package/linux-pam: bump version to 1.2.1
Move to the latest release of linux-pam. This allows us to remove a number of patches and consolidate the existing ones : - 0001-configure.patch - 0007-rhosts.patch these two patches deal with the ruserok function, which is not usable with uclibc. Consolidated into 0002-Conditionally-compile-per-ruserok-availability.patch. - 0003-group.patch - 0005-succeed.patch - 0006-time.patch these three patches deal with the innetgr function, which is not usable with uclibc. Consolidated into 0003-Conditionally-compile-per-innetgr-availability.patch. - 0004-mkdir.patch Fixed in upstream, no longer required. - 0002-doc-makefile-am.patch renamed to 0001-doc-makefile-am.patch. - 0008-fix-CVE-2014-2583.patch - 0009-fix-CVE-2013-7041.patch These patches are already included in the new release and so can be safely deleted. Signed-off-by: Brendan Heading <brendanheading@gmail.com> Tested-by: Carlos Santos <casantos@datacom.ind.br> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit is contained in:
parent
80470c9f1a
commit
2bf63505eb
@ -1,19 +0,0 @@
|
||||
Add check for ruserok
|
||||
|
||||
ruserok is not available/functional in uclibc, provide conditions for compilation
|
||||
where needed.
|
||||
|
||||
Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
|
||||
|
||||
diff -urN a/configure.in b/configure.in
|
||||
--- a/configure.in 2012-08-17 03:48:24.000000000 -0500
|
||||
+++ b/configure.in 2013-07-17 09:49:23.760254684 -0500
|
||||
@@ -526,7 +526,7 @@
|
||||
AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
|
||||
AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
|
||||
AC_CHECK_FUNCS(getgrouplist getline getdelim)
|
||||
-AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af)
|
||||
+AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af ruserok)
|
||||
|
||||
AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
|
||||
AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
|
@ -3,6 +3,9 @@ Disable generation of documentation
|
||||
Generation of documentation is not necessary in Buildroot, disable it completely.
|
||||
|
||||
Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
|
||||
Signed-off-by: Brendan Heading <brendanheading@gmail.com>
|
||||
|
||||
Upstream-status: inappropriate
|
||||
|
||||
diff -urN a/doc/Makefile.am b/doc/Makefile.am
|
||||
--- a/doc/Makefile.am 2012-08-15 06:08:43.000000000 -0500
|
@ -0,0 +1,49 @@
|
||||
ruserok is not available/functional in uclibc, provide conditions
|
||||
for compilation where needed.
|
||||
|
||||
Patch originally by Dmitry Golubovsky <golubovsky@gmail.com> -
|
||||
porting to linux-pam 1.2.1.
|
||||
|
||||
Signed-off-by: Brendan Heading <brendanheading@gmail.com>
|
||||
|
||||
Upstream-status: pending
|
||||
|
||||
---
|
||||
configure.ac | 2 +-
|
||||
modules/pam_rhosts/pam_rhosts.c | 6 +++++-
|
||||
2 files changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 08e4530..fd2fd23 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -542,7 +542,7 @@ AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir selec
|
||||
AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
|
||||
AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
|
||||
AC_CHECK_FUNCS(getgrouplist getline getdelim)
|
||||
-AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af)
|
||||
+AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af ruserok)
|
||||
|
||||
AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
|
||||
AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
|
||||
diff --git a/modules/pam_rhosts/pam_rhosts.c b/modules/pam_rhosts/pam_rhosts.c
|
||||
index bc9e76f..909db29 100644
|
||||
--- a/modules/pam_rhosts/pam_rhosts.c
|
||||
+++ b/modules/pam_rhosts/pam_rhosts.c
|
||||
@@ -114,8 +114,12 @@ int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc,
|
||||
#ifdef HAVE_RUSEROK_AF
|
||||
retval = ruserok_af (rhost, as_root, ruser, luser, PF_UNSPEC);
|
||||
#else
|
||||
+ #ifdef HAVE_RUSEROK
|
||||
retval = ruserok (rhost, as_root, ruser, luser);
|
||||
-#endif
|
||||
+ #else
|
||||
+ retval = -1;
|
||||
+ #endif /* HAVE_RUSEROK */
|
||||
+#endif /*HAVE_RUSEROK_AF */
|
||||
if (retval != 0) {
|
||||
if (!opt_silent || opt_debug)
|
||||
pam_syslog(pamh, LOG_WARNING, "denied access to %s@%s as %s",
|
||||
--
|
||||
2.4.3
|
||||
|
@ -0,0 +1,84 @@
|
||||
innetgr is not available/functional in uclibc, provide conditions for
|
||||
compilation.
|
||||
|
||||
Patch originally by Dmitry Golubovsky <golubovsky@gmail.com> - porting
|
||||
to linux-pam 1.2.1.
|
||||
|
||||
Signed-off-by: Brendan Heading <brendanheading@gmail.com>
|
||||
|
||||
Upstream-status: pending
|
||||
|
||||
---
|
||||
modules/pam_group/pam_group.c | 8 +++++++-
|
||||
modules/pam_succeed_if/pam_succeed_if.c | 4 ++++
|
||||
modules/pam_time/pam_time.c | 8 +++++++-
|
||||
3 files changed, 18 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c
|
||||
index be5f20f..0982de8 100644
|
||||
--- a/modules/pam_group/pam_group.c
|
||||
+++ b/modules/pam_group/pam_group.c
|
||||
@@ -655,8 +655,14 @@ static int check_account(pam_handle_t *pamh, const char *service,
|
||||
continue;
|
||||
}
|
||||
/* If buffer starts with @, we are using netgroups */
|
||||
- if (buffer[0] == '@')
|
||||
+ if (buffer[0] == '@') {
|
||||
+#ifdef HAVE_INNETGR
|
||||
good &= innetgr (&buffer[1], NULL, user, NULL);
|
||||
+#else
|
||||
+ good = 0;
|
||||
+ pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support");
|
||||
+#endif /* HAVE_INNETGR */
|
||||
+ }
|
||||
/* otherwise, if the buffer starts with %, it's a UNIX group */
|
||||
else if (buffer[0] == '%')
|
||||
good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]);
|
||||
diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c
|
||||
index aa828fc..c09d669 100644
|
||||
--- a/modules/pam_succeed_if/pam_succeed_if.c
|
||||
+++ b/modules/pam_succeed_if/pam_succeed_if.c
|
||||
@@ -233,16 +233,20 @@ evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group)
|
||||
static int
|
||||
evaluate_innetgr(const char *host, const char *user, const char *group)
|
||||
{
|
||||
+#ifdef HAVE_INNETGR
|
||||
if (innetgr(group, host, user, NULL) == 1)
|
||||
return PAM_SUCCESS;
|
||||
+#endif /* HAVE_INNETGR */
|
||||
return PAM_AUTH_ERR;
|
||||
}
|
||||
/* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
|
||||
static int
|
||||
evaluate_notinnetgr(const char *host, const char *user, const char *group)
|
||||
{
|
||||
+#ifdef HAVE_INNETGR
|
||||
if (innetgr(group, host, user, NULL) == 0)
|
||||
return PAM_SUCCESS;
|
||||
+#endif /* HAVE_INNETGR */
|
||||
return PAM_AUTH_ERR;
|
||||
}
|
||||
|
||||
diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c
|
||||
index c94737c..4898fd2 100644
|
||||
--- a/modules/pam_time/pam_time.c
|
||||
+++ b/modules/pam_time/pam_time.c
|
||||
@@ -554,8 +554,14 @@ check_account(pam_handle_t *pamh, const char *service,
|
||||
continue;
|
||||
}
|
||||
/* If buffer starts with @, we are using netgroups */
|
||||
- if (buffer[0] == '@')
|
||||
+ if (buffer[0] == '@') {
|
||||
+#ifdef HAVE_INNETGR
|
||||
good &= innetgr (&buffer[1], NULL, user, NULL);
|
||||
+#else
|
||||
+ good = 0;
|
||||
+ pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support");
|
||||
+#endif /* HAVE_INNETGR */
|
||||
+ }
|
||||
else
|
||||
good &= logic_field(pamh, user, buffer, count, is_same);
|
||||
D(("with user: %s", good ? "passes":"fails" ));
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,26 +0,0 @@
|
||||
Conditionally compile per innetgr availability
|
||||
|
||||
innetgr is not available/functional in uclibc, provide conditions for compilation.
|
||||
|
||||
Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
|
||||
|
||||
Index: linux-pam-1.1.4/modules/pam_group/pam_group.c
|
||||
============================================================================
|
||||
--- linux-pam-1.1.4/modules/pam_group/pam_group.c 2011-06-21 05:04:56.000000000 -0400
|
||||
+++ linux-pam-1.1.4/modules/pam_group/pam_group.c 2012-08-09 21:35:06.000000000 -0400
|
||||
@@ -655,8 +655,14 @@
|
||||
continue;
|
||||
}
|
||||
/* If buffer starts with @, we are using netgroups */
|
||||
- if (buffer[0] == '@')
|
||||
+ if (buffer[0] == '@') {
|
||||
+#ifdef HAVE_INNETGR
|
||||
good &= innetgr (&buffer[1], NULL, user, NULL);
|
||||
+#else
|
||||
+ good = 0;
|
||||
+ pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support");
|
||||
+#endif /* HAVE_INNETGR */
|
||||
+ }
|
||||
/* otherwise, if the buffer starts with %, it's a UNIX group */
|
||||
else if (buffer[0] == '%')
|
||||
good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]);
|
@ -1,17 +0,0 @@
|
||||
$(mkdir_p) is obsolete for newer automake, use $(MKDIR_P) instead.
|
||||
Upstream should really gettextize with a newer version before packing up.
|
||||
|
||||
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
|
||||
|
||||
diff -Nura Linux-PAM-1.1.7.orig/po/Makefile.in.in Linux-PAM-1.1.7/po/Makefile.in.in
|
||||
--- Linux-PAM-1.1.7.orig/po/Makefile.in.in 2013-09-11 20:45:16.610770002 -0300
|
||||
+++ Linux-PAM-1.1.7/po/Makefile.in.in 2013-09-11 20:45:28.030145316 -0300
|
||||
@@ -31,7 +31,7 @@
|
||||
INSTALL = @INSTALL@
|
||||
INSTALL_DATA = @INSTALL_DATA@
|
||||
mkinstalldirs = $(SHELL) @install_sh@ -d
|
||||
-mkdir_p = @mkdir_p@
|
||||
+mkdir_p = @MKDIR_P@
|
||||
|
||||
GMSGFMT_ = @GMSGFMT@
|
||||
GMSGFMT_no = @GMSGFMT@
|
@ -1,31 +0,0 @@
|
||||
Conditionally compile per innetgr availability
|
||||
|
||||
innetgr is not available/functional in uclibc, provide conditions for compilation.
|
||||
|
||||
Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
|
||||
|
||||
Index: linux-pam-1.1.4/modules/pam_succeed_if/pam_succeed_if.c
|
||||
============================================================================
|
||||
--- linux-pam-1.1.4/modules/pam_succeed_if/pam_succeed_if.c 2011-06-21 05:04:56.000000000 -0400
|
||||
+++ linux-pam-1.1.4/modules/pam_succeed_if/pam_succeed_if.c 2012-08-09 21:05:02.000000000 -0400
|
||||
@@ -233,16 +233,20 @@
|
||||
static int
|
||||
evaluate_innetgr(const char *host, const char *user, const char *group)
|
||||
{
|
||||
+#ifdef HAVE_INNETGR
|
||||
if (innetgr(group, host, user, NULL) == 1)
|
||||
return PAM_SUCCESS;
|
||||
+#endif /* HAVE_INNETGR */
|
||||
return PAM_AUTH_ERR;
|
||||
}
|
||||
/* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
|
||||
static int
|
||||
evaluate_notinnetgr(const char *host, const char *user, const char *group)
|
||||
{
|
||||
+#ifdef HAVE_INNETGR
|
||||
if (innetgr(group, host, user, NULL) == 0)
|
||||
return PAM_SUCCESS;
|
||||
+#endif /* HAVE_INNETGR */
|
||||
return PAM_AUTH_ERR;
|
||||
}
|
||||
|
@ -1,26 +0,0 @@
|
||||
Conditionally compile per innetgr availability
|
||||
|
||||
innetgr is not available/functional in uclibc, provide conditions for compilation.
|
||||
|
||||
Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
|
||||
|
||||
Index: linux-pam-1.1.4/modules/pam_time/pam_time.c
|
||||
============================================================================
|
||||
--- linux-pam-1.1.4/modules/pam_time/pam_time.c 2011-06-21 05:04:56.000000000 -0400
|
||||
+++ linux-pam-1.1.4/modules/pam_time/pam_time.c 2012-08-09 21:02:29.000000000 -0400
|
||||
@@ -554,8 +554,14 @@
|
||||
continue;
|
||||
}
|
||||
/* If buffer starts with @, we are using netgroups */
|
||||
- if (buffer[0] == '@')
|
||||
+ if (buffer[0] == '@') {
|
||||
+#ifdef HAVE_INNETGR
|
||||
good &= innetgr (&buffer[1], NULL, user, NULL);
|
||||
+#else
|
||||
+ good = 0;
|
||||
+ pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support");
|
||||
+#endif /* HAVE_INNETGR */
|
||||
+ }
|
||||
else
|
||||
good &= logic_field(pamh, user, buffer, count, is_same);
|
||||
D(("with user: %s", good ? "passes":"fails" ));
|
@ -1,24 +0,0 @@
|
||||
Conditionally compile per ruserok availability
|
||||
|
||||
ruserok is not available/functional in uclibc, provide conditions for compilation.
|
||||
|
||||
Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
|
||||
|
||||
Index: linux-pam-1.1.4/modules/pam_rhosts/pam_rhosts.c
|
||||
============================================================================
|
||||
--- linux-pam-1.1.4/modules/pam_rhosts/pam_rhosts.c 2011-06-21 05:04:56.000000000 -0400
|
||||
+++ linux-pam-1.1.4/modules/pam_rhosts/pam_rhosts.c 2012-08-09 21:19:34.000000000 -0400
|
||||
@@ -114,8 +114,12 @@
|
||||
#ifdef HAVE_RUSEROK_AF
|
||||
retval = ruserok_af (rhost, as_root, ruser, luser, PF_UNSPEC);
|
||||
#else
|
||||
+ #ifdef HAVE_RUSEROK
|
||||
retval = ruserok (rhost, as_root, ruser, luser);
|
||||
-#endif
|
||||
+ #else
|
||||
+ retval = -1;
|
||||
+ #endif /* HAVE_RUSEROK */
|
||||
+#endif /*HAVE_RUSEROK_AF */
|
||||
if (retval != 0) {
|
||||
if (!opt_silent || opt_debug)
|
||||
pam_syslog(pamh, LOG_WARNING, "denied access to %s@%s as %s",
|
@ -1,53 +0,0 @@
|
||||
From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
|
||||
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
||||
Date: Wed, 26 Mar 2014 22:17:23 +0000
|
||||
Subject: pam_timestamp: fix potential directory traversal issue (ticket #27)
|
||||
|
||||
pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
|
||||
the timestamp pathname it creates, so extra care should be taken to
|
||||
avoid potential directory traversal issues.
|
||||
|
||||
* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
|
||||
"." and ".." tty values as invalid.
|
||||
(get_ruser): Treat "." and ".." ruser values, as well as any ruser
|
||||
value containing '/', as invalid.
|
||||
|
||||
Fixes CVE-2014-2583.
|
||||
|
||||
Reported-by: Sebastian Krahmer <krahmer@suse.de>
|
||||
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
|
||||
|
||||
diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
|
||||
index 5193733..b3f08b1 100644
|
||||
--- a/modules/pam_timestamp/pam_timestamp.c
|
||||
+++ b/modules/pam_timestamp/pam_timestamp.c
|
||||
@@ -158,7 +158,7 @@ check_tty(const char *tty)
|
||||
tty = strrchr(tty, '/') + 1;
|
||||
}
|
||||
/* Make sure the tty wasn't actually a directory (no basename). */
|
||||
- if (strlen(tty) == 0) {
|
||||
+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
|
||||
return NULL;
|
||||
}
|
||||
return tty;
|
||||
@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
|
||||
if (pwd != NULL) {
|
||||
ruser = pwd->pw_name;
|
||||
}
|
||||
+ } else {
|
||||
+ /*
|
||||
+ * This ruser is used by format_timestamp_name as a component
|
||||
+ * of constructed timestamp pathname, so ".", "..", and '/'
|
||||
+ * are disallowed to avoid potential path traversal issues.
|
||||
+ */
|
||||
+ if (!strcmp(ruser, ".") ||
|
||||
+ !strcmp(ruser, "..") ||
|
||||
+ strchr(ruser, '/')) {
|
||||
+ ruser = NULL;
|
||||
+ }
|
||||
}
|
||||
if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
|
||||
*ruserbuf = '\0';
|
||||
--
|
||||
cgit v0.10.2
|
||||
|
@ -1,50 +0,0 @@
|
||||
From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001
|
||||
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
||||
Date: Fri, 24 Jan 2014 22:18:32 +0000
|
||||
Subject: pam_userdb: fix password hash comparison
|
||||
|
||||
Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
|
||||
passwords support in pam_userdb, hashes are compared case-insensitively.
|
||||
This bug leads to accepting hashes for completely different passwords in
|
||||
addition to those that should be accepted.
|
||||
|
||||
Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
|
||||
modern password hashes with different lengths and settings, did not
|
||||
update the hash comparison accordingly, which leads to accepting
|
||||
computed hashes longer than stored hashes when the latter is a prefix
|
||||
of the former.
|
||||
|
||||
* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
|
||||
hash whose length differs from the stored hash length.
|
||||
Compare computed and stored hashes case-sensitively.
|
||||
Fixes CVE-2013-7041.
|
||||
|
||||
Bug-Debian: http://bugs.debian.org/731368
|
||||
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
|
||||
|
||||
diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
|
||||
index de8b5b1..ff040e6 100644
|
||||
--- a/modules/pam_userdb/pam_userdb.c
|
||||
+++ b/modules/pam_userdb/pam_userdb.c
|
||||
@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
|
||||
} else {
|
||||
cryptpw = crypt (pass, data.dptr);
|
||||
|
||||
- if (cryptpw) {
|
||||
- compare = strncasecmp (data.dptr, cryptpw, data.dsize);
|
||||
+ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
|
||||
+ compare = memcmp(data.dptr, cryptpw, data.dsize);
|
||||
} else {
|
||||
compare = -2;
|
||||
if (ctrl & PAM_DEBUG_ARG) {
|
||||
- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
|
||||
+ if (cryptpw)
|
||||
+ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
|
||||
+ else
|
||||
+ pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
|
||||
}
|
||||
};
|
||||
|
||||
--
|
||||
cgit v0.10.2
|
||||
|
@ -1,2 +1,2 @@
|
||||
# Locally computed hashes, not provided by upstream
|
||||
sha256 c4b1f23a236d169e2496fea20721578d864ba00f7242d2b41d81050ac87a1e55 Linux-PAM-1.1.8.tar.bz2
|
||||
sha256 342b1211c0d3b203a7df2540a5b03a428a087bd8a48c17e49ae268f992b334d9 Linux-PAM-1.2.1.tar.bz2
|
||||
|
@ -4,7 +4,7 @@
|
||||
#
|
||||
################################################################################
|
||||
|
||||
LINUX_PAM_VERSION = 1.1.8
|
||||
LINUX_PAM_VERSION = 1.2.1
|
||||
LINUX_PAM_SOURCE = Linux-PAM-$(LINUX_PAM_VERSION).tar.bz2
|
||||
LINUX_PAM_SITE = http://linux-pam.org/library
|
||||
LINUX_PAM_INSTALL_STAGING = YES
|
||||
|
Loading…
Reference in New Issue
Block a user