net-misc/aria2: Backport the fix for CVE-2019-3500

Backport fix for potential password leakage in logs (CVE-2019-3500).
Ideally this would be a fresh snapshot but autoreconf fails on aria2
git.

Bug: https://bugs.gentoo.org/674622
Signed-off-by: Michał Górny <mgorny@gentoo.org>

2 files changed, 201 insertions, 0 deletions

diff --git a/net-misc/aria2/aria2-1.34.0-r1.ebuild b/net-misc/aria2/aria2-1.34.0-r1.ebuild
new file mode 100644
index 000000000000..1522945364e2
--- /dev/null
+++ b/net-misc/aria2/aria2-1.34.0-r1.ebuild
@@ -0,0 +1,155 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit bash-completion-r1
+
+DESCRIPTION="A download utility with segmented downloading with BitTorrent support"
+HOMEPAGE="https://aria2.github.io/"
+SRC_URI="https://github.com/aria2/${PN}/releases/download/release-${PV}/${P}.tar.xz"
+
+LICENSE="GPL-2"
+KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~sparc ~x86 ~amd64-linux ~x86-linux"
+SLOT="0"
+IUSE="adns bittorrent +gnutls jemalloc libuv +libxml2 metalink +nettle nls sqlite scripts ssh ssl tcmalloc test xmlrpc"
+
+CDEPEND="sys-libs/zlib:0=
+	ssl? (
+		app-misc/ca-certificates
+		gnutls? ( >=net-libs/gnutls-1.2.9:0= )
+		!gnutls? ( dev-libs/openssl:0= ) )
+	adns? ( >=net-dns/c-ares-1.5.0:0= )
+	bittorrent? (
+		ssl? (
+			gnutls? (
+				nettle? ( >=dev-libs/nettle-2.4:0=[gmp] >=dev-libs/gmp-6:0= )
+				!nettle? ( >=dev-libs/libgcrypt-1.2.2:0= ) ) )
+		!ssl? (
+			nettle? ( >=dev-libs/nettle-2.4:0=[gmp] >=dev-libs/gmp-6:0= )
+			!nettle? ( >=dev-libs/libgcrypt-1.2.2:0= ) ) )
+	jemalloc? ( dev-libs/jemalloc )
+	libuv? ( >=dev-libs/libuv-1.13:0= )
+	metalink? (
+		libxml2? ( >=dev-libs/libxml2-2.6.26:2= )
+		!libxml2? ( dev-libs/expat:0= ) )
+	sqlite? ( dev-db/sqlite:3= )
+	ssh? ( net-libs/libssh2:= )
+	tcmalloc? ( dev-util/google-perftools )
+	xmlrpc? (
+		libxml2? ( >=dev-libs/libxml2-2.6.26:2= )
+		!libxml2? ( dev-libs/expat:0= ) )"
+
+DEPEND="${CDEPEND}
+	app-arch/xz-utils
+	virtual/pkgconfig
+	nls? ( sys-devel/gettext )
+	test? ( >=dev-util/cppunit-1.12.0:0 )"
+RDEPEND="${CDEPEND}
+	nls? ( virtual/libiconv virtual/libintl )
+	scripts? ( dev-lang/ruby )"
+
+# xmlrpc has no explicit switch, it's turned out by any XML library
+# so metalink implicitly forces it on
+REQUIRED_USE="?? ( jemalloc tcmalloc )
+	metalink? ( xmlrpc )"
+RESTRICT="!test? ( test )"
+
+pkg_setup() {
+	if use scripts && ! use xmlrpc; then
+		ewarn "Please note that you may need to enable USE=xmlrpc to run the aria2rpc"
+		ewarn "and aria2mon scripts against the local aria2."
+	fi
+}
+
+src_prepare() {
+	eapply "${FILESDIR}"/${P}-make_unique.patch
+	# https://bugs.gentoo.org/674622 (CVE-2019-3500)
+	eapply "${FILESDIR}"/${P}-mask-headers.patch
+	default
+	sed -i -e "s|/tmp|${T}|" test/*.cc test/*.txt || die "sed failed"
+}
+
+src_configure() {
+	local myconf=(
+		# threads, epoll: check for best portability
+
+		# do not try to compile and run a test LIBXML program
+		--disable-xmltest
+		# enable the shared library
+		--enable-libaria2
+		# zlib should always be available anyway
+		--with-libz
+		--with-ca-bundle="${EPREFIX}/etc/ssl/certs/ca-certificates.crt"
+
+		# optional features
+		$(use_enable bittorrent)
+		$(use_enable metalink)
+		$(use_enable nls)
+		$(use_with adns libcares)
+		$(use_with jemalloc)
+		$(use_with libuv)
+		$(use_with sqlite sqlite3)
+		$(use_with ssh libssh2)
+		$(use_with tcmalloc)
+	)
+
+	# SSL := gnutls / openssl
+	# USE=ssl
+	#  + USE=gnutls -> gnutls
+	#  + USE=-gnutls -> openssl
+
+	if use ssl; then
+		myconf+=( $(use_with gnutls) $(use_with !gnutls openssl) )
+	else
+		myconf+=( --without-gnutls --without-openssl )
+	fi
+
+	# message-digest := nettle / gcrypt / openssl
+	# bignum := nettle+gmp / gcrypt / openssl
+	# bittorrent := message-digest + bignum
+	# USE=bittorrent
+	#  + USE=(ssl -gnutls) -> openssl
+	#  + USE=nettle -> nettle+gmp
+	#  + USE=-nettle -> gcrypt
+
+	if use !bittorrent || use ssl && use !gnutls; then
+		myconf+=( --without-libgcrypt --without-libnettle --without-libgmp )
+	else
+		myconf+=( $(use_with !nettle libgcrypt)
+			$(use_with nettle libnettle) $(use_with nettle libgmp) )
+	fi
+
+	# metalink+xmlrpc := libxml2 / expat
+	# USE=(metalink || xmlrpc)
+	#  + USE=libxml2 -> libxml2
+	#  + USE=-libxml2 -> expat
+
+	if use metalink || use xmlrpc; then
+		myconf+=( $(use_with !libxml2 libexpat) $(use_with libxml2) )
+	else
+		myconf+=( --without-libexpat --without-libxml2 )
+	fi
+
+	# Note:
+	# - always enable gzip/http compression since zlib should always be available anyway
+	# - always enable epoll since we can assume kernel 2.6.x
+	# - other options for threads: solaris, pth, win32
+	econf "${myconf[@]}"
+}
+
+src_install() {
+	default
+	rm -rf "${D}"/usr/share/doc/aria2 \
+		"${D}"/usr/share/doc/${PF}/README{,.html}
+
+	dobashcomp doc/bash_completion/aria2c
+	use scripts && dobin doc/xmlrpc/aria2{mon,rpc}
+}
+
+pkg_postinst() {
+	if use xmlrpc; then
+		elog "If you would like to use the additional aria2mon and aria2rpc tools,"
+		elog "you need to have \033[1mdev-lang/ruby\033[0m installed."
+	fi
+}
diff --git a/net-misc/aria2/files/aria2-1.34.0-mask-headers.patch b/net-misc/aria2/files/aria2-1.34.0-mask-headers.patch
new file mode 100644
index 000000000000..694681d88859
--- /dev/null
+++ b/net-misc/aria2/files/aria2-1.34.0-mask-headers.patch
@@ -0,0 +1,46 @@
+From 37368130ca7de5491a75fd18a20c5c5cc641824a Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
+Date: Sat, 5 Jan 2019 09:32:40 +0900
+Subject: [PATCH] Mask headers
+
+---
+ src/HttpConnection.cc | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/src/HttpConnection.cc b/src/HttpConnection.cc
+index 77cb9d27a..be5b97723 100644
+--- a/src/HttpConnection.cc
++++ b/src/HttpConnection.cc
+@@ -102,11 +102,17 @@ std::string HttpConnection::eraseConfidentialInfo(const std::string& request)
+   std::string result;
+   std::string line;
+   while (getline(istr, line)) {
+-    if (util::startsWith(line, "Authorization: Basic")) {
+-      result += "Authorization: Basic ********\n";
++    if (util::istartsWith(line, "Authorization: ")) {
++      result += "Authorization: <snip>\n";
+     }
+-    else if (util::startsWith(line, "Proxy-Authorization: Basic")) {
+-      result += "Proxy-Authorization: Basic ********\n";
++    else if (util::istartsWith(line, "Proxy-Authorization: ")) {
++      result += "Proxy-Authorization: <snip>\n";
++    }
++    else if (util::istartsWith(line, "Cookie: ")) {
++      result += "Cookie: <snip>\n";
++    }
++    else if (util::istartsWith(line, "Set-Cookie: ")) {
++      result += "Set-Cookie: <snip>\n";
+     }
+     else {
+       result += line;
+@@ -154,8 +160,8 @@ std::unique_ptr<HttpResponse> HttpConnection::receiveResponse()
+   const auto& proc = outstandingHttpRequests_.front()->getHttpHeaderProcessor();
+   if (proc->parse(socketRecvBuffer_->getBuffer(),
+                   socketRecvBuffer_->getBufferLength())) {
+-    A2_LOG_INFO(
+-        fmt(MSG_RECEIVE_RESPONSE, cuid_, proc->getHeaderString().c_str()));
++    A2_LOG_INFO(fmt(MSG_RECEIVE_RESPONSE, cuid_,
++                    eraseConfidentialInfo(proc->getHeaderString()).c_str()));
+     auto result = proc->getResult();
+     if (result->getStatusCode() / 100 == 1) {
+       socketRecvBuffer_->drain(proc->getLastBytesProcessed());