From 4e51659ff4eeb59349a931e7844f25a55c63f03e Mon Sep 17 00:00:00 2001
From: Wang Mingyu <wangmy@cn.fujitsu.com>
Date: Fri, 21 Feb 2020 02:09:15 -0800
Subject: shadow: upgrade 4.8 -> 4.8.1

0001-Do-not-check-for-validity-of-shell-executable.patch
CVE-2019-19882.patch
Removed since they are included in 4.8.1.

(From OE-Core rev: de9cceb13e264434eb0b8393c3b0c0217b8d505e)

Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 ...ot-check-for-validity-of-shell-executable.patch | 29 ------------
 .../shadow/files/CVE-2019-19882.patch              | 55 ----------------------
 meta/recipes-extended/shadow/shadow.inc            |  6 +--
 meta/recipes-extended/shadow/shadow_4.8.1.bb       | 10 ++++
 meta/recipes-extended/shadow/shadow_4.8.bb         | 10 ----
 5 files changed, 12 insertions(+), 98 deletions(-)
 delete mode 100644 meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch
 delete mode 100644 meta/recipes-extended/shadow/files/CVE-2019-19882.patch
 create mode 100644 meta/recipes-extended/shadow/shadow_4.8.1.bb
 delete mode 100644 meta/recipes-extended/shadow/shadow_4.8.bb

(limited to 'meta/recipes-extended/shadow')

diff --git a/meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch b/meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch
deleted file mode 100644
index 2d15ff0673..0000000000
--- a/meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 0d0aded7307a9f4ee0d299951512acd18b3e029e Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin <alex.kanavin@gmail.com>
-Date: Wed, 4 Dec 2019 19:28:48 +0100
-Subject: [PATCH] Do not check for validity of shell executable.
-
-This kind of check fails when building a rootfs.
-
-Upstream-Status: Inappropriate [oe-core specific]
-Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
----
- src/useradd.c | 5 +----
- 1 file changed, 1 insertion(+), 4 deletions(-)
-
-diff --git a/src/useradd.c b/src/useradd.c
-index 4af0f7c..898fe02 100644
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -1328,10 +1328,7 @@ static void process_flags (int argc, char **argv)
- 				if (   ( !VALID (optarg) )
- 				    || (   ('\0' != optarg[0])
- 				        && ('/'  != optarg[0])
--				        && ('*'  != optarg[0]) )
--				    || (stat(optarg, &st) != 0)
--				    || (S_ISDIR(st.st_mode))
--				    || (access(optarg, X_OK) != 0)) {
-+				        && ('*'  != optarg[0]) )) {
- 					fprintf (stderr,
- 					         _("%s: invalid shell '%s'\n"),
- 					         Prog, optarg);
diff --git a/meta/recipes-extended/shadow/files/CVE-2019-19882.patch b/meta/recipes-extended/shadow/files/CVE-2019-19882.patch
deleted file mode 100644
index 894d867680..0000000000
--- a/meta/recipes-extended/shadow/files/CVE-2019-19882.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 66b7bc0dcfda12d7f58eba993bd02872cae1d713 Mon Sep 17 00:00:00 2001
-From: Dave Reisner <dreisner@archlinux.org>
-Date: Mon, 16 Dec 2019 14:11:23 -0500
-Subject: [PATCH] Don't auto-enable ACCT_TOOLS_SETUID if PAM is detected
-
-Here's a sad story:
-
-* 70971457 is merged into shadow, allowing newgidmap/newuidmap to be
-installed with file caps rather than setuid.
-* https://bugs.archlinux.org/task/63248 is filed to take advantage of
-this.
-* The arch maintainer of the 'shadow' package notices that this doesn't
-work, and submits a pull request to fix this in shadow.
-* edf7547ad5 is merged, fixing the post install hooks.
-
-The problem here is that distros have been building shadow with PAM for
-O(years), but the install hooks have silently failed due to the
-combination of the directory mismatch (suidubins vs suidsbins) and later
-success with setuid'ing newgidmap/newuidmap.
-
-With the install hooks fixed, those of us (Arch[1] and Gentoo[2] so far)
-who never built shadow explicitly with --enable-account-tools-setuid are
-now getting setuid account tools, and don't have PAM configuration
-suitable for use with setuid account management tools.
-
-It's entirely unclear to me why you'd want this, but I assume there's
-some reason out there for it existing. Regardless, setuid binaries are
-dangerous and shouldn't be enabled by default without good reason.
-
-[1] https://bugs.archlinux.org/task/64836
-[2] https://bugs.gentoo.org/702252
-
-Upstream-Status: Backport
-CVE: CVE-2019-19882
-Signed-off-by: Li Zhou <li.zhou@windriver.com>
----
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index e3ed3b43..d6e2bfbd 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -226,7 +226,7 @@ AC_ARG_ENABLE(account-tools-setuid,
- 	   *) AC_MSG_ERROR(bad value ${enableval} for --enable-account-tools-setuid)
- 	   ;;
- 	 esac],
--	[enable_acct_tools_setuid="maybe"]
-+	[enable_acct_tools_setuid="no"]
- )
- 
- AC_ARG_ENABLE(utmpx,
--- 
-2.17.1
-
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index 3bfa39e6ff..f86e5e03c0 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -13,7 +13,6 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.
            file://shadow-4.1.3-dots-in-usernames.patch \
            ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
            file://shadow-relaxed-usernames.patch \
-           file://CVE-2019-19882.patch \
            "
 
 SRC_URI_append_class-target = " \
@@ -25,14 +24,13 @@ SRC_URI_append_class-native = " \
            file://0001-Disable-use-of-syslog-for-sysroot.patch \
            file://0002-Allow-for-setting-password-in-clear-text.patch \
            file://commonio.c-fix-unexpected-open-failure-in-chroot-env.patch \
-           file://0001-Do-not-check-for-validity-of-shell-executable.patch \
            "
 SRC_URI_append_class-nativesdk = " \
            file://0001-Disable-use-of-syslog-for-sysroot.patch \
            "
 
-SRC_URI[md5sum] = "017ac773ba370bc28e157cee30dad71a"
-SRC_URI[sha256sum] = "82016d65317555fc8ce9e669eb187984d8d4b1f8ecda0769f4bc5412aed326e4"
+SRC_URI[md5sum] = "3d97f11e66bfb0b14702b115fa8be480"
+SRC_URI[sha256sum] = "3ee3081fbbcbcfea5c8916419e46bc724807bab271072104f23e7a29e9668f3a"
 
 # Additional Policy files for PAM
 PAM_SRC_URI = "file://pam.d/chfn \
diff --git a/meta/recipes-extended/shadow/shadow_4.8.1.bb b/meta/recipes-extended/shadow/shadow_4.8.1.bb
new file mode 100644
index 0000000000..c975395ff8
--- /dev/null
+++ b/meta/recipes-extended/shadow/shadow_4.8.1.bb
@@ -0,0 +1,10 @@
+require shadow.inc
+
+# Build falsely assumes that if --enable-libpam is set, we don't need to link against
+# libcrypt. This breaks chsh.
+BUILD_LDFLAGS_append_class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '-lcrypt', '', d)}"
+
+BBCLASSEXTEND = "native nativesdk"
+
+
+
diff --git a/meta/recipes-extended/shadow/shadow_4.8.bb b/meta/recipes-extended/shadow/shadow_4.8.bb
deleted file mode 100644
index c975395ff8..0000000000
--- a/meta/recipes-extended/shadow/shadow_4.8.bb
+++ /dev/null
@@ -1,10 +0,0 @@
-require shadow.inc
-
-# Build falsely assumes that if --enable-libpam is set, we don't need to link against
-# libcrypt. This breaks chsh.
-BUILD_LDFLAGS_append_class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '-lcrypt', '', d)}"
-
-BBCLASSEXTEND = "native nativesdk"
-
-
-
-- 
cgit v1.2.3-54-g00ecf