authorRasmus Thomsen <oss@cogitri.dev>2021-01-07 11:47:59 +0100
committerRasmus Thomsen <oss@cogitri.dev>2021-01-07 10:55:41 +0000
commitc688a0f0cc909614ef7b18ceafbad81de10782a1 (patch)
treec46c6781f3ff0b27826bafa997f8250507d5deaf
parent54d3ca34eb243ac413eab32eb8466b1652bab914 (diff)
main/linux-pam: upgrade to 1.5.1
Also remove upstreamed patches. Fixes #12271
-rw-r--r--main/linux-pam/0001-avoid-opendir-since-it-may-be-called-during-fork-exe.patch34
-rw-r--r--main/linux-pam/0adbaeb273da1d45213134aa271e95987103281c.patch74
-rw-r--r--main/linux-pam/APKBUILD17
-rw-r--r--main/linux-pam/c9593778a6133bf29eb2f47c24cc6d2f5d729fc8.patch275
4 files changed, 7 insertions, 393 deletions
diff --git a/main/linux-pam/0001-avoid-opendir-since-it-may-be-called-during-fork-exe.patch b/main/linux-pam/0001-avoid-opendir-since-it-may-be-called-during-fork-exe.patch
deleted file mode 100644
index d0de27b7e5..0000000000
--- a/main/linux-pam/0001-avoid-opendir-since-it-may-be-called-during-fork-exe.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From fc3af2492a42eb042d6ae1ee816224f951a30c64 Mon Sep 17 00:00:00 2001
-From: Clayton Craft <clayton@craftyguy.net>
-Date: Sun, 6 Sep 2020 15:23:43 -0700
-Subject: [PATCH] avoid opendir since it may be called during fork exec
-
-Some applications (e.g. Phosh) call PAM from a thread for async
-unlocking, and opendir causes deadlocks.
----
- libpam/pam_modutil_sanitize.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/libpam/pam_modutil_sanitize.c b/libpam/pam_modutil_sanitize.c
-index 58b9537..fb58a72 100644
---- a/libpam/pam_modutil_sanitize.c
-+++ b/libpam/pam_modutil_sanitize.c
-@@ -128,6 +128,7 @@ close_fds(void)
- /* The lower limit is the same as for _POSIX_OPEN_MAX. */
- const unsigned int MIN_FD_NO = 20;
-
-+#if defined(__GLIBC__)
- /* If /proc is mounted, we can optimize which fd can be closed. */
- if ((dir = opendir("/proc/self/fd")) != NULL) {
- if ((dfd = dirfd(dir)) >= 0 && is_in_procfs(dfd) > 0) {
-@@ -141,6 +142,7 @@ close_fds(void)
- }
- closedir(dir);
- }
-+#endif
-
- /* If /proc isn't available, fallback to the previous behavior. */
- if (dfd < 0) {
---
-2.28.0
-
diff --git a/main/linux-pam/0adbaeb273da1d45213134aa271e95987103281c.patch b/main/linux-pam/0adbaeb273da1d45213134aa271e95987103281c.patch
deleted file mode 100644
index 4e6b077191..0000000000
--- a/main/linux-pam/0adbaeb273da1d45213134aa271e95987103281c.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-Upstream: Yes
-From 0adbaeb273da1d45213134aa271e95987103281c Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Thu, 11 Jun 2020 17:39:03 +0200
-Subject: [PATCH] pam_faillock: fix build on musl
-
-Use pam_modutil_check_user_in_passwd in pam_faillock.c instead of
-fgetpwent_r which is not available on musl.
-
-Resolves: https://github.com/linux-pam/linux-pam/issues/236
-Resolves: https://github.com/linux-pam/linux-pam/pull/237
-Fixes: http://autobuild.buildroot.org/results/0432736ffee376dd84757469434a4bbcfdcdaf4b
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- modules/pam_faillock/pam_faillock.c | 39 +----------------------------
- 1 file changed, 1 insertion(+), 38 deletions(-)
-
-diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c
-index f592d0a2..71988d09 100644
---- a/modules/pam_faillock/pam_faillock.c
-+++ b/modules/pam_faillock/pam_faillock.c
-@@ -71,8 +71,6 @@
- #define MAX_TIME_INTERVAL 604800 /* 7 days */
- #define FAILLOCK_CONF_MAX_LINELEN 1023
-
--#define PATH_PASSWD "/etc/passwd"
--
- static const char default_faillock_conf[] = FAILLOCK_DEFAULT_CONF;
-
- struct options {
-@@ -348,42 +346,7 @@ set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name, const c
- static int
- check_local_user (pam_handle_t *pamh, const char *user)
- {
-- struct passwd pw, *pwp;
-- char buf[16384];
-- int found = 0;
-- FILE *fp;
-- int errn;
--
-- fp = fopen(PATH_PASSWD, "r");
-- if (fp == NULL) {
-- pam_syslog(pamh, LOG_ERR, "unable to open %s: %m",
-- PATH_PASSWD);
-- return -1;
-- }
--
-- for (;;) {
-- errn = fgetpwent_r(fp, &pw, buf, sizeof (buf), &pwp);
-- if (errn == ERANGE) {
-- pam_syslog(pamh, LOG_WARNING, "%s contains very long lines; corrupted?",
-- PATH_PASSWD);
-- break;
-- }
-- if (errn != 0)
-- break;
-- if (strcmp(pwp->pw_name, user) == 0) {
-- found = 1;
-- break;
-- }
-- }
--
-- fclose (fp);
--
-- if (errn != 0 && errn != ENOENT) {
-- pam_syslog(pamh, LOG_ERR, "unable to enumerate local accounts: %m");
-- return -1;
-- } else {
-- return found;
-- }
-+ return pam_modutil_check_user_in_passwd(pamh, user, NULL) == PAM_SUCCESS;
- }
-
- static int
diff --git a/main/linux-pam/APKBUILD b/main/linux-pam/APKBUILD
index 28c7f21245..479269a9fd 100644
--- a/main/linux-pam/APKBUILD
+++ b/main/linux-pam/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Rasmus Thomsen <oss@cogitri.dev>
pkgname=linux-pam
-pkgver=1.4.0
-pkgrel=1
+pkgver=1.5.1
+pkgrel=0
pkgdesc="Linux PAM (Pluggable Authentication Modules for Linux)"
url="https://www.kernel.org/pub/linux/libs/pam"
arch="all"
@@ -14,9 +14,6 @@ options="suid !check"
subpackages="$pkgname-dev $pkgname-doc"
source="
https://github.com/linux-pam/linux-pam/releases/download/v$pkgver/Linux-PAM-$pkgver.tar.xz
- c9593778a6133bf29eb2f47c24cc6d2f5d729fc8.patch
- 0adbaeb273da1d45213134aa271e95987103281c.patch
- 0001-avoid-opendir-since-it-may-be-called-during-fork-exe.patch
base-auth.pamd
base-account.pamd
@@ -28,8 +25,11 @@ source="
system-login.pamd
su.pamd
"
-
builddir="$srcdir"/Linux-PAM-$pkgver
+
+# secfixes:
+# 1.5.1:
+# - CVE-2020-27780
prepare() {
default_prepare
# disable insecure modules
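Review bot: The secfixes block added before `prepare()` keys the entry as `# 1.5.1:`, but the aports secfixes convention keys each entry by the full package version including the release suffix, so for the `pkgrel=0` set in the first hunk the expected key is `#   1.5.1-r0:`; if the secdb generator is strict about this, the CVE-2020-27780 fix would not be recorded in the Alpine security database. Leading whitespace appears to be stripped in this rendering, so it is not possible to tell here whether the version key and the `- CVE-2020-27780` item carry the conventional two- and four-space indentation under `# secfixes:`; please confirm in the actual file. The block is also usually placed above `source=` rather than between `builddir=` and `prepare()`, which is cosmetic but keeps it where the tooling and other maintainers look for it.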
@@ -73,10 +73,7 @@ package() {
&& chmod g+s "$pkgdir"/sbin/unix_chkpwd
}
-sha512sums="26eda95c45598a500bc142da4d1abf93d03b3bbb0f2390fa87c72dcbffa208dbfa115c0b411095c31ee9955e36422ccf3e2df3bd486818fafffef8c4310798c4 Linux-PAM-1.4.0.tar.xz
-8a324d01d23e882a9aa5f35cb15c428d2056af24c289e7c831f68adcac9321385671a50db6702406b487dbfc71763ad8de4d41effb9da0b1133c9f2fdeba0251 c9593778a6133bf29eb2f47c24cc6d2f5d729fc8.patch
-1c6859bead65eefbdce4de8672f4532ac358b271ff73aed973d3d02e9410d1312f2bec0d98cc2e3cda789a59481737a7466d9cb71562a027e13a0c53623aaa52 0adbaeb273da1d45213134aa271e95987103281c.patch
-f5607691950082a72aeb6b74b5e2d7679641baeafc8f53e9173b2606489401f09f66e2e7bc9cc04088953be2a8a4baa4253e23e9c07cf9b3721079847ea34148 0001-avoid-opendir-since-it-may-be-called-during-fork-exe.patch
+sha512sums="1db091fc43b934dde220f1b85f35937fbaa0a3feec699b2e597e2cdf0c3ce11c17d36d2286d479c9eed24e8ca3ca6233214e4dff256db47249e358c01d424837 Linux-PAM-1.5.1.tar.xz
ea6a10957ba9ec50d982bfabafb35060426ac797936f874097b4fa7620b89fd2ba3be9757401f9b787956fb23879d8ef73676f7703e75fcef3dca0b9559c4167 base-auth.pamd
85462201a4044c7e170e617d39b0eceb4790abc6c0504999117548030a16d80a9d2078d1ad97690d7d346e6374201f0c52e792ccb08ce2b1c4bbf0cc2be96f5b base-account.pamd
da5d9a361abfc5b705e01a8da3a2e6de3ba394a0814307a65ec5b6c88ddae199d54b4d443204bf770f8daccb990777b68a5da716fb756932cf21f9046c839540 base-password.pamd
diff --git a/main/linux-pam/c9593778a6133bf29eb2f47c24cc6d2f5d729fc8.patch b/main/linux-pam/c9593778a6133bf29eb2f47c24cc6d2f5d729fc8.patch
deleted file mode 100644
index 127a4151f5..0000000000
--- a/main/linux-pam/c9593778a6133bf29eb2f47c24cc6d2f5d729fc8.patch
+++ /dev/null
@@ -1,275 +0,0 @@
-Upstream: Yes
-Reason: Required for 0adbaeb273da1d45213134aa271e95987103281c.patch
-From c9593778a6133bf29eb2f47c24cc6d2f5d729fc8 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Thu, 11 Jun 2020 17:39:03 +0200
-Subject: [PATCH] Move check_user_in_passwd from pam_localuser.c to pam_modutil
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-
-* modules/pam_localuser/pam_localuser.c: Include
-<security/pam_modutil.h>.
-(pam_sm_authenticate): Replace check_user_in_passwd with
-pam_modutil_check_user_in_passwd.
-(check_user_in_passwd): Rename to pam_modutil_check_user_in_passwd,
-move to ...
-* libpam/pam_modutil_check_user.c: ... new file.
-* libpam/Makefile.am (libpam_la_SOURCES): Add pam_modutil_check_user.c.
-* libpam/include/security/pam_modutil.h
-(pam_modutil_check_user_in_passwd): New function declaration.
-* libpam/libpam.map (LIBPAM_MODUTIL_1.4.1): New interface.
-
-Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
----
- libpam/Makefile.am | 1 +
- libpam/include/security/pam_modutil.h | 5 ++
- libpam/libpam.map | 5 ++
- libpam/pam_modutil_check_user.c | 90 +++++++++++++++++++++++++++
- modules/pam_localuser/pam_localuser.c | 86 +------------------------
- 5 files changed, 103 insertions(+), 84 deletions(-)
- create mode 100644 libpam/pam_modutil_check_user.c
-
-diff --git a/libpam/Makefile.am b/libpam/Makefile.am
-index 9252a837..11a1f329 100644
---- a/libpam/Makefile.am
-+++ b/libpam/Makefile.am
-@@ -35,6 +35,7 @@ libpam_la_SOURCES = pam_account.c pam_auth.c pam_data.c pam_delay.c \
- pam_misc.c pam_password.c pam_prelude.c \
- pam_session.c pam_start.c pam_strerror.c \
- pam_vprompt.c pam_syslog.c pam_dynamic.c pam_audit.c \
-+ pam_modutil_check_user.c \
- pam_modutil_cleanup.c pam_modutil_getpwnam.c pam_modutil_ioloop.c \
- pam_modutil_getgrgid.c pam_modutil_getpwuid.c pam_modutil_getgrnam.c \
- pam_modutil_getspnam.c pam_modutil_getlogin.c pam_modutil_ingroup.c \
-diff --git a/libpam/include/security/pam_modutil.h b/libpam/include/security/pam_modutil.h
-index 3a6aec6a..33f87b90 100644
---- a/libpam/include/security/pam_modutil.h
-+++ b/libpam/include/security/pam_modutil.h
-@@ -58,6 +58,11 @@ extern "C" {
-
- #include <security/_pam_types.h>
-
-+extern int PAM_NONNULL((1,2))
-+pam_modutil_check_user_in_passwd(pam_handle_t *pamh,
-+ const char *user_name,
-+ const char *file_name);
-+
- extern struct passwd * PAM_NONNULL((1,2))
- pam_modutil_getpwnam(pam_handle_t *pamh, const char *user);
-
-diff --git a/libpam/libpam.map b/libpam/libpam.map
-index c9690a91..3cc7ef35 100644
---- a/libpam/libpam.map
-+++ b/libpam/libpam.map
-@@ -82,3 +82,8 @@ LIBPAM_1.4 {
- global:
- pam_start_confdir;
- } LIBPAM_1.0;
-+
-+LIBPAM_MODUTIL_1.4.1 {
-+ global:
-+ pam_modutil_check_user_in_passwd;
-+} LIBPAM_MODUTIL_1.3.2;
-diff --git a/libpam/pam_modutil_check_user.c b/libpam/pam_modutil_check_user.c
-new file mode 100644
-index 00000000..898b13a9
---- /dev/null
-+++ b/libpam/pam_modutil_check_user.c
-@@ -0,0 +1,90 @@
-+#include "pam_modutil_private.h"
-+#include <security/pam_ext.h>
-+
-+#include <stdio.h>
-+#include <string.h>
-+#include <syslog.h>
-+
-+int
-+pam_modutil_check_user_in_passwd(pam_handle_t *pamh,
-+ const char *user_name,
-+ const char *file_name)
-+{
-+ int rc;
-+ size_t user_len;
-+ FILE *fp;
-+ char line[BUFSIZ];
-+
-+ /* Validate the user name. */
-+ if ((user_len = strlen(user_name)) == 0) {
-+ pam_syslog(pamh, LOG_NOTICE, "user name is not valid");
-+ return PAM_SERVICE_ERR;
-+ }
-+
-+ if (user_len > sizeof(line) - sizeof(":")) {
-+ pam_syslog(pamh, LOG_NOTICE, "user name is too long");
-+ return PAM_SERVICE_ERR;
-+ }
-+
-+ if (strchr(user_name, ':') != NULL) {
-+ /*
-+ * "root:x" is not a local user name even if the passwd file
-+ * contains a line starting with "root:x:".
-+ */
-+ return PAM_PERM_DENIED;
-+ }
-+
-+ /* Open the passwd file. */
-+ if (file_name == NULL) {
-+ file_name = "/etc/passwd";
-+ }
-+ if ((fp = fopen(file_name, "r")) == NULL) {
-+ pam_syslog(pamh, LOG_ERR, "error opening %s: %m", file_name);
-+ return PAM_SERVICE_ERR;
-+ }
-+
-+ /*
-+ * Scan the file using fgets() instead of fgetpwent_r() because
-+ * the latter is not flexible enough in handling long lines
-+ * in passwd files.
-+ */
-+ rc = PAM_PERM_DENIED;
-+ while (fgets(line, sizeof(line), fp) != NULL) {
-+ size_t line_len;
-+ const char *str;
-+
-+ /*
-+ * Does this line start with the user name
-+ * followed by a colon?
-+ */
-+ if (strncmp(user_name, line, user_len) == 0 &&
-+ line[user_len] == ':') {
-+ rc = PAM_SUCCESS;
-+ break;
-+ }
-+ /* Has a newline been read? */
-+ line_len = strlen(line);
-+ if (line_len < sizeof(line) - 1 ||
-+ line[line_len - 1] == '\n') {
-+ /* Yes, continue with the next line. */
-+ continue;
-+ }
-+
-+ /* No, read till the end of this line first. */
-+ while ((str = fgets(line, sizeof(line), fp)) != NULL) {
-+ line_len = strlen(line);
-+ if (line_len == 0 ||
-+ line[line_len - 1] == '\n') {
-+ break;
-+ }
-+ }
-+ if (str == NULL) {
-+ /* fgets returned NULL, we are done. */
-+ break;
-+ }
-+ /* Continue with the next line. */
-+ }
-+
-+ fclose(fp);
-+ return rc;
-+}
-diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c
-index cb507524..a9f2233c 100644
---- a/modules/pam_localuser/pam_localuser.c
-+++ b/modules/pam_localuser/pam_localuser.c
-@@ -45,92 +45,10 @@
- #include <unistd.h>
-
- #include <security/pam_modules.h>
-+#include <security/pam_modutil.h>
- #include <security/pam_ext.h>
- #include "pam_inline.h"
-
--static int
--check_user_in_passwd(pam_handle_t *pamh, const char *user_name,
-- const char *file_name)
--{
-- int rc;
-- size_t user_len;
-- FILE *fp;
-- char line[BUFSIZ];
--
-- /* Validate the user name. */
-- if ((user_len = strlen(user_name)) == 0) {
-- pam_syslog(pamh, LOG_NOTICE, "user name is not valid");
-- return PAM_SERVICE_ERR;
-- }
--
-- if (user_len > sizeof(line) - sizeof(":")) {
-- pam_syslog(pamh, LOG_NOTICE, "user name is too long");
-- return PAM_SERVICE_ERR;
-- }
--
-- if (strchr(user_name, ':') != NULL) {
-- /*
-- * "root:x" is not a local user name even if the passwd file
-- * contains a line starting with "root:x:".
-- */
-- return PAM_PERM_DENIED;
-- }
--
-- /* Open the passwd file. */
-- if (file_name == NULL) {
-- file_name = "/etc/passwd";
-- }
-- if ((fp = fopen(file_name, "r")) == NULL) {
-- pam_syslog(pamh, LOG_ERR, "error opening %s: %m", file_name);
-- return PAM_SERVICE_ERR;
-- }
--
-- /*
-- * Scan the file using fgets() instead of fgetpwent_r() because
-- * the latter is not flexible enough in handling long lines
-- * in passwd files.
-- */
-- rc = PAM_PERM_DENIED;
-- while (fgets(line, sizeof(line), fp) != NULL) {
-- size_t line_len;
-- const char *str;
--
-- /*
-- * Does this line start with the user name
-- * followed by a colon?
-- */
-- if (strncmp(user_name, line, user_len) == 0 &&
-- line[user_len] == ':') {
-- rc = PAM_SUCCESS;
-- break;
-- }
-- /* Has a newline been read? */
-- line_len = strlen(line);
-- if (line_len < sizeof(line) - 1 ||
-- line[line_len - 1] == '\n') {
-- /* Yes, continue with the next line. */
-- continue;
-- }
--
-- /* No, read till the end of this line first. */
-- while ((str = fgets(line, sizeof(line), fp)) != NULL) {
-- line_len = strlen(line);
-- if (line_len == 0 ||
-- line[line_len - 1] == '\n') {
-- break;
-- }
-- }
-- if (str == NULL) {
-- /* fgets returned NULL, we are done. */
-- break;
-- }
-- /* Continue with the next line. */
-- }
--
-- fclose(fp);
-- return rc;
--}
--
- int
- pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-@@ -173,7 +91,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
- return rc == PAM_CONV_AGAIN ? PAM_INCOMPLETE : rc;
- }
-
-- return check_user_in_passwd(pamh, user_name, file_name);
-+ return pam_modutil_check_user_in_passwd(pamh, user_name, file_name);
- }
-
- int