authorChen Qi <Qi.Chen@windriver.com>2018-07-27 16:04:34 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-07-30 12:44:35 +0100
commitffb63803eac6ba97d1b9e1f3d648bc4d81bf0276 (patch)
treed29c106cf81ae93e47b30aaaf87e10bbcdfc10eb
parent96f011e628fe360644bfdd7650145b996d61740c (diff)
downloadpoky-ffb63803eac6ba97d1b9e1f3d648bc4d81bf0276.tar.gz
shadow: upgrade 4.2.1 -> 4.6
The following patches are removed because problems have been fixed in this version. 0001-shadow-CVE-2017-12424 fix-installation-failure-with-subids-disabled.patch usermod-fix-compilation-failure-with-subids-disabled.patch CVE-2017-2616.patch check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch 0001-Do-not-read-login.defs-before-doing-chroot.patch The following patches are rebased. 0001-Disable-use-of-syslog-for-sysroot.patch 0001-useradd-copy-extended-attributes-of-home.patch 0001-useradd.c-create-parent-directories-when-necessary.patch allow-for-setting-password-in-clear-text.patch (From OE-Core rev: 79dd22729d5b8a2f2cf4294ff6b261c9d6ecd977) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch21
-rw-r--r--meta/recipes-extended/shadow/files/0001-Do-not-read-login.defs-before-doing-chroot.patch46
-rw-r--r--meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-1242446
-rw-r--r--meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch28
-rw-r--r--meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch83
-rw-r--r--meta/recipes-extended/shadow/files/CVE-2017-2616.patch64
-rw-r--r--meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch181
-rw-r--r--meta/recipes-extended/shadow/files/check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch41
-rw-r--r--meta/recipes-extended/shadow/files/fix-installation-failure-with-subids-disabled.patch28
-rw-r--r--meta/recipes-extended/shadow/files/usermod-fix-compilation-failure-with-subids-disabled.patch33
-rw-r--r--meta/recipes-extended/shadow/shadow-securetty_4.6.bb (renamed from meta/recipes-extended/shadow/shadow-securetty_4.2.1.bb)0
-rw-r--r--meta/recipes-extended/shadow/shadow-sysroot_4.6.bb (renamed from meta/recipes-extended/shadow/shadow-sysroot_4.2.1.bb)0
-rw-r--r--meta/recipes-extended/shadow/shadow.inc13
-rw-r--r--meta/recipes-extended/shadow/shadow_4.6.bb (renamed from meta/recipes-extended/shadow/shadow_4.2.1.bb)0
14 files changed, 209 insertions, 375 deletions
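diff --git a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
index a6f604b652..aac2d42b12 100644
--- a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
+++ b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
@@ -11,6 +11,7 @@ Upstream-Status: Inappropriate [disable feature]
 
 Signed-off-by: Scott Garman <scott.a.garman@intel.com>
 Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
 ---
  src/groupadd.c | 3 +++
  src/groupdel.c | 3 +++
@@ -22,7 +23,7 @@ Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
  7 files changed, 21 insertions(+)
 
 diff --git a/src/groupadd.c b/src/groupadd.c
-index 39b4ec0..f716f57 100644
+index 63e1c48..a596c49 100644
 --- a/src/groupadd.c
 +++ b/src/groupadd.c
 @@ -34,6 +34,9 @@
@@ -36,7 +37,7 @@ index 39b4ec0..f716f57 100644
  #include <fcntl.h>
  #include <getopt.h>
 diff --git a/src/groupdel.c b/src/groupdel.c
-index da99347..46a679c 100644
+index 70bed01..ababd81 100644
 --- a/src/groupdel.c
 +++ b/src/groupdel.c
 @@ -34,6 +34,9 @@
@@ -50,7 +51,7 @@ index da99347..46a679c 100644
  #include <fcntl.h>
  #include <grp.h>
 diff --git a/src/groupmems.c b/src/groupmems.c
-index e4f107f..95cb073 100644
+index fc91c8b..2842514 100644
 --- a/src/groupmems.c
 +++ b/src/groupmems.c
 @@ -32,6 +32,9 @@
@@ -64,7 +65,7 @@ index e4f107f..95cb073 100644
  #include <getopt.h>
  #include <grp.h>
 diff --git a/src/groupmod.c b/src/groupmod.c
-index d9d3807..6229737 100644
+index 72daf2c..8965f9d 100644
 --- a/src/groupmod.c
 +++ b/src/groupmod.c
 @@ -34,6 +34,9 @@
@@ -78,7 +79,7 @@ index d9d3807..6229737 100644
  #include <fcntl.h>
  #include <getopt.h>
 diff --git a/src/useradd.c b/src/useradd.c
-index e1ebf50..25679d8 100644
+index 3aaf45c..1ab9174 100644
 --- a/src/useradd.c
 +++ b/src/useradd.c
 @@ -34,6 +34,9 @@
@@ -92,7 +93,7 @@ index e1ebf50..25679d8 100644
  #include <ctype.h>
  #include <errno.h>
 diff --git a/src/userdel.c b/src/userdel.c
-index 19b12bc..a083929 100644
+index c8de1d3..24d3ea9 100644
 --- a/src/userdel.c
 +++ b/src/userdel.c
 @@ -34,6 +34,9 @@
@@ -102,11 +103,11 @@ index 19b12bc..a083929 100644
 +/* Disable use of syslog since we're running this command against a sysroot */
 +#undef USE_SYSLOG
 +
+ #include <assert.h>
  #include <errno.h>
  #include <fcntl.h>
- #include <getopt.h>
 diff --git a/src/usermod.c b/src/usermod.c
-index 685b50a..28e5cfc 100644
+index ccfbb99..24fb60d 100644
 --- a/src/usermod.c
 +++ b/src/usermod.c
 @@ -34,6 +34,9 @@
@@ -116,9 +117,9 @@ index 685b50a..28e5cfc 100644
 +/* Disable use of syslog since we're running this command against a sysroot */
 +#undef USE_SYSLOG
 +
+ #include <assert.h>
  #include <ctype.h>
  #include <errno.h>
- #include <fcntl.h>
 --
-2.1.0
+2.11.0
 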
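diff --git a/meta/recipes-extended/shadow/files/0001-Do-not-read-login.defs-before-doing-chroot.patch b/meta/recipes-extended/shadow/files/0001-Do-not-read-login.defs-before-doing-chroot.patch
deleted file mode 100644
index 828b95a572..0000000000
--- a/meta/recipes-extended/shadow/files/0001-Do-not-read-login.defs-before-doing-chroot.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 170c25c8e0b5c3dc2615d1db94c8d24a13ff99bf Mon Sep 17 00:00:00 2001
-From: Peter Kjellerstedt <pkj@axis.com>
-Date: Thu, 11 Sep 2014 15:11:23 +0200
-Subject: [PATCH] Do not read login.defs before doing chroot()
-
-If "useradd --root <root> ..." was used, the login.defs file would still
-be read from /etc/login.defs instead of <root>/etc/login.defs. This was
-due to getdef_ulong() being called before process_root_flag().
-
-Upstream-Status: Submitted [http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2014-September/010446.html]
-
-Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
----
- src/useradd.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/src/useradd.c b/src/useradd.c
-index a8a1f76..e1ebf50 100644
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -1993,9 +1993,11 @@ int main (int argc, char **argv)
- #endif /* USE_PAM */
- #endif /* ACCT_TOOLS_SETUID */
-
-+#ifdef ENABLE_SUBIDS
- /* Needed for userns check */
-- uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
-- uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
-+ uid_t uid_min;
-+ uid_t uid_max;
-+#endif
-
- /*
- * Get my name so that I can use it to report errors.
-@@ -2026,6 +2028,8 @@ int main (int argc, char **argv)
- is_shadow_grp = sgr_file_present ();
- #endif
- #ifdef ENABLE_SUBIDS
-+ uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
-+ uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
- is_sub_uid = sub_uid_file_present () && !rflg &&
- (!user_id || (user_id <= uid_max && user_id >= uid_min));
- is_sub_gid = sub_gid_file_present () && !rflg &&
---
-1.9.0
-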
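diff --git a/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424 b/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424
deleted file mode 100644
index 4d3e1e016c..0000000000
--- a/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424
+++ /dev/null
@@ -1,46 +0,0 @@
-From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tmraz@fedoraproject.org>
-Date: Fri, 31 Mar 2017 16:25:06 +0200
-Subject: [PATCH] Fix buffer overflow if NULL line is present in db.
-
-If ptr->line == NULL for an entry, the first cycle will exit,
-but the second one will happily write past entries buffer.
-We actually do not want to exit the first cycle prematurely
-on ptr->line == NULL.
-Signed-off-by: Tomas Mraz <tmraz@fedoraproject.org>
-
-CVE: CVE-2017-12424
-Upstream-Status: Backport
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- lib/commonio.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/lib/commonio.c b/lib/commonio.c
-index b10da06..31edbaa 100644
---- a/lib/commonio.c
-+++ b/lib/commonio.c
-@@ -751,16 +751,16 @@ commonio_sort (struct commonio_db *db, int (*cmp) (const void *, const void *))
- for (ptr = db->head;
- (NULL != ptr)
- #if KEEP_NIS_AT_END
-- && (NULL != ptr->line)
-- && ( ('+' != ptr->line[0])
-- && ('-' != ptr->line[0]))
-+ && ((NULL == ptr->line)
-+ || (('+' != ptr->line[0])
-+ && ('-' != ptr->line[0])))
- #endif
- ;
- ptr = ptr->next) {
- n++;
- }
- #if KEEP_NIS_AT_END
-- if ((NULL != ptr) && (NULL != ptr->line)) {
-+ if (NULL != ptr) {
- nis = ptr;
- }
- #endif
---
-2.1.0
-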
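diff --git a/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch b/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch
index 60a46e1257..474b3a257e 100644
--- a/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch
+++ b/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch
@@ -1,47 +1,41 @@
-From acec93540eba6899661c607408498ac72ab07a47 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Tue, 7 Mar 2017 16:03:03 +0100
 Subject: [PATCH] useradd: copy extended attributes of home
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
 
 The Home directory wasn't getting the extended attributes
 of /etc/skel. This patch fixes that issue and adds the copy
 of the extended attributes of the root of the home directory.
 
-Upstream-Status: Submitted [http://lists.alioth.debian.org/pipermail/pkg-shadow-commits/2017-March/003804.html]
+Upstream-Status: Pending
 
-Change-Id: Icd633f7c6c494efd2a30cb8f04c306f749ad0c3b
 Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
 ---
  src/useradd.c | 6 ++++++
  1 file changed, 6 insertions(+)
 
 diff --git a/src/useradd.c b/src/useradd.c
-index a8a1f76..8aefb9c 100644
+index e721e52..c74e491 100644
 --- a/src/useradd.c
 +++ b/src/useradd.c
-@@ -52,6 +52,9 @@
- #include <sys/stat.h>
- #include <sys/types.h>
+@@ -54,6 +54,9 @@
+ #include <sys/wait.h>
  #include <time.h>
+ #include <unistd.h>
 +#ifdef WITH_ATTR
 +#include <attr/libattr.h>
 +#endif
  #include "chkname.h"
  #include "defines.h"
  #include "faillog.h"
-@@ -1915,6 +1918,9 @@ static void create_home (void)
- chown (user_home, user_id, user_gid);
- chmod (user_home,
+@@ -2042,6 +2045,9 @@ static void create_home (void)
+ (void) chown (prefix_user_home, user_id, user_gid);
+ chmod (prefix_user_home,
  0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
 +#ifdef WITH_ATTR
 + attr_copy_file (def_template, user_home, NULL, NULL);
 +#endif
  home_added = true;
  #ifdef WITH_AUDIT
  audit_logger (AUDIT_ADD_USER, Prog,
 --
-2.9.3
+2.11.0
 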
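Review bot: The added `attr_copy_file (def_template, user_home, NULL, NULL);` in the create_home hunk still names `user_home`, although the rebased context lines now run `chown` and `chmod` on `prefix_user_home`. When a prefix is in use the extended attributes, which can include security labels, would be applied to a different path than the directory that was just created and re-owned; the call's return value is also dropped, so a failed copy goes unnoticed. I would change it to `if (attr_copy_file (def_template, prefix_user_home, NULL, NULL) != 0)` followed by a diagnostic on stderr, or add a comment explaining why the unprefixed path is intended. The same line is carried in 0001-useradd.c-create-parent-directories-when-necessary.patch, and the header now says `Upstream-Status: Pending` where it used to cite the submission URL. create_home starts and ends outside the hunk.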
diff --git a/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch b/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch
index 2f084b4e9b..7024136593 100644
--- a/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch
+++ b/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch
@@ -1,17 +1,17 @@
1Upstream-Status: Inappropriate [OE specific] 1Subject: [PATCH] useradd.c: create parent directories when necessary
2 2
3Subject: useradd.c: create parent directories when necessary 3Upstream-Status: Inappropriate [OE specific]
4 4
5Signed-off-by: Chen Qi <Qi.Chen@windriver.com> 5Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
6--- 6---
7 src/useradd.c | 72 +++++++++++++++++++++++++++++++++++++++------------------ 7 src/useradd.c | 82 +++++++++++++++++++++++++++++++++++++++--------------------
8 1 file changed, 49 insertions(+), 23 deletions(-) 8 1 file changed, 54 insertions(+), 28 deletions(-)
9 9
10diff --git a/src/useradd.c b/src/useradd.c 10diff --git a/src/useradd.c b/src/useradd.c
11index 4bd969d..cb5dd6c 100644 11index 7214e72..3aaf45c 100644
12--- a/src/useradd.c 12--- a/src/useradd.c
13+++ b/src/useradd.c 13+++ b/src/useradd.c
14@@ -1896,6 +1896,35 @@ static void usr_update (void) 14@@ -2021,6 +2021,35 @@ static void usr_update (void)
15 } 15 }
16 16
17 /* 17 /*
@@ -47,63 +47,68 @@ index 4bd969d..cb5dd6c 100644
47 * create_home - create the user's home directory 47 * create_home - create the user's home directory
48 * 48 *
49 * create_home() creates the user's home directory if it does not 49 * create_home() creates the user's home directory if it does not
50@@ -1910,39 +1939,36 @@ static void create_home (void) 50@@ -2038,42 +2067,39 @@ static void create_home (void)
51 fail_exit (E_HOMEDIR); 51 fail_exit (E_HOMEDIR);
52 } 52 }
53 #endif 53 #endif
54- /* XXX - create missing parent directories. --marekm */ 54- /* XXX - create missing parent directories. --marekm */
55- if (mkdir (user_home, 0) != 0) { 55- if (mkdir (prefix_user_home, 0) != 0) {
56- fprintf (stderr, 56- fprintf (stderr,
57- _("%s: cannot create directory %s\n"), 57- _("%s: cannot create directory %s\n"),
58- Prog, user_home); 58- Prog, prefix_user_home);
59-#ifdef WITH_AUDIT 59+ mkdir_p(user_home);
60+ }
61+ if (access (prefix_user_home, F_OK) != 0) {
62 #ifdef WITH_AUDIT
60- audit_logger (AUDIT_ADD_USER, Prog, 63- audit_logger (AUDIT_ADD_USER, Prog,
61- "adding home directory", 64- "adding home directory",
62- user_name, (unsigned int) user_id, 65- user_name, (unsigned int) user_id,
63- SHADOW_AUDIT_FAILURE); 66- SHADOW_AUDIT_FAILURE);
64-#endif 67+ audit_logger (AUDIT_ADD_USER, Prog,
65- fail_exit (E_HOMEDIR); 68+ "adding home directory",
66- } 69+ user_name, (unsigned int) user_id,
67- chown (user_home, user_id, user_gid); 70+ SHADOW_AUDIT_FAILURE);
68- chmod (user_home,
69- 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
70-#ifdef WITH_ATTR
71- attr_copy_file (def_template, user_home, NULL, NULL);
72-#endif
73- home_added = true;
74+ mkdir_p(user_home);
75+ }
76+ if (access (user_home, F_OK) != 0) {
77 #ifdef WITH_AUDIT
78 audit_logger (AUDIT_ADD_USER, Prog,
79 "adding home directory",
80 user_name, (unsigned int) user_id,
81- SHADOW_AUDIT_SUCCESS);
82+ SHADOW_AUDIT_FAILURE);
83 #endif 71 #endif
84-#ifdef WITH_SELINUX
85- /* Reset SELinux to create files with default contexts */
86- if (reset_selinux_file_context () != 0) {
87- fail_exit (E_HOMEDIR); 72- fail_exit (E_HOMEDIR);
88- } 73- }
74- (void) chown (prefix_user_home, user_id, user_gid);
75- chmod (prefix_user_home,
76- 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
89+ fail_exit (E_HOMEDIR); 77+ fail_exit (E_HOMEDIR);
90+ } 78+ }
91+ chown (user_home, user_id, user_gid); 79+ (void) chown (prefix_user_home, user_id, user_gid);
92+ chmod (user_home, 80+ chmod (prefix_user_home,
93+ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); 81+ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
94+#ifdef WITH_ATTR 82 #ifdef WITH_ATTR
83- attr_copy_file (def_template, user_home, NULL, NULL);
95+ attr_copy_file (def_template, user_home, NULL, NULL); 84+ attr_copy_file (def_template, user_home, NULL, NULL);
96+#endif 85 #endif
86- home_added = true;
97+ home_added = true; 87+ home_added = true;
98+#ifdef WITH_AUDIT 88 #ifdef WITH_AUDIT
89- audit_logger (AUDIT_ADD_USER, Prog,
90- "adding home directory",
91- user_name, (unsigned int) user_id,
92- SHADOW_AUDIT_SUCCESS);
99+ audit_logger (AUDIT_ADD_USER, Prog, 93+ audit_logger (AUDIT_ADD_USER, Prog,
100+ "adding home directory", 94+ "adding home directory",
101+ user_name, (unsigned int) user_id, 95+ user_name, (unsigned int) user_id,
102+ SHADOW_AUDIT_SUCCESS); 96+ SHADOW_AUDIT_SUCCESS);
103 #endif 97 #endif
104+#ifdef WITH_SELINUX 98 #ifdef WITH_SELINUX
99- /* Reset SELinux to create files with default contexts */
100- if (reset_selinux_file_context () != 0) {
101- fprintf (stderr,
102- _("%s: cannot reset SELinux file creation context\n"),
103- Prog);
104- fail_exit (E_HOMEDIR);
105- }
106-#endif
105+ /* Reset SELinux to create files with default contexts */ 107+ /* Reset SELinux to create files with default contexts */
106+ if (reset_selinux_file_context () != 0) { 108+ if (reset_selinux_file_context () != 0) {
109+ fprintf (stderr,
110+ _("%s: cannot reset SELinux file creation context\n"),
111+ Prog);
107+ fail_exit (E_HOMEDIR); 112+ fail_exit (E_HOMEDIR);
108 } 113 }
109+#endif 114+#endif
@@ -111,5 +116,5 @@ index 4bd969d..cb5dd6c 100644
111 116
112 /* 117 /*
113-- 118--
1141.7.9.5 1192.11.0
115 120
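Review bot: In the rebased create_home hunk the new side calls `mkdir_p(user_home);` but then tests `access (prefix_user_home, F_OK)` and re-owns `prefix_user_home`, so the path created and the path checked can differ when a prefix is set; `mkdir_p(prefix_user_home);` would keep them aligned, assuming mkdir_p (added by an earlier hunk whose body is collapsed here) uses its argument as given. The access() test only proves that something exists at that path, not that it is a directory created by this run. `chmod` is unchecked and `chown` is explicitly discarded with `(void)`, so on failure the home directory keeps whatever owner and mode mkdir_p left it with; checking both and calling `fail_exit (E_HOMEDIR);` would make that visible. create_home starts and ends outside the hunk.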
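diff --git a/meta/recipes-extended/shadow/files/CVE-2017-2616.patch b/meta/recipes-extended/shadow/files/CVE-2017-2616.patch
deleted file mode 100644
index ee728f0952..0000000000
--- a/meta/recipes-extended/shadow/files/CVE-2017-2616.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-shadow-4.2.1: Fix CVE-2017-2616
-
-[No upstream tracking] -- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855943
-
-su: properly clear child PID
-
-If su is compiled with PAM support, it is possible for any local user
-to send SIGKILL to other processes with root privileges. There are
-only two conditions. First, the user must be able to perform su with
-a successful login. This does NOT have to be the root user, even using
-su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
-can only be sent to processes which were executed after the su process.
-It is not possible to send SIGKILL to processes which were already
-running. I consider this as a security vulnerability, because I was
-able to write a proof of concept which unlocked a screen saver of
-another user this way.
-
-Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686]
-CVE: CVE-2017-2616
-bug: 855943
-Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
-
-diff --git a/src/su.c b/src/su.c
-index 3704217..1efcd61 100644
---- a/src/su.c
-+++ b/src/su.c
-@@ -363,20 +363,35 @@ static void prepare_pam_close_session (void)
- /* wake child when resumed */
- kill (pid, SIGCONT);
- stop = false;
-+ } else {
-+ pid_child = 0;
- }
- } while (!stop);
- }
-
-- if (0 != caught) {
-+ if (0 != caught && 0 != pid_child) {
- (void) fputs ("\n", stderr);
- (void) fputs (_("Session terminated, terminating shell..."),
- stderr);
- (void) kill (-pid_child, caught);
-
- (void) signal (SIGALRM, kill_child);
-+ (void) signal (SIGCHLD, catch_signals);
- (void) alarm (2);
-
-- (void) wait (&status);
-+ sigemptyset (&ourset);
-+ if ((sigaddset (&ourset, SIGALRM) != 0)
-+ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
-+ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
-+ kill_child (0);
-+ } else {
-+ while (0 == waitpid (pid_child, &status, WNOHANG)) {
-+ sigsuspend (&ourset);
-+ }
-+ pid_child = 0;
-+ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
-+ }
-+
- (void) fputs (_(" ...terminated.\n"), stderr);
- }
-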
diff --git a/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch b/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch
index 615c6e002d..fa7eb07aa5 100644
--- a/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch
+++ b/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch
@@ -1,21 +1,21 @@
1Upstream-Status: Inappropriate [OE specific] 1Subject: [PATCH] Allow for setting password in clear text
2 2
3Allow for setting password in clear text. 3Upstream-Status: Inappropriate [OE specific]
4 4
5Signed-off-by: Chen Qi <Qi.Chen@windriver.com> 5Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
6--- 6---
7 src/Makefile.am | 8 ++++---- 7 src/Makefile.am | 8 ++++----
8 src/groupadd.c | 8 +++++++- 8 src/groupadd.c | 20 +++++++++++++++-----
9 src/groupmod.c | 8 +++++++- 9 src/groupmod.c | 20 +++++++++++++++-----
10 src/useradd.c | 9 +++++++-- 10 src/useradd.c | 21 +++++++++++++++------
11 src/usermod.c | 8 +++++++- 11 src/usermod.c | 20 +++++++++++++++-----
12 5 files changed, 32 insertions(+), 9 deletions(-) 12 5 files changed, 64 insertions(+), 25 deletions(-)
13 13
14diff --git a/src/Makefile.am b/src/Makefile.am 14diff --git a/src/Makefile.am b/src/Makefile.am
15index 25e288d..856b087 100644 15index 3c98a8d..b8093d5 100644
16--- a/src/Makefile.am 16--- a/src/Makefile.am
17+++ b/src/Makefile.am 17+++ b/src/Makefile.am
18@@ -88,10 +88,10 @@ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) 18@@ -93,10 +93,10 @@ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
19 chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) 19 chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
20 chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) 20 chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
21 gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) 21 gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
@@ -28,9 +28,9 @@ index 25e288d..856b087 100644
28 grpck_LDADD = $(LDADD) $(LIBSELINUX) 28 grpck_LDADD = $(LDADD) $(LIBSELINUX)
29 grpconv_LDADD = $(LDADD) $(LIBSELINUX) 29 grpconv_LDADD = $(LDADD) $(LIBSELINUX)
30 grpunconv_LDADD = $(LDADD) $(LIBSELINUX) 30 grpunconv_LDADD = $(LDADD) $(LIBSELINUX)
31@@ -111,9 +111,9 @@ su_SOURCES = \ 31@@ -117,9 +117,9 @@ su_SOURCES = \
32 suauth.c 32 suauth.c
33 su_LDADD = $(LDADD) $(LIBPAM) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) 33 su_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
34 sulogin_LDADD = $(LDADD) $(LIBCRYPT) 34 sulogin_LDADD = $(LDADD) $(LIBCRYPT)
35-useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) 35-useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR)
36+useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBCRYPT) 36+useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBCRYPT)
@@ -41,33 +41,39 @@ index 25e288d..856b087 100644
41 41
42 install-am: all-am 42 install-am: all-am
43diff --git a/src/groupadd.c b/src/groupadd.c 43diff --git a/src/groupadd.c b/src/groupadd.c
44index f716f57..4e28c26 100644 44index b57006c..63e1c48 100644
45--- a/src/groupadd.c 45--- a/src/groupadd.c
46+++ b/src/groupadd.c 46+++ b/src/groupadd.c
47@@ -124,6 +124,7 @@ static /*@noreturn@*/void usage (int status) 47@@ -123,9 +123,10 @@ static /*@noreturn@*/void usage (int status)
48 (void) fputs (_(" -o, --non-unique allow to create groups with duplicate\n" 48 (void) fputs (_(" -o, --non-unique allow to create groups with duplicate\n"
49 " (non-unique) GID\n"), usageout); 49 " (non-unique) GID\n"), usageout);
50 (void) fputs (_(" -p, --password PASSWORD use this encrypted password for the new group\n"), usageout); 50 (void) fputs (_(" -p, --password PASSWORD use this encrypted password for the new group\n"), usageout);
51+ (void) fputs (_(" -P, --clear-password PASSWORD use this clear password for the new group\n"), usageout); 51+ (void) fputs (_(" -P, --clear-password PASSWORD use this clear password for the new group\n"), usageout);
52 (void) fputs (_(" -r, --system create a system account\n"), usageout); 52 (void) fputs (_(" -r, --system create a system account\n"), usageout);
53 (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); 53 (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
54- (void) fputs (_(" -P, --prefix PREFIX_DIR directory prefix\n"), usageout);
55+ (void) fputs (_(" -A, --prefix PREFIX_DIR directory prefix\n"), usageout);
54 (void) fputs ("\n", usageout); 56 (void) fputs ("\n", usageout);
55@@ -387,12 +388,13 @@ static void process_flags (int argc, char **argv) 57 exit (status);
58 }
59@@ -387,13 +388,14 @@ static void process_flags (int argc, char **argv)
56 {"key", required_argument, NULL, 'K'}, 60 {"key", required_argument, NULL, 'K'},
57 {"non-unique", no_argument, NULL, 'o'}, 61 {"non-unique", no_argument, NULL, 'o'},
58 {"password", required_argument, NULL, 'p'}, 62 {"password", required_argument, NULL, 'p'},
59+ {"clear-password", required_argument, NULL, 'P'}, 63+ {"clear-password", required_argument, NULL, 'P'},
60 {"system", no_argument, NULL, 'r'}, 64 {"system", no_argument, NULL, 'r'},
61 {"root", required_argument, NULL, 'R'}, 65 {"root", required_argument, NULL, 'R'},
66- {"prefix", required_argument, NULL, 'P'},
67+ {"prefix", required_argument, NULL, 'A'},
62 {NULL, 0, NULL, '\0'} 68 {NULL, 0, NULL, '\0'}
63 }; 69 };
64 70
65- while ((c = getopt_long (argc, argv, "fg:hK:op:rR:", 71- while ((c = getopt_long (argc, argv, "fg:hK:op:rR:P:",
66+ while ((c = getopt_long (argc, argv, "fg:hK:op:P:rR:", 72+ while ((c = getopt_long (argc, argv, "fg:hK:op:P:rR:A:",
67 long_options, NULL)) != -1) { 73 long_options, NULL)) != -1) {
68 switch (c) { 74 switch (c) {
69 case 'f': 75 case 'f':
70@@ -444,6 +446,10 @@ static void process_flags (int argc, char **argv) 76@@ -445,12 +447,20 @@ static void process_flags (int argc, char **argv)
71 pflg = true; 77 pflg = true;
72 group_passwd = optarg; 78 group_passwd = optarg;
73 break; 79 break;
@@ -78,32 +84,57 @@ index f716f57..4e28c26 100644
78 case 'r': 84 case 'r':
79 rflg = true; 85 rflg = true;
80 break; 86 break;
87 case 'R': /* no-op, handled in process_root_flag () */
88 break;
89- case 'P': /* no-op, handled in process_prefix_flag () */
90+ case 'A': /* no-op, handled in process_prefix_flag () */
91+ fprintf (stderr,
92+ _("%s: -A is deliberately not supported \n"),
93+ Prog);
94+ exit (E_BAD_ARG);
95 break;
96 default:
97 usage (E_USAGE);
98@@ -584,7 +594,7 @@ int main (int argc, char **argv)
99 (void) textdomain (PACKAGE);
100
101 process_root_flag ("-R", argc, argv);
102- prefix = process_prefix_flag ("-P", argc, argv);
103+ prefix = process_prefix_flag ("-A", argc, argv);
104
105 OPENLOG ("groupadd");
106 #ifdef WITH_AUDIT
81diff --git a/src/groupmod.c b/src/groupmod.c 107diff --git a/src/groupmod.c b/src/groupmod.c
82index d9d3807..68f49d1 100644 108index b293b98..72daf2c 100644
83--- a/src/groupmod.c 109--- a/src/groupmod.c
84+++ b/src/groupmod.c 110+++ b/src/groupmod.c
85@@ -127,6 +127,7 @@ static void usage (int status) 111@@ -134,8 +134,9 @@ static void usage (int status)
86 (void) fputs (_(" -o, --non-unique allow to use a duplicate (non-unique) GID\n"), usageout); 112 (void) fputs (_(" -o, --non-unique allow to use a duplicate (non-unique) GID\n"), usageout);
87 (void) fputs (_(" -p, --password PASSWORD change the password to this (encrypted)\n" 113 (void) fputs (_(" -p, --password PASSWORD change the password to this (encrypted)\n"
88 " PASSWORD\n"), usageout); 114 " PASSWORD\n"), usageout);
89+ (void) fputs (_(" -P, --clear-password PASSWORD change the password to this clear PASSWORD\n"), usageout); 115+ (void) fputs (_(" -P, --clear-password PASSWORD change the password to this clear PASSWORD\n"), usageout);
90 (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); 116 (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
117- (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout);
118+ (void) fputs (_(" -A, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout);
91 (void) fputs ("\n", usageout); 119 (void) fputs ("\n", usageout);
92 exit (status); 120 exit (status);
93@@ -375,10 +376,11 @@ static void process_flags (int argc, char **argv) 121 }
122@@ -383,11 +384,12 @@ static void process_flags (int argc, char **argv)
94 {"new-name", required_argument, NULL, 'n'}, 123 {"new-name", required_argument, NULL, 'n'},
95 {"non-unique", no_argument, NULL, 'o'}, 124 {"non-unique", no_argument, NULL, 'o'},
96 {"password", required_argument, NULL, 'p'}, 125 {"password", required_argument, NULL, 'p'},
97+ {"clear-password", required_argument, NULL, 'P'}, 126+ {"clear-password", required_argument, NULL, 'P'},
98 {"root", required_argument, NULL, 'R'}, 127 {"root", required_argument, NULL, 'R'},
128- {"prefix", required_argument, NULL, 'P'},
129+ {"prefix", required_argument, NULL, 'A'},
99 {NULL, 0, NULL, '\0'} 130 {NULL, 0, NULL, '\0'}
100 }; 131 };
101- while ((c = getopt_long (argc, argv, "g:hn:op:R:", 132- while ((c = getopt_long (argc, argv, "g:hn:op:R:P:",
102+ while ((c = getopt_long (argc, argv, "g:hn:op:P:R:", 133+ while ((c = getopt_long (argc, argv, "g:hn:op:P:R:A:",
103 long_options, NULL)) != -1) { 134 long_options, NULL)) != -1) {
104 switch (c) { 135 switch (c) {
105 case 'g': 136 case 'g':
106@@ -405,6 +407,10 @@ static void process_flags (int argc, char **argv) 137@@ -414,9 +416,17 @@ static void process_flags (int argc, char **argv)
107 group_passwd = optarg; 138 group_passwd = optarg;
108 pflg = true; 139 pflg = true;
109 break; 140 break;
@@ -113,40 +144,65 @@ index d9d3807..68f49d1 100644
113+ break; 144+ break;
114 case 'R': /* no-op, handled in process_root_flag () */ 145 case 'R': /* no-op, handled in process_root_flag () */
115 break; 146 break;
147- case 'P': /* no-op, handled in process_prefix_flag () */
148+ case 'A': /* no-op, handled in process_prefix_flag () */
149+ fprintf (stderr,
150+ _("%s: -A is deliberately not supported \n"),
151+ Prog);
152+ exit (E_BAD_ARG);
153 break;
116 default: 154 default:
155 usage (E_USAGE);
156@@ -757,7 +767,7 @@ int main (int argc, char **argv)
157 (void) textdomain (PACKAGE);
158
159 process_root_flag ("-R", argc, argv);
160- prefix = process_prefix_flag ("-P", argc, argv);
161+ prefix = process_prefix_flag ("-A", argc, argv);
162
163 OPENLOG ("groupmod");
164 #ifdef WITH_AUDIT
117diff --git a/src/useradd.c b/src/useradd.c 165diff --git a/src/useradd.c b/src/useradd.c
118index b3bd451..4416f90 100644 166index c74e491..7214e72 100644
119--- a/src/useradd.c 167--- a/src/useradd.c
120+++ b/src/useradd.c 168+++ b/src/useradd.c
121@@ -776,6 +776,7 @@ static void usage (int status) 169@@ -829,9 +829,10 @@ static void usage (int status)
122 (void) fputs (_(" -o, --non-unique allow to create users with duplicate\n" 170 (void) fputs (_(" -o, --non-unique allow to create users with duplicate\n"
123 " (non-unique) UID\n"), usageout); 171 " (non-unique) UID\n"), usageout);
124 (void) fputs (_(" -p, --password PASSWORD encrypted password of the new account\n"), usageout); 172 (void) fputs (_(" -p, --password PASSWORD encrypted password of the new account\n"), usageout);
125+ (void) fputs (_(" -P, --clear-password PASSWORD clear password of the new account\n"), usageout); 173+ (void) fputs (_(" -P, --clear-password PASSWORD clear password of the new account\n"), usageout);
126 (void) fputs (_(" -r, --system create a system account\n"), usageout); 174 (void) fputs (_(" -r, --system create a system account\n"), usageout);
127 (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); 175 (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
176- (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout);
177+ (void) fputs (_(" -A, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout);
128 (void) fputs (_(" -s, --shell SHELL login shell of the new account\n"), usageout); 178 (void) fputs (_(" -s, --shell SHELL login shell of the new account\n"), usageout);
129@@ -1050,6 +1051,7 @@ static void process_flags (int argc, char **argv) 179 (void) fputs (_(" -u, --uid UID user ID of the new account\n"), usageout);
180 (void) fputs (_(" -U, --user-group create a group with the same name as the user\n"), usageout);
181@@ -1104,9 +1105,10 @@ static void process_flags (int argc, char **argv)
130 {"no-user-group", no_argument, NULL, 'N'}, 182 {"no-user-group", no_argument, NULL, 'N'},
131 {"non-unique", no_argument, NULL, 'o'}, 183 {"non-unique", no_argument, NULL, 'o'},
132 {"password", required_argument, NULL, 'p'}, 184 {"password", required_argument, NULL, 'p'},
133+ {"clear-password", required_argument, NULL, 'P'}, 185+ {"clear-password", required_argument, NULL, 'P'},
134 {"system", no_argument, NULL, 'r'}, 186 {"system", no_argument, NULL, 'r'},
135 {"root", required_argument, NULL, 'R'}, 187 {"root", required_argument, NULL, 'R'},
188- {"prefix", required_argument, NULL, 'P'},
189+ {"prefix", required_argument, NULL, 'A'},
136 {"shell", required_argument, NULL, 's'}, 190 {"shell", required_argument, NULL, 's'},
137@@ -1062,9 +1064,9 @@ static void process_flags (int argc, char **argv) 191 {"uid", required_argument, NULL, 'u'},
192 {"user-group", no_argument, NULL, 'U'},
193@@ -1117,9 +1119,9 @@ static void process_flags (int argc, char **argv)
138 }; 194 };
139 while ((c = getopt_long (argc, argv, 195 while ((c = getopt_long (argc, argv,
140 #ifdef WITH_SELINUX 196 #ifdef WITH_SELINUX
141- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:", 197- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:UZ:",
142+ "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:s:u:UZ:", 198+ "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:A:s:u:UZ:",
143 #else /* !WITH_SELINUX */ 199 #else /* !WITH_SELINUX */
144- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U", 200- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U",
145+ "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:s:u:U", 201+ "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:A:s:u:U",
146 #endif /* !WITH_SELINUX */ 202 #endif /* !WITH_SELINUX */
147 long_options, NULL)) != -1) { 203 long_options, NULL)) != -1) {
148 switch (c) { 204 switch (c) {
149@@ -1230,6 +1232,9 @@ static void process_flags (int argc, char **argv) 205@@ -1285,12 +1287,19 @@ static void process_flags (int argc, char **argv)
150 } 206 }
151 user_pass = optarg; 207 user_pass = optarg;
152 break; 208 break;
@@ -156,36 +212,62 @@ index b3bd451..4416f90 100644
156 case 'r': 212 case 'r':
157 rflg = true; 213 rflg = true;
158 break; 214 break;
215 case 'R': /* no-op, handled in process_root_flag () */
216 break;
217- case 'P': /* no-op, handled in process_prefix_flag () */
218+ case 'A': /* no-op, handled in process_prefix_flag () */
219+ fprintf (stderr,
220+ _("%s: -A is deliberately not supported \n"),
221+ Prog);
222+ exit (E_BAD_ARG);
223 break;
224 case 's':
225 if ( ( !VALID (optarg) )
226@@ -2148,7 +2157,7 @@ int main (int argc, char **argv)
227
228 process_root_flag ("-R", argc, argv);
229
230- prefix = process_prefix_flag("-P", argc, argv);
231+ prefix = process_prefix_flag("-A", argc, argv);
232
233 OPENLOG ("useradd");
234 #ifdef WITH_AUDIT
159diff --git a/src/usermod.c b/src/usermod.c 235diff --git a/src/usermod.c b/src/usermod.c
160index e7d4351..b79f7a3 100644 236index e571426..ccfbb99 100644
161--- a/src/usermod.c 237--- a/src/usermod.c
162+++ b/src/usermod.c 238+++ b/src/usermod.c
163@@ -419,6 +419,7 @@ static /*@noreturn@*/void usage (int status) 239@@ -424,8 +424,9 @@ static /*@noreturn@*/void usage (int status)
164 " new location (use only with -d)\n"), usageout); 240 " new location (use only with -d)\n"), usageout);
165 (void) fputs (_(" -o, --non-unique allow using duplicate (non-unique) UID\n"), usageout); 241 (void) fputs (_(" -o, --non-unique allow using duplicate (non-unique) UID\n"), usageout);
166 (void) fputs (_(" -p, --password PASSWORD use encrypted password for the new password\n"), usageout); 242 (void) fputs (_(" -p, --password PASSWORD use encrypted password for the new password\n"), usageout);
167+ (void) fputs (_(" -P, --clear-password PASSWORD use clear password for the new password\n"), usageout); 243+ (void) fputs (_(" -P, --clear-password PASSWORD use clear password for the new password\n"), usageout);
168 (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); 244 (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
245- (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout);
246+ (void) fputs (_(" -A, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout);
169 (void) fputs (_(" -s, --shell SHELL new login shell for the user account\n"), usageout); 247 (void) fputs (_(" -s, --shell SHELL new login shell for the user account\n"), usageout);
170 (void) fputs (_(" -u, --uid UID new UID for the user account\n"), usageout); 248 (void) fputs (_(" -u, --uid UID new UID for the user account\n"), usageout);
171@@ -996,6 +997,7 @@ static void process_flags (int argc, char **argv) 249 (void) fputs (_(" -U, --unlock unlock the user account\n"), usageout);
250@@ -1002,8 +1003,9 @@ static void process_flags (int argc, char **argv)
172 {"move-home", no_argument, NULL, 'm'}, 251 {"move-home", no_argument, NULL, 'm'},
173 {"non-unique", no_argument, NULL, 'o'}, 252 {"non-unique", no_argument, NULL, 'o'},
174 {"password", required_argument, NULL, 'p'}, 253 {"password", required_argument, NULL, 'p'},
175+ {"clear-password", required_argument, NULL, 'P'}, 254+ {"clear-password", required_argument, NULL, 'P'},
176 {"root", required_argument, NULL, 'R'}, 255 {"root", required_argument, NULL, 'R'},
256- {"prefix", required_argument, NULL, 'P'},
257+ {"prefix", required_argument, NULL, 'A'},
177 {"shell", required_argument, NULL, 's'}, 258 {"shell", required_argument, NULL, 's'},
178 {"uid", required_argument, NULL, 'u'}, 259 {"uid", required_argument, NULL, 'u'},
179@@ -1012,7 +1014,7 @@ static void process_flags (int argc, char **argv) 260 {"unlock", no_argument, NULL, 'U'},
261@@ -1019,7 +1021,7 @@ static void process_flags (int argc, char **argv)
180 {NULL, 0, NULL, '\0'} 262 {NULL, 0, NULL, '\0'}
181 }; 263 };
182 while ((c = getopt_long (argc, argv, 264 while ((c = getopt_long (argc, argv,
183- "ac:d:e:f:g:G:hl:Lmop:R:s:u:U" 265- "ac:d:e:f:g:G:hl:Lmop:R:s:u:UP:"
184+ "ac:d:e:f:g:G:hl:Lmop:P:R:s:u:U" 266+ "ac:d:e:f:g:G:hl:Lmop:P:R:s:u:UA:"
185 #ifdef ENABLE_SUBIDS 267 #ifdef ENABLE_SUBIDS
186 "v:w:V:W:" 268 "v:w:V:W:"
187 #endif /* ENABLE_SUBIDS */ 269 #endif /* ENABLE_SUBIDS */
188@@ -1112,6 +1114,10 @@ static void process_flags (int argc, char **argv) 270@@ -1119,9 +1121,17 @@ static void process_flags (int argc, char **argv)
189 user_pass = optarg; 271 user_pass = optarg;
190 pflg = true; 272 pflg = true;
191 break; 273 break;
@@ -195,7 +277,24 @@ index e7d4351..b79f7a3 100644
195+ break; 277+ break;
196 case 'R': /* no-op, handled in process_root_flag () */ 278 case 'R': /* no-op, handled in process_root_flag () */
197 break; 279 break;
280- case 'P': /* no-op, handled in process_prefix_flag () */
281+ case 'A': /* no-op, handled in process_prefix_flag () */
282+ fprintf (stderr,
283+ _("%s: -A is deliberately not supported \n"),
284+ Prog);
285+ exit (E_BAD_ARG);
286 break;
198 case 's': 287 case 's':
288 if (!VALID (optarg)) {
289@@ -2098,7 +2108,7 @@ int main (int argc, char **argv)
290 (void) textdomain (PACKAGE);
291
292 process_root_flag ("-R", argc, argv);
293- prefix = process_prefix_flag ("-P", argc, argv);
294+ prefix = process_prefix_flag ("-A", argc, argv);
295
296 OPENLOG ("usermod");
297 #ifdef WITH_AUDIT
199-- 298--
2001.7.9.5 2992.11.0
201 300
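--- a/meta/recipes-extended/shadow/files/check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 2cb54158b80cdbd97ca3b36df83f9255e923ae3f Mon Sep 17 00:00:00 2001
-From: James Le Cuirot <chewi@aura-online.co.uk>
-Date: Sat, 23 Aug 2014 09:46:39 +0100
-Subject: [PATCH] Check size of uid_t and gid_t using AC_CHECK_SIZEOF
-
-This built-in check is simpler than the previous method and, most
-importantly, works when cross-compiling.
-
-Upstream-Status: Accepted
-[https://github.com/shadow-maint/shadow/commit/2cb54158b80cdbd97ca3b36df83f9255e923ae3f]
-
-Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
----
- configure.in | 14 ++++----------
- 1 file changed, 4 insertions(+), 10 deletions(-)
-
-diff --git a/configure.in b/configure.in
-index 1a3f841..4a4d6d0 100644
---- a/configure.in
-+++ b/configure.in
-@@ -335,16 +335,10 @@ if test "$enable_subids" != "no"; then
- dnl
- dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc
- dnl
-- AC_RUN_IFELSE([AC_LANG_SOURCE([
--#include <sys/types.h>
--int main(void) {
-- uid_t u;
-- gid_t g;
-- return (sizeof u < 4) || (sizeof g < 4);
--}
-- ])], [id32bit="yes"], [id32bit="no"])
--
-- if test "x$id32bit" = "xyes"; then
-+ AC_CHECK_SIZEOF([uid_t],, [#include "sys/types.h"])
-+ AC_CHECK_SIZEOF([gid_t],, [#include "sys/types.h"])
-+
-+ if test "$ac_cv_sizeof_uid_t" -ge 4 && test "$ac_cv_sizeof_gid_t" -ge 4; then
- AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.])
- enable_subids="yes"
- else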
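--- a/meta/recipes-extended/shadow/files/fix-installation-failure-with-subids-disabled.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Upstream-Status: Pending
-
-Subject: fix installation failure with subids disabled
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- src/Makefile.am | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/Makefile.am b/src/Makefile.am
-index 25e288d..076f8ef 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -52,7 +52,10 @@ usbin_PROGRAMS = \
- noinst_PROGRAMS = id sulogin
-
- suidbins = su
--suidubins = chage chfn chsh expiry gpasswd newgrp passwd newuidmap newgidmap
-+suidubins = chage chfn chsh expiry gpasswd newgrp passwd
-+if ENABLE_SUBIDS
-+suidubins += newgidmap newuidmap
-+endif
- if ACCT_TOOLS_SETUID
- suidubins += chage chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod
- endif
---
-1.7.9.5
-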
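--- a/meta/recipes-extended/shadow/files/usermod-fix-compilation-failure-with-subids-disabled.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Upstream-Status: Pending
-
-usermod: fix compilation failure with subids disabled
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- src/usermod.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/usermod.c b/src/usermod.c
-index e7d4351..685b50a 100644
---- a/src/usermod.c
-+++ b/src/usermod.c
-@@ -1360,7 +1360,7 @@ static void process_flags (int argc, char **argv)
- Prog, (unsigned long) user_newid);
- exit (E_UID_IN_USE);
- }
--
-+#ifdef ENABLE_SUBIDS
- if ( (vflg || Vflg)
- && !is_sub_uid) {
- fprintf (stderr,
-@@ -1376,6 +1376,7 @@ static void process_flags (int argc, char **argv)
- Prog, sub_gid_dbname (), "-w", "-W");
- exit (E_USAGE);
- }
-+#endif
- }
-
- /*
---
-1.7.9.5
-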
diff --git a/meta/recipes-extended/shadow/shadow-securetty_4.2.1.bb b/meta/recipes-extended/shadow/shadow-securetty_4.6.bb
index c78f888cf4..c78f888cf4 100644
--- a/meta/recipes-extended/shadow/shadow-securetty_4.2.1.bb
+++ b/meta/recipes-extended/shadow/shadow-securetty_4.6.bb
diff --git a/meta/recipes-extended/shadow/shadow-sysroot_4.2.1.bb b/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb
index ef014628f6..ef014628f6 100644
--- a/meta/recipes-extended/shadow/shadow-sysroot_4.2.1.bb
+++ b/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb
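--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -9,16 +9,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=ed80ff1c2b40843cf5768e5229cf16e5 \
 DEPENDS = "virtual/crypt"
 
 UPSTREAM_CHECK_URI = "https://github.com/shadow-maint/shadow/releases"
-
-SRC_URI = "https://downloads.yoctoproject.org/mirror/sources/${BP}.tar.xz \
+SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.tar.gz \
  file://shadow-4.1.3-dots-in-usernames.patch \
- file://usermod-fix-compilation-failure-with-subids-disabled.patch \
- file://fix-installation-failure-with-subids-disabled.patch \
- file://0001-Do-not-read-login.defs-before-doing-chroot.patch \
- file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
  file://0001-useradd-copy-extended-attributes-of-home.patch \
- file://0001-shadow-CVE-2017-12424 \
- file://CVE-2017-2616.patch \
  ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
  "
 
@@ -38,8 +31,8 @@ SRC_URI_append_class-nativesdk = " \
  file://0001-Disable-use-of-syslog-for-sysroot.patch \
  "
 
-SRC_URI[md5sum] = "2bfafe7d4962682d31b5eba65dba4fc8"
-SRC_URI[sha256sum] = "3b0893d1476766868cd88920f4f1231c4795652aa407569faff802bcda0f3d41"
+SRC_URI[md5sum] = "36feb15665338ae3de414f2a88e434db"
+SRC_URI[sha256sum] = "4668f99bd087399c4a586084dc3b046b75f560720d83e92fd23bf7a89dda4d31"
 
 # Additional Policy files for PAM
 PAM_SRC_URI = "file://pam.d/chfn \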
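Review bot: The two CVE fix patches (`0001-shadow-CVE-2017-12424` and `CVE-2017-2616.patch`) are dropped from SRC_URI in the first hunk, and nothing left in the recipe records why. The only justification is the commit message's statement that 4.6 already contains the fixes, which this page does not let a reader confirm. Before relying on the version bump alone, it is worth checking the 4.6 tarball for both upstream fixes and recording the result, for example with a line such as `# CVE-2017-12424, CVE-2017-2616: fixed upstream in 4.6, local patches dropped` above SRC_URI. The new tarball is still pinned by `SRC_URI[sha256sum]`, so the move to the GitHub release URL does not by itself weaken integrity checking.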
diff --git a/meta/recipes-extended/shadow/shadow_4.2.1.bb b/meta/recipes-extended/shadow/shadow_4.6.bb
index 5675cb8cc9..5675cb8cc9 100644
--- a/meta/recipes-extended/shadow/shadow_4.2.1.bb
+++ b/meta/recipes-extended/shadow/shadow_4.6.bb