-rw-r--r-- | sys-apps/man-db/Manifest | 1 | ||||
-rw-r--r-- | sys-apps/man-db/files/man-db-2.8.0-libseccomp_automagic.patch | 45 | ||||
-rw-r--r-- | sys-apps/man-db/man-db-2.8.0.ebuild | 128 |
3 files changed, 174 insertions, 0 deletions
diff --git a/sys-apps/man-db/Manifest b/sys-apps/man-db/Manifest
index 591b7273dd20..05aa8e84537c 100644
--- a/sys-apps/man-db/Manifest
+++ b/sys-apps/man-db/Manifest
@@ -1 +1,2 @@
 DIST man-db-2.7.6.1.tar.xz 1541316 BLAKE2B ea3aa7e90ea8af4882bd99d99374cc37d9c0c7f70bb970973eb3f2178aa4323bcdebc7f39f142ec0144dbe55a9f86aba15d9fe281d2662d280b8e6dca9452f24 SHA512 623c5e7f8b7c289908b2c926f8777293b8d39aeceef0d2509d701a8b0bfa81408650f655c8608318221786c751a79ee91124b07993de5298cd7fa6d8bb737301
+DIST man-db-2.8.0.tar.xz 1620344 BLAKE2B abb2879848f4db187d28bb3d8359ecfab0033ea3a5333ebd1a837733de563972d97153f11c08e8669553dc5cddea12ca774117985b32d218a30db407437717f3 SHA512 06f52ecd6e7ced858a32117ea4be3ed5fc3d4428cb810d31b85dd75556e999f5badc6eb81f642b56afe2a697462ccca9fd8cc5ecfbd40f132d5a74f84f316d39
diff --git a/sys-apps/man-db/files/man-db-2.8.0-libseccomp_automagic.patch b/sys-apps/man-db/files/man-db-2.8.0-libseccomp_automagic.patch
new file mode 100644
index 000000000000..333bc5fe2957
--- /dev/null
+++ b/sys-apps/man-db/files/man-db-2.8.0-libseccomp_automagic.patch
@@ -0,0 +1,45 @@
+From c693c0d6c41e777def51984035710779697d1989 Mon Sep 17 00:00:00 2001
+From: Lars Wendler <polynomial-c@gentoo.org>
+Date: Tue, 6 Feb 2018 14:41:22 +0100
+Subject: [PATCH] Change libseccomp logic to not be automagic only.
+
+Introduce --with-libseccomp configure option so that users can disable
+seccomp even if libseccomp is available on the system.
+The default is unchanged to before this patch. If no --with(out)-libseccomp
+has been given on command line, the macro looks for presence of libseccomp
+and uses that if found.
+---
+ m4/man-libseccomp.m4 | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/m4/man-libseccomp.m4 b/m4/man-libseccomp.m4
+index a9377317..17a52f72 100644
+--- a/m4/man-libseccomp.m4
++++ b/m4/man-libseccomp.m4
+@@ -1,9 +1,18 @@
+ # man-libseccomp.m4 serial 1
+ dnl MAN_LIBSECCOMP
+-dnl Check for the libseccomp library.
++dnl Add a --with-libseccomp option.
+ AC_DEFUN([MAN_LIBSECCOMP],
+-[PKG_CHECK_MODULES([libseccomp], [libseccomp],
+- [AC_DEFINE([HAVE_LIBSECCOMP], [1],
+- [Define to 1 if you have the `libseccomp' library.])],
+- [:])
++ [AC_ARG_WITH([libseccomp],
++ [AS_HELP_STRING([--with-libseccomp],
++ [use libseccomp to do most subprocessing])],
++ [],
++ [with_libseccomp=check])
++ if test "x$with_libseccomp" != "xno"; then
++ PKG_CHECK_MODULES([libseccomp], [libseccomp],
++ [AC_DEFINE([HAVE_LIBSECCOMP], [1],
++ [Define to 1 if you have the `libseccomp' library.])],
++ [if test "xyes" = "x$with_libseccomp"; then
++ AC_MSG_ERROR(--with-libseccomp given but cannot find libseccomp)
++ fi])
++ fi
+ ]) # MAN_LIBSECCOMP
+--
+2.16.1
+
diff --git a/sys-apps/man-db/man-db-2.8.0.ebuild b/sys-apps/man-db/man-db-2.8.0.ebuild
new file mode 100644
index 000000000000..10c1e80763d9
--- /dev/null
+++ b/sys-apps/man-db/man-db-2.8.0.ebuild
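Review bot: In the new failure branch of MAN_LIBSECCOMP, `AC_MSG_ERROR(--with-libseccomp given but cannot find libseccomp)` passes its message unquoted, unlike every other macro argument in the definition; it should be `AC_MSG_ERROR([--with-libseccomp given but cannot find libseccomp])` so the text is not subject to m4 expansion. The help string `use libseccomp to do most subprocessing` also reads as if the library runs the subprocesses. If the option controls seccomp confinement of them, as the "Bad system call" failure quoted in the ebuild suggests, wording such as `[confine subprocesses with a seccomp filter]` would tell the user what --without-libseccomp gives up.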
@@ -0,0 +1,128 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit autotools ltprune user versionator
+
+DESCRIPTION="a man replacement that utilizes berkdb instead of flat files"
+HOMEPAGE="http://www.nongnu.org/man-db/"
+SRC_URI="mirror://nongnu/${PN}/${P}.tar.xz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~arm-linux ~x86-linux"
+IUSE="berkdb +gdbm +manpager nls selinux static-libs zlib"
+
+CDEPEND="
+ !sys-apps/man
+ >=dev-libs/libpipeline-1.5.0
+ sys-apps/groff
+ berkdb? ( sys-libs/db:= )
+ gdbm? ( sys-libs/gdbm:= )
+ !berkdb? ( !gdbm? ( sys-libs/gdbm:= ) )
+ zlib? ( sys-libs/zlib )
+"
+DEPEND="
+ ${CDEPEND}
+ app-arch/xz-utils
+ virtual/pkgconfig
+ nls? (
+ >=app-text/po4a-0.45
+ sys-devel/gettext
+ )
+"
+RDEPEND="
+ ${CDEPEND}
+ selinux? ( sec-policy/selinux-mandb )
+"
+PDEPEND="manpager? ( app-text/manpager )"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-2.8.0-libseccomp_automagic.patch"
+)
+
+pkg_setup() {
+ # Create user now as Makefile in src_install does setuid/chown
+ enewgroup man 15
+ enewuser man 13 -1 /usr/share/man man
+
+ if (use gdbm && use berkdb) || (use !gdbm && use !berkdb) ; then #496150
+ ewarn "Defaulting to USE=gdbm due to ambiguous berkdb/gdbm USE flag settings"
+ fi
+}
+
+src_prepare() {
+ default
+ eautoreconf
+}
+
+src_configure() {
+ export ac_cv_lib_z_gzopen=$(usex zlib)
+ local myeconfargs=(
+ --docdir='$(datarootdir)'/doc/${PF}
+ --with-systemdtmpfilesdir="${EPREFIX}"/usr/lib/tmpfiles.d
+ --enable-setuid
+ --enable-cache-owner=man
+ --with-sections="1 1p 8 2 3 3p 4 5 6 7 9 0p tcl n l p o 1x 2x 3x 4x 5x 6x 7x 8x"
+ $(use_enable nls)
+ $(use_enable static-libs static)
+ # fails to show any man page with this error message:
+ # man: /usr/libexec/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE: Bad system call
+ # This will be made optional or hard enabled once the issue has been resolved.
+ --without-libseccomp
+ --with-db=$(usex gdbm gdbm $(usex berkdb db gdbm))
+ )
+ econf "${myeconfargs[@]}"
+
+ # Disable color output from groff so that the manpager can add it. #184604
+ sed -i \
+ -e '/^#DEFINE.*\<[nt]roff\>/{s:^#::;s:$: -c:}' \
+ src/man_db.conf || die
+}
+
+src_install() {
+ default
+ dodoc docs/{HACKING,TODO}
+ prune_libtool_files
+
+ exeinto /etc/cron.daily
+ newexe "${FILESDIR}"/man-db.cron man-db #289884
+}
+
+pkg_preinst() {
+ local cachedir="${EROOT}var/cache/man"
+ # If the system was already exploited, and the attacker is hiding in the
+ # cachedir of the old man-db, let's wipe them out.
+ # see bug #602588 comment 18
+ local _replacing_version=
+ local _setgid_vuln=0
+ for _replacing_version in ${REPLACING_VERSIONS}; do
+ if version_is_at_least '2.7.6.1-r2' "${_replacing_version}"; then
+ debug-print "Skipping security bug #602588 ... existing installation (${_replacing_version}) should not be affected!"
+ else
+ _setgid_vuln=1
+ debug-print "Applying cleanup for security bug #602588"
+ fi
+ done
+ [[ ${_setgid_vuln} -eq 1 ]] && rm -rf "${cachedir}"
+
+ # Fall back to recreating the cachedir
+ if [[ ! -d ${cachedir} ]] ; then
+ mkdir -p "${cachedir}" || die
+ chown man:man "${cachedir}" || die
+ fi
+
+ # Update the whatis cache
+ if [[ -f ${cachedir}/whatis ]] ; then
+ einfo "Cleaning ${cachedir} from sys-apps/man"
+ find "${cachedir}" -type f '!' '(' -name index.bt -o -name index.db ')' -delete
+ fi
+}
+
+pkg_postinst() {
+ if [[ $(get_version_component_range 2 ${REPLACING_VERSIONS}) -lt 7 ]] ; then
+ einfo "Rebuilding man-db from scratch with new database format!"
+ mandb --quiet --create
+ fi
+}
+} |
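Review bot: `--without-libseccomp` in src_configure is unconditional, so every build of this version is configured without libseccomp while `--enable-setuid` stays on in the same argument list. The "Bad system call" failure quoted in the comment looks like a seccomp filter rejecting a syscall, which may not affect every system. Since the bundled patch already adds the configure switch, the choice could be exposed now: add `seccomp` to IUSE, `seccomp? ( sys-libs/libseccomp )` to CDEPEND, and replace the flag with `$(use_with seccomp libseccomp)`. The comment should also carry the number of the bug that tracks re-enabling it, in the `#NNNNNN` form (placeholder) used elsewhere in the file, so the hardening is not left off indefinitely.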