libpam: Upgrade v1.1.6 -> v1.2.1
Dropped upstreamed patches(commit-id): - add-checks-for-crypt-returning-NULL.patch(8dc056c) - destdirfix.patch(d7e6b92) - libpam-fix-for-CVE-2010-4708.patch(4c430f6) Dropped backported patches(commit-id): - pam_timestamp-fix-potential-directory-traversal-issu.patch(9dcead8) - reflect-the-enforce_for_root-semantics-change-in-pam.patch(bd07ad3) Forward ported patches: - pam-unix-nullok-secure.patch - crypt_configure.patch (From OE-Core rev: 8683206f7ba85f693751415f896a0cc62931e3c4) Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
e9b9f8c0c5
commit
88dd997d99
|
@ -1,63 +0,0 @@
|
|||
Backport from linux-pam git repo.
|
||||
|
||||
[YOCTO #4107]
|
||||
|
||||
Upstream-Status: Backport
|
||||
|
||||
Signed-off-by: Kang Kai <kai.kang@windriver.com>
|
||||
|
||||
From 8dc056c1c8bc7acb66c4decc49add2c3a24e6310 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Fri, 8 Feb 2013 15:04:26 +0100
|
||||
Subject: [PATCH] Add checks for crypt() returning NULL.
|
||||
|
||||
modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return.
|
||||
modules/pam_unix/bigcrypt.c (bigcrypt): Likewise.
|
||||
---
|
||||
modules/pam_pwhistory/opasswd.c | 2 +-
|
||||
modules/pam_unix/bigcrypt.c | 9 +++++++++
|
||||
2 files changed, 10 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
|
||||
index 274fdb9..836d713 100644
|
||||
--- a/modules/pam_pwhistory/opasswd.c
|
||||
+++ b/modules/pam_pwhistory/opasswd.c
|
||||
@@ -108,7 +108,7 @@ compare_password(const char *newpass, const char *oldpass)
|
||||
outval = crypt (newpass, oldpass);
|
||||
#endif
|
||||
|
||||
- return strcmp(outval, oldpass) == 0;
|
||||
+ return outval != NULL && strcmp(outval, oldpass) == 0;
|
||||
}
|
||||
|
||||
/* Check, if the new password is already in the opasswd file. */
|
||||
diff --git a/modules/pam_unix/bigcrypt.c b/modules/pam_unix/bigcrypt.c
|
||||
index e10d1c5..e1d57a0 100644
|
||||
--- a/modules/pam_unix/bigcrypt.c
|
||||
+++ b/modules/pam_unix/bigcrypt.c
|
||||
@@ -109,6 +109,10 @@ char *bigcrypt(const char *key, const char *salt)
|
||||
#else
|
||||
tmp_ptr = crypt(plaintext_ptr, salt); /* libc crypt() */
|
||||
#endif
|
||||
+ if (tmp_ptr == NULL) {
|
||||
+ free(dec_c2_cryptbuf);
|
||||
+ return NULL;
|
||||
+ }
|
||||
/* and place in the static area */
|
||||
strncpy(cipher_ptr, tmp_ptr, 13);
|
||||
cipher_ptr += ESEGMENT_SIZE + SALT_SIZE;
|
||||
@@ -130,6 +134,11 @@ char *bigcrypt(const char *key, const char *salt)
|
||||
#else
|
||||
tmp_ptr = crypt(plaintext_ptr, salt_ptr);
|
||||
#endif
|
||||
+ if (tmp_ptr == NULL) {
|
||||
+ _pam_overwrite(dec_c2_cryptbuf);
|
||||
+ free(dec_c2_cryptbuf);
|
||||
+ return NULL;
|
||||
+ }
|
||||
|
||||
/* skip the salt for seg!=0 */
|
||||
strncpy(cipher_ptr, (tmp_ptr + SALT_SIZE), ESEGMENT_SIZE);
|
||||
--
|
||||
1.7.5.4
|
||||
|
|
@ -16,8 +16,8 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|||
|
||||
Index: Linux-PAM-1.1.6/configure.in
|
||||
===================================================================
|
||||
--- Linux-PAM-1.1.6.org/configure.in
|
||||
+++ Linux-PAM-1.1.6/configure.in
|
||||
--- Linux-PAM-1.1.6.org/configure.ac
|
||||
+++ Linux-PAM-1.1.6/configure.ac
|
||||
@@ -400,7 +400,9 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" =
|
||||
[crypt_libs="crypt"])
|
||||
|
||||
|
|
|
@ -1,24 +0,0 @@
|
|||
Avoid the failure:
|
||||
|
||||
| mkdir -p /etc/security/namespace.d
|
||||
| mkdir: cannot create directory `/etc/security/namespace.d': Permission denied
|
||||
|
||||
if /etc/security/namespace.d doesn't exist. The DESTDIR prefix is missing.
|
||||
|
||||
RP 2012/8/19
|
||||
|
||||
Upstream-Status: Pending
|
||||
|
||||
Index: Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am
|
||||
===================================================================
|
||||
--- Linux-PAM-1.1.6.orig/modules/pam_namespace/Makefile.am 2012-08-15 11:08:43.000000000 +0000
|
||||
+++ Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am 2012-08-19 12:25:32.311038943 +0000
|
||||
@@ -40,7 +40,7 @@
|
||||
secureconf_SCRIPTS = namespace.init
|
||||
|
||||
install-data-local:
|
||||
- mkdir -p $(namespaceddir)
|
||||
+ mkdir -p $(DESTDIR)$(namespaceddir)
|
||||
endif
|
||||
|
||||
|
|
@ -1,41 +0,0 @@
|
|||
Upstream-Status: Backport
|
||||
|
||||
Fix for CVE-2010-4708
|
||||
|
||||
Change default for user_readenv to 0 and document the
|
||||
new default for user_readenv.
|
||||
|
||||
This fix is got from:
|
||||
http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env
|
||||
/pam_env.c?r1=1.22&r2=1.23&view=patch
|
||||
http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env
|
||||
/pam_env.8.xml?r1=1.7&r2=1.8&view=patch
|
||||
|
||||
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
|
||||
---
|
||||
--- a/modules/pam_env/pam_env.c 2012-09-05 13:57:47.000000000 +0800
|
||||
+++ b/modules/pam_env/pam_env.c 2012-09-05 13:58:05.000000000 +0800
|
||||
@@ -10,7 +10,7 @@
|
||||
#define DEFAULT_READ_ENVFILE 1
|
||||
|
||||
#define DEFAULT_USER_ENVFILE ".pam_environment"
|
||||
-#define DEFAULT_USER_READ_ENVFILE 1
|
||||
+#define DEFAULT_USER_READ_ENVFILE 0
|
||||
|
||||
#include "config.h"
|
||||
|
||||
--- a/modules/pam_env/pam_env.8.xml 2012-09-05 13:58:24.000000000 +0800
|
||||
+++ b/modules/pam_env/pam_env.8.xml 2012-09-05 13:59:36.000000000 +0800
|
||||
@@ -147,7 +147,10 @@
|
||||
<listitem>
|
||||
<para>
|
||||
Turns on or off the reading of the user specific environment
|
||||
- file. 0 is off, 1 is on. By default this option is on.
|
||||
+ file. 0 is off, 1 is on. By default this option is off as user
|
||||
+ supplied environment variables in the PAM environment could affect
|
||||
+ behavior of subsequent modules in the stack without the consent
|
||||
+ of the system administrator.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
|
@ -1,6 +1,9 @@
|
|||
Debian patch to add a new 'nullok_secure' option to pam_unix, which
|
||||
accepts users with null passwords only when the applicant is connected
|
||||
from a tty listed in /etc/securetty.
|
||||
From 9bdc197474795f2d000c2bc04f58f7cef8898f21 Mon Sep 17 00:00:00 2001
|
||||
From: Amarnath Valluri <amarnath.valluri@intel.com>
|
||||
Date: Wed, 15 Jul 2015 13:07:20 +0300
|
||||
Subject: [PATCH] Debian patch to add a new 'nullok_secure' option to pam_unix,
|
||||
which accepts users with null passwords only when the applicant is connected
|
||||
from a tty listed in /etc/securetty.
|
||||
|
||||
Authors: Sam Hartman <hartmans@debian.org>,
|
||||
Steve Langasek <vorlon@debian.org>
|
||||
|
@ -8,10 +11,24 @@ Authors: Sam Hartman <hartmans@debian.org>,
|
|||
Upstream-Status: Pending
|
||||
|
||||
Signed-off-by: Ming Liu <ming.liu@windriver.com>
|
||||
===================================================================
|
||||
diff -urpN a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
|
||||
--- a/modules/pam_unix/Makefile.am 2013-07-05 09:51:31.014483164 +0800
|
||||
+++ b/modules/pam_unix/Makefile.am 2013-07-05 10:26:12.884484000 +0800
|
||||
|
||||
v2:
|
||||
- Forward ported from v1.1.6 to v1.2.1
|
||||
|
||||
Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
|
||||
---
|
||||
modules/pam_unix/Makefile.am | 3 ++-
|
||||
modules/pam_unix/README | 11 ++++++++++-
|
||||
modules/pam_unix/pam_unix.8 | 9 ++++++++-
|
||||
modules/pam_unix/pam_unix.8.xml | 19 ++++++++++++++++++-
|
||||
modules/pam_unix/support.c | 40 +++++++++++++++++++++++++++++++++++-----
|
||||
modules/pam_unix/support.h | 8 ++++++--
|
||||
6 files changed, 79 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
|
||||
index 56ed591..9a372ac 100644
|
||||
--- a/modules/pam_unix/Makefile.am
|
||||
+++ b/modules/pam_unix/Makefile.am
|
||||
@@ -30,7 +30,8 @@ if HAVE_VERSIONING
|
||||
pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
|
||||
endif
|
||||
|
@ -22,10 +39,33 @@ diff -urpN a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
|
|||
|
||||
securelib_LTLIBRARIES = pam_unix.la
|
||||
|
||||
diff -urpN a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
|
||||
--- a/modules/pam_unix/pam_unix.8 2013-07-05 09:52:16.825108201 +0800
|
||||
+++ b/modules/pam_unix/pam_unix.8 2013-07-05 10:28:34.724483774 +0800
|
||||
@@ -220,7 +220,14 @@ A little more extreme than debug\&.
|
||||
diff --git a/modules/pam_unix/README b/modules/pam_unix/README
|
||||
index 3935dba..7880d91 100644
|
||||
--- a/modules/pam_unix/README
|
||||
+++ b/modules/pam_unix/README
|
||||
@@ -67,7 +67,16 @@ nullok
|
||||
|
||||
The default action of this module is to not permit the user access to a
|
||||
service if their official password is blank. The nullok argument overrides
|
||||
- this default.
|
||||
+ this default and allows any user with a blank password to access the
|
||||
+ service.
|
||||
+
|
||||
+nullok_secure
|
||||
+
|
||||
+ The default action of this module is to not permit the user access to a
|
||||
+ service if their official password is blank. The nullok_secure argument
|
||||
+ overrides this default and allows any user with a blank password to access
|
||||
+ the service as long as the value of PAM_TTY is set to one of the values
|
||||
+ found in /etc/securetty.
|
||||
|
||||
try_first_pass
|
||||
|
||||
diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
|
||||
index 339178b..a4bd906 100644
|
||||
--- a/modules/pam_unix/pam_unix.8
|
||||
+++ b/modules/pam_unix/pam_unix.8
|
||||
@@ -92,7 +92,14 @@ Turns off informational messages namely messages about session open and close vi
|
||||
.RS 4
|
||||
The default action of this module is to not permit the user access to a service if their official password is blank\&. The
|
||||
\fBnullok\fR
|
||||
|
@ -41,10 +81,11 @@ diff -urpN a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
|
|||
.RE
|
||||
.PP
|
||||
\fBtry_first_pass\fR
|
||||
diff -urpN a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
|
||||
--- a/modules/pam_unix/pam_unix.8.xml 2013-07-05 09:52:38.775108523 +0800
|
||||
+++ b/modules/pam_unix/pam_unix.8.xml 2013-07-05 10:30:23.084483630 +0800
|
||||
@@ -135,7 +135,24 @@
|
||||
diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
|
||||
index a8b64bb..1ced6f4 100644
|
||||
--- a/modules/pam_unix/pam_unix.8.xml
|
||||
+++ b/modules/pam_unix/pam_unix.8.xml
|
||||
@@ -159,7 +159,24 @@
|
||||
<para>
|
||||
The default action of this module is to not permit the
|
||||
user access to a service if their official password is blank.
|
||||
|
@ -70,36 +111,15 @@ diff -urpN a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
|
|||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
diff -urpN a/modules/pam_unix/README b/modules/pam_unix/README
|
||||
--- a/modules/pam_unix/README 2013-07-05 09:51:52.205107846 +0800
|
||||
+++ b/modules/pam_unix/README 2013-07-05 10:27:10.774484537 +0800
|
||||
@@ -57,7 +57,16 @@ nullok
|
||||
|
||||
The default action of this module is to not permit the user access to a
|
||||
service if their official password is blank. The nullok argument overrides
|
||||
- this default.
|
||||
+ this default and allows any user with a blank password to access the
|
||||
+ service.
|
||||
+
|
||||
+nullok_secure
|
||||
+
|
||||
+ The default action of this module is to not permit the user access to a
|
||||
+ service if their official password is blank. The nullok_secure argument
|
||||
+ overrides this default and allows any user with a blank password to access
|
||||
+ the service as long as the value of PAM_TTY is set to one of the values
|
||||
+ found in /etc/securetty.
|
||||
|
||||
try_first_pass
|
||||
|
||||
diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c
|
||||
--- a/modules/pam_unix/support.c 2013-07-05 09:50:49.134482523 +0800
|
||||
+++ b/modules/pam_unix/support.c 2013-07-05 09:56:26.924484267 +0800
|
||||
@@ -84,14 +84,22 @@ int _set_ctrl(pam_handle_t *pamh, int fl
|
||||
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
|
||||
index abccd82..2361957 100644
|
||||
--- a/modules/pam_unix/support.c
|
||||
+++ b/modules/pam_unix/support.c
|
||||
@@ -189,13 +189,22 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
|
||||
/* now parse the arguments to this module */
|
||||
|
||||
for (; argc-- > 0; ++argv) {
|
||||
- int j;
|
||||
+ int j, sl;
|
||||
+ int sl;
|
||||
|
||||
D(("pam_unix arg: %s", *argv));
|
||||
|
||||
|
@ -108,48 +128,46 @@ diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c
|
|||
- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) {
|
||||
- break;
|
||||
+ if (unix_args[j].token) {
|
||||
+ sl = strlen(unix_args[j].token);
|
||||
+ if (unix_args[j].token[sl-1] == '=') {
|
||||
+ /* exclude argument from comparison */
|
||||
+ if (!strncmp(*argv, unix_args[j].token, sl))
|
||||
+ break;
|
||||
+ } else {
|
||||
+ sl = strlen(unix_args[j].token);
|
||||
+ if (unix_args[j].token[sl-1] == '=') {
|
||||
+ /* exclude argument from comparison */
|
||||
+ if (!strncmp(*argv, unix_args[j].token, sl))
|
||||
+ break;
|
||||
+ } else {
|
||||
+ /* compare full strings */
|
||||
+ if (!strcmp(*argv, unix_args[j].token))
|
||||
+ break;
|
||||
+ }
|
||||
+ if (!strcmp(*argv, unix_args[j].token))
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -461,6 +469,7 @@ static int _unix_run_helper_binary(pam_h
|
||||
child = fork();
|
||||
@@ -566,6 +575,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
|
||||
if (child == 0) {
|
||||
int i=0;
|
||||
+ int nullok = off(UNIX__NONULL, ctrl);
|
||||
struct rlimit rlim;
|
||||
static char *envp[] = { NULL };
|
||||
char *args[] = { NULL, NULL, NULL, NULL };
|
||||
@@ -488,7 +497,18 @@ static int _unix_run_helper_binary(pam_h
|
||||
const char *args[] = { NULL, NULL, NULL, NULL };
|
||||
+ int nullok = off(UNIX__NONULL, ctrl);
|
||||
|
||||
/* XXX - should really tidy up PAM here too */
|
||||
|
||||
@@ -593,7 +603,16 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
|
||||
/* exec binary helper */
|
||||
args[0] = strdup(CHKPWD_HELPER);
|
||||
args[1] = x_strdup(user);
|
||||
args[0] = CHKPWD_HELPER;
|
||||
args[1] = user;
|
||||
- if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */
|
||||
+
|
||||
+ if (on(UNIX_NULLOK_SECURE, ctrl)) {
|
||||
+ const void *uttyname;
|
||||
+ retval = pam_get_item(pamh, PAM_TTY, &uttyname);
|
||||
+ if (retval != PAM_SUCCESS || uttyname == NULL
|
||||
+ || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS)
|
||||
+ {
|
||||
+ nullok = 0;
|
||||
+ }
|
||||
+ const void *uttyname;
|
||||
+ retval = pam_get_item(pamh, PAM_TTY, &uttyname);
|
||||
+ if (retval != PAM_SUCCESS || uttyname == NULL
|
||||
+ || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) {
|
||||
+ nullok = 0;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (nullok) {
|
||||
args[2]=strdup("nullok");
|
||||
args[2]="nullok";
|
||||
} else {
|
||||
args[2]=strdup("nonull");
|
||||
@@ -567,6 +587,17 @@ _unix_blankpasswd (pam_handle_t *pamh, u
|
||||
args[2]="nonull";
|
||||
@@ -678,6 +697,17 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name)
|
||||
if (on(UNIX__NONULL, ctrl))
|
||||
return 0; /* will fail but don't let on yet */
|
||||
|
||||
|
@ -167,56 +185,56 @@ diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c
|
|||
/* UNIX passwords area */
|
||||
|
||||
retval = get_pwd_hash(pamh, name, &pwd, &salt);
|
||||
@@ -653,7 +684,8 @@ int _unix_verify_password(pam_handle_t *
|
||||
@@ -764,7 +794,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
|
||||
}
|
||||
}
|
||||
} else {
|
||||
- retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl));
|
||||
+ retval = verify_pwd_hash(p, salt,
|
||||
+ _unix_blankpasswd(pamh, ctrl, name));
|
||||
+ retval = verify_pwd_hash(p, salt, _unix_blankpasswd(pamh, ctrl, name));
|
||||
}
|
||||
|
||||
if (retval == PAM_SUCCESS) {
|
||||
diff -urpN a/modules/pam_unix/support.h b/modules/pam_unix/support.h
|
||||
--- a/modules/pam_unix/support.h 2013-07-05 09:51:10.385107934 +0800
|
||||
+++ b/modules/pam_unix/support.h 2013-07-05 10:23:54.815107842 +0800
|
||||
@@ -90,8 +90,9 @@ typedef struct {
|
||||
password hash algorithms */
|
||||
#define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
|
||||
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
|
||||
index 3729ce0..43cdbea 100644
|
||||
--- a/modules/pam_unix/support.h
|
||||
+++ b/modules/pam_unix/support.h
|
||||
@@ -99,8 +99,9 @@ typedef struct {
|
||||
#define UNIX_MIN_PASS_LEN 27 /* min length for password */
|
||||
+#define UNIX_NULLOK_SECURE 28 /* NULL passwords allowed only on secure ttys */
|
||||
#define UNIX_QUIET 28 /* Don't print informational messages */
|
||||
#define UNIX_DES 29 /* DES, default */
|
||||
+#define UNIX_NULLOK_SECURE 30 /* NULL passwords allowed only on secure ttys */
|
||||
/* -------------- */
|
||||
-#define UNIX_CTRLS_ 28 /* number of ctrl arguments defined */
|
||||
+#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */
|
||||
-#define UNIX_CTRLS_ 30 /* number of ctrl arguments defined */
|
||||
+#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */
|
||||
|
||||
#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
|
||||
|
||||
@@ -109,7 +110,7 @@ static const UNIX_Ctrls unix_args[UNIX_C
|
||||
/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100},
|
||||
/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200},
|
||||
/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400},
|
||||
-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000},
|
||||
+/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x10000000), 0x200},
|
||||
/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000},
|
||||
/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000},
|
||||
/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000},
|
||||
@@ -127,7 +128,8 @@ static const UNIX_Ctrls unix_args[UNIX_C
|
||||
/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000},
|
||||
/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000},
|
||||
/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000},
|
||||
-/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000},
|
||||
+/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000},
|
||||
+/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200), 0x10000000},
|
||||
@@ -118,7 +119,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
|
||||
/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100, 0},
|
||||
/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0},
|
||||
/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0},
|
||||
-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
|
||||
+/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x10000000), 0200, 0},
|
||||
/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
|
||||
/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
|
||||
/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
|
||||
@@ -139,6 +140,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
|
||||
/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
|
||||
/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
|
||||
/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1},
|
||||
+/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200), 0x10000000, 0},
|
||||
};
|
||||
|
||||
#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
|
||||
@@ -163,6 +165,9 @@ extern int _unix_read_password(pam_handl
|
||||
@@ -171,6 +173,8 @@ extern int _unix_read_password(pam_handle_t * pamh
|
||||
,const char *prompt2
|
||||
,const char *data_name
|
||||
,const void **pass);
|
||||
|
||||
+extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
|
||||
+ const char *uttyname);
|
||||
+
|
||||
+ const char *uttyname);
|
||||
|
||||
extern int _unix_run_verify_binary(pam_handle_t *pamh,
|
||||
unsigned int ctrl, const char *user, int *daysleft);
|
||||
#endif /* _PAM_UNIX_SUPPORT_H */
|
||||
--
|
||||
2.1.4
|
||||
|
||||
|
|
|
@ -1,63 +0,0 @@
|
|||
From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
|
||||
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
||||
Date: Wed, 26 Mar 2014 22:17:23 +0000
|
||||
Subject: [PATCH] pam_timestamp: fix potential directory traversal issue
|
||||
(ticket #27)
|
||||
|
||||
commit 9dcead87e6d7f66d34e7a56d11a30daca367dffb upstream
|
||||
|
||||
pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
|
||||
the timestamp pathname it creates, so extra care should be taken to
|
||||
avoid potential directory traversal issues.
|
||||
|
||||
* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
|
||||
"." and ".." tty values as invalid.
|
||||
(get_ruser): Treat "." and ".." ruser values, as well as any ruser
|
||||
value containing '/', as invalid.
|
||||
|
||||
Fixes CVE-2014-2583.
|
||||
|
||||
Reported-by: Sebastian Krahmer <krahmer@suse.de>
|
||||
|
||||
Upstream-Status: Backport
|
||||
|
||||
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
|
||||
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
---
|
||||
modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++-
|
||||
1 files changed, 12 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
|
||||
index 5193733..b3f08b1 100644
|
||||
--- a/modules/pam_timestamp/pam_timestamp.c
|
||||
+++ b/modules/pam_timestamp/pam_timestamp.c
|
||||
@@ -158,7 +158,7 @@ check_tty(const char *tty)
|
||||
tty = strrchr(tty, '/') + 1;
|
||||
}
|
||||
/* Make sure the tty wasn't actually a directory (no basename). */
|
||||
- if (strlen(tty) == 0) {
|
||||
+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
|
||||
return NULL;
|
||||
}
|
||||
return tty;
|
||||
@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
|
||||
if (pwd != NULL) {
|
||||
ruser = pwd->pw_name;
|
||||
}
|
||||
+ } else {
|
||||
+ /*
|
||||
+ * This ruser is used by format_timestamp_name as a component
|
||||
+ * of constructed timestamp pathname, so ".", "..", and '/'
|
||||
+ * are disallowed to avoid potential path traversal issues.
|
||||
+ */
|
||||
+ if (!strcmp(ruser, ".") ||
|
||||
+ !strcmp(ruser, "..") ||
|
||||
+ strchr(ruser, '/')) {
|
||||
+ ruser = NULL;
|
||||
+ }
|
||||
}
|
||||
if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
|
||||
*ruserbuf = '\0';
|
||||
--
|
||||
1.7.5.4
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
Backport from linux-pam git repo.
|
||||
|
||||
[YOCTO #4107]
|
||||
|
||||
Upstream-Status: Backport
|
||||
|
||||
Signed-off-by: Kang Kai <kai.kang@windriver.com>
|
||||
|
||||
From bd07ad3adc626f842a4391d256541883426fd389 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Tue, 13 Nov 2012 09:19:05 +0100
|
||||
Subject: [PATCH] Reflect the enforce_for_root semantics change in
|
||||
pam_pwhistory xtest.
|
||||
|
||||
xtests/tst-pam_pwhistory1.pamd: Use enforce_for_root as the test is
|
||||
running with real uid == 0.
|
||||
---
|
||||
xtests/tst-pam_pwhistory1.pamd | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/xtests/tst-pam_pwhistory1.pamd b/xtests/tst-pam_pwhistory1.pamd
|
||||
index 68e1b94..d60db7c 100644
|
||||
--- a/xtests/tst-pam_pwhistory1.pamd
|
||||
+++ b/xtests/tst-pam_pwhistory1.pamd
|
||||
@@ -1,6 +1,6 @@
|
||||
#%PAM-1.0
|
||||
auth required pam_permit.so
|
||||
account required pam_permit.so
|
||||
-password required pam_pwhistory.so remember=10 retry=1
|
||||
+password required pam_pwhistory.so remember=10 retry=1 enforce_for_root
|
||||
password required pam_unix.so use_authtok md5
|
||||
session required pam_permit.so
|
||||
--
|
||||
1.7.11.7
|
||||
|
|
@ -18,19 +18,15 @@ SRC_URI = "http://linux-pam.org/library/Linux-PAM-${PV}.tar.bz2 \
|
|||
file://pam.d/common-session-noninteractive \
|
||||
file://pam.d/other \
|
||||
file://libpam-xtests.patch \
|
||||
file://destdirfix.patch \
|
||||
file://fixsepbuild.patch \
|
||||
file://reflect-the-enforce_for_root-semantics-change-in-pam.patch \
|
||||
file://add-checks-for-crypt-returning-NULL.patch \
|
||||
file://libpam-fix-for-CVE-2010-4708.patch \
|
||||
file://pam-security-abstract-securetty-handling.patch \
|
||||
file://pam-unix-nullok-secure.patch \
|
||||
file://pam_timestamp-fix-potential-directory-traversal-issu.patch \
|
||||
file://libpam-xtests-remove-bash-dependency.patch \
|
||||
file://crypt_configure.patch \
|
||||
"
|
||||
SRC_URI[md5sum] = "7b73e58b7ce79ffa321d408de06db2c4"
|
||||
SRC_URI[sha256sum] = "bab887d6280f47fc3963df3b95735a27a16f0f663636163ddf3acab5f1149fc2"
|
||||
|
||||
SRC_URI[md5sum] = "9dc53067556d2dd567808fd509519dd6"
|
||||
SRC_URI[sha256sum] = "342b1211c0d3b203a7df2540a5b03a428a087bd8a48c17e49ae268f992b334d9"
|
||||
|
||||
SRC_URI_append_libc-uclibc = " file://pam-no-innetgr.patch"
|
||||
SRC_URI_append_libc-musl = " file://pam-no-innetgr.patch"
|
Loading…
Reference in New Issue