From patchwork Sun Aug 23 19:02:58 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Brendan Heading X-Patchwork-Id: 509872 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by ozlabs.org (Postfix) with ESMTP id DF0DE1402A0 for ; Mon, 24 Aug 2015 05:03:18 +1000 (AEST) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b=uwbnGW+y; dkim-atps=neutral Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id 1DFBF3136D; Sun, 23 Aug 2015 19:03:18 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sdIHElzDfL3G; Sun, 23 Aug 2015 19:03:08 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by silver.osuosl.org (Postfix) with ESMTP id 18EE02FB6B; Sun, 23 Aug 2015 19:03:08 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by ash.osuosl.org (Postfix) with ESMTP id 4EC7E1C1567 for ; Sun, 23 Aug 2015 19:03:06 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id 47CEB2FB57 for ; Sun, 23 Aug 2015 19:03:06 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lq0gDA48FnMh for ; Sun, 23 Aug 2015 19:03:03 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-wi0-f174.google.com (mail-wi0-f174.google.com [209.85.212.174]) by silver.osuosl.org (Postfix) with ESMTPS id 118CE2F9BD for ; Sun, 23 Aug 2015 19:03:03 +0000 (UTC) Received: by widdq5 with SMTP id dq5so31608935wid.1 for ; Sun, 23 Aug 2015 12:03:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:date:message-id; bh=V/S+cit1uoQYNI5EfwupZlZ5faEyJssr4wbnICqKu6E=; b=uwbnGW+y1pd7QpsWRvujtauBSVcRjytYZJKvkm7CvteS2iWQDV7U5NUS4VKFk5buoY KwAmnmRbU/DLnVYiwdI4U/ydN0CckFjAA49gSV3T69K/3QL9yxUsjXznjU67LEEVlIiL ZP1ViSOg/cKUzLVtheBrx2W+K/hrrVXud+dFG8gGYalUImLvKUKpneyGXfEQxA5bfUzG dX8W+m83ThR/d4A798xuojV00mrIdFGUMA28Iy23H5IRa8sRkxpIL0Sm/C41/zxQ85S8 4/C/N1OwlnQox44WUn4wN5RCe5nLCvHFpWoxoEtDyrHvDZV3gcyW+bKqW5h2hmyo4QvQ mL6Q== X-Received: by 10.180.99.71 with SMTP id eo7mr23339804wib.25.1440356581580; Sun, 23 Aug 2015 12:03:01 -0700 (PDT) Received: from bhfedora.localdomain ([82.15.84.251]) by smtp.gmail.com with ESMTPSA id xs1sm19754278wjc.7.2015.08.23.12.03.00 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 23 Aug 2015 12:03:01 -0700 (PDT) From: Brendan Heading To: buildroot@buildroot.org Date: Sun, 23 Aug 2015 20:02:58 +0100 Message-Id: <1440356578-2205-1-git-send-email-brendanheading@gmail.com> X-Mailer: git-send-email 2.4.3 Cc: Brendan Heading Subject: [Buildroot] [PATCH 1/1] packages/linux-pam: bump version to 1.1.8 -> 1.2.1 X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" Move to the latest release of linux-pam. This allows us to remove a number of patches and consolidate the existing ones : - 0001-configure.patch - 0007-rhosts.patch these two patches deal with the ruserok function, which is not usable with uclibc. Consolidated into 0002-Conditionally-compile-per-ruserok-availability.patch. - 0003-group.patch - 0005-succeed.patch - 0006-time.patch these three patches deal with the innetgr function, which is not usable with uclibc. Consolidated into 0003-Conditionally-compile-per-innetgr-availability.patch. - 0004-mkdir.patch Fixed in upstream, no longer required. - 0002-doc-makefile-am.patch renamed to 0001-doc-makefile-am.patch. - 0008-fix-CVE-2014-2583.patch - 0009-fix-CVE-2013-7041.patch These patches are already included in the new release and so can be safely deleted. Tested-by: Carlos Santos --- v1 - I thought rather than patching linux-pam 1.1.8 to fix the musl compilation issues, we may as well bump to the newer version first. I have the musl patches waiting, but thought it better to submit this first. This patch includes only the changes necessary to get linux-pam 1.2.1 building under uclibc and glibc (ie just the version bump). The original set of patches seemed unnecessarily fragmented so I've consolidated them into larger patches based on which aspect they were fixing. Makes dealing with the set of patches a little more convenient. Also added Upstream-status indications which were not originally present. Once we are happy here I will look at submitting these where appropriate. --- Signed-off-by: Brendan Heading --- package/linux-pam/0001-configure.patch | 19 ----- ...akefile-am.patch => 0001-doc-makefile-am.patch} | 3 + ...tionally-compile-per-ruserok-availability.patch | 49 +++++++++++++ ...tionally-compile-per-innetgr-availability.patch | 84 ++++++++++++++++++++++ package/linux-pam/0003-group.patch | 26 ------- package/linux-pam/0004-mkdir.patch | 17 ----- package/linux-pam/0005-succeed.patch | 31 -------- package/linux-pam/0006-time.patch | 26 ------- package/linux-pam/0007-rhosts.patch | 24 ------- package/linux-pam/0008-fix-CVE-2014-2583.patch | 53 -------------- package/linux-pam/0009-fix-CVE-2013-7041.patch | 50 ------------- package/linux-pam/linux-pam.hash | 2 +- package/linux-pam/linux-pam.mk | 2 +- 13 files changed, 138 insertions(+), 248 deletions(-) delete mode 100644 package/linux-pam/0001-configure.patch rename package/linux-pam/{0002-doc-makefile-am.patch => 0001-doc-makefile-am.patch} (91%) create mode 100644 package/linux-pam/0002-Conditionally-compile-per-ruserok-availability.patch create mode 100644 package/linux-pam/0003-Conditionally-compile-per-innetgr-availability.patch delete mode 100644 package/linux-pam/0003-group.patch delete mode 100644 package/linux-pam/0004-mkdir.patch delete mode 100644 package/linux-pam/0005-succeed.patch delete mode 100644 package/linux-pam/0006-time.patch delete mode 100644 package/linux-pam/0007-rhosts.patch delete mode 100644 package/linux-pam/0008-fix-CVE-2014-2583.patch delete mode 100644 package/linux-pam/0009-fix-CVE-2013-7041.patch diff --git a/package/linux-pam/0001-configure.patch b/package/linux-pam/0001-configure.patch deleted file mode 100644 index d39261f..0000000 --- a/package/linux-pam/0001-configure.patch +++ /dev/null @@ -1,19 +0,0 @@ -Add check for ruserok - -ruserok is not available/functional in uclibc, provide conditions for compilation -where needed. - -Signed-off-by: Dmitry Golubovsky - -diff -urN a/configure.in b/configure.in ---- a/configure.in 2012-08-17 03:48:24.000000000 -0500 -+++ b/configure.in 2013-07-17 09:49:23.760254684 -0500 -@@ -526,7 +526,7 @@ - AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname) - AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r) - AC_CHECK_FUNCS(getgrouplist getline getdelim) --AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af) -+AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af ruserok) - - AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no]) - AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes]) diff --git a/package/linux-pam/0002-doc-makefile-am.patch b/package/linux-pam/0001-doc-makefile-am.patch similarity index 91% rename from package/linux-pam/0002-doc-makefile-am.patch rename to package/linux-pam/0001-doc-makefile-am.patch index 8fa2dda..ac3ff2b 100644 --- a/package/linux-pam/0002-doc-makefile-am.patch +++ b/package/linux-pam/0001-doc-makefile-am.patch @@ -3,6 +3,9 @@ Disable generation of documentation Generation of documentation is not necessary in Buildroot, disable it completely. Signed-off-by: Dmitry Golubovsky +Signed-off-by: Brendan Heading + +Upstream-status: inappropriate diff -urN a/doc/Makefile.am b/doc/Makefile.am --- a/doc/Makefile.am 2012-08-15 06:08:43.000000000 -0500 diff --git a/package/linux-pam/0002-Conditionally-compile-per-ruserok-availability.patch b/package/linux-pam/0002-Conditionally-compile-per-ruserok-availability.patch new file mode 100644 index 0000000..cec642d --- /dev/null +++ b/package/linux-pam/0002-Conditionally-compile-per-ruserok-availability.patch @@ -0,0 +1,49 @@ +ruserok is not available/functional in uclibc, provide conditions +for compilation where needed. + +Patch originally by Dmitry Golubovsky - +porting to linux-pam 1.2.1. + +Signed-off-by: Brendan Heading + +Upstream-status: pending + +--- + configure.ac | 2 +- + modules/pam_rhosts/pam_rhosts.c | 6 +++++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 08e4530..fd2fd23 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -542,7 +542,7 @@ AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir selec + AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname) + AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r) + AC_CHECK_FUNCS(getgrouplist getline getdelim) +-AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af) ++AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af ruserok) + + AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no]) + AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes]) +diff --git a/modules/pam_rhosts/pam_rhosts.c b/modules/pam_rhosts/pam_rhosts.c +index bc9e76f..909db29 100644 +--- a/modules/pam_rhosts/pam_rhosts.c ++++ b/modules/pam_rhosts/pam_rhosts.c +@@ -114,8 +114,12 @@ int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, + #ifdef HAVE_RUSEROK_AF + retval = ruserok_af (rhost, as_root, ruser, luser, PF_UNSPEC); + #else ++ #ifdef HAVE_RUSEROK + retval = ruserok (rhost, as_root, ruser, luser); +-#endif ++ #else ++ retval = -1; ++ #endif /* HAVE_RUSEROK */ ++#endif /*HAVE_RUSEROK_AF */ + if (retval != 0) { + if (!opt_silent || opt_debug) + pam_syslog(pamh, LOG_WARNING, "denied access to %s@%s as %s", +-- +2.4.3 + diff --git a/package/linux-pam/0003-Conditionally-compile-per-innetgr-availability.patch b/package/linux-pam/0003-Conditionally-compile-per-innetgr-availability.patch new file mode 100644 index 0000000..4b516fa --- /dev/null +++ b/package/linux-pam/0003-Conditionally-compile-per-innetgr-availability.patch @@ -0,0 +1,84 @@ +innetgr is not available/functional in uclibc, provide conditions for +compilation. + +Patch originally by Dmitry Golubovsky - porting +to linux-pam 1.2.1. + +Signed-off-by: Brendan Heading + +Upstream-status: pending + +--- + modules/pam_group/pam_group.c | 8 +++++++- + modules/pam_succeed_if/pam_succeed_if.c | 4 ++++ + modules/pam_time/pam_time.c | 8 +++++++- + 3 files changed, 18 insertions(+), 2 deletions(-) + +diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c +index be5f20f..0982de8 100644 +--- a/modules/pam_group/pam_group.c ++++ b/modules/pam_group/pam_group.c +@@ -655,8 +655,14 @@ static int check_account(pam_handle_t *pamh, const char *service, + continue; + } + /* If buffer starts with @, we are using netgroups */ +- if (buffer[0] == '@') ++ if (buffer[0] == '@') { ++#ifdef HAVE_INNETGR + good &= innetgr (&buffer[1], NULL, user, NULL); ++#else ++ good = 0; ++ pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support"); ++#endif /* HAVE_INNETGR */ ++ } + /* otherwise, if the buffer starts with %, it's a UNIX group */ + else if (buffer[0] == '%') + good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]); +diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c +index aa828fc..c09d669 100644 +--- a/modules/pam_succeed_if/pam_succeed_if.c ++++ b/modules/pam_succeed_if/pam_succeed_if.c +@@ -233,16 +233,20 @@ evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group) + static int + evaluate_innetgr(const char *host, const char *user, const char *group) + { ++#ifdef HAVE_INNETGR + if (innetgr(group, host, user, NULL) == 1) + return PAM_SUCCESS; ++#endif /* HAVE_INNETGR */ + return PAM_AUTH_ERR; + } + /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */ + static int + evaluate_notinnetgr(const char *host, const char *user, const char *group) + { ++#ifdef HAVE_INNETGR + if (innetgr(group, host, user, NULL) == 0) + return PAM_SUCCESS; ++#endif /* HAVE_INNETGR */ + return PAM_AUTH_ERR; + } + +diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c +index c94737c..4898fd2 100644 +--- a/modules/pam_time/pam_time.c ++++ b/modules/pam_time/pam_time.c +@@ -554,8 +554,14 @@ check_account(pam_handle_t *pamh, const char *service, + continue; + } + /* If buffer starts with @, we are using netgroups */ +- if (buffer[0] == '@') ++ if (buffer[0] == '@') { ++#ifdef HAVE_INNETGR + good &= innetgr (&buffer[1], NULL, user, NULL); ++#else ++ good = 0; ++ pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support"); ++#endif /* HAVE_INNETGR */ ++ } + else + good &= logic_field(pamh, user, buffer, count, is_same); + D(("with user: %s", good ? "passes":"fails" )); +-- +2.4.3 + diff --git a/package/linux-pam/0003-group.patch b/package/linux-pam/0003-group.patch deleted file mode 100644 index a94cf9e..0000000 --- a/package/linux-pam/0003-group.patch +++ /dev/null @@ -1,26 +0,0 @@ -Conditionally compile per innetgr availability - -innetgr is not available/functional in uclibc, provide conditions for compilation. - -Signed-off-by: Dmitry Golubovsky - -Index: linux-pam-1.1.4/modules/pam_group/pam_group.c -============================================================================ ---- linux-pam-1.1.4/modules/pam_group/pam_group.c 2011-06-21 05:04:56.000000000 -0400 -+++ linux-pam-1.1.4/modules/pam_group/pam_group.c 2012-08-09 21:35:06.000000000 -0400 -@@ -655,8 +655,14 @@ - continue; - } - /* If buffer starts with @, we are using netgroups */ -- if (buffer[0] == '@') -+ if (buffer[0] == '@') { -+#ifdef HAVE_INNETGR - good &= innetgr (&buffer[1], NULL, user, NULL); -+#else -+ good = 0; -+ pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support"); -+#endif /* HAVE_INNETGR */ -+ } - /* otherwise, if the buffer starts with %, it's a UNIX group */ - else if (buffer[0] == '%') - good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]); diff --git a/package/linux-pam/0004-mkdir.patch b/package/linux-pam/0004-mkdir.patch deleted file mode 100644 index 00056da..0000000 --- a/package/linux-pam/0004-mkdir.patch +++ /dev/null @@ -1,17 +0,0 @@ -$(mkdir_p) is obsolete for newer automake, use $(MKDIR_P) instead. -Upstream should really gettextize with a newer version before packing up. - -Signed-off-by: Gustavo Zacarias - -diff -Nura Linux-PAM-1.1.7.orig/po/Makefile.in.in Linux-PAM-1.1.7/po/Makefile.in.in ---- Linux-PAM-1.1.7.orig/po/Makefile.in.in 2013-09-11 20:45:16.610770002 -0300 -+++ Linux-PAM-1.1.7/po/Makefile.in.in 2013-09-11 20:45:28.030145316 -0300 -@@ -31,7 +31,7 @@ - INSTALL = @INSTALL@ - INSTALL_DATA = @INSTALL_DATA@ - mkinstalldirs = $(SHELL) @install_sh@ -d --mkdir_p = @mkdir_p@ -+mkdir_p = @MKDIR_P@ - - GMSGFMT_ = @GMSGFMT@ - GMSGFMT_no = @GMSGFMT@ diff --git a/package/linux-pam/0005-succeed.patch b/package/linux-pam/0005-succeed.patch deleted file mode 100644 index 8a675ef..0000000 --- a/package/linux-pam/0005-succeed.patch +++ /dev/null @@ -1,31 +0,0 @@ -Conditionally compile per innetgr availability - -innetgr is not available/functional in uclibc, provide conditions for compilation. - -Signed-off-by: Dmitry Golubovsky - -Index: linux-pam-1.1.4/modules/pam_succeed_if/pam_succeed_if.c -============================================================================ ---- linux-pam-1.1.4/modules/pam_succeed_if/pam_succeed_if.c 2011-06-21 05:04:56.000000000 -0400 -+++ linux-pam-1.1.4/modules/pam_succeed_if/pam_succeed_if.c 2012-08-09 21:05:02.000000000 -0400 -@@ -233,16 +233,20 @@ - static int - evaluate_innetgr(const char *host, const char *user, const char *group) - { -+#ifdef HAVE_INNETGR - if (innetgr(group, host, user, NULL) == 1) - return PAM_SUCCESS; -+#endif /* HAVE_INNETGR */ - return PAM_AUTH_ERR; - } - /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */ - static int - evaluate_notinnetgr(const char *host, const char *user, const char *group) - { -+#ifdef HAVE_INNETGR - if (innetgr(group, host, user, NULL) == 0) - return PAM_SUCCESS; -+#endif /* HAVE_INNETGR */ - return PAM_AUTH_ERR; - } - diff --git a/package/linux-pam/0006-time.patch b/package/linux-pam/0006-time.patch deleted file mode 100644 index 58d7c9f..0000000 --- a/package/linux-pam/0006-time.patch +++ /dev/null @@ -1,26 +0,0 @@ -Conditionally compile per innetgr availability - -innetgr is not available/functional in uclibc, provide conditions for compilation. - -Signed-off-by: Dmitry Golubovsky - -Index: linux-pam-1.1.4/modules/pam_time/pam_time.c -============================================================================ ---- linux-pam-1.1.4/modules/pam_time/pam_time.c 2011-06-21 05:04:56.000000000 -0400 -+++ linux-pam-1.1.4/modules/pam_time/pam_time.c 2012-08-09 21:02:29.000000000 -0400 -@@ -554,8 +554,14 @@ - continue; - } - /* If buffer starts with @, we are using netgroups */ -- if (buffer[0] == '@') -+ if (buffer[0] == '@') { -+#ifdef HAVE_INNETGR - good &= innetgr (&buffer[1], NULL, user, NULL); -+#else -+ good = 0; -+ pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support"); -+#endif /* HAVE_INNETGR */ -+ } - else - good &= logic_field(pamh, user, buffer, count, is_same); - D(("with user: %s", good ? "passes":"fails" )); diff --git a/package/linux-pam/0007-rhosts.patch b/package/linux-pam/0007-rhosts.patch deleted file mode 100644 index 58f9adb..0000000 --- a/package/linux-pam/0007-rhosts.patch +++ /dev/null @@ -1,24 +0,0 @@ -Conditionally compile per ruserok availability - -ruserok is not available/functional in uclibc, provide conditions for compilation. - -Signed-off-by: Dmitry Golubovsky - -Index: linux-pam-1.1.4/modules/pam_rhosts/pam_rhosts.c -============================================================================ ---- linux-pam-1.1.4/modules/pam_rhosts/pam_rhosts.c 2011-06-21 05:04:56.000000000 -0400 -+++ linux-pam-1.1.4/modules/pam_rhosts/pam_rhosts.c 2012-08-09 21:19:34.000000000 -0400 -@@ -114,8 +114,12 @@ - #ifdef HAVE_RUSEROK_AF - retval = ruserok_af (rhost, as_root, ruser, luser, PF_UNSPEC); - #else -+ #ifdef HAVE_RUSEROK - retval = ruserok (rhost, as_root, ruser, luser); --#endif -+ #else -+ retval = -1; -+ #endif /* HAVE_RUSEROK */ -+#endif /*HAVE_RUSEROK_AF */ - if (retval != 0) { - if (!opt_silent || opt_debug) - pam_syslog(pamh, LOG_WARNING, "denied access to %s@%s as %s", diff --git a/package/linux-pam/0008-fix-CVE-2014-2583.patch b/package/linux-pam/0008-fix-CVE-2014-2583.patch deleted file mode 100644 index a8b5f7b..0000000 --- a/package/linux-pam/0008-fix-CVE-2014-2583.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001 -From: "Dmitry V. Levin" -Date: Wed, 26 Mar 2014 22:17:23 +0000 -Subject: pam_timestamp: fix potential directory traversal issue (ticket #27) - -pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of -the timestamp pathname it creates, so extra care should be taken to -avoid potential directory traversal issues. - -* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat -"." and ".." tty values as invalid. -(get_ruser): Treat "." and ".." ruser values, as well as any ruser -value containing '/', as invalid. - -Fixes CVE-2014-2583. - -Reported-by: Sebastian Krahmer -Signed-off-by: Gustavo Zacarias - -diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c -index 5193733..b3f08b1 100644 ---- a/modules/pam_timestamp/pam_timestamp.c -+++ b/modules/pam_timestamp/pam_timestamp.c -@@ -158,7 +158,7 @@ check_tty(const char *tty) - tty = strrchr(tty, '/') + 1; - } - /* Make sure the tty wasn't actually a directory (no basename). */ -- if (strlen(tty) == 0) { -+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) { - return NULL; - } - return tty; -@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen) - if (pwd != NULL) { - ruser = pwd->pw_name; - } -+ } else { -+ /* -+ * This ruser is used by format_timestamp_name as a component -+ * of constructed timestamp pathname, so ".", "..", and '/' -+ * are disallowed to avoid potential path traversal issues. -+ */ -+ if (!strcmp(ruser, ".") || -+ !strcmp(ruser, "..") || -+ strchr(ruser, '/')) { -+ ruser = NULL; -+ } - } - if (ruser == NULL || strlen(ruser) >= ruserbuflen) { - *ruserbuf = '\0'; --- -cgit v0.10.2 - diff --git a/package/linux-pam/0009-fix-CVE-2013-7041.patch b/package/linux-pam/0009-fix-CVE-2013-7041.patch deleted file mode 100644 index ed58807..0000000 --- a/package/linux-pam/0009-fix-CVE-2013-7041.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001 -From: "Dmitry V. Levin" -Date: Fri, 24 Jan 2014 22:18:32 +0000 -Subject: pam_userdb: fix password hash comparison - -Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed -passwords support in pam_userdb, hashes are compared case-insensitively. -This bug leads to accepting hashes for completely different passwords in -addition to those that should be accepted. - -Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for -modern password hashes with different lengths and settings, did not -update the hash comparison accordingly, which leads to accepting -computed hashes longer than stored hashes when the latter is a prefix -of the former. - -* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed -hash whose length differs from the stored hash length. -Compare computed and stored hashes case-sensitively. -Fixes CVE-2013-7041. - -Bug-Debian: http://bugs.debian.org/731368 -Signed-off-by: Gustavo Zacarias - -diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c -index de8b5b1..ff040e6 100644 ---- a/modules/pam_userdb/pam_userdb.c -+++ b/modules/pam_userdb/pam_userdb.c -@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, - } else { - cryptpw = crypt (pass, data.dptr); - -- if (cryptpw) { -- compare = strncasecmp (data.dptr, cryptpw, data.dsize); -+ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) { -+ compare = memcmp(data.dptr, cryptpw, data.dsize); - } else { - compare = -2; - if (ctrl & PAM_DEBUG_ARG) { -- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL"); -+ if (cryptpw) -+ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ"); -+ else -+ pam_syslog(pamh, LOG_INFO, "crypt() returned NULL"); - } - }; - --- -cgit v0.10.2 - diff --git a/package/linux-pam/linux-pam.hash b/package/linux-pam/linux-pam.hash index 3f420c2..a6a26d1 100644 --- a/package/linux-pam/linux-pam.hash +++ b/package/linux-pam/linux-pam.hash @@ -1,2 +1,2 @@ # Locally computed hashes, not provided by upstream -sha256 c4b1f23a236d169e2496fea20721578d864ba00f7242d2b41d81050ac87a1e55 Linux-PAM-1.1.8.tar.bz2 +sha256 342b1211c0d3b203a7df2540a5b03a428a087bd8a48c17e49ae268f992b334d9 Linux-PAM-1.2.1.tar.bz2 diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk index 26b627e..cf1b5b7 100644 --- a/package/linux-pam/linux-pam.mk +++ b/package/linux-pam/linux-pam.mk @@ -4,7 +4,7 @@ # ################################################################################ -LINUX_PAM_VERSION = 1.1.8 +LINUX_PAM_VERSION = 1.2.1 LINUX_PAM_SOURCE = Linux-PAM-$(LINUX_PAM_VERSION).tar.bz2 LINUX_PAM_SITE = http://linux-pam.org/library LINUX_PAM_INSTALL_STAGING = YES