authorRomain Perier <mrpouet@gentoo.org>2009-11-06 19:53:16 +0000
committerRomain Perier <mrpouet@gentoo.org>2009-11-06 19:53:16 +0000
commit5bd6ffaab87aad024f6d1b6ffe03a316086fa843 (patch)
tree4f93c96867720df28008d4eafc593d683408ae7b /dev-libs
parentMask icm and icm-browser (diff)
Fix bug #286102, symlink permission error (CVE-2009-3289), new revision.
(Portage version: 2.2_rc48/cvs/Linux x86_64)
Diffstat (limited to 'dev-libs')
-rw-r--r--dev-libs/glib/ChangeLog9
-rw-r--r--dev-libs/glib/files/glib2-CVE-2009-3289.patch103
-rw-r--r--dev-libs/glib/glib-2.20.5-r1.ebuild97
3 files changed, 208 insertions, 1 deletions
diff --git a/dev-libs/glib/ChangeLog b/dev-libs/glib/ChangeLog
index b228a486b4ba..ea4cbefc8ca0 100644
--- a/dev-libs/glib/ChangeLog
+++ b/dev-libs/glib/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for dev-libs/glib
# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-libs/glib/ChangeLog,v 1.384 2009/11/02 00:12:23 eva Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/glib/ChangeLog,v 1.385 2009/11/06 19:53:15 mrpouet Exp $
+
+*glib-2.20.5-r1 (06 Nov 2009)
+
+ 06 Nov 2009; Romain Perier <mrpouet@gentoo.org>
+ +glib-2.20.5-r1.ebuild,
+ +files/glib2-CVE-2009-3289.patch:
+ Fix bug #286102, symlink permission error (CVE-2009-3289), new revision.
02 Nov 2009; Gilles Dartiguelongue <eva@gentoo.org> glib-2.22.2.ebuild:
Remove virtual/libc again.
diff --git a/dev-libs/glib/files/glib2-CVE-2009-3289.patch b/dev-libs/glib/files/glib2-CVE-2009-3289.patch
new file mode 100644
index 000000000000..4adf30961d99
--- /dev/null
+++ b/dev-libs/glib/files/glib2-CVE-2009-3289.patch
@@ -0,0 +1,103 @@
+Patch for bug 286102 from upstream git. It includes the following 5 commits:
+
+commit 3826963e65d8c4c68bcd3e4066505f63ef734b95
+Author: Benjamin Otte <otte@gnome.org>
+Date: Tue Sep 1 21:53:35 2009 +0200
+
+commit 48e0af0157f52ac12b904bd92540432a18b139c7
+Author: Benjamin Otte <otte@gnome.org>
+Date: Tue Sep 1 21:26:08 2009 +0200
+
+commit bb7852e34b1845e516290e1b45a960a345ee8a43
+Author: Benjamin Otte <otte@gnome.org>
+Date: Tue Sep 1 20:36:31 2009 +0200
+
+commit fc44bf40a4eff8e122b223e97ee5efcbc548be03
+Author: Benjamin Otte <otte@gnome.org>
+Date: Tue Sep 1 12:48:55 2009 +0200
+
+commit e695c0932f5d02f3b222f0b7a3de1f8c00ba7b81
+Author: Benjamin Otte <otte@gnome.org>
+Date: Tue Sep 1 11:54:48 2009 +0200
+
+Patch generated by a3li@gentoo.org,
+CVE available for 2.20.5 only (see timeline).
+
+diff --git a/configure.in b/configure.in
+index 7bda924..e2a33b5 100644
+--- a/configure.in
++++ b/configure.in
+@@ -952,7 +952,7 @@ AC_MSG_RESULT(unsigned $glib_size_type)
+
+ # Check for some functions
+ AC_CHECK_FUNCS(lstat strerror strsignal memmove vsnprintf stpcpy strcasecmp strncasecmp poll getcwd vasprintf setenv unsetenv getc_unlocked readlink symlink fdwalk)
+-AC_CHECK_FUNCS(chown lchown fchmod fchown link statvfs statfs utimes getgrgid getpwuid)
++AC_CHECK_FUNCS(chown lchmod lchown fchmod fchown link statvfs statfs utimes getgrgid getpwuid)
+ AC_CHECK_FUNCS(getmntent_r setmntent endmntent hasmntopt getmntinfo)
+ # Check for high-resolution sleep functions
+ AC_CHECK_FUNCS(nanosleep nsleep)
+diff --git a/gio/glocalfileinfo.c b/gio/glocalfileinfo.c
+index 72a59b5..a61cc55 100644
+--- a/gio/glocalfileinfo.c
++++ b/gio/glocalfileinfo.c
+@@ -1869,15 +1869,40 @@ get_string (const GFileAttributeValue *value,
+
+ static gboolean
+ set_unix_mode (char *filename,
++ GFileQueryInfoFlags flags,
+ const GFileAttributeValue *value,
+ GError **error)
+ {
+ guint32 val;
++ int res = 0;
+
+ if (!get_uint32 (value, &val, error))
+ return FALSE;
+-
+- if (g_chmod (filename, val) == -1)
++
++#ifdef HAVE_SYMLINK
++ if (flags & G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS) {
++#ifdef HAVE_LCHMOD
++ res = lchmod (filename, val);
++#else
++ struct stat statbuf;
++ /* Calling chmod on a symlink changes permissions on the symlink.
++ * We don't want to do this, so we need to check for a symlink */
++ res = g_lstat (filename, &statbuf);
++ if (res == 0 && S_ISLNK (statbuf.st_mode))
++ {
++ g_set_error_literal (error, G_IO_ERROR,
++ G_IO_ERROR_NOT_SUPPORTED,
++ _("Cannot set permissions on symlinks"));
++ return FALSE;
++ }
++ else if (res == 0)
++ res = g_chmod (filename, val);
++#endif
++ } else
++#endif
++ res = g_chmod (filename, val);
++
++ if (res == -1)
+ {
+ int errsv = errno;
+
+@@ -2172,7 +2197,7 @@ _g_local_file_info_set_attribute (char *filename,
+ _g_file_attribute_value_set_from_pointer (&value, type, value_p, FALSE);
+
+ if (strcmp (attribute, G_FILE_ATTRIBUTE_UNIX_MODE) == 0)
+- return set_unix_mode (filename, &value, error);
++ return set_unix_mode (filename, flags, &value, error);
+
+ #ifdef HAVE_CHOWN
+ else if (strcmp (attribute, G_FILE_ATTRIBUTE_UNIX_UID) == 0)
+@@ -2316,7 +2341,7 @@ _g_local_file_info_set_attributes (char *filename,
+ value = _g_file_info_get_attribute_value (info, G_FILE_ATTRIBUTE_UNIX_MODE);
+ if (value)
+ {
+- if (!set_unix_mode (filename, value, error))
++ if (!set_unix_mode (filename, flags, value, error))
+ {
+ value->status = G_FILE_ATTRIBUTE_STATUS_ERROR_SETTING;
+ res = FALSE;
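Review bot: In the `#else` branch of `set_unix_mode` (built when `HAVE_LCHMOD` is undefined), the `g_lstat` check and the `g_chmod` that follows are two separate path lookups, so the name can still be replaced by a symlink between them and `g_chmod` will then follow it. On such builds the patch narrows the window behind CVE-2009-3289 rather than closing it. Which branch a given target compiles depends on the new `lchmod` configure check, whose result is not visible here, so it is worth confirming per platform. The comment in that branch also reads backwards, since chmod acts on the link target; I would word it as `/* chmod() follows symlinks and would change the target, so refuse symlinks here; the lstat/chmod pair is not atomic. */`. The body of `set_unix_mode` continues past the end of the embedded hunk.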
diff --git a/dev-libs/glib/glib-2.20.5-r1.ebuild b/dev-libs/glib/glib-2.20.5-r1.ebuild
new file mode 100644
index 000000000000..93e8d9b8ebd9
--- /dev/null
+++ b/dev-libs/glib/glib-2.20.5-r1.ebuild
@@ -0,0 +1,97 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/glib/glib-2.20.5-r1.ebuild,v 1.1 2009/11/06 19:53:15 mrpouet Exp $
+
+EAPI="2"
+
+inherit gnome.org libtool eutils flag-o-matic autotools
+
+DESCRIPTION="The GLib library of C routines"
+HOMEPAGE="http://www.gtk.org/"
+
+LICENSE="LGPL-2"
+SLOT="2"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
+IUSE="debug doc fam hardened selinux xattr"
+
+RDEPEND="virtual/libiconv
+ xattr? ( sys-apps/attr )
+ fam? ( virtual/fam )"
+DEPEND="${RDEPEND}
+ >=dev-util/pkgconfig-0.16
+ >=sys-devel/gettext-0.11
+ doc? (
+ >=dev-libs/libxslt-1.0
+ >=dev-util/gtk-doc-1.11
+ ~app-text/docbook-xml-dtd-4.1.2 )"
+
+src_prepare() {
+ if use ppc64 && use hardened ; then
+ replace-flags -O[2-3] -O1
+ epatch "${FILESDIR}/glib-2.6.3-testglib-ssp.patch"
+ fi
+
+ if use ia64 ; then
+ # Only apply for < 4.1
+ local major=$(gcc-major-version)
+ local minor=$(gcc-minor-version)
+ if (( major < 4 || ( major == 4 && minor == 0 ) )); then
+ epatch "${FILESDIR}/glib-2.10.3-ia64-atomic-ops.patch"
+ fi
+ fi
+
+ # Don't fail gio tests when ran without userpriv, upstream bug 552912
+ # This is only a temporary workaround, remove as soon as possible
+ epatch "${FILESDIR}/${PN}-2.18.1-workaround-gio-test-failure-without-userpriv.patch"
+
+ # Fix gmodule issues on fbsd; bug #184301
+ epatch "${FILESDIR}"/${PN}-2.12.12-fbsd.patch
+
+ # Fix bug 286102, symlink permission error (CVE-2009-3289)
+ epatch "${FILESDIR}"/${PN}2-CVE-2009-3289.patch
+
+ eautoreconf
+
+ [[ ${CHOST} == *-freebsd* ]] && elibtoolize
+}
+
+src_configure() {
+ local myconf
+
+ epunt_cxx
+
+ # Building with --disable-debug highly unrecommended. It will build glib in
+ # an unusable form as it disables some commonly used API. Please do not
+ # convert this to the use_enable form, as it results in a broken build.
+ # -- compnerd (3/27/06)
+ use debug && myconf="--enable-debug"
+
+ # Always build static libs, see #153807
+ # Always use internal libpcre, bug #254659
+ econf ${myconf} \
+ $(use_enable xattr) \
+ $(use_enable doc man) \
+ $(use_enable doc gtk-doc) \
+ $(use_enable fam) \
+ $(use_enable selinux) \
+ --enable-static \
+ --enable-regex \
+ --with-pcre=internal \
+ --with-threads=posix
+}
+
+src_install() {
+ emake DESTDIR="${D}" install || die "Installation failed"
+
+ # Do not install charset.alias even if generated, leave it to libiconv
+ rm -f "${D}/usr/lib/charset.alias"
+
+ dodoc AUTHORS ChangeLog* NEWS* README || die "dodoc failed"
+}
+
+src_test() {
+ unset DBUS_SESSION_BUS_ADDRESS
+ export XDG_CONFIG_DIRS=/etc/xdg
+ export XDG_DATA_DIRS=/usr/local/share:/usr/share
+ emake check || die "tests failed"
+}
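Review bot: `gcc-major-version` and `gcc-minor-version` in the ia64 branch of `src_prepare` are provided by toolchain-funcs.eclass, which is not on the `inherit` line; the ebuild presumably picks it up indirectly through one of the listed eclasses. Naming it explicitly, `inherit gnome.org libtool eutils flag-o-matic autotools toolchain-funcs`, keeps the version check working if that indirect inherit is ever dropped. This matters more than usual here because the revision exists to carry a security patch and a broken `src_prepare` on one arch would delay it.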