commit: 56242b0f136e683c90c0fd1c704a39d1c2869366
Author: Marc Schiffbauer <mschiff <AT> gentoo <DOT> org>
AuthorDate: Wed Mar 23 23:29:50 2016 +0000
Commit: Marc Schiffbauer <mschiff <AT> gentoo <DOT> org>
CommitDate: Thu Mar 24 00:24:33 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=56242b0f
net-dns/opendnssec: revbump 1.3.18-r1 to fix bug #445172
Package-Manager: portage-2.2.28
...nssec-1.3.18-eppclient-curl-CVE-2012-5582.patch | 12 ++
net-dns/opendnssec/opendnssec-1.3.18-r1.ebuild | 204 +++++++++++++++++++++
2 files changed, 216 insertions(+)
diff --git
a/net-dns/opendnssec/files/opendnssec-1.3.18-eppclient-curl-CVE-2012-5582.patch
b/net-dns/opendnssec/files/opendnssec-1.3.18-eppclient-curl-CVE-2012-5582.patch
new file mode 100644
index 0000000..a0676dd
--- /dev/null
+++
b/net-dns/opendnssec/files/opendnssec-1.3.18-eppclient-curl-CVE-2012-5582.patch
@@ -0,0 +1,12 @@
+diff -urN opendnssec-1.3.18.orig/plugins/eppclient/src/epp.c
opendnssec-1.3.18/plugins/eppclient/src/epp.c
+--- opendnssec-1.3.18.orig/plugins/eppclient/src/epp.c 2014-07-21
11:16:10.000000000 +0200
++++ opendnssec-1.3.18/plugins/eppclient/src/epp.c 2016-03-23
22:25:18.679354984 +0100
+@@ -390,7 +390,7 @@
+ curl_easy_setopt(curl, CURLOPT_URL, url);
+ curl_easy_setopt(curl, CURLOPT_CONNECT_ONLY, 1L);
+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
+- curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1L);
++ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
+ curl_easy_setopt(curl, CURLOPT_USE_SSL, CURLUSESSL_ALL);
+ curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, curlerr);
+ curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 1L);
diff --git a/net-dns/opendnssec/opendnssec-1.3.18-r1.ebuild
b/net-dns/opendnssec/opendnssec-1.3.18-r1.ebuild
new file mode 100644
index 0000000..0f38b64
--- /dev/null
+++ b/net-dns/opendnssec/opendnssec-1.3.18-r1.ebuild
@@ -0,0 +1,204 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+MY_P="${P/_}"
+PKCS11_IUSE="+softhsm opensc external-hsm"
+inherit base autotools multilib user
+
+DESCRIPTION="An open-source turn-key solution for DNSSEC"
+HOMEPAGE="http://www.opendnssec.org/";
+SRC_URI="http://www.${PN}.org/files/source/${MY_P}.tar.gz";
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="-auditor +curl debug doc eppclient mysql +signer +sqlite test
${PKCS11_IUSE}"
+
+RDEPEND="
+ dev-lang/perl
+ dev-libs/libxml2
+ dev-libs/libxslt
+ net-libs/ldns
+ curl? ( net-misc/curl )
+ mysql? (
+ virtual/mysql
+ dev-perl/DBD-mysql
+ )
+ opensc? ( dev-libs/opensc )
+ softhsm? ( dev-libs/softhsm )
+ sqlite? (
+ dev-db/sqlite:3
+ dev-perl/DBD-SQLite
+ )
+"
+DEPEND="${RDEPEND}
+ doc? ( app-doc/doxygen )
+ test? (
+ app-text/trang
+ )
+"
+# test? dev-util/cunit # Requires running test DB
+
+REQUIRED_USE="
+ ^^ ( mysql sqlite )
+ ^^ ( softhsm opensc external-hsm )
+ eppclient? ( curl )
+"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-fix-localstatedir.patch"
+ "${FILESDIR}/${PN}-fix-run-dir.patch"
+ "${FILESDIR}/${PN}-1.3.14-drop-privileges.patch"
+ "${FILESDIR}/${PN}-1.3.14-use-system-trang.patch"
+ "${FILESDIR}/${PN}-1.3.18-eppclient-curl-CVE-2012-5582.patch"
+)
+
+S="${WORKDIR}/${MY_P}"
+
+DOCS=( MIGRATION NEWS )
+
+check_pkcs11_setup() {
+ # PKCS#11 HSM's are often only available with proprietary drivers not
+ # available in portage tree.
+
+ if use softhsm; then
+ PKCS11_LIB=softhsm
+ if has_version ">=dev-libs/softhsm-1.3.1"; then
+ PKCS11_PATH=/usr/$(get_libdir)/softhsm/libsofthsm.so
+ else
+ PKCS11_PATH=/usr/$(get_libdir)/libsofthsm.so
+ fi
+ elog "Building with SoftHSM PKCS#11 library support."
+ fi
+ if use opensc; then
+ PKCS11_LIB=opensc
+ PKCS11_PATH=/usr/$(get_libdir)/opensc-pkcs11.so
+ elog "Building with OpenSC PKCS#11 library support."
+ fi
+ if use external-hsm; then
+ if [[ -n ${PKCS11_SCA6000} ]]; then
+ PKCS11_LIB=sca6000
+ PKCS11_PATH=${PKCS11_SCA6000}
+ elif [[ -n ${PKCS11_ETOKEN} ]]; then
+ PKCS11_LIB=etoken
+ PKCS11_PATH=${PKCS11_ETOKEN}
+ elif [[ -n ${PKCS11_NCIPHER} ]]; then
+ PKCS11_LIB=ncipher
+ PKCS11_PATH=${PKCS11_NCIPHER}
+ elif [[ -n ${PKCS11_AEPKEYPER} ]]; then
+ PKCS11_LIB=aepkeyper
+ PKCS11_PATH=${PKCS11_AEPKEYPER}
+ else
+ ewarn "You enabled USE flag 'external-hsm' but did not
specify a path to a PKCS#11"
+ ewarn "library. To set a path, set one of the following
environment variables:"
+ ewarn " for Sun Crypto Accelerator 6000, set:
PKCS11_SCA6000=<path>"
+ ewarn " for Aladdin eToken, set: PKCS11_ETOKEN=<path>"
+ ewarn " for Thales/nCipher netHSM, set:
PKCS11_NCIPHER=<path>"
+ ewarn " for AEP Keyper, set: PKCS11_AEPKEYPER=<path>"
+ ewarn "Example:"
+ ewarn "
PKCS11_ETOKEN=\"/opt/etoken/lib/libeTPkcs11.so\" emerge -pv opendnssec"
+ ewarn "or store the variable into /etc/make.conf"
+ die "USE flag 'external-hsm' set but no PKCS#11 library
path specified."
+ fi
+ elog "Building with external PKCS#11 library support
($PKCS11_LIB): ${PKCS11_PATH}"
+ fi
+}
+
+pkg_pretend() {
+ local i
+
+ for i in eppclient mysql; do
+ if use ${i}; then
+ ewarn
+ ewarn "Usage of ${i} is considered experimental."
+ ewarn "Do not report bugs against this feature."
+ ewarn
+ fi
+ done
+
+ check_pkcs11_setup
+}
+
+pkg_setup() {
+ enewgroup opendnssec
+ enewuser opendnssec -1 -1 -1 opendnssec
+
+ # pretend does not preserve variables so we need to run this once more
+ check_pkcs11_setup
+}
+
+src_prepare() {
+ base_src_prepare
+ eautoreconf
+}
+
+src_configure() {
+ # $(use_with test cunit "${EPREFIX}/usr/") \
+ econf \
+ --without-cunit \
+ --localstatedir="${EPREFIX}/var/" \
+ --disable-static \
+ --with-database-backend=$(use mysql && echo "mysql")$(use
sqlite && echo "sqlite3") \
+ --with-pkcs11-${PKCS11_LIB}=${PKCS11_PATH} \
+ --disable-auditor \
+ $(use_with curl) \
+ $(use_enable debug timeshift) \
+ $(use_enable eppclient) \
+ $(use_enable signer)
+}
+
+src_compile() {
+ default
+ use doc && emake docs
+}
+
+src_install() {
+ default
+
+ # remove useless .la files
+ find "${ED}" -name '*.la' -delete
+
+ # Remove subversion tags from config files to avoid useless config
updates
+ sed -i \
+ -e '/<!-- \$Id:/ d' \
+ "${ED}"/etc/opendnssec/* || die
+
+ # install update scripts
+ insinto /usr/share/opendnssec
+ use sqlite && doins enforcer/utils/migrate_keyshare_sqlite3.pl
+ use mysql && doins enforcer/utils/migrate_keyshare_mysql.pl
+
+ # fix permissions
+ fowners root:opendnssec /etc/opendnssec
+ fowners root:opendnssec
/etc/opendnssec/{conf,kasp,zonelist,zonefetch}.xml
+ use eppclient && fowners root:opendnssec /etc/opendnssec/eppclientd.conf
+
+ fowners opendnssec:opendnssec
/var/lib/opendnssec/{,signconf,unsigned,signed,tmp}
+
+ # install conf/init script
+ newinitd "${FILESDIR}"/opendnssec.initd-1.3.x opendnssec
+ newconfd "${FILESDIR}"/opendnssec.confd-1.3.x opendnssec
+ use auditor || sed -i 's/^CHECKCONFIG_BIN=.*/CHECKCONFIG_BIN=/'
"${D}"/etc/conf.d/opendnssec
+}
+
+pkg_postinst() {
+ if use softhsm; then
+ elog "Please make sure that you create your softhsm database in
a location writeable"
+ elog "by the opendnssec user. You can set its location in
/etc/softhsm.conf."
+ elog "Suggested configuration is:"
+ elog " echo \"0:/var/lib/opendnssec/softhsm_slot0.db\" >>
/etc/softhsm.conf"
+ elog " softhsm --init-token --slot 0 --label OpenDNSSEC"
+ elog " chown opendnssec:opendnssec
/var/lib/opendnssec/softhsm_slot0.db"
+ fi
+ if use auditor; then
+ ewarn
+ ewarn "Please note that auditor support has been disabled in
this version since it"
+ ewarn "it depends on ruby 1.8 which has been removed from the
portage tree."
+ ewarn "USE=auditor is only provided for this warning but will
not install the"
+ ewarn "auditor anymore."
+ ewarn
+ fi
+}
