authorWang Mingyu <wangmy@cn.fujitsu.com>2020-02-21 02:09:15 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-02-21 17:48:09 +0000
commit4e51659ff4eeb59349a931e7844f25a55c63f03e (patch)
treed69e3aae6012c4b6054cef9a2736c595f783e03b /meta/recipes-extended/shadow
parentaf2215bffc620d78ad690f63b1218e8b2306c495 (diff)
shadow: upgrade 4.8 -> 4.8.1
0001-Do-not-check-for-validity-of-shell-executable.patch and CVE-2019-19882.patch were removed since they are included in 4.8.1. (From OE-Core rev: de9cceb13e264434eb0b8393c3b0c0217b8d505e) Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/shadow')
-rw-r--r--meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch29
-rw-r--r--meta/recipes-extended/shadow/files/CVE-2019-19882.patch55
-rw-r--r--meta/recipes-extended/shadow/shadow.inc6
-rw-r--r--meta/recipes-extended/shadow/shadow_4.8.1.bb (renamed from meta/recipes-extended/shadow/shadow_4.8.bb)0
4 files changed, 2 insertions, 88 deletions
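diff --git a/meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch b/meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch
deleted file mode 100644
index 2d15ff0673..0000000000
--- a/meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 0d0aded7307a9f4ee0d299951512acd18b3e029e Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin <alex.kanavin@gmail.com>
-Date: Wed, 4 Dec 2019 19:28:48 +0100
-Subject: [PATCH] Do not check for validity of shell executable.
-
-This kind of check fails when building a rootfs.
-
-Upstream-Status: Inappropriate [oe-core specific]
-Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
----
- src/useradd.c | 5 +----
- 1 file changed, 1 insertion(+), 4 deletions(-)
-
-diff --git a/src/useradd.c b/src/useradd.c
-index 4af0f7c..898fe02 100644
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -1328,10 +1328,7 @@ static void process_flags (int argc, char **argv)
- if ( ( !VALID (optarg) )
- || ( ('\0' != optarg[0])
- && ('/' != optarg[0])
-- && ('*' != optarg[0]) )
-- || (stat(optarg, &st) != 0)
-- || (S_ISDIR(st.st_mode))
-- || (access(optarg, X_OK) != 0)) {
-+ && ('*' != optarg[0]) )) {
- fprintf (stderr,
- _("%s: invalid shell '%s'\n"),
- Prog, optarg);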
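diff --git a/meta/recipes-extended/shadow/files/CVE-2019-19882.patch b/meta/recipes-extended/shadow/files/CVE-2019-19882.patch
deleted file mode 100644
index 894d867680..0000000000
--- a/meta/recipes-extended/shadow/files/CVE-2019-19882.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 66b7bc0dcfda12d7f58eba993bd02872cae1d713 Mon Sep 17 00:00:00 2001
-From: Dave Reisner <dreisner@archlinux.org>
-Date: Mon, 16 Dec 2019 14:11:23 -0500
-Subject: [PATCH] Don't auto-enable ACCT_TOOLS_SETUID if PAM is detected
-
-Here's a sad story:
-
-* 70971457 is merged into shadow, allowing newgidmap/newuidmap to be
-installed with file caps rather than setuid.
-* https://bugs.archlinux.org/task/63248 is filed to take advantage of
-this.
-* The arch maintainer of the 'shadow' package notices that this doesn't
-work, and submits a pull request to fix this in shadow.
-* edf7547ad5 is merged, fixing the post install hooks.
-
-The problem here is that distros have been building shadow with PAM for
-O(years), but the install hooks have silently failed due to the
-combination of the directory mismatch (suidubins vs suidsbins) and later
-success with setuid'ing newgidmap/newuidmap.
-
-With the install hooks fixed, those of us (Arch[1] and Gentoo[2] so far)
-who never built shadow explicitly with --enable-account-tools-setuid are
-now getting setuid account tools, and don't have PAM configuration
-suitable for use with setuid account management tools.
-
-It's entirely unclear to me why you'd want this, but I assume there's
-some reason out there for it existing. Regardless, setuid binaries are
-dangerous and shouldn't be enabled by default without good reason.
-
-[1] https://bugs.archlinux.org/task/64836
-[2] https://bugs.gentoo.org/702252
-
-Upstream-Status: Backport
-CVE: CVE-2019-19882
-Signed-off-by: Li Zhou <li.zhou@windriver.com>
----
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index e3ed3b43..d6e2bfbd 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -226,7 +226,7 @@ AC_ARG_ENABLE(account-tools-setuid,
- *) AC_MSG_ERROR(bad value ${enableval} for --enable-account-tools-setuid)
- ;;
- esac],
-- [enable_acct_tools_setuid="maybe"]
-+ [enable_acct_tools_setuid="no"]
- )
-
- AC_ARG_ENABLE(utmpx,
---
-2.17.1
-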
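diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index 3bfa39e6ff..f86e5e03c0 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -13,7 +13,6 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.
 file://shadow-4.1.3-dots-in-usernames.patch \
 ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
 file://shadow-relaxed-usernames.patch \
-file://CVE-2019-19882.patch \
 "
 
 SRC_URI_append_class-target = " \
@@ -25,14 +24,13 @@ SRC_URI_append_class-native = " \
 file://0001-Disable-use-of-syslog-for-sysroot.patch \
 file://0002-Allow-for-setting-password-in-clear-text.patch \
 file://commonio.c-fix-unexpected-open-failure-in-chroot-env.patch \
-file://0001-Do-not-check-for-validity-of-shell-executable.patch \
 "
 SRC_URI_append_class-nativesdk = " \
 file://0001-Disable-use-of-syslog-for-sysroot.patch \
 "
 
-SRC_URI[md5sum] = "017ac773ba370bc28e157cee30dad71a"
-SRC_URI[sha256sum] = "82016d65317555fc8ce9e669eb187984d8d4b1f8ecda0769f4bc5412aed326e4"
+SRC_URI[md5sum] = "3d97f11e66bfb0b14702b115fa8be480"
+SRC_URI[sha256sum] = "3ee3081fbbcbcfea5c8916419e46bc724807bab271072104f23e7a29e9668f3a"
 
 # Additional Policy files for PAM
 PAM_SRC_URI = "file://pam.d/chfn \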
diff --git a/meta/recipes-extended/shadow/shadow_4.8.bb b/meta/recipes-extended/shadow/shadow_4.8.1.bb
index c975395ff8..c975395ff8 100644
--- a/meta/recipes-extended/shadow/shadow_4.8.bb
+++ b/meta/recipes-extended/shadow/shadow_4.8.1.bb