diff options
author | Wang Mingyu <wangmy@cn.fujitsu.com> | 2020-02-21 02:09:15 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-02-21 17:48:09 +0000 |
commit | 4e51659ff4eeb59349a931e7844f25a55c63f03e (patch) | |
tree | d69e3aae6012c4b6054cef9a2736c595f783e03b /meta/recipes-extended/shadow | |
parent | af2215bffc620d78ad690f63b1218e8b2306c495 (diff) | |
download | poky-4e51659ff4eeb59349a931e7844f25a55c63f03e.tar.gz |
shadow: upgrade 4.8 -> 4.8.1
0001-Do-not-check-for-validity-of-shell-executable.patch
CVE-2019-19882.patch
Removed since they are included in 4.8.1.
(From OE-Core rev: de9cceb13e264434eb0b8393c3b0c0217b8d505e)
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/shadow')
-rw-r--r-- | meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch | 29 | ||||
-rw-r--r-- | meta/recipes-extended/shadow/files/CVE-2019-19882.patch | 55 | ||||
-rw-r--r-- | meta/recipes-extended/shadow/shadow.inc | 6 | ||||
-rw-r--r-- | meta/recipes-extended/shadow/shadow_4.8.1.bb (renamed from meta/recipes-extended/shadow/shadow_4.8.bb) | 0 |
4 files changed, 2 insertions, 88 deletions
diff --git a/meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch b/meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch deleted file mode 100644 index 2d15ff0673..0000000000 --- a/meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch +++ /dev/null | |||
@@ -1,29 +0,0 @@ | |||
1 | From 0d0aded7307a9f4ee0d299951512acd18b3e029e Mon Sep 17 00:00:00 2001 | ||
2 | From: Alexander Kanavin <alex.kanavin@gmail.com> | ||
3 | Date: Wed, 4 Dec 2019 19:28:48 +0100 | ||
4 | Subject: [PATCH] Do not check for validity of shell executable. | ||
5 | |||
6 | This kind of check fails when building a rootfs. | ||
7 | |||
8 | Upstream-Status: Inappropriate [oe-core specific] | ||
9 | Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> | ||
10 | --- | ||
11 | src/useradd.c | 5 +---- | ||
12 | 1 file changed, 1 insertion(+), 4 deletions(-) | ||
13 | |||
14 | diff --git a/src/useradd.c b/src/useradd.c | ||
15 | index 4af0f7c..898fe02 100644 | ||
16 | --- a/src/useradd.c | ||
17 | +++ b/src/useradd.c | ||
18 | @@ -1328,10 +1328,7 @@ static void process_flags (int argc, char **argv) | ||
19 | if ( ( !VALID (optarg) ) | ||
20 | || ( ('\0' != optarg[0]) | ||
21 | && ('/' != optarg[0]) | ||
22 | - && ('*' != optarg[0]) ) | ||
23 | - || (stat(optarg, &st) != 0) | ||
24 | - || (S_ISDIR(st.st_mode)) | ||
25 | - || (access(optarg, X_OK) != 0)) { | ||
26 | + && ('*' != optarg[0]) )) { | ||
27 | fprintf (stderr, | ||
28 | _("%s: invalid shell '%s'\n"), | ||
29 | Prog, optarg); | ||
diff --git a/meta/recipes-extended/shadow/files/CVE-2019-19882.patch b/meta/recipes-extended/shadow/files/CVE-2019-19882.patch deleted file mode 100644 index 894d867680..0000000000 --- a/meta/recipes-extended/shadow/files/CVE-2019-19882.patch +++ /dev/null | |||
@@ -1,55 +0,0 @@ | |||
1 | From 66b7bc0dcfda12d7f58eba993bd02872cae1d713 Mon Sep 17 00:00:00 2001 | ||
2 | From: Dave Reisner <dreisner@archlinux.org> | ||
3 | Date: Mon, 16 Dec 2019 14:11:23 -0500 | ||
4 | Subject: [PATCH] Don't auto-enable ACCT_TOOLS_SETUID if PAM is detected | ||
5 | |||
6 | Here's a sad story: | ||
7 | |||
8 | * 70971457 is merged into shadow, allowing newgidmap/newuidmap to be | ||
9 | installed with file caps rather than setuid. | ||
10 | * https://bugs.archlinux.org/task/63248 is filed to take advantage of | ||
11 | this. | ||
12 | * The arch maintainer of the 'shadow' package notices that this doesn't | ||
13 | work, and submits a pull request to fix this in shadow. | ||
14 | * edf7547ad5 is merged, fixing the post install hooks. | ||
15 | |||
16 | The problem here is that distros have been building shadow with PAM for | ||
17 | O(years), but the install hooks have silently failed due to the | ||
18 | combination of the directory mismatch (suidubins vs suidsbins) and later | ||
19 | success with setuid'ing newgidmap/newuidmap. | ||
20 | |||
21 | With the install hooks fixed, those of us (Arch[1] and Gentoo[2] so far) | ||
22 | who never built shadow explicitly with --enable-account-tools-setuid are | ||
23 | now getting setuid account tools, and don't have PAM configuration | ||
24 | suitable for use with setuid account management tools. | ||
25 | |||
26 | It's entirely unclear to me why you'd want this, but I assume there's | ||
27 | some reason out there for it existing. Regardless, setuid binaries are | ||
28 | dangerous and shouldn't be enabled by default without good reason. | ||
29 | |||
30 | [1] https://bugs.archlinux.org/task/64836 | ||
31 | [2] https://bugs.gentoo.org/702252 | ||
32 | |||
33 | Upstream-Status: Backport | ||
34 | CVE: CVE-2019-19882 | ||
35 | Signed-off-by: Li Zhou <li.zhou@windriver.com> | ||
36 | --- | ||
37 | configure.ac | 2 +- | ||
38 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
39 | |||
40 | diff --git a/configure.ac b/configure.ac | ||
41 | index e3ed3b43..d6e2bfbd 100644 | ||
42 | --- a/configure.ac | ||
43 | +++ b/configure.ac | ||
44 | @@ -226,7 +226,7 @@ AC_ARG_ENABLE(account-tools-setuid, | ||
45 | *) AC_MSG_ERROR(bad value ${enableval} for --enable-account-tools-setuid) | ||
46 | ;; | ||
47 | esac], | ||
48 | - [enable_acct_tools_setuid="maybe"] | ||
49 | + [enable_acct_tools_setuid="no"] | ||
50 | ) | ||
51 | |||
52 | AC_ARG_ENABLE(utmpx, | ||
53 | -- | ||
54 | 2.17.1 | ||
55 | |||
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index 3bfa39e6ff..f86e5e03c0 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc | |||
@@ -13,7 +13,6 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}. | |||
13 | file://shadow-4.1.3-dots-in-usernames.patch \ | 13 | file://shadow-4.1.3-dots-in-usernames.patch \ |
14 | ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ | 14 | ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ |
15 | file://shadow-relaxed-usernames.patch \ | 15 | file://shadow-relaxed-usernames.patch \ |
16 | file://CVE-2019-19882.patch \ | ||
17 | " | 16 | " |
18 | 17 | ||
19 | SRC_URI_append_class-target = " \ | 18 | SRC_URI_append_class-target = " \ |
@@ -25,14 +24,13 @@ SRC_URI_append_class-native = " \ | |||
25 | file://0001-Disable-use-of-syslog-for-sysroot.patch \ | 24 | file://0001-Disable-use-of-syslog-for-sysroot.patch \ |
26 | file://0002-Allow-for-setting-password-in-clear-text.patch \ | 25 | file://0002-Allow-for-setting-password-in-clear-text.patch \ |
27 | file://commonio.c-fix-unexpected-open-failure-in-chroot-env.patch \ | 26 | file://commonio.c-fix-unexpected-open-failure-in-chroot-env.patch \ |
28 | file://0001-Do-not-check-for-validity-of-shell-executable.patch \ | ||
29 | " | 27 | " |
30 | SRC_URI_append_class-nativesdk = " \ | 28 | SRC_URI_append_class-nativesdk = " \ |
31 | file://0001-Disable-use-of-syslog-for-sysroot.patch \ | 29 | file://0001-Disable-use-of-syslog-for-sysroot.patch \ |
32 | " | 30 | " |
33 | 31 | ||
34 | SRC_URI[md5sum] = "017ac773ba370bc28e157cee30dad71a" | 32 | SRC_URI[md5sum] = "3d97f11e66bfb0b14702b115fa8be480" |
35 | SRC_URI[sha256sum] = "82016d65317555fc8ce9e669eb187984d8d4b1f8ecda0769f4bc5412aed326e4" | 33 | SRC_URI[sha256sum] = "3ee3081fbbcbcfea5c8916419e46bc724807bab271072104f23e7a29e9668f3a" |
36 | 34 | ||
37 | # Additional Policy files for PAM | 35 | # Additional Policy files for PAM |
38 | PAM_SRC_URI = "file://pam.d/chfn \ | 36 | PAM_SRC_URI = "file://pam.d/chfn \ |
diff --git a/meta/recipes-extended/shadow/shadow_4.8.bb b/meta/recipes-extended/shadow/shadow_4.8.1.bb index c975395ff8..c975395ff8 100644 --- a/meta/recipes-extended/shadow/shadow_4.8.bb +++ b/meta/recipes-extended/shadow/shadow_4.8.1.bb | |||