commit: 0fd94449ab622b0de7e70b8c47cada64dd0349e7 Author: Jeremi Piotrowski <jpiotrowski <AT> microsoft <DOT> com> AuthorDate: Tue Aug 24 13:26:41 2021 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Sat Sep 18 23:43:51 2021 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0fd94449
sys-auth/sssd: add patch for CVE-2021-3621 for 2.3.1 This is a backport of https://github.com/SSSD/sssd/pull/5748 adapted to 2.3.1. A change was necessary: src/tools/sssctl/sssctl_logs.c wasn't passing '--no-create' to truncate in 2.3.1 yet. [sam@: moved file to devspace due to patch size] Bug: https://bugs.gentoo.org/808911 Signed-off-by: Jeremi Piotrowski <jpiotrowski <AT> microsoft.com> Closes: https://github.com/gentoo/gentoo/pull/22159 Signed-off-by: Sam James <sam <AT> gentoo.org> sys-auth/sssd/Manifest | 1 + sys-auth/sssd/sssd-2.3.1-r3.ebuild | 290 +++++++++++++++++++++++++++++++++++++ 2 files changed, 291 insertions(+) diff --git a/sys-auth/sssd/Manifest b/sys-auth/sssd/Manifest index 3143bfe9821..cb3f830192c 100644 --- a/sys-auth/sssd/Manifest +++ b/sys-auth/sssd/Manifest @@ -1,2 +1,3 @@ +DIST sssd-2.3.1-CVE-2021-3621.patch.bz2 3174 BLAKE2B 201c51fff92dd17d9517834e59a12422850ee3c5aab1efff51bcdc5b82521516589271222b6be36d12da2a388d122d37e9f455d593f22551ba9ea58ead694b49 SHA512 faffe46b710e3f8b2db54fc4f637b176b72f6bc31a2d5d1cae7a5ffc81609c4faa5decee1d6db4b2bf87451677c8eda068e153e38755f013afbce982daf58f65 DIST sssd-2.3.1.tar.gz 7186526 BLAKE2B 6d630fe75b9b426ef54adbe1704fde8e01fc34df7861028c07ce2985db8a151ce743d633061386fea6460fe8eabb89242b816d4bac87975bb9b7b2064ad1d547 SHA512 6aeb52d5222c5992d581296996749327bcaf276e4eb4413a6a32ea6529343432cfe413006aca4245c19b38b515be1c4c2ef88a157c617d889274179253355bc6 DIST sssd-2.5.2.tar.gz 7579208 BLAKE2B ec5d9aeaf5b5e05b56c01f9137f6f24db05544dbd48458d742285b60e7beb6d48af865f3415e11ce89e187f4643bbecf15bbb321859ec80cfe458eb781cea6c9 SHA512 a9bac7b2cc23022dce3bcda314c9c26a0a0914c448f6d5a51c5ba18670f04c1fd1a94cb20173235b6285df1dcc9251cb6b3f3e71a220037b4eb66668e6f33c48 diff --git a/sys-auth/sssd/sssd-2.3.1-r3.ebuild b/sys-auth/sssd/sssd-2.3.1-r3.ebuild new file mode 100644 index 00000000000..4df7454beca --- /dev/null +++ b/sys-auth/sssd/sssd-2.3.1-r3.ebuild @@ -0,0 +1,290 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +PYTHON_COMPAT=( python3_{7,8,9} ) + +inherit autotools flag-o-matic linux-info multilib-minimal python-single-r1 pam systemd toolchain-funcs + +DESCRIPTION="System Security Services Daemon provides access to identity and authentication" +HOMEPAGE="https://github.com/SSSD/sssd"; +SRC_URI="https://github.com/SSSD/sssd/releases/download/${PN}-${PV//./_}/${P}.tar.gz"; +SRC_URI+=" https://dev.gentoo.org/~sam/distfiles/${CATEGORY}/${PN}/${P}-CVE-2021-3621.patch.bz2"; + +LICENSE="GPL-3" +SLOT="0" +KEYWORDS="amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc x86" +IUSE="acl doc +locator +netlink nfsv4 nls +man pac python samba selinux sudo systemd test valgrind" +RESTRICT="!test? ( test )" + +REQUIRED_USE="pac? ( samba ) + python? ( ${PYTHON_REQUIRED_USE} )" + +DEPEND=" + >=app-crypt/mit-krb5-1.10.3 + app-crypt/p11-kit + >=dev-libs/ding-libs-0.2 + dev-libs/glib:2 + >=dev-libs/cyrus-sasl-2.1.25-r3[kerberos] + >=dev-libs/libpcre-8.30:= + >=dev-libs/popt-1.16 + >=dev-libs/openssl-1.0.2:0= + >=net-dns/bind-tools-9.9[gssapi] + >=net-dns/c-ares-1.7.4 + >=net-nds/openldap-2.4.30[sasl] + >=sys-apps/dbus-1.6 + >=sys-apps/keyutils-1.5:= + >=sys-libs/pam-0-r1[${MULTILIB_USEDEP}] + >=sys-libs/talloc-2.0.7 + >=sys-libs/tdb-1.2.9 + >=sys-libs/tevent-0.9.16 + >=sys-libs/ldb-1.1.17-r1:= + virtual/libintl + locator? ( + >=app-crypt/mit-krb5-1.12.2[${MULTILIB_USEDEP}] + >=net-dns/c-ares-1.10.0-r1[${MULTILIB_USEDEP}] + ) + acl? ( net-fs/cifs-utils[acl] ) + netlink? ( dev-libs/libnl:3 ) + nfsv4? ( || ( >=net-fs/nfs-utils-2.3.1-r2 net-libs/libnfsidmap ) ) + nls? ( >=sys-devel/gettext-0.18 ) + pac? ( + app-crypt/mit-krb5[${MULTILIB_USEDEP}] + net-fs/samba + ) + python? ( ${PYTHON_DEPS} ) + samba? ( >=net-fs/samba-4.10.2[winbind] ) + selinux? ( + >=sys-libs/libselinux-2.1.9 + >=sys-libs/libsemanage-2.1 + ) + systemd? ( + dev-libs/jansson:0= + net-libs/http-parser:0= + net-misc/curl:0= + )" +RDEPEND="${DEPEND} + >=sys-libs/glibc-2.17[nscd] + selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 )" +BDEPEND=">=sys-devel/autoconf-2.69-r5 + virtual/pkgconfig + doc? ( app-doc/doxygen ) + test? ( + dev-libs/check + dev-libs/softhsm:2 + dev-util/cmocka + net-libs/gnutls[pkcs11,tools] + sys-libs/libfaketime + sys-libs/nss_wrapper + sys-libs/pam_wrapper + sys-libs/uid_wrapper + valgrind? ( dev-util/valgrind ) + ) + man? ( + app-text/docbook-xml-dtd:4.4 + >=dev-libs/libxslt-1.1.26 + nls? ( app-text/po4a ) + )" + +CONFIG_CHECK="~KEYS" + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/ipa_hbac.h + /usr/include/sss_idmap.h + /usr/include/sss_nss_idmap.h + # --with-ifp + /usr/include/sss_sifp.h + /usr/include/sss_sifp_dbus.h + # from 1.15.3 + /usr/include/sss_certmap.h +) + +PATCHES=( + "${FILESDIR}"/${P}-test_ca-Look-for-libsofthsm2.so-in-usr-libdir-sofths.patch + "${WORKDIR}"/${P}-CVE-2021-3621.patch +) + +pkg_setup() { + linux-info_pkg_setup +} + +src_prepare() { + sed -i 's:/var/run:/run:' \ + "${S}"/src/examples/logrotate || die + + default + eautoreconf + multilib_copy_sources + if use python && multilib_is_native_abi; then + python_setup + fi +} + +src_configure() { + local native_dbus_cflags=$($(tc-getPKG_CONFIG) --cflags dbus-1) + + multilib-minimal_src_configure +} + +multilib_src_configure() { + local myconf=() + + myconf+=( + --localstatedir="${EPREFIX}"/var + --runstatedir="${EPREFIX}"/run + --with-pid-path="${EPREFIX}"/run + --with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd + --enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir) + --with-ldb-lib-dir="${EPREFIX}"/usr/$(get_libdir)/samba/ldb + --with-db-path="${EPREFIX}"/var/lib/sss/db + --with-gpo-cache-path="${EPREFIX}"/var/lib/sss/gpo_cache + --with-pubconf-path="${EPREFIX}"/var/lib/sss/pubconf + --with-pipe-path="${EPREFIX}"/var/lib/sss/pipes + --with-mcache-path="${EPREFIX}"/var/lib/sss/mc + --with-secrets-db-path="${EPREFIX}"/var/lib/sss/secrets + --with-log-path="${EPREFIX}"/var/log/sssd + --with-os=gentoo + --with-nscd="${EPREFIX}"/usr/sbin/nscd + --with-unicode-lib="glib2" + --disable-rpath + --sbindir=/usr/sbin + --with-crypto="libcrypto" + --enable-local-provider + $(multilib_native_use_with systemd kcm) + $(multilib_native_use_with systemd secrets) + $(use_with samba) + --with-smb-idmap-interface-version=6 + $(multilib_native_use_enable acl cifs-idmap-plugin) + $(multilib_native_use_with selinux) + $(multilib_native_use_with selinux semanage) + $(use_enable locator krb5-locator-plugin) + $(use_enable pac pac-responder) + $(multilib_native_use_with nfsv4 nfsv4-idmapd-plugin) + $(use_enable nls) + $(multilib_native_use_with netlink libnl) + $(multilib_native_use_with man manpages) + $(multilib_native_use_with sudo) + $(multilib_native_with autofs) + $(multilib_native_with ssh) + $(use_enable valgrind) + --without-python2-bindings + $(multilib_native_use_with python python3-bindings) + ) + + # Annoyingly configure requires that you pick systemd XOR sysv + if use systemd; then + myconf+=( + --with-initscript="systemd" + --with-systemdunitdir=$(systemd_get_systemunitdir) + ) + else + myconf+=(--with-initscript="sysv") + fi + + if ! multilib_is_native_abi; then + # work-around all the libraries that are used for CLI and server + myconf+=( + {POPT,TALLOC,TDB,TEVENT,LDB}_{CFLAGS,LIBS}=' ' + # ldb headers are fine since native needs it + # ldb lib fails... but it does not seem to bother + {DHASH,COLLECTION,INI_CONFIG_V{0,1,1_1,1_3}}_{CFLAGS,LIBS}=' ' + {PCRE,CARES,SYSTEMD_LOGIN,SASL,GLIB2,DBUS,CRYPTO,P11_KIT}_{CFLAGS,LIBS}=' ' + {NDR_NBT,SMBCLIENT,NDR_KRB5PAC}_{CFLAGS,LIBS}=' ' + + # use native include path for dbus (needed for build) + DBUS_CFLAGS="${native_dbus_cflags}" + + # non-pkgconfig checks + ac_cv_lib_ldap_ldap_search=yes + --without-secrets + --without-kcm + ) + fi + + econf "${myconf[@]}" +} + +multilib_src_compile() { + if multilib_is_native_abi; then + default + use doc && emake docs + if use man || use nls; then + emake update-po + fi + else + emake libnss_sss.la pam_sss.la + use locator && emake sssd_krb5_locator_plugin.la + use pac && emake sssd_pac_plugin.la + fi +} + +multilib_src_install() { + if multilib_is_native_abi; then + emake -j1 DESTDIR="${D}" "${_at_args[@]}" install + if use python; then + python_optimize + python_fix_shebang "${ED}" + fi + + else + # easier than playing with automake... + dopammod .libs/pam_sss.so + + into / + dolib.so .libs/libnss_sss.so* + + if use locator; then + exeinto /usr/$(get_libdir)/krb5/plugins/libkrb5 + doexe .libs/sssd_krb5_locator_plugin.so + fi + + if use pac; then + exeinto /usr/$(get_libdir)/krb5/plugins/authdata + doexe .libs/sssd_pac_plugin.so + fi + fi +} + +multilib_src_install_all() { + einstalldocs + find "${ED}" -type f -name '*.la' -delete || die + + insinto /etc/sssd + insopts -m600 + doins "${S}"/src/examples/sssd-example.conf + + insinto /etc/logrotate.d + insopts -m644 + newins "${S}"/src/examples/logrotate sssd + + newconfd "${FILESDIR}"/sssd.conf sssd + + keepdir /var/lib/sss/db + keepdir /var/lib/sss/deskprofile + keepdir /var/lib/sss/gpo_cache + keepdir /var/lib/sss/keytabs + keepdir /var/lib/sss/mc + keepdir /var/lib/sss/pipes/private + keepdir /var/lib/sss/pubconf/krb5.include.d + keepdir /var/lib/sss/secrets + keepdir /var/log/sssd + + # strip empty dirs + if ! use doc ; then + rm -r "${ED}"/usr/share/doc/"${PF}"/doc || die + rm -r "${ED}"/usr/share/doc/"${PF}"/{hbac,idmap,nss_idmap,sss_simpleifp}_doc || die + fi + + rm -r "${ED}"/run || die +} + +multilib_src_test() { + multilib_is_native_abi && emake check +} + +pkg_postinst() { + elog "You must set up sssd.conf (default installed into /etc/sssd)" + elog "and (optionally) configuration in /etc/pam.d in order to use SSSD" + elog "features. Please see howto in https://sssd.io/docs/design_pages/smartcard_authentication_require.html"; +}
