diff options
author | Saul Wold <sgw@linux.intel.com> | 2013-04-05 10:09:32 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2013-04-05 18:21:31 +0100 |
commit | 216d701c016720f232ded9c85235b14b7945385f (patch) | |
tree | 11856ea9df434023290373315b7899dbc92a2c08 /meta/recipes-extended/shadow | |
parent | 59c073514c01b018f6123bb177141888b6f8c8ee (diff) | |
download | poky-216d701c016720f232ded9c85235b14b7945385f.tar.gz |
shadow: add patch to fix crypt: Invalid Argument
This patch came from Slackware and address a change in crypt()'s handling
of an invalid seed, which in the past returned an encrypted string and now
returns a NULL.
[YOCTO #4097] related to tinylogin segfault
(From OE-Core rev: a7f7e6da8383b4bde6d8ce951e5c3c955073c0bd)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/shadow')
-rw-r--r-- | meta/recipes-extended/shadow/files/slackware_fix_for_glib-2.17_crypt.patch | 63 | ||||
-rw-r--r-- | meta/recipes-extended/shadow/shadow_4.1.4.3.bb | 1 |
2 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-extended/shadow/files/slackware_fix_for_glib-2.17_crypt.patch b/meta/recipes-extended/shadow/files/slackware_fix_for_glib-2.17_crypt.patch new file mode 100644 index 0000000000..7cd45afebb --- /dev/null +++ b/meta/recipes-extended/shadow/files/slackware_fix_for_glib-2.17_crypt.patch | |||
@@ -0,0 +1,63 @@ | |||
1 | |||
2 | This patch is from Slackware, I tried to find the actual | ||
3 | author to add that attribution. The comment below is the | ||
4 | best summary, I will not repeat it here. | ||
5 | |||
6 | Upstream-Status: Backport from slackware | ||
7 | |||
8 | Signed-off-by: Saul Wold <sgw@linux.intel.com> | ||
9 | |||
10 | Index: shadow-4.1.4.3/lib/encrypt.c | ||
11 | =================================================================== | ||
12 | --- shadow-4.1.4.3.orig/lib/encrypt.c | ||
13 | +++ shadow-4.1.4.3/lib/encrypt.c | ||
14 | @@ -45,15 +45,40 @@ char *pw_encrypt (const char *clear, con | ||
15 | static char cipher[128]; | ||
16 | char *cp; | ||
17 | |||
18 | - cp = crypt (clear, salt); | ||
19 | - if (!cp) { | ||
20 | - /* | ||
21 | - * Single Unix Spec: crypt() may return a null pointer, | ||
22 | - * and set errno to indicate an error. The caller doesn't | ||
23 | - * expect us to return NULL, so... | ||
24 | - */ | ||
25 | - perror ("crypt"); | ||
26 | - exit (EXIT_FAILURE); | ||
27 | + cp = crypt (clear, salt); | ||
28 | + if (!cp) { | ||
29 | + /* | ||
30 | + * In glibc-2.17 and newer, crypt() will return NULL if | ||
31 | + * it was called using an invalid salt format. Previous | ||
32 | + * versions of glibc would go ahead and compute a DES hash | ||
33 | + * using the invalid salt. The salt value in this case was | ||
34 | + * always '!'. We might arrive at this place if either the | ||
35 | + * user does not exist, or if the hash in /etc/shadow doesn't | ||
36 | + * have the proper magic for one of the supported hash | ||
37 | + * formats (for example, if the account was locked using | ||
38 | + * "passwd -l". To handle this situation, we will recompute | ||
39 | + * the hash using a hardcoded salt as was previously done | ||
40 | + * by glibc. The hash returned by the old glibc function | ||
41 | + * always began with "!!", which would ensure that it could | ||
42 | + * never match an otherwise valid hash in /etc/shadow that | ||
43 | + * was disabled with a "!" at the beginning (since the second | ||
44 | + * character would never be "!" as well), so we will also | ||
45 | + * prepend the resulting hash with "!!". Finally, in case | ||
46 | + * crypt() failed for some other reason we will check to see | ||
47 | + * if we still get NULL from crypt even with the valid salt | ||
48 | + * and will fail if that's the case. | ||
49 | + */ | ||
50 | + | ||
51 | + /* Recalculate hash using a hardcoded, valid SHA512 salt: */ | ||
52 | + cp = crypt (clear, "$6$8IIcy/1EPOk/"); | ||
53 | + | ||
54 | + if (!cp) { | ||
55 | + perror ("crypt"); | ||
56 | + exit (EXIT_FAILURE); | ||
57 | + } else { | ||
58 | + sprintf (cipher, "!!%s", cp); | ||
59 | + return cipher; | ||
60 | + } | ||
61 | } | ||
62 | |||
63 | /* The GNU crypt does not return NULL if the algorithm is not | ||
diff --git a/meta/recipes-extended/shadow/shadow_4.1.4.3.bb b/meta/recipes-extended/shadow/shadow_4.1.4.3.bb index 8226a6e3b3..caf24c06af 100644 --- a/meta/recipes-extended/shadow/shadow_4.1.4.3.bb +++ b/meta/recipes-extended/shadow/shadow_4.1.4.3.bb | |||
@@ -23,6 +23,7 @@ SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.bz2 \ | |||
23 | file://shadow-4.1.4.2-su_no_sanitize_env.patch \ | 23 | file://shadow-4.1.4.2-su_no_sanitize_env.patch \ |
24 | file://shadow-update-pam-conf.patch \ | 24 | file://shadow-update-pam-conf.patch \ |
25 | file://shadow_fix_for_automake-1.12.patch \ | 25 | file://shadow_fix_for_automake-1.12.patch \ |
26 | file://slackware_fix_for_glib-2.17_crypt.patch \ | ||
26 | " | 27 | " |
27 | 28 | ||
28 | SRC_URI[md5sum] = "b8608d8294ac88974f27b20f991c0e79" | 29 | SRC_URI[md5sum] = "b8608d8294ac88974f27b20f991c0e79" |