From 4e51659ff4eeb59349a931e7844f25a55c63f03e Mon Sep 17 00:00:00 2001
From: Wang Mingyu
Date: Fri, 21 Feb 2020 02:09:15 -0800
Subject: shadow: upgrade 4.8 -> 4.8.1

0001-Do-not-check-for-validity-of-shell-executable.patch
CVE-2019-19882.patch
Removed since they are included in 4.8.1.
(From OE-Core rev: de9cceb13e264434eb0b8393c3b0c0217b8d505e)
Signed-off-by: Wang Mingyu
Signed-off-by: Richard Purdie
---
 ...ot-check-for-validity-of-shell-executable.patch | 29 ------------
 .../shadow/files/CVE-2019-19882.patch | 55 ----------------------
 meta/recipes-extended/shadow/shadow.inc | 6 +--
 meta/recipes-extended/shadow/shadow_4.8.1.bb | 10 ++++
 meta/recipes-extended/shadow/shadow_4.8.bb | 10 ----
 5 files changed, 12 insertions(+), 98 deletions(-)
 delete mode 100644 meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch
 delete mode 100644 meta/recipes-extended/shadow/files/CVE-2019-19882.patch
 create mode 100644 meta/recipes-extended/shadow/shadow_4.8.1.bb
 delete mode 100644 meta/recipes-extended/shadow/shadow_4.8.bb
(limited to 'meta')
diff --git a/meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch b/meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch
deleted file mode 100644
index 2d15ff0673..0000000000
--- a/meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 0d0aded7307a9f4ee0d299951512acd18b3e029e Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin
-Date: Wed, 4 Dec 2019 19:28:48 +0100
-Subject: [PATCH] Do not check for validity of shell executable.
-
-This kind of check fails when building a rootfs.
-
-Upstream-Status: Inappropriate [oe-core specific]
-Signed-off-by: Alexander Kanavin
---
- src/useradd.c | 5 +----
- 1 file changed, 1 insertion(+), 4 deletions(-)
-
-diff --git a/src/useradd.c b/src/useradd.c
-index 4af0f7c..898fe02 100644
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -1328,10 +1328,7 @@ static void process_flags (int argc, char **argv)
- if ( ( !VALID (optarg) )
- || ( ('\0' != optarg[0])
- && ('/' != optarg[0])
-- && ('*' != optarg[0]) )
-- || (stat(optarg, &st) != 0)
-- || (S_ISDIR(st.st_mode))
-- || (access(optarg, X_OK) != 0)) {
-+ && ('*' != optarg[0]) )) {
- fprintf (stderr,
- _("%s: invalid shell '%s'\n"),
- Prog, optarg);
diff --git a/meta/recipes-extended/shadow/files/CVE-2019-19882.patch b/meta/recipes-extended/shadow/files/CVE-2019-19882.patch
deleted file mode 100644
index 894d867680..0000000000
--- a/meta/recipes-extended/shadow/files/CVE-2019-19882.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 66b7bc0dcfda12d7f58eba993bd02872cae1d713 Mon Sep 17 00:00:00 2001
-From: Dave Reisner
-Date: Mon, 16 Dec 2019 14:11:23 -0500
-Subject: [PATCH] Don't auto-enable ACCT_TOOLS_SETUID if PAM is detected
-
-Here's a sad story:
-
-* 70971457 is merged into shadow, allowing newgidmap/newuidmap to be
-installed with file caps rather than setuid.
-* https://bugs.archlinux.org/task/63248 is filed to take advantage of
-this.
-* The arch maintainer of the 'shadow' package notices that this doesn't
-work, and submits a pull request to fix this in shadow.
-* edf7547ad5 is merged, fixing the post install hooks.
-
-The problem here is that distros have been building shadow with PAM for
-O(years), but the install hooks have silently failed due to the
-combination of the directory mismatch (suidubins vs suidsbins) and later
-success with setuid'ing newgidmap/newuidmap.
-
-With the install hooks fixed, those of us (Arch[1] and Gentoo[2] so far)
-who never built shadow explicitly with --enable-account-tools-setuid are
-now getting setuid account tools, and don't have PAM configuration
-suitable for use with setuid account management tools.
-
-It's entirely unclear to me why you'd want this, but I assume there's
-some reason out there for it existing. Regardless, setuid binaries are
-dangerous and shouldn't be enabled by default without good reason.
-
-[1] https://bugs.archlinux.org/task/64836
-[2] https://bugs.gentoo.org/702252
-
-Upstream-Status: Backport
-CVE: CVE-2019-19882
-Signed-off-by: Li Zhou
---
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index e3ed3b43..d6e2bfbd 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -226,7 +226,7 @@ AC_ARG_ENABLE(account-tools-setuid,
- *) AC_MSG_ERROR(bad value ${enableval} for --enable-account-tools-setuid)
- ;;
- esac],
-- [enable_acct_tools_setuid="maybe"]
-+ [enable_acct_tools_setuid="no"]
- )
-
- AC_ARG_ENABLE(utmpx,
---
-2.17.1
-
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index 3bfa39e6ff..f86e5e03c0 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -13,7 +13,6 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.
 file://shadow-4.1.3-dots-in-usernames.patch \
 ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
 file://shadow-relaxed-usernames.patch \
- file://CVE-2019-19882.patch \
 "
 
 SRC_URI_append_class-target = " \
@@ -25,14 +24,13 @@ SRC_URI_append_class-native = " \
 file://0001-Disable-use-of-syslog-for-sysroot.patch \
 file://0002-Allow-for-setting-password-in-clear-text.patch \
 file://commonio.c-fix-unexpected-open-failure-in-chroot-env.patch \
- file://0001-Do-not-check-for-validity-of-shell-executable.patch \
 "
 SRC_URI_append_class-nativesdk = " \
 file://0001-Disable-use-of-syslog-for-sysroot.patch \
 "
-SRC_URI[md5sum] = "017ac773ba370bc28e157cee30dad71a"
-SRC_URI[sha256sum] = "82016d65317555fc8ce9e669eb187984d8d4b1f8ecda0769f4bc5412aed326e4"
+SRC_URI[md5sum] = "3d97f11e66bfb0b14702b115fa8be480"
+SRC_URI[sha256sum] = "3ee3081fbbcbcfea5c8916419e46bc724807bab271072104f23e7a29e9668f3a"
 # Additional Policy files for PAM
 PAM_SRC_URI = "file://pam.d/chfn \
diff --git a/meta/recipes-extended/shadow/shadow_4.8.1.bb b/meta/recipes-extended/shadow/shadow_4.8.1.bb
new file mode 100644
index 0000000000..c975395ff8
--- /dev/null
+++ b/meta/recipes-extended/shadow/shadow_4.8.1.bb
@@ -0,0 +1,10 @@
+require shadow.inc
+
+# Build falsely assumes that if --enable-libpam is set, we don't need to link against
+# libcrypt. This breaks chsh.
+BUILD_LDFLAGS_append_class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '-lcrypt', '', d)}"
+
+BBCLASSEXTEND = "native nativesdk"
+
+
+
diff --git a/meta/recipes-extended/shadow/shadow_4.8.bb b/meta/recipes-extended/shadow/shadow_4.8.bb
deleted file mode 100644
index c975395ff8..0000000000
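Review bot: The `SRC_URI_append_class-native` hunk drops `file://0001-Do-not-check-for-validity-of-shell-executable.patch` on the commit message's claim that it is "included in 4.8.1", but the deleted patch file itself is marked `Upstream-Status: Inappropriate [oe-core specific]`, which is the opposite of something upstream would carry. Please confirm against the 4.8.1 tarball pinned by the new `SRC_URI[sha256sum]` that useradd's `process_flags` no longer performs the `stat`/`S_ISDIR`/`access(X_OK)` check on the `-s` argument; if it still does, shadow-native will reject shells that exist only in the target rootfs and user creation during image build regresses. The same verification applies to dropping `file://CVE-2019-19882.patch` from `SRC_URI`: it is only safe if 4.8.1's configure.ac already defaults `enable_acct_tools_setuid` to `"no"`, otherwise a PAM-enabled build silently ships setuid account tools again without matching PAM policy, which is exactly the CVE condition. Citing the two upstream commit ids in the commit message instead of "included in 4.8.1" would make both claims checkable from the log, and would also let cve-check readers see why no `CVE:` tag survives in the recipe.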
--- a/meta/recipes-extended/shadow/shadow_4.8.bb
+++ /dev/null
@@ -1,10 +0,0 @@
-require shadow.inc
-
-# Build falsely assumes that if --enable-libpam is set, we don't need to link against
-# libcrypt. This breaks chsh.
-BUILD_LDFLAGS_append_class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '-lcrypt', '', d)}"
-
-BBCLASSEXTEND = "native nativesdk"
-
-
-
--
cgit v1.2.3-54-g00ecf