mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-30 00:20:08 +00:00
Code Issues Projects Releases Wiki Activity

shadow: upgrade 4.8 -> 4.8.1

Browse Source 
0001-Do-not-check-for-validity-of-shell-executable.patch
CVE-2019-19882.patch
Removed since they are included in 4.8.1.

(From OE-Core rev: de9cceb13e264434eb0b8393c3b0c0217b8d505e)

Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Wang Mingyu
2020-02-21 02:09:15 -08:00
committed by Richard Purdie
parent af2215bffc
commit 4e51659ff4
4 changed files with 2 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-extended/shadow/files/0001-Do-not-check-for-validity-of-shell-executable.patch
-29
View File
@@ -1,29 +0,0 @@
From 0d0aded7307a9f4ee0d299951512acd18b3e029e Mon Sep 17 00:00:00 2001
From: Alexander Kanavin <alex.kanavin@gmail.com>
Date: Wed, 4 Dec 2019 19:28:48 +0100
Subject: [PATCH] Do not check for validity of shell executable.
This kind of check fails when building a rootfs.
Upstream-Status: Inappropriate [oe-core specific]
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
---
src/useradd.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/useradd.c b/src/useradd.c
index 4af0f7c..898fe02 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -1328,10 +1328,7 @@ static void process_flags (int argc, char **argv)
if ( ( !VALID (optarg) )
|| ( ('\0' != optarg[0])
&& ('/' != optarg[0])
- && ('*' != optarg[0]) )
- || (stat(optarg, &st) != 0)
- || (S_ISDIR(st.st_mode))
- || (access(optarg, X_OK) != 0)) {
+ && ('*' != optarg[0]) )) {
fprintf (stderr,
_("%s: invalid shell '%s'\n"),
Prog, optarg);
meta/recipes-extended/shadow/files/CVE-2019-19882.patch
-55
View File
@@ -1,55 +0,0 @@
From 66b7bc0dcfda12d7f58eba993bd02872cae1d713 Mon Sep 17 00:00:00 2001
From: Dave Reisner <dreisner@archlinux.org>
Date: Mon, 16 Dec 2019 14:11:23 -0500
Subject: [PATCH] Don't auto-enable ACCT_TOOLS_SETUID if PAM is detected
Here's a sad story:
* 70971457 is merged into shadow, allowing newgidmap/newuidmap to be
installed with file caps rather than setuid.
* https://bugs.archlinux.org/task/63248 is filed to take advantage of
this.
* The arch maintainer of the 'shadow' package notices that this doesn't
work, and submits a pull request to fix this in shadow.
* edf7547ad5 is merged, fixing the post install hooks.
The problem here is that distros have been building shadow with PAM for
O(years), but the install hooks have silently failed due to the
combination of the directory mismatch (suidubins vs suidsbins) and later
success with setuid'ing newgidmap/newuidmap.
With the install hooks fixed, those of us (Arch[1] and Gentoo[2] so far)
who never built shadow explicitly with --enable-account-tools-setuid are
now getting setuid account tools, and don't have PAM configuration
suitable for use with setuid account management tools.
It's entirely unclear to me why you'd want this, but I assume there's
some reason out there for it existing. Regardless, setuid binaries are
dangerous and shouldn't be enabled by default without good reason.
[1] https://bugs.archlinux.org/task/64836
[2] https://bugs.gentoo.org/702252
Upstream-Status: Backport
CVE: CVE-2019-19882
Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index e3ed3b43..d6e2bfbd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -226,7 +226,7 @@ AC_ARG_ENABLE(account-tools-setuid,
*) AC_MSG_ERROR(bad value ${enableval} for --enable-account-tools-setuid)
;;
esac],
- [enable_acct_tools_setuid="maybe"]
+ [enable_acct_tools_setuid="no"]
)
AC_ARG_ENABLE(utmpx,
--
2.17.1
meta/recipes-extended/shadow/shadow.inc
+2 -4
View File
@@ -13,7 +13,6 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.
file://shadow-4.1.3-dots-in-usernames.patch \ file://shadow-4.1.3-dots-in-usernames.patch \
${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
file://shadow-relaxed-usernames.patch \ file://shadow-relaxed-usernames.patch \
file://CVE-2019-19882.patch \
" "
SRC_URI_append_class-target = " \ SRC_URI_append_class-target = " \
@@ -25,14 +24,13 @@ SRC_URI_append_class-native = " \
file://0001-Disable-use-of-syslog-for-sysroot.patch \ file://0001-Disable-use-of-syslog-for-sysroot.patch \
file://0002-Allow-for-setting-password-in-clear-text.patch \ file://0002-Allow-for-setting-password-in-clear-text.patch \
file://commonio.c-fix-unexpected-open-failure-in-chroot-env.patch \ file://commonio.c-fix-unexpected-open-failure-in-chroot-env.patch \
file://0001-Do-not-check-for-validity-of-shell-executable.patch \
" "
SRC_URI_append_class-nativesdk = " \ SRC_URI_append_class-nativesdk = " \
file://0001-Disable-use-of-syslog-for-sysroot.patch \ file://0001-Disable-use-of-syslog-for-sysroot.patch \
" "
SRC_URI[md5sum] = "017ac773ba370bc28e157cee30dad71a" SRC_URI[md5sum] = "3d97f11e66bfb0b14702b115fa8be480"
SRC_URI[sha256sum] = "82016d65317555fc8ce9e669eb187984d8d4b1f8ecda0769f4bc5412aed326e4" SRC_URI[sha256sum] = "3ee3081fbbcbcfea5c8916419e46bc724807bab271072104f23e7a29e9668f3a"
# Additional Policy files for PAM # Additional Policy files for PAM
PAM_SRC_URI = "file://pam.d/chfn \ PAM_SRC_URI = "file://pam.d/chfn \
meta/recipes-extended/shadow/shadow_4.8.bb → meta/recipes-extended/shadow/shadow_4.8.1.bb
View File