2652c90871be940c86a9156f03bc186f76cf2068a2d3084e9abc7a5896ea081885085d41 AUX lxc-2.1.1-cgroups-enable-container-without-CAP_SYS_ADMIN.patch 5145 BLAKE2B 5e4c73811b6f912cc721606603ba69b225655c343eb51ecec7110e8bc477ddd08704aa4b892203cfe539c441cc7437959606e0a196ec26e313859253d088c007 SHA512 49494eb1a7d21c3755a5301cc3bec75832588ba9bd598f0d40be90b84426332567c6b525ca089b77a92629b953b89f42a2e4ed2834e5a125e6079a35e1a17a04 +AUX lxc-2.1.1-cve-2018-6556.patch 3994 BLAKE2B 791b80852408df5f325465a6ceea5bf7986641da4c988db1f61bebabe656554aa5032186f4e5409093c14b9c9fb3ee3d7bf06e338c5f4c19cb4e2eb9d8d1db36 SHA512 fcce5387cc1d67fcb035073a5295e15570b114d202f4b077363a5059813a28b7165b5ea3e32beb4b1be8d45613bc5d7d8223ed2ebff45d5e95b5fd1e87dbd490 AUX lxc-2.1.1-fix-cgroup2-detection.patch 856 BLAKE2B e877e8a968d059c2034a2b5c23946241a6b45172f893e313bff30a7f798e3b1440e5a1e8ee277816308fb509901b52584a44021a156a91671e299964dd69b1bd SHA512 eb0fc8dee5a59d1641e8b3024bf79be2273aa15131fd7eaee98d80585c39ddb93d8d9cfe98c7f866ab2461fe8c6c7e3c038ec1a1263a6f9b02ed323a267b87f2 AUX lxc-3.0.0-bash-completion.patch 915 BLAKE2B 8bb879e391cec349d211b47d321c64ea091c8475ac9a8c4adfb45918c044f6c49d9b9bce546082907d696f697baf0870893c4427abeafa496db89f99190cd091 SHA512 2f3728fcf5e88eecc1ae05bf038ef83baa375194c5bef0d0ef68feaf4d8092cdd8efef6b3c27207c4abd28b085f087af517242c65747b47d0a8fa840f6b9d279 +AUX lxc-3.0.1-cve-2018-6556.patch 3481 BLAKE2B 
2ee1d488f7be81d97908d83d84346c5800b2d3f5ef395fb97c60263134b6e7e5048be7020e296e9d45b2ca17b0d8d0d911d0e3e1b08fe02866f506743f13270d SHA512 0cfc93c4f1a989e6c8d29c232aa8569649dd0797419f58c5e83b9febf851ed7b605a552a0b521e1c57de0179a08ee9e6ee8243130758867901fd5b26533425ca AUX lxc.initd.7 3468 BLAKE2B 37b0d044594f1c66631f991315e49c4ceea4640bf6c459e6bba713fb76ef9a8ee1fcbc49da68bd0f1e2929cf9904e0113a3b321166f7c3d360fcebeab6665e5a SHA512 c5841cff7d8b58d4283a26719e8a5db1be2c4add0f31065393b863b6626460180d91632106bc50cde4d3e74ae46a57d581fa1f01140dfa95522aba12277f9eaa AUX lxc_at.service.4 265 BLAKE2B 4454528e69a5c986c23c0c4ccc10ebe03a0650e47cd30208355d2f4a70a4cb46392473eccddd736988f1b72954948876601aaf99977d8e6014a7c774a416160f SHA512 d61e7103e90e6ffb3202533e7d7555d8c02b943f06ec6c0d673713c1c0ede58641312c65d6dd6a15907c1171522e6148c2313d7b11acbd85d59fe65758cd52b3 DIST lxc-2.1.1.tar.gz 1378640 BLAKE2B 5fca516540a886729434579ff99acf3baa06977fa0e0b6f24dbf15094626335fc073597d308276e3dd20e27ceabf1477cc8e99d1fd24cf50b9aed2720b887b69 SHA512 2989d57acddfe091adcf8031721c3c9a2f8eff5476bd6155366b76ea7511e0f6120e669276e056e3963863e0f0acf3b095d44c36fa6652e67c197671f28cbdd4 DIST lxc-3.0.1.tar.gz 1239920 BLAKE2B 7be668c11d7211540fe7e2fb6318d38eac0d8d493914f4705d097fca4c004a8d2191609d02bd9e1d9204c3c0b9ea937084d3f9050fc841f6d777768067af3d19 SHA512 f51b0844f61f64d4efc530454eae1fa499f7f1b908bd3b40d7031e7f311a402893a7504bddbc53f2ef9da2b3154d1b047fc4d876b99f0d487d7c79de64eea505 +EBUILD lxc-2.1.1-r1.ebuild 6818 BLAKE2B e885b3a11de8a131433bec83b1d47b8c2277fd575d2d8bbf475bbb6ad5b1b520fbe204f61034816a96eef2734b5986d1bdaf9f39c2c61f4d1e47597c49eaf90c SHA512 15d46b88c5163ed35d25e404696350d0ef4906c4b264f5c1e9987a2f98a24b68c8187222a39a041a7de622621ae3dc5a9e6b58ab24754e57a70e2e1374f8c840 EBUILD lxc-2.1.1.ebuild 6763 BLAKE2B a4d6e09451ebb728147e1ebeca98292422472040eea4a7664e8659d2d00774933b16e264b2af3a0ad6a90750586369a02cc6149959bb3a218a528f4f8f0aa773 SHA512 
e5838b9a63d096284905d3f000c268a6c398835c2054c2d0bb92e3e6ed2d0b3aaeb2a417d2c04b8182ced7447a47fa9e1340e89f92d0fd6dd48238544684a727 +EBUILD lxc-3.0.1-r1.ebuild 5191 BLAKE2B 9f459a526990f82180248e70c618479b12bd2f0ebbed6531d380a379256f214511b1213e1627a4fc813d36d38a05b4f44894f14ce9d7fef2da1fd0f5d1db9b51 SHA512 3e32d03eb7bf76be38b9fba3b2b0645273c497d9053ff91167908675d133b7e55ab80f7f8bb6a58ecefb1c9b002ef8727b63af56cd2c478a6dea2e8dd9c4f033 EBUILD lxc-3.0.1.ebuild 5136 BLAKE2B 3e439cf609c87cbd2d88e0d9c646b64998f072a7cc2c04b0e5f5537d0297d9f0d66ff39e184d03a8828fec5f32ea959b76bb5b4c9471d546102bceee46577329 SHA512 1f02404f7d8ad22bb7517d0ed25987ce1ef73034736f6a1d2f7ff2b804d1be8ae712545575725736a9ac4019e316629b43bed0e21ebe60e5ed094334840c67fa MISC metadata.xml 670 BLAKE2B 1318dc9a17178a46375589bcc92685e1a49146cd7384e36d996e675875a55c8402e2a037546dadd2ce1399557b77366f03179d8ef51cdbe106e9b27c3f3dbff9 SHA512 c1d3d15e52953b8dcd280c90d73467258cdf41d6f6505f231c0c031f40b0a467147798651bb327b498dd4ac694783441896584941a0c05d34e45af8dc9c6db70 diff --git a/app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch b/app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch new file mode 100644 index 000000000000..bad1e274527e --- /dev/null +++ b/app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch 
@@ -0,0 +1,118 @@ +From d183654ec1a2cd1149bdb92601ccb7246bddb14e Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Wed, 25 Jul 2018 19:56:54 +0200 +Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic + +Signed-off-by: Christian Brauner +--- + src/lxc/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++--- + src/lxc/utils.c | 12 ++++++++++++ + src/lxc/utils.h | 5 +++++ + 3 files changed, 49 insertions(+), 3 deletions(-) + +ADDENDUM from vdupras@gentoo.org: Original patch from Christian didn't +include LXC_PROC_PID_FD_LEN define, but referenced it. This resulted in +code that doesn't compile. I fetched the definition from the stable-3.0 +branch and included it to this patch. Also, this diff is regenerated +from lxc-2.1.1 tag instead of stable-2.0 branch. + +diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c +index 6f550f0d..09a342ac 100644 +--- a/src/lxc/lxc_user_nic.c ++++ b/src/lxc/lxc_user_nic.c +@@ -1124,12 +1124,41 @@ int main(int argc, char *argv[]) + exit(EXIT_FAILURE); + } + } else if (request == LXC_USERNIC_DELETE) { +- netns_fd = open(args.pid, O_RDONLY); ++ char opath[LXC_PROC_PID_FD_LEN]; ++ ++ /* Open the path with O_PATH which will not trigger an actual ++ * open(). Don't report an errno to the caller to not leak ++ * information whether the path exists or not. ++ * When stracing setuid is stripped so this is not a concern ++ * either. 
++ */ ++ netns_fd = open(args.pid, O_PATH | O_CLOEXEC); + if (netns_fd < 0) { +- usernic_error("Could not open \"%s\": %s\n", args.pid, +- strerror(errno)); ++ usernic_error("Failed to open \"%s\"\n", args.pid); + exit(EXIT_FAILURE); + } ++ ++ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) { ++ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid); ++ close(netns_fd); ++ exit(EXIT_FAILURE); ++ } ++ ++ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd); ++ if (ret < 0 || (size_t)ret >= sizeof(opath)) { ++ close(netns_fd); ++ exit(EXIT_FAILURE); ++ } ++ ++ /* Now get an fd that we can use in setns() calls. */ ++ ret = open(opath, O_RDONLY | O_CLOEXEC); ++ if (ret < 0) { ++ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno)); ++ close(netns_fd); ++ exit(EXIT_FAILURE); ++ } ++ close(netns_fd); ++ netns_fd = ret; + } + + if (!create_db_dir(LXC_USERNIC_DB)) { +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index e6a44a51..c2a08a9d 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -2380,6 +2380,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val) + return has_type; + } + ++bool fhas_fs_type(int fd, fs_type_magic magic_val) ++{ ++ int ret; ++ struct statfs sb; ++ ++ ret = fstatfs(fd, &sb); ++ if (ret < 0) ++ return false; ++ ++ return is_fs_type(&sb, magic_val); ++} ++ + bool lxc_nic_exists(char *nic) + { + #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1 +diff --git a/src/lxc/utils.h b/src/lxc/utils.h +index e83ed49e..06ec74d7 100644 +--- a/src/lxc/utils.h ++++ b/src/lxc/utils.h +@@ -46,11 +46,16 @@ + #define __S_ISTYPE(mode, mask) (((mode)&S_IFMT) == (mask)) + #endif + ++#ifndef NSFS_MAGIC ++#define NSFS_MAGIC 0x6e736673 ++#endif ++ + /* Useful macros */ + /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */ + #define LXC_NUMSTRLEN64 21 + #define LXC_LINELEN 4096 + #define LXC_IDMAPLEN 4096 ++#define LXC_PROC_PID_FD_LEN (6 + LXC_NUMSTRLEN64 + 4 + LXC_NUMSTRLEN64 
+ 1) + + /* returns 1 on success, 0 if there were any failures */ + extern int lxc_rmdir_onedev(char *path, const char *exclude); +@@ -402,6 +407,7 @@ extern void *must_realloc(void *orig, size_t sz); + /* __typeof__ should be safe to use with all compilers. */ + typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic; + extern bool has_fs_type(const char *path, fs_type_magic magic_val); ++extern bool fhas_fs_type(int fd, fs_type_magic magic_val); + extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val); + extern bool lxc_nic_exists(char *nic); diff --git a/app-emulation/lxc/files/lxc-3.0.1-cve-2018-6556.patch b/app-emulation/lxc/files/lxc-3.0.1-cve-2018-6556.patch new file mode 100644 index 000000000000..198e835e6c59 --- /dev/null +++ b/app-emulation/lxc/files/lxc-3.0.1-cve-2018-6556.patch 
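Review bot: `fhas_fs_type(netns_fd, NSFS_MAGIC)` runs `fstatfs()` on a descriptor that was opened with `O_PATH`, and the kernel only permits that combination from Linux 3.12 onwards (earlier kernels reject the call), so on an older kernel every delete request fails closed but reports the misleading message `"does not refer to a network namespace path"`. Failing closed is the right direction for a setuid helper, but the kernel floor deserves a comment beside the check, e.g. `/* fstatfs() on an O_PATH fd needs Linux >= 3.12; older kernels fail closed here */`, since the ebuild's `>=sys-kernel/linux-headers-3.2` does not encode it. The `snprintf` failure branch is also the only new branch that exits without a `usernic_error()` line, so a truncated path is indistinguishable from a silent crash; `usernic_error("Failed to build /proc/self/fd path for \"%s\"\n", args.pid);` before its `close()` would match the surrounding branches. The enclosing `main()` starts and ends outside this hunk, and both points apply equally to the lxc-3.0.1 copy of the patch that follows.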
@@ -0,0 +1,110 @@ +From f2314625c5702cfd25974929599fa439bdac8bdf Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Wed, 25 Jul 2018 19:56:54 +0200 +Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic + +Signed-off-by: Christian Brauner +--- + src/lxc/cmd/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++--- + src/lxc/utils.c | 12 ++++++++++++ + src/lxc/utils.h | 5 +++++ + 3 files changed, 49 insertions(+), 3 deletions(-) + +diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c +index ec9cd97e..c5beb6c8 100644 +--- a/src/lxc/cmd/lxc_user_nic.c ++++ b/src/lxc/cmd/lxc_user_nic.c +@@ -1179,12 +1179,41 @@ int main(int argc, char *argv[]) + exit(EXIT_FAILURE); + } + } else if (request == LXC_USERNIC_DELETE) { +- netns_fd = open(args.pid, O_RDONLY); ++ char opath[LXC_PROC_PID_FD_LEN]; ++ ++ /* Open the path with O_PATH which will not trigger an actual ++ * open(). Don't report an errno to the caller to not leak ++ * information whether the path exists or not. ++ * When stracing setuid is stripped so this is not a concern ++ * either. ++ */ ++ netns_fd = open(args.pid, O_PATH | O_CLOEXEC); + if (netns_fd < 0) { +- usernic_error("Could not open \"%s\": %s\n", args.pid, +- strerror(errno)); ++ usernic_error("Failed to open \"%s\"\n", args.pid); ++ exit(EXIT_FAILURE); ++ } ++ ++ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) { ++ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid); ++ close(netns_fd); ++ exit(EXIT_FAILURE); ++ } ++ ++ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd); ++ if (ret < 0 || (size_t)ret >= sizeof(opath)) { ++ close(netns_fd); ++ exit(EXIT_FAILURE); ++ } ++ ++ /* Now get an fd that we can use in setns() calls. 
*/ ++ ret = open(opath, O_RDONLY | O_CLOEXEC); ++ if (ret < 0) { ++ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno)); ++ close(netns_fd); + exit(EXIT_FAILURE); + } ++ close(netns_fd); ++ netns_fd = ret; + } + + if (!create_db_dir(LXC_USERNIC_DB)) { +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 26f1b058..69d362dc 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -2548,6 +2548,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val) + return has_type; + } + ++bool fhas_fs_type(int fd, fs_type_magic magic_val) ++{ ++ int ret; ++ struct statfs sb; ++ ++ ret = fstatfs(fd, &sb); ++ if (ret < 0) ++ return false; ++ ++ return is_fs_type(&sb, magic_val); ++} ++ + bool lxc_nic_exists(char *nic) + { + #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1 +diff --git a/src/lxc/utils.h b/src/lxc/utils.h +index 7d672b77..fedc395b 100644 +--- a/src/lxc/utils.h ++++ b/src/lxc/utils.h +@@ -95,6 +95,10 @@ + #define CGROUP2_SUPER_MAGIC 0x63677270 + #endif + ++#ifndef NSFS_MAGIC ++#define NSFS_MAGIC 0x6e736673 ++#endif ++ + /* Useful macros */ + /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */ + #define LXC_NUMSTRLEN64 21 +@@ -581,6 +585,7 @@ extern void *must_realloc(void *orig, size_t sz); + /* __typeof__ should be safe to use with all compilers. */ + typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic; + extern bool has_fs_type(const char *path, fs_type_magic magic_val); ++extern bool fhas_fs_type(int fd, fs_type_magic magic_val); + extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val); + extern bool lxc_nic_exists(char *nic); + extern int lxc_make_tmpfile(char *template, bool rm); +-- +2.17.1 + diff --git a/app-emulation/lxc/lxc-2.1.1-r1.ebuild b/app-emulation/lxc/lxc-2.1.1-r1.ebuild new file mode 100644 index 000000000000..921619a1f75e --- /dev/null +++ b/app-emulation/lxc/lxc-2.1.1-r1.ebuild 
@@ -0,0 +1,215 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python3_{4,5,6} )
+DISTUTILS_OPTIONAL=1
+
+inherit autotools bash-completion-r1 distutils-r1 linux-info versionator flag-o-matic systemd readme.gentoo-r1
+DESCRIPTION="LinuX Containers userspace utilities"
+HOMEPAGE="https://linuxcontainers.org/"
+SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz"
+
+KEYWORDS="amd64 ~arm ~arm64 ~ppc64 x86"
+
+LICENSE="LGPL-3"
+SLOT="0"
+IUSE="cgmanager examples lua python seccomp selinux"
+
+RDEPEND="
+ net-libs/gnutls
+ sys-libs/libcap
+ cgmanager? ( app-admin/cgmanager )
+ lua? ( >=dev-lang/lua-5.1:= )
+ python? ( ${PYTHON_DEPS} )
+ seccomp? ( sys-libs/libseccomp )
+ selinux? ( sys-libs/libselinux )"
+
+DEPEND="${RDEPEND}
+ app-text/docbook-sgml-utils
+ >=sys-kernel/linux-headers-3.2"
+
+RDEPEND="${RDEPEND}
+ sys-apps/util-linux
+ app-misc/pax-utils
+ virtual/awk"
+
+CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE
+ ~CPUSETS ~CGROUP_CPUACCT
+ ~CGROUP_SCHED
+
+ ~NAMESPACES
+ ~IPC_NS ~USER_NS ~PID_NS
+
+ ~NETLINK_DIAG ~PACKET_DIAG
+ ~INET_UDP_DIAG ~INET_TCP_DIAG
+ ~UNIX_DIAG ~CHECKPOINT_RESTORE
+
+ ~CGROUP_FREEZER
+ ~UTS_NS ~NET_NS
+ ~VETH ~MACVLAN
+
+ ~POSIX_MQUEUE
+ ~!NETPRIO_CGROUP
+
+ ~!GRKERNSEC_CHROOT_MOUNT
+ ~!GRKERNSEC_CHROOT_DOUBLE
+ ~!GRKERNSEC_CHROOT_PIVOT
+ ~!GRKERNSEC_CHROOT_CHMOD
+ ~!GRKERNSEC_CHROOT_CAPS
+ ~!GRKERNSEC_PROC
+ ~!GRKERNSEC_SYSFS_RESTRICT
+"
+
+ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container"
+
+ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER: needed to freeze containers"
+
+ERROR_UTS_NS="CONFIG_UTS_NS: needed to unshare hostnames and uname info"
+ERROR_NET_NS="CONFIG_NET_NS: needed for unshared network"
+
+ERROR_VETH="CONFIG_VETH: needed for internal (host-to-container) networking"
+ERROR_MACVLAN="CONFIG_MACVLAN: needed for internal (inter-container) networking"
+
+ERROR_NETLINK_DIAG="CONFIG_NETLINK_DIAG: needed for lxc-checkpoint"
+ERROR_PACKET_DIAG="CONFIG_PACKET_DIAG: needed for lxc-checkpoint"
+ERROR_INET_UDP_DIAG="CONFIG_INET_UDP_DIAG: needed for lxc-checkpoint"
+ERROR_INET_TCP_DIAG="CONFIG_INET_TCP_DIAG: needed for lxc-checkpoint"
+ERROR_UNIX_DIAG="CONFIG_UNIX_DIAG: needed for lxc-checkpoint"
+ERROR_CHECKPOINT_RESTORE="CONFIG_CHECKPOINT_RESTORE: needed for lxc-checkpoint"
+
+ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: needed for lxc-execute command"
+
+ERROR_NETPRIO_CGROUP="CONFIG_NETPRIO_CGROUP: as of kernel 3.3 and lxc 0.8.0_rc1 this causes LXCs to fail booting."
+
+ERROR_GRKERNSEC_CHROOT_MOUNT="CONFIG_GRKERNSEC_CHROOT_MOUNT: some GRSEC features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE: some GRSEC features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers"
+ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT: this GRSEC feature is incompatible with unprivileged containers"
+
+DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt)
+
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+
+pkg_setup() {
+ kernel_is -lt 4 7 && CONFIG_CHECK="${CONFIG_CHECK} ~DEVPTS_MULTIPLE_INSTANCES"
+ linux-info_pkg_setup
+}
+
+src_prepare() {
+ eapply "${FILESDIR}"/${PN}-2.0.6-bash-completion.patch
+ #558854
+ eapply "${FILESDIR}"/${PN}-2.0.5-omit-sysconfig.patch
+ eapply "${FILESDIR}"/${PN}-2.1.1-fix-cgroup2-detection.patch
+ eapply "${FILESDIR}"/${PN}-2.1.1-cgroups-enable-container-without-CAP_SYS_ADMIN.patch
+ eapply "${FILESDIR}"/${PN}-2.1.1-cve-2018-6556.patch
+ eapply_user
+ eautoreconf
+}
+
+src_configure() {
+ append-flags -fno-strict-aliasing
+
+ if use python; then
+ #541932
+ python_setup "python3*"
+ export PKG_CONFIG_PATH="${T}/${EPYTHON}/pkgconfig:${PKG_CONFIG_PATH}"
+ fi
+
+ # I am not sure about the --with-rootfs-path
+ # /var/lib/lxc is probably more appropriate than
+ # /usr/lib/lxc.
+ # Note by holgersson: Why is apparmor disabled?
+
+ # --enable-doc is for manpages which is why we don't link it to a "doc"
+ # USE flag. We always want man pages.
+ econf \
+ --localstatedir=/var \
+ --bindir=/usr/bin \
+ --sbindir=/usr/bin \
+ --with-config-path=/var/lib/lxc \
+ --with-rootfs-path=/var/lib/lxc/rootfs \
+ --with-distro=gentoo \
+ --with-runtime-path=/run \
+ --disable-apparmor \
+ --disable-werror \
+ --enable-doc \
+ $(use_enable cgmanager) \
+ $(use_enable examples) \
+ $(use_enable lua) \
+ $(use_enable python) \
+ $(use_enable seccomp) \
+ $(use_enable selinux)
+}
+
+python_compile() {
+ distutils-r1_python_compile build_ext -I.. -L../lxc/.libs --no-pkg-config
+}
+
+src_compile() {
+ default
+
+ if use python; then
+ pushd "${S}/src/python-${PN}" > /dev/null
+ distutils-r1_src_compile
+ popd > /dev/null
+ fi
+}
+
+src_install() {
+ default
+
+ mv "${ED}"/usr/share/bash-completion/completions/${PN} "${ED}"/$(get_bashcompdir)/${PN}-start || die
+ # start-ephemeral is no longer a command but removing it here
+ # generates QA warnings (still in upstream completion script)
+ bashcomp_alias ${PN}-start \
+ ${PN}-{attach,cgroup,copy,console,create,destroy,device,execute,freeze,info,monitor,snapshot,start-ephemeral,stop,unfreeze,wait}
+
+ if use python; then
+ pushd "${S}/src/python-lxc" > /dev/null
+ # Unset DOCS. This has been handled by the default target
+ unset DOCS
+ distutils-r1_src_install
+ popd > /dev/null
+ fi
+
+ keepdir /etc/lxc /var/lib/lxc/rootfs /var/log/lxc
+
+ find "${D}" -name '*.la' -delete
+
+ # Gentoo-specific additions!
+ newinitd "${FILESDIR}/${PN}.initd.7" ${PN}
+
+ # Remember to compare our systemd unit file with the upstream one
+ # config/init/systemd/lxc.service.in
+ systemd_newunit "${FILESDIR}"/${PN}_at.service.4 "lxc@.service"
+
+ DOC_CONTENTS="
+ Starting from version ${PN}-1.1.0-r3, the default lxc path has been
+ moved from /etc/lxc to /var/lib/lxc. If you still want to use /etc/lxc
+ please add the following to your /etc/lxc/lxc.conf
+
+ lxc.lxcpath = /etc/lxc
+
+ For openrc, there is an init script provided with the package.
+ You _should_ only need to symlink /etc/init.d/lxc to
+ /etc/init.d/lxc.configname to start the container defined in
+ /etc/lxc/configname.conf.
+
+ Correspondingly, for systemd a service file lxc@.service is installed.
+ Enable and start lxc@configname in order to start the container defined
+ in /etc/lxc/configname.conf.
+
+ If you want checkpoint/restore functionality, please install criu
+ (sys-process/criu)."
+ DISABLE_AUTOFORMATTING=true
+ readme.gentoo_create_doc
+}
+
+pkg_postinst() {
+ readme.gentoo_print_elog
+}
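Review bot: `find "${D}" -name '*.la' -delete` in `src_install` is the one install step in this function that can fail without stopping the merge; the `mv` right above it carries `|| die`, but a `find` error (for example a permission problem under `${D}`) is swallowed and the package merges with stale libtool archives. Gentoo ebuilds are expected to `die` on any failing install step, so `find "${D}" -name '*.la' -delete || die` keeps the function consistent with its neighbours. The `pushd`/`popd` pairs in `src_compile` and `src_install` likewise run without `|| die`, so a missing `src/python-lxc` directory would make the distutils calls run in the wrong tree rather than abort. The identical `find` line appears in lxc-3.0.1-r1.ebuild further down and deserves the same change.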
diff --git a/app-emulation/lxc/lxc-3.0.1-r1.ebuild b/app-emulation/lxc/lxc-3.0.1-r1.ebuild
new file mode 100644
index 000000000000..bf2c75e44b88
--- /dev/null
+++ b/app-emulation/lxc/lxc-3.0.1-r1.ebuild
@@ -0,0 +1,163 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit autotools bash-completion-r1 linux-info flag-o-matic systemd readme.gentoo-r1 pam
+
+DESCRIPTION="LinuX Containers userspace utilities"
+HOMEPAGE="https://linuxcontainers.org/"
+SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz"
+
+KEYWORDS="amd64 ~arm ~arm64 ~ppc64 x86"
+
+LICENSE="LGPL-3"
+SLOT="0"
+IUSE="examples pam python seccomp selinux +templates"
+
+RDEPEND="
+ net-libs/gnutls
+ sys-libs/libcap
+ pam? ( virtual/pam )
+ seccomp? ( sys-libs/libseccomp )
+ selinux? ( sys-libs/libselinux )"
+
+DEPEND="${RDEPEND}
+ >=app-text/docbook-sgml-utils-0.6.14-r2
+ >=sys-kernel/linux-headers-3.2"
+
+RDEPEND="${RDEPEND}
+ sys-apps/util-linux
+ app-misc/pax-utils
+ virtual/awk"
+
+PDEPEND="templates? ( app-emulation/lxc-templates )
+ python? ( dev-python/python3-lxc )"
+
+CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE
+ ~CPUSETS ~CGROUP_CPUACCT
+ ~CGROUP_SCHED
+
+ ~NAMESPACES
+ ~IPC_NS ~USER_NS ~PID_NS
+
+ ~CGROUP_FREEZER
+ ~UTS_NS ~NET_NS
+ ~VETH ~MACVLAN
+
+ ~POSIX_MQUEUE
+ ~!NETPRIO_CGROUP
+
+ ~!GRKERNSEC_CHROOT_MOUNT
+ ~!GRKERNSEC_CHROOT_DOUBLE
+ ~!GRKERNSEC_CHROOT_PIVOT
+ ~!GRKERNSEC_CHROOT_CHMOD
+ ~!GRKERNSEC_CHROOT_CAPS
+ ~!GRKERNSEC_PROC
+ ~!GRKERNSEC_SYSFS_RESTRICT
+"
+
+ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container"
+
+ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER: needed to freeze containers"
+
+ERROR_UTS_NS="CONFIG_UTS_NS: needed to unshare hostnames and uname info"
+ERROR_NET_NS="CONFIG_NET_NS: needed for unshared network"
+
+ERROR_VETH="CONFIG_VETH: needed for internal (host-to-container) networking"
+ERROR_MACVLAN="CONFIG_MACVLAN: needed for internal (inter-container) networking"
+
+ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: needed for lxc-execute command"
+
+ERROR_NETPRIO_CGROUP="CONFIG_NETPRIO_CGROUP: as of kernel 3.3 and lxc 0.8.0_rc1 this causes LXCs to fail booting."
+
+ERROR_GRKERNSEC_CHROOT_MOUNT="CONFIG_GRKERNSEC_CHROOT_MOUNT: some GRSEC features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE: some GRSEC features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers"
+ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT: this GRSEC feature is incompatible with unprivileged containers"
+
+DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt)
+
+pkg_setup() {
+ kernel_is -lt 4 7 && CONFIG_CHECK="${CONFIG_CHECK} ~DEVPTS_MULTIPLE_INSTANCES"
+ linux-info_pkg_setup
+}
+
+src_prepare() {
+ eapply "${FILESDIR}"/${PN}-3.0.0-bash-completion.patch
+ #558854
+ eapply "${FILESDIR}"/${PN}-2.0.5-omit-sysconfig.patch
+ eapply "${FILESDIR}"/${PN}-3.0.1-cve-2018-6556.patch
+ eapply_user
+ eautoreconf
+}
+
+src_configure() {
+ append-flags -fno-strict-aliasing
+
+ # I am not sure about the --with-rootfs-path
+ # /var/lib/lxc is probably more appropriate than
+ # /usr/lib/lxc.
+ # Note by holgersson: Why is apparmor disabled?
+
+ # --enable-doc is for manpages which is why we don't link it to a "doc"
+ # USE flag. We always want man pages.
+ econf \
+ --localstatedir=/var \
+ --bindir=/usr/bin \
+ --sbindir=/usr/bin \
+ --with-config-path=/var/lib/lxc \
+ --with-rootfs-path=/var/lib/lxc/rootfs \
+ --with-distro=gentoo \
+ --with-runtime-path=/run \
+ --disable-apparmor \
+ --disable-werror \
+ --enable-doc \
+ $(use_enable examples) \
+ $(use_enable pam) \
+ $(use_with pam pamdir $(getpam_mod_dir)) \
+ $(use_enable seccomp) \
+ $(use_enable selinux)
+}
+
+src_install() {
+ default
+
+ mv "${ED}"/usr/share/bash-completion/completions/${PN} "${ED}"/$(get_bashcompdir)/${PN}-start || die
+ bashcomp_alias ${PN}-start \
+ ${PN}-{attach,cgroup,copy,console,create,destroy,device,execute,freeze,info,monitor,snapshot,stop,unfreeze,wait}
+
+ keepdir /etc/lxc /var/lib/lxc/rootfs /var/log/lxc
+ rmdir "${D}"/var/cache/lxc "${D}"/var/cache || die "rmdir failed"
+
+ find "${D}" -name '*.la' -delete
+
+ # Gentoo-specific additions!
+ newinitd "${FILESDIR}/${PN}.initd.7" ${PN}
+
+ # Remember to compare our systemd unit file with the upstream one
+ # config/init/systemd/lxc.service.in
+ systemd_newunit "${FILESDIR}"/${PN}_at.service.4 "lxc@.service"
+
+ DOC_CONTENTS="
+ For openrc, there is an init script provided with the package.
+ You _should_ only need to symlink /etc/init.d/lxc to
+ /etc/init.d/lxc.configname to start the container defined in
+ /etc/lxc/configname.conf.
+
+ Correspondingly, for systemd a service file lxc@.service is installed.
+ Enable and start lxc@configname in order to start the container defined
+ in /etc/lxc/configname.conf.
+
+ If you want checkpoint/restore functionality, please install criu
+ (sys-process/criu)."
+ DISABLE_AUTOFORMATTING=true
+ readme.gentoo_create_doc
+}
+
+pkg_postinst() {
+ readme.gentoo_print_elog
+}
diff --git a/app-emulation/reg/Manifest b/app-emulation/reg/Manifest
index ae60d2fb68cc..0f3530bdf452 100644
--- a/app-emulation/reg/Manifest
+++ b/app-emulation/reg/Manifest
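Review bot: The `DOC_CONTENTS` text in `src_install` still tells the user to install `sys-process/criu` for checkpoint/restore, yet `CONFIG_CHECK` in this ebuild does not list `~CHECKPOINT_RESTORE` or the `~*_DIAG` options that the lxc-2.1.1-r1 ebuild in this same commit checks next to the identical sentence, and the matching `ERROR_*` strings are absent too. If checkpoint support in 3.0.1 still depends on those kernel options, the check and its messages should be restored; if they were dropped on purpose, the criu sentence should say what it now refers to. Either way, a one-line comment above `CONFIG_CHECK` such as `# checkpoint/restore kernel options are intentionally not checked here` would stop the next reader from re-adding them blindly.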
@@ -1,6 +1,8 @@ +AUX reg-0.15.4-listen-addr.patch 1519 BLAKE2B f25399e776125d433cfbc15b4e48167b7606e1c2e23604d3e68fe1e262b4c1304f12d7e3b9f3cb17de77a485a4be483f17dc3627ba7a19b350e2752ed2c23e68 SHA512 d1d3303ccdf272d8526184a5be1f28107762681cf796a568ff01249b0ff6dc5c9c5c9d6a9f47bb244cdadd42f3b24e9b21fbe3d6cdc8bc410a681d4b606f48d8 AUX reg.confd 68 BLAKE2B 90fbc7677653b2e1389a0a0dd4c06f8a108fc70f6ae8d53fb94a5ef4669296679cf0f15bf985594837b0d455206f1b928df8a65596e81c0c717c5908c1987b0c SHA512 c0e7e68e8fd09cd46af3a01dc3507ef55dc25016b00e425e673734c864f05c63fcf3dc10b7ca987f166b33cfbfea62ca6c3458b73e28d3683d5bc81cbda84c4e AUX reg.initd 595 BLAKE2B 36a5fd61c46810c1924c86c00392348e0907501f896114c3c523daebfd110e5ea292d4087fc4a41ba91ccd952c1c6b27fe1b1db60364575352a9eb9e4b207258 SHA512 96919a0d2f29631c4296bcf8adfb78d63f5d732ed350491f7df14f45744c945559110454a0c24726962da7519dd790a37a6c6a2e0d3586599dc7231743fbe03a DIST reg-0.15.4.tar.gz 4052737 BLAKE2B 34bc68d3cb161bbea02bfc0ed142cb764f2db64610ac7b2b92130cfc838cfa4fde4794da9fd2d38a9bb73e994cf386ac9f50beaa4435b88cf034a4f4d0b648cc SHA512 d5948b095c310c2697a2f7b80a342af6949e4cb66c521cdb370a6fbead7424d729057fe71952291ee1ed82717cd7bb29141f6a2f85c946e33fd96da1c17912dd EBUILD reg-0.15.4-r1.ebuild 1060 BLAKE2B 769a395dd1cfa2cbcdd691dc66a2e94f8b9efbbf24347dd9ebf56da7a6a705d6e057efaac9a227d9e22e52b679dda38ef3bbebab31c8f33b0989d5cd43f13e8b SHA512 8fc065165a355d2a8cdccd05b94fd49bf0513878f668a0123379adabe5b37a2b5e337bccd9906667ebce2f116837c1eca6923acbc57e017d9bb588e5ab40807d +EBUILD reg-0.15.4-r2.ebuild 1179 BLAKE2B afce38e0d6c9bc23af77eb7b995f0514b9b8d02d08c5f7c6a139b7643bcb3aad420d61a62deadb318e9ed0dca0d00e71407f4af914a435fbf75db1c6b0cf22d9 SHA512 18640a5b6fb4bb170dfa2ae7d6b9824e5bae12861cb8c699f31beb8bf8e183244840dfd4807d1703383fdd934e0dd621e2e24c55b95345f96724d08828166fa0 EBUILD reg-0.15.4.ebuild 836 BLAKE2B 5f6e3dcef97cdf67fbcc9d07b02ee66a611396fb98831f192e25e5af90fd8c01b9c15f4462008eae7f87174111a1e1f6902237380d7ffe49d151e5525698e0f3 SHA512 
6e63c4018a663d0b65a35ea71cefc7dd4d62e3e16c2bc4c79cf38c25a5a2c9f07345f70f3267a356d46214a3092373651692d337798be8facca2b52f028c3405
 MISC metadata.xml 326 BLAKE2B 82f2440e792104c0c9e1afe4d95b9972efc7b233524637e32f11c2b5746aba7990d88f01a542e25f7a5c9c52aac0c5c1e25bc5703d3e855ea8e8ef4ffe87929c SHA512 9fea1224db7eb9316eff5bd89ebf748cbf35160516b33a9c9a3a07d1db6a2fa64dafcf8623a24af09429f7b76cc94ee02a39145162d0b039cb9d0137bc51a20e
diff --git a/app-emulation/reg/files/reg-0.15.4-listen-addr.patch b/app-emulation/reg/files/reg-0.15.4-listen-addr.patch
new file mode 100644
index 000000000000..21f2759e5b8c
--- /dev/null
+++ b/app-emulation/reg/files/reg-0.15.4-listen-addr.patch
@@ -0,0 +1,47 @@
+From b3c826e2e48108d832cbe9fc3b630e7ff207915a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Manuel=20R=C3=BCger?=
+Date: Wed, 18 Jul 2018 19:47:12 +0200
+Subject: [PATCH] server: Allow to restrict listen address (#115)
+
+e.g. limit to listen on localhost only
+---
+ server.go | 12 +++++++-----
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/server.go b/server.go
+index 8866efed..a7cc2048 100644
+--- a/server.go
++++ b/server.go
+@@ -35,6 +35,7 @@ func (cmd *serverCommand) Register(fs *flag.FlagSet) {
+
+ fs.StringVar(&cmd.cert, "cert", "", "path to ssl cert")
+ fs.StringVar(&cmd.key, "key", "", "path to ssl key")
++ fs.StringVar(&cmd.listenAddress, "listen-address", "", "address to listen on")
+ fs.StringVar(&cmd.port, "port", "8080", "port for server to run on")
+ fs.StringVar(&cmd.assetPath, "asset-path", "", "Path to assets and templates")
+
+@@ -48,10 +49,11 @@ type serverCommand struct {
+
+ generateAndExit bool
+
+- cert string
+- key string
+- port string
+- assetPath string
++ cert string
++ key string
++ listenAddress string
++ port string
++ assetPath string
+ }
+
+ func (cmd *serverCommand) Run(ctx context.Context, args []string) error {
+@@ -180,7 +182,7 @@ func (cmd *serverCommand) Run(ctx context.Context, args []string) error {
+
+ // Set up the server.
+ server := &http.Server{
+- Addr: ":" + cmd.port,
++ Addr: cmd.listenAddress + ":" + cmd.port,
+ Handler: mux,
+ }
+ logrus.Infof("Starting server on port %q", cmd.port)
diff --git a/app-emulation/reg/reg-0.15.4-r2.ebuild b/app-emulation/reg/reg-0.15.4-r2.ebuild
new file mode 100644
index 000000000000..1bebb08c1e9d
--- /dev/null
+++ b/app-emulation/reg/reg-0.15.4-r2.ebuild
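Review bot: `Addr: cmd.listenAddress + ":" + cmd.port` in the new `http.Server` literal breaks for IPv6 literals — `--listen-address ::1` produces `::1:8080`, which net.Listen rejects as having too many colons — so the loopback-only deployment this flag was added for cannot be expressed over IPv6; `Addr: net.JoinHostPort(cmd.listenAddress, cmd.port),` brackets the host when needed and still yields `:8080` for the empty default (add `"net"` to server.go's imports if it is not already there; the hunk does not show them). The default of `""` means the daemon still binds every interface unless the flag is passed, so the hardening is opt-in and the help text should say so: `"address to listen on (default: all interfaces)"`. The unchanged `Starting server on port %q` log line also hides the effective bind address; logging `server.Addr` instead would make it visible. The body of `Run` continues outside the lines the patch shows.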
@@ -0,0 +1,50 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+inherit golang-build golang-vcs-snapshot user
+
+EGO_PN="github.com/genuinetools/reg"
+GIT_COMMIT="8c930c585418564a4ce472fbbfccb8c5741c2520"
+ARCHIVE_URI="https://${EGO_PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+KEYWORDS="~amd64"
+
+DESCRIPTION="Docker registry v2 command line client"
+HOMEPAGE="https://github.com/genuinetools/reg"
+SRC_URI="${ARCHIVE_URI}"
+LICENSE="MIT"
+SLOT="0"
+IUSE=""
+
+RESTRICT="test"
+
+PATCHES=( "${FILESDIR}"/${P}-listen-addr.patch )
+
+pkg_setup() {
+ enewgroup reg
+ enewuser reg -1 -1 /var/lib/reg reg
+}
+
+src_prepare() {
+ pushd src/${EGO_PN} || die
+ default
+ popd || die
+}
+
+src_compile() {
+ pushd src/${EGO_PN} || die
+ GOPATH="${S}" go build -v -ldflags "-X ${EGO_PN}/version.GITCOMMIT=${GIT_COMMIT} -X ${EGO_PN}/version.VERSION=${PV}" -o "${S}"/bin/reg . || die
+ popd || die
+}
+
+src_install() {
+ dobin bin/*
+ dodoc src/${EGO_PN}/README.md
+ insinto /var/lib/${PN}
+ doins -r src/${EGO_PN}/server/*
+ newinitd "${FILESDIR}"/reg.initd reg
+ newconfd "${FILESDIR}"/reg.confd reg
+
+ keepdir /var/log/reg
+ fowners -R reg:reg /var/log/reg /var/lib/reg/static
+}
diff --git a/app-emulation/spice/Manifest b/app-emulation/spice/Manifest
index 8449262ec0e5..b03e8c4f61ff 100644
--- a/app-emulation/spice/Manifest
+++ b/app-emulation/spice/Manifest
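Review bot: The -r2 revision pulls in the listen-address patch but nothing in `src_install` makes use of it: `newinitd`/`newconfd` install `reg.initd` and `reg.confd` unchanged (the reg Manifest hunk lists both as untouched context lines), so unless the existing conf.d already passes the flag — not visible here — the service still starts with `--listen-address` unset and binds every interface, and the revision bump changes nothing for the installed system. Shipping a loopback default in the conf.d file, e.g. `REG_OPTS="--listen-address 127.0.0.1"`, or at least an `elog` in a `pkg_postinst` telling admins to set it, would make the new option count. Separately, `fowners -R reg:reg /var/log/reg /var/lib/reg/static` gives the service account write access to the assets it serves; if the server only reads them at runtime (the patch's `generateAndExit` field suggests it may regenerate them, so verify against the upstream code), leaving the static tree root-owned and chowning only `/var/log/reg` keeps a compromised process from rewriting what it serves.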
@@ -3,7 +3,7 @@ AUX spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch 1902 AUX spice-0.13.3-reds-Avoid-integer-overflows-handling-monitor-config.patch 1022 BLAKE2B eff6063372af35b926663393afc022a4e0b875c22402136ed41be394951958789a2c8de26e8791664cbef1c8bee7e9344f8fe7f39563e7b14567f9ebff2b0fa8 SHA512 4f815f091c0eec1ccfaa3438390087d4b7390e3ea84e353e42638a850e0faa552077af443719f2015ce36375ac2ac400721677462a2739ecf05fdf8c2e778b41 AUX spice-0.13.3-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch 2988 BLAKE2B 99bca01b78b4acb875085628613f47a8c07c87061b77a50fdb4abc45770aa75a88bc75310e3a8a558d303861f17480b6362751f4073a54c5909aaca8c11422ef SHA512 ee15a37c45527869415d301968857f47a4536462bcea6fb5608862fa7019b2eeba36d08563b74feb7a96bc565dd6fe09349c736c4677d43c1f13fc95f1c42c06 AUX spice-0.13.3-skip_faulty_lz4_check.patch 566 BLAKE2B 4775395c0e39e8c930078365ac2b05c21d30698b4cd472e56eb77fcde3f83894f3649c066824ad424dd0178200e17a8cd207046552dfebd3944de88e96d406e9 SHA512 aa16b86446f42a08c5d76927090e6b01817308520b34affcdd28a9e89d70d344f5ce47d1600c5cc564ecdf428cbfe8cf456ce8d3ccf4e686bd0cfb2f9fe5fe33 -AUX spice-0.14.0-libressl_fix.patch 488 BLAKE2B ab316ba0e5ca7299304dae229216291f0c2e80720f16dd0bd3de825b311b57cea3dd52b1afa029e5c246abe4244c30deda55f40262085ed2290799748cdb27d2 SHA512 80d809aa7cb92cb5b51a00c1d92f3160110ceefedf6fbebdc77726dec99f253fa9c308b5e5356620ea5b426c14857ad87d8aa861913b22c5b1eecb6df1ce922e +AUX spice-0.14.0-libressl_fix.patch 530 BLAKE2B 136e0b87931d487a018cdf0be4acfc0b05d474eb2e1a0583e05f9184ac6aa3b3a5dc58537ed167b13655b9180f06ba489c7805caa95d39a1af1fff410000e675 SHA512 f29f0a47edb2552b0908d0ceea7546efa90ad572217ce9184da031507be9f65a83ef39684dc3d8610bea4993a8f26ed78bce17781c893a4fca1cbdf9ba5140e3 AUX spice-0.14.0-openssl1.1_fix.patch 614 BLAKE2B fb7b39e73d37bc6ab27035c7d7a742fa648afb62777bcbd9dbdd7480b5b5461da6147b4f3368e04aaf04f8ef5780aeab1e7679f4fcf7aa1005df7d28a4fca7a1 SHA512 
1b0b83b7222af0f60bdb5a3469881a4e84f8df824d2741710da04b8bdec95e691f97137f2ee67ad71065918b329285d215aa086d5f46dc83b18334eb17ef6dc8 DIST spice-0.13.3.tar.bz2 1322505 BLAKE2B 56f9cd34bb48fdcf750230242b27567db713ef749649d4b780a82d0d4ec5d326b19540c9bb4f36c164d40a692eb0368c39e05ee8dba319dd8461a0315e5a9a17 SHA512 63496fbd3df0fd453052cef8e1fb00a3a28f0105610676fdc4a58043cbc6da571ae4407701af2b817e410d05ce727d60d5ee0c93c8897231e25229897c51d95a DIST spice-0.14.0.tar.bz2 1330195 BLAKE2B 08f93e8ddeb79adb4feac0557a854cc41fd096a9dfefc0baaca176803c2a03ef9286c4f61a135d62ad22e3ac3f4bb31ffd1614c8ddeaec7ae8c01eca34da1750 SHA512 84532146aa628ca6ca459a82afb89d6391892e063668fd4a68023c92cee7ca868b6c82e31dd9886819b76ea745ebdae0d0030e1f608d8f58f51c00f0b09bae1f diff --git a/app-emulation/spice/files/spice-0.14.0-libressl_fix.patch b/app-emulation/spice/files/spice-0.14.0-libressl_fix.patch index 2f77fa5a0006..1dfce9480e9c 100644 --- a/app-emulation/spice/files/spice-0.14.0-libressl_fix.patch +++ b/app-emulation/spice/files/spice-0.14.0-libressl_fix.patch @@ -7,7 +7,7 @@ index a9ed650..27aa5d3 100644 #include -#if OPENSSL_VERSION_NUMBER < 0x10100000 -+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined (LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER < 0x10100000 || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) static const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *asn1) { return M_ASN1_STRING_data(asn1); -- cgit v1.2.3
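Review bot: The new `LIBRESSL_VERSION_NUMBER < 0x20700000L` bound on the `+#if` line is an unexplained magic number; presumably 2.7.0 is the LibreSSL release that added `ASN1_STRING_get0_data()`, and a comment saying so, e.g. `/* LibreSSL < 2.7.0 lacks ASN1_STRING_get0_data(); OpenSSL has it from 1.1.0 */`, would tell the next maintainer why the shim is gated this way and when it can go. The condition itself is sound: LibreSSL reports an `OPENSSL_VERSION_NUMBER` above the 1.1.0 threshold, so only the second clause can select the fallback for it. The `0x10100000` literal has no `L` suffix while the new constant does; harmless, but worth making consistent while touching the line.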