gentoo resync : 29.10.2017

4 files changed, 183 insertions, 17 deletions

diff --git a/sys-apps/pacman/Manifest b/sys-apps/pacman/Manifest
index aead3f0385a1..66673cad829e 100644
--- a/sys-apps/pacman/Manifest
+++ b/sys-apps/pacman/Manifest
@@ -1,5 +1,6 @@
+AUX pacman-5.0.2-CVE-2016-5434.patch 3938 SHA256 e09d8db1c0d7f9c3517a46693b987899e812eed6b264149f736f87d23219fd28 SHA512 432922e485a2aa1d82d7654c615333bfd8ff74c89fcb3fa5728618d8947175172e043ae231c7bf04387a0770421ccf96bb0d492a061b4da12ea7f212fe07ca30 WHIRLPOOL 247c7930f58f7e4f0e682826cfb762afbece8b14cd0bd3ae04619712f986bf414b202d91c548ae72c78992dd40ba52089c86654705ffeeb861dc22fce7caf593
 DIST pacman-5.0.2.tar.gz 3361701 SHA256 dfd36086ad68564bcd977f4a1fafe51dd328acd4a95093ac4bf1249be9c41f0e SHA512 94a8cce1a52d2365a993c72f16537f4dbea6100feb8f22e8782cc7d2c1ef8a525a63f3c40bb183294c0faedcc743e3d806d2fc3c50a21ab9b03df2910039d628 WHIRLPOOL 2419486287d1ce26d97b3ad53513b4699d876cf5823f65b10d60d8f1df6b2150bc1b742677a60891dccc32bb2105a9a9bb10b58950f5403d0bd64859b0b8640b
-EBUILD pacman-5.0.2.ebuild 2282 SHA256 5a8fce3bd79e1b0fd3253920e875bf84ec0e84acd62c73140a2fdfa03da9d19c SHA512 0c881114145f65dee9b9bf8d85a7fd1310a7831c4177a9908f5ca5f3aa146e13d0e21e95acf9c1115c4c6e43acaa2d1fd558174826a74d218f4e87f84ae06f80 WHIRLPOOL a74b8fa87187d3ee22d937b70e2d71f1579cd3e48c876b361b3c48ee583b73130b7f4493b8d47d95c6788dfc49d3e34f95c5fce81622b7851fa663e1261d37ec
+EBUILD pacman-5.0.2-r1.ebuild 2952 SHA256 4d3361d5cf06380b932efbeeed12b3026526613e0965bbbb6758df87afe78496 SHA512 451a898cef0974bd1ec2967dfc6d121021cf3176fc3632f4fa4851875d0ea16bb8bebb221cc759f9c9c18b8d9682ca000204da0ad106b83e35ed5c1b6e050695 WHIRLPOOL ade67e691038337a83e12830506b22df46c0cd975d3f335f18ae1a45ffffbdc390b18f9af3902347dfb019bc02e5a08c555f9e81994105a95be71cc9ae808301
 MISC ChangeLog 2435 SHA256 26810ec8f60f84ae82db2eb984c5baaad1dd9e4076186e8828a69a94e77cda49 SHA512 06cb7f8b965bc7f68defd5c8aece4e42a7e36fd683d0ada55cc2763f51edf04bd0b088eead32bdba7c64a226d76adc19f173753309e90ec38655794fd2bcd55a WHIRLPOOL 7c47e10bb06b7816a5664b7b2ed7fd8616a19650f01c89eb36e09155392330fa221fbad95bf51ebe53fe98df889d210af40b06ed7b3f65437e608e1f64ed71fc
 MISC ChangeLog-2015 2764 SHA256 81556673523a44e3506ece515916d6817fb2da67e2bf66a1b9b73070e5936c5b SHA512 050bc1d6055e9d7658f685cf20c5896da296641ea801c4bde46e24ef66912b9066ee308f7121bc4136dafc528a18f43908c131575e1e3017dd435402b62b11ae WHIRLPOOL b2be033315bfbad356fe5812ca716838f543cb08e670985223dea36b81e85aec26080060b56dad43f8d666c60837f1bace8dd60239a9b98399fb9a8076eaf845
-MISC metadata.xml 799 SHA256 e11079a73d41829033ae30503ae71485a8019dfd84705627fd92f0aa1dfd03b6 SHA512 268cdde83c8ed3c9ca7729c8e0348e4fe18cff5bc5e56a492d87c73aaadf50a02afebbf80370a8ae5b570cc6f6d12ea385669747ddedc173506db778c2538533 WHIRLPOOL 593539e3423fdf49606d5ed76ae8f4fc855e0d56e7c7772dc4ac282d1483d95e62b3b43e5996375ad8bbfd0868dd7eacfb07c29eccf805b964f47d982e3ed1f3
+MISC metadata.xml 874 SHA256 cc1e76531c3680df302be7023c0deb7bb1ae0bffa84f5afe7f8123694d35ef2c SHA512 ae1e64b32f52880904150c58367e119313a679e49504e9ad19b3d1fbe59b9f6a008ff7319802197002102f1112a43ab17cb1c78b3babacae12e38c9a04e481c3 WHIRLPOOL d748166334074fb5c26719e2a768f561ccfa40d9a3a3e42aaa80e2365ee55ee2fcaa82e52bba7820d96eb148569022e0399ec83aee6521c66c7fcb54c9a4f3c2
diff --git a/sys-apps/pacman/files/pacman-5.0.2-CVE-2016-5434.patch b/sys-apps/pacman/files/pacman-5.0.2-CVE-2016-5434.patch
new file mode 100644
index 000000000000..c245cb78dcbc
--- /dev/null
+++ b/sys-apps/pacman/files/pacman-5.0.2-CVE-2016-5434.patch
@@ -0,0 +1,136 @@
+From bf84fd00d3ac1ae2a43dac57f7ef689ef2e8b8aa Mon Sep 17 00:00:00 2001
+From: Nils Freydank <holgersson@posteo.de>
+Date: Fri, 20 Oct 2017 22:30:33 +0200
+Subject: [PATCH] Fix CVE-2016-5434 (DoS/loop and out of boundary read)
+
+This is a rewrite of Tobias Stoeckmann’s patch from June 2016[1] using
+functions instead of macros. (Thanks to Tobias for explanations of his patch.)
+A short question on Freenode IRC showed that macros are generally discouraged
+and functions should be used.
+
+The patch introduces a static size_t length_check() in libalpm/signing.c.
+
+[1] Original patch:
+https://lists.archlinux.org/pipermail/pacman-dev/2016-June/021148.html
+CVE request (and assignment):
+http://seclists.org/oss-sec/2016/q2/526
+---
+ This patch is provided to upstream, but not merged (2017-10-25).
+
+ lib/libalpm/signing.c | 48 ++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 44 insertions(+), 4 deletions(-)
+
+diff --git a/lib/libalpm/signing.c b/lib/libalpm/signing.c
+index 95cb3280..51b11df6 100644
+--- a/lib/libalpm/signing.c
++++ b/lib/libalpm/signing.c
+@@ -986,6 +986,19 @@ int SYMEXPORT alpm_siglist_cleanup(alpm_siglist_t *siglist)
+ 	return 0;
+ }
+ 
++/* Check to avoid out of boundary reads */
++static size_t length_check(size_t length, size_t position, size_t a,
++		alpm_handle_t *handle, const char *identifier)
++{
++	if( a == 0 || length - position <= a) {
++		_alpm_log(handle, ALPM_LOG_ERROR,
++		_("%s: signature format error"), identifier);
++		return -1;
++	} else {
++		return 0;
++	}
++}
++
+ /**
+  * Extract the Issuer Key ID from a signature
+  * @param sig PGP signature
+@@ -1022,16 +1035,25 @@ int SYMEXPORT alpm_extract_keyid(alpm_handle_t *handle, const char *identifier,
+ 
+ 		switch(sig[pos] & 0x03) {
+ 			case 0:
++				if(length_check(len, pos, 2, handle, identifier) != 0) {
++					return -1;
++				}
+ 				blen = sig[pos + 1];
+ 				pos = pos + 2;
+ 				break;
+ 
+ 			case 1:
++				if(length_check(len, pos, 3, handle, identifier)) {
++					return -1;
++				}
+ 				blen = (sig[pos + 1] << 8) | sig[pos + 2];
+ 				pos = pos + 3;
+ 				break;
+ 
+ 			case 2:
++				if(length_check(len, pos, 5, handle, identifier)) {
++					return -1;
++				}
+ 				blen = (sig[pos + 1] << 24) | (sig[pos + 2] << 16) | (sig[pos + 3] << 8) | sig[pos + 4];
+ 				pos = pos + 5;
+ 				break;
+@@ -1059,7 +1081,16 @@ int SYMEXPORT alpm_extract_keyid(alpm_handle_t *handle, const char *identifier,
+ 
+ 		pos = pos + 4;
+ 
++		/* pos got changed above, so an explicit check is necessary
++		 * check for 2 as that catches another some lines down */
++		if(length_check(len, pos, 2, handle, identifier)) {
++			return -1;
++		}
+ 		hlen = (sig[pos] << 8) | sig[pos + 1];
++
++		if(length_check(len, pos, hlen + 2, handle, identifier)) {
++			return -1;
++		}
+ 		pos = pos + hlen + 2;
+ 
+ 		ulen = (sig[pos] << 8) | sig[pos + 1];
+@@ -1072,30 +1103,39 @@ int SYMEXPORT alpm_extract_keyid(alpm_handle_t *handle, const char *identifier,
+ 				slen = sig[spos];
+ 				spos = spos + 1;
+ 			} else if(sig[spos] < 255) {
++				if(length_check(pos + ulen, spos, 2, handle, identifier)){
++					return -1;
++				}
+ 				slen = (sig[spos] << 8) | sig[spos + 1];
+ 				spos = spos + 2;
+ 			} else {
++				/* check for pos and spos, as spos is still pos */
++				if(length_check(len, pos, 5, handle, identifier)) {
++					return -1;
++				}
+ 				slen = (sig[spos + 1] << 24) | (sig[spos + 2] << 16) | (sig[spos + 3] << 8) | sig[spos + 4];
+ 				spos = spos + 5;
+ 			}
+-
+ 			if(sig[spos] == 16) {
+ 				/* issuer key ID */
+ 				char key[17];
+ 				size_t i;
++				if(length_check(pos + ulen, spos, 8, handle, identifier)) {
++					return -1;
++				}
+ 				for (i = 0; i < 8; i++) {
+ 					sprintf(&key[i * 2], "%02X", sig[spos + i + 1]);
+ 				}
+ 				*keys = alpm_list_add(*keys, strdup(key));
+ 				break;
+ 			}
+-
++			if(length_check(pos + ulen + 1, spos, slen, handle, identifier)) {
++				return -1;
++			}
+ 			spos = spos + slen;
+ 		}
+-
+ 		pos = pos + (blen - hlen - 8);
+ 	}
+-
+ 	return 0;
+ }
+ 
+-- 
+2.14.2
+
diff --git a/sys-apps/pacman/metadata.xml b/sys-apps/pacman/metadata.xml
index 24ba8965c722..2eb4eff00bb6 100644
--- a/sys-apps/pacman/metadata.xml
+++ b/sys-apps/pacman/metadata.xml
@@ -14,6 +14,9 @@
 		<email>proxy-maint@gentoo.org</email>
 		<name>Proxy Maintainers</name>
 	</maintainer>
+	<slots>
+		<subslots>Reflect major ABI of libalpm.so.</subslots>
+	</slots>
 	<use>
 		<flag name="doc">Install extended documentation using <pkg>app-doc/doxygen</pkg>. (Man pages are included by default.)</flag>
 		<flag name="gpg">Enable GPG signature verification using <pkg>app-crypt/gpgme</pkg></flag>
diff --git a/sys-apps/pacman/pacman-5.0.2.ebuild b/sys-apps/pacman/pacman-5.0.2-r1.ebuild
index 2cea26f9fc53..f60a609779c2 100644
--- a/sys-apps/pacman/pacman-5.0.2.ebuild
+++ b/sys-apps/pacman/pacman-5.0.2-r1.ebuild
@@ -5,9 +5,13 @@ EAPI="6"
 
 PYTHON_COMPAT=( python2_7 )
 
+inherit autotools
+
 DESCRIPTION="Archlinux's binary package manager"
 HOMEPAGE="https://archlinux.org/pacman/"
 
+PATCHES=()
+
 if [[ ${PV} == "9999" ]]; then
 	inherit git-r3
 	EGIT_REPO_URI="https://git.archlinux.org/pacman.git"
@@ -16,12 +20,14 @@ else
 	# Do *not* re-add ~x86!
 	# https://www.archlinux.org/news/phasing-out-i686-support/
 	KEYWORDS="~amd64"
+
+	PATCHES+=( "${FILESDIR}"/${PN}-5.0.2-CVE-2016-5434.patch )
 fi
 
 LICENSE="GPL-2"
-SLOT="0"
+SLOT="0/10"
 
-IUSE="curl debug doc +gpg"
+IUSE="curl debug doc +gpg test"
 COMMON_DEPEND="app-arch/libarchive:=[lzma]
 	gpg? ( >=app-crypt/gpgme-1.4.0:= )
 	dev-libs/openssl:0=
@@ -29,17 +35,23 @@ COMMON_DEPEND="app-arch/libarchive:=[lzma]
 	virtual/libiconv
 	virtual/libintl"
 RDEPEND="${COMMON_DEPEND}"
-# create manpages *everytime*
+
 DEPEND="${COMMON_DEPEND}
 	app-text/asciidoc
-	doc? ( app-doc/doxygen )"
+	doc? ( app-doc/doxygen )
+	test? ( sys-apps/fakeroot
+	sys-apps/fakechroot )"
+
+# workaround until tests are fixed/sorted out
+RESTRICT="test"
 
 src_prepare() {
-	# Remove a line that adds -Werror in ./configure when --enable-debug
-	# is passed:
+	# Remove a line that adds "-Werror" in ./configure when
+	# "--enable-debug" is passed:
 	sed -i -e '/-Werror/d' configure.ac || die
 
 	default
+	eautoreconf
 }
 
 src_configure() {
@@ -51,8 +63,6 @@ src_configure() {
 		# in its foot.
 		--with-root-dir="${EPREFIX}/var/chroot/archlinux"
 		$(use_enable debug)
-		# build always manpages
-		--with-doc
 		# full doc with doxygen
 		$(use_enable doc doxygen)
 		$(use_with curl libcurl)
@@ -60,27 +70,43 @@ src_configure() {
 	)
 	econf "${myeconfargs[@]}"
 }
+
+src_compile() {
+	default
+
+	emake -C contrib
+}
+
 src_install() {
 	dodir /etc/pacman.d/
+	# contributed parts, i.e. not pacman itself, but useful helpers and some templates and basic docs
+	dobin "${S}"/contrib/{bacman,checkupdates,pac{cache,diff,list,log-pkglist,scripts,search},rankmirrors,updpkgsums}
+	newdoc "${S}"/contrib/README contrib-README
+	dodoc "${S}"/contrib/PKGBUILD.vim
+	# create /var/chroot/archlinux
+	# see bug #631754
+	dodir /var/chroot/archlinux
+
 	default
+	# avoid creating stuff inside /var/cache/
+	# see bug #633742 for more information
+	rm -r "${D}"/var/cache/pacman
 }
 
 pkg_postinst() {
 	einfo ""
 	einfo "The default root dir was set to ${EPREFIX}/var/chroot/archlinux"
 	einfo "to avoid breaking Gentoo systems due to oscitancy."
-	einfo "You need to create this path by yourself (or choose another via"
+	einfo "If you prefer another directory, take a look at"
 	einfo "pacman’s parameter -r|--root)."
 	einfo ""
-	einfo ""
 	einfo "You will need to setup at least one mirror in /etc/pacman.d/mirrorlist."
 	einfo "Please generate it manually according to the Archlinux documentation:"
 	einfo "https://wiki.archlinux.org/index.php/Mirror"
 	einfo ""
-	einfo ""
-	einfo "Archlinux is dropping support for x86 (i686 called there) entirely"
-	einfo "in Nov 2017. Keep this in mind when setting up new systems."
-	einfo "For more details see"
-	einfo "https://www.archlinux.org/news/phasing-out-i686-support"
+	ewarn "Archlinux is dropping support for x86 (i686 called there) entirely"
+	ewarn "in Nov 2017. Please keep this in mind when setting up new systems."
+	ewarn "For more details see"
+	ewarn "https://www.archlinux.org/news/phasing-out-i686-support"
 	einfo ""
 }