authorAnthony G. Basile <blueness@gentoo.org>2018-08-22 20:17:31 -0400
committerAnthony G. Basile <blueness@gentoo.org>2018-08-22 20:17:31 -0400
commit33e9f4c81de754bbf76b893ea1133ed023f2a0e5 (patch)
tree968c11fd875fbee0e98d7fe3f47a5ab85e633f34 /dev-libs/libcgroup
parentsys-kernel/gentoo-sources: Linux patch 4.4.151 (diff)
dev-libs/libcgroup: address CVE-2018-14348, bug #664324
Package-Manager: Portage-2.3.40, Repoman-2.3.9
Diffstat (limited to 'dev-libs/libcgroup')
-rw-r--r--dev-libs/libcgroup/files/libcgroup-0.41-remove-umask.patch28
-rw-r--r--dev-libs/libcgroup/libcgroup-0.41-r5.ebuild96
2 files changed, 124 insertions, 0 deletions
diff --git a/dev-libs/libcgroup/files/libcgroup-0.41-remove-umask.patch b/dev-libs/libcgroup/files/libcgroup-0.41-remove-umask.patch
new file mode 100644
index 000000000000..42286ae8785f
--- /dev/null
+++ b/dev-libs/libcgroup/files/libcgroup-0.41-remove-umask.patch
@@ -0,0 +1,28 @@
+commit 0d88b73d189ea3440ccaab00418d6469f76fa590
+Author: Michal Hocko <mhocko@suse.com>
+Date: Wed Jul 18 11:24:29 2018 +0200
+
+ cgrulesengd: remove umask(0)
+
+ One of our partners has noticed that cgred daemon is creating a log file
+ (/var/log/cgred) with too wide permissions (0666) and that is seen as
+ a security bug because an untrusted user can write to otherwise
+ restricted area. CVE-2018-14348 has been assigned to this issue.
+
+ Signed-off-by: Michal Hocko <mhocko@suse.com>
+ Acked-by: Balbir Singh <bsingharora@gmail.com>
+
+diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c
+index ea51f11..0d288f3 100644
+--- a/src/daemon/cgrulesengd.c
++++ b/src/daemon/cgrulesengd.c
+@@ -889,9 +889,6 @@ int cgre_start_daemon(const char *logp, const int logf,
+ } else if (pid > 0) {
+ exit(EXIT_SUCCESS);
+ }
+-
+- /* Change the file mode mask. */
+- umask(0);
+ } else {
+ flog(LOG_DEBUG, "Not using daemon mode\n");
+ pid = getpid();
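Review bot: The permissions of the log file still depend on the umask inherited from whatever starts cgrulesengd, because the daemon branch of cgre_start_daemon sets no mask at all once `umask(0)` is gone. A launcher running with a permissive mask would again produce the group- or world-writable /var/log/cgred described in the commit message. Setting an explicit mask in place of the removed lines, `umask(S_IWGRP | S_IWOTH);`, or passing a fixed mode where the log is opened, would make the result independent of the caller. The function starts and ends outside the hunk and the log-open code is not visible here, so this should be confirmed against the full file.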
diff --git a/dev-libs/libcgroup/libcgroup-0.41-r5.ebuild b/dev-libs/libcgroup/libcgroup-0.41-r5.ebuild
new file mode 100644
index 000000000000..a17306a01ae2
--- /dev/null
+++ b/dev-libs/libcgroup/libcgroup-0.41-r5.ebuild
@@ -0,0 +1,96 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit autotools flag-o-matic linux-info pam
+
+DESCRIPTION="Tools and libraries to configure and manage kernel control groups"
+HOMEPAGE="http://libcg.sourceforge.net/"
+SRC_URI="mirror://sourceforge/project/libcg/${PN}/v${PV}/${P}.tar.bz2"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86"
+IUSE="+daemon elibc_musl pam static-libs +tools"
+
+RDEPEND="pam? ( virtual/pam )"
+
+DEPEND="
+ ${RDEPEND}
+ sys-devel/bison
+ sys-devel/flex
+ elibc_musl? ( sys-libs/fts-standalone )
+ "
+REQUIRED_USE="daemon? ( tools )"
+
+DOCS=(README_daemon README README_systemd INSTALL)
+pkg_setup() {
+ local CONFIG_CHECK="~CGROUPS"
+ if use daemon; then
+ CONFIG_CHECK="${CONFIG_CHECK} ~CONNECTOR ~PROC_EVENTS"
+ fi
+ linux-info_pkg_setup
+}
+
+PATCHES=(
+ "${FILESDIR}"/${P}-replace_DECLS.patch
+ "${FILESDIR}"/${P}-replace_INLCUDES.patch
+ "${FILESDIR}"/${P}-reorder-headers.patch
+ "${FILESDIR}"/${P}-remove-umask.patch
+)
+
+src_prepare() {
+ default
+ # Change rules file location
+ sed -e 's:/etc/cgrules.conf:/etc/cgroup/cgrules.conf:' \
+ -i src/libcgroup-internal.h || die "sed failed"
+ sed -e 's:/etc/cgconfig.conf:/etc/cgroup/cgconfig.conf:' \
+ -i src/libcgroup-internal.h || die "sed failed"
+ sed -e 's:\(pam_cgroup_la_LDFLAGS.*\):\1\ -avoid-version:' \
+ -i src/pam/Makefile.am || die "sed failed"
+ sed -e 's#/var/run#/run#g' -i configure.in || die "sed failed"
+
+ eautoreconf
+}
+
+src_configure() {
+ local my_conf
+
+ if use pam; then
+ my_conf=" --enable-pam-module-dir=$(getpam_mod_dir) "
+ fi
+
+ use elibc_musl && append-ldflags "-lfts"
+ econf \
+ $(use_enable static-libs static) \
+ $(use_enable daemon) \
+ $(use_enable pam) \
+ $(use_enable tools) \
+ ${my_conf}
+}
+
+src_test() {
+ # Use mount cgroup to build directory
+ # sandbox restricted to trivial build,
+ # possible kill Diego tanderbox ;)
+ true
+}
+
+src_install() {
+ default
+ prune_libtool_files --all
+
+ insinto /etc/cgroup
+ doins samples/*.conf || die
+
+ if use tools; then
+ newconfd "${FILESDIR}"/cgconfig.confd-r1 cgconfig || die
+ newinitd "${FILESDIR}"/cgconfig.initd-r1 cgconfig || die
+ fi
+
+ if use daemon; then
+ newconfd "${FILESDIR}"/cgred.confd-r2 cgred || die
+ newinitd "${FILESDIR}"/cgred.initd-r1 cgred || die
+ fi
+}
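Review bot: Systems upgrading from an earlier revision keep any /var/log/cgred that was already created with mode 0666, because the added `${P}-remove-umask.patch` only changes how new files are created and the ebuild defines no `pkg_postinst`. A short `pkg_postinst` that tightens or at least reports the old file would close that gap, for example `[[ -e "${EROOT%/}"/var/log/cgred ]] && chmod go-w "${EROOT%/}"/var/log/cgred`, or an `ewarn` asking the administrator to do so. Separately, `src_test` is stubbed to `true`, so nothing in the build exercises the patched daemon path; a comment saying that the fix is untested at build time would help the next maintainer.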