diff options
author | Alexander Kanavin <alex.kanavin@gmail.com> | 2023-06-25 23:22:32 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-06-27 16:23:40 +0100 |
commit | 084ef1d41a4de6b2c569e63256ec07efd49036e8 (patch) | |
tree | 59a90bfbe2802b5f598abee4c53beae38a73af91 /meta/recipes-extended/pam | |
parent | 45ff515d34a6647f1d75df0224b82a853a0f1a78 (diff) | |
download | poky-084ef1d41a4de6b2c569e63256ec07efd49036e8.tar.gz |
libpam: update 1.5.2 -> 1.5.3
(From OE-Core rev: ddb5e0f8a2cc7c48e1fb53b665e2fd5ed263bb19)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/pam')
-rw-r--r-- | meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch | 108 | ||||
-rw-r--r-- | meta/recipes-extended/pam/libpam/0001-run-xtests.sh-check-whether-files-exist.patch | 65 | ||||
-rw-r--r-- | meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch | 205 | ||||
-rw-r--r-- | meta/recipes-extended/pam/libpam_1.5.3.bb (renamed from meta/recipes-extended/pam/libpam_1.5.2.bb) | 5 |
4 files changed, 1 insertions, 382 deletions
diff --git a/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch b/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch deleted file mode 100644 index 94dcb04f0a..0000000000 --- a/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch +++ /dev/null | |||
@@ -1,108 +0,0 @@ | |||
1 | From 42404548721c653317c911c83d885e2fc7fbca70 Mon Sep 17 00:00:00 2001 | ||
2 | From: Per Jessen <per@jessen.ch> | ||
3 | Date: Fri, 22 Apr 2022 18:15:36 +0200 | ||
4 | Subject: [PATCH] pam_motd: do not rely on all filesystems providing a filetype | ||
5 | |||
6 | When using scandir() to look for MOTD files to display, we wrongly | ||
7 | relied on all filesystems providing a filetype. This is a fix to divert | ||
8 | to lstat() when we have no filetype. To maintain MT safety, it isn't | ||
9 | possible to use lstat() in the scandir() filter function, so all of the | ||
10 | filtering has been moved to an additional loop after scanning all the | ||
11 | motd dirs. | ||
12 | Also, remove superfluous alphasort from scandir(), we are doing | ||
13 | a qsort() later. | ||
14 | |||
15 | Resolves: https://github.com/linux-pam/linux-pam/issues/455 | ||
16 | |||
17 | Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/42404548721c653317c911c83d885e2fc7fbca70] | ||
18 | |||
19 | Signed-off-by: Per Jessen <per@jessen.ch> | ||
20 | Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> | ||
21 | --- | ||
22 | modules/pam_motd/pam_motd.c | 49 ++++++++++++++++++++++++++++++------- | ||
23 | 1 file changed, 40 insertions(+), 9 deletions(-) | ||
24 | |||
25 | diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c | ||
26 | index 6ac8cba2..5ca486e4 100644 | ||
27 | --- a/modules/pam_motd/pam_motd.c | ||
28 | +++ b/modules/pam_motd/pam_motd.c | ||
29 | @@ -166,11 +166,6 @@ static int compare_strings(const void *a, const void *b) | ||
30 | } | ||
31 | } | ||
32 | |||
33 | -static int filter_dirents(const struct dirent *d) | ||
34 | -{ | ||
35 | - return (d->d_type == DT_REG || d->d_type == DT_LNK); | ||
36 | -} | ||
37 | - | ||
38 | static void try_to_display_directories_with_overrides(pam_handle_t *pamh, | ||
39 | char **motd_dir_path_split, unsigned int num_motd_dirs, int report_missing) | ||
40 | { | ||
41 | @@ -199,8 +194,7 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh, | ||
42 | |||
43 | for (i = 0; i < num_motd_dirs; i++) { | ||
44 | int rv; | ||
45 | - rv = scandir(motd_dir_path_split[i], &(dirscans[i]), | ||
46 | - filter_dirents, alphasort); | ||
47 | + rv = scandir(motd_dir_path_split[i], &(dirscans[i]), NULL, NULL); | ||
48 | if (rv < 0) { | ||
49 | if (errno != ENOENT || report_missing) { | ||
50 | pam_syslog(pamh, LOG_ERR, "error scanning directory %s: %m", | ||
51 | @@ -215,6 +209,41 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh, | ||
52 | if (dirscans_size_total == 0) | ||
53 | goto out; | ||
54 | |||
55 | + /* filter out unwanted names, directories, and complement data with lstat() */ | ||
56 | + for (i = 0; i < num_motd_dirs; i++) { | ||
57 | + struct dirent **d = dirscans[i]; | ||
58 | + for (unsigned int j = 0; j < dirscans_sizes[i]; j++) { | ||
59 | + int rc; | ||
60 | + char *fullpath; | ||
61 | + struct stat s; | ||
62 | + | ||
63 | + switch(d[j]->d_type) { /* the filetype determines how to proceed */ | ||
64 | + case DT_REG: /* regular files and */ | ||
65 | + case DT_LNK: /* symlinks */ | ||
66 | + continue; /* are good. */ | ||
67 | + case DT_UNKNOWN: /* for file systems that do not provide */ | ||
68 | + /* a filetype, we use lstat() */ | ||
69 | + if (join_dir_strings(&fullpath, motd_dir_path_split[i], | ||
70 | + d[j]->d_name) <= 0) | ||
71 | + break; | ||
72 | + rc = lstat(fullpath, &s); | ||
73 | + _pam_drop(fullpath); /* free the memory alloc'ed by join_dir_strings */ | ||
74 | + if (rc != 0) /* if the lstat() somehow failed */ | ||
75 | + break; | ||
76 | + | ||
77 | + if (S_ISREG(s.st_mode) || /* regular files and */ | ||
78 | + S_ISLNK(s.st_mode)) continue; /* symlinks are good */ | ||
79 | + break; | ||
80 | + case DT_DIR: /* We don't want directories */ | ||
81 | + default: /* nor anything else */ | ||
82 | + break; | ||
83 | + } | ||
84 | + _pam_drop(d[j]); /* free memory */ | ||
85 | + d[j] = NULL; /* indicate this one was dropped */ | ||
86 | + dirscans_size_total--; | ||
87 | + } | ||
88 | + } | ||
89 | + | ||
90 | /* Allocate space for all file names found in the directories, including duplicates. */ | ||
91 | if ((dirnames_all = calloc(dirscans_size_total, sizeof(*dirnames_all))) == NULL) { | ||
92 | pam_syslog(pamh, LOG_CRIT, "failed to allocate dirname array"); | ||
93 | @@ -225,8 +254,10 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh, | ||
94 | unsigned int j; | ||
95 | |||
96 | for (j = 0; j < dirscans_sizes[i]; j++) { | ||
97 | - dirnames_all[i_dirnames] = dirscans[i][j]->d_name; | ||
98 | - i_dirnames++; | ||
99 | + if (NULL != dirscans[i][j]) { | ||
100 | + dirnames_all[i_dirnames] = dirscans[i][j]->d_name; | ||
101 | + i_dirnames++; | ||
102 | + } | ||
103 | } | ||
104 | } | ||
105 | |||
106 | -- | ||
107 | 2.39.0 | ||
108 | |||
diff --git a/meta/recipes-extended/pam/libpam/0001-run-xtests.sh-check-whether-files-exist.patch b/meta/recipes-extended/pam/libpam/0001-run-xtests.sh-check-whether-files-exist.patch deleted file mode 100644 index 40040a873a..0000000000 --- a/meta/recipes-extended/pam/libpam/0001-run-xtests.sh-check-whether-files-exist.patch +++ /dev/null | |||
@@ -1,65 +0,0 @@ | |||
1 | From e8e8ccfd57e0274b431bc5717bf37c488285b07b Mon Sep 17 00:00:00 2001 | ||
2 | From: Mingli Yu <mingli.yu@windriver.com> | ||
3 | Date: Wed, 27 Oct 2021 10:30:46 +0800 | ||
4 | Subject: [PATCH] run-xtests.sh: check whether files exist | ||
5 | |||
6 | Fixes: | ||
7 | # ./run-xtests.sh . tst-pam_access1 | ||
8 | mv: cannot stat '/etc/security/opasswd': No such file or directory | ||
9 | PASS: tst-pam_access1 | ||
10 | mv: cannot stat '/etc/security/opasswd-pam-xtests': No such file or directory | ||
11 | ================== | ||
12 | 1 tests passed | ||
13 | 0 tests not run | ||
14 | ================== | ||
15 | |||
16 | Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/e8e8ccfd57e0274b431bc5717bf37c488285b07b] | ||
17 | |||
18 | Signed-off-by: Mingli Yu <mingli.yu@windriver.com> | ||
19 | --- | ||
20 | xtests/run-xtests.sh | 20 +++++++++++++------- | ||
21 | 1 file changed, 13 insertions(+), 7 deletions(-) | ||
22 | |||
23 | diff --git a/xtests/run-xtests.sh b/xtests/run-xtests.sh | ||
24 | index 14f585d9..ff9a4dc1 100755 | ||
25 | --- a/xtests/run-xtests.sh | ||
26 | +++ b/xtests/run-xtests.sh | ||
27 | @@ -18,10 +18,12 @@ all=0 | ||
28 | |||
29 | mkdir -p /etc/security | ||
30 | for config in access.conf group.conf time.conf limits.conf ; do | ||
31 | - cp /etc/security/$config /etc/security/$config-pam-xtests | ||
32 | + [ -f "/etc/security/$config" ] && | ||
33 | + mv /etc/security/$config /etc/security/$config-pam-xtests | ||
34 | install -m 644 "${SRCDIR}"/$config /etc/security/$config | ||
35 | done | ||
36 | -mv /etc/security/opasswd /etc/security/opasswd-pam-xtests | ||
37 | +[ -f /etc/security/opasswd ] && | ||
38 | + mv /etc/security/opasswd /etc/security/opasswd-pam-xtests | ||
39 | |||
40 | for testname in $XTESTS ; do | ||
41 | for cfg in "${SRCDIR}"/$testname*.pamd ; do | ||
42 | @@ -47,11 +49,15 @@ for testname in $XTESTS ; do | ||
43 | all=`expr $all + 1` | ||
44 | rm -f /etc/pam.d/$testname* | ||
45 | done | ||
46 | -mv /etc/security/access.conf-pam-xtests /etc/security/access.conf | ||
47 | -mv /etc/security/group.conf-pam-xtests /etc/security/group.conf | ||
48 | -mv /etc/security/time.conf-pam-xtests /etc/security/time.conf | ||
49 | -mv /etc/security/limits.conf-pam-xtests /etc/security/limits.conf | ||
50 | -mv /etc/security/opasswd-pam-xtests /etc/security/opasswd | ||
51 | + | ||
52 | +for config in access.conf group.conf time.conf limits.conf opasswd ; do | ||
53 | + if [ -f "/etc/security/$config-pam-xtests" ]; then | ||
54 | + mv /etc/security/$config-pam-xtests /etc/security/$config | ||
55 | + else | ||
56 | + rm -f /etc/security/$config | ||
57 | + fi | ||
58 | +done | ||
59 | + | ||
60 | if test "$failed" -ne 0; then | ||
61 | echo "===================" | ||
62 | echo "$failed of $all tests failed" | ||
63 | -- | ||
64 | 2.32.0 | ||
65 | |||
diff --git a/meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch b/meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch deleted file mode 100644 index e7bf03f9f7..0000000000 --- a/meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch +++ /dev/null | |||
@@ -1,205 +0,0 @@ | |||
1 | From 23393bef92c1e768eda329813d7af55481c6ca9f Mon Sep 17 00:00:00 2001 | ||
2 | From: Thorsten Kukuk <kukuk@suse.com> | ||
3 | Date: Thu, 24 Feb 2022 10:37:32 +0100 | ||
4 | Subject: [PATCH 2/2] pam_access: handle hostnames in access.conf | ||
5 | |||
6 | According to the manual page, the following entry is valid but does not | ||
7 | work: | ||
8 | -:root:ALL EXCEPT localhost | ||
9 | |||
10 | See https://bugzilla.suse.com/show_bug.cgi?id=1019866 | ||
11 | |||
12 | Patched is based on PR#226 from Josef Moellers | ||
13 | |||
14 | Upstream-Status: Backport | ||
15 | CVE: CVE-2022-28321 | ||
16 | |||
17 | Reference to upstream patch: | ||
18 | [https://github.com/linux-pam/linux-pam/commit/23393bef92c1e768eda329813d7af55481c6ca9f] | ||
19 | |||
20 | Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> | ||
21 | --- | ||
22 | modules/pam_access/pam_access.c | 95 ++++++++++++++++++++++++++------- | ||
23 | 1 file changed, 76 insertions(+), 19 deletions(-) | ||
24 | |||
25 | diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c | ||
26 | index 277192b..bca424f 100644 | ||
27 | --- a/modules/pam_access/pam_access.c | ||
28 | +++ b/modules/pam_access/pam_access.c | ||
29 | @@ -637,7 +637,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item) | ||
30 | if ((str_len = strlen(string)) > tok_len | ||
31 | && strcasecmp(tok, string + str_len - tok_len) == 0) | ||
32 | return YES; | ||
33 | - } else if (tok[tok_len - 1] == '.') { | ||
34 | + } else if (tok[tok_len - 1] == '.') { /* internet network numbers (end with ".") */ | ||
35 | struct addrinfo hint; | ||
36 | |||
37 | memset (&hint, '\0', sizeof (hint)); | ||
38 | @@ -678,7 +678,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item) | ||
39 | return NO; | ||
40 | } | ||
41 | |||
42 | - /* Assume network/netmask with an IP of a host. */ | ||
43 | + /* Assume network/netmask, IP address or hostname. */ | ||
44 | return network_netmask_match(pamh, tok, string, item); | ||
45 | } | ||
46 | |||
47 | @@ -696,7 +696,7 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string, | ||
48 | /* | ||
49 | * If the token has the magic value "ALL" the match always succeeds. | ||
50 | * Otherwise, return YES if the token fully matches the string. | ||
51 | - * "NONE" token matches NULL string. | ||
52 | + * "NONE" token matches NULL string. | ||
53 | */ | ||
54 | |||
55 | if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */ | ||
56 | @@ -714,7 +714,8 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string, | ||
57 | |||
58 | /* network_netmask_match - match a string against one token | ||
59 | * where string is a hostname or ip (v4,v6) address and tok | ||
60 | - * represents either a single ip (v4,v6) address or a network/netmask | ||
61 | + * represents either a hostname, a single ip (v4,v6) address | ||
62 | + * or a network/netmask | ||
63 | */ | ||
64 | static int | ||
65 | network_netmask_match (pam_handle_t *pamh, | ||
66 | @@ -723,10 +724,12 @@ network_netmask_match (pam_handle_t *pamh, | ||
67 | char *netmask_ptr; | ||
68 | char netmask_string[MAXHOSTNAMELEN + 1]; | ||
69 | int addr_type; | ||
70 | + struct addrinfo *ai = NULL; | ||
71 | |||
72 | if (item->debug) | ||
73 | - pam_syslog (pamh, LOG_DEBUG, | ||
74 | + pam_syslog (pamh, LOG_DEBUG, | ||
75 | "network_netmask_match: tok=%s, item=%s", tok, string); | ||
76 | + | ||
77 | /* OK, check if tok is of type addr/mask */ | ||
78 | if ((netmask_ptr = strchr(tok, '/')) != NULL) | ||
79 | { | ||
80 | @@ -760,54 +763,108 @@ network_netmask_match (pam_handle_t *pamh, | ||
81 | netmask_ptr = number_to_netmask(netmask, addr_type, | ||
82 | netmask_string, MAXHOSTNAMELEN); | ||
83 | } | ||
84 | - } | ||
85 | + | ||
86 | + /* | ||
87 | + * Construct an addrinfo list from the IP address. | ||
88 | + * This should not fail as the input is a correct IP address... | ||
89 | + */ | ||
90 | + if (getaddrinfo (tok, NULL, NULL, &ai) != 0) | ||
91 | + { | ||
92 | + return NO; | ||
93 | + } | ||
94 | + } | ||
95 | else | ||
96 | - /* NO, then check if it is only an addr */ | ||
97 | - if (isipaddr(tok, NULL, NULL) != YES) | ||
98 | + { | ||
99 | + /* | ||
100 | + * It is either an IP address or a hostname. | ||
101 | + * Let getaddrinfo sort everything out | ||
102 | + */ | ||
103 | + if (getaddrinfo (tok, NULL, NULL, &ai) != 0) | ||
104 | { | ||
105 | + pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok); | ||
106 | + | ||
107 | return NO; | ||
108 | } | ||
109 | + netmask_ptr = NULL; | ||
110 | + } | ||
111 | |||
112 | if (isipaddr(string, NULL, NULL) != YES) | ||
113 | { | ||
114 | - /* Assume network/netmask with a name of a host. */ | ||
115 | struct addrinfo hint; | ||
116 | |||
117 | + /* Assume network/netmask with a name of a host. */ | ||
118 | memset (&hint, '\0', sizeof (hint)); | ||
119 | hint.ai_flags = AI_CANONNAME; | ||
120 | hint.ai_family = AF_UNSPEC; | ||
121 | |||
122 | if (item->gai_rv != 0) | ||
123 | + { | ||
124 | + freeaddrinfo(ai); | ||
125 | return NO; | ||
126 | + } | ||
127 | else if (!item->res && | ||
128 | (item->gai_rv = getaddrinfo (string, NULL, &hint, &item->res)) != 0) | ||
129 | + { | ||
130 | + freeaddrinfo(ai); | ||
131 | return NO; | ||
132 | + } | ||
133 | else | ||
134 | { | ||
135 | struct addrinfo *runp = item->res; | ||
136 | + struct addrinfo *runp1; | ||
137 | |||
138 | while (runp != NULL) | ||
139 | { | ||
140 | char buf[INET6_ADDRSTRLEN]; | ||
141 | |||
142 | - DIAG_PUSH_IGNORE_CAST_ALIGN; | ||
143 | - inet_ntop (runp->ai_family, | ||
144 | - runp->ai_family == AF_INET | ||
145 | - ? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr | ||
146 | - : (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr, | ||
147 | - buf, sizeof (buf)); | ||
148 | - DIAG_POP_IGNORE_CAST_ALIGN; | ||
149 | + if (getnameinfo (runp->ai_addr, runp->ai_addrlen, buf, sizeof (buf), NULL, 0, NI_NUMERICHOST) != 0) | ||
150 | + { | ||
151 | + freeaddrinfo(ai); | ||
152 | + return NO; | ||
153 | + } | ||
154 | |||
155 | - if (are_addresses_equal(buf, tok, netmask_ptr)) | ||
156 | + for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next) | ||
157 | { | ||
158 | - return YES; | ||
159 | + char buf1[INET6_ADDRSTRLEN]; | ||
160 | + | ||
161 | + if (runp->ai_family != runp1->ai_family) | ||
162 | + continue; | ||
163 | + | ||
164 | + if (getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST) != 0) | ||
165 | + { | ||
166 | + freeaddrinfo(ai); | ||
167 | + return NO; | ||
168 | + } | ||
169 | + | ||
170 | + if (are_addresses_equal (buf, buf1, netmask_ptr)) | ||
171 | + { | ||
172 | + freeaddrinfo(ai); | ||
173 | + return YES; | ||
174 | + } | ||
175 | } | ||
176 | runp = runp->ai_next; | ||
177 | } | ||
178 | } | ||
179 | } | ||
180 | else | ||
181 | - return (are_addresses_equal(string, tok, netmask_ptr)); | ||
182 | + { | ||
183 | + struct addrinfo *runp1; | ||
184 | + | ||
185 | + for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next) | ||
186 | + { | ||
187 | + char buf1[INET6_ADDRSTRLEN]; | ||
188 | + | ||
189 | + (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST); | ||
190 | + | ||
191 | + if (are_addresses_equal(string, buf1, netmask_ptr)) | ||
192 | + { | ||
193 | + freeaddrinfo(ai); | ||
194 | + return YES; | ||
195 | + } | ||
196 | + } | ||
197 | + } | ||
198 | + | ||
199 | + freeaddrinfo(ai); | ||
200 | |||
201 | return NO; | ||
202 | } | ||
203 | -- | ||
204 | 2.37.3 | ||
205 | |||
diff --git a/meta/recipes-extended/pam/libpam_1.5.2.bb b/meta/recipes-extended/pam/libpam_1.5.3.bb index bec47ab836..c8f1e16459 100644 --- a/meta/recipes-extended/pam/libpam_1.5.2.bb +++ b/meta/recipes-extended/pam/libpam_1.5.3.bb | |||
@@ -21,14 +21,11 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/Linux-PAM-${PV}.tar.xz \ | |||
21 | file://pam.d/common-session-noninteractive \ | 21 | file://pam.d/common-session-noninteractive \ |
22 | file://pam.d/other \ | 22 | file://pam.d/other \ |
23 | file://libpam-xtests.patch \ | 23 | file://libpam-xtests.patch \ |
24 | file://0001-run-xtests.sh-check-whether-files-exist.patch \ | ||
25 | file://run-ptest \ | 24 | file://run-ptest \ |
26 | file://pam-volatiles.conf \ | 25 | file://pam-volatiles.conf \ |
27 | file://CVE-2022-28321-0002.patch \ | ||
28 | file://0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch \ | ||
29 | " | 26 | " |
30 | 27 | ||
31 | SRC_URI[sha256sum] = "e4ec7131a91da44512574268f493c6d8ca105c87091691b8e9b56ca685d4f94d" | 28 | SRC_URI[sha256sum] = "7ac4b50feee004a9fa88f1dfd2d2fa738a82896763050cd773b3c54b0a818283" |
32 | 29 | ||
33 | DEPENDS = "bison-native flex-native cracklib libxml2-native virtual/crypt" | 30 | DEPENDS = "bison-native flex-native cracklib libxml2-native virtual/crypt" |
34 | 31 | ||