author | Natanael Copa <ncopa@alpinelinux.org> | 2017-11-29 16:22:49 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2017-11-29 16:25:19 +0000 |
commit | fe20e8da2f8b7fb6f208cccf8f369400d947a6a2 (patch) | |
tree | 70741c6972793be929492690674bf786596f43ca | |
parent | da5ea802a3975665ace500b89e647ebf4007b232 (diff) | |
community/shadow: upgrade to 4.5
6 files changed, 10 insertions, 267 deletions
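--- a/community/shadow/301-CVE-2017-2616-su-properly-clear-child-PID.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Thu, 23 Feb 2017 09:47:29 -0600
-Subject: [PATCH] su: properly clear child PID
-
-If su is compiled with PAM support, it is possible for any local user
-to send SIGKILL to other processes with root privileges. There are
-only two conditions. First, the user must be able to perform su with
-a successful login. This does NOT have to be the root user, even using
-su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
-can only be sent to processes which were executed after the su process.
-It is not possible to send SIGKILL to processes which were already
-running. I consider this as a security vulnerability, because I was
-able to write a proof of concept which unlocked a screen saver of
-another user this way.
----
-src/su.c | 19 +++++++++++++++++--
-1 file changed, 17 insertions(+), 2 deletions(-)
-
---- a/src/su.c
-+++ b/src/su.c
-@@ -363,20 +363,35 @@ static void prepare_pam_close_session (v
-/* wake child when resumed */
-kill (pid, SIGCONT);
-stop = false;
-+ } else {
-+ pid_child = 0;
-}
-} while (!stop);
-}
-
-- if (0 != caught) {
-+ if (0 != caught && 0 != pid_child) {
-(void) fputs ("\n", stderr);
-(void) fputs (_("Session terminated, terminating shell..."),
-stderr);
-(void) kill (-pid_child, caught);
-
-(void) signal (SIGALRM, kill_child);
-+ (void) signal (SIGCHLD, catch_signals);
-(void) alarm (2);
-
-- (void) wait (&status);
-+ sigemptyset (&ourset);
-+ if ((sigaddset (&ourset, SIGALRM) != 0)
-+ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
-+ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
-+ kill_child (0);
-+ } else {
-+ while (0 == waitpid (pid_child, &status, WNOHANG)) {
-+ sigsuspend (&ourset);
-+ }
-+ pid_child = 0;
-+ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
-+ }
-+
-(void) fputs (_(" ...terminated.\n"), stderr);
-}
-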
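--- a/community/shadow/302-CVE-2016-6252-fix-integer-overflow.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 1d5a926cc2d6078d23a96222b1ef3e558724dad1 Mon Sep 17 00:00:00 2001
-From: Sebastian Krahmer <krahmer@suse.com>
-Date: Wed, 3 Aug 2016 11:51:07 -0500
-Subject: [PATCH] Simplify getulong
-
-Use strtoul to read an unsigned long, rather than reading
-a signed long long and casting it.
-
-https://bugzilla.suse.com/show_bug.cgi?id=979282
----
-lib/getulong.c | 9 +++------
-1 file changed, 3 insertions(+), 6 deletions(-)
-
-diff --git a/lib/getulong.c b/lib/getulong.c
-index 61579ca..08d2c1a 100644
---- a/lib/getulong.c
-+++ b/lib/getulong.c
-@@ -44,22 +44,19 @@
-*/
-int getulong (const char *numstr, /*@out@*/unsigned long int *result)
-{
-- long long int val;
-+ unsigned long int val;
-char *endptr;
-
-errno = 0;
-- val = strtoll (numstr, &endptr, 0);
-+ val = strtoul (numstr, &endptr, 0);
-if ( ('\0' == *numstr)
-|| ('\0' != *endptr)
-|| (ERANGE == errno)
-- /*@+ignoresigns@*/
-- || (val != (unsigned long int)val)
-- /*@=ignoresigns@*/
-) {
-return 0;
-}
-
-- *result = (unsigned long int)val;
-+ *result = val;
-return 1;
-}
-
---
-2.1.4
-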
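--- a/community/shadow/303-Reset-pid_child-only-if-waitpid-was-successful.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 7d82f203eeec881c584b2fa06539b39e82985d97 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 14 May 2017 17:58:10 +0200
-Subject: [PATCH] Reset pid_child only if waitpid was successful.
-
-Do not reset the pid_child to 0 if the child process is still
-running. This else-condition can be reached with pid being -1,
-therefore explicitly test this condition.
-
-This is a regression fix for CVE-2017-2616. If su receives a
-signal like SIGTERM, it is not propagated to the child.
-
-Reported-by: Radu Duta <raduduta@gmail.com>
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
----
-src/su.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/src/su.c
-+++ b/src/su.c
-@@ -363,7 +363,7 @@ static void prepare_pam_close_session (v
-/* wake child when resumed */
-kill (pid, SIGCONT);
-stop = false;
-- } else {
-+ } else if ( (pid_t)-1 != pid) {
-pid_child = 0;
-}
-} while (!stop);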
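--- a/community/shadow/APKBUILD
+++ b/community/shadow/APKBUILD
@@ -2,8 +2,8 @@
 # Contributor: Jakub Jirutka <jakub@jirutka.cz>
 # Maintainer: Stuart Cardall <developer@it-offshore.co.uk>
 pkgname=shadow
-pkgver=4.2.1
-pkgrel=11
+pkgver=4.5
+pkgrel=0
 pkgdesc="PAM-using login and passwd utilities (usermod, useradd, ...)"
 url="http://pkg-shadow.alioth.debian.org/"
 arch="all"
@@ -11,20 +11,19 @@ license="GPL"
 depends=""
 makedepends="linux-pam-dev"
 subpackages="$pkgname-doc $pkgname-dbg $pkgname-uidmap"
-source="http://pkg-shadow.alioth.debian.org/releases/shadow-$pkgver.tar.xz
+source="https://github.com/shadow-maint/shadow/releases/download/$pkgver/shadow-$pkgver.tar.xz
 login.pamd
 dots-in-usernames.patch
-cross-size-checks.patch
-verbose-error-when-uid-doesnt-match.patch
-301-CVE-2017-2616-su-properly-clear-child-PID.patch
-302-CVE-2016-6252-fix-integer-overflow.patch
-303-Reset-pid_child-only-if-waitpid-was-successful.patch
 useradd-usergroups.patch
 pam-useradd.patch
 "
 # secfixes:
-# - CVE-2016-6252
-# - CVE-2017-2616 (+ regression fix)
+# 4.5-r0:
+# - CVE-2017-12424
+# 4.2.1-r11:
+# - CVE-2017-2616
+# 4.2.1-r7:
+# - CVE-2016-6252
 
 options="suid"
 builddir="$srcdir/shadow-$pkgver"
@@ -104,13 +103,8 @@ uidmap() {
 touch etc/subuid etc/subgid
 }
 
-sha512sums="7a14bf8e08126f0402e37b6e4c559615ced7cf829e39156d929ed05cd8813de48a77ff1f7f6fe707da04cf662a2e9e84c22d63d88dd1ed13f935fde594db95f0 shadow-4.2.1.tar.xz
+sha512sums="e57f8db54df23301c229d4be30d4cbb67efa1d1809cffcff79adc480b6019fb2b5fd09e112e82a3f00ad5a6b2994592adac93f70a631cf666b6f4723b61c87b5 shadow-4.5.tar.xz
 46a6f83f3698e101b58b8682852da749619412f75dfa85cecad03d0847f6c3dc452d984510db7094220e4570a0565b83b0556e16198ad894a3ec84b3e513d58d login.pamd
 745eea04c054226feba165b635dbb8570b8a04537d41e914400a4c54633c3a9cf350da0aabfec754fb8cf3e58fc1c8cf597b895506312f19469071760c11f31d dots-in-usernames.patch
-c46760254439176babeef24d93900914092655af3a48f54385adf6ef5a3af76799fb7e96083acd27853d6ab6d7392543dbaf70bb26f164519e92f677da7851a4 cross-size-checks.patch
-1b3513772a7a0294b587723213e4464cc5a1a42ae6a79e9b9f9ea20083684a21d81e362f44d87ce2e6de2daf396d8422b39019923c0b0cbb44fa4c4c24613c0c verbose-error-when-uid-doesnt-match.patch
-0954920ce9307948848d8f9ca5ea5bba4db8394793ef314ab5c6770948e96071748192b52ba8c31d543fe71ce0e6e2a7f3a2a92862966a940639a19df1048634 301-CVE-2017-2616-su-properly-clear-child-PID.patch
-36f494347cb980d85ea82331ec620a949be45f5f2c400a3b13f409a8d9c932c0f822cb0baa2ee78c6f356e7bf93de51c1b0f20730e8f3af36a746a5632d19bbe 302-CVE-2016-6252-fix-integer-overflow.patch
-e36d54759b71d48c62aefc4032e63deccafa69d22f8bae772b4c0ca135b431db9cd35a1a2a2adf5c76996e76e13ab82e1cf19bba70c6ca4414b3979a43c292c2 303-Reset-pid_child-only-if-waitpid-was-successful.patch
 49f1d5ded82d2d479805c77d7cc6274c30233596e375b28306b31a33f8fbfc3611dbc77d606081b8300247908c267297dbb6c5d1a30d56095dda53c6a636fb56 useradd-usergroups.patch
 0b4587e263cb6be12fa5ae6bc3b3fc4d3696dae355bc67d085dc58c52ff96edb4d163b95db2092b8c2f3310839430cac03c7af356641b42e24ee4aa6410f5cf1 pam-useradd.patch"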
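Review bot: The `# secfixes:` rewrite loses the `(+ regression fix)` remark at the same time as patches 301, 302 and 303 leave `source=`, and nothing on the new side records that shadow 4.5 already carries those fixes. For a package built with `options="suid"` that is worth stating; presumably the release contains all three, but this should be confirmed against the 4.5 sources, in particular the `pid_child` regression fix from patch 303. Once confirmed, a comment such as `# 301-303 dropped in 4.5-r0: fixes are part of the upstream release` above `# secfixes:` would document it. Separately, the unchanged `url=` line still points at `http://pkg-shadow.alioth.debian.org/` while the tarball now comes from GitHub; `url="https://github.com/shadow-maint/shadow"` would keep the two consistent.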
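--- a/community/shadow/cross-size-checks.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 2cb54158b80cdbd97ca3b36df83f9255e923ae3f Mon Sep 17 00:00:00 2001
-From: James Le Cuirot <chewi@aura-online.co.uk>
-Date: Sat, 23 Aug 2014 09:46:39 +0100
-Subject: [PATCH] Check size of uid_t and gid_t using AC_CHECK_SIZEOF
-
-This built-in check is simpler than the previous method and, most
-importantly, works when cross-compiling.
-
-Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
----
-configure.in | 14 ++++----------
-1 file changed, 4 insertions(+), 10 deletions(-)
-
-diff --git a/configure.in b/configure.in
-index 1a3f841..4a4d6d0 100644
---- a/configure.in
-+++ b/configure.in
-@@ -335,16 +335,10 @@ if test "$enable_subids" != "no"; then
-dnl
-dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc
-dnl
-- AC_RUN_IFELSE([AC_LANG_SOURCE([
--#include <sys/types.h>
--int main(void) {
-- uid_t u;
-- gid_t g;
-- return (sizeof u < 4) || (sizeof g < 4);
--}
-- ])], [id32bit="yes"], [id32bit="no"])
--
-- if test "x$id32bit" = "xyes"; then
-+ AC_CHECK_SIZEOF([uid_t],, [#include "sys/types.h"])
-+ AC_CHECK_SIZEOF([gid_t],, [#include "sys/types.h"])
-+
-+ if test "$ac_cv_sizeof_uid_t" -ge 4 && test "$ac_cv_sizeof_gid_t" -ge 4; then
-AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.])
-enable_subids="yes"
-else
---
-2.3.6
-
-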
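--- a/community/shadow/verbose-error-when-uid-doesnt-match.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From: Hank Leininger <hlein@korelogic.com>
-Date: Mon, 6 Apr 2015 08:22:48 -0500
-Subject: [PATCH] Expand the error message when newuidmap / newgidmap do not
-like the user/group ownership of their target process.
-
-Currently the error is just:
-
-newuidmap: Target [pid] is owned by a different user
-
-With this patch it will be like:
-
-newuidmap: Target [pid] is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:99
-
-Why is this useful? Well, in my case...
-
-The grsecurity kernel-hardening patch includes an option to make parts
-of /proc unreadable, such as /proc/pid/ dirs for processes not owned by
-the current uid. This comes with an option to make /proc/pid/
-directories readable by a specific gid; sysadmins and the like are then
-put into that group so they can see a full 'ps'.
-
-This means that the check in new[ug]idmap fails, as in the above quoted
-error - /proc/[targetpid] is owned by root, but the group is 99 so that
-users in group 99 can see the process.
-
-Some Googling finds dozens of people hitting this problem, but not
-*knowing* that they have hit this problem, because the errors and
-circumstances are non-obvious.
-
-Some graceful way of handling this and not failing, will be next ;) But
-in the meantime it'd be nice to have new[ug]idmap emit a more useful
-error, so that it's easier to troubleshoot.
-
-Thanks!
-
-Signed-off-by: Hank Leininger <hlein@korelogic.com>
-Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
----
-src/newgidmap.c | 6 ++++--
-src/newuidmap.c | 6 ++++--
-2 files changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/src/newgidmap.c b/src/newgidmap.c
-index a532b45..451c6a6 100644
---- a/src/newgidmap.c
-+++ b/src/newgidmap.c
-@@ -161,8 +161,10 @@ int main(int argc, char **argv)
-(getgid() != pw->pw_gid) ||
-(pw->pw_uid != st.st_uid) ||
-(pw->pw_gid != st.st_gid)) {
-- fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ),
-- Prog, target);
-+ fprintf(stderr, _( "%s: Target %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
-+ Prog, target,
-+ (unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
-+ (unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid);
-return EXIT_FAILURE;
-}
-
-diff --git a/src/newuidmap.c b/src/newuidmap.c
-index 5150078..9c8bc1b 100644
---- a/src/newuidmap.c
-+++ b/src/newuidmap.c
-@@ -161,8 +161,10 @@ int main(int argc, char **argv)
-(getgid() != pw->pw_gid) ||
-(pw->pw_uid != st.st_uid) ||
-(pw->pw_gid != st.st_gid)) {
-- fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ),
-- Prog, target);
-+ fprintf(stderr, _( "%s: Target process %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
-+ Prog, target,
-+ (unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
-+ (unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid);
-return EXIT_FAILURE;
-}
\ No newline at end of file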