author | Robin H. Johnson <robbat2@gentoo.org> | 2017-02-21 13:45:35 -0800 |
---|---|---|
committer | Robin H. Johnson <robbat2@gentoo.org> | 2017-02-21 13:46:15 -0800 |
commit | aaa42799b39bd2ad5a345ab28c71dac1a7a94664 (patch) | |
tree | 568924938a24c7ba3916f440ed30b333da908dd6 /sys-apps/man-db | |
parent | www-client/vivaldi: Old. (diff) | |
sys-apps/man-db: re-fix security bug #602588 because of comment #18.
Package-Manager: portage-2.3.3
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
Diffstat (limited to 'sys-apps/man-db')
-rw-r--r-- | sys-apps/man-db/files/man-db.cron | 9 | ||||
-rw-r--r-- | sys-apps/man-db/man-db-2.7.6.1-r2.ebuild | 109 |
2 files changed, 114 insertions, 4 deletions
diff --git a/sys-apps/man-db/files/man-db.cron b/sys-apps/man-db/files/man-db.cron
index ced63900fca6..d94e594d1acf 100644
--- a/sys-apps/man-db/files/man-db.cron
+++ b/sys-apps/man-db/files/man-db.cron
@@ -1,10 +1,11 @@
 #!/bin/sh
 # Use same perms/settings as the ebuild.
-if [ ! -d /var/cache/man ]; then
- mkdir -p /var/cache/man
- chown man:root /var/cache/man
- chmod 2755 /var/cache/man
+cachedir="/var/cache/man"
+if [ ! -d ${cachedir} ]; then
+ mkdir -p "${cachedir}"
+ chown man:man "${cachedir}"
+ chmod 0755 "${cachedir}"
 fi
 exec nice mandb --quiet
diff --git a/sys-apps/man-db/man-db-2.7.6.1-r2.ebuild b/sys-apps/man-db/man-db-2.7.6.1-r2.ebuild
new file mode 100644
index 000000000000..176e09719ea2
--- /dev/null
+++ b/sys-apps/man-db/man-db-2.7.6.1-r2.ebuild
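Review bot: The new `if [ ! -d ${cachedir} ]; then` leaves `${cachedir}` unquoted while every other use on the following lines quotes it; the value is a fixed literal without whitespace so it works today, but for consistency and to keep a later edit of the variable safe write `if [ ! -d "${cachedir}" ]; then`. The `mkdir -p` result is also unchecked, so if it fails the `chown`/`chmod` run against a missing path and `mandb` is still exec'd; chaining `mkdir -p "${cachedir}" && chown man:man "${cachedir}" && chmod 0755 "${cachedir}"` (or `set -e` under the shebang) stops at the first failure instead.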
@@ -0,0 +1,109 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit eutils user versionator
+
+DESCRIPTION="a man replacement that utilizes berkdb instead of flat files"
+HOMEPAGE="http://www.nongnu.org/man-db/"
+SRC_URI="mirror://nongnu/${PN}/${P}.tar.xz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~arm-linux ~x86-linux"
+IUSE="berkdb +gdbm +manpager nls selinux static-libs zlib"
+
+CDEPEND=">=dev-libs/libpipeline-1.4.0
+ berkdb? ( sys-libs/db:= )
+ gdbm? ( sys-libs/gdbm )
+ !berkdb? ( !gdbm? ( sys-libs/gdbm ) )
+ sys-apps/groff
+ zlib? ( sys-libs/zlib )
+ !sys-apps/man"
+DEPEND="${CDEPEND}
+ app-arch/xz-utils
+ virtual/pkgconfig
+ nls? (
+ >=app-text/po4a-0.45
+ sys-devel/gettext
+ )"
+RDEPEND="${CDEPEND}
+ selinux? ( sec-policy/selinux-mandb )
+"
+PDEPEND="manpager? ( app-text/manpager )"
+
+pkg_setup() {
+ # Create user now as Makefile in src_install does setuid/chown
+ enewgroup man 15
+ enewuser man 13 -1 /usr/share/man man
+
+ if (use gdbm && use berkdb) || (use !gdbm && use !berkdb) ; then #496150
+ ewarn "Defaulting to USE=gdbm due to ambiguous berkdb/gdbm USE flag settings"
+ fi
+}
+
+src_configure() {
+ export ac_cv_lib_z_gzopen=$(usex zlib)
+ econf \
+ --docdir='$(datarootdir)'/doc/${PF} \
+ --with-systemdtmpfilesdir="${EPREFIX}"/usr/lib/tmpfiles.d \
+ --enable-setuid \
+ --enable-cache-owner=man \
+ --with-sections="1 1p 8 2 3 3p 4 5 6 7 9 0p tcl n l p o 1x 2x 3x 4x 5x 6x 7x 8x" \
+ $(use_enable nls) \
+ $(use_enable static-libs static) \
+ --with-db=$(usex gdbm gdbm $(usex berkdb db gdbm))
+
+ # Disable color output from groff so that the manpager can add it. #184604
+ sed -i \
+ -e '/^#DEFINE.*\<[nt]roff\>/{s:^#::;s:$: -c:}' \
+ src/man_db.conf || die
+}
+
+src_install() {
+ default
+ dodoc docs/{HACKING,TODO}
+ prune_libtool_files
+
+ exeinto /etc/cron.daily
+ newexe "${FILESDIR}"/man-db.cron man-db #289884
+}
+
+pkg_preinst() {
+ local cachedir="${EROOT}var/cache/man"
+ # If the system was already exploited, and the attacker is hiding in the
+ # cachedir of the old man-db, let's wipe them out.
+ # see bug #602588 comment 18
+ local _replacing_version=
+ local _setgid_vuln=0
+ for _replacing_version in ${REPLACING_VERSIONS}; do
+ if version_is_at_least '2.7.6.1-r2' "${_replacing_version}"; then
+ debug-print "Skipping security bug #602588 ... existing installation (${_replacing_version}) should not be affected!"
+ else
+ _setgid_vuln=1
+ debug-print "Applying cleanup for security bug #602588"
+ fi
+ done
+ [[ ${_setgid_vuln} -eq 1 ]] && rm -rf "${cachedir}"
+
+ # Fall back to recreating the cachedir
+ if [[ ! -d ${cachedir} ]] ; then
+ mkdir -p "${cachedir}" || die
+ chown man:man "${cachedir}" || die
+ fi
+
+ # Update the whatis cache
+ if [[ -f ${cachedir}/whatis ]] ; then
+ einfo "Cleaning ${cachedir} from sys-apps/man"
+ find "${cachedir}" -type f '!' '(' -name index.bt -o -name index.db ')' -delete
+ fi
+}
+
+pkg_postinst() {
+ if [[ $(get_version_component_range 2 ${REPLACING_VERSIONS}) -lt 7 ]] ; then
+ einfo "Rebuilding man-db from scratch with new database format!"
+ mandb --quiet --create
+ fi
+}
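Review bot: The fallback branch in pkg_preinst recreates `${cachedir}` with `mkdir -p` and `chown man:man` but never sets its mode, so the resulting permissions depend on the installing process's umask, whereas the man-db.cron helper in the same commit explicitly applies `chmod 0755`. Since this revision's point is to replace the 2755 man:root cache directory with a fixed 0755 man:man one, the ebuild should pin the mode as well: add `chmod 0755 "${cachedir}" || die` after the `chown`. The `rm -rf "${cachedir}"` cleanup a few lines earlier is likewise unchecked, so a failure there silently leaves a possibly-tampered cache in place; `{ rm -rf "${cachedir}" || die; }` would surface it. pkg_preinst lies entirely within the hunk.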