sudo: handle glibc 2.17 crypt semantics

Staring from glibc 2.17 the crypt() function will error out and return NULL if the seed or "correct" is invalid. The failure case for this is the sudo user having a locked account in /etc/shadow, so their password is "!", which is an invalid hash. crypt() never returned NULL previously so this is crashing in strcmp(). [ YOCTO #4241 ] (From OE-Core rev: 06d7078f7631b92e8b789f8e94a3a346d8181ce6) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@intel.com> 2013-04-11 15:57:58 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2013-04-11 16:12:30 +0100
commit: 83cc3abf34ddffd6b59d6f7ec8da077532a32f2f (patch)
tree: 5f2caebb38ef1420f0b95f95554ec7dc09f06589
parent: ce960f42005ceca90cf449931291c8cab995111a (diff)
download: poky-83cc3abf34ddffd6b59d6f7ec8da077532a32f2f.tar.gz
2 files changed, 25 insertions, 0 deletions
diff --git a/meta/recipes-extended/sudo/files/crypt.patch b/meta/recipes-extended/sudo/files/crypt.patch
new file mode 100644
index 0000000000..53a257f52c
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/crypt.patch
@@ -0,0 +1,24 @@
+Staring from glibc 2.17 the crypt() function will error out and return NULL if
+the seed or "correct" is invalid. The failure case for this is the sudo user
+having a locked account in /etc/shadow, so their password is "!", which is an
+invalid hash.  crypt() never returned NULL previously so this is crashing in
+strcmp().
+Upstream-Status: Pending
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+Index: sudo-1.8.6p7/plugins/sudoers/auth/passwd.c
+===================================================================
+--- sudo-1.8.6p7.orig/plugins/sudoers/auth/passwd.c     2013-04-11 15:26:28.456416867 +0100
+++ sudo-1.8.6p7/plugins/sudoers/auth/passwd.c  2013-04-11 15:31:31.156421718 +0100
+@@ -96,7 +96,9 @@
+      */
+     epass = (char *) crypt(pass, pw_epasswd);
+     pass[8] = sav;
+-    if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
+    if (epass == NULL)
+       error = AUTH_FAILURE;
+    else if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
+        error = strncmp(pw_epasswd, epass, DESLEN);
+     else
+        error = strcmp(pw_epasswd, epass);
diff --git a/meta/recipes-extended/sudo/sudo_1.8.6p7.bb b/meta/recipes-extended/sudo/sudo_1.8.6p7.bb
index b79d0d58d8..7198fd3c14 100644
--- a/meta/recipes-extended/sudo/sudo_1.8.6p7.bb
+++ b/meta/recipes-extended/sudo/sudo_1.8.6p7.bb
@@ -4,6 +4,7 @@ PR = "r0"
 SRC_URI = "http://ftp.sudo.ws/sudo/dist/sudo-${PV}.tar.gz \
           file://libtool.patch \
+           file://crypt.patch \
           ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"
 PAM_SRC_URI = "file://sudo.pam"
author	Ross Burton <ross.burton@intel.com>	2013-04-11 15:57:58 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2013-04-11 16:12:30 +0100
commit	83cc3abf34ddffd6b59d6f7ec8da077532a32f2f (patch)
tree	5f2caebb38ef1420f0b95f95554ec7dc09f06589
parent	ce960f42005ceca90cf449931291c8cab995111a (diff)
download	poky-83cc3abf34ddffd6b59d6f7ec8da077532a32f2f.tar.gz

diff --git a/meta/recipes-extended/sudo/files/crypt.patch b/meta/recipes-extended/sudo/files/crypt.patch new file mode 100644 index 0000000000..53a257f52c --- /dev/null +++ b/meta/recipes-extended/sudo/files/crypt.patch
@@ -0,0 +1,24 @@
		1	Staring from glibc 2.17 the crypt() function will error out and return NULL if
		2	the seed or "correct" is invalid. The failure case for this is the sudo user
		3	having a locked account in /etc/shadow, so their password is "!", which is an
		4	invalid hash. crypt() never returned NULL previously so this is crashing in
		5	strcmp().
		6
		7	Upstream-Status: Pending
		8	Signed-off-by: Ross Burton <ross.burton@intel.com>
		9
		10	Index: sudo-1.8.6p7/plugins/sudoers/auth/passwd.c
		11	===================================================================
		12	--- sudo-1.8.6p7.orig/plugins/sudoers/auth/passwd.c 2013-04-11 15:26:28.456416867 +0100
		13	+++ sudo-1.8.6p7/plugins/sudoers/auth/passwd.c 2013-04-11 15:31:31.156421718 +0100
		14	@@ -96,7 +96,9 @@
		15	*/
		16	epass = (char *) crypt(pass, pw_epasswd);
		17	pass[8] = sav;
		18	- if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
		19	+ if (epass == NULL)
		20	+ error = AUTH_FAILURE;
		21	+ else if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
		22	error = strncmp(pw_epasswd, epass, DESLEN);
		23	else
		24	error = strcmp(pw_epasswd, epass);


diff --git a/meta/recipes-extended/sudo/sudo_1.8.6p7.bb b/meta/recipes-extended/sudo/sudo_1.8.6p7.bb index b79d0d58d8..7198fd3c14 100644 --- a/meta/recipes-extended/sudo/sudo_1.8.6p7.bb +++ b/meta/recipes-extended/sudo/sudo_1.8.6p7.bb
@@ -4,6 +4,7 @@ PR = "r0"
4		4
5	SRC_URI = "http://ftp.sudo.ws/sudo/dist/sudo-${PV}.tar.gz \	5	SRC_URI = "http://ftp.sudo.ws/sudo/dist/sudo-${PV}.tar.gz \
6	file://libtool.patch \	6	file://libtool.patch \
		7	file://crypt.patch \
7	${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"	8	${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"
8		9
9	PAM_SRC_URI = "file://sudo.pam"	10	PAM_SRC_URI = "file://sudo.pam"