authorMart Raudsepp <leio@gentoo.org>2019-07-23 16:00:09 +0300
committerMart Raudsepp <leio@gentoo.org>2019-07-23 16:00:23 +0300
commitf584ca053067b4aa6fb09cfe655ab260035366d2 (patch)
tree96833610806ce437dd00ea15cd5f457d901939fd /dev-libs
parentapp-misc/rtlamr: Fix typo in HOMEPAGE (diff)
dev-libs/glib: fix CVE-2019-12450
Plus an unrelated small patch from the upstream 2-58 branch.
Bug: https://bugs.gentoo.org/690498
Package-Manager: Portage-2.3.62, Repoman-2.3.12
Signed-off-by: Mart Raudsepp <leio@gentoo.org>
Diffstat (limited to 'dev-libs')
-rw-r--r--dev-libs/glib/files/2.58.3-CVE-2019-12450.patch53
-rw-r--r--dev-libs/glib/files/2.58.3-gdbusmessage-limit-fix.patch120
-rw-r--r--dev-libs/glib/glib-2.58.3-r1.ebuild315
3 files changed, 488 insertions, 0 deletions
diff --git a/dev-libs/glib/files/2.58.3-CVE-2019-12450.patch b/dev-libs/glib/files/2.58.3-CVE-2019-12450.patch
new file mode 100644
index 000000000000..949ac56431f1
--- /dev/null
+++ b/dev-libs/glib/files/2.58.3-CVE-2019-12450.patch
@@ -0,0 +1,53 @@
+From e6b769819d63d2b24b251dbc9f902fe6fd614da3 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Thu, 23 May 2019 10:41:53 +0200
+Subject: [PATCH] gfile: Limit access to files when copying
+
+file_copy_fallback creates new files with default permissions and
+set the correct permissions after the operation is finished. This
+might cause that the files can be accessible by more users during
+the operation than expected. Use G_FILE_CREATE_PRIVATE for the new
+files to limit access to those files.
+---
+ gio/gfile.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/gio/gfile.c b/gio/gfile.c
+index 1cc69166a..13b435480 100644
+--- a/gio/gfile.c
++++ b/gio/gfile.c
+@@ -3284,12 +3284,12 @@ file_copy_fallback (GFile *source,
+ out = (GOutputStream*)_g_local_file_output_stream_replace (_g_local_file_get_filename (G_LOCAL_FILE (destination)),
+ FALSE, NULL,
+ flags & G_FILE_COPY_BACKUP,
+- G_FILE_CREATE_REPLACE_DESTINATION,
+- info,
++ G_FILE_CREATE_REPLACE_DESTINATION |
++ G_FILE_CREATE_PRIVATE, info,
+ cancellable, error);
+ else
+ out = (GOutputStream*)_g_local_file_output_stream_create (_g_local_file_get_filename (G_LOCAL_FILE (destination)),
+- FALSE, 0, info,
++ FALSE, G_FILE_CREATE_PRIVATE, info,
+ cancellable, error);
+ }
+ else if (flags & G_FILE_COPY_OVERWRITE)
+@@ -3297,12 +3297,13 @@ file_copy_fallback (GFile *source,
+ out = (GOutputStream *)g_file_replace (destination,
+ NULL,
+ flags & G_FILE_COPY_BACKUP,
+- G_FILE_CREATE_REPLACE_DESTINATION,
++ G_FILE_CREATE_REPLACE_DESTINATION |
++ G_FILE_CREATE_PRIVATE,
+ cancellable, error);
+ }
+ else
+ {
+- out = (GOutputStream *)g_file_create (destination, 0, cancellable, error);
++ out = (GOutputStream *)g_file_create (destination, G_FILE_CREATE_PRIVATE, cancellable, error);
+ }
+
+ if (!out)
+--
+2.20.1
+
diff --git a/dev-libs/glib/files/2.58.3-gdbusmessage-limit-fix.patch b/dev-libs/glib/files/2.58.3-gdbusmessage-limit-fix.patch
new file mode 100644
index 000000000000..0828132003d3
--- /dev/null
+++ b/dev-libs/glib/files/2.58.3-gdbusmessage-limit-fix.patch
@@ -0,0 +1,120 @@
+From 2d655ef8954695cabf9e99cc61411de2bb4cb847 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <withnall@endlessm.com>
+Date: Mon, 28 Jan 2019 14:36:42 +0000
+Subject: [PATCH] gdbusmessage: Fix check on upper limit of message size
+
+There was a typo in the figure checked against. Add a unit test.
+
+Signed-off-by: Philip Withnall <withnall@endlessm.com>
+
+https://gitlab.gnome.org/GNOME/glib/issues/1642
+---
+ gio/gdbusmessage.c | 2 +-
+ gio/tests/gdbus-message.c | 72 ++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 72 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gdbusmessage.c b/gio/gdbusmessage.c
+index 169e6fd15..2ad51f888 100644
+--- a/gio/gdbusmessage.c
++++ b/gio/gdbusmessage.c
+@@ -1984,7 +1984,7 @@ g_dbus_message_bytes_needed (guchar *blob,
+ "Unable to determine message blob length - given blob is malformed");
+ }
+
+- if (ret > (2<<27))
++ if (ret > (1<<27))
+ {
+ g_set_error (error,
+ G_IO_ERROR,
+diff --git a/gio/tests/gdbus-message.c b/gio/tests/gdbus-message.c
+index 88a9c5d86..74e0f712e 100644
+--- a/gio/tests/gdbus-message.c
++++ b/gio/tests/gdbus-message.c
+@@ -141,6 +141,74 @@ message_copy (void)
+
+ /* ---------------------------------------------------------------------------------------------------- */
+
++/* Test g_dbus_message_bytes_needed() returns correct results for a variety of
++ * arbitrary binary inputs.*/
++static void
++message_bytes_needed (void)
++{
++ const struct
++ {
++ const guint8 blob[16];
++ gssize expected_bytes_needed;
++ }
++ vectors[] =
++ {
++ /* Little endian with header rounding */
++ { { 'l', 0, 0, 1, /* endianness, message type, flags, protocol version */
++ 50, 0, 0, 0, /* body length */
++ 1, 0, 0, 0, /* message serial */
++ 7, 0, 0, 0 /* header length */}, 74 },
++ /* Little endian without header rounding */
++ { { 'l', 0, 0, 1, /* endianness, message type, flags, protocol version */
++ 50, 0, 0, 0, /* body length */
++ 1, 0, 0, 0, /* message serial */
++ 8, 0, 0, 0 /* header length */}, 74 },
++ /* Big endian with header rounding */
++ { { 'B', 0, 0, 1, /* endianness, message type, flags, protocol version */
++ 0, 0, 0, 50, /* body length */
++ 0, 0, 0, 1, /* message serial */
++ 0, 0, 0, 7 /* header length */}, 74 },
++ /* Big endian without header rounding */
++ { { 'B', 0, 0, 1, /* endianness, message type, flags, protocol version */
++ 0, 0, 0, 50, /* body length */
++ 0, 0, 0, 1, /* message serial */
++ 0, 0, 0, 8 /* header length */}, 74 },
++ /* Invalid endianness */
++ { { '!', 0, 0, 1, /* endianness, message type, flags, protocol version */
++ 0, 0, 0, 50, /* body length */
++ 0, 0, 0, 1, /* message serial */
++ 0, 0, 0, 8 /* header length */}, -1 },
++ /* Oversized */
++ { { 'l', 0, 0, 1, /* endianness, message type, flags, protocol version */
++ 0, 0, 0, 0x08, /* body length (128MiB) */
++ 1, 0, 0, 0, /* message serial */
++ 7, 0, 0, 0 /* header length */}, -1 },
++ };
++ gsize i;
++
++ for (i = 0; i < G_N_ELEMENTS (vectors); i++)
++ {
++ gssize bytes_needed;
++ GError *local_error = NULL;
++
++ g_test_message ("Vector: %" G_GSIZE_FORMAT, i);
++
++ bytes_needed = g_dbus_message_bytes_needed ((guchar *) vectors[i].blob,
++ G_N_ELEMENTS (vectors[i].blob),
++ &local_error);
++
++ if (vectors[i].expected_bytes_needed < 0)
++ g_assert_error (local_error, G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT);
++ else
++ g_assert_no_error (local_error);
++ g_assert_cmpint (bytes_needed, ==, vectors[i].expected_bytes_needed);
++
++ g_clear_error (&local_error);
++ }
++}
++
++/* ---------------------------------------------------------------------------------------------------- */
++
+ int
+ main (int argc,
+ char *argv[])
+@@ -151,6 +219,8 @@ main (int argc,
+
+ g_test_add_func ("/gdbus/message/lock", message_lock);
+ g_test_add_func ("/gdbus/message/copy", message_copy);
+- return g_test_run();
++ g_test_add_func ("/gdbus/message/bytes-needed", message_bytes_needed);
++
++ return g_test_run ();
+ }
+
+--
+2.20.1
+
diff --git a/dev-libs/glib/glib-2.58.3-r1.ebuild b/dev-libs/glib/glib-2.58.3-r1.ebuild
new file mode 100644
index 000000000000..310e79a8cf41
--- /dev/null
+++ b/dev-libs/glib/glib-2.58.3-r1.ebuild
@@ -0,0 +1,315 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+PYTHON_COMPAT=( python{2_7,3_5,3_6,3_7} )
+GNOME2_EAUTORECONF=yes
+
+inherit autotools bash-completion-r1 epunt-cxx flag-o-matic gnome2 libtool linux-info \
+ multilib multilib-minimal pax-utils python-any-r1 toolchain-funcs virtualx
+
+# Until bug #537330 glib is a reverse dependency of pkgconfig and, then
+# adding new dependencies end up making stage3 to grow. Every addition needs
+# then to be think very closely.
+
+DESCRIPTION="The GLib library of C routines"
+HOMEPAGE="https://www.gtk.org/"
+SRC_URI="${SRC_URI}
+ https://pkgconfig.freedesktop.org/releases/pkg-config-0.28.tar.gz" # pkg.m4 for eautoreconf
+
+LICENSE="LGPL-2.1+"
+SLOT="2"
+IUSE="dbus debug fam gtk-doc kernel_linux +mime selinux static-libs systemtap test utils xattr"
+
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux"
+
+# Added util-linux multilib dependency to have libmount support (which
+# is always turned on on linux systems, unless explicitly disabled, but
+# this ebuild does not do that anyway) (bug #599586)
+
+RDEPEND="
+ !<dev-util/gdbus-codegen-${PV}
+ >=dev-libs/libpcre-8.31:3[${MULTILIB_USEDEP},static-libs?]
+ >=virtual/libiconv-0-r1[${MULTILIB_USEDEP}]
+ >=virtual/libffi-3.0.13-r1:=[${MULTILIB_USEDEP}]
+ >=virtual/libintl-0-r2[${MULTILIB_USEDEP}]
+ >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
+ kernel_linux? ( >=sys-apps/util-linux-2.23[${MULTILIB_USEDEP}] )
+ selinux? ( >=sys-libs/libselinux-2.2.2-r5[${MULTILIB_USEDEP}] )
+ xattr? ( >=sys-apps/attr-2.4.47-r1[${MULTILIB_USEDEP}] )
+ fam? ( >=virtual/fam-0-r1[${MULTILIB_USEDEP}] )
+ utils? (
+ >=dev-util/gdbus-codegen-${PV}
+ virtual/libelf:0=
+ )
+"
+DEPEND="${RDEPEND}
+ app-text/docbook-xml-dtd:4.1.2
+ app-text/docbook-xsl-stylesheets
+ >=dev-libs/libxslt-1.0
+ >=sys-devel/gettext-0.11
+ gtk-doc? ( >=dev-util/gtk-doc-1.20 )
+ systemtap? ( >=dev-util/systemtap-1.3 )
+ ${PYTHON_DEPS}
+ test? (
+ sys-devel/gdb
+ >=dev-util/gdbus-codegen-${PV}
+ >=sys-apps/dbus-1.2.14 )
+"
+# configure.ac has gtk-doc-am stuff behind m4_ifdef, so we don't need a gtk-doc-am build dep
+
+# Migration of glib-genmarshal, glib-mkenums and gtester-report to a separate
+# python depending package, which can be buildtime depended in packages that
+# need these tools, without pulling in python at runtime.
+RDEPEND="${RDEPEND}
+ >=dev-util/glib-utils-${PV}"
+PDEPEND="
+ dbus? ( gnome-base/dconf )
+ mime? ( x11-misc/shared-mime-info )
+"
+# shared-mime-info needed for gio/xdgmime, bug #409481
+# dconf is needed to be able to save settings, bug #498436
+
+MULTILIB_CHOST_TOOLS=(
+ /usr/bin/gio-querymodules$(get_exeext)
+)
+
+pkg_setup() {
+ if use kernel_linux ; then
+ CONFIG_CHECK="~INOTIFY_USER"
+ if use test ; then
+ CONFIG_CHECK="~IPV6"
+ WARNING_IPV6="Your kernel needs IPV6 support for running some tests, skipping them."
+ fi
+ linux-info_pkg_setup
+ fi
+ python-any-r1_pkg_setup
+}
+
+src_prepare() {
+ # Prevent build failure in stage3 where pkgconfig is not available, bug #481056
+ mv -f "${WORKDIR}"/pkg-config-*/pkg.m4 "${S}"/m4macros/ || die
+
+ if use test; then
+ # Disable tests requiring dev-util/desktop-file-utils when not installed, bug #286629, upstream bug #629163
+ if ! has_version dev-util/desktop-file-utils ; then
+ ewarn "Some tests will be skipped due dev-util/desktop-file-utils not being present on your system,"
+ ewarn "think on installing it to get these tests run."
+ sed -i -e "/appinfo\/associations/d" gio/tests/appinfo.c || die
+ sed -i -e "/g_test_add_func/d" gio/tests/desktop-app-info.c || die
+ fi
+
+ # gdesktopappinfo requires existing terminal (gnome-terminal or any
+ # other), falling back to xterm if one doesn't exist
+ #if ! has_version x11-terms/xterm && ! has_version x11-terms/gnome-terminal ; then
+ # ewarn "Some tests will be skipped due to missing terminal program"
+ # These tests seem to sometimes fail even with a terminal; skip for now and reevulate with meson
+ # Also try https://gitlab.gnome.org/GNOME/glib/issues/1601 once ready for backport (or in a bump) and file new issue if still fails
+ sed -i -e "/appinfo\/launch/d" gio/tests/appinfo.c || die
+ # desktop-app-info/launch* might fail similarly
+ sed -i -e "/desktop-app-info\/launch-as-manager/d" gio/tests/desktop-app-info.c || die
+ #fi
+
+ # https://bugzilla.gnome.org/show_bug.cgi?id=722604
+ sed -i -e "/timer\/stop/d" glib/tests/timer.c || die
+ sed -i -e "/timer\/basic/d" glib/tests/timer.c || die
+
+ ewarn "Tests for search-utils have been skipped"
+ sed -i -e "/search-utils/d" glib/tests/Makefile.am || die
+ else
+ # Don't build tests, also prevents extra deps, bug #512022
+ sed -i -e 's/ tests//' {.,gio,glib}/Makefile.am || die
+ fi
+
+ # gdbus-codegen is a separate package
+ eapply "${FILESDIR}"/${PN}-2.58.2-external-gdbus-codegen.patch
+
+ # gdbus message upper limit check fix from glib-2-58
+ eapply "${FILESDIR}"/${PV}-gdbusmessage-limit-fix.patch
+ # gfile copy fallback security fix (wrong permissions at start)
+ eapply "${FILESDIR}"/${PV}-CVE-2019-12450.patch
+
+ # Tarball doesn't come with gtk-doc.make and we can't unconditionally depend on dev-util/gtk-doc due
+ # to circular deps during bootstramp. If actually not building gtk-doc, an almost empty file will do
+ # fine as well - this is also what upstream autogen.sh does if gtkdocize is not found. If gtk-doc is
+ # installed, eautoreconf will call gtkdocize, which overwrites the empty gtk-doc.make with a full copy.
+ cat > gtk-doc.make << EOF
+EXTRA_DIST =
+CLEANFILES =
+EOF
+
+ gnome2_src_prepare
+ epunt_cxx
+}
+
+multilib_src_configure() {
+ # Avoid circular depend with dev-util/pkgconfig and
+ # native builds (cross-compiles won't need pkg-config
+ # in the target ROOT to work here)
+ if ! tc-is-cross-compiler && ! $(tc-getPKG_CONFIG) --version >& /dev/null; then
+ if has_version sys-apps/dbus; then
+ export DBUS1_CFLAGS="-I/usr/include/dbus-1.0 -I/usr/$(get_libdir)/dbus-1.0/include"
+ export DBUS1_LIBS="-ldbus-1"
+ fi
+ export LIBFFI_CFLAGS="-I$(echo /usr/$(get_libdir)/libffi-*/include)"
+ export LIBFFI_LIBS="-lffi"
+ export PCRE_CFLAGS=" " # test -n "$PCRE_CFLAGS" needs to pass
+ export PCRE_LIBS="-lpcre"
+ fi
+
+ # These configure tests don't work when cross-compiling.
+ if tc-is-cross-compiler ; then
+ # https://bugzilla.gnome.org/show_bug.cgi?id=756473
+ case ${CHOST} in
+ hppa*|metag*) export glib_cv_stack_grows=yes ;;
+ *) export glib_cv_stack_grows=no ;;
+ esac
+ # https://bugzilla.gnome.org/show_bug.cgi?id=756474
+ export glib_cv_uscore=no
+ # https://bugzilla.gnome.org/show_bug.cgi?id=756475
+ export ac_cv_func_posix_get{pwuid,grgid}_r=yes
+ fi
+
+ local myconf
+
+ case "${CHOST}" in
+ *-mingw*) myconf="${myconf} --with-threads=win32" ;;
+ *) myconf="${myconf} --with-threads=posix" ;;
+ esac
+
+ # libelf used only by the gresource bin
+ ECONF_SOURCE="${S}" gnome2_src_configure ${myconf} \
+ $(usex debug --enable-debug=yes ' ') \
+ $(use_enable xattr) \
+ $(use_enable fam) \
+ $(multilib_native_use_enable gtk-doc) \
+ $(use_enable kernel_linux libmount) \
+ $(use_enable selinux) \
+ $(use_enable static-libs static) \
+ $(use_enable systemtap dtrace) \
+ $(use_enable systemtap systemtap) \
+ $(multilib_native_use_enable utils libelf) \
+ --with-python=${EPYTHON} \
+ --disable-compile-warnings \
+ --enable-man \
+ --with-pcre=system \
+ --with-xml-catalog="${EPREFIX}/etc/xml/catalog"
+
+ if multilib_is_native_abi; then
+ local d
+ for d in glib gio gobject; do
+ ln -s "${S}"/docs/reference/${d}/html docs/reference/${d}/html || die
+ done
+ fi
+}
+
+multilib_src_test() {
+ export XDG_CONFIG_DIRS=/etc/xdg
+ export XDG_DATA_DIRS=/usr/local/share:/usr/share
+ export G_DBUS_COOKIE_SHA1_KEYRING_DIR="${T}/temp"
+ export LC_TIME=C # bug #411967
+ unset GSETTINGS_BACKEND # bug #596380
+ python_setup
+
+ # Related test is a bit nitpicking
+ mkdir "$G_DBUS_COOKIE_SHA1_KEYRING_DIR"
+ chmod 0700 "$G_DBUS_COOKIE_SHA1_KEYRING_DIR"
+
+ # Hardened: gdb needs this, bug #338891
+ if host-is-pax ; then
+ pax-mark -mr "${BUILD_DIR}"/tests/.libs/assert-msg-test \
+ || die "Hardened adjustment failed"
+ fi
+
+ # Need X for dbus-launch session X11 initialization
+ virtx emake check
+}
+
+multilib_src_install() {
+ emake DESTDIR="${D}" completiondir="$(get_bashcompdir)" install
+ keepdir /usr/$(get_libdir)/gio/modules
+}
+
+multilib_src_install_all() {
+ einstalldocs
+
+ # These are installed by dev-util/glib-utils
+ # TODO: With patching we might be able to get rid of the python-any deps and removals, and test depend on glib-utils instead; revisit with meson
+ rm "${ED}usr/bin/glib-genmarshal" || die
+ rm "${ED}usr/share/man/man1/glib-genmarshal.1" || die
+ rm "${ED}usr/bin/glib-mkenums" || die
+ rm "${ED}usr/share/man/man1/glib-mkenums.1" || die
+ rm "${ED}usr/bin/gtester-report" || die
+ rm "${ED}usr/share/man/man1/gtester-report.1" || die
+
+ # Do not install charset.alias even if generated, leave it to libiconv
+ rm -f "${ED}/usr/$(get_libdir)/charset.alias"
+
+ # Don't install gdb python macros, bug 291328
+ rm -rf "${ED}/usr/share/gdb/" "${ED}/usr/share/glib-2.0/gdb/"
+
+ # Completely useless with or without USE static-libs, people need to use pkg-config
+ find "${ED}" -name '*.la' -delete || die
+}
+
+pkg_preinst() {
+ gnome2_pkg_preinst
+
+ # Make gschemas.compiled belong to glib alone
+ local cache="usr/share/glib-2.0/schemas/gschemas.compiled"
+
+ if [[ -e ${EROOT}${cache} ]]; then
+ cp "${EROOT}"${cache} "${ED}"/${cache} || die
+ else
+ touch "${ED}"/${cache} || die
+ fi
+
+ multilib_pkg_preinst() {
+ # Make giomodule.cache belong to glib alone
+ local cache="usr/$(get_libdir)/gio/modules/giomodule.cache"
+
+ if [[ -e ${EROOT}${cache} ]]; then
+ cp "${EROOT}"${cache} "${ED}"/${cache} || die
+ else
+ touch "${ED}"/${cache} || die
+ fi
+ }
+
+ # Don't run the cache ownership when cross-compiling, as it would end up with an empty cache
+ # file due to inability to create it and GIO might not look at any of the modules there
+ if ! tc-is-cross-compiler ; then
+ multilib_foreach_abi multilib_pkg_preinst
+ fi
+}
+
+pkg_postinst() {
+ # force (re)generation of gschemas.compiled
+ GNOME2_ECLASS_GLIB_SCHEMAS="force"
+
+ gnome2_pkg_postinst
+
+ multilib_pkg_postinst() {
+ gnome2_giomodule_cache_update \
+ || die "Update GIO modules cache failed (for ${ABI})"
+ }
+ if ! tc-is-cross-compiler ; then
+ multilib_foreach_abi multilib_pkg_postinst
+ else
+ ewarn "Updating of GIO modules cache skipped due to cross-compilation."
+ ewarn "You might want to run gio-querymodules manually on the target for"
+ ewarn "your final image for performance reasons and re-run it when packages"
+ ewarn "installing GIO modules get upgraded or added to the image."
+ fi
+}
+
+pkg_postrm() {
+ gnome2_pkg_postrm
+
+ if [[ -z ${REPLACED_BY_VERSION} ]]; then
+ multilib_pkg_postrm() {
+ rm -f "${EROOT}"usr/$(get_libdir)/gio/modules/giomodule.cache
+ }
+ multilib_foreach_abi multilib_pkg_postrm
+ rm -f "${EROOT}"usr/share/glib-2.0/schemas/gschemas.compiled
+ fi
+}
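Review bot: In multilib_src_test the `mkdir "$G_DBUS_COOKIE_SHA1_KEYRING_DIR"` and the following `chmod 0700` run without `|| die`, so a failed mkdir (for example a leftover directory from an earlier run) or a failed chmod is silent and the test suite presumably continues against a keyring directory whose permissions are not the private ones the comment intends. Since the whole point of the two lines is a 0700 keyring dir, check them the same way the rest of the file does: `mkdir -p "${G_DBUS_COOKIE_SHA1_KEYRING_DIR}" || die` and `chmod 0700 "${G_DBUS_COOKIE_SHA1_KEYRING_DIR}" || die`. The `rm -f` lines in multilib_src_install_all are deliberately best-effort and can stay as they are. Minor: the comment above the gtk-doc.make heredoc reads "bootstramp" where "bootstrap" is meant.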