From 2b588317631794ae65bd1eb7580c4c1741cdf3da Mon Sep 17 00:00:00 2001 From: Yixun Lan Date: Wed, 3 May 2017 09:40:40 +0800 Subject: app-emulation/xen: security bump Fix XSA-213, 214, 215 Gentoo-Bug: 615980 Package-Manager: Portage-2.3.5, Repoman-2.3.2 --- app-emulation/xen/Manifest | 1 + app-emulation/xen/xen-4.7.2-r1.ebuild | 192 ++++++++++++++++++++++++++++++++++ app-emulation/xen/xen-4.8.1-r1.ebuild | 192 ++++++++++++++++++++++++++++++++++ 3 files changed, 385 insertions(+) create mode 100644 app-emulation/xen/xen-4.7.2-r1.ebuild create mode 100644 app-emulation/xen/xen-4.8.1-r1.ebuild (limited to 'app-emulation') diff --git a/app-emulation/xen/Manifest b/app-emulation/xen/Manifest index 23f14229412e..308b690f4dd8 100644 --- a/app-emulation/xen/Manifest +++ b/app-emulation/xen/Manifest @@ -8,3 +8,4 @@ DIST xen-4.8.1.tar.gz 22516631 SHA256 1d69153b94561429293015f66463ee17c26404d1c0 DIST xen-security-patches-21.tar.xz 6888 SHA256 76e43fb4c41a606cb1a5e56045dedff0ed3c94b535d89a736664965ee4a44699 SHA512 eb889d90630b6a7c4b9785bf8c2db1d83c7878cec3aa125601b38f75f70a965e52aa5003024feec40d35ee940975dfd766eeb806cdcff717991876d50ce0839b WHIRLPOOL 9039cc7410fbb0e36e1ab74d597c7b1075f92e43b9d22bcb198c0594a0802fca50f86a9fa4343cea83a68eacd6acb6fa0ef73fbd20c19a27f5e92c3f32711af8 DIST xen-security-patches-24.tar.xz 8848 SHA256 1aa2be3a15771473d3b043ccd703f7893618473a77193feb1703bf552aa777fa SHA512 d9ccee8ad3ffe2e035de9e95bf7ef850f31cf368dd228e62acf867ff6a8948e8c2882e64f341ff3458349f8317185241a40178f30f804edfa51b2b7cf6c6cda0 WHIRLPOOL cd632b7bf95e929f5037be6a16a59d3fcde50e47cc034cc0d44c29bc16c42a9a01c720a4401804fa9df8fa908f4fc8e75f2fcbef3d56381b7dca81d45618e773 DIST xen-security-patches-25.tar.xz 9208 SHA256 ceaa520d4d98ab7b6ce5b58c380499372cb513dda0c8236106cdf878385d4458 SHA512 18539c1f42bc95a06f7b06855614fafb4ed7c07a145d9ab90e02954ba405d21fc4c379908e3233ddfb85ccaa04515b261ac4bbf3987ce00e4479158f03edd917 WHIRLPOOL 4cff34c29a5c38e6a5bd0d4f4fe89d8daf944740934b05cd61f4b8a345ddb4d8a8b2de6db27a723154169e3f28d5b34a43eddd08c909cfa3d6d5aee26fcae693 +DIST xen-security-patches-26.tar.xz 8276 SHA256 2a21ec429f8952875f7d95f24697600e606326f1a16d5622cee73628cd0401c1 SHA512 f54fc7e720a70258263d29cc482b8269386818ad75792de87b0d0357fdb6af81f2102e5983100db47563435fa28f875a84e8c6d73d44797aadaf0c469d9fb0ec WHIRLPOOL b31667d8415dc1fbcd60160fdbc2fe0ad4de9bd2171fda875f5585b8d7821c4c035b029dbf382abacf4b6be745aeeb708f419fdcabdd86f78ff1c13703802e3f diff --git a/app-emulation/xen/xen-4.7.2-r1.ebuild b/app-emulation/xen/xen-4.7.2-r1.ebuild new file mode 100644 index 000000000000..b209a889e33c --- /dev/null +++ b/app-emulation/xen/xen-4.7.2-r1.ebuild @@ -0,0 +1,192 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=5 + +PYTHON_COMPAT=( python2_7 ) + +inherit eutils multilib mount-boot flag-o-matic python-any-r1 toolchain-funcs + +MY_PV=${PV/_/-} +MY_P=${PN}-${PV/_/-} + +if [[ $PV == *9999 ]]; then + inherit git-r3 + KEYWORDS="amd64" + EGIT_REPO_URI="git://xenbits.xen.org/xen.git" + SRC_URI="" +else + KEYWORDS="~amd64 ~arm -x86" + UPSTREAM_VER=0 + SECURITY_VER=26 + GENTOO_VER= + + [[ -n ${UPSTREAM_VER} ]] && \ + UPSTREAM_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${P}-upstream-patches-${UPSTREAM_VER}.tar.xz" + [[ -n ${SECURITY_VER} ]] && \ + SECURITY_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${PN}-security-patches-${SECURITY_VER}.tar.xz" + [[ -n ${GENTOO_VER} ]] && \ + GENTOO_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${PN}-gentoo-patches-${GENTOO_VER}.tar.xz" + SRC_URI="http://bits.xensource.com/oss-xen/release/${MY_PV}/${MY_P}.tar.gz + ${UPSTREAM_PATCHSET_URI} + ${SECURITY_PATCHSET_URI} + ${GENTOO_PATCHSET_URI}" +fi + +DESCRIPTION="The Xen virtual machine monitor" +HOMEPAGE="http://xen.org/" +LICENSE="GPL-2" +SLOT="0" +IUSE="custom-cflags debug efi flask" + +DEPEND="${PYTHON_DEPS} + efi? ( >=sys-devel/binutils-2.22[multitarget] ) + !efi? ( >=sys-devel/binutils-2.22 )" +RDEPEND="" +PDEPEND="~app-emulation/xen-tools-${PV}" + +# no tests are available for the hypervisor +# prevent the silliness of /usr/lib/debug/usr/lib/debug files +# prevent stripping of the debug info from the /usr/lib/debug/xen-syms +RESTRICT="test splitdebug strip" + +# Approved by QA team in bug #144032 +QA_WX_LOAD="boot/xen-syms-${PV}" + +REQUIRED_USE="arm? ( debug )" + +S="${WORKDIR}/${MY_P}" + +pkg_setup() { + python-any-r1_pkg_setup + if [[ -z ${XEN_TARGET_ARCH} ]]; then + if use amd64; then + export XEN_TARGET_ARCH="x86_64" + elif use arm; then + export XEN_TARGET_ARCH="arm32" + elif use arm64; then + export XEN_TARGET_ARCH="arm64" + else + die "Unsupported architecture!" + fi + fi + + if use flask ; then + export "XSM_ENABLE=y" + export "FLASK_ENABLE=y" + fi +} + +src_prepare() { + # Upstream's patchset + if [[ -n ${UPSTREAM_VER} ]]; then + EPATCH_SUFFIX="patch" \ + EPATCH_FORCE="yes" \ + EPATCH_OPTS="-p1" \ + epatch "${WORKDIR}"/patches-upstream + fi + + # Security patchset + if [[ -n ${SECURITY_VER} ]]; then + einfo "Try to apply Xen Security patch set" + # apply main xen patches + # Two parallel systems, both work side by side + # Over time they may concdense into one. This will suffice for now + EPATCH_SUFFIX="patch" + EPATCH_FORCE="yes" + + source "${WORKDIR}"/patches-security/${PV}.conf + + for i in ${XEN_SECURITY_MAIN}; do + epatch "${WORKDIR}"/patches-security/xen/$i + done + fi + + # Gentoo's patchset + if [[ -n ${GENTOO_VER} ]]; then + EPATCH_SUFFIX="patch" \ + EPATCH_FORCE="yes" \ + epatch "${WORKDIR}"/patches-gentoo + fi + + epatch "${FILESDIR}"/${PN}-4.6-efi.patch + + # Drop .config + sed -e '/-include $(XEN_ROOT)\/.config/d' -i Config.mk || die "Couldn't drop" + + if use efi; then + export EFI_VENDOR="gentoo" + export EFI_MOUNTPOINT="boot" + fi + + # if the user *really* wants to use their own custom-cflags, let them + if use custom-cflags; then + einfo "User wants their own CFLAGS - removing defaults" + # try and remove all the default custom-cflags + find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \ + -e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \ + -i {} \; || die "failed to re-set custom-cflags" + fi + + # remove -Werror for gcc-4.6's sake + find "${S}" -name 'Makefile*' -o -name '*.mk' -o -name 'common.make' | \ + xargs sed -i 's/ *-Werror */ /' + # not strictly necessary to fix this + sed -i 's/, "-Werror"//' "${S}/tools/python/setup.py" || die "failed to re-set setup.py" + + # Bug #575868 converted to a sed statement, typo of one char + sed -e "s:granter’s:granter's:" -i xen/include/public/grant_table.h || die + + epatch_user +} + +src_configure() { + use arm && myopt="${myopt} CONFIG_EARLY_PRINTK=sun7i" + + use debug && myopt="${myopt} debug=y" + + if use custom-cflags; then + filter-flags -fPIE -fstack-protector + replace-flags -O3 -O2 + else + unset CFLAGS + unset LDFLAGS + unset ASFLAGS + fi +} + +src_compile() { + # Send raw LDFLAGS so that --as-needed works + emake V=1 CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" -C xen ${myopt} +} + +src_install() { + local myopt + use debug && myopt="${myopt} debug=y" + + # The 'make install' doesn't 'mkdir -p' the subdirs + if use efi; then + mkdir -p "${D}"${EFI_MOUNTPOINT}/efi/${EFI_VENDOR} || die + fi + + emake LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install + + # make install likes to throw in some extra EFI bits if it built + use efi || rm -rf "${D}/usr/$(get_libdir)/efi" +} + +pkg_postinst() { + elog "Official Xen Guide and the unoffical wiki page:" + elog " https://wiki.gentoo.org/wiki/Xen" + elog " http://en.gentoo-wiki.com/wiki/Xen/" + + use efi && einfo "The efi executable is installed in boot/efi/gentoo" + + elog "You can optionally block the installation of /boot/xen-syms by an entry" + elog "in folder /etc/portage/env using the portage's feature INSTALL_MASK" + elog "e.g. echo ${msg} > /etc/portage/env/xen.conf" +} diff --git a/app-emulation/xen/xen-4.8.1-r1.ebuild b/app-emulation/xen/xen-4.8.1-r1.ebuild new file mode 100644 index 000000000000..777573731be2 --- /dev/null +++ b/app-emulation/xen/xen-4.8.1-r1.ebuild @@ -0,0 +1,192 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=5 + +PYTHON_COMPAT=( python2_7 ) + +inherit eutils multilib mount-boot flag-o-matic python-any-r1 toolchain-funcs + +MY_PV=${PV/_/-} +MY_P=${PN}-${PV/_/-} + +if [[ $PV == *9999 ]]; then + inherit git-r3 + KEYWORDS="" + EGIT_REPO_URI="git://xenbits.xen.org/xen.git" + SRC_URI="" +else + KEYWORDS="~amd64 ~arm -x86" + UPSTREAM_VER= + SECURITY_VER=26 + GENTOO_VER= + + [[ -n ${UPSTREAM_VER} ]] && \ + UPSTREAM_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${P}-upstream-patches-${UPSTREAM_VER}.tar.xz" + [[ -n ${SECURITY_VER} ]] && \ + SECURITY_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${PN}-security-patches-${SECURITY_VER}.tar.xz" + [[ -n ${GENTOO_VER} ]] && \ + GENTOO_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${PN}-gentoo-patches-${GENTOO_VER}.tar.xz" + SRC_URI="http://bits.xensource.com/oss-xen/release/${MY_PV}/${MY_P}.tar.gz + ${UPSTREAM_PATCHSET_URI} + ${SECURITY_PATCHSET_URI} + ${GENTOO_PATCHSET_URI}" +fi + +DESCRIPTION="The Xen virtual machine monitor" +HOMEPAGE="http://xen.org/" +LICENSE="GPL-2" +SLOT="0" +IUSE="custom-cflags debug efi flask" + +DEPEND="${PYTHON_DEPS} + efi? ( >=sys-devel/binutils-2.22[multitarget] ) + !efi? ( >=sys-devel/binutils-2.22 )" +RDEPEND="" +PDEPEND="~app-emulation/xen-tools-${PV}" + +# no tests are available for the hypervisor +# prevent the silliness of /usr/lib/debug/usr/lib/debug files +# prevent stripping of the debug info from the /usr/lib/debug/xen-syms +RESTRICT="test splitdebug strip" + +# Approved by QA team in bug #144032 +QA_WX_LOAD="boot/xen-syms-${PV}" + +REQUIRED_USE="arm? ( debug )" + +S="${WORKDIR}/${MY_P}" + +pkg_setup() { + python-any-r1_pkg_setup + if [[ -z ${XEN_TARGET_ARCH} ]]; then + if use amd64; then + export XEN_TARGET_ARCH="x86_64" + elif use arm; then + export XEN_TARGET_ARCH="arm32" + elif use arm64; then + export XEN_TARGET_ARCH="arm64" + else + die "Unsupported architecture!" + fi + fi + + if use flask ; then + export "XSM_ENABLE=y" + export "FLASK_ENABLE=y" + fi +} + +src_prepare() { + # Upstream's patchset + if [[ -n ${UPSTREAM_VER} ]]; then + EPATCH_SUFFIX="patch" \ + EPATCH_FORCE="yes" \ + EPATCH_OPTS="-p1" \ + epatch "${WORKDIR}"/patches-upstream + fi + + # Security patchset + if [[ -n ${SECURITY_VER} ]]; then + einfo "Try to apply Xen Security patch set" + # apply main xen patches + # Two parallel systems, both work side by side + # Over time they may concdense into one. This will suffice for now + EPATCH_SUFFIX="patch" + EPATCH_FORCE="yes" + + source "${WORKDIR}"/patches-security/${PV}.conf + + for i in ${XEN_SECURITY_MAIN}; do + epatch "${WORKDIR}"/patches-security/xen/$i + done + fi + + # Gentoo's patchset + if [[ -n ${GENTOO_VER} ]]; then + EPATCH_SUFFIX="patch" \ + EPATCH_FORCE="yes" \ + epatch "${WORKDIR}"/patches-gentoo + fi + + epatch "${FILESDIR}"/${PN}-4.6-efi.patch + + # Drop .config + sed -e '/-include $(XEN_ROOT)\/.config/d' -i Config.mk || die "Couldn't drop" + + if use efi; then + export EFI_VENDOR="gentoo" + export EFI_MOUNTPOINT="boot" + fi + + # if the user *really* wants to use their own custom-cflags, let them + if use custom-cflags; then + einfo "User wants their own CFLAGS - removing defaults" + # try and remove all the default custom-cflags + find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \ + -e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \ + -i {} \; || die "failed to re-set custom-cflags" + fi + + # remove -Werror for gcc-4.6's sake + find "${S}" -name 'Makefile*' -o -name '*.mk' -o -name 'common.make' | \ + xargs sed -i 's/ *-Werror */ /' + # not strictly necessary to fix this + sed -i 's/, "-Werror"//' "${S}/tools/python/setup.py" || die "failed to re-set setup.py" + + # Bug #575868 converted to a sed statement, typo of one char + sed -e "s:granter’s:granter's:" -i xen/include/public/grant_table.h || die + + epatch_user +} + +src_configure() { + use arm && myopt="${myopt} CONFIG_EARLY_PRINTK=sun7i" + + use debug && myopt="${myopt} debug=y" + + if use custom-cflags; then + filter-flags -fPIE -fstack-protector + replace-flags -O3 -O2 + else + unset CFLAGS + unset LDFLAGS + unset ASFLAGS + fi +} + +src_compile() { + # Send raw LDFLAGS so that --as-needed works + emake V=1 CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" -C xen ${myopt} +} + +src_install() { + local myopt + use debug && myopt="${myopt} debug=y" + + # The 'make install' doesn't 'mkdir -p' the subdirs + if use efi; then + mkdir -p "${D}"${EFI_MOUNTPOINT}/efi/${EFI_VENDOR} || die + fi + + emake LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install + + # make install likes to throw in some extra EFI bits if it built + use efi || rm -rf "${D}/usr/$(get_libdir)/efi" +} + +pkg_postinst() { + elog "Official Xen Guide and the unoffical wiki page:" + elog " https://wiki.gentoo.org/wiki/Xen" + elog " http://en.gentoo-wiki.com/wiki/Xen/" + + use efi && einfo "The efi executable is installed in boot/efi/gentoo" + + elog "You can optionally block the installation of /boot/xen-syms by an entry" + elog "in folder /etc/portage/env using the portage's feature INSTALL_MASK" + elog "e.g. echo ${msg} > /etc/portage/env/xen.conf" +} -- cgit v1.2.3-65-gdbad