From: "Michał Górny"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Michał Górny"
Message-ID: <1554484425.e0e0415382f55c1c392facd407a21555b6b55c8c.mgorny@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/aria2/files/, net-misc/aria2/
X-VCS-Repository: repo/gentoo
X-VCS-Files: net-misc/aria2/aria2-1.34.0-r1.ebuild net-misc/aria2/files/aria2-1.34.0-mask-headers.patch
X-VCS-Directories: net-misc/aria2/ net-misc/aria2/files/
X-VCS-Committer: mgorny
X-VCS-Committer-Name: Michał Górny
X-VCS-Revision: e0e0415382f55c1c392facd407a21555b6b55c8c
X-VCS-Branch: master
Date: Fri, 5 Apr 2019 17:13:55 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 5a1b1380-f7d7-4974-8680-1301a73a61c7
X-Archives-Hash: 2264e924521b845fe048d1588abc5a00

commit:     e0e0415382f55c1c392facd407a21555b6b55c8c
Author:     Michał Górny gentoo org>
AuthorDate: Fri Apr  5 17:13:34 2019 +0000
Commit:     Michał Górny gentoo org>
CommitDate: Fri Apr  5 17:13:45 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0e04153

net-misc/aria2: Backport the fix for CVE-2019-3500

Backport fix for potential password leakage in logs (CVE-2019-3500).
Ideally this would be a fresh snapshot but autoreconf fails on aria2
git.

Bug: https://bugs.gentoo.org/674622
Signed-off-by: Michał Górny gentoo.org>

 net-misc/aria2/aria2-1.34.0-r1.ebuild           | 155 +++++++++++++++++++++
 .../aria2/files/aria2-1.34.0-mask-headers.patch |  46 ++++++
 2 files changed, 201 insertions(+)

diff --git a/net-misc/aria2/aria2-1.34.0-r1.ebuild b/net-misc/aria2/aria2-1.34.0-r1.ebuild
new file mode 100644
index 00000000000..1522945364e
--- /dev/null
+++ b/net-misc/aria2/aria2-1.34.0-r1.ebuild
@@ -0,0 +1,155 @@ +# Copyright 1999-2018 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI="6" + +inherit bash-completion-r1 + +DESCRIPTION="A download utility with segmented downloading with BitTorrent support" +HOMEPAGE="https://aria2.github.io/" +SRC_URI="https://github.com/aria2/${PN}/releases/download/release-${PV}/${P}.tar.xz" + +LICENSE="GPL-2" +KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~sparc ~x86 ~amd64-linux ~x86-linux" +SLOT="0" +IUSE="adns bittorrent +gnutls jemalloc libuv +libxml2 metalink +nettle nls sqlite scripts ssh ssl tcmalloc test xmlrpc" + +CDEPEND="sys-libs/zlib:0= + ssl? ( + app-misc/ca-certificates + gnutls? ( >=net-libs/gnutls-1.2.9:0= ) + !gnutls? ( dev-libs/openssl:0= ) ) + adns? ( >=net-dns/c-ares-1.5.0:0= ) + bittorrent? ( + ssl? ( + gnutls? ( + nettle? ( >=dev-libs/nettle-2.4:0=[gmp] >=dev-libs/gmp-6:0= ) + !nettle? ( >=dev-libs/libgcrypt-1.2.2:0= ) ) ) + !ssl? ( + nettle? ( >=dev-libs/nettle-2.4:0=[gmp] >=dev-libs/gmp-6:0= ) + !nettle? ( >=dev-libs/libgcrypt-1.2.2:0= ) ) ) + jemalloc? ( dev-libs/jemalloc ) + libuv? ( >=dev-libs/libuv-1.13:0= ) + metalink? ( + libxml2? ( >=dev-libs/libxml2-2.6.26:2= ) + !libxml2? ( dev-libs/expat:0= ) ) + sqlite? ( dev-db/sqlite:3= ) + ssh? ( net-libs/libssh2:= ) + tcmalloc? ( dev-util/google-perftools ) + xmlrpc? ( + libxml2? ( >=dev-libs/libxml2-2.6.26:2= ) + !libxml2? ( dev-libs/expat:0= ) )" + +DEPEND="${CDEPEND} + app-arch/xz-utils + virtual/pkgconfig + nls? ( sys-devel/gettext ) + test? ( >=dev-util/cppunit-1.12.0:0 )" +RDEPEND="${CDEPEND} + nls? ( virtual/libiconv virtual/libintl ) + scripts? ( dev-lang/ruby )" + +# xmlrpc has no explicit switch, it's turned out by any XML library +# so metalink implicitly forces it on +REQUIRED_USE="?? ( jemalloc tcmalloc ) + metalink? ( xmlrpc )" +RESTRICT="!test? ( test )" + +pkg_setup() { + if use scripts && ! 
use xmlrpc; then + ewarn "Please note that you may need to enable USE=xmlrpc to run the aria2rpc" + ewarn "and aria2mon scripts against the local aria2." + fi +} + +src_prepare() { + eapply "${FILESDIR}"/${P}-make_unique.patch + # https://bugs.gentoo.org/674622 (CVE-2019-3500) + eapply "${FILESDIR}"/${P}-mask-headers.patch + default + sed -i -e "s|/tmp|${T}|" test/*.cc test/*.txt || die "sed failed" +} + +src_configure() { + local myconf=( + # threads, epoll: check for best portability + + # do not try to compile and run a test LIBXML program + --disable-xmltest + # enable the shared library + --enable-libaria2 + # zlib should always be available anyway + --with-libz + --with-ca-bundle="${EPREFIX}/etc/ssl/certs/ca-certificates.crt" + + # optional features + $(use_enable bittorrent) + $(use_enable metalink) + $(use_enable nls) + $(use_with adns libcares) + $(use_with jemalloc) + $(use_with libuv) + $(use_with sqlite sqlite3) + $(use_with ssh libssh2) + $(use_with tcmalloc) + ) + + # SSL := gnutls / openssl + # USE=ssl + # + USE=gnutls -> gnutls + # + USE=-gnutls -> openssl + + if use ssl; then + myconf+=( $(use_with gnutls) $(use_with !gnutls openssl) ) + else + myconf+=( --without-gnutls --without-openssl ) + fi + + # message-digest := nettle / gcrypt / openssl + # bignum := nettle+gmp / gcrypt / openssl + # bittorrent := message-digest + bignum + # USE=bittorrent + # + USE=(ssl -gnutls) -> openssl + # + USE=nettle -> nettle+gmp + # + USE=-nettle -> gcrypt + + if use !bittorrent || use ssl && use !gnutls; then + myconf+=( --without-libgcrypt --without-libnettle --without-libgmp ) + else + myconf+=( $(use_with !nettle libgcrypt) + $(use_with nettle libnettle) $(use_with nettle libgmp) ) + fi + + # metalink+xmlrpc := libxml2 / expat + # USE=(metalink || xmlrpc) + # + USE=libxml2 -> libxml2 + # + USE=-libxml2 -> expat + + if use metalink || use xmlrpc; then + myconf+=( $(use_with !libxml2 libexpat) $(use_with libxml2) ) + else + myconf+=( --without-libexpat 
--without-libxml2 ) + fi + + # Note: + # - always enable gzip/http compression since zlib should always be available anyway + # - always enable epoll since we can assume kernel 2.6.x + # - other options for threads: solaris, pth, win32 + econf "${myconf[@]}" +} + +src_install() { + default + rm -rf "${D}"/usr/share/doc/aria2 \ + "${D}"/usr/share/doc/${PF}/README{,.html} + + dobashcomp doc/bash_completion/aria2c + use scripts && dobin doc/xmlrpc/aria2{mon,rpc} +} + +pkg_postinst() { + if use xmlrpc; then + elog "If you would like to use the additional aria2mon and aria2rpc tools," + elog "you need to have \033[1mdev-lang/ruby\033[0m installed." + fi +} diff --git a/net-misc/aria2/files/aria2-1.34.0-mask-headers.patch b/net-misc/aria2/files/aria2-1.34.0-mask-headers.patch new file mode 100644 index 00000000000..694681d8885 --- /dev/null +++ b/net-misc/aria2/files/aria2-1.34.0-mask-headers.patch 
@@ -0,0 +1,46 @@ +From 37368130ca7de5491a75fd18a20c5c5cc641824a Mon Sep 17 00:00:00 2001 +From: Tatsuhiro Tsujikawa +Date: Sat, 5 Jan 2019 09:32:40 +0900 +Subject: [PATCH] Mask headers + +--- + src/HttpConnection.cc | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/src/HttpConnection.cc b/src/HttpConnection.cc +index 77cb9d27a..be5b97723 100644 +--- a/src/HttpConnection.cc ++++ b/src/HttpConnection.cc +@@ -102,11 +102,17 @@ std::string HttpConnection::eraseConfidentialInfo(const std::string& request) + std::string result; + std::string line; + while (getline(istr, line)) { +- if (util::startsWith(line, "Authorization: Basic")) { +- result += "Authorization: Basic ********\n"; ++ if (util::istartsWith(line, "Authorization: ")) { ++ result += "Authorization: \n"; + } +- else if (util::startsWith(line, "Proxy-Authorization: Basic")) { +- result += "Proxy-Authorization: Basic ********\n"; ++ else if (util::istartsWith(line, "Proxy-Authorization: ")) { ++ result += "Proxy-Authorization: \n"; ++ } ++ else if (util::istartsWith(line, "Cookie: ")) { ++ result += "Cookie: \n"; ++ } ++ else if (util::istartsWith(line, "Set-Cookie: ")) { ++ result += "Set-Cookie: \n"; + } + else { + result += line; +@@ -154,8 +160,8 @@ std::unique_ptr HttpConnection::receiveResponse() + const auto& proc = outstandingHttpRequests_.front()->getHttpHeaderProcessor(); + if (proc->parse(socketRecvBuffer_->getBuffer(), + socketRecvBuffer_->getBufferLength())) { +- A2_LOG_INFO( +- fmt(MSG_RECEIVE_RESPONSE, cuid_, proc->getHeaderString().c_str())); ++ A2_LOG_INFO(fmt(MSG_RECEIVE_RESPONSE, cuid_, ++ eraseConfidentialInfo(proc->getHeaderString()).c_str())); + auto result = proc->getResult(); + if (result->getStatusCode() / 100 == 1) { + socketRecvBuffer_->drain(proc->getLastBytesProcessed());
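Review bot: in the ebuild hunk, the test `if use !bittorrent || use ssl && use !gnutls; then` in src_configure does not implement the rule written in the comment just above it (`USE=bittorrent` + `USE=(ssl -gnutls)` -> openssl). In bash `||` and `&&` have equal precedence and associate left, so the line is evaluated as `(use !bittorrent || use ssl) && use !gnutls`; with USE="-bittorrent gnutls" the `&&` fails and the else branch hands `--with-libnettle`/`--with-libgmp` or `--with-libgcrypt` to configure even though CDEPEND only requires nettle or libgcrypt under `bittorrent?`. Suggest grouping explicitly: `if use !bittorrent || { use ssl && use !gnutls; }; then`. Since the -r1 ebuild is otherwise a copy of the existing revision plus the `eapply "${FILESDIR}"/${P}-mask-headers.patch` line, this can go in a follow-up together with refreshing the `# Copyright 1999-2018 Gentoo Foundation` header, which still says 2018 on a file added in 2019.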
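Review bot: in the mask-headers patch, eraseConfidentialInfo matches each header name followed by exactly one space (`"Authorization: "`, `"Proxy-Authorization: "`, `"Cookie: "`, `"Set-Cookie: "`). That is adequate for the request side, where aria2 formats its own headers, but the second hunk now routes server-supplied response headers through the same function, and a server is allowed to send zero or more whitespace characters after the colon. A `Set-Cookie:value` line with no space would miss every branch, reach the `else`, and be logged unmasked. Suggest matching on the name up to and including the colon (for example `util::istartsWith(line, "Set-Cookie:")`) or skipping leading whitespace of the value before the comparison. Separately, the replaced Basic-only branches wrote a visible `********` placeholder while the new lines emit an empty value (`result += "Authorization: \n"`); keeping a placeholder lets someone reading the log tell a masked header apart from an empty one.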