shadow: Security Advisory - shadow - CVE-2019-19882

Backport patch from <https://github.com/shadow-maint/shadow/pull/199/
commits/66b7bc0dcfda12d7f58eba993bd02872cae1d713> to solve
CVE-2019-19882.

(From OE-Core rev: a0de64cab692562d4bbd64f8bdcaa3fc6bc694bb)

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2 files changed, 56 insertions, 0 deletions

diff --git a/meta/recipes-extended/shadow/files/CVE-2019-19882.patch b/meta/recipes-extended/shadow/files/CVE-2019-19882.patch
new file mode 100644
index 0000000000..894d867680
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/CVE-2019-19882.patch
@@ -0,0 +1,55 @@
+From 66b7bc0dcfda12d7f58eba993bd02872cae1d713 Mon Sep 17 00:00:00 2001
+From: Dave Reisner <dreisner@archlinux.org>
+Date: Mon, 16 Dec 2019 14:11:23 -0500
+Subject: [PATCH] Don't auto-enable ACCT_TOOLS_SETUID if PAM is detected
+
+Here's a sad story:
+
+* 70971457 is merged into shadow, allowing newgidmap/newuidmap to be
+installed with file caps rather than setuid.
+* https://bugs.archlinux.org/task/63248 is filed to take advantage of
+this.
+* The arch maintainer of the 'shadow' package notices that this doesn't
+work, and submits a pull request to fix this in shadow.
+* edf7547ad5 is merged, fixing the post install hooks.
+
+The problem here is that distros have been building shadow with PAM for
+O(years), but the install hooks have silently failed due to the
+combination of the directory mismatch (suidubins vs suidsbins) and later
+success with setuid'ing newgidmap/newuidmap.
+
+With the install hooks fixed, those of us (Arch[1] and Gentoo[2] so far)
+who never built shadow explicitly with --enable-account-tools-setuid are
+now getting setuid account tools, and don't have PAM configuration
+suitable for use with setuid account management tools.
+
+It's entirely unclear to me why you'd want this, but I assume there's
+some reason out there for it existing. Regardless, setuid binaries are
+dangerous and shouldn't be enabled by default without good reason.
+
+[1] https://bugs.archlinux.org/task/64836
+[2] https://bugs.gentoo.org/702252
+
+Upstream-Status: Backport
+CVE: CVE-2019-19882
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index e3ed3b43..d6e2bfbd 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -226,7 +226,7 @@ AC_ARG_ENABLE(account-tools-setuid,
+           *) AC_MSG_ERROR(bad value ${enableval} for --enable-account-tools-setuid)
+           ;;
+         esac],
+-       [enable_acct_tools_setuid="maybe"]
++       [enable_acct_tools_setuid="no"]
+ )
+ 
+ AC_ARG_ENABLE(utmpx,
+-- 
+2.17.1
+
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index 267d2324c5..3bfa39e6ff 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -13,6 +13,7 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.
            file://shadow-4.1.3-dots-in-usernames.patch \
            ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
            file://shadow-relaxed-usernames.patch \
+           file://CVE-2019-19882.patch \
            "
 
 SRC_URI_append_class-target = " \