diff options
author | Amarnath Valluri <amarnath.valluri@intel.com> | 2015-07-17 11:53:24 +0300 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-07-20 10:40:42 +0100 |
commit | 88dd997d9941b63ae9eead6690ecf2b785c0740c (patch) | |
tree | fe531585f3741dcb457bcf74683db6f60a0a2bce /meta/recipes-extended/pam | |
parent | e9b9f8c0c5a208c02453839442099527fe6b13de (diff) | |
download | poky-88dd997d9941b63ae9eead6690ecf2b785c0740c.tar.gz |
libpam: Upgrade v1.1.6 -> v1.2.1
Dropped upstreamed patches(commit-id):
- add-checks-for-crypt-returning-NULL.patch(8dc056c)
- destdirfix.patch(d7e6b92)
- libpam-fix-for-CVE-2010-4708.patch(4c430f6)
Dropped backported patches(commit-id):
- pam_timestamp-fix-potential-directory-traversal-issu.patch(9dcead8)
- reflect-the-enforce_for_root-semantics-change-in-pam.patch(bd07ad3)
Forward ported patches:
- pam-unix-nullok-secure.patch
- crypt_configure.patch
(From OE-Core rev: 8683206f7ba85f693751415f896a0cc62931e3c4)
Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/pam')
-rw-r--r-- | meta/recipes-extended/pam/libpam/add-checks-for-crypt-returning-NULL.patch | 63 | ||||
-rw-r--r-- | meta/recipes-extended/pam/libpam/crypt_configure.patch | 4 | ||||
-rw-r--r-- | meta/recipes-extended/pam/libpam/destdirfix.patch | 24 | ||||
-rw-r--r-- | meta/recipes-extended/pam/libpam/libpam-fix-for-CVE-2010-4708.patch | 41 | ||||
-rw-r--r-- | meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch | 226 | ||||
-rw-r--r-- | meta/recipes-extended/pam/libpam/pam_timestamp-fix-potential-directory-traversal-issu.patch | 63 | ||||
-rw-r--r-- | meta/recipes-extended/pam/libpam/reflect-the-enforce_for_root-semantics-change-in-pam.patch | 35 | ||||
-rw-r--r-- | meta/recipes-extended/pam/libpam_1.2.1.bb (renamed from meta/recipes-extended/pam/libpam_1.1.6.bb) | 10 |
8 files changed, 127 insertions, 339 deletions
diff --git a/meta/recipes-extended/pam/libpam/add-checks-for-crypt-returning-NULL.patch b/meta/recipes-extended/pam/libpam/add-checks-for-crypt-returning-NULL.patch deleted file mode 100644 index d364cea97e..0000000000 --- a/meta/recipes-extended/pam/libpam/add-checks-for-crypt-returning-NULL.patch +++ /dev/null | |||
@@ -1,63 +0,0 @@ | |||
1 | Backport from linux-pam git repo. | ||
2 | |||
3 | [YOCTO #4107] | ||
4 | |||
5 | Upstream-Status: Backport | ||
6 | |||
7 | Signed-off-by: Kang Kai <kai.kang@windriver.com> | ||
8 | |||
9 | From 8dc056c1c8bc7acb66c4decc49add2c3a24e6310 Mon Sep 17 00:00:00 2001 | ||
10 | From: Tomas Mraz <tmraz@fedoraproject.org> | ||
11 | Date: Fri, 8 Feb 2013 15:04:26 +0100 | ||
12 | Subject: [PATCH] Add checks for crypt() returning NULL. | ||
13 | |||
14 | modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return. | ||
15 | modules/pam_unix/bigcrypt.c (bigcrypt): Likewise. | ||
16 | --- | ||
17 | modules/pam_pwhistory/opasswd.c | 2 +- | ||
18 | modules/pam_unix/bigcrypt.c | 9 +++++++++ | ||
19 | 2 files changed, 10 insertions(+), 1 deletions(-) | ||
20 | |||
21 | diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c | ||
22 | index 274fdb9..836d713 100644 | ||
23 | --- a/modules/pam_pwhistory/opasswd.c | ||
24 | +++ b/modules/pam_pwhistory/opasswd.c | ||
25 | @@ -108,7 +108,7 @@ compare_password(const char *newpass, const char *oldpass) | ||
26 | outval = crypt (newpass, oldpass); | ||
27 | #endif | ||
28 | |||
29 | - return strcmp(outval, oldpass) == 0; | ||
30 | + return outval != NULL && strcmp(outval, oldpass) == 0; | ||
31 | } | ||
32 | |||
33 | /* Check, if the new password is already in the opasswd file. */ | ||
34 | diff --git a/modules/pam_unix/bigcrypt.c b/modules/pam_unix/bigcrypt.c | ||
35 | index e10d1c5..e1d57a0 100644 | ||
36 | --- a/modules/pam_unix/bigcrypt.c | ||
37 | +++ b/modules/pam_unix/bigcrypt.c | ||
38 | @@ -109,6 +109,10 @@ char *bigcrypt(const char *key, const char *salt) | ||
39 | #else | ||
40 | tmp_ptr = crypt(plaintext_ptr, salt); /* libc crypt() */ | ||
41 | #endif | ||
42 | + if (tmp_ptr == NULL) { | ||
43 | + free(dec_c2_cryptbuf); | ||
44 | + return NULL; | ||
45 | + } | ||
46 | /* and place in the static area */ | ||
47 | strncpy(cipher_ptr, tmp_ptr, 13); | ||
48 | cipher_ptr += ESEGMENT_SIZE + SALT_SIZE; | ||
49 | @@ -130,6 +134,11 @@ char *bigcrypt(const char *key, const char *salt) | ||
50 | #else | ||
51 | tmp_ptr = crypt(plaintext_ptr, salt_ptr); | ||
52 | #endif | ||
53 | + if (tmp_ptr == NULL) { | ||
54 | + _pam_overwrite(dec_c2_cryptbuf); | ||
55 | + free(dec_c2_cryptbuf); | ||
56 | + return NULL; | ||
57 | + } | ||
58 | |||
59 | /* skip the salt for seg!=0 */ | ||
60 | strncpy(cipher_ptr, (tmp_ptr + SALT_SIZE), ESEGMENT_SIZE); | ||
61 | -- | ||
62 | 1.7.5.4 | ||
63 | |||
diff --git a/meta/recipes-extended/pam/libpam/crypt_configure.patch b/meta/recipes-extended/pam/libpam/crypt_configure.patch index efa82fb9b9..bec82a5f10 100644 --- a/meta/recipes-extended/pam/libpam/crypt_configure.patch +++ b/meta/recipes-extended/pam/libpam/crypt_configure.patch | |||
@@ -16,8 +16,8 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com> | |||
16 | 16 | ||
17 | Index: Linux-PAM-1.1.6/configure.in | 17 | Index: Linux-PAM-1.1.6/configure.in |
18 | =================================================================== | 18 | =================================================================== |
19 | --- Linux-PAM-1.1.6.org/configure.in | 19 | --- Linux-PAM-1.1.6.org/configure.ac |
20 | +++ Linux-PAM-1.1.6/configure.in | 20 | +++ Linux-PAM-1.1.6/configure.ac |
21 | @@ -400,7 +400,9 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" = | 21 | @@ -400,7 +400,9 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" = |
22 | [crypt_libs="crypt"]) | 22 | [crypt_libs="crypt"]) |
23 | 23 | ||
diff --git a/meta/recipes-extended/pam/libpam/destdirfix.patch b/meta/recipes-extended/pam/libpam/destdirfix.patch deleted file mode 100644 index 52145ecb34..0000000000 --- a/meta/recipes-extended/pam/libpam/destdirfix.patch +++ /dev/null | |||
@@ -1,24 +0,0 @@ | |||
1 | Avoid the failure: | ||
2 | |||
3 | | mkdir -p /etc/security/namespace.d | ||
4 | | mkdir: cannot create directory `/etc/security/namespace.d': Permission denied | ||
5 | |||
6 | if /etc/security/namespace.d doesn't exist. The DESTDIR prefix is missing. | ||
7 | |||
8 | RP 2012/8/19 | ||
9 | |||
10 | Upstream-Status: Pending | ||
11 | |||
12 | Index: Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am | ||
13 | =================================================================== | ||
14 | --- Linux-PAM-1.1.6.orig/modules/pam_namespace/Makefile.am 2012-08-15 11:08:43.000000000 +0000 | ||
15 | +++ Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am 2012-08-19 12:25:32.311038943 +0000 | ||
16 | @@ -40,7 +40,7 @@ | ||
17 | secureconf_SCRIPTS = namespace.init | ||
18 | |||
19 | install-data-local: | ||
20 | - mkdir -p $(namespaceddir) | ||
21 | + mkdir -p $(DESTDIR)$(namespaceddir) | ||
22 | endif | ||
23 | |||
24 | |||
diff --git a/meta/recipes-extended/pam/libpam/libpam-fix-for-CVE-2010-4708.patch b/meta/recipes-extended/pam/libpam/libpam-fix-for-CVE-2010-4708.patch deleted file mode 100644 index 5d2b69aae0..0000000000 --- a/meta/recipes-extended/pam/libpam/libpam-fix-for-CVE-2010-4708.patch +++ /dev/null | |||
@@ -1,41 +0,0 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Fix for CVE-2010-4708 | ||
4 | |||
5 | Change default for user_readenv to 0 and document the | ||
6 | new default for user_readenv. | ||
7 | |||
8 | This fix is got from: | ||
9 | http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env | ||
10 | /pam_env.c?r1=1.22&r2=1.23&view=patch | ||
11 | http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env | ||
12 | /pam_env.8.xml?r1=1.7&r2=1.8&view=patch | ||
13 | |||
14 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | ||
15 | |||
16 | --- | ||
17 | --- a/modules/pam_env/pam_env.c 2012-09-05 13:57:47.000000000 +0800 | ||
18 | +++ b/modules/pam_env/pam_env.c 2012-09-05 13:58:05.000000000 +0800 | ||
19 | @@ -10,7 +10,7 @@ | ||
20 | #define DEFAULT_READ_ENVFILE 1 | ||
21 | |||
22 | #define DEFAULT_USER_ENVFILE ".pam_environment" | ||
23 | -#define DEFAULT_USER_READ_ENVFILE 1 | ||
24 | +#define DEFAULT_USER_READ_ENVFILE 0 | ||
25 | |||
26 | #include "config.h" | ||
27 | |||
28 | --- a/modules/pam_env/pam_env.8.xml 2012-09-05 13:58:24.000000000 +0800 | ||
29 | +++ b/modules/pam_env/pam_env.8.xml 2012-09-05 13:59:36.000000000 +0800 | ||
30 | @@ -147,7 +147,10 @@ | ||
31 | <listitem> | ||
32 | <para> | ||
33 | Turns on or off the reading of the user specific environment | ||
34 | - file. 0 is off, 1 is on. By default this option is on. | ||
35 | + file. 0 is off, 1 is on. By default this option is off as user | ||
36 | + supplied environment variables in the PAM environment could affect | ||
37 | + behavior of subsequent modules in the stack without the consent | ||
38 | + of the system administrator. | ||
39 | </para> | ||
40 | </listitem> | ||
41 | </varlistentry> | ||
diff --git a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch index b285e96c27..423267f707 100644 --- a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch +++ b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch | |||
@@ -1,6 +1,9 @@ | |||
1 | Debian patch to add a new 'nullok_secure' option to pam_unix, which | 1 | From 9bdc197474795f2d000c2bc04f58f7cef8898f21 Mon Sep 17 00:00:00 2001 |
2 | accepts users with null passwords only when the applicant is connected | 2 | From: Amarnath Valluri <amarnath.valluri@intel.com> |
3 | from a tty listed in /etc/securetty. | 3 | Date: Wed, 15 Jul 2015 13:07:20 +0300 |
4 | Subject: [PATCH] Debian patch to add a new 'nullok_secure' option to pam_unix, | ||
5 | which accepts users with null passwords only when the applicant is connected | ||
6 | from a tty listed in /etc/securetty. | ||
4 | 7 | ||
5 | Authors: Sam Hartman <hartmans@debian.org>, | 8 | Authors: Sam Hartman <hartmans@debian.org>, |
6 | Steve Langasek <vorlon@debian.org> | 9 | Steve Langasek <vorlon@debian.org> |
@@ -8,10 +11,24 @@ Authors: Sam Hartman <hartmans@debian.org>, | |||
8 | Upstream-Status: Pending | 11 | Upstream-Status: Pending |
9 | 12 | ||
10 | Signed-off-by: Ming Liu <ming.liu@windriver.com> | 13 | Signed-off-by: Ming Liu <ming.liu@windriver.com> |
11 | =================================================================== | 14 | |
12 | diff -urpN a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am | 15 | v2: |
13 | --- a/modules/pam_unix/Makefile.am 2013-07-05 09:51:31.014483164 +0800 | 16 | - Forward ported from v1.1.6 to v1.2.1 |
14 | +++ b/modules/pam_unix/Makefile.am 2013-07-05 10:26:12.884484000 +0800 | 17 | |
18 | Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com> | ||
19 | --- | ||
20 | modules/pam_unix/Makefile.am | 3 ++- | ||
21 | modules/pam_unix/README | 11 ++++++++++- | ||
22 | modules/pam_unix/pam_unix.8 | 9 ++++++++- | ||
23 | modules/pam_unix/pam_unix.8.xml | 19 ++++++++++++++++++- | ||
24 | modules/pam_unix/support.c | 40 +++++++++++++++++++++++++++++++++++----- | ||
25 | modules/pam_unix/support.h | 8 ++++++-- | ||
26 | 6 files changed, 79 insertions(+), 11 deletions(-) | ||
27 | |||
28 | diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am | ||
29 | index 56ed591..9a372ac 100644 | ||
30 | --- a/modules/pam_unix/Makefile.am | ||
31 | +++ b/modules/pam_unix/Makefile.am | ||
15 | @@ -30,7 +30,8 @@ if HAVE_VERSIONING | 32 | @@ -30,7 +30,8 @@ if HAVE_VERSIONING |
16 | pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map | 33 | pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map |
17 | endif | 34 | endif |
@@ -22,10 +39,33 @@ diff -urpN a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am | |||
22 | 39 | ||
23 | securelib_LTLIBRARIES = pam_unix.la | 40 | securelib_LTLIBRARIES = pam_unix.la |
24 | 41 | ||
25 | diff -urpN a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8 | 42 | diff --git a/modules/pam_unix/README b/modules/pam_unix/README |
26 | --- a/modules/pam_unix/pam_unix.8 2013-07-05 09:52:16.825108201 +0800 | 43 | index 3935dba..7880d91 100644 |
27 | +++ b/modules/pam_unix/pam_unix.8 2013-07-05 10:28:34.724483774 +0800 | 44 | --- a/modules/pam_unix/README |
28 | @@ -220,7 +220,14 @@ A little more extreme than debug\&. | 45 | +++ b/modules/pam_unix/README |
46 | @@ -67,7 +67,16 @@ nullok | ||
47 | |||
48 | The default action of this module is to not permit the user access to a | ||
49 | service if their official password is blank. The nullok argument overrides | ||
50 | - this default. | ||
51 | + this default and allows any user with a blank password to access the | ||
52 | + service. | ||
53 | + | ||
54 | +nullok_secure | ||
55 | + | ||
56 | + The default action of this module is to not permit the user access to a | ||
57 | + service if their official password is blank. The nullok_secure argument | ||
58 | + overrides this default and allows any user with a blank password to access | ||
59 | + the service as long as the value of PAM_TTY is set to one of the values | ||
60 | + found in /etc/securetty. | ||
61 | |||
62 | try_first_pass | ||
63 | |||
64 | diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8 | ||
65 | index 339178b..a4bd906 100644 | ||
66 | --- a/modules/pam_unix/pam_unix.8 | ||
67 | +++ b/modules/pam_unix/pam_unix.8 | ||
68 | @@ -92,7 +92,14 @@ Turns off informational messages namely messages about session open and close vi | ||
29 | .RS 4 | 69 | .RS 4 |
30 | The default action of this module is to not permit the user access to a service if their official password is blank\&. The | 70 | The default action of this module is to not permit the user access to a service if their official password is blank\&. The |
31 | \fBnullok\fR | 71 | \fBnullok\fR |
@@ -41,10 +81,11 @@ diff -urpN a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8 | |||
41 | .RE | 81 | .RE |
42 | .PP | 82 | .PP |
43 | \fBtry_first_pass\fR | 83 | \fBtry_first_pass\fR |
44 | diff -urpN a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml | 84 | diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml |
45 | --- a/modules/pam_unix/pam_unix.8.xml 2013-07-05 09:52:38.775108523 +0800 | 85 | index a8b64bb..1ced6f4 100644 |
46 | +++ b/modules/pam_unix/pam_unix.8.xml 2013-07-05 10:30:23.084483630 +0800 | 86 | --- a/modules/pam_unix/pam_unix.8.xml |
47 | @@ -135,7 +135,24 @@ | 87 | +++ b/modules/pam_unix/pam_unix.8.xml |
88 | @@ -159,7 +159,24 @@ | ||
48 | <para> | 89 | <para> |
49 | The default action of this module is to not permit the | 90 | The default action of this module is to not permit the |
50 | user access to a service if their official password is blank. | 91 | user access to a service if their official password is blank. |
@@ -70,36 +111,15 @@ diff -urpN a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml | |||
70 | </para> | 111 | </para> |
71 | </listitem> | 112 | </listitem> |
72 | </varlistentry> | 113 | </varlistentry> |
73 | diff -urpN a/modules/pam_unix/README b/modules/pam_unix/README | 114 | diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c |
74 | --- a/modules/pam_unix/README 2013-07-05 09:51:52.205107846 +0800 | 115 | index abccd82..2361957 100644 |
75 | +++ b/modules/pam_unix/README 2013-07-05 10:27:10.774484537 +0800 | 116 | --- a/modules/pam_unix/support.c |
76 | @@ -57,7 +57,16 @@ nullok | 117 | +++ b/modules/pam_unix/support.c |
77 | 118 | @@ -189,13 +189,22 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, | |
78 | The default action of this module is to not permit the user access to a | ||
79 | service if their official password is blank. The nullok argument overrides | ||
80 | - this default. | ||
81 | + this default and allows any user with a blank password to access the | ||
82 | + service. | ||
83 | + | ||
84 | +nullok_secure | ||
85 | + | ||
86 | + The default action of this module is to not permit the user access to a | ||
87 | + service if their official password is blank. The nullok_secure argument | ||
88 | + overrides this default and allows any user with a blank password to access | ||
89 | + the service as long as the value of PAM_TTY is set to one of the values | ||
90 | + found in /etc/securetty. | ||
91 | |||
92 | try_first_pass | ||
93 | |||
94 | diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c | ||
95 | --- a/modules/pam_unix/support.c 2013-07-05 09:50:49.134482523 +0800 | ||
96 | +++ b/modules/pam_unix/support.c 2013-07-05 09:56:26.924484267 +0800 | ||
97 | @@ -84,14 +84,22 @@ int _set_ctrl(pam_handle_t *pamh, int fl | ||
98 | /* now parse the arguments to this module */ | 119 | /* now parse the arguments to this module */ |
99 | 120 | ||
100 | for (; argc-- > 0; ++argv) { | 121 | for (; argc-- > 0; ++argv) { |
101 | - int j; | 122 | + int sl; |
102 | + int j, sl; | ||
103 | 123 | ||
104 | D(("pam_unix arg: %s", *argv)); | 124 | D(("pam_unix arg: %s", *argv)); |
105 | 125 | ||
@@ -108,48 +128,46 @@ diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c | |||
108 | - && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) { | 128 | - && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) { |
109 | - break; | 129 | - break; |
110 | + if (unix_args[j].token) { | 130 | + if (unix_args[j].token) { |
111 | + sl = strlen(unix_args[j].token); | 131 | + sl = strlen(unix_args[j].token); |
112 | + if (unix_args[j].token[sl-1] == '=') { | 132 | + if (unix_args[j].token[sl-1] == '=') { |
113 | + /* exclude argument from comparison */ | 133 | + /* exclude argument from comparison */ |
114 | + if (!strncmp(*argv, unix_args[j].token, sl)) | 134 | + if (!strncmp(*argv, unix_args[j].token, sl)) |
115 | + break; | 135 | + break; |
116 | + } else { | 136 | + } else { |
117 | + /* compare full strings */ | 137 | + /* compare full strings */ |
118 | + if (!strcmp(*argv, unix_args[j].token)) | 138 | + if (!strcmp(*argv, unix_args[j].token)) |
119 | + break; | 139 | + break; |
120 | + } | 140 | + } |
121 | } | 141 | } |
122 | } | 142 | } |
123 | 143 | ||
124 | @@ -461,6 +469,7 @@ static int _unix_run_helper_binary(pam_h | 144 | @@ -566,6 +575,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, |
125 | child = fork(); | ||
126 | if (child == 0) { | 145 | if (child == 0) { |
127 | int i=0; | ||
128 | + int nullok = off(UNIX__NONULL, ctrl); | ||
129 | struct rlimit rlim; | ||
130 | static char *envp[] = { NULL }; | 146 | static char *envp[] = { NULL }; |
131 | char *args[] = { NULL, NULL, NULL, NULL }; | 147 | const char *args[] = { NULL, NULL, NULL, NULL }; |
132 | @@ -488,7 +497,18 @@ static int _unix_run_helper_binary(pam_h | 148 | + int nullok = off(UNIX__NONULL, ctrl); |
149 | |||
150 | /* XXX - should really tidy up PAM here too */ | ||
151 | |||
152 | @@ -593,7 +603,16 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, | ||
133 | /* exec binary helper */ | 153 | /* exec binary helper */ |
134 | args[0] = strdup(CHKPWD_HELPER); | 154 | args[0] = CHKPWD_HELPER; |
135 | args[1] = x_strdup(user); | 155 | args[1] = user; |
136 | - if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */ | 156 | - if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */ |
137 | + | ||
138 | + if (on(UNIX_NULLOK_SECURE, ctrl)) { | 157 | + if (on(UNIX_NULLOK_SECURE, ctrl)) { |
139 | + const void *uttyname; | 158 | + const void *uttyname; |
140 | + retval = pam_get_item(pamh, PAM_TTY, &uttyname); | 159 | + retval = pam_get_item(pamh, PAM_TTY, &uttyname); |
141 | + if (retval != PAM_SUCCESS || uttyname == NULL | 160 | + if (retval != PAM_SUCCESS || uttyname == NULL |
142 | + || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) | 161 | + || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) { |
143 | + { | 162 | + nullok = 0; |
144 | + nullok = 0; | 163 | + } |
145 | + } | ||
146 | + } | 164 | + } |
147 | + | 165 | + |
148 | + if (nullok) { | 166 | + if (nullok) { |
149 | args[2]=strdup("nullok"); | 167 | args[2]="nullok"; |
150 | } else { | 168 | } else { |
151 | args[2]=strdup("nonull"); | 169 | args[2]="nonull"; |
152 | @@ -567,6 +587,17 @@ _unix_blankpasswd (pam_handle_t *pamh, u | 170 | @@ -678,6 +697,17 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name) |
153 | if (on(UNIX__NONULL, ctrl)) | 171 | if (on(UNIX__NONULL, ctrl)) |
154 | return 0; /* will fail but don't let on yet */ | 172 | return 0; /* will fail but don't let on yet */ |
155 | 173 | ||
@@ -167,56 +185,56 @@ diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c | |||
167 | /* UNIX passwords area */ | 185 | /* UNIX passwords area */ |
168 | 186 | ||
169 | retval = get_pwd_hash(pamh, name, &pwd, &salt); | 187 | retval = get_pwd_hash(pamh, name, &pwd, &salt); |
170 | @@ -653,7 +684,8 @@ int _unix_verify_password(pam_handle_t * | 188 | @@ -764,7 +794,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name |
171 | } | 189 | } |
172 | } | 190 | } |
173 | } else { | 191 | } else { |
174 | - retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl)); | 192 | - retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl)); |
175 | + retval = verify_pwd_hash(p, salt, | 193 | + retval = verify_pwd_hash(p, salt, _unix_blankpasswd(pamh, ctrl, name)); |
176 | + _unix_blankpasswd(pamh, ctrl, name)); | ||
177 | } | 194 | } |
178 | 195 | ||
179 | if (retval == PAM_SUCCESS) { | 196 | if (retval == PAM_SUCCESS) { |
180 | diff -urpN a/modules/pam_unix/support.h b/modules/pam_unix/support.h | 197 | diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h |
181 | --- a/modules/pam_unix/support.h 2013-07-05 09:51:10.385107934 +0800 | 198 | index 3729ce0..43cdbea 100644 |
182 | +++ b/modules/pam_unix/support.h 2013-07-05 10:23:54.815107842 +0800 | 199 | --- a/modules/pam_unix/support.h |
183 | @@ -90,8 +90,9 @@ typedef struct { | 200 | +++ b/modules/pam_unix/support.h |
184 | password hash algorithms */ | 201 | @@ -99,8 +99,9 @@ typedef struct { |
185 | #define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */ | ||
186 | #define UNIX_MIN_PASS_LEN 27 /* min length for password */ | 202 | #define UNIX_MIN_PASS_LEN 27 /* min length for password */ |
187 | +#define UNIX_NULLOK_SECURE 28 /* NULL passwords allowed only on secure ttys */ | 203 | #define UNIX_QUIET 28 /* Don't print informational messages */ |
204 | #define UNIX_DES 29 /* DES, default */ | ||
205 | +#define UNIX_NULLOK_SECURE 30 /* NULL passwords allowed only on secure ttys */ | ||
188 | /* -------------- */ | 206 | /* -------------- */ |
189 | -#define UNIX_CTRLS_ 28 /* number of ctrl arguments defined */ | 207 | -#define UNIX_CTRLS_ 30 /* number of ctrl arguments defined */ |
190 | +#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */ | 208 | +#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */ |
191 | 209 | ||
192 | #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)) | 210 | #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)) |
193 | 211 | ||
194 | @@ -109,7 +110,7 @@ static const UNIX_Ctrls unix_args[UNIX_C | 212 | @@ -118,7 +119,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = |
195 | /* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100}, | 213 | /* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100, 0}, |
196 | /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200}, | 214 | /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0}, |
197 | /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400}, | 215 | /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0}, |
198 | -/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000}, | 216 | -/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0}, |
199 | +/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x10000000), 0x200}, | 217 | +/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x10000000), 0200, 0}, |
200 | /* UNIX__QUIET */ {NULL, _ALL_ON_, 02000}, | 218 | /* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0}, |
201 | /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000}, | 219 | /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0}, |
202 | /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000}, | 220 | /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0}, |
203 | @@ -127,7 +128,8 @@ static const UNIX_Ctrls unix_args[UNIX_C | 221 | @@ -139,6 +140,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = |
204 | /* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000}, | 222 | /* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0}, |
205 | /* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000}, | 223 | /* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0}, |
206 | /* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000}, | 224 | /* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1}, |
207 | -/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000}, | 225 | +/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200), 0x10000000, 0}, |
208 | +/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000}, | ||
209 | +/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200), 0x10000000}, | ||
210 | }; | 226 | }; |
211 | 227 | ||
212 | #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) | 228 | #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) |
213 | @@ -163,6 +165,9 @@ extern int _unix_read_password(pam_handl | 229 | @@ -171,6 +173,8 @@ extern int _unix_read_password(pam_handle_t * pamh |
230 | ,const char *prompt2 | ||
214 | ,const char *data_name | 231 | ,const char *data_name |
215 | ,const void **pass); | 232 | ,const void **pass); |
216 | |||
217 | +extern int _pammodutil_tty_secure(const pam_handle_t *pamh, | 233 | +extern int _pammodutil_tty_secure(const pam_handle_t *pamh, |
218 | + const char *uttyname); | 234 | + const char *uttyname); |
219 | + | 235 | |
220 | extern int _unix_run_verify_binary(pam_handle_t *pamh, | 236 | extern int _unix_run_verify_binary(pam_handle_t *pamh, |
221 | unsigned int ctrl, const char *user, int *daysleft); | 237 | unsigned int ctrl, const char *user, int *daysleft); |
222 | #endif /* _PAM_UNIX_SUPPORT_H */ | 238 | -- |
239 | 2.1.4 | ||
240 | |||
diff --git a/meta/recipes-extended/pam/libpam/pam_timestamp-fix-potential-directory-traversal-issu.patch b/meta/recipes-extended/pam/libpam/pam_timestamp-fix-potential-directory-traversal-issu.patch deleted file mode 100644 index 06cca13abe..0000000000 --- a/meta/recipes-extended/pam/libpam/pam_timestamp-fix-potential-directory-traversal-issu.patch +++ /dev/null | |||
@@ -1,63 +0,0 @@ | |||
1 | From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001 | ||
2 | From: "Dmitry V. Levin" <ldv@altlinux.org> | ||
3 | Date: Wed, 26 Mar 2014 22:17:23 +0000 | ||
4 | Subject: [PATCH] pam_timestamp: fix potential directory traversal issue | ||
5 | (ticket #27) | ||
6 | |||
7 | commit 9dcead87e6d7f66d34e7a56d11a30daca367dffb upstream | ||
8 | |||
9 | pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of | ||
10 | the timestamp pathname it creates, so extra care should be taken to | ||
11 | avoid potential directory traversal issues. | ||
12 | |||
13 | * modules/pam_timestamp/pam_timestamp.c (check_tty): Treat | ||
14 | "." and ".." tty values as invalid. | ||
15 | (get_ruser): Treat "." and ".." ruser values, as well as any ruser | ||
16 | value containing '/', as invalid. | ||
17 | |||
18 | Fixes CVE-2014-2583. | ||
19 | |||
20 | Reported-by: Sebastian Krahmer <krahmer@suse.de> | ||
21 | |||
22 | Upstream-Status: Backport | ||
23 | |||
24 | Signed-off-by: Yue Tao <Yue.Tao@windriver.com> | ||
25 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | ||
26 | --- | ||
27 | modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++- | ||
28 | 1 files changed, 12 insertions(+), 1 deletions(-) | ||
29 | |||
30 | diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c | ||
31 | index 5193733..b3f08b1 100644 | ||
32 | --- a/modules/pam_timestamp/pam_timestamp.c | ||
33 | +++ b/modules/pam_timestamp/pam_timestamp.c | ||
34 | @@ -158,7 +158,7 @@ check_tty(const char *tty) | ||
35 | tty = strrchr(tty, '/') + 1; | ||
36 | } | ||
37 | /* Make sure the tty wasn't actually a directory (no basename). */ | ||
38 | - if (strlen(tty) == 0) { | ||
39 | + if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) { | ||
40 | return NULL; | ||
41 | } | ||
42 | return tty; | ||
43 | @@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen) | ||
44 | if (pwd != NULL) { | ||
45 | ruser = pwd->pw_name; | ||
46 | } | ||
47 | + } else { | ||
48 | + /* | ||
49 | + * This ruser is used by format_timestamp_name as a component | ||
50 | + * of constructed timestamp pathname, so ".", "..", and '/' | ||
51 | + * are disallowed to avoid potential path traversal issues. | ||
52 | + */ | ||
53 | + if (!strcmp(ruser, ".") || | ||
54 | + !strcmp(ruser, "..") || | ||
55 | + strchr(ruser, '/')) { | ||
56 | + ruser = NULL; | ||
57 | + } | ||
58 | } | ||
59 | if (ruser == NULL || strlen(ruser) >= ruserbuflen) { | ||
60 | *ruserbuf = '\0'; | ||
61 | -- | ||
62 | 1.7.5.4 | ||
63 | |||
diff --git a/meta/recipes-extended/pam/libpam/reflect-the-enforce_for_root-semantics-change-in-pam.patch b/meta/recipes-extended/pam/libpam/reflect-the-enforce_for_root-semantics-change-in-pam.patch deleted file mode 100644 index c13535ecc2..0000000000 --- a/meta/recipes-extended/pam/libpam/reflect-the-enforce_for_root-semantics-change-in-pam.patch +++ /dev/null | |||
@@ -1,35 +0,0 @@ | |||
1 | Backport from linux-pam git repo. | ||
2 | |||
3 | [YOCTO #4107] | ||
4 | |||
5 | Upstream-Status: Backport | ||
6 | |||
7 | Signed-off-by: Kang Kai <kai.kang@windriver.com> | ||
8 | |||
9 | From bd07ad3adc626f842a4391d256541883426fd389 Mon Sep 17 00:00:00 2001 | ||
10 | From: Tomas Mraz <tmraz@fedoraproject.org> | ||
11 | Date: Tue, 13 Nov 2012 09:19:05 +0100 | ||
12 | Subject: [PATCH] Reflect the enforce_for_root semantics change in | ||
13 | pam_pwhistory xtest. | ||
14 | |||
15 | xtests/tst-pam_pwhistory1.pamd: Use enforce_for_root as the test is | ||
16 | running with real uid == 0. | ||
17 | --- | ||
18 | xtests/tst-pam_pwhistory1.pamd | 2 +- | ||
19 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
20 | |||
21 | diff --git a/xtests/tst-pam_pwhistory1.pamd b/xtests/tst-pam_pwhistory1.pamd | ||
22 | index 68e1b94..d60db7c 100644 | ||
23 | --- a/xtests/tst-pam_pwhistory1.pamd | ||
24 | +++ b/xtests/tst-pam_pwhistory1.pamd | ||
25 | @@ -1,6 +1,6 @@ | ||
26 | #%PAM-1.0 | ||
27 | auth required pam_permit.so | ||
28 | account required pam_permit.so | ||
29 | -password required pam_pwhistory.so remember=10 retry=1 | ||
30 | +password required pam_pwhistory.so remember=10 retry=1 enforce_for_root | ||
31 | password required pam_unix.so use_authtok md5 | ||
32 | session required pam_permit.so | ||
33 | -- | ||
34 | 1.7.11.7 | ||
35 | |||
diff --git a/meta/recipes-extended/pam/libpam_1.1.6.bb b/meta/recipes-extended/pam/libpam_1.2.1.bb index d347bdc43b..ac3097ef7c 100644 --- a/meta/recipes-extended/pam/libpam_1.1.6.bb +++ b/meta/recipes-extended/pam/libpam_1.2.1.bb | |||
@@ -18,19 +18,15 @@ SRC_URI = "http://linux-pam.org/library/Linux-PAM-${PV}.tar.bz2 \ | |||
18 | file://pam.d/common-session-noninteractive \ | 18 | file://pam.d/common-session-noninteractive \ |
19 | file://pam.d/other \ | 19 | file://pam.d/other \ |
20 | file://libpam-xtests.patch \ | 20 | file://libpam-xtests.patch \ |
21 | file://destdirfix.patch \ | ||
22 | file://fixsepbuild.patch \ | 21 | file://fixsepbuild.patch \ |
23 | file://reflect-the-enforce_for_root-semantics-change-in-pam.patch \ | ||
24 | file://add-checks-for-crypt-returning-NULL.patch \ | ||
25 | file://libpam-fix-for-CVE-2010-4708.patch \ | ||
26 | file://pam-security-abstract-securetty-handling.patch \ | 22 | file://pam-security-abstract-securetty-handling.patch \ |
27 | file://pam-unix-nullok-secure.patch \ | 23 | file://pam-unix-nullok-secure.patch \ |
28 | file://pam_timestamp-fix-potential-directory-traversal-issu.patch \ | ||
29 | file://libpam-xtests-remove-bash-dependency.patch \ | 24 | file://libpam-xtests-remove-bash-dependency.patch \ |
30 | file://crypt_configure.patch \ | 25 | file://crypt_configure.patch \ |
31 | " | 26 | " |
32 | SRC_URI[md5sum] = "7b73e58b7ce79ffa321d408de06db2c4" | 27 | |
33 | SRC_URI[sha256sum] = "bab887d6280f47fc3963df3b95735a27a16f0f663636163ddf3acab5f1149fc2" | 28 | SRC_URI[md5sum] = "9dc53067556d2dd567808fd509519dd6" |
29 | SRC_URI[sha256sum] = "342b1211c0d3b203a7df2540a5b03a428a087bd8a48c17e49ae268f992b334d9" | ||
34 | 30 | ||
35 | SRC_URI_append_libc-uclibc = " file://pam-no-innetgr.patch" | 31 | SRC_URI_append_libc-uclibc = " file://pam-no-innetgr.patch" |
36 | SRC_URI_append_libc-musl = " file://pam-no-innetgr.patch" | 32 | SRC_URI_append_libc-musl = " file://pam-no-innetgr.patch" |