libpam: Upgrade v1.1.6 -> v1.2.1

Dropped upstreamed patches(commit-id): - add-checks-for-crypt-returning-NULL.patch(8dc056c) - destdirfix.patch(d7e6b92) - libpam-fix-for-CVE-2010-4708.patch(4c430f6) Dropped backported patches(commit-id): - pam_timestamp-fix-potential-directory-traversal-issu.patch(9dcead8) - reflect-the-enforce_for_root-semantics-change-in-pam.patch(bd07ad3) Forward ported patches: - pam-unix-nullok-secure.patch - crypt_configure.patch (From OE-Core rev: 8683206f7ba85f693751415f896a0cc62931e3c4) Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Amarnath Valluri <amarnath.valluri@intel.com> 2015-07-17 11:53:24 +0300
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-07-20 10:40:42 +0100
commit: 88dd997d9941b63ae9eead6690ecf2b785c0740c (patch)
tree: fe531585f3741dcb457bcf74683db6f60a0a2bce /meta/recipes-extended
parent: e9b9f8c0c5a208c02453839442099527fe6b13de (diff)
download: poky-88dd997d9941b63ae9eead6690ecf2b785c0740c.tar.gz
8 files changed, 127 insertions, 339 deletions
diff --git a/meta/recipes-extended/pam/libpam/add-checks-for-crypt-returning-NULL.patch b/meta/recipes-extended/pam/libpam/add-checks-for-crypt-returning-NULL.patch
deleted file mode 100644
index d364cea97e..0000000000
--- a/meta/recipes-extended/pam/libpam/add-checks-for-crypt-returning-NULL.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-Backport from linux-pam git repo.
-[YOCTO #4107]
-Upstream-Status: Backport
-Signed-off-by: Kang Kai <kai.kang@windriver.com>
-From 8dc056c1c8bc7acb66c4decc49add2c3a24e6310 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tmraz@fedoraproject.org>
-Date: Fri, 8 Feb 2013 15:04:26 +0100
-Subject: [PATCH] Add checks for crypt() returning NULL.
-modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return.
-modules/pam_unix/bigcrypt.c (bigcrypt): Likewise.
---
- modules/pam_pwhistory/opasswd.c |    2 +-
- modules/pam_unix/bigcrypt.c     |    9 +++++++++
- 2 files changed, 10 insertions(+), 1 deletions(-)
-diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
-index 274fdb9..836d713 100644
--- a/modules/pam_pwhistory/opasswd.c
-+++ b/modules/pam_pwhistory/opasswd.c
-@@ -108,7 +108,7 @@ compare_password(const char *newpass, const char *oldpass)
-   outval = crypt (newpass, oldpass);
- #endif
- 
-  return strcmp(outval, oldpass) == 0;
-+  return outval != NULL && strcmp(outval, oldpass) == 0;
- }
- 
- /* Check, if the new password is already in the opasswd file.  */
-diff --git a/modules/pam_unix/bigcrypt.c b/modules/pam_unix/bigcrypt.c
-index e10d1c5..e1d57a0 100644
--- a/modules/pam_unix/bigcrypt.c
-+++ b/modules/pam_unix/bigcrypt.c
-@@ -109,6 +109,10 @@ char *bigcrypt(const char *key, const char *salt)
- #else
-        tmp_ptr = crypt(plaintext_ptr, salt);   /* libc crypt() */
- #endif
-+       if (tmp_ptr == NULL) {
-+               free(dec_c2_cryptbuf);
-+               return NULL;
-+       }
-        /* and place in the static area */
-        strncpy(cipher_ptr, tmp_ptr, 13);
-        cipher_ptr += ESEGMENT_SIZE + SALT_SIZE;
-@@ -130,6 +134,11 @@ char *bigcrypt(const char *key, const char *salt)
- #else
-                        tmp_ptr = crypt(plaintext_ptr, salt_ptr);
- #endif
-+                       if (tmp_ptr == NULL) {
-+                               _pam_overwrite(dec_c2_cryptbuf);
-+                               free(dec_c2_cryptbuf);
-+                               return NULL;
-+                       }
- 
-                        /* skip the salt for seg!=0 */
-                        strncpy(cipher_ptr, (tmp_ptr + SALT_SIZE), ESEGMENT_SIZE);
-- 
-1.7.5.4
diff --git a/meta/recipes-extended/pam/libpam/crypt_configure.patch b/meta/recipes-extended/pam/libpam/crypt_configure.patch
index efa82fb9b9..bec82a5f10 100644
--- a/meta/recipes-extended/pam/libpam/crypt_configure.patch
+++ b/meta/recipes-extended/pam/libpam/crypt_configure.patch
@@ -16,8 +16,8 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
 Index: Linux-PAM-1.1.6/configure.in
 ===================================================================
--- Linux-PAM-1.1.6.org/configure.in
+--- Linux-PAM-1.1.6.org/configure.ac
-+++ Linux-PAM-1.1.6/configure.in
+++ Linux-PAM-1.1.6/configure.ac
 @@ -400,7 +400,9 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" =
   [crypt_libs="crypt"])
 
diff --git a/meta/recipes-extended/pam/libpam/destdirfix.patch b/meta/recipes-extended/pam/libpam/destdirfix.patch
deleted file mode 100644
index 52145ecb34..0000000000
--- a/meta/recipes-extended/pam/libpam/destdirfix.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Avoid the failure:
-| mkdir -p /etc/security/namespace.d
-| mkdir: cannot create directory `/etc/security/namespace.d': Permission denied
-if /etc/security/namespace.d doesn't exist. The DESTDIR prefix is missing.
-RP 2012/8/19
-Upstream-Status: Pending
-Index: Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am
-===================================================================
--- Linux-PAM-1.1.6.orig/modules/pam_namespace/Makefile.am      2012-08-15 11:08:43.000000000 +0000
-+++ Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am   2012-08-19 12:25:32.311038943 +0000
-@@ -40,7 +40,7 @@
-   secureconf_SCRIPTS = namespace.init
- 
- install-data-local:
-       mkdir -p $(namespaceddir)
-+       mkdir -p $(DESTDIR)$(namespaceddir)
- endif
- 
- 
diff --git a/meta/recipes-extended/pam/libpam/libpam-fix-for-CVE-2010-4708.patch b/meta/recipes-extended/pam/libpam/libpam-fix-for-CVE-2010-4708.patch
deleted file mode 100644
index 5d2b69aae0..0000000000
--- a/meta/recipes-extended/pam/libpam/libpam-fix-for-CVE-2010-4708.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-Upstream-Status: Backport
-Fix for CVE-2010-4708
-Change default for user_readenv to 0 and document the 
-new default for user_readenv.
-This fix is got from:
-http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env
-/pam_env.c?r1=1.22&r2=1.23&view=patch
-http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env
-/pam_env.8.xml?r1=1.7&r2=1.8&view=patch
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
--- a/modules/pam_env/pam_env.c 2012-09-05 13:57:47.000000000 +0800
-+++ b/modules/pam_env/pam_env.c 2012-09-05 13:58:05.000000000 +0800
-@@ -10,7 +10,7 @@
- #define DEFAULT_READ_ENVFILE    1
- 
- #define DEFAULT_USER_ENVFILE    ".pam_environment"
-#define DEFAULT_USER_READ_ENVFILE 1
-+#define DEFAULT_USER_READ_ENVFILE 0
- 
- #include "config.h"
- 
--- a/modules/pam_env/pam_env.8.xml     2012-09-05 13:58:24.000000000 +0800
-+++ b/modules/pam_env/pam_env.8.xml     2012-09-05 13:59:36.000000000 +0800
-@@ -147,7 +147,10 @@
-         <listitem>
-           <para>
-             Turns on or off the reading of the user specific environment
-            file. 0 is off, 1 is on. By default this option is on.
-+            file. 0 is off, 1 is on. By default this option is off as user
-+            supplied environment variables in the PAM environment could affect
-+            behavior of subsequent modules in the stack without the consent
-+            of the system administrator.
-           </para>
-         </listitem>
-       </varlistentry>
diff --git a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
index b285e96c27..423267f707 100644
--- a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
+++ b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
@@ -1,6 +1,9 @@
-Debian patch to add a new 'nullok_secure' option to pam_unix, which
+From 9bdc197474795f2d000c2bc04f58f7cef8898f21 Mon Sep 17 00:00:00 2001
-accepts users with null passwords only when the applicant is connected
+From: Amarnath Valluri <amarnath.valluri@intel.com>
-from a tty listed in /etc/securetty.
+Date: Wed, 15 Jul 2015 13:07:20 +0300
+Subject: [PATCH] Debian patch to add a new 'nullok_secure' option to pam_unix,
+ which accepts users with null passwords only when the applicant is connected
+ from a tty listed in /etc/securetty.
 Authors: Sam Hartman <hartmans@debian.org>,
         Steve Langasek <vorlon@debian.org>
@@ -8,10 +11,24 @@ Authors: Sam Hartman <hartmans@debian.org>,
 Upstream-Status: Pending
 Signed-off-by: Ming Liu <ming.liu@windriver.com>
-===================================================================
-diff -urpN a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
+v2:
--- a/modules/pam_unix/Makefile.am      2013-07-05 09:51:31.014483164 +0800
+        - Forward ported from v1.1.6 to v1.2.1
-+++ b/modules/pam_unix/Makefile.am      2013-07-05 10:26:12.884484000 +0800
+Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
+---
+ modules/pam_unix/Makefile.am    |  3 ++-
+ modules/pam_unix/README         | 11 ++++++++++-
+ modules/pam_unix/pam_unix.8     |  9 ++++++++-
+ modules/pam_unix/pam_unix.8.xml | 19 ++++++++++++++++++-
+ modules/pam_unix/support.c      | 40 +++++++++++++++++++++++++++++++++++-----
+ modules/pam_unix/support.h      |  8 ++++++--
+ 6 files changed, 79 insertions(+), 11 deletions(-)
+diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
+index 56ed591..9a372ac 100644
+--- a/modules/pam_unix/Makefile.am
+++ b/modules/pam_unix/Makefile.am
 @@ -30,7 +30,8 @@ if HAVE_VERSIONING
   pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
 endif
@@ -22,10 +39,33 @@ diff -urpN a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
 
 securelib_LTLIBRARIES = pam_unix.la
 
-diff -urpN a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
+diff --git a/modules/pam_unix/README b/modules/pam_unix/README
--- a/modules/pam_unix/pam_unix.8       2013-07-05 09:52:16.825108201 +0800
+index 3935dba..7880d91 100644
-+++ b/modules/pam_unix/pam_unix.8       2013-07-05 10:28:34.724483774 +0800
+--- a/modules/pam_unix/README
-@@ -220,7 +220,14 @@ A little more extreme than debug\&.
+++ b/modules/pam_unix/README
+@@ -67,7 +67,16 @@ nullok
+ 
+     The default action of this module is to not permit the user access to a
+     service if their official password is blank. The nullok argument overrides
+-    this default.
+    this default and allows any user with a blank password to access the
+    service.
+
+nullok_secure
+
+    The default action of this module is to not permit the user access to a
+    service if their official password is blank. The nullok_secure argument
+    overrides this default and allows any user with a blank password to access
+    the service as long as the value of PAM_TTY is set to one of the values
+    found in /etc/securetty.
+ 
+ try_first_pass
+ 
+diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
+index 339178b..a4bd906 100644
+--- a/modules/pam_unix/pam_unix.8
+++ b/modules/pam_unix/pam_unix.8
+@@ -92,7 +92,14 @@ Turns off informational messages namely messages about session open and close vi
 .RS 4
 The default action of this module is to not permit the user access to a service if their official password is blank\&. The
 \fBnullok\fR
@@ -41,10 +81,11 @@ diff -urpN a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
 .RE
 .PP
 \fBtry_first_pass\fR
-diff -urpN a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
+diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
--- a/modules/pam_unix/pam_unix.8.xml   2013-07-05 09:52:38.775108523 +0800
+index a8b64bb..1ced6f4 100644
-+++ b/modules/pam_unix/pam_unix.8.xml   2013-07-05 10:30:23.084483630 +0800
+--- a/modules/pam_unix/pam_unix.8.xml
-@@ -135,7 +135,24 @@
+++ b/modules/pam_unix/pam_unix.8.xml
+@@ -159,7 +159,24 @@
           <para>
             The default action of this module is to not permit the
             user access to a service if their official password is blank.
@@ -70,36 +111,15 @@ diff -urpN a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
           </para>
         </listitem>
       </varlistentry>
-diff -urpN a/modules/pam_unix/README b/modules/pam_unix/README
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
--- a/modules/pam_unix/README   2013-07-05 09:51:52.205107846 +0800
+index abccd82..2361957 100644
-+++ b/modules/pam_unix/README   2013-07-05 10:27:10.774484537 +0800
+--- a/modules/pam_unix/support.c
-@@ -57,7 +57,16 @@ nullok
+++ b/modules/pam_unix/support.c
- 
+@@ -189,13 +189,22 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
-     The default action of this module is to not permit the user access to a
-     service if their official password is blank. The nullok argument overrides
-    this default.
-+    this default and allows any user with a blank password to access the
-+    service.
-+
-+nullok_secure
-+
-+    The default action of this module is to not permit the user access to a
-+    service if their official password is blank. The nullok_secure argument
-+    overrides this default and allows any user with a blank password to access
-+    the service as long as the value of PAM_TTY is set to one of the values
-+    found in /etc/securetty.
- 
- try_first_pass
- 
-diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c
--- a/modules/pam_unix/support.c        2013-07-05 09:50:49.134482523 +0800
-+++ b/modules/pam_unix/support.c        2013-07-05 09:56:26.924484267 +0800
-@@ -84,14 +84,22 @@ int _set_ctrl(pam_handle_t *pamh, int fl
        /* now parse the arguments to this module */
 
        for (; argc-- > 0; ++argv) {
-               int j;
+               int sl;
-+               int j, sl;
 
                D(("pam_unix arg: %s", *argv));
 
@@ -108,48 +128,46 @@ diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c
 -                           && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) {
 -                               break;
 +                       if (unix_args[j].token) {
-+                           sl = strlen(unix_args[j].token);
+                               sl = strlen(unix_args[j].token);
-+                           if (unix_args[j].token[sl-1] == '=') {
+                               if (unix_args[j].token[sl-1] == '=') {
-+                               /* exclude argument from comparison */
+                                       /* exclude argument from comparison */
-+                               if (!strncmp(*argv, unix_args[j].token, sl))
+                                       if (!strncmp(*argv, unix_args[j].token, sl))
-+                                   break;
+                                               break;
-+                           } else {
+                               } else {
 +                               /* compare full strings */
-+                               if (!strcmp(*argv, unix_args[j].token))
+                                       if (!strcmp(*argv, unix_args[j].token))
-+                                   break;
+                                               break;
-+                           }
+                               }
                        }
                }
 
-@@ -461,6 +469,7 @@ static int _unix_run_helper_binary(pam_h
+@@ -566,6 +575,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
-     child = fork();
     if (child == 0) {
-         int i=0;
-+        int nullok = off(UNIX__NONULL, ctrl);
-         struct rlimit rlim;
        static char *envp[] = { NULL };
-        char *args[] = { NULL, NULL, NULL, NULL };
+        const char *args[] = { NULL, NULL, NULL, NULL };
-@@ -488,7 +497,18 @@ static int _unix_run_helper_binary(pam_h
+       int nullok = off(UNIX__NONULL, ctrl);
+ 
+        /* XXX - should really tidy up PAM here too */
+ 
+@@ -593,7 +603,16 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
        /* exec binary helper */
-        args[0] = strdup(CHKPWD_HELPER);
+        args[0] = CHKPWD_HELPER;
-        args[1] = x_strdup(user);
+        args[1] = user;
 -       if (off(UNIX__NONULL, ctrl)) {  /* this means we've succeeded */
-+
 +       if (on(UNIX_NULLOK_SECURE, ctrl)) {
-+           const void *uttyname;
+               const void *uttyname;
-+           retval = pam_get_item(pamh, PAM_TTY, &uttyname);
+               retval = pam_get_item(pamh, PAM_TTY, &uttyname);
-+           if (retval != PAM_SUCCESS || uttyname == NULL
+               if (retval != PAM_SUCCESS || uttyname == NULL
-+               || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS)
+                       || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) {
-+           {
+                       nullok = 0;
-+               nullok = 0;
+               }
-+           }
 +       }
 +
 +       if (nullok) {
-          args[2]=strdup("nullok");
+          args[2]="nullok";
        } else {
-          args[2]=strdup("nonull");
+          args[2]="nonull";
-@@ -567,6 +587,17 @@ _unix_blankpasswd (pam_handle_t *pamh, u
+@@ -678,6 +697,17 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name)
        if (on(UNIX__NONULL, ctrl))
                return 0;       /* will fail but don't let on yet */
 
@@ -167,56 +185,56 @@ diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c
        /* UNIX passwords area */
 
        retval = get_pwd_hash(pamh, name, &pwd, &salt);
-@@ -653,7 +684,8 @@ int _unix_verify_password(pam_handle_t *
+@@ -764,7 +794,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
                        }
                }
        } else {
 -               retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl));
-+               retval = verify_pwd_hash(p, salt,
+               retval = verify_pwd_hash(p, salt, _unix_blankpasswd(pamh, ctrl, name));
-+                                        _unix_blankpasswd(pamh, ctrl, name));
        }
 
        if (retval == PAM_SUCCESS) {
-diff -urpN a/modules/pam_unix/support.h b/modules/pam_unix/support.h
+diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
--- a/modules/pam_unix/support.h        2013-07-05 09:51:10.385107934 +0800
+index 3729ce0..43cdbea 100644
-+++ b/modules/pam_unix/support.h        2013-07-05 10:23:54.815107842 +0800
+--- a/modules/pam_unix/support.h
-@@ -90,8 +90,9 @@ typedef struct {
+++ b/modules/pam_unix/support.h
-                                           password hash algorithms */
+@@ -99,8 +99,9 @@ typedef struct {
- #define UNIX_BLOWFISH_PASS       26    /* new password hashes will use blowfish */
 #define UNIX_MIN_PASS_LEN        27    /* min length for password */
-+#define UNIX_NULLOK_SECURE       28    /* NULL passwords allowed only on secure ttys */
+ #define UNIX_QUIET              28     /* Don't print informational messages */
+ #define UNIX_DES                 29     /* DES, default */
+#define UNIX_NULLOK_SECURE       30     /* NULL passwords allowed only on secure ttys */
 /* -------------- */
-#define UNIX_CTRLS_              28    /* number of ctrl arguments defined */
+-#define UNIX_CTRLS_              30    /* number of ctrl arguments defined */
-+#define UNIX_CTRLS_              29    /* number of ctrl arguments defined */
+#define UNIX_CTRLS_              31    /* number of ctrl arguments defined */
 
 #define UNIX_DES_CRYPT(ctrl)   (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
 
-@@ -109,7 +110,7 @@ static const UNIX_Ctrls unix_args[UNIX_C
+@@ -118,7 +119,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
- /* UNIX_NOT_SET_PASS */    {"not_set_pass",    _ALL_ON_,                0100},
+ /* UNIX_NOT_SET_PASS */    {"not_set_pass",    _ALL_ON_,                0100, 0},
- /* UNIX__PRELIM */         {NULL,              _ALL_ON_^(0600),         0200},
+ /* UNIX__PRELIM */         {NULL,              _ALL_ON_^(0600),         0200, 0},
- /* UNIX__UPDATE */         {NULL,              _ALL_ON_^(0600),         0400},
+ /* UNIX__UPDATE */         {NULL,              _ALL_ON_^(0600),         0400, 0},
-/* UNIX__NONULL */         {NULL,              _ALL_ON_,               01000},
+-/* UNIX__NONULL */         {NULL,              _ALL_ON_,               01000, 0},
-+/* UNIX__NONULL */         {NULL,              _ALL_ON_^(0x10000000),  0x200},
+/* UNIX__NONULL */         {NULL,              _ALL_ON_^(0x10000000),   0200, 0},
- /* UNIX__QUIET */          {NULL,              _ALL_ON_,               02000},
+ /* UNIX__QUIET */          {NULL,              _ALL_ON_,               02000, 0},
- /* UNIX_USE_AUTHTOK */     {"use_authtok",     _ALL_ON_,               04000},
+ /* UNIX_USE_AUTHTOK */     {"use_authtok",     _ALL_ON_,               04000, 0},
- /* UNIX_SHADOW */          {"shadow",          _ALL_ON_,              010000},
+ /* UNIX_SHADOW */          {"shadow",          _ALL_ON_,              010000, 0},
-@@ -127,7 +128,8 @@ static const UNIX_Ctrls unix_args[UNIX_C
+@@ -139,6 +140,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
- /* UNIX_SHA512_PASS */     {"sha512",       _ALL_ON_^(0260420000), 040000000},
+ /* UNIX_MIN_PASS_LEN */    {"minlen=",         _ALL_ON_,         0400000000, 0},
- /* UNIX_ALGO_ROUNDS */     {"rounds=",         _ALL_ON_,          0100000000},
+ /* UNIX_QUIET */           {"quiet",           _ALL_ON_,         01000000000, 0},
- /* UNIX_BLOWFISH_PASS */   {"blowfish",    _ALL_ON_^(0260420000), 0200000000},
+ /* UNIX_DES */             {"des",             _ALL_ON_^(0260420000),      0, 1},
-/* UNIX_MIN_PASS_LEN */    {"minlen=",         _ALL_ON_,          0400000000},
+/* UNIX_NULLOK_SECURE */   {"nullok_secure",   _ALL_ON_^(0x200),  0x10000000, 0},
-+/* UNIX_MIN_PASS_LEN */    {"minlen=",         _ALL_ON_,          0400000000},
-+/* UNIX_NULLOK_SECURE */   {"nullok_secure",   _ALL_ON_^(0x200),  0x10000000},
 };
 
 #define UNIX_DEFAULTS  (unix_args[UNIX__NONULL].flag)
-@@ -163,6 +165,9 @@ extern int _unix_read_password(pam_handl
+@@ -171,6 +173,8 @@ extern int _unix_read_password(pam_handle_t * pamh
+                        ,const char *prompt2
                        ,const char *data_name
                        ,const void **pass);
- 
 +extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
-+                                 const char *uttyname);
+         const char *uttyname);
-+
+ 
 extern int _unix_run_verify_binary(pam_handle_t *pamh,
                        unsigned int ctrl, const char *user, int *daysleft);
- #endif /* _PAM_UNIX_SUPPORT_H */
+-- 
+2.1.4
diff --git a/meta/recipes-extended/pam/libpam/pam_timestamp-fix-potential-directory-traversal-issu.patch b/meta/recipes-extended/pam/libpam/pam_timestamp-fix-potential-directory-traversal-issu.patch
deleted file mode 100644
index 06cca13abe..0000000000
--- a/meta/recipes-extended/pam/libpam/pam_timestamp-fix-potential-directory-traversal-issu.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
-From: "Dmitry V. Levin" <ldv@altlinux.org>
-Date: Wed, 26 Mar 2014 22:17:23 +0000
-Subject: [PATCH] pam_timestamp: fix potential directory traversal issue
- (ticket #27)
-commit 9dcead87e6d7f66d34e7a56d11a30daca367dffb upstream
-pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
-the timestamp pathname it creates, so extra care should be taken to
-avoid potential directory traversal issues.
-* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
-"." and ".." tty values as invalid.
-(get_ruser): Treat "." and ".." ruser values, as well as any ruser
-value containing '/', as invalid.
-Fixes CVE-2014-2583.
-Reported-by: Sebastian Krahmer <krahmer@suse.de>
-Upstream-Status: Backport
-Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
- modules/pam_timestamp/pam_timestamp.c |   13 ++++++++++++-
- 1 files changed, 12 insertions(+), 1 deletions(-)
-diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
-index 5193733..b3f08b1 100644
--- a/modules/pam_timestamp/pam_timestamp.c
-+++ b/modules/pam_timestamp/pam_timestamp.c
-@@ -158,7 +158,7 @@ check_tty(const char *tty)
-                tty = strrchr(tty, '/') + 1;
-        }
-        /* Make sure the tty wasn't actually a directory (no basename). */
-       if (strlen(tty) == 0) {
-+       if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
-                return NULL;
-        }
-        return tty;
-@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
-                if (pwd != NULL) {
-                        ruser = pwd->pw_name;
-                }
-+       } else {
-+               /*
-+                * This ruser is used by format_timestamp_name as a component
-+                * of constructed timestamp pathname, so ".", "..", and '/'
-+                * are disallowed to avoid potential path traversal issues.
-+                */
-+               if (!strcmp(ruser, ".") ||
-+                   !strcmp(ruser, "..") ||
-+                   strchr(ruser, '/')) {
-+                       ruser = NULL;
-+               }
-        }
-        if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
-                *ruserbuf = '\0';
-- 
-1.7.5.4
diff --git a/meta/recipes-extended/pam/libpam/reflect-the-enforce_for_root-semantics-change-in-pam.patch b/meta/recipes-extended/pam/libpam/reflect-the-enforce_for_root-semantics-change-in-pam.patch
deleted file mode 100644
index c13535ecc2..0000000000
--- a/meta/recipes-extended/pam/libpam/reflect-the-enforce_for_root-semantics-change-in-pam.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-Backport from linux-pam git repo.
-[YOCTO #4107]
-Upstream-Status: Backport
-Signed-off-by: Kang Kai <kai.kang@windriver.com>
-From bd07ad3adc626f842a4391d256541883426fd389 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tmraz@fedoraproject.org>
-Date: Tue, 13 Nov 2012 09:19:05 +0100
-Subject: [PATCH] Reflect the enforce_for_root semantics change in
- pam_pwhistory xtest.
-xtests/tst-pam_pwhistory1.pamd: Use enforce_for_root as the test is
-running with real uid == 0.
---
- xtests/tst-pam_pwhistory1.pamd | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/xtests/tst-pam_pwhistory1.pamd b/xtests/tst-pam_pwhistory1.pamd
-index 68e1b94..d60db7c 100644
--- a/xtests/tst-pam_pwhistory1.pamd
-+++ b/xtests/tst-pam_pwhistory1.pamd
-@@ -1,6 +1,6 @@
- #%PAM-1.0
- auth     required       pam_permit.so
- account  required       pam_permit.so
-password required      pam_pwhistory.so remember=10 retry=1
-+password required      pam_pwhistory.so remember=10 retry=1 enforce_for_root
- password required      pam_unix.so     use_authtok md5
- session  required       pam_permit.so
-- 
-1.7.11.7
diff --git a/meta/recipes-extended/pam/libpam_1.1.6.bb b/meta/recipes-extended/pam/libpam_1.2.1.bb
index d347bdc43b..ac3097ef7c 100644
--- a/meta/recipes-extended/pam/libpam_1.1.6.bb
+++ b/meta/recipes-extended/pam/libpam_1.2.1.bb
@@ -18,19 +18,15 @@ SRC_URI = "http://linux-pam.org/library/Linux-PAM-${PV}.tar.bz2 \
           file://pam.d/common-session-noninteractive \
           file://pam.d/other \
           file://libpam-xtests.patch \
-           file://destdirfix.patch \
           file://fixsepbuild.patch \
-           file://reflect-the-enforce_for_root-semantics-change-in-pam.patch \
-           file://add-checks-for-crypt-returning-NULL.patch \
-           file://libpam-fix-for-CVE-2010-4708.patch \
           file://pam-security-abstract-securetty-handling.patch \
           file://pam-unix-nullok-secure.patch \
-           file://pam_timestamp-fix-potential-directory-traversal-issu.patch \
           file://libpam-xtests-remove-bash-dependency.patch \
           file://crypt_configure.patch \
          "
-SRC_URI[md5sum] = "7b73e58b7ce79ffa321d408de06db2c4"
-SRC_URI[sha256sum] = "bab887d6280f47fc3963df3b95735a27a16f0f663636163ddf3acab5f1149fc2"
+SRC_URI[md5sum] = "9dc53067556d2dd567808fd509519dd6"
+SRC_URI[sha256sum] = "342b1211c0d3b203a7df2540a5b03a428a087bd8a48c17e49ae268f992b334d9"
 SRC_URI_append_libc-uclibc = " file://pam-no-innetgr.patch"
 SRC_URI_append_libc-musl = " file://pam-no-innetgr.patch"
author	Amarnath Valluri <amarnath.valluri@intel.com>	2015-07-17 11:53:24 +0300
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-07-20 10:40:42 +0100
commit	88dd997d9941b63ae9eead6690ecf2b785c0740c (patch)
tree	fe531585f3741dcb457bcf74683db6f60a0a2bce /meta/recipes-extended
parent	e9b9f8c0c5a208c02453839442099527fe6b13de (diff)
download	poky-88dd997d9941b63ae9eead6690ecf2b785c0740c.tar.gz