4 files changed, 1 insertions, 382 deletions
diff --git a/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch b/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch
deleted file mode 100644
index 94dcb04f0a..0000000000
--- a/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From 42404548721c653317c911c83d885e2fc7fbca70 Mon Sep 17 00:00:00 2001
-From: Per Jessen <per@jessen.ch>
-Date: Fri, 22 Apr 2022 18:15:36 +0200
-Subject: [PATCH] pam_motd: do not rely on all filesystems providing a filetype
-When using scandir() to look for MOTD files to display, we wrongly
-relied on all filesystems providing a filetype.  This is a fix to divert
-to lstat() when we have no filetype.  To maintain MT safety, it isn't
-possible to use lstat() in the scandir() filter function, so all of the
-filtering has been moved to an additional loop after scanning all the
-motd dirs.
-Also, remove superfluous alphasort from scandir(), we are doing
-a qsort() later.
-Resolves: https://github.com/linux-pam/linux-pam/issues/455
-Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/42404548721c653317c911c83d885e2fc7fbca70]
-Signed-off-by: Per Jessen <per@jessen.ch>
-Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
- modules/pam_motd/pam_motd.c | 49 ++++++++++++++++++++++++++++++-------
- 1 file changed, 40 insertions(+), 9 deletions(-)
-diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
-index 6ac8cba2..5ca486e4 100644
--- a/modules/pam_motd/pam_motd.c
-+++ b/modules/pam_motd/pam_motd.c
-@@ -166,11 +166,6 @@ static int compare_strings(const void *a, const void *b)
-     }
- }
- 
-static int filter_dirents(const struct dirent *d)
-{
-    return (d->d_type == DT_REG || d->d_type == DT_LNK);
-}
-
- static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
-        char **motd_dir_path_split, unsigned int num_motd_dirs, int report_missing)
- {
-@@ -199,8 +194,7 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
- 
-     for (i = 0; i < num_motd_dirs; i++) {
-        int rv;
-       rv = scandir(motd_dir_path_split[i], &(dirscans[i]),
-               filter_dirents, alphasort);
-+       rv = scandir(motd_dir_path_split[i], &(dirscans[i]), NULL, NULL);
-        if (rv < 0) {
-            if (errno != ENOENT || report_missing) {
-                pam_syslog(pamh, LOG_ERR, "error scanning directory %s: %m",
-@@ -215,6 +209,41 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
-     if (dirscans_size_total == 0)
-         goto out;
- 
-+    /* filter out unwanted names, directories, and complement data with lstat() */
-+    for (i = 0; i < num_motd_dirs; i++) {
-+       struct dirent **d = dirscans[i];
-+       for (unsigned int j = 0; j < dirscans_sizes[i]; j++) {
-+           int rc;
-+           char *fullpath;
-+           struct stat s;
-+
-+           switch(d[j]->d_type) {    /* the filetype determines how to proceed */
-+           case DT_REG:              /* regular files and     */
-+           case DT_LNK:              /* symlinks              */
-+               continue;             /* are good.             */
-+           case DT_UNKNOWN:   /* for file systems that do not provide */
-+                              /* a filetype, we use lstat()           */
-+               if (join_dir_strings(&fullpath, motd_dir_path_split[i],
-+                                    d[j]->d_name) <= 0)
-+                   break;
-+               rc = lstat(fullpath, &s);
-+               _pam_drop(fullpath);  /* free the memory alloc'ed by join_dir_strings */
-+               if (rc != 0)          /* if the lstat() somehow failed */
-+                   break;
-+
-+               if (S_ISREG(s.st_mode) ||          /* regular files and  */
-+                   S_ISLNK(s.st_mode)) continue;  /* symlinks are good  */
-+               break;
-+           case DT_DIR:          /* We don't want directories     */
-+           default:              /* nor anything else             */
-+               break;
-+           }
-+           _pam_drop(d[j]);  /* free memory                   */
-+           d[j] = NULL;      /* indicate this one was dropped */
-+           dirscans_size_total--;
-+       }
-+    }
-+
-     /* Allocate space for all file names found in the directories, including duplicates. */
-     if ((dirnames_all = calloc(dirscans_size_total, sizeof(*dirnames_all))) == NULL) {
-        pam_syslog(pamh, LOG_CRIT, "failed to allocate dirname array");
-@@ -225,8 +254,10 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
-        unsigned int j;
- 
-        for (j = 0; j < dirscans_sizes[i]; j++) {
-           dirnames_all[i_dirnames] = dirscans[i][j]->d_name;
-           i_dirnames++;
-+           if (NULL != dirscans[i][j]) {
-+               dirnames_all[i_dirnames] = dirscans[i][j]->d_name;
-+               i_dirnames++;
-+           }
-        }
-     }
- 
-- 
-2.39.0
diff --git a/meta/recipes-extended/pam/libpam/0001-run-xtests.sh-check-whether-files-exist.patch b/meta/recipes-extended/pam/libpam/0001-run-xtests.sh-check-whether-files-exist.patch
deleted file mode 100644
index 40040a873a..0000000000
--- a/meta/recipes-extended/pam/libpam/0001-run-xtests.sh-check-whether-files-exist.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From e8e8ccfd57e0274b431bc5717bf37c488285b07b Mon Sep 17 00:00:00 2001
-From: Mingli Yu <mingli.yu@windriver.com>
-Date: Wed, 27 Oct 2021 10:30:46 +0800
-Subject: [PATCH] run-xtests.sh: check whether files exist
-Fixes:
- # ./run-xtests.sh . tst-pam_access1
- mv: cannot stat '/etc/security/opasswd': No such file or directory
- PASS: tst-pam_access1
- mv: cannot stat '/etc/security/opasswd-pam-xtests': No such file or directory
- ==================
- 1 tests passed
- 0 tests not run
- ==================
-Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/e8e8ccfd57e0274b431bc5717bf37c488285b07b]
-Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
---
- xtests/run-xtests.sh | 20 +++++++++++++-------
- 1 file changed, 13 insertions(+), 7 deletions(-)
-diff --git a/xtests/run-xtests.sh b/xtests/run-xtests.sh
-index 14f585d9..ff9a4dc1 100755
--- a/xtests/run-xtests.sh
-+++ b/xtests/run-xtests.sh
-@@ -18,10 +18,12 @@ all=0
- 
- mkdir -p /etc/security
- for config in access.conf group.conf time.conf limits.conf ; do
-       cp /etc/security/$config /etc/security/$config-pam-xtests
-+       [ -f "/etc/security/$config" ] &&
-+               mv /etc/security/$config /etc/security/$config-pam-xtests
-        install -m 644 "${SRCDIR}"/$config /etc/security/$config
- done
-mv /etc/security/opasswd /etc/security/opasswd-pam-xtests
-+[ -f /etc/security/opasswd ] &&
-+       mv /etc/security/opasswd /etc/security/opasswd-pam-xtests
- 
- for testname in $XTESTS ; do
-          for cfg in "${SRCDIR}"/$testname*.pamd ; do
-@@ -47,11 +49,15 @@ for testname in $XTESTS ; do
-          all=`expr $all + 1`
-          rm -f /etc/pam.d/$testname*
- done
-mv /etc/security/access.conf-pam-xtests /etc/security/access.conf
-mv /etc/security/group.conf-pam-xtests /etc/security/group.conf
-mv /etc/security/time.conf-pam-xtests /etc/security/time.conf
-mv /etc/security/limits.conf-pam-xtests /etc/security/limits.conf
-mv /etc/security/opasswd-pam-xtests /etc/security/opasswd
-+
-+for config in access.conf group.conf time.conf limits.conf opasswd ; do
-+       if [ -f "/etc/security/$config-pam-xtests" ]; then
-+               mv /etc/security/$config-pam-xtests /etc/security/$config
-+       else
-+               rm -f /etc/security/$config
-+       fi
-+done
-+
- if test "$failed" -ne 0; then
-          echo "==================="
-          echo "$failed of $all tests failed"
-- 
-2.32.0
diff --git a/meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch b/meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch
deleted file mode 100644
index e7bf03f9f7..0000000000
--- a/meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch
+++ /dev/null
@@ -1,205 +0,0 @@
-From 23393bef92c1e768eda329813d7af55481c6ca9f Mon Sep 17 00:00:00 2001
-From: Thorsten Kukuk <kukuk@suse.com>
-Date: Thu, 24 Feb 2022 10:37:32 +0100
-Subject: [PATCH 2/2] pam_access: handle hostnames in access.conf
-According to the manual page, the following entry is valid but does not
-work:
-:root:ALL EXCEPT localhost
-See https://bugzilla.suse.com/show_bug.cgi?id=1019866
-Patched is based on PR#226 from Josef Moellers
-Upstream-Status: Backport
-CVE: CVE-2022-28321
-Reference to upstream patch:
-[https://github.com/linux-pam/linux-pam/commit/23393bef92c1e768eda329813d7af55481c6ca9f]
-Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
---
- modules/pam_access/pam_access.c | 95 ++++++++++++++++++++++++++-------
- 1 file changed, 76 insertions(+), 19 deletions(-)
-diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
-index 277192b..bca424f 100644
--- a/modules/pam_access/pam_access.c
-+++ b/modules/pam_access/pam_access.c
-@@ -637,7 +637,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
-       if ((str_len = strlen(string)) > tok_len
-          && strcasecmp(tok, string + str_len - tok_len) == 0)
-        return YES;
-    } else if (tok[tok_len - 1] == '.') {
-+    } else if (tok[tok_len - 1] == '.') {       /* internet network numbers (end with ".") */
-       struct addrinfo hint;
- 
-       memset (&hint, '\0', sizeof (hint));
-@@ -678,7 +678,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
-       return NO;
-     }
- 
-    /* Assume network/netmask with an IP of a host.  */
-+    /* Assume network/netmask, IP address or hostname.  */
-     return network_netmask_match(pamh, tok, string, item);
- }
- 
-@@ -696,7 +696,7 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string,
-     /*
-      * If the token has the magic value "ALL" the match always succeeds.
-      * Otherwise, return YES if the token fully matches the string.
-        * "NONE" token matches NULL string.
-+     * "NONE" token matches NULL string.
-      */
- 
-     if (strcasecmp(tok, "ALL") == 0) {         /* all: always matches */
-@@ -714,7 +714,8 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string,
- 
- /* network_netmask_match - match a string against one token
-  * where string is a hostname or ip (v4,v6) address and tok
- * represents either a single ip (v4,v6) address or a network/netmask
-+ * represents either a hostname, a single ip (v4,v6) address
-+ * or a network/netmask
-  */
- static int
- network_netmask_match (pam_handle_t *pamh,
-@@ -723,10 +724,12 @@ network_netmask_match (pam_handle_t *pamh,
-     char *netmask_ptr;
-     char netmask_string[MAXHOSTNAMELEN + 1];
-     int addr_type;
-+    struct addrinfo *ai = NULL;
- 
-     if (item->debug)
-    pam_syslog (pamh, LOG_DEBUG,
-+      pam_syslog (pamh, LOG_DEBUG,
-                "network_netmask_match: tok=%s, item=%s", tok, string);
-+
-     /* OK, check if tok is of type addr/mask */
-     if ((netmask_ptr = strchr(tok, '/')) != NULL)
-       {
-@@ -760,54 +763,108 @@ network_netmask_match (pam_handle_t *pamh,
-            netmask_ptr = number_to_netmask(netmask, addr_type,
-                netmask_string, MAXHOSTNAMELEN);
-          }
-       }
-+
-+        /*
-+         * Construct an addrinfo list from the IP address.
-+         * This should not fail as the input is a correct IP address...
-+         */
-+       if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
-+         {
-+           return NO;
-+         }
-+      }
-     else
-       /* NO, then check if it is only an addr */
-       if (isipaddr(tok, NULL, NULL) != YES)
-+      {
-+        /*
-+        * It is either an IP address or a hostname.
-+        * Let getaddrinfo sort everything out
-+        */
-+       if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
-          {
-+           pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok);
-+
-            return NO;
-          }
-+       netmask_ptr = NULL;
-+      }
- 
-     if (isipaddr(string, NULL, NULL) != YES)
-       {
-       /* Assume network/netmask with a name of a host.  */
-        struct addrinfo hint;
- 
-+       /* Assume network/netmask with a name of a host.  */
-        memset (&hint, '\0', sizeof (hint));
-        hint.ai_flags = AI_CANONNAME;
-        hint.ai_family = AF_UNSPEC;
- 
-        if (item->gai_rv != 0)
-+         {
-+           freeaddrinfo(ai);
-            return NO;
-+         }
-        else if (!item->res &&
-                (item->gai_rv = getaddrinfo (string, NULL, &hint, &item->res)) != 0)
-+         {
-+           freeaddrinfo(ai);
-            return NO;
-+         }
-         else
-          {
-            struct addrinfo *runp = item->res;
-+           struct addrinfo *runp1;
- 
-            while (runp != NULL)
-              {
-                char buf[INET6_ADDRSTRLEN];
- 
-               DIAG_PUSH_IGNORE_CAST_ALIGN;
-               inet_ntop (runp->ai_family,
-                       runp->ai_family == AF_INET
-                       ? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr
-                       : (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr,
-                       buf, sizeof (buf));
-               DIAG_POP_IGNORE_CAST_ALIGN;
-+               if (getnameinfo (runp->ai_addr, runp->ai_addrlen, buf, sizeof (buf), NULL, 0, NI_NUMERICHOST) != 0)
-+                 {
-+                   freeaddrinfo(ai);
-+                   return NO;
-+                 }
- 
-               if (are_addresses_equal(buf, tok, netmask_ptr))
-+               for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
-                  {
-                   return YES;
-+                    char buf1[INET6_ADDRSTRLEN];
-+
-+                    if (runp->ai_family != runp1->ai_family)
-+                      continue;
-+
-+                    if (getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST) != 0)
-+                     {
-+                       freeaddrinfo(ai);
-+                       return NO;
-+                     }
-+
-+                    if (are_addresses_equal (buf, buf1, netmask_ptr))
-+                      {
-+                        freeaddrinfo(ai);
-+                        return YES;
-+                      }
-                  }
-                runp = runp->ai_next;
-              }
-          }
-       }
-     else
-      return (are_addresses_equal(string, tok, netmask_ptr));
-+      {
-+       struct addrinfo *runp1;
-+
-+       for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
-+         {
-+           char buf1[INET6_ADDRSTRLEN];
-+
-+           (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST);
-+
-+           if (are_addresses_equal(string, buf1, netmask_ptr))
-+             {
-+               freeaddrinfo(ai);
-+               return YES;
-+             }
-+         }
-+      }
-+
-+  freeaddrinfo(ai);
- 
-   return NO;
- }
-- 
-2.37.3
diff --git a/meta/recipes-extended/pam/libpam_1.5.2.bb b/meta/recipes-extended/pam/libpam_1.5.3.bb
index bec47ab836..c8f1e16459 100644
--- a/meta/recipes-extended/pam/libpam_1.5.2.bb
+++ b/meta/recipes-extended/pam/libpam_1.5.3.bb
@@ -21,14 +21,11 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/Linux-PAM-${PV}.tar.xz \
           file://pam.d/common-session-noninteractive \
           file://pam.d/other \
           file://libpam-xtests.patch \
-           file://0001-run-xtests.sh-check-whether-files-exist.patch \
           file://run-ptest \
           file://pam-volatiles.conf \
-           file://CVE-2022-28321-0002.patch \
-           file://0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch \
           "
-SRC_URI[sha256sum] = "e4ec7131a91da44512574268f493c6d8ca105c87091691b8e9b56ca685d4f94d"
+SRC_URI[sha256sum] = "7ac4b50feee004a9fa88f1dfd2d2fa738a82896763050cd773b3c54b0a818283"
 DEPENDS = "bison-native flex-native cracklib libxml2-native virtual/crypt"

diff --git a/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch b/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch deleted file mode 100644 index 94dcb04f0a..0000000000 --- a/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch +++ /dev/null
@@ -1,108 +0,0 @@
1	From 42404548721c653317c911c83d885e2fc7fbca70 Mon Sep 17 00:00:00 2001
2	From: Per Jessen <per@jessen.ch>
3	Date: Fri, 22 Apr 2022 18:15:36 +0200
4	Subject: [PATCH] pam_motd: do not rely on all filesystems providing a filetype
5
6	When using scandir() to look for MOTD files to display, we wrongly
7	relied on all filesystems providing a filetype. This is a fix to divert
8	to lstat() when we have no filetype. To maintain MT safety, it isn't
9	possible to use lstat() in the scandir() filter function, so all of the
10	filtering has been moved to an additional loop after scanning all the
11	motd dirs.
12	Also, remove superfluous alphasort from scandir(), we are doing
13	a qsort() later.
14
15	Resolves: https://github.com/linux-pam/linux-pam/issues/455
16
17	Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/42404548721c653317c911c83d885e2fc7fbca70]
18
19	Signed-off-by: Per Jessen <per@jessen.ch>
20	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
21	---
22	modules/pam_motd/pam_motd.c \| 49 ++++++++++++++++++++++++++++++-------
23	1 file changed, 40 insertions(+), 9 deletions(-)
24
25	diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
26	index 6ac8cba2..5ca486e4 100644
27	--- a/modules/pam_motd/pam_motd.c
28	+++ b/modules/pam_motd/pam_motd.c
29	@@ -166,11 +166,6 @@ static int compare_strings(const void a, const void b)
30	}
31	}
32
33	-static int filter_dirents(const struct dirent *d)
34	-{
35	- return (d->d_type == DT_REG \|\| d->d_type == DT_LNK);
36	-}
37	-
38	static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
39	char **motd_dir_path_split, unsigned int num_motd_dirs, int report_missing)
40	{
41	@@ -199,8 +194,7 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
42
43	for (i = 0; i < num_motd_dirs; i++) {
44	int rv;
45	- rv = scandir(motd_dir_path_split[i], &(dirscans[i]),
46	- filter_dirents, alphasort);
47	+ rv = scandir(motd_dir_path_split[i], &(dirscans[i]), NULL, NULL);
48	if (rv < 0) {
49	if (errno != ENOENT \|\| report_missing) {
50	pam_syslog(pamh, LOG_ERR, "error scanning directory %s: %m",
51	@@ -215,6 +209,41 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
52	if (dirscans_size_total == 0)
53	goto out;
54
55	+ /* filter out unwanted names, directories, and complement data with lstat() */
56	+ for (i = 0; i < num_motd_dirs; i++) {
57	+ struct dirent **d = dirscans[i];
58	+ for (unsigned int j = 0; j < dirscans_sizes[i]; j++) {
59	+ int rc;
60	+ char *fullpath;
61	+ struct stat s;
62	+
63	+ switch(d[j]->d_type) { /* the filetype determines how to proceed */
64	+ case DT_REG: /* regular files and */
65	+ case DT_LNK: /* symlinks */
66	+ continue; /* are good. */
67	+ case DT_UNKNOWN: /* for file systems that do not provide */
68	+ /* a filetype, we use lstat() */
69	+ if (join_dir_strings(&fullpath, motd_dir_path_split[i],
70	+ d[j]->d_name) <= 0)
71	+ break;
72	+ rc = lstat(fullpath, &s);
73	+ _pam_drop(fullpath); /* free the memory alloc'ed by join_dir_strings */
74	+ if (rc != 0) /* if the lstat() somehow failed */
75	+ break;
76	+
77	+ if (S_ISREG(s.st_mode) \|\| /* regular files and */
78	+ S_ISLNK(s.st_mode)) continue; /* symlinks are good */
79	+ break;
80	+ case DT_DIR: /* We don't want directories */
81	+ default: /* nor anything else */
82	+ break;
83	+ }
84	+ _pam_drop(d[j]); /* free memory */
85	+ d[j] = NULL; /* indicate this one was dropped */
86	+ dirscans_size_total--;
87	+ }
88	+ }
89	+
90	/* Allocate space for all file names found in the directories, including duplicates. */
91	if ((dirnames_all = calloc(dirscans_size_total, sizeof(*dirnames_all))) == NULL) {
92	pam_syslog(pamh, LOG_CRIT, "failed to allocate dirname array");
93	@@ -225,8 +254,10 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
94	unsigned int j;
95
96	for (j = 0; j < dirscans_sizes[i]; j++) {
97	- dirnames_all[i_dirnames] = dirscans[i][j]->d_name;
98	- i_dirnames++;
99	+ if (NULL != dirscans[i][j]) {
100	+ dirnames_all[i_dirnames] = dirscans[i][j]->d_name;
101	+ i_dirnames++;
102	+ }
103	}
104	}
105
106	--
107	2.39.0
108


diff --git a/meta/recipes-extended/pam/libpam/0001-run-xtests.sh-check-whether-files-exist.patch b/meta/recipes-extended/pam/libpam/0001-run-xtests.sh-check-whether-files-exist.patch deleted file mode 100644 index 40040a873a..0000000000 --- a/meta/recipes-extended/pam/libpam/0001-run-xtests.sh-check-whether-files-exist.patch +++ /dev/null
@@ -1,65 +0,0 @@
1	From e8e8ccfd57e0274b431bc5717bf37c488285b07b Mon Sep 17 00:00:00 2001
2	From: Mingli Yu <mingli.yu@windriver.com>
3	Date: Wed, 27 Oct 2021 10:30:46 +0800
4	Subject: [PATCH] run-xtests.sh: check whether files exist
5
6	Fixes:
7	# ./run-xtests.sh . tst-pam_access1
8	mv: cannot stat '/etc/security/opasswd': No such file or directory
9	PASS: tst-pam_access1
10	mv: cannot stat '/etc/security/opasswd-pam-xtests': No such file or directory
11	==================
12	1 tests passed
13	0 tests not run
14	==================
15
16	Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/e8e8ccfd57e0274b431bc5717bf37c488285b07b]
17
18	Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
19	---
20	xtests/run-xtests.sh \| 20 +++++++++++++-------
21	1 file changed, 13 insertions(+), 7 deletions(-)
22
23	diff --git a/xtests/run-xtests.sh b/xtests/run-xtests.sh
24	index 14f585d9..ff9a4dc1 100755
25	--- a/xtests/run-xtests.sh
26	+++ b/xtests/run-xtests.sh
27	@@ -18,10 +18,12 @@ all=0
28
29	mkdir -p /etc/security
30	for config in access.conf group.conf time.conf limits.conf ; do
31	- cp /etc/security/$config /etc/security/$config-pam-xtests
32	+ [ -f "/etc/security/$config" ] &&
33	+ mv /etc/security/$config /etc/security/$config-pam-xtests
34	install -m 644 "${SRCDIR}"/$config /etc/security/$config
35	done
36	-mv /etc/security/opasswd /etc/security/opasswd-pam-xtests
37	+[ -f /etc/security/opasswd ] &&
38	+ mv /etc/security/opasswd /etc/security/opasswd-pam-xtests
39
40	for testname in $XTESTS ; do
41	for cfg in "${SRCDIR}"/$testname*.pamd ; do
42	@@ -47,11 +49,15 @@ for testname in $XTESTS ; do
43	all=`expr $all + 1`
44	rm -f /etc/pam.d/$testname*
45	done
46	-mv /etc/security/access.conf-pam-xtests /etc/security/access.conf
47	-mv /etc/security/group.conf-pam-xtests /etc/security/group.conf
48	-mv /etc/security/time.conf-pam-xtests /etc/security/time.conf
49	-mv /etc/security/limits.conf-pam-xtests /etc/security/limits.conf
50	-mv /etc/security/opasswd-pam-xtests /etc/security/opasswd
51	+
52	+for config in access.conf group.conf time.conf limits.conf opasswd ; do
53	+ if [ -f "/etc/security/$config-pam-xtests" ]; then
54	+ mv /etc/security/$config-pam-xtests /etc/security/$config
55	+ else
56	+ rm -f /etc/security/$config
57	+ fi
58	+done
59	+
60	if test "$failed" -ne 0; then
61	echo "==================="
62	echo "$failed of $all tests failed"
63	--
64	2.32.0
65


diff --git a/meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch b/meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch deleted file mode 100644 index e7bf03f9f7..0000000000 --- a/meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch +++ /dev/null
@@ -1,205 +0,0 @@
1	From 23393bef92c1e768eda329813d7af55481c6ca9f Mon Sep 17 00:00:00 2001
2	From: Thorsten Kukuk <kukuk@suse.com>
3	Date: Thu, 24 Feb 2022 10:37:32 +0100
4	Subject: [PATCH 2/2] pam_access: handle hostnames in access.conf
5
6	According to the manual page, the following entry is valid but does not
7	work:
8	-:root:ALL EXCEPT localhost
9
10	See https://bugzilla.suse.com/show_bug.cgi?id=1019866
11
12	Patched is based on PR#226 from Josef Moellers
13
14	Upstream-Status: Backport
15	CVE: CVE-2022-28321
16
17	Reference to upstream patch:
18	[https://github.com/linux-pam/linux-pam/commit/23393bef92c1e768eda329813d7af55481c6ca9f]
19
20	Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
21	---
22	modules/pam_access/pam_access.c \| 95 ++++++++++++++++++++++++++-------
23	1 file changed, 76 insertions(+), 19 deletions(-)
24
25	diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
26	index 277192b..bca424f 100644
27	--- a/modules/pam_access/pam_access.c
28	+++ b/modules/pam_access/pam_access.c
29	@@ -637,7 +637,7 @@ remote_match (pam_handle_t pamh, char tok, struct login_info *item)
30	if ((str_len = strlen(string)) > tok_len
31	&& strcasecmp(tok, string + str_len - tok_len) == 0)
32	return YES;
33	- } else if (tok[tok_len - 1] == '.') {
34	+ } else if (tok[tok_len - 1] == '.') { /* internet network numbers (end with ".") */
35	struct addrinfo hint;
36
37	memset (&hint, '\0', sizeof (hint));
38	@@ -678,7 +678,7 @@ remote_match (pam_handle_t pamh, char tok, struct login_info *item)
39	return NO;
40	}
41
42	- /* Assume network/netmask with an IP of a host. */
43	+ /* Assume network/netmask, IP address or hostname. */
44	return network_netmask_match(pamh, tok, string, item);
45	}
46
47	@@ -696,7 +696,7 @@ string_match (pam_handle_t pamh, const char tok, const char *string,
48	/*
49	* If the token has the magic value "ALL" the match always succeeds.
50	* Otherwise, return YES if the token fully matches the string.
51	- * "NONE" token matches NULL string.
52	+ * "NONE" token matches NULL string.
53	*/
54
55	if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */
56	@@ -714,7 +714,8 @@ string_match (pam_handle_t pamh, const char tok, const char *string,
57
58	/* network_netmask_match - match a string against one token
59	* where string is a hostname or ip (v4,v6) address and tok
60	- * represents either a single ip (v4,v6) address or a network/netmask
61	+ * represents either a hostname, a single ip (v4,v6) address
62	+ * or a network/netmask
63	*/
64	static int
65	network_netmask_match (pam_handle_t *pamh,
66	@@ -723,10 +724,12 @@ network_netmask_match (pam_handle_t *pamh,
67	char *netmask_ptr;
68	char netmask_string[MAXHOSTNAMELEN + 1];
69	int addr_type;
70	+ struct addrinfo *ai = NULL;
71
72	if (item->debug)
73	- pam_syslog (pamh, LOG_DEBUG,
74	+ pam_syslog (pamh, LOG_DEBUG,
75	"network_netmask_match: tok=%s, item=%s", tok, string);
76	+
77	/* OK, check if tok is of type addr/mask */
78	if ((netmask_ptr = strchr(tok, '/')) != NULL)
79	{
80	@@ -760,54 +763,108 @@ network_netmask_match (pam_handle_t *pamh,
81	netmask_ptr = number_to_netmask(netmask, addr_type,
82	netmask_string, MAXHOSTNAMELEN);
83	}
84	- }
85	+
86	+ /*
87	+ * Construct an addrinfo list from the IP address.
88	+ * This should not fail as the input is a correct IP address...
89	+ */
90	+ if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
91	+ {
92	+ return NO;
93	+ }
94	+ }
95	else
96	- /* NO, then check if it is only an addr */
97	- if (isipaddr(tok, NULL, NULL) != YES)
98	+ {
99	+ /*
100	+ * It is either an IP address or a hostname.
101	+ * Let getaddrinfo sort everything out
102	+ */
103	+ if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
104	{
105	+ pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok);
106	+
107	return NO;
108	}
109	+ netmask_ptr = NULL;
110	+ }
111
112	if (isipaddr(string, NULL, NULL) != YES)
113	{
114	- /* Assume network/netmask with a name of a host. */
115	struct addrinfo hint;
116
117	+ /* Assume network/netmask with a name of a host. */
118	memset (&hint, '\0', sizeof (hint));
119	hint.ai_flags = AI_CANONNAME;
120	hint.ai_family = AF_UNSPEC;
121
122	if (item->gai_rv != 0)
123	+ {
124	+ freeaddrinfo(ai);
125	return NO;
126	+ }
127	else if (!item->res &&
128	(item->gai_rv = getaddrinfo (string, NULL, &hint, &item->res)) != 0)
129	+ {
130	+ freeaddrinfo(ai);
131	return NO;
132	+ }
133	else
134	{
135	struct addrinfo *runp = item->res;
136	+ struct addrinfo *runp1;
137
138	while (runp != NULL)
139	{
140	char buf[INET6_ADDRSTRLEN];
141
142	- DIAG_PUSH_IGNORE_CAST_ALIGN;
143	- inet_ntop (runp->ai_family,
144	- runp->ai_family == AF_INET
145	- ? (void ) &((struct sockaddr_in ) runp->ai_addr)->sin_addr
146	- : (void ) &((struct sockaddr_in6 ) runp->ai_addr)->sin6_addr,
147	- buf, sizeof (buf));
148	- DIAG_POP_IGNORE_CAST_ALIGN;
149	+ if (getnameinfo (runp->ai_addr, runp->ai_addrlen, buf, sizeof (buf), NULL, 0, NI_NUMERICHOST) != 0)
150	+ {
151	+ freeaddrinfo(ai);
152	+ return NO;
153	+ }
154
155	- if (are_addresses_equal(buf, tok, netmask_ptr))
156	+ for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
157	{
158	- return YES;
159	+ char buf1[INET6_ADDRSTRLEN];
160	+
161	+ if (runp->ai_family != runp1->ai_family)
162	+ continue;
163	+
164	+ if (getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST) != 0)
165	+ {
166	+ freeaddrinfo(ai);
167	+ return NO;
168	+ }
169	+
170	+ if (are_addresses_equal (buf, buf1, netmask_ptr))
171	+ {
172	+ freeaddrinfo(ai);
173	+ return YES;
174	+ }
175	}
176	runp = runp->ai_next;
177	}
178	}
179	}
180	else
181	- return (are_addresses_equal(string, tok, netmask_ptr));
182	+ {
183	+ struct addrinfo *runp1;
184	+
185	+ for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
186	+ {
187	+ char buf1[INET6_ADDRSTRLEN];
188	+
189	+ (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST);
190	+
191	+ if (are_addresses_equal(string, buf1, netmask_ptr))
192	+ {
193	+ freeaddrinfo(ai);
194	+ return YES;
195	+ }
196	+ }
197	+ }
198	+
199	+ freeaddrinfo(ai);
200
201	return NO;
202	}
203	--
204	2.37.3
205


diff --git a/meta/recipes-extended/pam/libpam_1.5.2.bb b/meta/recipes-extended/pam/libpam_1.5.3.bb index bec47ab836..c8f1e16459 100644 --- a/meta/recipes-extended/pam/libpam_1.5.2.bb +++ b/meta/recipes-extended/pam/libpam_1.5.3.bb
@@ -21,14 +21,11 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/Linux-PAM-${PV}.tar.xz \
21	file://pam.d/common-session-noninteractive \	21	file://pam.d/common-session-noninteractive \
22	file://pam.d/other \	22	file://pam.d/other \
23	file://libpam-xtests.patch \	23	file://libpam-xtests.patch \
24	file://0001-run-xtests.sh-check-whether-files-exist.patch \
25	file://run-ptest \	24	file://run-ptest \
26	file://pam-volatiles.conf \	25	file://pam-volatiles.conf \
27	file://CVE-2022-28321-0002.patch \
28	file://0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch \
29	"	26	"
30		27
31	SRC_URI[sha256sum] = "e4ec7131a91da44512574268f493c6d8ca105c87091691b8e9b56ca685d4f94d"	28	SRC_URI[sha256sum] = "7ac4b50feee004a9fa88f1dfd2d2fa738a82896763050cd773b3c54b0a818283"
32		29
33	DEPENDS = "bison-native flex-native cracklib libxml2-native virtual/crypt"	30	DEPENDS = "bison-native flex-native cracklib libxml2-native virtual/crypt"
34		31