Browse code

proper fix for apache bcrypt ddos

Hanno Böck authored on 10/01/2017 13:07:29
Showing 6 changed files
1 1
new file mode 100644
... ...
@@ -0,0 +1,6 @@
1
+AUX apr-util-1.5-limit-dos.diff 975 SHA256 32b14b12bc61d854d65911cbffb967acf7c955862739f0b0c61989c9b21ca273 SHA512 ccd0ab356e026d8d5d6d386f96a12b52550739a3ccbd3eb0a3c816c1586d8eb4a93064054157da0bc7d8027ff29f7460424d8c4f539b2c4b1468b996c3693e64 WHIRLPOOL 5428582928bf62989d463a003cbf42c998b7d314babb920a4e61bec01b90b41f5370cf7e49213f7beba33aca9efc6843b02648bb21a7f5f2a59f8fd8a4047daa
2
+AUX apr-util-1.5.3-sysroot.patch 1234 SHA256 752ee44d3e9e39e4cba824556f829776a46e4f5e64d4f359de781d3bfd3a414f SHA512 44ee2a9cf61587f05d43976d40023f6313b310c3eeb37299840445e3faec7f0352367875f515b21d3b1fcdc8c082d8584a21cf8187deb1f6f69187c14f84f0b7 WHIRLPOOL 2017ccccfade6e99a490781100a7ca2ee1901a93b791db78291e3d7850e9916d183084abc6f46b2a80ffb451dfb5f1e999189f9ce6f994b51146563bef52a7af
3
+DIST apr-util-1.5.4.tar.bz2 694427 SHA256 a6cf327189ca0df2fb9d5633d7326c460fe2b61684745fd7963e79a6dd0dc82e SHA512 ca877d8e444218c4ba0f28063ee075ddcd6c0a487b692dc80ef442fe775ec4eeb337c6957853772e8082e27edcb450d7e909c2c6c3ab4a95bbf0a5ee5ea4a2d1 WHIRLPOOL bc4ce82785513f4bf2207bb26758abc79e6bfef62a57d3e2ead570abc618b321c302390b9dcd8eab1ec44a9e5d398c2cc4d35af2549636e20d7c20678725ac2e
4
+EBUILD apr-util-1.5.4-r1.ebuild 3415 SHA256 08900f60c8baec189e90d56142d920611b2c953d460effe48ba05e3a7c14f87b SHA512 3acf7ae85631709b7dd2c7bc705a4bc6a12cc6911208e8b735e4c99dae5091d2113c3cd97b108fb32bcf1fec0e26b88146449b6150a7c288c3cf1787ca2a7ab9 WHIRLPOOL a9966791fc8e9f4c5a9df501a9aa5519d77ea8a06147601f187731d9b369b57aa33ca0a1b68d37fe11bd100b03bf0486244ab4da694fa10f5474551c6a320802
5
+EBUILD apr-util-1.5.4.ebuild 3343 SHA256 be16b2aec6cca0508ab61c60ff59b2dc2999e112397127bb76f0c31d729cbb7b SHA512 9852e950fb70c8b79fee8dbe261e43eab0d977dff0f48785c69fb775dd91e43edb7aa96b3a9bbccdf3a4ed0f4c618dae08fb6439a82d45a086085fc3eb19834a WHIRLPOOL 7a0bab54f3a9cf1435afcf5dd98d7d546987666a11ace8ed5388b6bc6b5ffaebfba1ad0f6c126cf90cfe43a82c88653ab1d20914ca80e95063792b8a399d765e
6
+MISC metadata.xml 515 SHA256 d5226f9f0b532aa0adf1cbc7e4b5333dae3411f0c12e6df483a4036d7150133a SHA512 af8e2bbded13ef475d1577eb4faa27e17a045804f1de3e79c4c3d736871db304872fc65db0d606c243292392fb4ac773711ad9e153369714689138249d469158 WHIRLPOOL 0d9a6906df5f22918414a41f8a0806e502ef38696d9c5fc5c9949c13c988fa57d3acae1c99ef1ca2279ca7ec970044bf3e1c704c460cd397262b1a6e34f0de7b
0 7
new file mode 100644
... ...
@@ -0,0 +1,117 @@
1
+# Copyright 1999-2015 Gentoo Foundation
2
+# Distributed under the terms of the GNU General Public License v2
3
+# $Id$
4
+
5
+EAPI="4"
6
+
7
+# Usually apr-util has the same PV as apr, but in case of security fixes, this may change.
8
+# APR_PV="${PV}"
9
+APR_PV="1.4.6"
10
+
11
+inherit autotools db-use eutils libtool multilib toolchain-funcs
12
+
13
+DESCRIPTION="Apache Portable Runtime Utility Library"
14
+HOMEPAGE="http://apr.apache.org/"
15
+SRC_URI="mirror://apache/apr/${P}.tar.bz2"
16
+
17
+LICENSE="Apache-2.0"
18
+SLOT="1"
19
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
20
+IUSE="berkdb doc freetds gdbm ldap libressl mysql nss odbc openssl postgres sqlite static-libs"
21
+#RESTRICT="test"
22
+
23
+RDEPEND="dev-libs/expat
24
+	>=dev-libs/apr-${APR_PV}:1
25
+	berkdb? ( >=sys-libs/db-4 )
26
+	freetds? ( dev-db/freetds )
27
+	gdbm? ( sys-libs/gdbm )
28
+	ldap? ( =net-nds/openldap-2* )
29
+	mysql? ( =virtual/mysql-5* )
30
+	nss? ( dev-libs/nss )
31
+	odbc? ( dev-db/unixODBC )
32
+	openssl? (
33
+		!libressl? ( dev-libs/openssl:0 )
34
+		libressl? ( dev-libs/libressl )
35
+	)
36
+	postgres? ( dev-db/postgresql )
37
+	sqlite? ( dev-db/sqlite:3 )"
38
+DEPEND="${RDEPEND}
39
+	>=sys-devel/libtool-2.4.2
40
+	doc? ( app-doc/doxygen )"
41
+
42
+DOCS=(CHANGES NOTICE README)
43
+
44
+src_prepare() {
45
+	epatch "${FILESDIR}"/${PN}-1.5.3-sysroot.patch #385775
46
+	epatch "${FILESDIR}"/apr-util-1.5-limit-dos.diff
47
+	eautoreconf
48
+	elibtoolize
49
+}
50
+
51
+src_configure() {
52
+	local myconf=()
53
+
54
+	tc-is-static-only && myconf+=( --disable-util-dso )
55
+
56
+	if use berkdb; then
57
+		local db_version
58
+		db_version="$(db_findver sys-libs/db)" || die "Unable to find Berkeley DB version"
59
+		db_version="$(db_ver_to_slot "${db_version}")"
60
+		db_version="${db_version/\./}"
61
+		myconf+=(
62
+			--with-dbm=db${db_version}
63
+			# We use $T for the libdir because otherwise it'd simply be the normal
64
+			# system libdir.  That's pointless as the compiler will search it for
65
+			# us already.  This makes cross-compiling and such easier.
66
+			--with-berkeley-db="${SYSROOT}$(db_includedir 2>/dev/null):${T}"
67
+		)
68
+	else
69
+		myconf+=( --without-berkeley-db )
70
+	fi
71
+
72
+	if use nss || use openssl ; then
73
+		myconf+=( --with-crypto ) # 518708
74
+	fi
75
+
76
+	econf \
77
+		--datadir="${EPREFIX}"/usr/share/apr-util-1 \
78
+		--with-apr="${SYSROOT}${EPREFIX}"/usr \
79
+		--with-expat="${EPREFIX}"/usr \
80
+		--without-sqlite2 \
81
+		$(use_with freetds) \
82
+		$(use_with gdbm) \
83
+		$(use_with ldap) \
84
+		$(use_with mysql) \
85
+		$(use_with nss) \
86
+		$(use_with odbc) \
87
+		$(use_with openssl) \
88
+		$(use_with postgres pgsql) \
89
+		$(use_with sqlite sqlite3) \
90
+		"${myconf[@]}"
91
+	# Use the current env build settings rather than whatever apr was built with.
92
+	sed -i -r \
93
+		-e "/^(apr_builddir|apr_builders|top_builddir)=/s:=:=${SYSROOT}:" \
94
+		-e "/^CC=/s:=.*:=$(tc-getCC):" \
95
+		-e '/^(C|CPP|CXX|LD)FLAGS=/d' \
96
+		-e '/^LTFLAGS/s:--silent::' \
97
+		build/rules.mk || die
98
+}
99
+
100
+src_compile() {
101
+	emake
102
+	use doc && emake dox
103
+}
104
+
105
+src_install() {
106
+	default
107
+
108
+	find "${ED}" -name "*.la" -delete
109
+	find "${ED}usr/$(get_libdir)/apr-util-${SLOT}" -name "*.a" -delete
110
+	use static-libs || find "${ED}" -name "*.a" -delete
111
+
112
+	use doc && dohtml -r docs/dox/html/*
113
+
114
+	# This file is only used on AIX systems, which Gentoo is not,
115
+	# and causes collisions between the SLOTs, so remove it.
116
+	rm -f "${ED}usr/$(get_libdir)/aprutil.exp"
117
+}
0 118
new file mode 100644
... ...
@@ -0,0 +1,114 @@
1
+# Copyright 1999-2015 Gentoo Foundation
2
+# Distributed under the terms of the GNU General Public License v2
3
+# $Id$
4
+
5
+EAPI="4"
6
+
7
+# Usually apr-util has the same PV as apr, but in case of security fixes, this may change.
8
+# APR_PV="${PV}"
9
+APR_PV="1.4.6"
10
+
11
+inherit autotools db-use eutils libtool multilib toolchain-funcs
12
+
13
+DESCRIPTION="Apache Portable Runtime Utility Library"
14
+HOMEPAGE="http://apr.apache.org/"
15
+SRC_URI="mirror://apache/apr/${P}.tar.bz2"
16
+
17
+LICENSE="Apache-2.0"
18
+SLOT="1"
19
+KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
20
+IUSE="berkdb doc freetds gdbm ldap mysql nss odbc openssl postgres sqlite static-libs"
21
+#RESTRICT="test"
22
+
23
+RDEPEND="dev-libs/expat
24
+	>=dev-libs/apr-${APR_PV}:1
25
+	berkdb? ( >=sys-libs/db-4 )
26
+	freetds? ( dev-db/freetds )
27
+	gdbm? ( sys-libs/gdbm )
28
+	ldap? ( =net-nds/openldap-2* )
29
+	mysql? ( =virtual/mysql-5* )
30
+	nss? ( dev-libs/nss )
31
+	odbc? ( dev-db/unixODBC )
32
+	openssl? ( dev-libs/openssl )
33
+	postgres? ( dev-db/postgresql )
34
+	sqlite? ( dev-db/sqlite:3 )"
35
+DEPEND="${RDEPEND}
36
+	>=sys-devel/libtool-2.4.2
37
+	doc? ( app-doc/doxygen )"
38
+
39
+DOCS=(CHANGES NOTICE README)
40
+
41
+src_prepare() {
42
+	epatch "${FILESDIR}"/${PN}-1.5.3-sysroot.patch #385775
43
+	epatch "${FILESDIR}"/apr-util-1.5-limit-dos.diff
44
+	eautoreconf
45
+	elibtoolize
46
+}
47
+
48
+src_configure() {
49
+	local myconf=()
50
+
51
+	tc-is-static-only && myconf+=( --disable-util-dso )
52
+
53
+	if use berkdb; then
54
+		local db_version
55
+		db_version="$(db_findver sys-libs/db)" || die "Unable to find Berkeley DB version"
56
+		db_version="$(db_ver_to_slot "${db_version}")"
57
+		db_version="${db_version/\./}"
58
+		myconf+=(
59
+			--with-dbm=db${db_version}
60
+			# We use $T for the libdir because otherwise it'd simply be the normal
61
+			# system libdir.  That's pointless as the compiler will search it for
62
+			# us already.  This makes cross-compiling and such easier.
63
+			--with-berkeley-db="${SYSROOT}$(db_includedir 2>/dev/null):${T}"
64
+		)
65
+	else
66
+		myconf+=( --without-berkeley-db )
67
+	fi
68
+
69
+	if use nss || use openssl ; then
70
+		myconf+=( --with-crypto ) # 518708
71
+	fi
72
+
73
+	econf \
74
+		--datadir="${EPREFIX}"/usr/share/apr-util-1 \
75
+		--with-apr="${SYSROOT}${EPREFIX}"/usr \
76
+		--with-expat="${EPREFIX}"/usr \
77
+		--without-sqlite2 \
78
+		$(use_with freetds) \
79
+		$(use_with gdbm) \
80
+		$(use_with ldap) \
81
+		$(use_with mysql) \
82
+		$(use_with nss) \
83
+		$(use_with odbc) \
84
+		$(use_with openssl) \
85
+		$(use_with postgres pgsql) \
86
+		$(use_with sqlite sqlite3) \
87
+		"${myconf[@]}"
88
+	# Use the current env build settings rather than whatever apr was built with.
89
+	sed -i -r \
90
+		-e "/^(apr_builddir|apr_builders|top_builddir)=/s:=:=${SYSROOT}:" \
91
+		-e "/^CC=/s:=.*:=$(tc-getCC):" \
92
+		-e '/^(C|CPP|CXX|LD)FLAGS=/d' \
93
+		-e '/^LTFLAGS/s:--silent::' \
94
+		build/rules.mk || die
95
+}
96
+
97
+src_compile() {
98
+	emake
99
+	use doc && emake dox
100
+}
101
+
102
+src_install() {
103
+	default
104
+
105
+	find "${ED}" -name "*.la" -delete
106
+	find "${ED}usr/$(get_libdir)/apr-util-${SLOT}" -name "*.a" -delete
107
+	use static-libs || find "${ED}" -name "*.a" -delete
108
+
109
+	use doc && dohtml -r docs/dox/html/*
110
+
111
+	# This file is only used on AIX systems, which Gentoo is not,
112
+	# and causes collisions between the SLOTs, so remove it.
113
+	rm -f "${ED}usr/$(get_libdir)/aprutil.exp"
114
+}
0 115
new file mode 100644
... ...
@@ -0,0 +1,23 @@
1
+--- a/crypto/crypt_blowfish.c	2012-07-06 13:41:24.000000000 +0200
2
+@@ -675,9 +675,9 @@
3
+ 	    setting[2] < 'a' || setting[2] > 'z' ||
4
+ 	    !flags_by_subtype[(unsigned int)(unsigned char)setting[2] - 'a'] ||
5
+ 	    setting[3] != '$' ||
6
+-	    setting[4] < '0' || setting[4] > '3' ||
7
++	    setting[4] < '0' || setting[4] > '1' ||
8
+ 	    setting[5] < '0' || setting[5] > '9' ||
9
+-	    (setting[4] == '3' && setting[5] > '1') ||
10
++	    (setting[4] == '1' && setting[5] > '7') ||
11
+ 	    setting[6] != '$') {
12
+ 		__set_errno(EINVAL);
13
+ 		return NULL;
14
+@@ -877,7 +877,7 @@
15
+ 	const char *input, int size, char *output, int output_size)
16
+ {
17
+ 	if (size < 16 || output_size < 7 + 22 + 1 ||
18
+-	    (count && (count < 4 || count > 31)) ||
19
++	    (count && (count < 4 || count > 17)) ||
20
+ 	    prefix[0] != '$' || prefix[1] != '2' ||
21
+ 	    (prefix[2] != 'a' && prefix[2] != 'y')) {
22
+ 		if (output_size > 0) output[0] = '\0';
0 23
new file mode 100644
... ...
@@ -0,0 +1,36 @@
1
+https://bugs.gentoo.org/385775
2
+
3
+utilize $SYSROOT to find the right includedir tree
4
+
5
+drop the -L/-R paths since we know our libdir is the standard path which
6
+the compiler already knows how to locate
7
+
8
+--- a/apu-config.in
9
+@@ -25,7 +25,7 @@ prefix="@prefix@"
10
+ exec_prefix="@exec_prefix@"
11
+ bindir="@bindir@"
12
+ libdir="@libdir@"
13
+-includedir="@includedir@"
14
++includedir="${SYSROOT}@includedir@"
15
+ 
16
+ LIBS="@APRUTIL_EXPORT_LIBS@"
17
+ INCLUDES="@APRUTIL_INCLUDES@"
18
+@@ -166,7 +166,7 @@ while test $# -gt 0; do
19
+     --link-ld)
20
+     if test "$location" = "installed"; then
21
+         ### avoid using -L if libdir is a "standard" location like /usr/lib
22
+-        flags="$flags -L$libdir -l$APRUTIL_LIBNAME"
23
++        flags="$flags -l$APRUTIL_LIBNAME"
24
+     else
25
+         flags="$flags -L$APU_BUILD_DIR -l$APRUTIL_LIBNAME"
26
+     fi
27
+@@ -182,7 +182,7 @@ while test $# -gt 0; do
28
+         ### avoid using -L if libdir is a "standard" location like /usr/lib
29
+         # Since the user is specifying they are linking with libtool, we
30
+         # *know* that -R will be recognized by libtool.
31
+-        flags="$flags -L$libdir -R$libdir -l$APRUTIL_LIBNAME"
32
++        flags="$flags -l$APRUTIL_LIBNAME"
33
+     else
34
+         flags="$flags $LA_FILE"
35
+     fi
0 36
new file mode 100644
... ...
@@ -0,0 +1,14 @@
1
+<?xml version="1.0" encoding="UTF-8"?>
2
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
3
+<pkgmetadata>
4
+	<maintainer type="person">
5
+		<email>polynomial-c@gentoo.org</email>
6
+		<name>Lars Wendler</name>
7
+	</maintainer>
8
+	<use>
9
+		<flag name="libressl">Use <pkg>dev-libs/libressl</pkg> instead of
10
+			<pkg>dev-libs/openssl</pkg> for 'openssl' USE flag</flag>
11
+		<flag name="nss">Install apr_crypto_nss module</flag>
12
+		<flag name="openssl">Install apr_crypto_openssl module</flag>
13
+	</use>
14
+</pkgmetadata>