From 2bf63505eb7068d9db182b4f8eb3a10e9c06057d Mon Sep 17 00:00:00 2001 From: Brendan Heading Date: Sun, 23 Aug 2015 20:02:58 +0100 Subject: [PATCH] package/linux-pam: bump version to 1.2.1 Move to the latest release of linux-pam. This allows us to remove a number of patches and consolidate the existing ones : - 0001-configure.patch - 0007-rhosts.patch these two patches deal with the ruserok function, which is not usable with uclibc. Consolidated into 0002-Conditionally-compile-per-ruserok-availability.patch. - 0003-group.patch - 0005-succeed.patch - 0006-time.patch these three patches deal with the innetgr function, which is not usable with uclibc. Consolidated into 0003-Conditionally-compile-per-innetgr-availability.patch. - 0004-mkdir.patch Fixed in upstream, no longer required. - 0002-doc-makefile-am.patch renamed to 0001-doc-makefile-am.patch. - 0008-fix-CVE-2014-2583.patch - 0009-fix-CVE-2013-7041.patch These patches are already included in the new release and so can be safely deleted. Signed-off-by: Brendan Heading Tested-by: Carlos Santos Signed-off-by: Thomas Petazzoni --- package/linux-pam/0001-configure.patch | 19 ----- ...le-am.patch => 0001-doc-makefile-am.patch} | 3 + ...lly-compile-per-ruserok-availability.patch | 49 +++++++++++ ...lly-compile-per-innetgr-availability.patch | 84 +++++++++++++++++++ package/linux-pam/0003-group.patch | 26 ------ package/linux-pam/0004-mkdir.patch | 17 ---- package/linux-pam/0005-succeed.patch | 31 ------- package/linux-pam/0006-time.patch | 26 ------ package/linux-pam/0007-rhosts.patch | 24 ------ .../linux-pam/0008-fix-CVE-2014-2583.patch | 53 ------------ .../linux-pam/0009-fix-CVE-2013-7041.patch | 50 ----------- package/linux-pam/linux-pam.hash | 2 +- package/linux-pam/linux-pam.mk | 2 +- 13 files changed, 138 insertions(+), 248 deletions(-) delete mode 100644 package/linux-pam/0001-configure.patch rename package/linux-pam/{0002-doc-makefile-am.patch => 0001-doc-makefile-am.patch} (91%) create mode 100644 package/linux-pam/0002-Conditionally-compile-per-ruserok-availability.patch create mode 100644 package/linux-pam/0003-Conditionally-compile-per-innetgr-availability.patch delete mode 100644 package/linux-pam/0003-group.patch delete mode 100644 package/linux-pam/0004-mkdir.patch delete mode 100644 package/linux-pam/0005-succeed.patch delete mode 100644 package/linux-pam/0006-time.patch delete mode 100644 package/linux-pam/0007-rhosts.patch delete mode 100644 package/linux-pam/0008-fix-CVE-2014-2583.patch delete mode 100644 package/linux-pam/0009-fix-CVE-2013-7041.patch diff --git a/package/linux-pam/0001-configure.patch b/package/linux-pam/0001-configure.patch deleted file mode 100644 index d39261f74e..0000000000 --- a/package/linux-pam/0001-configure.patch +++ /dev/null @@ -1,19 +0,0 @@ -Add check for ruserok - -ruserok is not available/functional in uclibc, provide conditions for compilation -where needed. - -Signed-off-by: Dmitry Golubovsky - -diff -urN a/configure.in b/configure.in ---- a/configure.in 2012-08-17 03:48:24.000000000 -0500 -+++ b/configure.in 2013-07-17 09:49:23.760254684 -0500 -@@ -526,7 +526,7 @@ - AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname) - AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r) - AC_CHECK_FUNCS(getgrouplist getline getdelim) --AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af) -+AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af ruserok) - - AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no]) - AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes]) diff --git a/package/linux-pam/0002-doc-makefile-am.patch b/package/linux-pam/0001-doc-makefile-am.patch similarity index 91% rename from package/linux-pam/0002-doc-makefile-am.patch rename to package/linux-pam/0001-doc-makefile-am.patch index 8fa2dda2fc..ac3ff2b223 100644 --- a/package/linux-pam/0002-doc-makefile-am.patch +++ b/package/linux-pam/0001-doc-makefile-am.patch @@ -3,6 +3,9 @@ Disable generation of documentation Generation of documentation is not necessary in Buildroot, disable it completely. Signed-off-by: Dmitry Golubovsky +Signed-off-by: Brendan Heading + +Upstream-status: inappropriate diff -urN a/doc/Makefile.am b/doc/Makefile.am --- a/doc/Makefile.am 2012-08-15 06:08:43.000000000 -0500 diff --git a/package/linux-pam/0002-Conditionally-compile-per-ruserok-availability.patch b/package/linux-pam/0002-Conditionally-compile-per-ruserok-availability.patch new file mode 100644 index 0000000000..cec642d845 --- /dev/null +++ b/package/linux-pam/0002-Conditionally-compile-per-ruserok-availability.patch @@ -0,0 +1,49 @@ +ruserok is not available/functional in uclibc, provide conditions +for compilation where needed. + +Patch originally by Dmitry Golubovsky - +porting to linux-pam 1.2.1. + +Signed-off-by: Brendan Heading + +Upstream-status: pending + +--- + configure.ac | 2 +- + modules/pam_rhosts/pam_rhosts.c | 6 +++++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 08e4530..fd2fd23 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -542,7 +542,7 @@ AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir selec + AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname) + AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r) + AC_CHECK_FUNCS(getgrouplist getline getdelim) +-AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af) ++AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af ruserok) + + AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no]) + AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes]) +diff --git a/modules/pam_rhosts/pam_rhosts.c b/modules/pam_rhosts/pam_rhosts.c +index bc9e76f..909db29 100644 +--- a/modules/pam_rhosts/pam_rhosts.c ++++ b/modules/pam_rhosts/pam_rhosts.c +@@ -114,8 +114,12 @@ int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, + #ifdef HAVE_RUSEROK_AF + retval = ruserok_af (rhost, as_root, ruser, luser, PF_UNSPEC); + #else ++ #ifdef HAVE_RUSEROK + retval = ruserok (rhost, as_root, ruser, luser); +-#endif ++ #else ++ retval = -1; ++ #endif /* HAVE_RUSEROK */ ++#endif /*HAVE_RUSEROK_AF */ + if (retval != 0) { + if (!opt_silent || opt_debug) + pam_syslog(pamh, LOG_WARNING, "denied access to %s@%s as %s", +-- +2.4.3 + diff --git a/package/linux-pam/0003-Conditionally-compile-per-innetgr-availability.patch b/package/linux-pam/0003-Conditionally-compile-per-innetgr-availability.patch new file mode 100644 index 0000000000..4b516fa986 --- /dev/null +++ b/package/linux-pam/0003-Conditionally-compile-per-innetgr-availability.patch @@ -0,0 +1,84 @@ +innetgr is not available/functional in uclibc, provide conditions for +compilation. + +Patch originally by Dmitry Golubovsky - porting +to linux-pam 1.2.1. + +Signed-off-by: Brendan Heading + +Upstream-status: pending + +--- + modules/pam_group/pam_group.c | 8 +++++++- + modules/pam_succeed_if/pam_succeed_if.c | 4 ++++ + modules/pam_time/pam_time.c | 8 +++++++- + 3 files changed, 18 insertions(+), 2 deletions(-) + +diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c +index be5f20f..0982de8 100644 +--- a/modules/pam_group/pam_group.c ++++ b/modules/pam_group/pam_group.c +@@ -655,8 +655,14 @@ static int check_account(pam_handle_t *pamh, const char *service, + continue; + } + /* If buffer starts with @, we are using netgroups */ +- if (buffer[0] == '@') ++ if (buffer[0] == '@') { ++#ifdef HAVE_INNETGR + good &= innetgr (&buffer[1], NULL, user, NULL); ++#else ++ good = 0; ++ pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support"); ++#endif /* HAVE_INNETGR */ ++ } + /* otherwise, if the buffer starts with %, it's a UNIX group */ + else if (buffer[0] == '%') + good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]); +diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c +index aa828fc..c09d669 100644 +--- a/modules/pam_succeed_if/pam_succeed_if.c ++++ b/modules/pam_succeed_if/pam_succeed_if.c +@@ -233,16 +233,20 @@ evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group) + static int + evaluate_innetgr(const char *host, const char *user, const char *group) + { ++#ifdef HAVE_INNETGR + if (innetgr(group, host, user, NULL) == 1) + return PAM_SUCCESS; ++#endif /* HAVE_INNETGR */ + return PAM_AUTH_ERR; + } + /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */ + static int + evaluate_notinnetgr(const char *host, const char *user, const char *group) + { ++#ifdef HAVE_INNETGR + if (innetgr(group, host, user, NULL) == 0) + return PAM_SUCCESS; ++#endif /* HAVE_INNETGR */ + return PAM_AUTH_ERR; + } + +diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c +index c94737c..4898fd2 100644 +--- a/modules/pam_time/pam_time.c ++++ b/modules/pam_time/pam_time.c +@@ -554,8 +554,14 @@ check_account(pam_handle_t *pamh, const char *service, + continue; + } + /* If buffer starts with @, we are using netgroups */ +- if (buffer[0] == '@') ++ if (buffer[0] == '@') { ++#ifdef HAVE_INNETGR + good &= innetgr (&buffer[1], NULL, user, NULL); ++#else ++ good = 0; ++ pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support"); ++#endif /* HAVE_INNETGR */ ++ } + else + good &= logic_field(pamh, user, buffer, count, is_same); + D(("with user: %s", good ? "passes":"fails" )); +-- +2.4.3 + diff --git a/package/linux-pam/0003-group.patch b/package/linux-pam/0003-group.patch deleted file mode 100644 index a94cf9e3db..0000000000 --- a/package/linux-pam/0003-group.patch +++ /dev/null @@ -1,26 +0,0 @@ -Conditionally compile per innetgr availability - -innetgr is not available/functional in uclibc, provide conditions for compilation. - -Signed-off-by: Dmitry Golubovsky - -Index: linux-pam-1.1.4/modules/pam_group/pam_group.c -============================================================================ ---- linux-pam-1.1.4/modules/pam_group/pam_group.c 2011-06-21 05:04:56.000000000 -0400 -+++ linux-pam-1.1.4/modules/pam_group/pam_group.c 2012-08-09 21:35:06.000000000 -0400 -@@ -655,8 +655,14 @@ - continue; - } - /* If buffer starts with @, we are using netgroups */ -- if (buffer[0] == '@') -+ if (buffer[0] == '@') { -+#ifdef HAVE_INNETGR - good &= innetgr (&buffer[1], NULL, user, NULL); -+#else -+ good = 0; -+ pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support"); -+#endif /* HAVE_INNETGR */ -+ } - /* otherwise, if the buffer starts with %, it's a UNIX group */ - else if (buffer[0] == '%') - good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]); diff --git a/package/linux-pam/0004-mkdir.patch b/package/linux-pam/0004-mkdir.patch deleted file mode 100644 index 00056daf3d..0000000000 --- a/package/linux-pam/0004-mkdir.patch +++ /dev/null @@ -1,17 +0,0 @@ -$(mkdir_p) is obsolete for newer automake, use $(MKDIR_P) instead. -Upstream should really gettextize with a newer version before packing up. - -Signed-off-by: Gustavo Zacarias - -diff -Nura Linux-PAM-1.1.7.orig/po/Makefile.in.in Linux-PAM-1.1.7/po/Makefile.in.in ---- Linux-PAM-1.1.7.orig/po/Makefile.in.in 2013-09-11 20:45:16.610770002 -0300 -+++ Linux-PAM-1.1.7/po/Makefile.in.in 2013-09-11 20:45:28.030145316 -0300 -@@ -31,7 +31,7 @@ - INSTALL = @INSTALL@ - INSTALL_DATA = @INSTALL_DATA@ - mkinstalldirs = $(SHELL) @install_sh@ -d --mkdir_p = @mkdir_p@ -+mkdir_p = @MKDIR_P@ - - GMSGFMT_ = @GMSGFMT@ - GMSGFMT_no = @GMSGFMT@ diff --git a/package/linux-pam/0005-succeed.patch b/package/linux-pam/0005-succeed.patch deleted file mode 100644 index 8a675efa20..0000000000 --- a/package/linux-pam/0005-succeed.patch +++ /dev/null @@ -1,31 +0,0 @@ -Conditionally compile per innetgr availability - -innetgr is not available/functional in uclibc, provide conditions for compilation. - -Signed-off-by: Dmitry Golubovsky - -Index: linux-pam-1.1.4/modules/pam_succeed_if/pam_succeed_if.c -============================================================================ ---- linux-pam-1.1.4/modules/pam_succeed_if/pam_succeed_if.c 2011-06-21 05:04:56.000000000 -0400 -+++ linux-pam-1.1.4/modules/pam_succeed_if/pam_succeed_if.c 2012-08-09 21:05:02.000000000 -0400 -@@ -233,16 +233,20 @@ - static int - evaluate_innetgr(const char *host, const char *user, const char *group) - { -+#ifdef HAVE_INNETGR - if (innetgr(group, host, user, NULL) == 1) - return PAM_SUCCESS; -+#endif /* HAVE_INNETGR */ - return PAM_AUTH_ERR; - } - /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */ - static int - evaluate_notinnetgr(const char *host, const char *user, const char *group) - { -+#ifdef HAVE_INNETGR - if (innetgr(group, host, user, NULL) == 0) - return PAM_SUCCESS; -+#endif /* HAVE_INNETGR */ - return PAM_AUTH_ERR; - } - diff --git a/package/linux-pam/0006-time.patch b/package/linux-pam/0006-time.patch deleted file mode 100644 index 58d7c9f024..0000000000 --- a/package/linux-pam/0006-time.patch +++ /dev/null @@ -1,26 +0,0 @@ -Conditionally compile per innetgr availability - -innetgr is not available/functional in uclibc, provide conditions for compilation. - -Signed-off-by: Dmitry Golubovsky - -Index: linux-pam-1.1.4/modules/pam_time/pam_time.c -============================================================================ ---- linux-pam-1.1.4/modules/pam_time/pam_time.c 2011-06-21 05:04:56.000000000 -0400 -+++ linux-pam-1.1.4/modules/pam_time/pam_time.c 2012-08-09 21:02:29.000000000 -0400 -@@ -554,8 +554,14 @@ - continue; - } - /* If buffer starts with @, we are using netgroups */ -- if (buffer[0] == '@') -+ if (buffer[0] == '@') { -+#ifdef HAVE_INNETGR - good &= innetgr (&buffer[1], NULL, user, NULL); -+#else -+ good = 0; -+ pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support"); -+#endif /* HAVE_INNETGR */ -+ } - else - good &= logic_field(pamh, user, buffer, count, is_same); - D(("with user: %s", good ? "passes":"fails" )); diff --git a/package/linux-pam/0007-rhosts.patch b/package/linux-pam/0007-rhosts.patch deleted file mode 100644 index 58f9adbb1a..0000000000 --- a/package/linux-pam/0007-rhosts.patch +++ /dev/null @@ -1,24 +0,0 @@ -Conditionally compile per ruserok availability - -ruserok is not available/functional in uclibc, provide conditions for compilation. - -Signed-off-by: Dmitry Golubovsky - -Index: linux-pam-1.1.4/modules/pam_rhosts/pam_rhosts.c -============================================================================ ---- linux-pam-1.1.4/modules/pam_rhosts/pam_rhosts.c 2011-06-21 05:04:56.000000000 -0400 -+++ linux-pam-1.1.4/modules/pam_rhosts/pam_rhosts.c 2012-08-09 21:19:34.000000000 -0400 -@@ -114,8 +114,12 @@ - #ifdef HAVE_RUSEROK_AF - retval = ruserok_af (rhost, as_root, ruser, luser, PF_UNSPEC); - #else -+ #ifdef HAVE_RUSEROK - retval = ruserok (rhost, as_root, ruser, luser); --#endif -+ #else -+ retval = -1; -+ #endif /* HAVE_RUSEROK */ -+#endif /*HAVE_RUSEROK_AF */ - if (retval != 0) { - if (!opt_silent || opt_debug) - pam_syslog(pamh, LOG_WARNING, "denied access to %s@%s as %s", diff --git a/package/linux-pam/0008-fix-CVE-2014-2583.patch b/package/linux-pam/0008-fix-CVE-2014-2583.patch deleted file mode 100644 index a8b5f7bb71..0000000000 --- a/package/linux-pam/0008-fix-CVE-2014-2583.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001 -From: "Dmitry V. Levin" -Date: Wed, 26 Mar 2014 22:17:23 +0000 -Subject: pam_timestamp: fix potential directory traversal issue (ticket #27) - -pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of -the timestamp pathname it creates, so extra care should be taken to -avoid potential directory traversal issues. - -* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat -"." and ".." tty values as invalid. -(get_ruser): Treat "." and ".." ruser values, as well as any ruser -value containing '/', as invalid. - -Fixes CVE-2014-2583. - -Reported-by: Sebastian Krahmer -Signed-off-by: Gustavo Zacarias - -diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c -index 5193733..b3f08b1 100644 ---- a/modules/pam_timestamp/pam_timestamp.c -+++ b/modules/pam_timestamp/pam_timestamp.c -@@ -158,7 +158,7 @@ check_tty(const char *tty) - tty = strrchr(tty, '/') + 1; - } - /* Make sure the tty wasn't actually a directory (no basename). */ -- if (strlen(tty) == 0) { -+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) { - return NULL; - } - return tty; -@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen) - if (pwd != NULL) { - ruser = pwd->pw_name; - } -+ } else { -+ /* -+ * This ruser is used by format_timestamp_name as a component -+ * of constructed timestamp pathname, so ".", "..", and '/' -+ * are disallowed to avoid potential path traversal issues. -+ */ -+ if (!strcmp(ruser, ".") || -+ !strcmp(ruser, "..") || -+ strchr(ruser, '/')) { -+ ruser = NULL; -+ } - } - if (ruser == NULL || strlen(ruser) >= ruserbuflen) { - *ruserbuf = '\0'; --- -cgit v0.10.2 - diff --git a/package/linux-pam/0009-fix-CVE-2013-7041.patch b/package/linux-pam/0009-fix-CVE-2013-7041.patch deleted file mode 100644 index ed58807356..0000000000 --- a/package/linux-pam/0009-fix-CVE-2013-7041.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001 -From: "Dmitry V. Levin" -Date: Fri, 24 Jan 2014 22:18:32 +0000 -Subject: pam_userdb: fix password hash comparison - -Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed -passwords support in pam_userdb, hashes are compared case-insensitively. -This bug leads to accepting hashes for completely different passwords in -addition to those that should be accepted. - -Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for -modern password hashes with different lengths and settings, did not -update the hash comparison accordingly, which leads to accepting -computed hashes longer than stored hashes when the latter is a prefix -of the former. - -* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed -hash whose length differs from the stored hash length. -Compare computed and stored hashes case-sensitively. -Fixes CVE-2013-7041. - -Bug-Debian: http://bugs.debian.org/731368 -Signed-off-by: Gustavo Zacarias - -diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c -index de8b5b1..ff040e6 100644 ---- a/modules/pam_userdb/pam_userdb.c -+++ b/modules/pam_userdb/pam_userdb.c -@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, - } else { - cryptpw = crypt (pass, data.dptr); - -- if (cryptpw) { -- compare = strncasecmp (data.dptr, cryptpw, data.dsize); -+ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) { -+ compare = memcmp(data.dptr, cryptpw, data.dsize); - } else { - compare = -2; - if (ctrl & PAM_DEBUG_ARG) { -- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL"); -+ if (cryptpw) -+ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ"); -+ else -+ pam_syslog(pamh, LOG_INFO, "crypt() returned NULL"); - } - }; - --- -cgit v0.10.2 - diff --git a/package/linux-pam/linux-pam.hash b/package/linux-pam/linux-pam.hash index 3f420c2ba0..a6a26d1997 100644 --- a/package/linux-pam/linux-pam.hash +++ b/package/linux-pam/linux-pam.hash @@ -1,2 +1,2 @@ # Locally computed hashes, not provided by upstream -sha256 c4b1f23a236d169e2496fea20721578d864ba00f7242d2b41d81050ac87a1e55 Linux-PAM-1.1.8.tar.bz2 +sha256 342b1211c0d3b203a7df2540a5b03a428a087bd8a48c17e49ae268f992b334d9 Linux-PAM-1.2.1.tar.bz2 diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk index 26b627e7f5..cf1b5b7b11 100644 --- a/package/linux-pam/linux-pam.mk +++ b/package/linux-pam/linux-pam.mk @@ -4,7 +4,7 @@ # ################################################################################ -LINUX_PAM_VERSION = 1.1.8 +LINUX_PAM_VERSION = 1.2.1 LINUX_PAM_SOURCE = Linux-PAM-$(LINUX_PAM_VERSION).tar.bz2 LINUX_PAM_SITE = http://linux-pam.org/library LINUX_PAM_INSTALL_STAGING = YES -- 2.30.2