authorMichael Palimaka <kensington@gentoo.org>2018-10-11 23:18:35 +1100
committerMichael Palimaka <kensington@gentoo.org>2018-10-11 23:18:54 +1100
commit73e4184262bdb92c08fe83d2b9cd06f6a12ccb73 (patch)
tree46e03c0a43ad06fbe3fcc3788921578f897f7c1e
parentx11-misc/albert: fix build with Qt 5.11 (diff)
downloadgentoo-73e4184262bdb92c08fe83d2b9cd06f6a12ccb73.tar.gz
gentoo-73e4184262bdb92c08fe83d2b9cd06f6a12ccb73.tar.bz2
gentoo-73e4184262bdb92c08fe83d2b9cd06f6a12ccb73.zip
net-irc/unrealircd: revision bump to resolve CVE-2017-13649
Bug: https://bugs.gentoo.org/628434 Signed-off-by: Michael Palimaka <kensington@gentoo.org> Package-Manager: Portage-2.3.49, Repoman-2.3.11
-rw-r--r--net-irc/unrealircd/files/unrealircd.confd-r332
-rw-r--r--net-irc/unrealircd/files/unrealircd.initd-r238
-rw-r--r--net-irc/unrealircd/unrealircd-4.0.18-r1.ebuild184
3 files changed, 254 insertions, 0 deletions
diff --git a/net-irc/unrealircd/files/unrealircd.confd-r3 b/net-irc/unrealircd/files/unrealircd.confd-r3
new file mode 100644
index 00000000000..66d9878f014
--- /dev/null
+++ b/net-irc/unrealircd/files/unrealircd.confd-r3
@@ -0,0 +1,32 @@
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# Which configuration file to load instead of unrealircd.conf. If you
+# want to run multiple instances of unrealircd, you must edit
+# files::pidfile to match UNREALIRCD_PIDFILE. You should also ensure
+# that files::tunefile is different for each unrealircd instance. See
+# https://www.unrealircd.org/docs/Configuration#Files_block
+#
+# To support multiple instances of unrealircd, you may create symlinks
+# in /etc/init.d pointing to /etc/init.d/unrealircd. It is recommended
+# that the scheme unrealircd.${instance_name} be used. For each
+# instance, you may make a copy of this file with the appropriate name
+# to override default options specific to that instance.
+UNREALIRCD_CONF="/etc/unrealircd/${SVCNAME}.conf"
+
+# The path where unrealircd is configured to create its pidfile.
+UNREALIRCD_PIDFILE="/run/unrealircd/${SVCNAME#unreal}.pid"
+
+# extra options to pass to unrealircd ...
+# You should not specify the -f option here; use
+# UNREALIRCD_CONF instead.
+#
+# [-h servername]
+# [-p portnumber]
+# [-x loglevel]
+# [-t] (to enable debug output)
+UNREALIRCD_OPTS=""
+
+# Extra flags to pass to start-stop-daemon. When initially
+# debugging, removing --quiet may help.
+UNREALIRCD_SSD_OPTS="--quiet"
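Review bot: The comments on `UNREALIRCD_CONF` and `UNREALIRCD_PIDFILE` still describe the daemon writing its own PID file ("you must edit files::pidfile to match UNREALIRCD_PIDFILE", "The path where unrealircd is configured to create its pidfile"). That no longer matches unrealircd.initd-r2 in this same commit, where OpenRC backgrounds the process, the PID file is created as root, and `/run/unrealircd` is forced to root:root 0700. An admin following the old wording may point files::pidfile into that directory and then loosen its permissions to make the daemon start, which would undo the fix. I would reword the second comment to something like `# PID file written by OpenRC as root; keep it in a directory the unrealircd user cannot write to.` and adjust the files::pidfile instruction for multi-instance setups accordingly.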
diff --git a/net-irc/unrealircd/files/unrealircd.initd-r2 b/net-irc/unrealircd/files/unrealircd.initd-r2
new file mode 100644
index 00000000000..7d733a6e185
--- /dev/null
+++ b/net-irc/unrealircd/files/unrealircd.initd-r2
@@ -0,0 +1,38 @@
+#!/sbin/openrc-run
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# Defaults
+: ${UNREALIRCD_CONF:=/etc/unrealircd/${SVCNAME}.conf}
+: ${UNREALIRCD_PIDFILE:=/run/unrealircd/${SVCNAME#unreal}.pid}
+
+command="/usr/bin/unrealircd"
+# Run the daemon in the foreground and let OpenRC background it.
+# This way the PID file is created securely, as root.
+command_args="-F -f ${UNREALIRCD_CONF} ${UNREALIRCD_OPTS}"
+command_user=unrealircd
+command_background=true
+pidfile="${UNREALIRCD_PIDFILE}"
+start_stop_daemon_args="${UNREALIRCD_SSD_OPTS}"
+extra_started_commands="reload"
+
+depend() {
+ use dns net
+ provide ircd
+}
+
+# It is unsafe for the unrealircd user to be able to write to its own
+# PID file, since root will be sending e.g. kill signals to the PID
+# listed in that file. Ensure that we overwrite the ownership and
+# permissions on /run/unrealircd from previous init scripts.
+start_pre() {
+ checkpath --directory --owner root:root --mode 0700 /run/unrealircd
+}
+
+reload() {
+ ebegin "Reloading ${RC_SVCNAME}"
+ start-stop-daemon --signal HUP \
+ --pidfile "${pidfile}" \
+ ${UNREALIRCD_SSD_OPTS}
+ eend $?
+}
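Review bot: `start_pre` hard-codes `/run/unrealircd`, but `pidfile` is taken from `UNREALIRCD_PIDFILE`, which conf.d invites the admin to change. If it is set to a path outside that directory, nothing here checks that the containing directory is root-only, and `reload` will still send HUP as root to whatever PID the file names. At minimum the comment above `start_pre` should state the constraint, e.g. `# UNREALIRCD_PIDFILE must live in a directory writable only by root.`; a stricter option is to refuse to start when `${pidfile%/*}` is not `/run/unrealircd`. Pointing `checkpath` at the derived directory instead is not a safe substitute, since a pidfile placed directly under a shared directory would have that directory's mode rewritten.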
diff --git a/net-irc/unrealircd/unrealircd-4.0.18-r1.ebuild b/net-irc/unrealircd/unrealircd-4.0.18-r1.ebuild
new file mode 100644
index 00000000000..5c496d96d30
--- /dev/null
+++ b/net-irc/unrealircd/unrealircd-4.0.18-r1.ebuild
@@ -0,0 +1,184 @@
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+SSL_CERT_MANDATORY=1
+inherit ssl-cert user versionator
+
+DESCRIPTION="An advanced Internet Relay Chat daemon"
+HOMEPAGE="https://www.unrealircd.org/"
+SRC_URI="https://www.unrealircd.org/${PN}$(get_version_component_range 1)/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~x86 ~x86-fbsd ~amd64-linux"
+IUSE="class-nofakelag curl +extban-stacking +operoverride operoverride-verify +prefixaq
+ showlistmodes shunnotices topicisnuhost +usermod"
+
+RDEPEND="
+ dev-libs/openssl:0=
+ dev-libs/libpcre2
+ dev-libs/tre
+ >=net-dns/c-ares-1.7:=
+ sys-libs/zlib
+ curl? ( net-misc/curl[adns] )
+"
+DEPEND="${RDEPEND}
+ virtual/pkgconfig
+"
+
+DOCS=( doc/{Authors,Donation,RELEASE-NOTES{,.old},tao.of.irc,technical/,translations.txt} )
+
+pkg_pretend() {
+ local v
+ for v in ${REPLACING_VERSIONS}; do
+ version_is_at_least 4 "${v}" && continue
+ ewarn "The configuration file format has changed since ${v}."
+ ewarn "Please be prepared to manually update them and visit:"
+ ewarn "https://www.unrealircd.org/docs/Upgrading_from_3.2.x"
+ break
+ done
+}
+
+pkg_setup() {
+ enewuser unrealircd
+}
+
+src_prepare() {
+ # QA check against bundled pkgs
+ rm -r extras || die
+
+ if use class-nofakelag; then
+ sed -i -e 's:#undef\( FAKELAG_CONFIGURABLE\):#define\1:' include/config.h || die
+ fi
+
+ # By default looks in /etc/unrealircd/ssl/curl-ca-bundle.crt. Fix
+ # that to look for ca-certificates-provided file instead. %s is
+ # CONFDIR. #618066
+ sed -i -e 's:%s/ssl/curl-ca-bundle.crt:%s/../ssl/certs/ca-certificates.crt:' src/s_conf.c || die
+
+ eapply_user
+}
+
+src_configure() {
+ # Default value for privatelibdir adds a build path to -Wl,-rpath.
+ econf \
+ --with-bindir="${EPREFIX}"/usr/bin \
+ --with-cachedir="${EPREFIX}"/var/lib/${PN} \
+ --with-confdir="${EPREFIX}"/etc/${PN} \
+ --with-datadir="${EPREFIX}"/var/lib/${PN} \
+ --with-docdir="${EPREFIX}"/usr/share/doc/${PF} \
+ --with-logdir="${EPREFIX}"/var/log/${PN} \
+ --with-modulesdir="${EPREFIX}"/usr/"$(get_libdir)"/${PN}/modules \
+ --without-privatelibdir \
+ --with-pidfile="${EPREFIX}"/run/${PN}/ircd.pid \
+ --with-tmpdir="${EPREFIX}"/var/lib/${PN}/tmp \
+ --with-nick-history=2000 \
+ --with-sendq=3000000 \
+ --with-permissions=0640 \
+ --with-fd-setsize=1024 \
+ --with-system-cares \
+ --with-system-pcre2 \
+ --with-system-tre \
+ --enable-dynamic-linking \
+ --enable-ssl="${EPREFIX}"/usr \
+ $(use_enable curl libcurl "${EPREFIX}"/usr) \
+ $(use_enable prefixaq) \
+ $(use_with showlistmodes) \
+ $(use_with topicisnuhost) \
+ $(use_with shunnotices) \
+ $(use_with !operoverride no-operoverride) \
+ $(use_with operoverride-verify) \
+ $(use_with !usermod disableusermod) \
+ $(use_with !extban-stacking disable-extendedban-stacking)
+}
+
+src_install() {
+ keepdir /var/log/${PN}
+ keepdir /var/lib/${PN}/tmp
+
+ newbin src/ircd ${PN}
+
+ (
+ cd src/modules || die
+ for subdir in $(find . -type d -print); do
+ if [[ -n $(shopt -s nullglob; echo ${subdir}/*.so) ]]; then
+ exeinto /usr/$(get_libdir)/${PN}/modules/"${subdir}"
+ doexe "${subdir}"/*.so
+ fi
+ done
+ )
+
+ insinto /etc/${PN}
+ # Purposefully omitting the examples/ and ssl/ subdirectories. ssl
+ # is redundant with app-misc/ca-certificates and examples will all
+ # be in docs anyway.
+ doins -r doc/conf/{aliases,help}
+ doins doc/conf/*.conf
+ newins doc/conf/examples/example.conf ${PN}.conf
+ keepdir /etc/${PN}/ssl
+
+ einstalldocs
+
+ newinitd "${FILESDIR}"/${PN}.initd-r2 ${PN}
+ newconfd "${FILESDIR}"/${PN}.confd-r3 ${PN}
+
+ # config should be read-only
+ fperms -R 0640 /etc/${PN}
+ fperms 0750 /etc/${PN}{,/aliases,/help}
+ fperms 0750 /etc/${PN}/ssl
+ # state is editable but not owned by unrealircd directly
+ fperms 0770 /var/log/${PN}
+ fperms 0770 /var/lib/${PN}{,/tmp}
+ fowners -R root:unrealircd /{etc,var/{lib,log}}/${PN}
+}
+
+pkg_postinst() {
+ # Move docert call from src_install() to install_cert in pkg_postinst for
+ # bug #201682
+ if [[ ! -f "${EROOT}"etc/${PN}/ssl/server.cert.key ]]; then
+ if [[ -f "${EROOT}"etc/${PN}/server.cert.key ]]; then
+ ewarn "The location ${PN} looks for SSL certificates has changed"
+ ewarn "from ${EROOT}etc/${PN} to ${EROOT}etc/${PN}/ssl."
+ ewarn "Please move your existing certificates."
+ else
+ (
+ umask 0037
+ install_cert /etc/${PN}/ssl/server.cert
+ chown unrealircd "${EROOT}"etc/${PN}/ssl/server.cert.*
+ ln -snf server.cert.key "${EROOT}"etc/${PN}/ssl/server.key.pem
+ )
+ fi
+ fi
+
+ local unrealircd_conf="${EROOT}"etc/${PN}/${PN}.conf
+ # Fix up the default cloak keys.
+ if grep -qe '"and another one";$' "${unrealircd_conf}" && grep -qe '"aoAr1HnR6gl3sJ7hVz4Zb7x4YwpW";$' "${unrealircd_conf}"; then
+ ebegin "Generating cloak-keys"
+ local keys=(
+ $(su ${PN} -s /bin/sh -c "${PN} -k 2>&1 | tail -n 3")
+ )
+ [[ -n ${keys[0]} || -n ${keys[1]} || -n ${keys[2]} ]]
+ eend $?
+
+ ebegin "Substituting cloak-keys into ${unrealircd_conf}"
+ sed -i \
+ -e '/cloak-keys/ {
+n
+s/"aoAr1HnR6gl3sJ7hVz4Zb7x4YwpW";/"'"${keys[0]}"'";/
+n
+s/"and another one";/"'"${keys[1]}"'";/
+n
+s/"and another one";/"'"${keys[2]}"'";/
+}' \
+ "${unrealircd_conf}"
+ eend $?
+ fi
+
+ elog "UnrealIRCd will not run until you've set up /etc/unrealircd/unrealircd.conf"
+ elog
+ elog "You can also configure ${PN} start at boot with rc-update(1)."
+ elog "It is recommended to run unrealircd as an unprivileged user."
+ elog "The provided init.d script does this for you."
+}
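Review bot: In `pkg_postinst` the cloak-key check `[[ -n ${keys[0]} || -n ${keys[1]} || -n ${keys[2]} ]]` passes as soon as one element is non-empty, and its result only feeds `eend $?`; the `sed` substitution below runs regardless. Because the array is filled by word-splitting the output of `${PN} -k 2>&1 | tail -n 3`, a failed `su` or an error message would, as far as I can tell from the hunk, end up written into unrealircd.conf as cloak keys (or leave them empty) in place of the known defaults, without the admin being told. The check should require all three, `[[ -n ${keys[0]} && -n ${keys[1]} && -n ${keys[2]} ]]`, and the substitution should be wrapped in an `if` on that result, with an `ewarn` asking the admin to generate the keys by hand when it fails.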