author | Jackie Huang <jackie.huang@windriver.com> | 2017-07-28 10:00:56 +0800 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2017-08-13 08:26:14 -0700 |
commit | 1c3afde094d6cb7951957a67f4127dc06abecaa5 (patch) | |
tree | d4d66bc01b4abb7531b8d7ad1625f28ebb0f0746 /recipes-security | |
parent | 2f30963b822b508bf53795950ea6e8198f464807 (diff) | |
download | meta-security-1c3afde094d6cb7951957a67f4127dc06abecaa5.tar.gz |
libgssglue: add new recipe
libgssglue exports a gssapi interface which calls
other gssapi libraries.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'recipes-security')
6 files changed, 223 insertions, 0 deletions
diff --git a/recipes-security/libgssglue/files/libgssglue-canon-name.patch b/recipes-security/libgssglue/files/libgssglue-canon-name.patch new file mode 100644 index 0000000..cb7c47b --- /dev/null +++ b/recipes-security/libgssglue/files/libgssglue-canon-name.patch | |||
@@ -0,0 +1,60 @@ | |||
1 | fix the bug: | ||
2 | g_canon_name.c:125:5: warning: passing argument 2 of '__gss_copy_namebuf' from incompatible pointer type [enabled by default] | ||
3 | |||
4 | the 2nd argument of __gss_copy_namebuf should be address of *gss_buffer_t, \ | ||
5 | but a *gss_buffer_t is assigned. | ||
6 | |||
7 | what __gss_copy_namebuf does is to alloc memory for a gss_buffer_desc and \ | ||
8 | copy from src and return its address. | ||
9 | |||
10 | if following code failed, gss_release_name will free \ | ||
11 | union_canon_name->external_name.value if it is not NULL. | ||
12 | |||
13 | OM_uint32 __gss_copy_namebuf(src, dest) | ||
14 | gss_buffer_t src; | ||
15 | gss_buffer_t *dest; | ||
16 | |||
17 | typedef struct gss_union_name_t { | ||
18 | gss_mechanism gss_mech; | ||
19 | gss_OID name_type; | ||
20 | gss_buffer_desc external_name; | ||
21 | /* | ||
22 | * These last two fields are only filled in for mechanism | ||
23 | * names. | ||
24 | */ | ||
25 | gss_OID mech_type; | ||
26 | gss_name_t mech_name; | ||
27 | } gss_union_name_desc, *gss_union_name_t; | ||
28 | |||
29 | typedef struct gss_buffer_desc_struct { | ||
30 | size_t length; | ||
31 | void FAR *value; | ||
32 | } gss_buffer_desc, FAR *gss_buffer_t; | ||
33 | |||
34 | Upstream-Status: Pending | ||
35 | Signed-off-by: Yao Zhao <yao.zhao@windriver.com> | ||
36 | |||
37 | --- a/src/g_canon_name.c | ||
38 | +++ b/src/g_canon_name.c | ||
39 | @@ -121,11 +121,17 @@ gss_canonicalize_name (OM_uint32 *minor_ | ||
40 | |||
41 | union_canon_name->mech_name = mech_name; | ||
42 | |||
43 | - status = __gss_copy_namebuf(&union_input_name->external_name, | ||
44 | - &union_canon_name->external_name); | ||
45 | - if (status != GSS_S_COMPLETE) | ||
46 | - goto failure; | ||
47 | + union_canon_name->external_name.value = (void*) malloc( | ||
48 | + union_input_name->external_name.length + 1); | ||
49 | + if (!union_canon_name->external_name.value) | ||
50 | + goto failure; | ||
51 | |||
52 | + memcpy(union_canon_name->external_name.value, | ||
53 | + union_input_name->external_name.value, | ||
54 | + union_input_name->external_name.length); | ||
55 | + union_canon_name->external_name.length = | ||
56 | + union_input_name->external_name.length; | ||
57 | + | ||
58 | if (union_input_name->name_type != GSS_C_NO_OID) { | ||
59 | status = generic_gss_copy_oid(minor_status, | ||
60 | union_input_name->name_type, | ||
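Review bot: The added malloc at patch lines 47–48 reserves `length + 1` bytes, but the extra byte is never written, so the copy is neither NUL-terminated nor fully initialized; either drop the `+ 1` or terminate explicitly after the memcpy, e.g. `((char *)union_canon_name->external_name.value)[union_input_name->external_name.length] = '\0';`. The new failure path no longer goes through `__gss_copy_namebuf`, so whether `*minor_status` is set to ENOMEM before `goto failure` depends on code outside the hunk and is worth confirming. If `external_name.length` is 0 with a NULL `value`, `memcpy` with a null source is undefined even for zero bytes, so a guard on `length` would make that case explicit. gss_canonicalize_name's body begins and ends outside the hunk.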
diff --git a/recipes-security/libgssglue/files/libgssglue-fix-CVE-2011-2709.patch b/recipes-security/libgssglue/files/libgssglue-fix-CVE-2011-2709.patch new file mode 100644 index 0000000..6aa1a65 --- /dev/null +++ b/recipes-security/libgssglue/files/libgssglue-fix-CVE-2011-2709.patch | |||
@@ -0,0 +1,43 @@ | |||
1 | Use secure_getenv instead of getenv for setuid programs | ||
2 | |||
3 | (bnc#694598 CVE-2011-2709 bnc#831805) | ||
4 | |||
5 | import from: | ||
6 | https://build.opensuse.org/package/view_file/openSUSE:Factory/libgssglue/secure-getenv.patch | ||
7 | |||
8 | Upstream-Status: Pending | ||
9 | |||
10 | Signed-off-by: Jackie Huang <jackie.huang@windriver.com> | ||
11 | |||
12 | diff --git a/src/g_initialize.c b/src/g_initialize.c | ||
13 | index 200f173..935a9fa 100644 | ||
14 | --- a/src/g_initialize.c | ||
15 | +++ b/src/g_initialize.c | ||
16 | @@ -26,6 +26,7 @@ | ||
17 | * This function will initialize the gssapi mechglue library | ||
18 | */ | ||
19 | |||
20 | +#define _GNU_SOURCE | ||
21 | #include "mglueP.h" | ||
22 | #include <stdlib.h> | ||
23 | |||
24 | @@ -197,8 +198,7 @@ static void solaris_initialize () | ||
25 | void *dl; | ||
26 | gss_mechanism (*sym)(void), mech; | ||
27 | |||
28 | - if ((getuid() != geteuid()) || | ||
29 | - ((filename = getenv("GSSAPI_MECH_CONF")) == NULL)) | ||
30 | + if ((filename = secure_getenv("GSSAPI_MECH_CONF")) == NULL) | ||
31 | filename = MECH_CONF; | ||
32 | |||
33 | if ((conffile = fopen(filename, "r")) == NULL) { | ||
34 | @@ -274,8 +274,7 @@ static void linux_initialize () | ||
35 | void *dl; | ||
36 | gss_mechanism (*sym)(void), mech; | ||
37 | |||
38 | - if ((getuid() != geteuid()) || | ||
39 | - ((filename = getenv("GSSAPI_MECH_CONF")) == NULL)) | ||
40 | + if ((filename = secure_getenv("GSSAPI_MECH_CONF")) == NULL) | ||
41 | filename = MECH_CONF; | ||
42 | |||
43 | if ((conffile = fopen(filename, "r")) == NULL) { | ||
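Review bot: The unguarded `#define _GNU_SOURCE` at patch line 20 produces a redefinition warning (an error under -Werror) whenever the build already defines it on the command line; `#ifndef _GNU_SOURCE` / `#define _GNU_SOURCE` / `#endif` avoids that, and it must stay ahead of every system include in the file, which the hunk suggests but cannot prove. `secure_getenv` is a GNU extension and the hunk adds no configure check or fallback, so on a libc that lacks it the link fails outright; a `HAVE_SECURE_GETENV` guard that falls back to the previous uid/euid comparison would keep the build portable while keeping the AT_SECURE-based semantics where available. The same replacement is made in both `solaris_initialize` and `linux_initialize`, and both bodies extend beyond the hunks.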
diff --git a/recipes-security/libgssglue/files/libgssglue-g-initialize.patch b/recipes-security/libgssglue/files/libgssglue-g-initialize.patch new file mode 100644 index 0000000..4a9ba33 --- /dev/null +++ b/recipes-security/libgssglue/files/libgssglue-g-initialize.patch | |||
@@ -0,0 +1,21 @@ | |||
1 | Fix the warning for getuid, geteuid | ||
2 | g_initialize.c: In function 'linux_initialize': | ||
3 | g_initialize.c:275:5: warning: implicit declaration of function 'getuid' [-Wimplicit-function-declaration] | ||
4 | g_initialize.c:275:5: warning: implicit declaration of function 'geteuid' [-Wimplicit-function-declaration] | ||
5 | |||
6 | Upstream-Status: Pending | ||
7 | Signed-off-by: Yao Zhao <yao.zhao@windriver.com> | ||
8 | |||
9 | diff --git a/src/g_initialize.c b/src1/g_initialize.c | ||
10 | index 82fcce1..200f173 100644 | ||
11 | --- a/src/g_initialize.c | ||
12 | +++ b/src/g_initialize.c | ||
13 | @@ -29,6 +29,8 @@ | ||
14 | #include "mglueP.h" | ||
15 | #include <stdlib.h> | ||
16 | |||
17 | +#include <unistd.h> /*getuid, geteuid */ | ||
18 | +#include <sys/types.h> | ||
19 | #include <stdio.h> | ||
20 | #include <string.h> | ||
21 | #include <ctype.h> | ||
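Review bot: The diff header at patch line 9 names the new file `b/src1/g_initialize.c` while the `+++` line says `b/src/g_initialize.c`; patch and quilt follow the `---`/`+++` lines so it still applies, but the stray `src1` looks like a typo worth fixing. Once the CVE-2011-2709 patch, which the recipe's SRC_URI applies after this one, removes the `getuid()`/`geteuid()` calls, the `<unistd.h>` and `<sys/types.h>` includes added here have no remaining user visible in this hunk — harmless, but the comment `/*getuid, geteuid */` then describes nothing.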
diff --git a/recipes-security/libgssglue/files/libgssglue-gss-inq-cred.patch b/recipes-security/libgssglue/files/libgssglue-gss-inq-cred.patch new file mode 100644 index 0000000..6dce3e7 --- /dev/null +++ b/recipes-security/libgssglue/files/libgssglue-gss-inq-cred.patch | |||
@@ -0,0 +1,27 @@ | |||
1 | 1) add free if malloc failed for (*mechanisms)->elements | ||
2 | 2) g_inq_cred.c: In function 'gss_inquire_cred': | ||
3 | g_inq_cred.c:161:8: warning: passing argument 3 of 'generic_gss_copy_oid' from incompatible pointer type [enabled by default] | ||
4 | |||
5 | Upstream-Status: Pending | ||
6 | Signed-off-by: Yao Zhao <yao.zhao@windriver.com> | ||
7 | |||
8 | --- a/src/g_inq_cred.c | ||
9 | +++ b/src/g_inq_cred.c | ||
10 | @@ -152,13 +152,15 @@ gss_OID_set * mechanisms; | ||
11 | union_cred->count); | ||
12 | if ((*mechanisms)->elements == NULL) { | ||
13 | *minor_status = ENOMEM; | ||
14 | + free(*mechanisms); | ||
15 | + *mechanisms = GSS_C_NO_OID_SET; | ||
16 | return (GSS_S_FAILURE); | ||
17 | } | ||
18 | |||
19 | for (i=0; i < union_cred->count; i++) { | ||
20 | - status = generic_gss_copy_oid(minor_status, | ||
21 | + status = generic_gss_add_oid_set_member(minor_status, | ||
22 | &union_cred->mechs_array[i], | ||
23 | - &((*mechanisms)->elements[i])); | ||
24 | + mechanisms); | ||
25 | if (status != GSS_S_COMPLETE) | ||
26 | break; | ||
27 | } | ||
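Review bot: The loop at patch lines 19–27 now calls `generic_gss_add_oid_set_member`, which by its name appends to the set, yet the lines just above still malloc `(*mechanisms)->elements` sized for `union_cred->count` entries; if `(*mechanisms)->count` is also preset to `union_cred->count` outside the hunk, each append lands after those preallocated, never-initialized slots and the caller receives a set twice the expected size with garbage in the first half. Starting from an empty set — `generic_gss_create_empty_oid_set`, or `(*mechanisms)->count = 0` with no preallocation — would match the append semantics; the count assignment is not visible here, so this needs confirming. On `break` after a failed add, the partially built set is returned without being released, and whether code after the hunk frees it is not visible. gss_inquire_cred continues outside the hunk.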
diff --git a/recipes-security/libgssglue/files/libgssglue-mglueP.patch b/recipes-security/libgssglue/files/libgssglue-mglueP.patch new file mode 100644 index 0000000..6c9ebf0 --- /dev/null +++ b/recipes-security/libgssglue/files/libgssglue-mglueP.patch | |||
@@ -0,0 +1,21 @@ | |||
1 | fix the warning: | ||
2 | warning: implicit declaration of function 'generic_gss_copy_oid_set' [-Wimplicit-function-declaration] | ||
3 | |||
4 | Upstream-Status: Pending | ||
5 | Signed-off-by: Yao Zhao <yao.zhao@windriver.com> | ||
6 | |||
7 | --- a/src/mglueP.h | ||
8 | +++ b/src/mglueP.h | ||
9 | @@ -447,6 +447,12 @@ OM_uint32 generic_gss_copy_oid | ||
10 | gss_OID * /* new_oid */ | ||
11 | ); | ||
12 | |||
13 | +OM_uint32 generic_gss_copy_oid_set | ||
14 | + (OM_uint32 *minor_status, /* minor_status */ | ||
15 | + const gss_OID_set_desc * const oidset, /* oid */ | ||
16 | + gss_OID_set *new_oidset /* new_oid */ | ||
17 | + ); | ||
18 | + | ||
19 | OM_uint32 generic_gss_create_empty_oid_set | ||
20 | (OM_uint32 *, /* minor_status */ | ||
21 | gss_OID_set * /* oid_set */ | ||
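Review bot: The parameter comments on the new prototype at patch lines 14–16 are copied from `generic_gss_copy_oid` (`/* oid */`, `/* new_oid */`) and misdescribe the set arguments; `/* oidset */` and `/* new_oidset */`, or simply dropping them since the parameters are already named, would read correctly. The prototype qualifies the input as `const gss_OID_set_desc * const oidset`; if the definition in oid_ops.c declares that parameter without `const`, the compiler will reject the conflicting types, so it should be checked against the definition, which is not part of this commit.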
diff --git a/recipes-security/libgssglue/libgssglue_0.4.bb b/recipes-security/libgssglue/libgssglue_0.4.bb new file mode 100644 index 0000000..f7859a7 --- /dev/null +++ b/recipes-security/libgssglue/libgssglue_0.4.bb | |||
@@ -0,0 +1,51 @@ | |||
1 | SUMMARY = "Exports a gssapi interface which calls other gssapi libraries" | ||
2 | DESCRIPTION = "\ | ||
3 | This library exports a gssapi interface, but does not implement any gssapi \ | ||
4 | mechanisms itself; instead it calls gssapi routines in other libraries, \ | ||
5 | depending on the mechanism. \ | ||
6 | " | ||
7 | |||
8 | HOMEPAGE = "http://www.citi.umich.edu/projects/nfsv4/linux/" | ||
9 | SECTION = "libs" | ||
10 | |||
11 | LICENSE = "BSD-3-Clause | HPND" | ||
12 | |||
13 | #Copyright (c) 1996, by Sun Microsystems, Inc. HPND | ||
14 | #Copyright (c) 2007 The Regents of the University of Michigan. BSD-3-Clause | ||
15 | #Copyright 1995 by the Massachusetts Institute of Technology. HPND without Disclaimer | ||
16 | #Copyright 1993 by OpenVision Technologies, Inc. HPND | ||
17 | LIC_FILES_CHKSUM = "file://COPYING;md5=56871e72a5c475289c0d5e4ba3f2ee3a \ | ||
18 | file://src/g_accept_sec_context.c;beginline=3;endline=23;md5=8a7f4017cb7f4be49f8981cb8c472690 \ | ||
19 | file://src/g_ccache_name.c;beginline=1;endline=32;md5=208d4de05d5c8273963a8332f084faa7 \ | ||
20 | file://src/oid_ops.c;beginline=1;endline=26;md5=1f194d148b396972da26759a8ec399f0 \ | ||
21 | file://src/oid_ops.c;beginline=378;endline=398;md5=e02c165cb8383e950214baca2fbd664b \ | ||
22 | " | ||
23 | |||
24 | SRC_URI = "http://www.citi.umich.edu/projects/nfsv4/linux/${BPN}/${BP}.tar.gz \ | ||
25 | file://libgssglue-canon-name.patch \ | ||
26 | file://libgssglue-gss-inq-cred.patch \ | ||
27 | file://libgssglue-mglueP.patch \ | ||
28 | file://libgssglue-g-initialize.patch \ | ||
29 | file://libgssglue-fix-CVE-2011-2709.patch \ | ||
30 | " | ||
31 | |||
32 | SRC_URI[md5sum] = "088797f3180702fa54e786496b32e750" | ||
33 | SRC_URI[sha256sum] = "3f791a75502ba723e5e85e41e5e0c711bb89e2716b7c0ec6e74bd1df6739043a" | ||
34 | |||
35 | # gssglue can use krb5, spkm3... as gssapi library, configurable | ||
36 | RRECOMMENDS_${PN} += "krb5" | ||
37 | |||
38 | inherit autotools | ||
39 | |||
40 | do_install_append() { | ||
41 | # install some docs | ||
42 | install -d -m 0755 ${D}${docdir}/${BPN} | ||
43 | install -m 0644 ${S}/AUTHORS ${S}/ChangeLog ${S}/NEWS ${S}/README ${D}${docdir}/${BPN} | ||
44 | |||
45 | # install the gssapi_mech.conf | ||
46 | install -d -m 0755 ${D}${sysconfdir} | ||
47 | install -m 0644 ${S}/doc/gssapi_mech.conf ${D}${sysconfdir} | ||
48 | |||
49 | # change the libgssapi_krb5.so path and name(it is .so.2) | ||
50 | sed -i -e "s:/usr/lib/libgssapi_krb5.so:libgssapi_krb5.so.2:" ${D}${sysconfdir}/gssapi_mech.conf | ||
51 | } | ||
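Review bot: `gssapi_mech.conf` is installed into `${sysconfdir}` at recipe lines 46–47, but the recipe declares no `CONFFILES_${PN}`, so a locally edited mechanism list is overwritten on package upgrade; add `CONFFILES_${PN} += "${sysconfdir}/gssapi_mech.conf"`. The sed at line 50 hard-codes the `libgssapi_krb5.so.2` soname, which breaks mechanism loading at runtime if a krb5 upgrade changes it; deriving the name from the krb5 recipe, or at least stating the coupling in the comment, would make that dependency visible. `LICENSE = "BSD-3-Clause | HPND"` expresses a licensee's choice, whereas the comments at lines 13–16 list different files under different licenses, which reads as a conjunction (`&`) — worth confirming against COPYING.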