authorLars Wendler <polynomial-c@gentoo.org>2016-02-16 21:57:56 +0100
committerLars Wendler <polynomial-c@gentoo.org>2016-02-16 21:57:56 +0100
commit7c64231d37ba906f77ddc02e8f67b6d784e69b1f (patch)
treedc3c58e3127ec24b5bbddd99e49eb894c5e2e465 /sys-auth
parentdev-python/rsa: mark 3.2.2-r1 arm stable #570990 (diff)
sys-auth/libfprint: Security revbump fixing broken udev rule (bug #562218).
Package-Manager: portage-2.2.27 Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Diffstat (limited to 'sys-auth')
-rw-r--r--sys-auth/libfprint/files/libfprint-0.6.0-fix-udev-rules.patch23
-rw-r--r--sys-auth/libfprint/libfprint-0.6.0-r2.ebuild60
2 files changed, 83 insertions, 0 deletions
diff --git a/sys-auth/libfprint/files/libfprint-0.6.0-fix-udev-rules.patch b/sys-auth/libfprint/files/libfprint-0.6.0-fix-udev-rules.patch
new file mode 100644
index 000000000000..128ac8ce311b
--- /dev/null
+++ b/sys-auth/libfprint/files/libfprint-0.6.0-fix-udev-rules.patch
@@ -0,0 +1,23 @@
+Remove spurious \n to fix udev rule generation
+
+Steven Newbury <steve@snewbury.org.uk>:
+libfprint generates 60-fprint-autosuspend.rules for all supported devices,
+however there's a spurious \n before the ', MODE="0666"' which results in it
+appearing on a new line after the match criteria. At least on current
+systemd/udev this results in MODE="0666" being applied unconditionally to all
+device nodes. This is an extremely serious security problem and effectively
+gives root access to all users simply by having the ebuild emerged.
+
+https://bugs.gentoo.org/562218
+
+--- a/libfprint/fprint-list-udev-rules.c
++++ b/libfprint/fprint-list-udev-rules.c
+@@ -74,7 +74,7 @@
+ if (num_printed == 0)
+ printf ("# %s\n", driver->full_name);
+
+- printf ("SUBSYSTEM==\"usb\", ATTRS{idVendor}==\"%04x\", ATTRS{idProduct}==\"%04x\", ATTRS{dev}==\"*\", TEST==\"power/control\", ATTR{power/control}=\"auto\"\n, MODE=\"0666\"\n", driver->id_table[i].vendor, driver->id_table[i].product);
++ printf ("SUBSYSTEM==\"usb\", ATTRS{idVendor}==\"%04x\", ATTRS{idProduct}==\"%04x\", ATTRS{dev}==\"*\", TEST==\"power/control\", ATTR{power/control}=\"auto\", MODE=\"0666\"\n", driver->id_table[i].vendor, driver->id_table[i].product);
+ printf ("SUBSYSTEM==\"usb\", ATTRS{idVendor}==\"%04x\", ATTRS{idProduct}==\"%04x\", ENV{LIBFPRINT_DRIVER}=\"%s\"\n", driver->id_table[i].vendor, driver->id_table[i].product, driver->full_name);
+ num_printed++;
+ }
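Review bot: The corrected `printf` on the added line of the embedded patch still emits `MODE="0666"` for every matched fingerprint reader, so after the fix any local account can still open those USB nodes directly. Whether libfprint's consumers need world access is not visible in this hunk, but a narrower grant such as `TAG+=\"uaccess\"` or `GROUP=\"plugdev\", MODE=\"0660\"` in place of `MODE=\"0666\"` would limit the sensor to the logged-in seat or a dedicated group. If 0666 is kept deliberately, the patch header should say so, for example `Note: MODE="0666" on the matched readers is retained from upstream; only the scope of the rule is fixed here.`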
diff --git a/sys-auth/libfprint/libfprint-0.6.0-r2.ebuild b/sys-auth/libfprint/libfprint-0.6.0-r2.ebuild
new file mode 100644
index 000000000000..4597a21ead14
--- /dev/null
+++ b/sys-auth/libfprint/libfprint-0.6.0-r2.ebuild
@@ -0,0 +1,60 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+inherit autotools eutils udev vcs-snapshot
+
+MY_PV="V_${PV//./_}"
+DESCRIPTION="library to add support for consumer fingerprint readers"
+HOMEPAGE="http://cgit.freedesktop.org/libfprint/libfprint/"
+SRC_URI="http://cgit.freedesktop.org/${PN}/${PN}/snapshot/${MY_PV}.tar.bz2 -> ${P}.tar.bz2
+ https://dev.gentoo.org/~xmw/${P}_vfs0050.patch.gz"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~ia64 ~ppc ~ppc64 ~x86"
+IUSE="debug static-libs vanilla"
+
+RDEPEND="virtual/libusb:1
+ dev-libs/glib:2
+ dev-libs/nss
+ x11-libs/pixman"
+DEPEND="${RDEPEND}
+ virtual/pkgconfig"
+
+PATCHES=(
+ "${FILESDIR}/${P}-fix-udev-rules.patch"
+)
+
+src_prepare() {
+ if ! use vanilla ; then
+ eapply "${WORKDIR}"/${P}_vfs0050.patch
+ fi
+
+ default
+
+ # upeke2 and fdu2000 were missing from all_drivers.
+ sed -e '/^all_drivers=/s:"$: upeke2 fdu2000":' \
+ -i configure.ac || die
+
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ --with-drivers=all \
+ $(use_enable debug debug-log) \
+ $(use_enable static-libs static) \
+ -enable-udev-rules \
+ --with-udev-rules-dir=$(get_udevdir)/rules.d
+}
+
+src_install() {
+ default
+
+ prune_libtool_files
+
+ dodoc AUTHORS HACKING NEWS README THANKS TODO
+}
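Review bot: The new ebuild has no `pkg_postinst`, so on a system that already ran the broken rule the fix does not take effect on install. The running udev keeps the old rules until they are reloaded, and device nodes already created presumably keep the 0666 mode until they are re-evaluated or the machine reboots. For a security revbump I would add a `pkg_postinst` that reloads the rules and tells the administrator how to reset the existing nodes, as sketched below, assuming the udev eclass in this tree provides `udev_reload`. Separately, `-enable-udev-rules` in `src_configure` is spelled with one dash, unlike the options around it; `--enable-udev-rules` would be consistent.

```shell
pkg_postinst() {
	# Load the corrected rules; nodes created earlier keep their old mode.
	udev_reload

	elog "Earlier revisions installed a udev rule that applied MODE=0666 to"
	elog "all device nodes (bug #562218). Reboot, or run 'udevadm trigger',"
	elog "so that existing nodes are re-evaluated with the fixed rule."
}
```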