package/linux-pam: bump version to 1.2.1

Move to the latest release of linux-pam. This allows us to remove
a number of patches and consolidate the existing ones:

- 0001-configure.patch
- 0007-rhosts.patch

these two patches deal with the ruserok function, which is not
usable with uclibc. Consolidated into
0002-Conditionally-compile-per-ruserok-availability.patch.

- 0003-group.patch
- 0005-succeed.patch
- 0006-time.patch

these three patches deal with the innetgr function, which is not
usable with uclibc. Consolidated into
0003-Conditionally-compile-per-innetgr-availability.patch.

- 0004-mkdir.patch

Fixed in upstream, no longer required.

- 0002-doc-makefile-am.patch

renamed to 0001-doc-makefile-am.patch.

- 0008-fix-CVE-2014-2583.patch
- 0009-fix-CVE-2013-7041.patch

These patches are already included in the new release and so
can be safely deleted.

Signed-off-by: Brendan Heading <brendanheading@gmail.com>
Tested-by: Carlos Santos <casantos@datacom.ind.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Brendan Heading 2015-08-23 20:02:58 +01:00 committed by Thomas Petazzoni
parent 80470c9f1a
commit 2bf63505eb
13 changed files with 138 additions and 248 deletions


@ -1,19 +0,0 @@
Add check for ruserok
ruserok is not available/functional in uclibc, provide conditions for compilation
where needed.
Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
diff -urN a/configure.in b/configure.in
--- a/configure.in 2012-08-17 03:48:24.000000000 -0500
+++ b/configure.in 2013-07-17 09:49:23.760254684 -0500
@@ -526,7 +526,7 @@
AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
AC_CHECK_FUNCS(getgrouplist getline getdelim)
-AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af)
+AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af ruserok)
AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])


@ -3,6 +3,9 @@ Disable generation of documentation
Generation of documentation is not necessary in Buildroot, disable it completely.
Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
Signed-off-by: Brendan Heading <brendanheading@gmail.com>
Upstream-status: inappropriate
diff -urN a/doc/Makefile.am b/doc/Makefile.am
--- a/doc/Makefile.am 2012-08-15 06:08:43.000000000 -0500


@ -0,0 +1,49 @@
ruserok is not available/functional in uclibc, provide conditions
for compilation where needed.
Patch originally by Dmitry Golubovsky <golubovsky@gmail.com> -
porting to linux-pam 1.2.1.
Signed-off-by: Brendan Heading <brendanheading@gmail.com>
Upstream-status: pending
---
configure.ac | 2 +-
modules/pam_rhosts/pam_rhosts.c | 6 +++++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index 08e4530..fd2fd23 100644
--- a/configure.ac
+++ b/configure.ac
@@ -542,7 +542,7 @@ AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir selec
AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
AC_CHECK_FUNCS(getgrouplist getline getdelim)
-AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af)
+AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af ruserok)
AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
diff --git a/modules/pam_rhosts/pam_rhosts.c b/modules/pam_rhosts/pam_rhosts.c
index bc9e76f..909db29 100644
--- a/modules/pam_rhosts/pam_rhosts.c
+++ b/modules/pam_rhosts/pam_rhosts.c
@@ -114,8 +114,12 @@ int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc,
#ifdef HAVE_RUSEROK_AF
retval = ruserok_af (rhost, as_root, ruser, luser, PF_UNSPEC);
#else
+ #ifdef HAVE_RUSEROK
retval = ruserok (rhost, as_root, ruser, luser);
-#endif
+ #else
+ retval = -1;
+ #endif /* HAVE_RUSEROK */
+#endif /*HAVE_RUSEROK_AF */
if (retval != 0) {
if (!opt_silent || opt_debug)
pam_syslog(pamh, LOG_WARNING, "denied access to %s@%s as %s",
--
2.4.3
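Review bot: The new `#else` branch in the pam_rhosts.c hunk sets `retval = -1` without saying why, and the only log that follows is the generic `denied access` warning a few lines down, which is gated on `!opt_silent || opt_debug`, so a uclibc build without ruserok() rejects every rhosts login while looking like an ordinary lookup failure. The fail-closed choice is right; make it explicit and visible, as the pam_group/pam_time hunk of the companion innetgr patch does, with `retval = -1; /* no ruserok(): fail closed */` followed by `pam_syslog(pamh, LOG_ERR, "pam_rhosts compiled without ruserok support");`. The inner `#ifdef HAVE_RUSEROK` nest is indented with a leading space while the outer `#ifdef` is not; indent both or neither. pam_sm_authenticate starts before the hunk and continues after it.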


@ -0,0 +1,84 @@
innetgr is not available/functional in uclibc, provide conditions for
compilation.
Patch originally by Dmitry Golubovsky <golubovsky@gmail.com> - porting
to linux-pam 1.2.1.
Signed-off-by: Brendan Heading <brendanheading@gmail.com>
Upstream-status: pending
---
modules/pam_group/pam_group.c | 8 +++++++-
modules/pam_succeed_if/pam_succeed_if.c | 4 ++++
modules/pam_time/pam_time.c | 8 +++++++-
3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c
index be5f20f..0982de8 100644
--- a/modules/pam_group/pam_group.c
+++ b/modules/pam_group/pam_group.c
@@ -655,8 +655,14 @@ static int check_account(pam_handle_t *pamh, const char *service,
continue;
}
/* If buffer starts with @, we are using netgroups */
- if (buffer[0] == '@')
+ if (buffer[0] == '@') {
+#ifdef HAVE_INNETGR
good &= innetgr (&buffer[1], NULL, user, NULL);
+#else
+ good = 0;
+ pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support");
+#endif /* HAVE_INNETGR */
+ }
/* otherwise, if the buffer starts with %, it's a UNIX group */
else if (buffer[0] == '%')
good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]);
diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c
index aa828fc..c09d669 100644
--- a/modules/pam_succeed_if/pam_succeed_if.c
+++ b/modules/pam_succeed_if/pam_succeed_if.c
@@ -233,16 +233,20 @@ evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group)
static int
evaluate_innetgr(const char *host, const char *user, const char *group)
{
+#ifdef HAVE_INNETGR
if (innetgr(group, host, user, NULL) == 1)
return PAM_SUCCESS;
+#endif /* HAVE_INNETGR */
return PAM_AUTH_ERR;
}
/* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
static int
evaluate_notinnetgr(const char *host, const char *user, const char *group)
{
+#ifdef HAVE_INNETGR
if (innetgr(group, host, user, NULL) == 0)
return PAM_SUCCESS;
+#endif /* HAVE_INNETGR */
return PAM_AUTH_ERR;
}
diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c
index c94737c..4898fd2 100644
--- a/modules/pam_time/pam_time.c
+++ b/modules/pam_time/pam_time.c
@@ -554,8 +554,14 @@ check_account(pam_handle_t *pamh, const char *service,
continue;
}
/* If buffer starts with @, we are using netgroups */
- if (buffer[0] == '@')
+ if (buffer[0] == '@') {
+#ifdef HAVE_INNETGR
good &= innetgr (&buffer[1], NULL, user, NULL);
+#else
+ good = 0;
+ pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support");
+#endif /* HAVE_INNETGR */
+ }
else
good &= logic_field(pamh, user, buffer, count, is_same);
D(("with user: %s", good ? "passes":"fails" ));
--
2.4.3
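Review bot: In the pam_succeed_if.c hunk, both `evaluate_innetgr` and `evaluate_notinnetgr` fall through to `return PAM_AUTH_ERR;` when HAVE_INNETGR is undefined, and nothing in the code says that failing the negated predicate as well is intentional; add a comment after each `#endif`, e.g. `/* no innetgr(): membership cannot be checked either way, fail closed */`. Unlike the pam_group.c and pam_time.c hunks, which log at LOG_ERR when a netgroup rule is hit without support, this module stays silent; these helpers take no pamh, so a diagnostic would have to come from their callers, which are outside the hunk. With HAVE_INNETGR undefined, host, user and group are unused in both functions and will warn under -Wunused-parameter; an `#else` branch holding `(void)host; (void)user; (void)group;` would keep the build clean.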


@ -1,26 +0,0 @@
Conditionally compile per innetgr availability
innetgr is not available/functional in uclibc, provide conditions for compilation.
Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
Index: linux-pam-1.1.4/modules/pam_group/pam_group.c
============================================================================
--- linux-pam-1.1.4/modules/pam_group/pam_group.c 2011-06-21 05:04:56.000000000 -0400
+++ linux-pam-1.1.4/modules/pam_group/pam_group.c 2012-08-09 21:35:06.000000000 -0400
@@ -655,8 +655,14 @@
continue;
}
/* If buffer starts with @, we are using netgroups */
- if (buffer[0] == '@')
+ if (buffer[0] == '@') {
+#ifdef HAVE_INNETGR
good &= innetgr (&buffer[1], NULL, user, NULL);
+#else
+ good = 0;
+ pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support");
+#endif /* HAVE_INNETGR */
+ }
/* otherwise, if the buffer starts with %, it's a UNIX group */
else if (buffer[0] == '%')
good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]);


@ -1,17 +0,0 @@
$(mkdir_p) is obsolete for newer automake, use $(MKDIR_P) instead.
Upstream should really gettextize with a newer version before packing up.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
diff -Nura Linux-PAM-1.1.7.orig/po/Makefile.in.in Linux-PAM-1.1.7/po/Makefile.in.in
--- Linux-PAM-1.1.7.orig/po/Makefile.in.in 2013-09-11 20:45:16.610770002 -0300
+++ Linux-PAM-1.1.7/po/Makefile.in.in 2013-09-11 20:45:28.030145316 -0300
@@ -31,7 +31,7 @@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
mkinstalldirs = $(SHELL) @install_sh@ -d
-mkdir_p = @mkdir_p@
+mkdir_p = @MKDIR_P@
GMSGFMT_ = @GMSGFMT@
GMSGFMT_no = @GMSGFMT@


@ -1,31 +0,0 @@
Conditionally compile per innetgr availability
innetgr is not available/functional in uclibc, provide conditions for compilation.
Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
Index: linux-pam-1.1.4/modules/pam_succeed_if/pam_succeed_if.c
============================================================================
--- linux-pam-1.1.4/modules/pam_succeed_if/pam_succeed_if.c 2011-06-21 05:04:56.000000000 -0400
+++ linux-pam-1.1.4/modules/pam_succeed_if/pam_succeed_if.c 2012-08-09 21:05:02.000000000 -0400
@@ -233,16 +233,20 @@
static int
evaluate_innetgr(const char *host, const char *user, const char *group)
{
+#ifdef HAVE_INNETGR
if (innetgr(group, host, user, NULL) == 1)
return PAM_SUCCESS;
+#endif /* HAVE_INNETGR */
return PAM_AUTH_ERR;
}
/* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
static int
evaluate_notinnetgr(const char *host, const char *user, const char *group)
{
+#ifdef HAVE_INNETGR
if (innetgr(group, host, user, NULL) == 0)
return PAM_SUCCESS;
+#endif /* HAVE_INNETGR */
return PAM_AUTH_ERR;
}


@ -1,26 +0,0 @@
Conditionally compile per innetgr availability
innetgr is not available/functional in uclibc, provide conditions for compilation.
Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
Index: linux-pam-1.1.4/modules/pam_time/pam_time.c
============================================================================
--- linux-pam-1.1.4/modules/pam_time/pam_time.c 2011-06-21 05:04:56.000000000 -0400
+++ linux-pam-1.1.4/modules/pam_time/pam_time.c 2012-08-09 21:02:29.000000000 -0400
@@ -554,8 +554,14 @@
continue;
}
/* If buffer starts with @, we are using netgroups */
- if (buffer[0] == '@')
+ if (buffer[0] == '@') {
+#ifdef HAVE_INNETGR
good &= innetgr (&buffer[1], NULL, user, NULL);
+#else
+ good = 0;
+ pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support");
+#endif /* HAVE_INNETGR */
+ }
else
good &= logic_field(pamh, user, buffer, count, is_same);
D(("with user: %s", good ? "passes":"fails" ));


@ -1,24 +0,0 @@
Conditionally compile per ruserok availability
ruserok is not available/functional in uclibc, provide conditions for compilation.
Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
Index: linux-pam-1.1.4/modules/pam_rhosts/pam_rhosts.c
============================================================================
--- linux-pam-1.1.4/modules/pam_rhosts/pam_rhosts.c 2011-06-21 05:04:56.000000000 -0400
+++ linux-pam-1.1.4/modules/pam_rhosts/pam_rhosts.c 2012-08-09 21:19:34.000000000 -0400
@@ -114,8 +114,12 @@
#ifdef HAVE_RUSEROK_AF
retval = ruserok_af (rhost, as_root, ruser, luser, PF_UNSPEC);
#else
+ #ifdef HAVE_RUSEROK
retval = ruserok (rhost, as_root, ruser, luser);
-#endif
+ #else
+ retval = -1;
+ #endif /* HAVE_RUSEROK */
+#endif /*HAVE_RUSEROK_AF */
if (retval != 0) {
if (!opt_silent || opt_debug)
pam_syslog(pamh, LOG_WARNING, "denied access to %s@%s as %s",


@ -1,53 +0,0 @@
From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" <ldv@altlinux.org>
Date: Wed, 26 Mar 2014 22:17:23 +0000
Subject: pam_timestamp: fix potential directory traversal issue (ticket #27)
pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
the timestamp pathname it creates, so extra care should be taken to
avoid potential directory traversal issues.
* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
"." and ".." tty values as invalid.
(get_ruser): Treat "." and ".." ruser values, as well as any ruser
value containing '/', as invalid.
Fixes CVE-2014-2583.
Reported-by: Sebastian Krahmer <krahmer@suse.de>
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
index 5193733..b3f08b1 100644
--- a/modules/pam_timestamp/pam_timestamp.c
+++ b/modules/pam_timestamp/pam_timestamp.c
@@ -158,7 +158,7 @@ check_tty(const char *tty)
tty = strrchr(tty, '/') + 1;
}
/* Make sure the tty wasn't actually a directory (no basename). */
- if (strlen(tty) == 0) {
+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
return NULL;
}
return tty;
@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
if (pwd != NULL) {
ruser = pwd->pw_name;
}
+ } else {
+ /*
+ * This ruser is used by format_timestamp_name as a component
+ * of constructed timestamp pathname, so ".", "..", and '/'
+ * are disallowed to avoid potential path traversal issues.
+ */
+ if (!strcmp(ruser, ".") ||
+ !strcmp(ruser, "..") ||
+ strchr(ruser, '/')) {
+ ruser = NULL;
+ }
}
if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
*ruserbuf = '\0';
--
cgit v0.10.2


@ -1,50 +0,0 @@
From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" <ldv@altlinux.org>
Date: Fri, 24 Jan 2014 22:18:32 +0000
Subject: pam_userdb: fix password hash comparison
Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
passwords support in pam_userdb, hashes are compared case-insensitively.
This bug leads to accepting hashes for completely different passwords in
addition to those that should be accepted.
Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
modern password hashes with different lengths and settings, did not
update the hash comparison accordingly, which leads to accepting
computed hashes longer than stored hashes when the latter is a prefix
of the former.
* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
hash whose length differs from the stored hash length.
Compare computed and stored hashes case-sensitively.
Fixes CVE-2013-7041.
Bug-Debian: http://bugs.debian.org/731368
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
index de8b5b1..ff040e6 100644
--- a/modules/pam_userdb/pam_userdb.c
+++ b/modules/pam_userdb/pam_userdb.c
@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
} else {
cryptpw = crypt (pass, data.dptr);
- if (cryptpw) {
- compare = strncasecmp (data.dptr, cryptpw, data.dsize);
+ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
+ compare = memcmp(data.dptr, cryptpw, data.dsize);
} else {
compare = -2;
if (ctrl & PAM_DEBUG_ARG) {
- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
+ if (cryptpw)
+ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
+ else
+ pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
}
};
--
cgit v0.10.2


@ -1,2 +1,2 @@
# Locally computed hashes, not provided by upstream
sha256 c4b1f23a236d169e2496fea20721578d864ba00f7242d2b41d81050ac87a1e55 Linux-PAM-1.1.8.tar.bz2
sha256 342b1211c0d3b203a7df2540a5b03a428a087bd8a48c17e49ae268f992b334d9 Linux-PAM-1.2.1.tar.bz2


@ -4,7 +4,7 @@
#
################################################################################
LINUX_PAM_VERSION = 1.1.8
LINUX_PAM_VERSION = 1.2.1
LINUX_PAM_SOURCE = Linux-PAM-$(LINUX_PAM_VERSION).tar.bz2
LINUX_PAM_SITE = http://linux-pam.org/library
LINUX_PAM_INSTALL_STAGING = YES