From 4f2d7949f03e1c198bc888f2d05f421d35c57e21 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Mon, 9 Oct 2017 18:53:29 +0100 Subject: reinit the tree, so we can have metadata
---
 ...-umask-from-002-to-022-in-CreateDir-macro.patch | 58 ++++++++++++++++++++++ net-misc/omniORB/files/ldflags.patch | 11 ++++ net-misc/omniORB/files/omniNames | 21 ++++++++ .../files/omniORB-4.1.4-format-security.patch | 16 ++++++ .../omniORB/files/omniORB-4.1.4-openssl-1.patch | 31 ++++++++++++ 5 files changed, 137 insertions(+) create mode 100644 net-misc/omniORB/files/change-umask-from-002-to-022-in-CreateDir-macro.patch create mode 100644 net-misc/omniORB/files/ldflags.patch create mode 100644 net-misc/omniORB/files/omniNames create mode 100644 net-misc/omniORB/files/omniORB-4.1.4-format-security.patch create mode 100644 net-misc/omniORB/files/omniORB-4.1.4-openssl-1.patch (limited to 'net-misc/omniORB/files')
diff --git a/net-misc/omniORB/files/change-umask-from-002-to-022-in-CreateDir-macro.patch b/net-misc/omniORB/files/change-umask-from-002-to-022-in-CreateDir-macro.patch new file mode 100644
index 000000000000..2aaab59ef201
--- /dev/null
+++ b/net-misc/omniORB/files/change-umask-from-002-to-022-in-CreateDir-macro.patch
@@ -0,0 +1,58 @@
+From 2a0ea5621ef7cd9303e49657166dfd04ffa624d7 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky
+Date: Tue, 16 Aug 2016 13:55:08 -0400
+Subject: [PATCH 1/1] mk: Change umask from 002 to 022 in the CreateDir macro.
+
+The build system has a macro called CreateDir that does more or less
+what you'd expect. But before it creates the directory given to it, it
+sets the umask to 002. This can be a vulnerability, since we don't
+know who the end user will be building the software as; there may be
+untrusted people in his default group. In that case, one of those
+people can overwrite the scripts in the directory created by CreateDir
+before the user executes them.
+
+There is a kernel-level workaround for these types of vulnerabilities
+in the Grsecurity project called Trusted Path Execution (TPE). When
+enabled, users are not allowed to execute files in directories not
+owned by themselves or root. When that restriction is enabled, omniORB
+fails to build (due to the aforementioned umask).
+
+This commit changes the umask to 022 in CreateDir. This should not
+cause any problems (ha ha), and is safer than the previous umask of
+002. It also fixes the build on systems where TPE is enabled.
+
+Gentoo-Bug: 576040
+---
+ mk/beforeauto.mk.in | 2 +-
+ mk/beforedir.mk | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mk/beforeauto.mk.in b/mk/beforeauto.mk.in
+index 83d544c..9f65c69 100644
+--- a/mk/beforeauto.mk.in
++++ b/mk/beforeauto.mk.in
+@@ -167,7 +167,7 @@ unexport SUBDIRS
+ 
+ define CreateDir
+ if [ ! -d $$dir ]; then \
+- (umask 002; set -x; $(MKDIRHIER) $$dir); \
++ (umask 022; set -x; $(MKDIRHIER) $$dir); \
+ fi
+ endef
+ 
+diff --git a/mk/beforedir.mk b/mk/beforedir.mk
+index f804ed3..855bc4d 100644
+--- a/mk/beforedir.mk
++++ b/mk/beforedir.mk
+@@ -187,7 +187,7 @@ unexport SUBDIRS
+ 
+ define CreateDir
+ if [ ! -d $$dir ]; then \
+- (umask 002; set -x; $(MKDIRHIER) $$dir); \
++ (umask 022; set -x; $(MKDIRHIER) $$dir); \
+ fi
+ endef
+ 
+--
+2.7.3
+
diff --git a/net-misc/omniORB/files/ldflags.patch b/net-misc/omniORB/files/ldflags.patch new file mode 100644
index 000000000000..471df27ae7f4
--- /dev/null
+++ b/net-misc/omniORB/files/ldflags.patch
@@ -0,0 +1,11 @@
+--- mk/beforeauto.mk.in.orig 2010-04-24 21:13:17.000000000 +0200
++++ mk/beforeauto.mk.in 2010-04-24 21:14:24.000000000 +0200
+@@ -541,7 +541,7 @@
+ SharedLibraryLibNameTemplate = lib$$1$$2.$(SHAREDLIB_SUFFIX)
+ SharedLibraryImplibNameTemplate = lib$$1$$2.a
+ 
+-SharedLibraryPlatformLinkFlagsTemplate = -shared -Wl,-soname,$$soname
++SharedLibraryPlatformLinkFlagsTemplate = -shared -Wl,-soname,$$soname @LDFLAGS@
+ 
+ define SharedLibraryFullName
+ fn() { \
diff --git a/net-misc/omniORB/files/omniNames b/net-misc/omniORB/files/omniNames new file mode 100644
index 000000000000..e2e7851fd3a2
--- /dev/null
+++ b/net-misc/omniORB/files/omniNames
@@ -0,0 +1,21 @@
+#!/sbin/openrc-run
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+depend() {
+ need net
+}
+
+start() {
+ ebegin "Starting omniNames"
+ start-stop-daemon --start --background --make-pidfile --pidfile /var/run/omniNames.pid \
+ --exec /usr/bin/omniNames -- -start -always -logdir /var/log/omniORB \
+ -errlog /var/log/omniORB/omniORB.errors
+ eend $? "Error starting omniNames."
+}
+
+stop() {
+ ebegin "Stopping omniNames"
+ start-stop-daemon --stop --pidfile /var/run/omniNames.pid
+ eend $? "Error stopping omniNames."
+}
diff --git a/net-misc/omniORB/files/omniORB-4.1.4-format-security.patch b/net-misc/omniORB/files/omniORB-4.1.4-format-security.patch new file mode 100644
index 000000000000..2af8d21d308d
--- /dev/null
+++ b/net-misc/omniORB/files/omniORB-4.1.4-format-security.patch
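Review bot: The hardening in both CreateDir hunks (mk/beforeauto.mk.in and mk/beforedir.mk, which are identical) only covers directories the macro creates itself: the `if [ ! -d $$dir ]` guard skips a directory that already exists, so a tree created earlier under umask 002 stays group-writable until it is removed, and the `umask 022` runs inside the `( … )` subshell, so files later written into that directory still get the mode of the invoking make's umask. That looks adequate for the stated goal (fresh checkouts and the TPE build failure), but it is worth a line in the patch header so nobody reads it as a complete fix, e.g. `Only affects directories created by this macro; existing build trees keep their mode, and the builder's own umask still governs files written into them.`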
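Review bot: start() launches omniNames as root: the `start-stop-daemon --start` line passes no `--user`, so a network-facing service (`need net`) that also writes under /var/log/omniORB runs with full privileges. Consider a dedicated service account, `--user <service-account>` on the start line, and creating the log directory with matching ownership before starting, `checkpath -d -o <service-account> /var/log/omniORB`, since nothing in the script ensures the `-logdir /var/log/omniORB` directory exists (`<service-account>` is a placeholder for the name the ebuild would create). Separately, stop() matches by pidfile alone; adding `--exec /usr/bin/omniNames` to the `--stop` call avoids signalling an unrelated process if the pidfile is stale.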
@@ -0,0 +1,16 @@
+ src/tool/omniidl/cxx/cccp/cccp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tool/omniidl/cxx/cccp/cccp.c b/src/tool/omniidl/cxx/cccp/cccp.c
+index 0198b1a..64d80ae 100644
+--- a/src/tool/omniidl/cxx/cccp/cccp.c
++++ b/src/tool/omniidl/cxx/cccp/cccp.c
+@@ -8034,7 +8034,7 @@ macroexpand (hp, op)
+ else
+ parse_error = macarg (NULL_PTR, 0);
+ if (parse_error) {
+- error_with_line (line_for_error (start_line), parse_error);
++ error_with_line (line_for_error (start_line), "%s", parse_error);
+ break;
+ }
+ i++;
diff --git a/net-misc/omniORB/files/omniORB-4.1.4-openssl-1.patch b/net-misc/omniORB/files/omniORB-4.1.4-openssl-1.patch new file mode 100644
index 000000000000..968013a25781
--- /dev/null
+++ b/net-misc/omniORB/files/omniORB-4.1.4-openssl-1.patch
@@ -0,0 +1,31 @@
+http://bugs.gentoo.org/326791
+
+--- include/omniORB4/sslContext.h
++++ include/omniORB4/sslContext.h
+@@ -111,7 +111,11 @@
+ virtual ~sslContext();
+ 
+ protected:
+- virtual SSL_METHOD* set_method();
++ #if OPENSSL_VERSION_NUMBER >= 0x10000000L
++ virtual const SSL_METHOD* set_method();
++ #else
++ virtual SSL_METHOD* set_method();
++ #endif
+ // Default to return SSLv23_method().
+ 
+ virtual void set_supported_versions();
+--- src/lib/omniORB/orbcore/ssl/sslContext.cc
++++ src/lib/omniORB/orbcore/ssl/sslContext.cc
+@@ -197,7 +197,11 @@
+ }
+ 
+ /////////////////////////////////////////////////////////////////////////
++#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++const SSL_METHOD*
++#else
+ SSL_METHOD*
++#endif
+ sslContext::set_method() {
+ return SSLv23_method();
+ }
-- cgit v1.2.3
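Review bot: The patch carries no description: unlike the other patches in this commit, which cite a Gentoo bug, omniORB-4.1.4-format-security.patch opens directly with the diffstat, so a reader has to recover the intent from the single changed line in macroexpand. Suggest a header such as `Pass parse_error through "%s" instead of using it as the format string, so the bundled cccp.c builds with -Wformat-security and a message containing % sequences is never interpreted as conversions.` The change itself is the correct shape for this warning; whether other `error_with_line` call sites in cccp.c have the same pattern is not visible from this hunk.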
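Review bot: Both hunks repeat the `#if OPENSSL_VERSION_NUMBER >= 0x10000000L` conditional around the return type of the virtual `set_method()`, and the surviving comment `// Default to return SSLv23_method().` suggests subclasses are meant to override it; any such override must now copy the same `#if`, otherwise its signature will not match under one OpenSSL version and it silently becomes a new function rather than an override. A single typedef for the method type in sslContext.h, used by both the declaration and the definition in sslContext.cc, keeps the conditional in one place and gives overriders one name to use. The `#if` in the .cc hunk also splits the return type from `sslContext::set_method()` across preprocessor lines, which is harder to read than a typedef. Sketch below; the typedef name is constructed for this note, and the class body around the declaration lies outside the hunk.
```cpp
// include/omniORB4/sslContext.h  (typedef name constructed for this note)
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
typedef const SSL_METHOD omniSSLMethod;
#else
typedef SSL_METHOD omniSSLMethod;
#endif
// … unchanged: class sslContext declaration up to the protected section …
  virtual omniSSLMethod* set_method();
  // Default to return SSLv23_method().

// src/lib/omniORB/orbcore/ssl/sslContext.cc
omniSSLMethod*
sslContext::set_method() {
  return SSLv23_method();
}
```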