Source: p11-kit Version: 0.23.1-2 Severity: important Tags: patch User: debian-h...@lists.debian.org Usertags: hurd
Hi, currently, p11-kit fails to compile on hurd-i386 [1]. The first problem is in patch 30_nogetauxvalonbsd.diff, due to the usage of issetugid() in secure_getenv() when getauxval() is not present; since that patch itself provides a _p11_getauxval() helper, just use that. The second issue is due to the different semantics of __libc_enable_secure, as used for the getauxval() reimplementation. More details are in the description of the attached hurd_enable_secure.diff, which makes the getauxval() reimplementation behave as p11-kit expects. Side note: I took the liberty to change patch 30_nogetauxvalonbsd.diff so it does not duplicate the AC_CHECK_FUNCS; this part can be left out, if deemed not necessary. [1] https://buildd.debian.org/status/fetch.php?pkg=p11-kit&arch=hurd-i386&ver=0.23.1-2&stamp=1430116334 Thanks, -- Pino
Description: Do not use getauxval on !linux. Origin: vendor Bug-Debian: http://bugs.debian.org/718285 Author: Andreas Metzler <ametz...@debian.org> Last-Update: 2015-07-11
--- a/common/compat.c
+++ b/common/compat.c
@@ -800,7 +800,7 @@
 #ifndef HAVE_GETAUXVAL
 unsigned long
-getauxval (unsigned long type)
+_p11_getauxval (unsigned long type)
 {
 static unsigned long secure = 0UL;
 static bool check_secure_initialized = false;
@@ -848,7 +848,7 @@
 char *
 secure_getenv (const char *name)
 {
- if (getauxval (AT_SECURE))
+ if (_p11_getauxval (AT_SECURE))
 return NULL;
 return getenv (name);
 }
--- a/common/compat.h
+++ b/common/compat.h
@@ -312,10 +312,11 @@
 #ifdef HAVE_GETAUXVAL
 #include <sys/auxv.h>
+#define _p11_getauxval(X) getauxval(X)
 #else /* !HAVE_GETAUXVAL */
-unsigned long getauxval (unsigned long type);
+unsigned long _p11_getauxval (unsigned long type);
 #define AT_SECURE 23
--- a/common/path.c
+++ b/common/path.c
@@ -106,7 +106,7 @@
 {
 const char *env;
- if (getauxval (AT_SECURE)) {
+ if (_p11_getauxval (AT_SECURE)) {
 errno = EPERM;
 return NULL;
 }
--- a/common/frob-getauxval.c
+++ b/common/frob-getauxval.c
@@ -55,7 +55,7 @@
 abort ();
 }
- ret = getauxval (type);
+ ret = _p11_getauxval (type);
 printf ("getauxval(%lu) == %lu\n", type, ret);
 return (int)ret;
 }
--- a/configure.ac
+++ b/configure.ac
@@ -51,6 +51,12 @@
 os_win32=yes
 os_unix=no
 ;;
+ *-*-linux*)
+ AC_DEFINE_UNQUOTED(OS_UNIX, 1, [Building for unix])
+ os_win32=no
+ os_unix=yes
+ os_linux=yes
+ ;;
 *)
 AC_DEFINE_UNQUOTED(OS_UNIX, 1, [Building for unix])
 os_win32=no
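Review bot: `os_linux` is assigned only in the new `*-*-linux*)` branch of the configure.ac hunk at -51, and the branches visible there never set it to `no`, so the later `test "$os_linux" = "yes"` (hunk at -88) depends on the variable being unset on entry. A value inherited from the build environment would switch the `getauxval` probe back on for a non-Linux host, and that probe decides which implementation backs the `AT_SECURE` checks in `secure_getenv()` and the user-config loader. Initialise it before the `case`, e.g. `os_linux=no`, or add `os_linux=no` to the other branches. The `case` statement starts outside the hunk, so an existing initialisation there cannot be ruled out.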
@@ -88,7 +94,11 @@
 AC_CHECK_HEADERS([sys/resource.h])
 AC_CHECK_MEMBERS([struct dirent.d_type],,,[#include <dirent.h>])
 AC_CHECK_FUNCS([getprogname getexecname basename mkstemp mkdtemp])
- AC_CHECK_FUNCS([getauxval issetugid getresuid secure_getenv])
+ AC_CHECK_FUNCS([issetugid getresuid secure_getenv])
+ if test "$os_linux" = "yes"; then
+ # Use getauxval on Linux only.
+ AC_CHECK_FUNCS([getauxval])
+ fi
 AC_CHECK_FUNCS([strnstr memdup strndup strerror_r])
 AC_CHECK_FUNCS([asprintf vasprintf vsnprintf])
 AC_CHECK_FUNCS([timegm])
--- a/p11-kit/conf.c
+++ b/p11-kit/conf.c
@@ -228,7 +228,7 @@
 goto finished;
 }
- if (mode != CONF_USER_NONE && getauxval (AT_SECURE)) {
+ if (mode != CONF_USER_NONE && _p11_getauxval (AT_SECURE)) {
 p11_debug ("skipping user config in setuid or setgid program");
 mode = CONF_USER_NONE;
 }
--- a/p11-kit/frob-setuid.c
+++ b/p11-kit/frob-setuid.c
@@ -70,7 +70,7 @@
 printf ("'setting' on module 'one': %s\n", field ? field : "(null)");
 assert (field != NULL);
- if (getauxval (AT_SECURE))
+ if (_p11_getauxval (AT_SECURE))
 assert (strcmp (field, "system1") == 0);
 else
 assert (strcmp (field, "user1") == 0);
Author: Pino Toscano <toscano.p...@tiscali.it> Description: Disable __libc_enable_secure usage on Hurd __libc_enable_secure is not set as 1 when executing something as sgid and the differet gid is still part of the user's own groups. See also: - http://lists.gnu.org/archive/html/bug-hurd/2015-06/msg00051.html - http://lists.gnu.org/archive/html/bug-hurd/2015-07/msg00000.html . The rest of the getauxval reimplementation will do its job according to what p11-kit expects. Last-Update: 2015-07-11
--- a/common/compat.c
+++ b/common/compat.c
@@ -812,7 +812,7 @@
 assert (type == AT_SECURE);
 if (!check_secure_initialized) {
-#if defined(HAVE___LIBC_ENABLE_SECURE)
+#if defined(HAVE___LIBC_ENABLE_SECURE) && !defined(__GNU__)
 extern int __libc_enable_secure;
 secure = __libc_enable_secure;
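Review bot: The `!defined(__GNU__)` exclusion on the new `#if` line carries no comment in the code, so the reason a privilege check skips `__libc_enable_secure` on Hurd is recorded only in the patch header. Suggest adding above it `/* Hurd: __libc_enable_secure is not set for sgid programs whose gid is already among the caller's groups; use the fallback checks instead. */`. The fallback branch of `_p11_getauxval()` lies outside the hunk, so it should be confirmed that it compares both the real/effective uid and the real/effective gid. Its result gates `secure_getenv()` and the "skipping user config in setuid or setgid program" path, so a missed setgid case would let a caller-controlled environment and user configuration reach a privileged process.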