summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-extended/pam/libpam/add-checks-for-crypt-returning-NULL.patch63
-rw-r--r--meta/recipes-extended/pam/libpam/crypt_configure.patch4
-rw-r--r--meta/recipes-extended/pam/libpam/destdirfix.patch24
-rw-r--r--meta/recipes-extended/pam/libpam/libpam-fix-for-CVE-2010-4708.patch41
-rw-r--r--meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch226
-rw-r--r--meta/recipes-extended/pam/libpam/pam_timestamp-fix-potential-directory-traversal-issu.patch63
-rw-r--r--meta/recipes-extended/pam/libpam/reflect-the-enforce_for_root-semantics-change-in-pam.patch35
-rw-r--r--meta/recipes-extended/pam/libpam_1.2.1.bb (renamed from meta/recipes-extended/pam/libpam_1.1.6.bb)10
8 files changed, 127 insertions, 339 deletions
diff --git a/meta/recipes-extended/pam/libpam/add-checks-for-crypt-returning-NULL.patch b/meta/recipes-extended/pam/libpam/add-checks-for-crypt-returning-NULL.patch
deleted file mode 100644
index d364cea97e..0000000000
--- a/meta/recipes-extended/pam/libpam/add-checks-for-crypt-returning-NULL.patch
+++ /dev/null
@@ -1,63 +0,0 @@
1Backport from linux-pam git repo.
2
3[YOCTO #4107]
4
5Upstream-Status: Backport
6
7Signed-off-by: Kang Kai <kai.kang@windriver.com>
8
9From 8dc056c1c8bc7acb66c4decc49add2c3a24e6310 Mon Sep 17 00:00:00 2001
10From: Tomas Mraz <tmraz@fedoraproject.org>
11Date: Fri, 8 Feb 2013 15:04:26 +0100
12Subject: [PATCH] Add checks for crypt() returning NULL.
13
14modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return.
15modules/pam_unix/bigcrypt.c (bigcrypt): Likewise.
16---
17 modules/pam_pwhistory/opasswd.c | 2 +-
18 modules/pam_unix/bigcrypt.c | 9 +++++++++
19 2 files changed, 10 insertions(+), 1 deletions(-)
20
21diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
22index 274fdb9..836d713 100644
23--- a/modules/pam_pwhistory/opasswd.c
24+++ b/modules/pam_pwhistory/opasswd.c
25@@ -108,7 +108,7 @@ compare_password(const char *newpass, const char *oldpass)
26 outval = crypt (newpass, oldpass);
27 #endif
28
29- return strcmp(outval, oldpass) == 0;
30+ return outval != NULL && strcmp(outval, oldpass) == 0;
31 }
32
33 /* Check, if the new password is already in the opasswd file. */
34diff --git a/modules/pam_unix/bigcrypt.c b/modules/pam_unix/bigcrypt.c
35index e10d1c5..e1d57a0 100644
36--- a/modules/pam_unix/bigcrypt.c
37+++ b/modules/pam_unix/bigcrypt.c
38@@ -109,6 +109,10 @@ char *bigcrypt(const char *key, const char *salt)
39 #else
40 tmp_ptr = crypt(plaintext_ptr, salt); /* libc crypt() */
41 #endif
42+ if (tmp_ptr == NULL) {
43+ free(dec_c2_cryptbuf);
44+ return NULL;
45+ }
46 /* and place in the static area */
47 strncpy(cipher_ptr, tmp_ptr, 13);
48 cipher_ptr += ESEGMENT_SIZE + SALT_SIZE;
49@@ -130,6 +134,11 @@ char *bigcrypt(const char *key, const char *salt)
50 #else
51 tmp_ptr = crypt(plaintext_ptr, salt_ptr);
52 #endif
53+ if (tmp_ptr == NULL) {
54+ _pam_overwrite(dec_c2_cryptbuf);
55+ free(dec_c2_cryptbuf);
56+ return NULL;
57+ }
58
59 /* skip the salt for seg!=0 */
60 strncpy(cipher_ptr, (tmp_ptr + SALT_SIZE), ESEGMENT_SIZE);
61--
621.7.5.4
63
diff --git a/meta/recipes-extended/pam/libpam/crypt_configure.patch b/meta/recipes-extended/pam/libpam/crypt_configure.patch
index efa82fb9b9..bec82a5f10 100644
--- a/meta/recipes-extended/pam/libpam/crypt_configure.patch
+++ b/meta/recipes-extended/pam/libpam/crypt_configure.patch
@@ -16,8 +16,8 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
16 16
17Index: Linux-PAM-1.1.6/configure.in 17Index: Linux-PAM-1.1.6/configure.in
18=================================================================== 18===================================================================
19--- Linux-PAM-1.1.6.org/configure.in 19--- Linux-PAM-1.1.6.org/configure.ac
20+++ Linux-PAM-1.1.6/configure.in 20+++ Linux-PAM-1.1.6/configure.ac
21@@ -400,7 +400,9 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" = 21@@ -400,7 +400,9 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" =
22 [crypt_libs="crypt"]) 22 [crypt_libs="crypt"])
23 23
diff --git a/meta/recipes-extended/pam/libpam/destdirfix.patch b/meta/recipes-extended/pam/libpam/destdirfix.patch
deleted file mode 100644
index 52145ecb34..0000000000
--- a/meta/recipes-extended/pam/libpam/destdirfix.patch
+++ /dev/null
@@ -1,24 +0,0 @@
1Avoid the failure:
2
3| mkdir -p /etc/security/namespace.d
4| mkdir: cannot create directory `/etc/security/namespace.d': Permission denied
5
6if /etc/security/namespace.d doesn't exist. The DESTDIR prefix is missing.
7
8RP 2012/8/19
9
10Upstream-Status: Pending
11
12Index: Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am
13===================================================================
14--- Linux-PAM-1.1.6.orig/modules/pam_namespace/Makefile.am 2012-08-15 11:08:43.000000000 +0000
15+++ Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am 2012-08-19 12:25:32.311038943 +0000
16@@ -40,7 +40,7 @@
17 secureconf_SCRIPTS = namespace.init
18
19 install-data-local:
20- mkdir -p $(namespaceddir)
21+ mkdir -p $(DESTDIR)$(namespaceddir)
22 endif
23
24
diff --git a/meta/recipes-extended/pam/libpam/libpam-fix-for-CVE-2010-4708.patch b/meta/recipes-extended/pam/libpam/libpam-fix-for-CVE-2010-4708.patch
deleted file mode 100644
index 5d2b69aae0..0000000000
--- a/meta/recipes-extended/pam/libpam/libpam-fix-for-CVE-2010-4708.patch
+++ /dev/null
@@ -1,41 +0,0 @@
1Upstream-Status: Backport
2
3Fix for CVE-2010-4708
4
5Change default for user_readenv to 0 and document the
6new default for user_readenv.
7
8This fix is got from:
9http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env
10/pam_env.c?r1=1.22&r2=1.23&view=patch
11http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env
12/pam_env.8.xml?r1=1.7&r2=1.8&view=patch
13
14Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
15
16---
17--- a/modules/pam_env/pam_env.c 2012-09-05 13:57:47.000000000 +0800
18+++ b/modules/pam_env/pam_env.c 2012-09-05 13:58:05.000000000 +0800
19@@ -10,7 +10,7 @@
20 #define DEFAULT_READ_ENVFILE 1
21
22 #define DEFAULT_USER_ENVFILE ".pam_environment"
23-#define DEFAULT_USER_READ_ENVFILE 1
24+#define DEFAULT_USER_READ_ENVFILE 0
25
26 #include "config.h"
27
28--- a/modules/pam_env/pam_env.8.xml 2012-09-05 13:58:24.000000000 +0800
29+++ b/modules/pam_env/pam_env.8.xml 2012-09-05 13:59:36.000000000 +0800
30@@ -147,7 +147,10 @@
31 <listitem>
32 <para>
33 Turns on or off the reading of the user specific environment
34- file. 0 is off, 1 is on. By default this option is on.
35+ file. 0 is off, 1 is on. By default this option is off as user
36+ supplied environment variables in the PAM environment could affect
37+ behavior of subsequent modules in the stack without the consent
38+ of the system administrator.
39 </para>
40 </listitem>
41 </varlistentry>
diff --git a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
index b285e96c27..423267f707 100644
--- a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
+++ b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
@@ -1,6 +1,9 @@
1Debian patch to add a new 'nullok_secure' option to pam_unix, which 1From 9bdc197474795f2d000c2bc04f58f7cef8898f21 Mon Sep 17 00:00:00 2001
2accepts users with null passwords only when the applicant is connected 2From: Amarnath Valluri <amarnath.valluri@intel.com>
3from a tty listed in /etc/securetty. 3Date: Wed, 15 Jul 2015 13:07:20 +0300
4Subject: [PATCH] Debian patch to add a new 'nullok_secure' option to pam_unix,
5 which accepts users with null passwords only when the applicant is connected
6 from a tty listed in /etc/securetty.
4 7
5Authors: Sam Hartman <hartmans@debian.org>, 8Authors: Sam Hartman <hartmans@debian.org>,
6 Steve Langasek <vorlon@debian.org> 9 Steve Langasek <vorlon@debian.org>
@@ -8,10 +11,24 @@ Authors: Sam Hartman <hartmans@debian.org>,
8Upstream-Status: Pending 11Upstream-Status: Pending
9 12
10Signed-off-by: Ming Liu <ming.liu@windriver.com> 13Signed-off-by: Ming Liu <ming.liu@windriver.com>
11=================================================================== 14
12diff -urpN a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am 15v2:
13--- a/modules/pam_unix/Makefile.am 2013-07-05 09:51:31.014483164 +0800 16 - Forward ported from v1.1.6 to v1.2.1
14+++ b/modules/pam_unix/Makefile.am 2013-07-05 10:26:12.884484000 +0800 17
18Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
19---
20 modules/pam_unix/Makefile.am | 3 ++-
21 modules/pam_unix/README | 11 ++++++++++-
22 modules/pam_unix/pam_unix.8 | 9 ++++++++-
23 modules/pam_unix/pam_unix.8.xml | 19 ++++++++++++++++++-
24 modules/pam_unix/support.c | 40 +++++++++++++++++++++++++++++++++++-----
25 modules/pam_unix/support.h | 8 ++++++--
26 6 files changed, 79 insertions(+), 11 deletions(-)
27
28diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
29index 56ed591..9a372ac 100644
30--- a/modules/pam_unix/Makefile.am
31+++ b/modules/pam_unix/Makefile.am
15@@ -30,7 +30,8 @@ if HAVE_VERSIONING 32@@ -30,7 +30,8 @@ if HAVE_VERSIONING
16 pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map 33 pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
17 endif 34 endif
@@ -22,10 +39,33 @@ diff -urpN a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
22 39
23 securelib_LTLIBRARIES = pam_unix.la 40 securelib_LTLIBRARIES = pam_unix.la
24 41
25diff -urpN a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8 42diff --git a/modules/pam_unix/README b/modules/pam_unix/README
26--- a/modules/pam_unix/pam_unix.8 2013-07-05 09:52:16.825108201 +0800 43index 3935dba..7880d91 100644
27+++ b/modules/pam_unix/pam_unix.8 2013-07-05 10:28:34.724483774 +0800 44--- a/modules/pam_unix/README
28@@ -220,7 +220,14 @@ A little more extreme than debug\&. 45+++ b/modules/pam_unix/README
46@@ -67,7 +67,16 @@ nullok
47
48 The default action of this module is to not permit the user access to a
49 service if their official password is blank. The nullok argument overrides
50- this default.
51+ this default and allows any user with a blank password to access the
52+ service.
53+
54+nullok_secure
55+
56+ The default action of this module is to not permit the user access to a
57+ service if their official password is blank. The nullok_secure argument
58+ overrides this default and allows any user with a blank password to access
59+ the service as long as the value of PAM_TTY is set to one of the values
60+ found in /etc/securetty.
61
62 try_first_pass
63
64diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
65index 339178b..a4bd906 100644
66--- a/modules/pam_unix/pam_unix.8
67+++ b/modules/pam_unix/pam_unix.8
68@@ -92,7 +92,14 @@ Turns off informational messages namely messages about session open and close vi
29 .RS 4 69 .RS 4
30 The default action of this module is to not permit the user access to a service if their official password is blank\&. The 70 The default action of this module is to not permit the user access to a service if their official password is blank\&. The
31 \fBnullok\fR 71 \fBnullok\fR
@@ -41,10 +81,11 @@ diff -urpN a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
41 .RE 81 .RE
42 .PP 82 .PP
43 \fBtry_first_pass\fR 83 \fBtry_first_pass\fR
44diff -urpN a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml 84diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
45--- a/modules/pam_unix/pam_unix.8.xml 2013-07-05 09:52:38.775108523 +0800 85index a8b64bb..1ced6f4 100644
46+++ b/modules/pam_unix/pam_unix.8.xml 2013-07-05 10:30:23.084483630 +0800 86--- a/modules/pam_unix/pam_unix.8.xml
47@@ -135,7 +135,24 @@ 87+++ b/modules/pam_unix/pam_unix.8.xml
88@@ -159,7 +159,24 @@
48 <para> 89 <para>
49 The default action of this module is to not permit the 90 The default action of this module is to not permit the
50 user access to a service if their official password is blank. 91 user access to a service if their official password is blank.
@@ -70,36 +111,15 @@ diff -urpN a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
70 </para> 111 </para>
71 </listitem> 112 </listitem>
72 </varlistentry> 113 </varlistentry>
73diff -urpN a/modules/pam_unix/README b/modules/pam_unix/README 114diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
74--- a/modules/pam_unix/README 2013-07-05 09:51:52.205107846 +0800 115index abccd82..2361957 100644
75+++ b/modules/pam_unix/README 2013-07-05 10:27:10.774484537 +0800 116--- a/modules/pam_unix/support.c
76@@ -57,7 +57,16 @@ nullok 117+++ b/modules/pam_unix/support.c
77 118@@ -189,13 +189,22 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
78 The default action of this module is to not permit the user access to a
79 service if their official password is blank. The nullok argument overrides
80- this default.
81+ this default and allows any user with a blank password to access the
82+ service.
83+
84+nullok_secure
85+
86+ The default action of this module is to not permit the user access to a
87+ service if their official password is blank. The nullok_secure argument
88+ overrides this default and allows any user with a blank password to access
89+ the service as long as the value of PAM_TTY is set to one of the values
90+ found in /etc/securetty.
91
92 try_first_pass
93
94diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c
95--- a/modules/pam_unix/support.c 2013-07-05 09:50:49.134482523 +0800
96+++ b/modules/pam_unix/support.c 2013-07-05 09:56:26.924484267 +0800
97@@ -84,14 +84,22 @@ int _set_ctrl(pam_handle_t *pamh, int fl
98 /* now parse the arguments to this module */ 119 /* now parse the arguments to this module */
99 120
100 for (; argc-- > 0; ++argv) { 121 for (; argc-- > 0; ++argv) {
101- int j; 122+ int sl;
102+ int j, sl;
103 123
104 D(("pam_unix arg: %s", *argv)); 124 D(("pam_unix arg: %s", *argv));
105 125
@@ -108,48 +128,46 @@ diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c
108- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) { 128- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) {
109- break; 129- break;
110+ if (unix_args[j].token) { 130+ if (unix_args[j].token) {
111+ sl = strlen(unix_args[j].token); 131+ sl = strlen(unix_args[j].token);
112+ if (unix_args[j].token[sl-1] == '=') { 132+ if (unix_args[j].token[sl-1] == '=') {
113+ /* exclude argument from comparison */ 133+ /* exclude argument from comparison */
114+ if (!strncmp(*argv, unix_args[j].token, sl)) 134+ if (!strncmp(*argv, unix_args[j].token, sl))
115+ break; 135+ break;
116+ } else { 136+ } else {
117+ /* compare full strings */ 137+ /* compare full strings */
118+ if (!strcmp(*argv, unix_args[j].token)) 138+ if (!strcmp(*argv, unix_args[j].token))
119+ break; 139+ break;
120+ } 140+ }
121 } 141 }
122 } 142 }
123 143
124@@ -461,6 +469,7 @@ static int _unix_run_helper_binary(pam_h 144@@ -566,6 +575,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
125 child = fork();
126 if (child == 0) { 145 if (child == 0) {
127 int i=0;
128+ int nullok = off(UNIX__NONULL, ctrl);
129 struct rlimit rlim;
130 static char *envp[] = { NULL }; 146 static char *envp[] = { NULL };
131 char *args[] = { NULL, NULL, NULL, NULL }; 147 const char *args[] = { NULL, NULL, NULL, NULL };
132@@ -488,7 +497,18 @@ static int _unix_run_helper_binary(pam_h 148+ int nullok = off(UNIX__NONULL, ctrl);
149
150 /* XXX - should really tidy up PAM here too */
151
152@@ -593,7 +603,16 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
133 /* exec binary helper */ 153 /* exec binary helper */
134 args[0] = strdup(CHKPWD_HELPER); 154 args[0] = CHKPWD_HELPER;
135 args[1] = x_strdup(user); 155 args[1] = user;
136- if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */ 156- if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */
137+
138+ if (on(UNIX_NULLOK_SECURE, ctrl)) { 157+ if (on(UNIX_NULLOK_SECURE, ctrl)) {
139+ const void *uttyname; 158+ const void *uttyname;
140+ retval = pam_get_item(pamh, PAM_TTY, &uttyname); 159+ retval = pam_get_item(pamh, PAM_TTY, &uttyname);
141+ if (retval != PAM_SUCCESS || uttyname == NULL 160+ if (retval != PAM_SUCCESS || uttyname == NULL
142+ || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) 161+ || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) {
143+ { 162+ nullok = 0;
144+ nullok = 0; 163+ }
145+ }
146+ } 164+ }
147+ 165+
148+ if (nullok) { 166+ if (nullok) {
149 args[2]=strdup("nullok"); 167 args[2]="nullok";
150 } else { 168 } else {
151 args[2]=strdup("nonull"); 169 args[2]="nonull";
152@@ -567,6 +587,17 @@ _unix_blankpasswd (pam_handle_t *pamh, u 170@@ -678,6 +697,17 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name)
153 if (on(UNIX__NONULL, ctrl)) 171 if (on(UNIX__NONULL, ctrl))
154 return 0; /* will fail but don't let on yet */ 172 return 0; /* will fail but don't let on yet */
155 173
@@ -167,56 +185,56 @@ diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c
167 /* UNIX passwords area */ 185 /* UNIX passwords area */
168 186
169 retval = get_pwd_hash(pamh, name, &pwd, &salt); 187 retval = get_pwd_hash(pamh, name, &pwd, &salt);
170@@ -653,7 +684,8 @@ int _unix_verify_password(pam_handle_t * 188@@ -764,7 +794,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
171 } 189 }
172 } 190 }
173 } else { 191 } else {
174- retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl)); 192- retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl));
175+ retval = verify_pwd_hash(p, salt, 193+ retval = verify_pwd_hash(p, salt, _unix_blankpasswd(pamh, ctrl, name));
176+ _unix_blankpasswd(pamh, ctrl, name));
177 } 194 }
178 195
179 if (retval == PAM_SUCCESS) { 196 if (retval == PAM_SUCCESS) {
180diff -urpN a/modules/pam_unix/support.h b/modules/pam_unix/support.h 197diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
181--- a/modules/pam_unix/support.h 2013-07-05 09:51:10.385107934 +0800 198index 3729ce0..43cdbea 100644
182+++ b/modules/pam_unix/support.h 2013-07-05 10:23:54.815107842 +0800 199--- a/modules/pam_unix/support.h
183@@ -90,8 +90,9 @@ typedef struct { 200+++ b/modules/pam_unix/support.h
184 password hash algorithms */ 201@@ -99,8 +99,9 @@ typedef struct {
185 #define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
186 #define UNIX_MIN_PASS_LEN 27 /* min length for password */ 202 #define UNIX_MIN_PASS_LEN 27 /* min length for password */
187+#define UNIX_NULLOK_SECURE 28 /* NULL passwords allowed only on secure ttys */ 203 #define UNIX_QUIET 28 /* Don't print informational messages */
204 #define UNIX_DES 29 /* DES, default */
205+#define UNIX_NULLOK_SECURE 30 /* NULL passwords allowed only on secure ttys */
188 /* -------------- */ 206 /* -------------- */
189-#define UNIX_CTRLS_ 28 /* number of ctrl arguments defined */ 207-#define UNIX_CTRLS_ 30 /* number of ctrl arguments defined */
190+#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */ 208+#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */
191 209
192 #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)) 210 #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
193 211
194@@ -109,7 +110,7 @@ static const UNIX_Ctrls unix_args[UNIX_C 212@@ -118,7 +119,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
195 /* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100}, 213 /* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100, 0},
196 /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200}, 214 /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0},
197 /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400}, 215 /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0},
198-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000}, 216-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
199+/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x10000000), 0x200}, 217+/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x10000000), 0200, 0},
200 /* UNIX__QUIET */ {NULL, _ALL_ON_, 02000}, 218 /* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
201 /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000}, 219 /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
202 /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000}, 220 /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
203@@ -127,7 +128,8 @@ static const UNIX_Ctrls unix_args[UNIX_C 221@@ -139,6 +140,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
204 /* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000}, 222 /* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
205 /* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000}, 223 /* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
206 /* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000}, 224 /* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1},
207-/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000}, 225+/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200), 0x10000000, 0},
208+/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000},
209+/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200), 0x10000000},
210 }; 226 };
211 227
212 #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) 228 #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
213@@ -163,6 +165,9 @@ extern int _unix_read_password(pam_handl 229@@ -171,6 +173,8 @@ extern int _unix_read_password(pam_handle_t * pamh
230 ,const char *prompt2
214 ,const char *data_name 231 ,const char *data_name
215 ,const void **pass); 232 ,const void **pass);
216
217+extern int _pammodutil_tty_secure(const pam_handle_t *pamh, 233+extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
218+ const char *uttyname); 234+ const char *uttyname);
219+ 235
220 extern int _unix_run_verify_binary(pam_handle_t *pamh, 236 extern int _unix_run_verify_binary(pam_handle_t *pamh,
221 unsigned int ctrl, const char *user, int *daysleft); 237 unsigned int ctrl, const char *user, int *daysleft);
222 #endif /* _PAM_UNIX_SUPPORT_H */ 238--
2392.1.4
240
diff --git a/meta/recipes-extended/pam/libpam/pam_timestamp-fix-potential-directory-traversal-issu.patch b/meta/recipes-extended/pam/libpam/pam_timestamp-fix-potential-directory-traversal-issu.patch
deleted file mode 100644
index 06cca13abe..0000000000
--- a/meta/recipes-extended/pam/libpam/pam_timestamp-fix-potential-directory-traversal-issu.patch
+++ /dev/null
@@ -1,63 +0,0 @@
1From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
2From: "Dmitry V. Levin" <ldv@altlinux.org>
3Date: Wed, 26 Mar 2014 22:17:23 +0000
4Subject: [PATCH] pam_timestamp: fix potential directory traversal issue
5 (ticket #27)
6
7commit 9dcead87e6d7f66d34e7a56d11a30daca367dffb upstream
8
9pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
10the timestamp pathname it creates, so extra care should be taken to
11avoid potential directory traversal issues.
12
13* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
14"." and ".." tty values as invalid.
15(get_ruser): Treat "." and ".." ruser values, as well as any ruser
16value containing '/', as invalid.
17
18Fixes CVE-2014-2583.
19
20Reported-by: Sebastian Krahmer <krahmer@suse.de>
21
22Upstream-Status: Backport
23
24Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
25Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
26---
27 modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++-
28 1 files changed, 12 insertions(+), 1 deletions(-)
29
30diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
31index 5193733..b3f08b1 100644
32--- a/modules/pam_timestamp/pam_timestamp.c
33+++ b/modules/pam_timestamp/pam_timestamp.c
34@@ -158,7 +158,7 @@ check_tty(const char *tty)
35 tty = strrchr(tty, '/') + 1;
36 }
37 /* Make sure the tty wasn't actually a directory (no basename). */
38- if (strlen(tty) == 0) {
39+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
40 return NULL;
41 }
42 return tty;
43@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
44 if (pwd != NULL) {
45 ruser = pwd->pw_name;
46 }
47+ } else {
48+ /*
49+ * This ruser is used by format_timestamp_name as a component
50+ * of constructed timestamp pathname, so ".", "..", and '/'
51+ * are disallowed to avoid potential path traversal issues.
52+ */
53+ if (!strcmp(ruser, ".") ||
54+ !strcmp(ruser, "..") ||
55+ strchr(ruser, '/')) {
56+ ruser = NULL;
57+ }
58 }
59 if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
60 *ruserbuf = '\0';
61--
621.7.5.4
63
diff --git a/meta/recipes-extended/pam/libpam/reflect-the-enforce_for_root-semantics-change-in-pam.patch b/meta/recipes-extended/pam/libpam/reflect-the-enforce_for_root-semantics-change-in-pam.patch
deleted file mode 100644
index c13535ecc2..0000000000
--- a/meta/recipes-extended/pam/libpam/reflect-the-enforce_for_root-semantics-change-in-pam.patch
+++ /dev/null
@@ -1,35 +0,0 @@
1Backport from linux-pam git repo.
2
3[YOCTO #4107]
4
5Upstream-Status: Backport
6
7Signed-off-by: Kang Kai <kai.kang@windriver.com>
8
9From bd07ad3adc626f842a4391d256541883426fd389 Mon Sep 17 00:00:00 2001
10From: Tomas Mraz <tmraz@fedoraproject.org>
11Date: Tue, 13 Nov 2012 09:19:05 +0100
12Subject: [PATCH] Reflect the enforce_for_root semantics change in
13 pam_pwhistory xtest.
14
15xtests/tst-pam_pwhistory1.pamd: Use enforce_for_root as the test is
16running with real uid == 0.
17---
18 xtests/tst-pam_pwhistory1.pamd | 2 +-
19 1 file changed, 1 insertion(+), 1 deletion(-)
20
21diff --git a/xtests/tst-pam_pwhistory1.pamd b/xtests/tst-pam_pwhistory1.pamd
22index 68e1b94..d60db7c 100644
23--- a/xtests/tst-pam_pwhistory1.pamd
24+++ b/xtests/tst-pam_pwhistory1.pamd
25@@ -1,6 +1,6 @@
26 #%PAM-1.0
27 auth required pam_permit.so
28 account required pam_permit.so
29-password required pam_pwhistory.so remember=10 retry=1
30+password required pam_pwhistory.so remember=10 retry=1 enforce_for_root
31 password required pam_unix.so use_authtok md5
32 session required pam_permit.so
33--
341.7.11.7
35
diff --git a/meta/recipes-extended/pam/libpam_1.1.6.bb b/meta/recipes-extended/pam/libpam_1.2.1.bb
index d347bdc43b..ac3097ef7c 100644
--- a/meta/recipes-extended/pam/libpam_1.1.6.bb
+++ b/meta/recipes-extended/pam/libpam_1.2.1.bb
@@ -18,19 +18,15 @@ SRC_URI = "http://linux-pam.org/library/Linux-PAM-${PV}.tar.bz2 \
18 file://pam.d/common-session-noninteractive \ 18 file://pam.d/common-session-noninteractive \
19 file://pam.d/other \ 19 file://pam.d/other \
20 file://libpam-xtests.patch \ 20 file://libpam-xtests.patch \
21 file://destdirfix.patch \
22 file://fixsepbuild.patch \ 21 file://fixsepbuild.patch \
23 file://reflect-the-enforce_for_root-semantics-change-in-pam.patch \
24 file://add-checks-for-crypt-returning-NULL.patch \
25 file://libpam-fix-for-CVE-2010-4708.patch \
26 file://pam-security-abstract-securetty-handling.patch \ 22 file://pam-security-abstract-securetty-handling.patch \
27 file://pam-unix-nullok-secure.patch \ 23 file://pam-unix-nullok-secure.patch \
28 file://pam_timestamp-fix-potential-directory-traversal-issu.patch \
29 file://libpam-xtests-remove-bash-dependency.patch \ 24 file://libpam-xtests-remove-bash-dependency.patch \
30 file://crypt_configure.patch \ 25 file://crypt_configure.patch \
31 " 26 "
32SRC_URI[md5sum] = "7b73e58b7ce79ffa321d408de06db2c4" 27
33SRC_URI[sha256sum] = "bab887d6280f47fc3963df3b95735a27a16f0f663636163ddf3acab5f1149fc2" 28SRC_URI[md5sum] = "9dc53067556d2dd567808fd509519dd6"
29SRC_URI[sha256sum] = "342b1211c0d3b203a7df2540a5b03a428a087bd8a48c17e49ae268f992b334d9"
34 30
35SRC_URI_append_libc-uclibc = " file://pam-no-innetgr.patch" 31SRC_URI_append_libc-uclibc = " file://pam-no-innetgr.patch"
36SRC_URI_append_libc-musl = " file://pam-no-innetgr.patch" 32SRC_URI_append_libc-musl = " file://pam-no-innetgr.patch"