author | Lars Wendler <polynomial-c@gentoo.org> | 2019-01-06 16:04:51 +0100 |
---|---|---|
committer | Lars Wendler <polynomial-c@gentoo.org> | 2019-01-06 16:11:40 +0100 |
commit | afd4c6fd6980ca985387496bfe16588e9a387d1c (patch) | |
tree | c7ed0e71f4d039cf4d876aeb537c704d5482b303 /sys-apps/man-db | |
parent | net-ftp/lftp: Fix net-dns/libidn and net-dns/libidn2 dependencies (diff) | |
sys-apps/man-db: Bump to version 2.8.5
Attempt to fix root privilege escalation.
Bug: https://bugs.gentoo.org/662438
Closes: https://bugs.gentoo.org/666404
Package-Manager: Portage-2.3.54, Repoman-2.3.12
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Diffstat (limited to 'sys-apps/man-db')
-rw-r--r-- | sys-apps/man-db/Manifest | 1 | ||||
-rw-r--r-- | sys-apps/man-db/files/man-db.cron-r1 | 11 | ||||
-rw-r--r-- | sys-apps/man-db/man-db-2.8.5.ebuild | 121 |
3 files changed, 133 insertions, 0 deletions
diff --git a/sys-apps/man-db/Manifest b/sys-apps/man-db/Manifest
index 0b3bc1785ef0..e4cc0f176a52 100644
--- a/sys-apps/man-db/Manifest
+++ b/sys-apps/man-db/Manifest
@@ -1,3 +1,4 @@
 DIST man-db-2.7.6.1.tar.xz 1541316 BLAKE2B ea3aa7e90ea8af4882bd99d99374cc37d9c0c7f70bb970973eb3f2178aa4323bcdebc7f39f142ec0144dbe55a9f86aba15d9fe281d2662d280b8e6dca9452f24 SHA512 623c5e7f8b7c289908b2c926f8777293b8d39aeceef0d2509d701a8b0bfa81408650f655c8608318221786c751a79ee91124b07993de5298cd7fa6d8bb737301
 DIST man-db-2.8.3.tar.xz 1624280 BLAKE2B 6158608a5a6ecd361391a17642a4bbc9275a8a3105a39d6f6c3971aceb275cfb16670c51dfa8f1d7fc0136fc1b5e96e39c88e8c1d91e9a47d7a1351d16623a93 SHA512 35d5dda7a2bda94978d10770d24d4c78b3c62c71a68cfeb400df61b0df289ed17aa8aa223d4ae3ffa094d76df8d9172b878230fd7b0397ce7728b9c8ac0b1745
 DIST man-db-2.8.4.tar.xz 1779488 BLAKE2B c5f9b06c4b24e046e4b8fbcf4f43015133d18d875edd79f0aad992d884e83fc28a8c3b7d82ded187293d858dfadae48eb088722c3ffc91eec64b71cdf46750be SHA512 3cc160a5a8a0a4e918f6f6546582d1e5fe9851a13c5bd8dc94e3fcbf4ec28cb3cd1524b1ae30722931c84981fa8ca9ac64c9c4d9544c2d0bea80ac9f39cb5e66
+DIST man-db-2.8.5.tar.xz 1787244 BLAKE2B b908a6fb0187d42f8d1f842063e0afdf1e052244ea727f0aaaf4d658bb8954a216c0555df5511b27246fd12c2a388c44dcfccf243449d25d6e741c5c3466d3be SHA512 8d1524c3b6459c9ac02d969149c18c198cb171bcd6acc493e863a466c01309958ee9f5ac52df4d7d27da29d35cb7c64132732f5b969181ab336500df2e6dad69
diff --git a/sys-apps/man-db/files/man-db.cron-r1 b/sys-apps/man-db/files/man-db.cron-r1
new file mode 100644
index 000000000000..7f7932360cb8
--- /dev/null
+++ b/sys-apps/man-db/files/man-db.cron-r1
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# Use same perms/settings as the ebuild.
+cachedir="/var/cache/man"
+if [ ! -d "${cachedir}" ]; then
+ mkdir -p "${cachedir}"
+ chown man:man "${cachedir}"
+ chmod 0755 "${cachedir}"
+fi
+
+exec su man -s /bin/sh -c 'nice mandb --quiet' 2>/dev/null
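Review bot: Failures in man-db.cron-r1 produce no diagnostics: `mkdir`, `chown` and `chmod` are unchecked, and the `2>/dev/null` on the final `exec su man …` line discards the error output of `su` itself as well as that of `mandb`. The switch to the `man` user is the security-relevant step of this root-run job, so a run where that switch fails should not look like a quiet success. I would stop on a setup failure, e.g. `mkdir -p "${cachedir}" && chown man:man "${cachedir}" && chmod 0755 "${cachedir}" || exit 1`, and limit the redirection to `mandb` inside the `-c` string so that `su` errors still reach cron. The header comment says the settings match the ebuild, but `pkg_preinst` in this commit creates the directory without the `chmod 0755`; the two should be aligned or the comment reworded.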
diff --git a/sys-apps/man-db/man-db-2.8.5.ebuild b/sys-apps/man-db/man-db-2.8.5.ebuild
new file mode 100644
index 000000000000..c6db5d3398e6
--- /dev/null
+++ b/sys-apps/man-db/man-db-2.8.5.ebuild
@@ -0,0 +1,121 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit user eapi7-ver
+
+DESCRIPTION="a man replacement that utilizes berkdb instead of flat files"
+HOMEPAGE="http://www.nongnu.org/man-db/"
+if [[ "${PV}" = 9999* ]] ; then
+ inherit git-r3
+ EGIT_REPO_URI="https://git.savannah.gnu.org/git/man-db.git"
+else
+ SRC_URI="mirror://nongnu/${PN}/${P}.tar.xz"
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~x86-linux"
+fi
+
+LICENSE="GPL-3"
+SLOT="0"
+IUSE="berkdb +gdbm +manpager nls +seccomp selinux static-libs zlib"
+
+CDEPEND="
+ !sys-apps/man
+ >=dev-libs/libpipeline-1.5.0
+ sys-apps/groff
+ berkdb? ( sys-libs/db:= )
+ gdbm? ( sys-libs/gdbm:= )
+ !berkdb? ( !gdbm? ( sys-libs/gdbm:= ) )
+ seccomp? ( sys-libs/libseccomp )
+ zlib? ( sys-libs/zlib )
+"
+DEPEND="
+ ${CDEPEND}
+ app-arch/xz-utils
+ virtual/pkgconfig
+ nls? (
+ >=app-text/po4a-0.45
+ sys-devel/gettext
+ )
+"
+RDEPEND="
+ ${CDEPEND}
+ selinux? ( sec-policy/selinux-mandb )
+"
+PDEPEND="manpager? ( app-text/manpager )"
+
+pkg_setup() {
+ # Create user now as Makefile in src_install does setuid/chown
+ enewgroup man 15
+ enewuser man 13 -1 /usr/share/man man
+
+ if (use gdbm && use berkdb) || (use !gdbm && use !berkdb) ; then #496150
+ ewarn "Defaulting to USE=gdbm due to ambiguous berkdb/gdbm USE flag settings"
+ fi
+}
+
+src_configure() {
+ export ac_cv_lib_z_gzopen=$(usex zlib)
+ local myeconfargs=(
+ --with-systemdtmpfilesdir="${EPREFIX}"/usr/lib/tmpfiles.d
+ --disable-setuid #662438
+ --enable-cache-owner=man
+ --with-sections="1 1p 8 2 3 3p 4 5 6 7 9 0p tcl n l p o 1x 2x 3x 4x 5x 6x 7x 8x"
+ $(use_enable nls)
+ $(use_enable static-libs static)
+ $(use_with seccomp libseccomp)
+ --with-db=$(usex gdbm gdbm $(usex berkdb db gdbm))
+ )
+ econf "${myeconfargs[@]}"
+
+ # Disable color output from groff so that the manpager can add it. #184604
+ sed -i \
+ -e '/^#DEFINE.*\<[nt]roff\>/{s:^#::;s:$: -c:}' \
+ src/man_db.conf || die
+}
+
+src_install() {
+ default
+ dodoc docs/{HACKING,TODO}
+ find "${ED}" -name "*.la" -delete || die
+
+ exeinto /etc/cron.daily
+ newexe "${FILESDIR}"/man-db.cron-r1 man-db #289884
+}
+
+pkg_preinst() {
+ local cachedir="${EROOT}var/cache/man"
+ # If the system was already exploited, and the attacker is hiding in the
+ # cachedir of the old man-db, let's wipe them out.
+ # see bug #602588 comment 18
+ local _replacing_version=
+ local _setgid_vuln=0
+ for _replacing_version in ${REPLACING_VERSIONS}; do
+ if version_is_at_least '2.7.6.1-r2' "${_replacing_version}"; then
+ debug-print "Skipping security bug #602588 ... existing installation (${_replacing_version}) should not be affected!"
+ else
+ _setgid_vuln=1
+ debug-print "Applying cleanup for security bug #602588"
+ fi
+ done
+ [[ ${_setgid_vuln} -eq 1 ]] && rm -rf "${cachedir}"
+
+ # Fall back to recreating the cachedir
+ if [[ ! -d ${cachedir} ]] ; then
+ mkdir -p "${cachedir}" || die
+ chown man:man "${cachedir}" || die
+ fi
+
+ # Update the whatis cache
+ if [[ -f ${cachedir}/whatis ]] ; then
+ einfo "Cleaning ${cachedir} from sys-apps/man"
+ find "${cachedir}" -type f '!' '(' -name index.bt -o -name index.db ')' -delete
+ fi
+}
+
+pkg_postinst() {
+ if [[ $(ver_cut 2 ${REPLACING_VERSIONS}) -lt 7 ]] ; then
+ einfo "Rebuilding man-db from scratch with new database format!"
+ su man -s /bin/sh -c 'mandb --quiet --create' 2>/dev/null
+ fi
+}
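Review bot: The security cleanup in `pkg_preinst` is unchecked: `[[ ${_setgid_vuln} -eq 1 ]] && rm -rf "${cachedir}"` and the later `find "${cachedir}" … -delete` have no `|| die`, unlike the `mkdir`/`chown` between them. A partial removal would therefore leave content from a possibly compromised cache in place while the merge continues. These commands run as root on a directory that is handed to the unprivileged `man` user, so I would make the removal fail loudly with `if [[ ${_setgid_vuln} -eq 1 ]] ; then rm -rf "${cachedir}" || die ; fi` and add `|| die` to the `find`. In `pkg_postinst` the `su man … 2>/dev/null` call likewise hides a failed rebuild; appending `|| ewarn "mandb rebuild as user man failed"` would at least tell the user.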