Diffstat (limited to 'meta/recipes-extended/shadow')
6 files changed, 277 insertions, 2 deletions
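--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
@@ -0,0 +1,66 @@
+From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 31 Mar 2023 14:46:50 +0200
+Subject: [PATCH] Overhaul valid_field()
+
+e5905c4b ("Added control character check") introduced checking for
+control characters but had the logic inverted, so it rejects all
+characters that are not control ones.
+
+Cast the character to `unsigned char` before passing to the character
+checking functions to avoid UB.
+
+Use strpbrk(3) for the illegal character test and return early.
+
+Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4]
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+lib/fields.c | 24 ++++++++++--------------
+1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index fb51b582..53929248 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal)
+
+/* For each character of field, search if it appears in the list
+* of illegal characters. */
++ if (illegal && NULL != strpbrk (field, illegal)) {
++ return -1;
++ }
++
++ /* Search if there are non-printable or control characters */
+for (cp = field; '\0' != *cp; cp++) {
+- if (strchr (illegal, *cp) != NULL) {
++ unsigned char c = *cp;
++ if (!isprint (c)) {
++ err = 1;
++ }
++ if (iscntrl (c)) {
+err = -1;
+break;
+}
+}
+
+- if (0 == err) {
+- /* Search if there are non-printable or control characters */
+- for (cp = field; '\0' != *cp; cp++) {
+- if (!isprint (*cp)) {
+- err = 1;
+- }
+- if (!iscntrl (*cp)) {
+- err = -1;
+- break;
+- }
+- }
+- }
+-
+return err;
+}
+
+--
+2.34.1
+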
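--- /dev/null
+++ b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
@@ -0,0 +1,54 @@
+From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +0000
+Subject: [PATCH] Added control character check
+
+Added control character check, returning -1 (to "err") if control characters are present.
+
+CVE: CVE-2023-29383
+Upstream-Status: Backport
+
+Reference to upstream:
+https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+lib/fields.c | 11 +++++++----
+1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index 640be931..fb51b582 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -21,9 +21,9 @@
+*
+* The supplied field is scanned for non-printable and other illegal
+* characters.
+- * + -1 is returned if an illegal character is present.
+- * + 1 is returned if no illegal characters are present, but the field
+- * contains a non-printable character.
++ * + -1 is returned if an illegal or control character is present.
++ * + 1 is returned if no illegal or control characters are present,
++ * but the field contains a non-printable character.
+* + 0 is returned otherwise.
+*/
+int valid_field (const char *field, const char *illegal)
+@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal)
+}
+
+if (0 == err) {
+- /* Search if there are some non-printable characters */
++ /* Search if there are non-printable or control characters */
+for (cp = field; '\0' != *cp; cp++) {
+if (!isprint (*cp)) {
+err = 1;
++ }
++ if (!iscntrl (*cp)) {
++ err = -1;
+break;
+}
+}
+--
+2.34.1
+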
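Review bot: The added check `if (!iscntrl (*cp))` in the second hunk is inverted: it sets err = -1 and breaks on the first character that is not a control character, so with only this patch applied valid_field() rejects every field that contains a printable character; in addition `isprint (*cp)` and `iscntrl (*cp)` are handed a plain char, which is undefined behaviour for bytes with the high bit set. Both problems are repaired by 0001-Overhaul-valid_field.patch added in the same commit, so the build is only correct when that patch follows this one. The patch header should record that, e.g. add after the Upstream-Status line: `Note: the iscntrl() check in this commit is inverted; 0001-Overhaul-valid_field.patch (upstream 2eaea701) is required on top.` valid_field()'s body starts before and continues after the second hunk, so the remaining paths are not visible here.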
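--- /dev/null
+++ b/meta/recipes-extended/shadow/files/CVE-2023-4641.patch
@@ -0,0 +1,146 @@
+From 51731b01fd9a608397da22b7b9164e4996f3d4c6 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar <alx@kernel.org>
+Date: Sat, 10 Jun 2023 16:20:05 +0200
+Subject: [PATCH] gpasswd(1): Fix password leak
+
+CVE: CVE-2023-4641
+Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904]
+
+How to trigger this password leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When gpasswd(1) asks for the new password, it asks twice (as is usual
+for confirming the new password). Each of those 2 password prompts
+uses agetpass() to get the password. If the second agetpass() fails,
+the first password, which has been copied into the 'static' buffer
+'pass' via STRFCPY(), wasn't being zeroed.
+
+agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
+can fail for any of the following reasons:
+
+- malloc(3) or readpassphrase(3) failure.
+
+These are going to be difficult to trigger. Maybe getting the system
+to the limits of memory utilization at that exact point, so that the
+next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
+About readpassphrase(3), ENFILE and EINTR seem the only plausible
+ones, and EINTR probably requires privilege or being the same user;
+but I wouldn't discard ENFILE so easily, if a process starts opening
+files.
+
+- The password is longer than PASS_MAX.
+
+The is plausible with physical access. However, at that point, a
+keylogger will be a much simpler attack.
+
+And, the attacker must be able to know when the second password is being
+introduced, which is not going to be easy.
+
+How to read the password after the leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Provoking the leak yourself at the right point by entering a very long
+password is easy, and inspecting the process stack at that point should
+be doable. Try to find some consistent patterns.
+
+Then, search for those patterns in free memory, right after the victim
+leaks their password.
+
+Once you get the leak, a program should read all the free memory
+searching for patterns that gpasswd(1) leaves nearby the leaked
+password.
+
+On 6/10/23 03:14, Seth Arnold wrote:
+> An attacker process wouldn't be able to use malloc(3) for this task.
+> There's a handful of tools available for userspace to allocate memory:
+>
+> - brk / sbrk
+> - mmap MAP_ANONYMOUS
+> - mmap /dev/zero
+> - mmap some other file
+> - shm_open
+> - shmget
+>
+> Most of these return only pages of zeros to a process. Using mmap of an
+> existing file, you can get some of the contents of the file demand-loaded
+> into the memory space on the first use.
+>
+> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
+> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare.
+>
+> malloc(3) doesn't zero memory, to our collective frustration, but all the
+> garbage in the allocations is from previous allocations in the current
+> process. It isn't leftover from other processes.
+>
+> The avenues available for reading the memory:
+> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
+> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
+> - ptrace (requires ptrace privileges, mediated by YAMA)
+> - causing memory to be swapped to disk, and then inspecting the swap
+>
+> These all require a certain amount of privileges.
+
+How to fix it?
+~~~~~~~~~~~~~~
+
+memzero(), which internally calls explicit_bzero(3), or whatever
+alternative the system provides with a slightly different name, will
+make sure that the buffer is zeroed in memory, and optimizations are not
+allowed to impede this zeroing.
+
+This is not really 100% effective, since compilers may place copies of
+the string somewhere hidden in the stack. Those copies won't get zeroed
+by explicit_bzero(3). However, that's arguably a compiler bug, since
+compilers should make everything possible to avoid optimizing strings
+that are later passed to explicit_bzero(3). But we all know that
+sometimes it's impossible to have perfect knowledge in the compiler, so
+this is plausible. Nevertheless, there's nothing we can do against such
+issues, except minimizing the time such passwords are stored in plain
+text.
+
+Security concerns
+~~~~~~~~~~~~~~~~~
+
+We believe this isn't easy to exploit. Nevertheless, and since the fix
+is trivial, this fix should probably be applied soon, and backported to
+all supported distributions, to prevent someone else having more
+imagination than us to find a way.
+
+Affected versions
+~~~~~~~~~~~~~~~~~
+
+All. Bug introduced in shadow 19990709. That's the second commit in
+the git history.
+
+Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
+Reported-by: Alejandro Colomar <alx@kernel.org>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: Iker Pedrosa <ipedrosa@redhat.com>
+Cc: Seth Arnold <seth.arnold@canonical.com>
+Cc: Christian Brauner <christian@brauner.io>
+Cc: Balint Reczey <rbalint@debian.org>
+Cc: Sam James <sam@gentoo.org>
+Cc: David Runge <dvzrv@archlinux.org>
+Cc: Andreas Jaeger <aj@suse.de>
+Cc: <~hallyn/shadow@lists.sr.ht>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+---
+src/gpasswd.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/src/gpasswd.c b/src/gpasswd.c
+index 4d75af96..a698b32a 100644
+--- a/src/gpasswd.c
++++ b/src/gpasswd.c
+@@ -918,6 +918,7 @@ static void change_passwd (struct group *gr)
+strzero (cp);
+cp = getpass (_("Re-enter new password: "));
+if (NULL == cp) {
++ memzero (pass, sizeof pass);
+exit (1);
+}
+
+--
+2.42.0
+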
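Review bot: The header names two different upstream ids for this change — the From line carries 51731b01fd9a608397da22b7b9164e4996f3d4c6 while Upstream-Status cites 65c88a43a23c2391dcc90c0abda3e839e9c57904 — and the message reasons about agetpass() while the hunk patches a getpass() call, so a reader cannot tell which commit was actually cherry-picked or that it was rebased onto this version. State it in the header, e.g. `Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/<id actually cherry-picked>]` plus one sentence noting that the 4.8.1 code still uses getpass(), so the agetpass() failure modes in the message apply only by analogy. change_passwd() starts before and continues after the hunk, so whether other early exits after the second prompt also clear `pass` cannot be checked from here.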
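--- a/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb
+++ b/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb
@@ -2,7 +2,7 @@ SUMMARY = "Shadow utils requirements for useradd.bbclass"
 HOMEPAGE = "http://github.com/shadow-maint/shadow"
 BUGTRACKER = "http://github.com/shadow-maint/shadow/issues"
 SECTION = "base utils"
-LICENSE = "BSD | Artistic-1.0"
+LICENSE = "BSD-3-Clause | Artistic-1.0"
 LIC_FILES_CHKSUM = "file://login.defs_shadow-sysroot;md5=25e2f2de4dfc8f966ac5cdfce45cd7d5"
 
 DEPENDS = "base-passwd"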
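--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -1,8 +1,9 @@
 SUMMARY = "Tools to change and administer password and group data"
 HOMEPAGE = "http://github.com/shadow-maint/shadow"
+DESCRIPTION = "${SUMMARY}"
 BUGTRACKER = "http://github.com/shadow-maint/shadow/issues"
 SECTION = "base/utils"
-LICENSE = "BSD | Artistic-1.0"
+LICENSE = "BSD-3-Clause | Artistic-1.0"
 LIC_FILES_CHKSUM = "file://COPYING;md5=ed80ff1c2b40843cf5768e5229cf16e5 \
 file://src/passwd.c;beginline=2;endline=30;md5=5720ff729a6ff39ecc9f64555d75f4af"
 
@@ -13,6 +14,9 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.
 file://shadow-4.1.3-dots-in-usernames.patch \
 ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
 file://shadow-relaxed-usernames.patch \
+file://CVE-2023-29383.patch \
+file://0001-Overhaul-valid_field.patch \
+file://CVE-2023-4641.patch \
 "
 
 SRC_URI_append_class-target = " \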
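Review bot: The three patches appended to SRC_URI in the second hunk are order-dependent — CVE-2023-29383.patch on its own leaves valid_field() with an inverted control-character check that 0001-Overhaul-valid_field.patch then corrects — yet nothing in the recipe records that, so a later reorder or a drop of the overhaul patch during an upgrade would silently reintroduce the regression. Add a comment ahead of the entries, e.g. `# CVE-2023-29383.patch alone inverts the iscntrl() check in valid_field(); 0001-Overhaul-valid_field.patch must be applied right after it.` The SRC_URI assignment begins before the hunk, so the rest of the patch list is not visible here.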
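--- a/meta/recipes-extended/shadow/shadow_4.8.1.bb
+++ b/meta/recipes-extended/shadow/shadow_4.8.1.bb
@@ -6,5 +6,10 @@ BUILD_LDFLAGS_append_class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p
 
 BBCLASSEXTEND = "native nativesdk"
 
+# Severity is low and marked as closed and won't fix.
+# https://bugzilla.redhat.com/show_bug.cgi?id=884658
+CVE_CHECK_WHITELIST += "CVE-2013-4235"
 
+# This is an issue for a different shadow
+CVE_CHECK_WHITELIST += "CVE-2016-15024"
 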
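Review bot: The justification for the second whitelist entry, `# This is an issue for a different shadow`, does not say which product the CVE actually affects, so the exclusion cannot be re-verified when the recipe is next upgraded or audited. Name the affected product and link the advisory, e.g. `# CVE-2016-15024 affects <AFFECTED PRODUCT — fill in>, not shadow-utils` followed by `# https://nvd.nist.gov/vuln/detail/CVE-2016-15024`. The first entry's comment would likewise be easier to audit if it referred to CVE-2013-4235 by number alongside the Red Hat bugzilla link, since the comment text alone reads as a generic "won't fix".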