package/linux-pam: bump version to 1.2.1

Move to the latest release of linux-pam. This allows us to remove a number of patches and consolidate the existing ones : - 0001-configure.patch - 0007-rhosts.patch these two patches deal with the ruserok function, which is not usable with uclibc. Consolidated into 0002-Conditionally-compile-per-ruserok-availability.patch. - 0003-group.patch - 0005-succeed.patch - 0006-time.patch these three patches deal with the innetgr function, which is not usable with uclibc. Consolidated into 0003-Conditionally-compile-per-innetgr-availability.patch. - 0004-mkdir.patch Fixed in upstream, no longer required. - 0002-doc-makefile-am.patch renamed to 0001-doc-makefile-am.patch. - 0008-fix-CVE-2014-2583.patch - 0009-fix-CVE-2013-7041.patch These patches are already included in the new release and so can be safely deleted. Signed-off-by: Brendan Heading <brendanheading@gmail.com> Tested-by: Carlos Santos <casantos@datacom.ind.br> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2025-07-28 21:56:31 +00:00 · 2015-08-23 20:02:58 +01:00 · 2015-08-23 20:02:58 +01:00 · 2bf63505eb
commit 2bf63505eb
parent 80470c9f1a
13 changed files with 138 additions and 248 deletions
--- a/package/linux-pam/0001-configure.patch
+++ b/package/linux-pam/0001-configure.patch
@ -1,19 +0,0 @@
 Add check for ruserok
 ruserok is not available/functional in uclibc, provide conditions for compilation
 where needed.
 Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
 diff -urN a/configure.in b/configure.in
 --- a/configure.in	2012-08-17 03:48:24.000000000 -0500
 +++ b/configure.in	2013-07-17 09:49:23.760254684 -0500
@@ -526,7 +526,7 @@
 AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
 AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
 AC_CHECK_FUNCS(getgrouplist getline getdelim)
 -AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af)
 +AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af ruserok)
 AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
 AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
--- a/package/linux-pam/0001-doc-makefile-am.patch
+++ b/package/linux-pam/0001-doc-makefile-am.patch
@ -3,6 +3,9 @@ Disable generation of documentation
 Generation of documentation is not necessary in Buildroot, disable it completely.
 Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
 Signed-off-by: Brendan Heading <brendanheading@gmail.com>
 Upstream-status: inappropriate
 diff -urN a/doc/Makefile.am b/doc/Makefile.am
 --- a/doc/Makefile.am	2012-08-15 06:08:43.000000000 -0500
--- a/package/linux-pam/0002-Conditionally-compile-per-ruserok-availability.patch
+++ b/package/linux-pam/0002-Conditionally-compile-per-ruserok-availability.patch
@ -0,0 +1,49 @@
 ruserok is not available/functional in uclibc, provide conditions
 for compilation where needed.
 Patch originally by Dmitry Golubovsky <golubovsky@gmail.com> -
 porting to linux-pam 1.2.1.
 Signed-off-by: Brendan Heading <brendanheading@gmail.com>
 Upstream-status: pending
 ---
 configure.ac                    | 2 +-
 modules/pam_rhosts/pam_rhosts.c | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)
 diff --git a/configure.ac b/configure.ac
 index 08e4530..fd2fd23 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -542,7 +542,7 @@ AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir selec
 AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
 AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
 AC_CHECK_FUNCS(getgrouplist getline getdelim)
 -AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af)
 +AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af ruserok)
 AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
 AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
 diff --git a/modules/pam_rhosts/pam_rhosts.c b/modules/pam_rhosts/pam_rhosts.c
 index bc9e76f..909db29 100644
 --- a/modules/pam_rhosts/pam_rhosts.c
 +++ b/modules/pam_rhosts/pam_rhosts.c
@@ -114,8 +114,12 @@ int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc,
 #ifdef HAVE_RUSEROK_AF
     retval = ruserok_af (rhost, as_root, ruser, luser, PF_UNSPEC);
 #else
 +  #ifdef HAVE_RUSEROK
     retval = ruserok (rhost, as_root, ruser, luser);
 -#endif
 +  #else
 +    retval = -1;
 +  #endif  /* HAVE_RUSEROK */
 +#endif  /*HAVE_RUSEROK_AF */
     if (retval != 0) {
       if (!opt_silent || opt_debug)
 	pam_syslog(pamh, LOG_WARNING, "denied access to %s@%s as %s",
 -- 
 2.4.3
--- a/package/linux-pam/0003-Conditionally-compile-per-innetgr-availability.patch
+++ b/package/linux-pam/0003-Conditionally-compile-per-innetgr-availability.patch
@ -0,0 +1,84 @@
 innetgr is not available/functional in uclibc, provide conditions for
 compilation.
 Patch originally by Dmitry Golubovsky <golubovsky@gmail.com> - porting
 to linux-pam 1.2.1.
 Signed-off-by: Brendan Heading <brendanheading@gmail.com>
 Upstream-status: pending
 ---
 modules/pam_group/pam_group.c           | 8 +++++++-
 modules/pam_succeed_if/pam_succeed_if.c | 4 ++++
 modules/pam_time/pam_time.c             | 8 +++++++-
 3 files changed, 18 insertions(+), 2 deletions(-)
 diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c
 index be5f20f..0982de8 100644
 --- a/modules/pam_group/pam_group.c
 +++ b/modules/pam_group/pam_group.c
@@ -655,8 +655,14 @@ static int check_account(pam_handle_t *pamh, const char *service,
 	    continue;
 	}
 	/* If buffer starts with @, we are using netgroups */
 -	if (buffer[0] == '@')
 +	if (buffer[0] == '@') {
 +#ifdef HAVE_INNETGR
 	  good &= innetgr (&buffer[1], NULL, user, NULL);
 +#else
 +	  good = 0;
 +	  pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support");
 +#endif  /* HAVE_INNETGR */
 +	}
 	/* otherwise, if the buffer starts with %, it's a UNIX group */
 	else if (buffer[0] == '%')
           good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]);
 diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c
 index aa828fc..c09d669 100644
 --- a/modules/pam_succeed_if/pam_succeed_if.c
 +++ b/modules/pam_succeed_if/pam_succeed_if.c
@@ -233,16 +233,20 @@ evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group)
 static int
 evaluate_innetgr(const char *host, const char *user, const char *group)
 {
 +#ifdef HAVE_INNETGR
 	if (innetgr(group, host, user, NULL) == 1)
 		return PAM_SUCCESS;
 +#endif /* HAVE_INNETGR */
 	return PAM_AUTH_ERR;
 }
 /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
 static int
 evaluate_notinnetgr(const char *host, const char *user, const char *group)
 {
 +#ifdef HAVE_INNETGR
 	if (innetgr(group, host, user, NULL) == 0)
 		return PAM_SUCCESS;
 +#endif /* HAVE_INNETGR */
 	return PAM_AUTH_ERR;
 }
 diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c
 index c94737c..4898fd2 100644
 --- a/modules/pam_time/pam_time.c
 +++ b/modules/pam_time/pam_time.c
@@ -554,8 +554,14 @@ check_account(pam_handle_t *pamh, const char *service,
 	       continue;
 	  }
 	  /* If buffer starts with @, we are using netgroups */
 -	  if (buffer[0] == '@')
 +	  if (buffer[0] == '@') {
 +#ifdef HAVE_INNETGR
 	    good &= innetgr (&buffer[1], NULL, user, NULL);
 +#else
 +	    good = 0;
 +	    pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support");
 +#endif /* HAVE_INNETGR */
 +	  }
 	  else
 	    good &= logic_field(pamh, user, buffer, count, is_same);
 	  D(("with user: %s", good ? "passes":"fails" ));
 -- 
 2.4.3
--- a/package/linux-pam/0003-group.patch
+++ b/package/linux-pam/0003-group.patch
@ -1,26 +0,0 @@
 Conditionally compile per innetgr availability
 innetgr is not available/functional in uclibc, provide conditions for compilation.
 Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
 Index: linux-pam-1.1.4/modules/pam_group/pam_group.c
 ============================================================================
 --- linux-pam-1.1.4/modules/pam_group/pam_group.c	2011-06-21 05:04:56.000000000 -0400
 +++ linux-pam-1.1.4/modules/pam_group/pam_group.c	2012-08-09 21:35:06.000000000 -0400
@@ -655,8 +655,14 @@
 	    continue;
 	}
 	/* If buffer starts with @, we are using netgroups */
 -	if (buffer[0] == '@')
 +	if (buffer[0] == '@') {
 +#ifdef HAVE_INNETGR
 	  good &= innetgr (&buffer[1], NULL, user, NULL);
 +#else
 +	  good = 0;
 +	  pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support");
 +#endif  /* HAVE_INNETGR */
 +	}
 	/* otherwise, if the buffer starts with %, it's a UNIX group */
 	else if (buffer[0] == '%')
           good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]);
--- a/package/linux-pam/0004-mkdir.patch
+++ b/package/linux-pam/0004-mkdir.patch
@ -1,17 +0,0 @@
 $(mkdir_p) is obsolete for newer automake, use $(MKDIR_P) instead.
 Upstream should really gettextize with a newer version before packing up.
 Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
 diff -Nura Linux-PAM-1.1.7.orig/po/Makefile.in.in Linux-PAM-1.1.7/po/Makefile.in.in
 --- Linux-PAM-1.1.7.orig/po/Makefile.in.in	2013-09-11 20:45:16.610770002 -0300
 +++ Linux-PAM-1.1.7/po/Makefile.in.in	2013-09-11 20:45:28.030145316 -0300
@@ -31,7 +31,7 @@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 mkinstalldirs = $(SHELL) @install_sh@ -d
 -mkdir_p = @mkdir_p@
 +mkdir_p = @MKDIR_P@
 GMSGFMT_ = @GMSGFMT@
 GMSGFMT_no = @GMSGFMT@
--- a/package/linux-pam/0005-succeed.patch
+++ b/package/linux-pam/0005-succeed.patch
@ -1,31 +0,0 @@
 Conditionally compile per innetgr availability
 innetgr is not available/functional in uclibc, provide conditions for compilation.
 Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
 Index: linux-pam-1.1.4/modules/pam_succeed_if/pam_succeed_if.c
 ============================================================================
 --- linux-pam-1.1.4/modules/pam_succeed_if/pam_succeed_if.c	2011-06-21 05:04:56.000000000 -0400
 +++ linux-pam-1.1.4/modules/pam_succeed_if/pam_succeed_if.c	2012-08-09 21:05:02.000000000 -0400
@@ -233,16 +233,20 @@
 static int
 evaluate_innetgr(const char *host, const char *user, const char *group)
 {
 +#ifdef HAVE_INNETGR
 	if (innetgr(group, host, user, NULL) == 1)
 		return PAM_SUCCESS;
 +#endif /* HAVE_INNETGR */
 	return PAM_AUTH_ERR;
 }
 /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
 static int
 evaluate_notinnetgr(const char *host, const char *user, const char *group)
 {
 +#ifdef HAVE_INNETGR
 	if (innetgr(group, host, user, NULL) == 0)
 		return PAM_SUCCESS;
 +#endif /* HAVE_INNETGR */
 	return PAM_AUTH_ERR;
 }
--- a/package/linux-pam/0006-time.patch
+++ b/package/linux-pam/0006-time.patch
@ -1,26 +0,0 @@
 Conditionally compile per innetgr availability
 innetgr is not available/functional in uclibc, provide conditions for compilation.
 Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
 Index: linux-pam-1.1.4/modules/pam_time/pam_time.c
 ============================================================================
 --- linux-pam-1.1.4/modules/pam_time/pam_time.c	2011-06-21 05:04:56.000000000 -0400
 +++ linux-pam-1.1.4/modules/pam_time/pam_time.c	2012-08-09 21:02:29.000000000 -0400
@@ -554,8 +554,14 @@
 	       continue;
 	  }
 	  /* If buffer starts with @, we are using netgroups */
 -	  if (buffer[0] == '@')
 +	  if (buffer[0] == '@') {
 +#ifdef HAVE_INNETGR
 	    good &= innetgr (&buffer[1], NULL, user, NULL);
 +#else
 +	    good = 0;
 +	    pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support");
 +#endif /* HAVE_INNETGR */
 +	  }
 	  else
 	    good &= logic_field(pamh, user, buffer, count, is_same);
 	  D(("with user: %s", good ? "passes":"fails" ));
--- a/package/linux-pam/0007-rhosts.patch
+++ b/package/linux-pam/0007-rhosts.patch
@ -1,24 +0,0 @@
 Conditionally compile per ruserok availability
 ruserok is not available/functional in uclibc, provide conditions for compilation.
 Signed-off-by: Dmitry Golubovsky <golubovsky@gmail.com>
 Index: linux-pam-1.1.4/modules/pam_rhosts/pam_rhosts.c
 ============================================================================
 --- linux-pam-1.1.4/modules/pam_rhosts/pam_rhosts.c	2011-06-21 05:04:56.000000000 -0400
 +++ linux-pam-1.1.4/modules/pam_rhosts/pam_rhosts.c	2012-08-09 21:19:34.000000000 -0400
@@ -114,8 +114,12 @@
 #ifdef HAVE_RUSEROK_AF
     retval = ruserok_af (rhost, as_root, ruser, luser, PF_UNSPEC);
 #else
 +  #ifdef HAVE_RUSEROK
     retval = ruserok (rhost, as_root, ruser, luser);
 -#endif
 +  #else
 +    retval = -1;
 +  #endif  /* HAVE_RUSEROK */
 +#endif  /*HAVE_RUSEROK_AF */
     if (retval != 0) {
       if (!opt_silent || opt_debug)
 	pam_syslog(pamh, LOG_WARNING, "denied access to %s@%s as %s",
--- a/package/linux-pam/0008-fix-CVE-2014-2583.patch
+++ b/package/linux-pam/0008-fix-CVE-2014-2583.patch
@ -1,53 +0,0 @@
 From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
 From: "Dmitry V. Levin" <ldv@altlinux.org>
 Date: Wed, 26 Mar 2014 22:17:23 +0000
 Subject: pam_timestamp: fix potential directory traversal issue (ticket #27)
 pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
 the timestamp pathname it creates, so extra care should be taken to
 avoid potential directory traversal issues.
 * modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
 "." and ".." tty values as invalid.
 (get_ruser): Treat "." and ".." ruser values, as well as any ruser
 value containing '/', as invalid.
 Fixes CVE-2014-2583.
 Reported-by: Sebastian Krahmer <krahmer@suse.de>
 Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
 diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
 index 5193733..b3f08b1 100644
 --- a/modules/pam_timestamp/pam_timestamp.c
 +++ b/modules/pam_timestamp/pam_timestamp.c
@@ -158,7 +158,7 @@ check_tty(const char *tty)
 		tty = strrchr(tty, '/') + 1;
 	}
 	/* Make sure the tty wasn't actually a directory (no basename). */
 -	if (strlen(tty) == 0) {
 +	if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
 		return NULL;
 	}
 	return tty;
@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
 		if (pwd != NULL) {
 			ruser = pwd->pw_name;
 		}
 +	} else {
 +		/*
 +		 * This ruser is used by format_timestamp_name as a component
 +		 * of constructed timestamp pathname, so ".", "..", and '/'
 +		 * are disallowed to avoid potential path traversal issues.
 +		 */
 +		if (!strcmp(ruser, ".") ||
 +		    !strcmp(ruser, "..") ||
 +		    strchr(ruser, '/')) {
 +			ruser = NULL;
 +		}
 	}
 	if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
 		*ruserbuf = '\0';
 -- 
 cgit v0.10.2
--- a/package/linux-pam/0009-fix-CVE-2013-7041.patch
+++ b/package/linux-pam/0009-fix-CVE-2013-7041.patch
@ -1,50 +0,0 @@
 From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001
 From: "Dmitry V. Levin" <ldv@altlinux.org>
 Date: Fri, 24 Jan 2014 22:18:32 +0000
 Subject: pam_userdb: fix password hash comparison
 Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
 passwords support in pam_userdb, hashes are compared case-insensitively.
 This bug leads to accepting hashes for completely different passwords in
 addition to those that should be accepted.
 Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
 modern password hashes with different lengths and settings, did not
 update the hash comparison accordingly, which leads to accepting
 computed hashes longer than stored hashes when the latter is a prefix
 of the former.
 * modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
 hash whose length differs from the stored hash length.
 Compare computed and stored hashes case-sensitively.
 Fixes CVE-2013-7041.
 Bug-Debian: http://bugs.debian.org/731368
 Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
 diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
 index de8b5b1..ff040e6 100644
 --- a/modules/pam_userdb/pam_userdb.c
 +++ b/modules/pam_userdb/pam_userdb.c
@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
 	  } else {
 	    cryptpw = crypt (pass, data.dptr);
 -	    if (cryptpw) {
 -	      compare = strncasecmp (data.dptr, cryptpw, data.dsize);
 +	    if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
 +	      compare = memcmp(data.dptr, cryptpw, data.dsize);
 	    } else {
 	      compare = -2;
 	      if (ctrl & PAM_DEBUG_ARG) {
 -		pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
 +		if (cryptpw)
 +		  pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
 +		else
 +		  pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
 	      }
 	    };
 -- 
 cgit v0.10.2
--- a/package/linux-pam/linux-pam.hash
+++ b/package/linux-pam/linux-pam.hash
@ -1,2 +1,2 @@
 # Locally computed hashes, not provided by upstream
-sha256	c4b1f23a236d169e2496fea20721578d864ba00f7242d2b41d81050ac87a1e55	Linux-PAM-1.1.8.tar.bz2
+sha256	342b1211c0d3b203a7df2540a5b03a428a087bd8a48c17e49ae268f992b334d9	Linux-PAM-1.2.1.tar.bz2
--- a/package/linux-pam/linux-pam.mk
+++ b/package/linux-pam/linux-pam.mk
@ -4,7 +4,7 @@
 #
 ################################################################################
-LINUX_PAM_VERSION = 1.1.8
+LINUX_PAM_VERSION = 1.2.1
 LINUX_PAM_SOURCE = Linux-PAM-$(LINUX_PAM_VERSION).tar.bz2
 LINUX_PAM_SITE = http://linux-pam.org/library
 LINUX_PAM_INSTALL_STAGING = YES
`@ -1,2 +1,2 @@`
	`# Locally computed hashes, not provided by upstream`	`# Locally computed hashes, not provided by upstream`
	`sha256 c4b1f23a236d169e2496fea20721578d864ba00f7242d2b41d81050ac87a1e55 Linux-PAM-1.1.8.tar.bz2`	`sha256 342b1211c0d3b203a7df2540a5b03a428a087bd8a48c17e49ae268f992b334d9 Linux-PAM-1.2.1.tar.bz2`