4 files changed, 2 insertions, 88 deletions
diff --git a/meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch b/meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch
deleted file mode 100644
index 2d15ff0673..0000000000
--- a/meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 0d0aded7307a9f4ee0d299951512acd18b3e029e Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin <alex.kanavin@gmail.com>
-Date: Wed, 4 Dec 2019 19:28:48 +0100
-Subject: [PATCH] Do not check for validity of shell executable.
-This kind of check fails when building a rootfs.
-Upstream-Status: Inappropriate [oe-core specific]
-Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
---
- src/useradd.c | 5 +----
- 1 file changed, 1 insertion(+), 4 deletions(-)
-diff --git a/src/useradd.c b/src/useradd.c
-index 4af0f7c..898fe02 100644
--- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -1328,10 +1328,7 @@ static void process_flags (int argc, char **argv)
-                                if (   ( !VALID (optarg) )
-                                    || (   ('\0' != optarg[0])
-                                        && ('/'  != optarg[0])
-                                       && ('*'  != optarg[0]) )
-                                   || (stat(optarg, &st) != 0)
-                                   || (S_ISDIR(st.st_mode))
-                                   || (access(optarg, X_OK) != 0)) {
-+                                       && ('*'  != optarg[0]) )) {
-                                        fprintf (stderr,
-                                                 _("%s: invalid shell '%s'\n"),
-                                                 Prog, optarg);
diff --git a/meta/recipes-extended/shadow/files/CVE-2019-19882.patch b/meta/recipes-extended/shadow/files/CVE-2019-19882.patch
deleted file mode 100644
index 894d867680..0000000000
--- a/meta/recipes-extended/shadow/files/CVE-2019-19882.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 66b7bc0dcfda12d7f58eba993bd02872cae1d713 Mon Sep 17 00:00:00 2001
-From: Dave Reisner <dreisner@archlinux.org>
-Date: Mon, 16 Dec 2019 14:11:23 -0500
-Subject: [PATCH] Don't auto-enable ACCT_TOOLS_SETUID if PAM is detected
-Here's a sad story:
-* 70971457 is merged into shadow, allowing newgidmap/newuidmap to be
-installed with file caps rather than setuid.
-* https://bugs.archlinux.org/task/63248 is filed to take advantage of
-this.
-* The arch maintainer of the 'shadow' package notices that this doesn't
-work, and submits a pull request to fix this in shadow.
-* edf7547ad5 is merged, fixing the post install hooks.
-The problem here is that distros have been building shadow with PAM for
-O(years), but the install hooks have silently failed due to the
-combination of the directory mismatch (suidubins vs suidsbins) and later
-success with setuid'ing newgidmap/newuidmap.
-With the install hooks fixed, those of us (Arch[1] and Gentoo[2] so far)
-who never built shadow explicitly with --enable-account-tools-setuid are
-now getting setuid account tools, and don't have PAM configuration
-suitable for use with setuid account management tools.
-It's entirely unclear to me why you'd want this, but I assume there's
-some reason out there for it existing. Regardless, setuid binaries are
-dangerous and shouldn't be enabled by default without good reason.
-[1] https://bugs.archlinux.org/task/64836
-[2] https://bugs.gentoo.org/702252
-Upstream-Status: Backport
-CVE: CVE-2019-19882
-Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/configure.ac b/configure.ac
-index e3ed3b43..d6e2bfbd 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -226,7 +226,7 @@ AC_ARG_ENABLE(account-tools-setuid,
-           *) AC_MSG_ERROR(bad value ${enableval} for --enable-account-tools-setuid)
-           ;;
-         esac],
-       [enable_acct_tools_setuid="maybe"]
-+       [enable_acct_tools_setuid="no"]
- )
- 
- AC_ARG_ENABLE(utmpx,
-- 
-2.17.1
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index 3bfa39e6ff..f86e5e03c0 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -13,7 +13,6 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.
           file://shadow-4.1.3-dots-in-usernames.patch \
           ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
           file://shadow-relaxed-usernames.patch \
-           file://CVE-2019-19882.patch \
           "
 SRC_URI_append_class-target = " \
@@ -25,14 +24,13 @@ SRC_URI_append_class-native = " \
           file://0001-Disable-use-of-syslog-for-sysroot.patch \
           file://0002-Allow-for-setting-password-in-clear-text.patch \
           file://commonio.c-fix-unexpected-open-failure-in-chroot-env.patch \
-           file://0001-Do-not-check-for-validity-of-shell-executable.patch \
           "
 SRC_URI_append_class-nativesdk = " \
           file://0001-Disable-use-of-syslog-for-sysroot.patch \
           "
-SRC_URI[md5sum] = "017ac773ba370bc28e157cee30dad71a"
+SRC_URI[md5sum] = "3d97f11e66bfb0b14702b115fa8be480"
-SRC_URI[sha256sum] = "82016d65317555fc8ce9e669eb187984d8d4b1f8ecda0769f4bc5412aed326e4"
+SRC_URI[sha256sum] = "3ee3081fbbcbcfea5c8916419e46bc724807bab271072104f23e7a29e9668f3a"
 # Additional Policy files for PAM
 PAM_SRC_URI = "file://pam.d/chfn \
diff --git a/meta/recipes-extended/shadow/shadow_4.8.bb b/meta/recipes-extended/shadow/shadow_4.8.1.bb
index c975395ff8..c975395ff8 100644
--- a/meta/recipes-extended/shadow/shadow_4.8.bb
+++ b/meta/recipes-extended/shadow/shadow_4.8.1.bb

diff --git a/meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch b/meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch deleted file mode 100644 index 2d15ff0673..0000000000 --- a/meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch +++ /dev/null
@@ -1,29 +0,0 @@
1	From 0d0aded7307a9f4ee0d299951512acd18b3e029e Mon Sep 17 00:00:00 2001
2	From: Alexander Kanavin <alex.kanavin@gmail.com>
3	Date: Wed, 4 Dec 2019 19:28:48 +0100
4	Subject: [PATCH] Do not check for validity of shell executable.
5
6	This kind of check fails when building a rootfs.
7
8	Upstream-Status: Inappropriate [oe-core specific]
9	Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
10	---
11	src/useradd.c \| 5 +----
12	1 file changed, 1 insertion(+), 4 deletions(-)
13
14	diff --git a/src/useradd.c b/src/useradd.c
15	index 4af0f7c..898fe02 100644
16	--- a/src/useradd.c
17	+++ b/src/useradd.c
18	@@ -1328,10 +1328,7 @@ static void process_flags (int argc, char **argv)
19	if ( ( !VALID (optarg) )
20	\|\| ( ('\0' != optarg[0])
21	&& ('/' != optarg[0])
22	- && ('*' != optarg[0]) )
23	- \|\| (stat(optarg, &st) != 0)
24	- \|\| (S_ISDIR(st.st_mode))
25	- \|\| (access(optarg, X_OK) != 0)) {
26	+ && ('*' != optarg[0]) )) {
27	fprintf (stderr,
28	_("%s: invalid shell '%s'\n"),
29	Prog, optarg);


diff --git a/meta/recipes-extended/shadow/files/CVE-2019-19882.patch b/meta/recipes-extended/shadow/files/CVE-2019-19882.patch deleted file mode 100644 index 894d867680..0000000000 --- a/meta/recipes-extended/shadow/files/CVE-2019-19882.patch +++ /dev/null
@@ -1,55 +0,0 @@
1	From 66b7bc0dcfda12d7f58eba993bd02872cae1d713 Mon Sep 17 00:00:00 2001
2	From: Dave Reisner <dreisner@archlinux.org>
3	Date: Mon, 16 Dec 2019 14:11:23 -0500
4	Subject: [PATCH] Don't auto-enable ACCT_TOOLS_SETUID if PAM is detected
5
6	Here's a sad story:
7
8	* 70971457 is merged into shadow, allowing newgidmap/newuidmap to be
9	installed with file caps rather than setuid.
10	* https://bugs.archlinux.org/task/63248 is filed to take advantage of
11	this.
12	* The arch maintainer of the 'shadow' package notices that this doesn't
13	work, and submits a pull request to fix this in shadow.
14	* edf7547ad5 is merged, fixing the post install hooks.
15
16	The problem here is that distros have been building shadow with PAM for
17	O(years), but the install hooks have silently failed due to the
18	combination of the directory mismatch (suidubins vs suidsbins) and later
19	success with setuid'ing newgidmap/newuidmap.
20
21	With the install hooks fixed, those of us (Arch[1] and Gentoo[2] so far)
22	who never built shadow explicitly with --enable-account-tools-setuid are
23	now getting setuid account tools, and don't have PAM configuration
24	suitable for use with setuid account management tools.
25
26	It's entirely unclear to me why you'd want this, but I assume there's
27	some reason out there for it existing. Regardless, setuid binaries are
28	dangerous and shouldn't be enabled by default without good reason.
29
30	[1] https://bugs.archlinux.org/task/64836
31	[2] https://bugs.gentoo.org/702252
32
33	Upstream-Status: Backport
34	CVE: CVE-2019-19882
35	Signed-off-by: Li Zhou <li.zhou@windriver.com>
36	---
37	configure.ac \| 2 +-
38	1 file changed, 1 insertion(+), 1 deletion(-)
39
40	diff --git a/configure.ac b/configure.ac
41	index e3ed3b43..d6e2bfbd 100644
42	--- a/configure.ac
43	+++ b/configure.ac
44	@@ -226,7 +226,7 @@ AC_ARG_ENABLE(account-tools-setuid,
45	*) AC_MSG_ERROR(bad value ${enableval} for --enable-account-tools-setuid)
46	;;
47	esac],
48	- [enable_acct_tools_setuid="maybe"]
49	+ [enable_acct_tools_setuid="no"]
50	)
51
52	AC_ARG_ENABLE(utmpx,
53	--
54	2.17.1
55


diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index 3bfa39e6ff..f86e5e03c0 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc
@@ -13,7 +13,6 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.
13	file://shadow-4.1.3-dots-in-usernames.patch \	13	file://shadow-4.1.3-dots-in-usernames.patch \
14	${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \	14	${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
15	file://shadow-relaxed-usernames.patch \	15	file://shadow-relaxed-usernames.patch \
16	file://CVE-2019-19882.patch \
17	"	16	"
18		17
19	SRC_URI_append_class-target = " \	18	SRC_URI_append_class-target = " \
@@ -25,14 +24,13 @@ SRC_URI_append_class-native = " \
25	file://0001-Disable-use-of-syslog-for-sysroot.patch \	24	file://0001-Disable-use-of-syslog-for-sysroot.patch \
26	file://0002-Allow-for-setting-password-in-clear-text.patch \	25	file://0002-Allow-for-setting-password-in-clear-text.patch \
27	file://commonio.c-fix-unexpected-open-failure-in-chroot-env.patch \	26	file://commonio.c-fix-unexpected-open-failure-in-chroot-env.patch \
28	file://0001-Do-not-check-for-validity-of-shell-executable.patch \
29	"	27	"
30	SRC_URI_append_class-nativesdk = " \	28	SRC_URI_append_class-nativesdk = " \
31	file://0001-Disable-use-of-syslog-for-sysroot.patch \	29	file://0001-Disable-use-of-syslog-for-sysroot.patch \
32	"	30	"
33		31
34	SRC_URI[md5sum] = "017ac773ba370bc28e157cee30dad71a"	32	SRC_URI[md5sum] = "3d97f11e66bfb0b14702b115fa8be480"
35	SRC_URI[sha256sum] = "82016d65317555fc8ce9e669eb187984d8d4b1f8ecda0769f4bc5412aed326e4"	33	SRC_URI[sha256sum] = "3ee3081fbbcbcfea5c8916419e46bc724807bab271072104f23e7a29e9668f3a"
36		34
37	# Additional Policy files for PAM	35	# Additional Policy files for PAM
38	PAM_SRC_URI = "file://pam.d/chfn \	36	PAM_SRC_URI = "file://pam.d/chfn \


diff --git a/meta/recipes-extended/shadow/shadow_4.8.bb b/meta/recipes-extended/shadow/shadow_4.8.1.bb index c975395ff8..c975395ff8 100644 --- a/meta/recipes-extended/shadow/shadow_4.8.bb +++ b/meta/recipes-extended/shadow/shadow_4.8.1.bb