From 3a7259637a572d5818ad1c363fe4a85282823e12 Mon Sep 17 00:00:00 2001
From: Lars Wendler
Date: Wed, 20 Apr 2016 10:03:56 +0200
Subject: net-dialup/freeradius: Security bump to versions 2.2.9 and 3.0.11

See security bugs #553308 and #560994. Also fixing version bump request #551246, init script bug #551246 and missing dependency on sys-libs/talloc (#543302).

Package-Manager: portage-2.2.28
Signed-off-by: Lars Wendler
---
 net-dialup/freeradius/Manifest | 2 +
 net-dialup/freeradius/freeradius-2.2.9.ebuild | 196 ++++++++++++++++++++++
 net-dialup/freeradius/freeradius-3.0.11.ebuild | 216 +++++++++++++++++++++++++
 3 files changed, 414 insertions(+)
 create mode 100644 net-dialup/freeradius/freeradius-2.2.9.ebuild
 create mode 100644 net-dialup/freeradius/freeradius-3.0.11.ebuild
(limited to 'net-dialup')
diff --git a/net-dialup/freeradius/Manifest b/net-dialup/freeradius/Manifest
index a2dffed40d87..d6713c1028e3 100644
--- a/net-dialup/freeradius/Manifest
+++ b/net-dialup/freeradius/Manifest
@@ -1,3 +1,5 @@
 DIST freeradius-2.2.0-patches-4.tar.xz 3140 SHA256 9fd7b6f7e1501d63a073e6279b20eb6d8154e7898d81c85a5c548543ab33c1af SHA512 38ebd65d9ad8ce8f513f2f5c7fd9ff43b81cf468038a49f9eb7f4a54d13783e88866c3031e7abc0fc8b65d2aec4f347efa358b9e7e2aadb2d15567ce7e125d1d WHIRLPOOL a532444f6bfebe260a6b4bf43157fa1624ce9920a86635172ac94e0f757263904bac6ca6a472e12df73e32a8d25d6f7b094272bd743d13c566f23bfcbff6df27
 DIST freeradius-server-2.2.5.tar.gz 4415950 SHA256 8c4c2a0b600a8d85d2235589a5e80d4fefd1f52317e9daf8193731566fa9d012 SHA512 511599b4f4f5906441d0cda61946341f2226b9aae69b6f68b03a19898b6385499a8221933c191232d50f736cab93f0f6f271e4defe4552e7738cb21e2415f053 WHIRLPOOL 629ac42749b736a7cd606c97fb149ea6f3b11d0e77bc5fc69785e4c7956f073131eb16420f276de5664e977a37a6784d0bbff08a15c1c23389f5369320a4cb12
+DIST freeradius-server-2.2.9.tar.gz 4424239 SHA256 e1b8fcdb7467719ecd760678b628a733b3d14e998dc240d8563c5093f98aacd3 SHA512 a631f68165fe96d030c7d15ebc72ed3885badf089ad155204a773686747f17f355181f087e389c76b96525affcd54f4c16e4a7788375968eef0899c6a416a27e WHIRLPOOL 14382f14a7fe0943733e445b8ea334745d5c01596bf2530ff0c8dd53c3cc3836f8895b95c1128dcc71db5b95361e9a5829a6abb136422cb819e98656ca8a2ca9
+DIST freeradius-server-3.0.11.tar.gz 4808234 SHA256 b97b72915315f2dcd34001af2c1737947f91ad9104a40408b92b030356e25d59 SHA512 451ba4052db68f9855aff96e12df282b31a98973361001f393dac23cb030274d9d9fb9ae85f7feef077e69d7d57152e427fb861892c8fd700b3e17e3389fea64 WHIRLPOOL 06a9e949b69d4244e1d02471e969032aa3ac5781d682c1b7bb87f7c87646fe7a217b6f477391e855e51bfb28214ded836a08acc3eb3e34f6626b1f9dc59d2f2e
 DIST freeradius-server-3.0.3.tar.gz 4387083 SHA256 57e9932e5401670d0f0000080b942aee2cd6ca80422f76acd21f13a4be46335e SHA512 a4fbb0a19f5946182c0cac6d62270db378674e48350c7c3b8f7d8a2a1b16c95c9b205af8d7ed22009b6392d4ab7cb251694d2593a39d9e4efc8eec9ff736bd01 WHIRLPOOL 2f263e096e3ace00feb39f68662d5f3346ce35dfd7a451b23ebfffd5abef4a881ca2e7115eb274a8c10fef965c4e82a3d3144595c226307995703875d7133ef5
diff --git a/net-dialup/freeradius/freeradius-2.2.9.ebuild b/net-dialup/freeradius/freeradius-2.2.9.ebuild
new file mode 100644
index 000000000000..c815ad7dc134
--- /dev/null
+++ b/net-dialup/freeradius/freeradius-2.2.9.ebuild
@@ -0,0 +1,196 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 )
+inherit autotools eutils pam python-any-r1 user
+
+PATCHSET=4
+
+MY_P="${PN}-server-${PV}"
+
+DESCRIPTION="Highly configurable free RADIUS server"
+SRC_URI="
+ ftp://ftp.freeradius.org/pub/radius/${MY_P}.tar.gz
+ ftp://ftp.freeradius.org/pub/radius/old/${MY_P}.tar.gz
+ https://dev.gentoo.org/~flameeyes/${PN}/${PN}-2.2.0-patches-${PATCHSET}.tar.xz
+
+"
+HOMEPAGE="http://www.freeradius.org/"
+
+KEYWORDS="~amd64 ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd"
+LICENSE="GPL-2"
+SLOT="0"
+
+IUSE="
+ debug firebird iodbc kerberos ldap mysql odbc oracle pam pcap
+ postgres python readline sqlite ssl
+"
+RESTRICT="firebird? ( bindist )"
+
+RDEPEND="!net-dialup/cistronradius
+ !net-dialup/gnuradius
+ sys-devel/libtool
+ dev-lang/perl
+ sys-libs/gdbm
+ python? ( ${PYTHON_DEPS} )
+ readline? ( sys-libs/readline:0= )
+ pcap? ( net-libs/libpcap )
+ mysql? ( virtual/mysql )
+ postgres? ( dev-db/postgresql:= )
+ firebird? ( dev-db/firebird )
+ pam? ( virtual/pam )
+ ssl? ( dev-libs/openssl:0= )
+ ldap? ( net-nds/openldap )
+ kerberos? ( virtual/krb5 )
+ sqlite? ( dev-db/sqlite:3 )
+ odbc? ( dev-db/unixODBC )
+ iodbc? ( dev-db/libiodbc )
+ oracle? ( dev-db/oracle-instantclient-basic )"
+DEPEND="${RDEPEND}"
+
+S="${WORKDIR}/${MY_P}"
+
+pkg_setup() {
+ enewgroup radius
+ enewuser radius -1 -1 /var/log/radius radius
+
+ python-any-r1_pkg_setup
+ export PYTHONBIN="${EPYTHON}"
+}
+
+src_prepare() {
+ eapply \
+ "${WORKDIR}"/patches/0002*patch \
+ "${WORKDIR}"/patches/0004*patch \
+ "${FILESDIR}"/${PN}-2.2.5-gentoo.patch
+
+ # most of the configuration options do not appear as ./configure
+ # switches. Instead it identifies the directories that are available
+ # and run through them. These might check for the presence of
+ # various libraries, in which case they are not built. To avoid
+ # automagic dependencies, we just remove all the modules that we're
+ # not interested in using.
+
+ use ssl || { rm -r src/modules/rlm_eap/types/rlm_eap_{tls,ttls,peap} || die ; }
+ use ldap || { rm -r src/modules/rlm_ldap || die ; }
+ use kerberos || { rm -r src/modules/rlm_krb5 || die ; }
+ use pam || { rm -r src/modules/rlm_pam || die ; }
+ use python || { rm -r src/modules/rlm_python || die ; }
+ # Do not install ruby rlm module, bug #483108
+ rm -r src/modules/rlm_ruby || die
+
+ # these are all things we don't have in portage/I don't want to deal
+ # with myself
+ rm -r src/modules/rlm_eap/types/rlm_eap_tnc || die # requires TNCS library
+ rm -r src/modules/rlm_eap/types/rlm_eap_ikev2 || die # requires libeap-ikev2
+ rm -r src/modules/rlm_opendirectory || die # requires some membership.h
+ rm -r src/modules/rlm_redis{,who} || die # requires redis
+ rm -r src/modules/rlm_sql/drivers/rlm_sql_{db2,freetds,sybase} || die
+
+ # sql drivers that are not part of experimental are loaded from a
+ # file, so we have to remove them from the file itself when we
+ # remove them.
+ usesqldriver() {
+ local flag=$1
+ local driver=rlm_sql_${2:-${flag}}
+
+ if ! use ${flag}; then
+ rm -r src/modules/rlm_sql/drivers/${driver} || die
+ sed -i -e /${driver}/d src/modules/rlm_sql/stable || die
+ fi
+ }
+
+ usesqldriver mysql
+ usesqldriver postgres postgresql
+ usesqldriver firebird
+ usesqldriver iodbc
+ usesqldriver odbc unixodbc
+ usesqldriver oracle
+ usesqldriver sqlite
+
+ # remove bundled ltdl to avoid conflicts
+ rm -r libltdl
+
+ default
+
+ eautoreconf
+}
+
+src_configure() {
+ # fix bug #77613
+ if has_version app-crypt/heimdal; then
+ myconf+=( --enable-heimdal-krb5 )
+ fi
+
+ use readline || export ac_cv_lib_readline=no
+ use pcap || export ac_cv_lib_pcap_pcap_open_live=no
+
+ # do not try to enable static with static-libs; upstream is a
+ # massacre of libtool best practices so you also have to make sure
+ # to --enable-shared explicitly.
+ econf \
+ --enable-shared --disable-static \
+ --disable-ltdl-install \
+ --with-system-libtool \
+ --with-system-libltdl \
+ --with-ascend-binary \
+ --with-udpfromto \
+ --with-dhcp \
+ --with-iodbc-include-dir=/usr/include/iodbc \
+ --with-experimental-modules \
+ --with-docdir=/usr/share/doc/${PF} \
+ --with-logdir=/var/log/radius \
+ $(use_enable debug developer) \
+ $(use_with ldap edir) \
+ $(use_with ssl openssl) \
+ ${myconf[@]}
+}
+
+src_compile() {
+ emake LIBTOOL=libtool
+}
+
+src_install() {
+ dodir /etc
+ diropts -m0750 -o root -g radius
+ dodir /etc/raddb
+ diropts -m0750 -o radius -g radius
+ dodir /var/log/radius
+ keepdir /var/log/radius/radacct
+ diropts
+
+ emake LIBTOOL=libtool R="${D}" install
+
+ fowners -R root:radius /etc/raddb
+
+ # Fixing pidfile location (#546482)
+ sed \
+ '/^run_dir =/s@${localstatedir}@@' \
+ -i "${D}"/etc/raddb/radiusd.conf || die
+
+ pamd_mimic_system radiusd auth account password session
+
+ dodoc CREDITS
+
+ rm "${D}/usr/sbin/rc.radiusd" || die
+
+ newinitd "${FILESDIR}/radius.init-r3" radiusd
+ newconfd "${FILESDIR}/radius.conf-r3" radiusd
+}
+
+pkg_config() {
+ if use ssl; then
+ cd "${ROOT}"/etc/raddb/certs
+ ./bootstrap
+ fi
+}
+
+pkg_preinst() {
+ if ! has_version ${CATEGORY}/${PN} && use ssl; then
+ elog "You have to run \`emerge --config =${CATEGORY}/${PF}\` to be able"
+ elog "to start the radiusd service."
+ fi
+}
diff --git a/net-dialup/freeradius/freeradius-3.0.11.ebuild b/net-dialup/freeradius/freeradius-3.0.11.ebuild
new file mode 100644
index 000000000000..900a8f8b7970
--- /dev/null
+++ b/net-dialup/freeradius/freeradius-3.0.11.ebuild
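Review bot: In `pkg_config` of freeradius-2.2.9.ebuild the `cd "${ROOT}"/etc/raddb/certs` is unchecked, so if that directory is missing the following `./bootstrap` is resolved against whatever the phase's current working directory happens to be and runs with the privileges of the caller of `emerge --config`. Both steps should be fatal: `cd "${ROOT}"/etc/raddb/certs || die` and `./bootstrap || die`. The identical `pkg_config` in freeradius-3.0.11.ebuild needs the same change. In the same 2.2.9 hunk, `rm -r libltdl` in `src_prepare` is the only `rm` without `|| die`, so a layout change upstream would leave the bundled ltdl in place silently.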
@@ -0,0 +1,216 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 )
+inherit autotools eutils pam python-any-r1 user
+
+#PATCHSET=4
+
+MY_P="${PN}-server-${PV}"
+
+DESCRIPTION="Highly configurable free RADIUS server"
+SRC_URI="
+ ftp://ftp.freeradius.org/pub/radius/${MY_P}.tar.gz
+ ftp://ftp.freeradius.org/pub/radius/old/${MY_P}.tar.gz
+"
+HOMEPAGE="http://www.freeradius.org/"
+
+KEYWORDS=""
+LICENSE="GPL-2"
+SLOT="0"
+
+IUSE="
+ debug firebird iodbc kerberos ldap mysql odbc oracle pam pcap
+ postgres python readline sqlite ssl
+"
+RESTRICT="test firebird? ( bindist )"
+
+RDEPEND="!net-dialup/cistronradius
+ !net-dialup/gnuradius
+ sys-devel/libtool
+ dev-lang/perl
+ sys-libs/gdbm
+ sys-libs/talloc
+ python? ( ${PYTHON_DEPS} )
+ readline? ( sys-libs/readline:0= )
+ pcap? ( net-libs/libpcap )
+ mysql? ( virtual/mysql )
+ postgres? ( dev-db/postgresql:= )
+ firebird? ( dev-db/firebird )
+ pam? ( virtual/pam )
+ ssl? ( dev-libs/openssl:0= )
+ ldap? ( net-nds/openldap )
+ kerberos? ( virtual/krb5 )
+ sqlite? ( dev-db/sqlite:3 )
+ odbc? ( dev-db/unixODBC )
+ iodbc? ( dev-db/libiodbc )
+ oracle? ( dev-db/oracle-instantclient-basic )"
+DEPEND="${RDEPEND}"
+
+S="${WORKDIR}/${MY_P}"
+
+pkg_setup() {
+ enewgroup radius
+ enewuser radius -1 -1 /var/log/radius radius
+
+ python-any-r1_pkg_setup
+ export PYTHONBIN="${EPYTHON}"
+}
+
+src_prepare() {
+ # most of the configuration options do not appear as ./configure
+ # switches. Instead it identifies the directories that are available
+ # and run through them. These might check for the presence of
+ # various libraries, in which case they are not built. To avoid
+ # automagic dependencies, we just remove all the modules that we're
+ # not interested in using.
+
+ use ssl || { rm -r src/modules/rlm_eap/types/rlm_eap_{tls,ttls,peap} || die ; }
+ use ldap || { rm -r src/modules/rlm_ldap || die ; }
+ use kerberos || { rm -r src/modules/rlm_krb5 || die ; }
+ use pam || { rm -r src/modules/rlm_pam || die ; }
+ use python || { rm -r src/modules/rlm_python || die ; }
+ # Do not install ruby rlm module, bug #483108
+ rm -r src/modules/rlm_ruby || die
+
+ # these are all things we don't have in portage/I don't want to deal
+ # with myself
+ rm -r src/modules/rlm_eap/types/rlm_eap_tnc || die # requires TNCS library
+ rm -r src/modules/rlm_eap/types/rlm_eap_ikev2 || die # requires libeap-ikev2
+ rm -r src/modules/rlm_opendirectory || die # requires some membership.h
+ rm -r src/modules/rlm_redis{,who} || die # requires redis
+ rm -r src/modules/rlm_sql/drivers/rlm_sql_{db2,freetds} || die
+
+ # sql drivers that are not part of experimental are loaded from a
+ # file, so we have to remove them from the file itself when we
+ # remove them.
+ usesqldriver() {
+ local flag=$1
+ local driver=rlm_sql_${2:-${flag}}
+
+ if ! use ${flag}; then
+ rm -r src/modules/rlm_sql/drivers/${driver} || die
+ sed -i -e /${driver}/d src/modules/rlm_sql/stable || die
+ fi
+ }
+
+ sed -i \
+ -e 's:/var/run/radiusd:/run/radiusd:g' \
+ -e '/^run_dir/s:${localstatedir}::g' \
+ raddb/radiusd.conf.in || die
+
+ # verbosity
+ # build shared libraries using jlibtool --shared
+ sed -i \
+ -e '/$(LIBTOOL)/s|--quiet ||g' \
+ -e 's:--mode=\(compile\|link\):& --shared:g' \
+ Make.inc.in || die
+
+ sed -i \
+ -e 's|--silent ||g' \
+ -e 's:--mode=\(compile\|link\):& --shared:g' \
+ scripts/libtool.mk || die
+
+ # crude measure to stop jlibtool from running ranlib and ar
+ sed -i \
+ -e '/LIBRARIAN/s|".*"|"true"|g' \
+ -e '/RANLIB/s|".*"|"true"|g' \
+ scripts/jlibtool.c || die
+
+ usesqldriver mysql
+ usesqldriver postgres postgresql
+ usesqldriver firebird
+ usesqldriver iodbc
+ usesqldriver odbc unixodbc
+ usesqldriver oracle
+ usesqldriver sqlite
+
+ default
+
+ eautoreconf
+}
+
+src_configure() {
+ # fix bug #77613
+ if has_version app-crypt/heimdal; then
+ myconf+=( --enable-heimdal-krb5 )
+ fi
+
+ use readline || export ac_cv_lib_readline=no
+ use pcap || export ac_cv_lib_pcap_pcap_open_live=no
+
+ # do not try to enable static with static-libs; upstream is a
+ # massacre of libtool best practices so you also have to make sure
+ # to --enable-shared explicitly.
+ econf \
+ --enable-shared \
+ --disable-static \
+ --disable-ltdl-install \
+ --with-system-libtool \
+ --with-system-libltdl \
+ --with-ascend-binary \
+ --with-udpfromto \
+ --with-dhcp \
+ --with-iodbc-include-dir=/usr/include/iodbc \
+ --with-experimental-modules \
+ --with-docdir=/usr/share/doc/${PF} \
+ --with-logdir=/var/log/radius \
+ $(use_enable debug developer) \
+ $(use_with ldap edir) \
+ $(use_with ssl openssl) \
+ ${myconf[@]}
+}
+
+src_compile() {
+ # verbose, do not generate certificates
+ emake \
+ Q='' ECHO=true \
+ LOCAL_CERT_PRODUCTS=''
+}
+
+src_install() {
+ dodir /etc
+ diropts -m0750 -o root -g radius
+ dodir /etc/raddb
+ diropts -m0750 -o radius -g radius
+ dodir /var/log/radius
+ keepdir /var/log/radius/radacct
+ diropts
+
+ # verbose, do not install certificates
+ emake -j1 \
+ Q='' ECHO=true \
+ LOCAL_CERT_PRODUCTS='' \
+ R="${D}" \
+ install
+
+ fowners -R root:radius /etc/raddb
+
+ pamd_mimic_system radiusd auth account password session
+
+ dodoc CREDITS
+
+ rm "${D}/usr/sbin/rc.radiusd" || die
+
+ newinitd "${FILESDIR}/radius.init-r3" radiusd
+ newconfd "${FILESDIR}/radius.conf-r3" radiusd
+
+ prune_libtool_files
+}
+
+pkg_config() {
+ if use ssl; then
+ cd "${ROOT}"/etc/raddb/certs
+ ./bootstrap
+ fi
+}
+
+pkg_preinst() {
+ if ! has_version ${CATEGORY}/${PN} && use ssl; then
+ elog "You have to run \`emerge --config =${CATEGORY}/${PF}\` to be able"
+ elog "to start the radiusd service."
+ fi
+}
-- 
cgit v1.2.3-65-gdbad
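Review bot: `KEYWORDS=""` leaves freeradius-3.0.11.ebuild unkeyworded although the commit is titled a security bump to 3.0.11, so no profile will select this version without a manual keyword override, while freeradius-2.2.9.ebuild in the same commit carries `~amd64 ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd`. Whether the earlier 3.0.x ebuild was keyworded is not visible here, so this may be deliberate; if it is, record it next to the line, e.g. `# unkeyworded on purpose: <reason>, see bug <id>`, so the fixed 3.x version is not assumed to be reaching users. The commented-out `#PATCHSET=4` above it is dead and can be dropped. Separately, `src_configure` appends to `myconf` without declaring it, so `local myconf=()` at the top and `"${myconf[@]}"` in the `econf` call would keep a value inherited from the environment out of the configure line; the same applies to the 2.2.9 ebuild.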