From: "Anthony G. Basile" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Anthony G. Basile" Message-ID: <1534983451.33e9f4c81de754bbf76b893ea1133ed023f2a0e5.blueness@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/libcgroup/, dev-libs/libcgroup/files/ X-VCS-Repository: repo/gentoo X-VCS-Files: dev-libs/libcgroup/files/libcgroup-0.41-remove-umask.patch dev-libs/libcgroup/libcgroup-0.41-r5.ebuild X-VCS-Directories: dev-libs/libcgroup/ dev-libs/libcgroup/files/ X-VCS-Committer: blueness X-VCS-Committer-Name: Anthony G. Basile X-VCS-Revision: 33e9f4c81de754bbf76b893ea1133ed023f2a0e5 X-VCS-Branch: master Date: Thu, 23 Aug 2018 00:18:10 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 9993872d-aba2-4b9a-86ce-fb46d3617e42 X-Archives-Hash: 23fad6120fab28d332d379bd9ea5cb47 commit: 33e9f4c81de754bbf76b893ea1133ed023f2a0e5 Author: Anthony G. Basile gentoo org> AuthorDate: Thu Aug 23 00:17:31 2018 +0000 Commit: Anthony G. Basile gentoo org> CommitDate: Thu Aug 23 00:17:31 2018 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33e9f4c8 dev-libs/libcgroup: address CVE-2018-14348, bug #664324 Package-Manager: Portage-2.3.40, Repoman-2.3.9 .../files/libcgroup-0.41-remove-umask.patch | 28 +++++++ dev-libs/libcgroup/libcgroup-0.41-r5.ebuild | 96 ++++++++++++++++++++++ 2 files changed, 124 insertions(+) diff --git a/dev-libs/libcgroup/files/libcgroup-0.41-remove-umask.patch b/dev-libs/libcgroup/files/libcgroup-0.41-remove-umask.patch new file mode 100644 index 00000000000..42286ae8785 --- /dev/null +++ b/dev-libs/libcgroup/files/libcgroup-0.41-remove-umask.patch 
@@ -0,0 +1,28 @@ +commit 0d88b73d189ea3440ccaab00418d6469f76fa590 +Author: Michal Hocko +Date: Wed Jul 18 11:24:29 2018 +0200 + + cgrulesengd: remove umask(0) + + One of our partners has noticed that cgred daemon is creating a log file + (/var/log/cgred) with too wide permissions (0666) and that is seen as + a security bug because an untrusted user can write to otherwise + restricted area. CVE-2018-14348 has been assigned to this issue. + + Signed-off-by: Michal Hocko + Acked-by: Balbir Singh + +diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c +index ea51f11..0d288f3 100644 +--- a/src/daemon/cgrulesengd.c ++++ b/src/daemon/cgrulesengd.c +@@ -889,9 +889,6 @@ int cgre_start_daemon(const char *logp, const int logf, + } else if (pid > 0) { + exit(EXIT_SUCCESS); + } +- +- /* Change the file mode mask. */ +- umask(0); + } else { + flog(LOG_DEBUG, "Not using daemon mode\n"); + pid = getpid(); diff --git a/dev-libs/libcgroup/libcgroup-0.41-r5.ebuild b/dev-libs/libcgroup/libcgroup-0.41-r5.ebuild new file mode 100644 index 00000000000..a17306a01ae --- /dev/null +++ b/dev-libs/libcgroup/libcgroup-0.41-r5.ebuild 
@@ -0,0 +1,96 @@ +# Copyright 1999-2018 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +inherit autotools flag-o-matic linux-info pam + +DESCRIPTION="Tools and libraries to configure and manage kernel control groups" +HOMEPAGE="http://libcg.sourceforge.net/" +SRC_URI="mirror://sourceforge/project/libcg/${PN}/v${PV}/${P}.tar.bz2" + +LICENSE="LGPL-2.1" +SLOT="0" +KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86" +IUSE="+daemon elibc_musl pam static-libs +tools" + +RDEPEND="pam? ( virtual/pam )" + +DEPEND=" + ${RDEPEND} + sys-devel/bison + sys-devel/flex + elibc_musl? ( sys-libs/fts-standalone ) + " +REQUIRED_USE="daemon? ( tools )" + +DOCS=(README_daemon README README_systemd INSTALL) +pkg_setup() { + local CONFIG_CHECK="~CGROUPS" + if use daemon; then + CONFIG_CHECK="${CONFIG_CHECK} ~CONNECTOR ~PROC_EVENTS" + fi + linux-info_pkg_setup +} + +PATCHES=( + "${FILESDIR}"/${P}-replace_DECLS.patch + "${FILESDIR}"/${P}-replace_INLCUDES.patch + "${FILESDIR}"/${P}-reorder-headers.patch + "${FILESDIR}"/${P}-remove-umask.patch +) + +src_prepare() { + default + # Change rules file location + sed -e 's:/etc/cgrules.conf:/etc/cgroup/cgrules.conf:' \ + -i src/libcgroup-internal.h || die "sed failed" + sed -e 's:/etc/cgconfig.conf:/etc/cgroup/cgconfig.conf:' \ + -i src/libcgroup-internal.h || die "sed failed" + sed -e 's:\(pam_cgroup_la_LDFLAGS.*\):\1\ -avoid-version:' \ + -i src/pam/Makefile.am || die "sed failed" + sed -e 's#/var/run#/run#g' -i configure.in || die "sed failed" + + eautoreconf +} + +src_configure() { + local my_conf + + if use pam; then + my_conf=" --enable-pam-module-dir=$(getpam_mod_dir) " + fi + + use elibc_musl && append-ldflags "-lfts" + econf \ + $(use_enable static-libs static) \ + $(use_enable daemon) \ + $(use_enable pam) \ + $(use_enable tools) \ + ${my_conf} +} + +src_test() { + # Use mount cgroup to build directory + # sandbox restricted to trivial build, + # possible kill Diego tanderbox ;) + true +} + 
+src_install() { + default + prune_libtool_files --all + + insinto /etc/cgroup + doins samples/*.conf || die + + if use tools; then + newconfd "${FILESDIR}"/cgconfig.confd-r1 cgconfig || die + newinitd "${FILESDIR}"/cgconfig.initd-r1 cgconfig || die + fi + + if use daemon; then + newconfd "${FILESDIR}"/cgred.confd-r2 cgred || die + newinitd "${FILESDIR}"/cgred.initd-r1 cgred || die + fi +}
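Review bot: with `umask(0)` removed from the daemon-mode branch of cgre_start_daemon(), cgrulesengd no longer sets any file mode mask itself and simply inherits the umask of whatever started it, so the mode of /var/log/cgred (and of any other file the daemon creates) now depends on the init script or shell rather than on the code. A more robust fix would set an explicit restrictive mask in place of the removed call, e.g. `umask(022)` or `umask(077)`, or open the log file with an explicit mode (O_CREAT with 0640) so the permissions do not depend on the caller's environment. The non-daemon path ("Not using daemon mode") never called umask(), so after this change both modes at least behave consistently.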
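Review bot: in src_install(), the `|| die` after `doins samples/*.conf`, `newconfd` and `newinitd` is redundant under EAPI=6, where these helpers already die on failure; dropping it keeps the function consistent with `default` and `prune_libtool_files --all`, which are used without it. The src_test() body of `true` with the comment "possible kill Diego tanderbox" silently disables the test suite; `RESTRICT="test"` plus a one-line reason documents the intent more clearly. Since the remove-umask patch makes cgrulesengd inherit its launcher's umask, it is also worth confirming that the unchanged cgred.initd-r1 installed here starts the daemon with a sane umask, because the mode of the log file now depends on it.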