From 7c64231d37ba906f77ddc02e8f67b6d784e69b1f Mon Sep 17 00:00:00 2001 From: Lars Wendler Date: Tue, 16 Feb 2016 21:57:56 +0100 Subject: sys-auth/libfprint: Security revbump fixing broken udev rule (bug #562218). Package-Manager: portage-2.2.27 Signed-off-by: Lars Wendler --- .../files/libfprint-0.6.0-fix-udev-rules.patch | 23 +++++++++ sys-auth/libfprint/libfprint-0.6.0-r2.ebuild | 60 ++++++++++++++++++++++ 2 files changed, 83 insertions(+) create mode 100644 sys-auth/libfprint/files/libfprint-0.6.0-fix-udev-rules.patch create mode 100644 sys-auth/libfprint/libfprint-0.6.0-r2.ebuild (limited to 'sys-auth') diff --git a/sys-auth/libfprint/files/libfprint-0.6.0-fix-udev-rules.patch b/sys-auth/libfprint/files/libfprint-0.6.0-fix-udev-rules.patch new file mode 100644 index 000000000000..128ac8ce311b --- /dev/null +++ b/sys-auth/libfprint/files/libfprint-0.6.0-fix-udev-rules.patch @@ -0,0 +1,23 @@ +Remove spurious \n to fix udev rule generation + +Steven Newbury : +libfprint generates 60-fprint-autosuspend.rules for all supported devices, +however there's a spurious \n before the ', MODE="0666"' which results in it +appearing on a new line after the match criteria. At least on current +systemd/udev this results in MODE="0666" being applied unconditionally to all +device nodes. This is an extremely serious security problem and effectively +gives root access to all users simply by having the ebuild emerged. + +https://bugs.gentoo.org/562218 + +--- a/libfprint/fprint-list-udev-rules.c ++++ b/libfprint/fprint-list-udev-rules.c +@@ -74,7 +74,7 @@ + if (num_printed == 0) + printf ("# %s\n", driver->full_name); + +- printf ("SUBSYSTEM==\"usb\", ATTRS{idVendor}==\"%04x\", ATTRS{idProduct}==\"%04x\", ATTRS{dev}==\"*\", TEST==\"power/control\", ATTR{power/control}=\"auto\"\n, MODE=\"0666\"\n", driver->id_table[i].vendor, driver->id_table[i].product); ++ printf ("SUBSYSTEM==\"usb\", ATTRS{idVendor}==\"%04x\", ATTRS{idProduct}==\"%04x\", ATTRS{dev}==\"*\", TEST==\"power/control\", ATTR{power/control}=\"auto\", MODE=\"0666\"\n", driver->id_table[i].vendor, driver->id_table[i].product); + printf ("SUBSYSTEM==\"usb\", ATTRS{idVendor}==\"%04x\", ATTRS{idProduct}==\"%04x\", ENV{LIBFPRINT_DRIVER}=\"%s\"\n", driver->id_table[i].vendor, driver->id_table[i].product, driver->full_name); + num_printed++; + } diff --git a/sys-auth/libfprint/libfprint-0.6.0-r2.ebuild b/sys-auth/libfprint/libfprint-0.6.0-r2.ebuild new file mode 100644 index 000000000000..4597a21ead14 --- /dev/null +++ b/sys-auth/libfprint/libfprint-0.6.0-r2.ebuild @@ -0,0 +1,60 @@ +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=6 + +inherit autotools eutils udev vcs-snapshot + +MY_PV="V_${PV//./_}" +DESCRIPTION="library to add support for consumer fingerprint readers" +HOMEPAGE="http://cgit.freedesktop.org/libfprint/libfprint/" +SRC_URI="http://cgit.freedesktop.org/${PN}/${PN}/snapshot/${MY_PV}.tar.bz2 -> ${P}.tar.bz2 + https://dev.gentoo.org/~xmw/${P}_vfs0050.patch.gz" + +LICENSE="LGPL-2.1" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~ia64 ~ppc ~ppc64 ~x86" +IUSE="debug static-libs vanilla" + +RDEPEND="virtual/libusb:1 + dev-libs/glib:2 + dev-libs/nss + x11-libs/pixman" +DEPEND="${RDEPEND} + virtual/pkgconfig" + +PATCHES=( + "${FILESDIR}/${P}-fix-udev-rules.patch" +) + +src_prepare() { + if ! use vanilla ; then + eapply "${WORKDIR}"/${P}_vfs0050.patch + fi + + default + + # upeke2 and fdu2000 were missing from all_drivers. + sed -e '/^all_drivers=/s:"$: upeke2 fdu2000":' \ + -i configure.ac || die + + eautoreconf +} + +src_configure() { + econf \ + --with-drivers=all \ + $(use_enable debug debug-log) \ + $(use_enable static-libs static) \ + -enable-udev-rules \ + --with-udev-rules-dir=$(get_udevdir)/rules.d +} + +src_install() { + default + + prune_libtool_files + + dodoc AUTHORS HACKING NEWS README THANKS TODO +} -- cgit v1.2.3-65-gdbad