Browse Source

libpam: bump to 1.2.0

- Add configure options --disable-nis, --disable-regenerate-docu
 - 000-OE-libpam-xtests.patch is not relevant in OpenWrt
 - 001-no_nis.patch was dropped because we now --disable-nis
 - 002-no_yywrap.patch was dropped be cause it was fixed in 1.2.0
 - 003-no_doc was dropped because we ignore doc/ with
   --disable-regenreate-docu
 - 004-fix_lib64 was replaced by new 0001-build-use-host_cpu...
 - pam_rhosts will not be built with musl because ruserok{,_af{
   are not available
 - pam_lastlog will not be built with musl because logwtmp is missing

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
lilik-openwrt-22.03
Yousong Zhou 10 years ago
parent
commit
9f35f2a9e5
18 changed files with 403 additions and 941 deletions
  1. +4
    -2
      libs/libpam/Makefile
  2. +0
    -35
      libs/libpam/patches/000-OE-libpam-xtests.patch
  3. +28
    -0
      libs/libpam/patches/0001-build-use-host_cpu-for-lib64-directory-handling.patch
  4. +77
    -0
      libs/libpam/patches/0002-build-ignore-pam_rhosts-if-neither-ruserok-nor-ruser.patch
  5. +60
    -0
      libs/libpam/patches/0003-build-ignore-pam_lastlog-when-logwtmp-is-not-availab.patch
  6. +28
    -0
      libs/libpam/patches/0004-build-fix-build-when-crypt-is-not-part-of-crypt_libs.patch
  7. +133
    -0
      libs/libpam/patches/0005-build-fix-doc-build.patch
  8. +29
    -0
      libs/libpam/patches/0006-pam_unix-fix-compilation-in-case-rpc-rpc.h-is-missin.patch
  9. +44
    -23
      libs/libpam/patches/0007-Check-if-innetgr-is-available-at-compile-time.patch
  10. +0
    -68
      libs/libpam/patches/001-no_nis.patch
  11. +0
    -26
      libs/libpam/patches/002-no_yywrap.patch
  12. +0
    -22
      libs/libpam/patches/003-no_doc.patch
  13. +0
    -16
      libs/libpam/patches/004-fix_lib64.patch
  14. +0
    -364
      libs/libpam/patches/005-fix_ruserok.patch
  15. +0
    -271
      libs/libpam/patches/006-fix_xdr.patch
  16. +0
    -52
      libs/libpam/patches/007-cve-2014-2583.patch
  17. +0
    -11
      libs/libpam/patches/008-LIBCRYPT-fix.patch
  18. +0
    -51
      libs/libpam/patches/009-pam_rhosts-fix.patch

+ 4
- 2
libs/libpam/Makefile View File

@ -8,8 +8,8 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=libpam
PKG_VERSION:=1.1.8
PKG_RELEASE:=5
PKG_VERSION:=1.2.0
PKG_RELEASE:=1
PKG_SOURCE:=Linux-PAM-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://www.linux-pam.org/library/
@ -45,6 +45,8 @@ define Build/Configure
--disable-selinux \
--disable-nls \
--disable-rpath \
--disable-nis \
--disable-regenerate-docu \
--enable-db=no \
)
endef


+ 0
- 35
libs/libpam/patches/000-OE-libpam-xtests.patch View File

@ -1,35 +0,0 @@
This patch is used to create a new sub package libpam-xtests to do more checks.
Upstream-Status: Pending
Signed-off-by: Kang Kai <kai.kang@windriver.com>
--- a/xtests/Makefile.am
+++ b/xtests/Makefile.am
@@ -7,7 +7,7 @@ AM_CFLAGS = -DLIBPAM_COMPILE -I$(top_src
LDADD = $(top_builddir)/libpam/libpam.la \
$(top_builddir)/libpam_misc/libpam_misc.la
-CLEANFILES = *~ $(XTESTS)
+CLEANFILES = *~
EXTRA_DIST = run-xtests.sh tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd \
tst-pam_dispatch3.pamd tst-pam_dispatch4.pamd \
@@ -51,3 +51,18 @@ EXTRA_PROGRAMS = $(XTESTS)
xtests: $(XTESTS) run-xtests.sh
"$(srcdir)"/run-xtests.sh "$(srcdir)" ${XTESTS} ${NOSRCTESTS}
+
+all: $(XTESTS)
+
+install: install_xtests
+
+install_xtests:
+ $(INSTALL) -d $(DESTDIR)$(pkgdatadir)/xtests
+ for file in $(EXTRA_DIST) ; do \
+ $(INSTALL) $$file $(DESTDIR)$(pkgdatadir)/xtests ; \
+ done
+ for file in $(XTESTS); do \
+ $(INSTALL) .libs/$$file $(DESTDIR)$(pkgdatadir)/xtests ; \
+ done
+
+.PHONY: all install_xtests

+ 28
- 0
libs/libpam/patches/0001-build-use-host_cpu-for-lib64-directory-handling.patch View File

@ -0,0 +1,28 @@
From ee916fd0ec70eb37a97da29f6ec0c26bef7cf6f2 Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Wed, 17 Jun 2015 16:11:31 +0800
Subject: [PATCH 1/7] build: use $host_cpu for lib64 directory handling.
* configure.ac: use $host_cpu for lib64 directory handling.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index fd0e310..1bc2591 100644
--- a/configure.ac
+++ b/configure.ac
@@ -27,7 +27,7 @@ dnl If we use /usr as prefix, use /etc for config files
fi
if test ${libdir} = '${exec_prefix}/lib'
then
- case "`uname -m`" in
+ case "$host_cpu" in
x86_64|ppc64|s390x|sparc64)
libdir="/lib64" ;;
*)
--
1.7.10.4

+ 77
- 0
libs/libpam/patches/0002-build-ignore-pam_rhosts-if-neither-ruserok-nor-ruser.patch View File

@ -0,0 +1,77 @@
From e985c1ef2c739a597b2d7a2efc3c310c02e40c1f Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Wed, 17 Jun 2015 18:19:23 +0800
Subject: [PATCH 2/7] build: ignore pam_rhosts if neither ruserok nor
ruserok_af is available.
* configure.ac: check for ruserok and ruserok_af
* modules/Makefile.am: ignore pam_rhosts/ if it's disabled
* modules/pam_rhosts/pam_rhosts.c: include stdlib.h for malloc and free
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
---
configure.ac | 5 ++++-
modules/Makefile.am | 11 ++++++++---
modules/pam_rhosts/pam_rhosts.c | 1 +
3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/configure.ac b/configure.ac
index 1bc2591..3c4d8bb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -542,7 +542,10 @@ AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir selec
AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
AC_CHECK_FUNCS(getgrouplist getline getdelim)
-AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af)
+AC_CHECK_FUNCS(inet_ntop inet_pton innetgr)
+AC_CHECK_FUNCS([ruserok_af ruserok], [break])
+
+AM_CONDITIONAL([COND_BUILD_PAM_RHOSTS], [test "$ac_cv_func_ruserok_af" = yes -o "$ac_cv_func_ruserok" = yes])
AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
diff --git a/modules/Makefile.am b/modules/Makefile.am
index 0c80cea..9ad26a9 100644
--- a/modules/Makefile.am
+++ b/modules/Makefile.am
@@ -2,16 +2,21 @@
# Copyright (c) 2005, 2006, 2008 Thorsten Kukuk <kukuk@thkukuk.de>
#
-SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
+if COND_BUILD_PAM_RHOSTS
+ MAYBE_PAM_RHOSTS = pam_rhosts
+endif
+
+SUBDIRS := pam_access pam_cracklib pam_debug pam_deny pam_echo \
pam_env pam_exec pam_faildelay pam_filter pam_ftp \
pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
pam_listfile pam_localuser pam_loginuid pam_mail \
pam_mkhomedir pam_motd pam_namespace pam_nologin \
- pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \
+ pam_permit pam_pwhistory pam_rootok pam_securetty \
pam_selinux pam_sepermit pam_shells pam_stress \
pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \
pam_tty_audit pam_umask \
- pam_unix pam_userdb pam_warn pam_wheel pam_xauth
+ pam_unix pam_userdb pam_warn pam_wheel pam_xauth \
+ $(MAYBE_PAM_RHOSTS)
CLEANFILES = *~
diff --git a/modules/pam_rhosts/pam_rhosts.c b/modules/pam_rhosts/pam_rhosts.c
index bc9e76f..51ef13e 100644
--- a/modules/pam_rhosts/pam_rhosts.c
+++ b/modules/pam_rhosts/pam_rhosts.c
@@ -35,6 +35,7 @@
#include <pwd.h>
#include <netdb.h>
#include <string.h>
+#include <stdlib.h>
#include <syslog.h>
#define PAM_SM_AUTH /* only defines this management group */
--
1.7.10.4

+ 60
- 0
libs/libpam/patches/0003-build-ignore-pam_lastlog-when-logwtmp-is-not-availab.patch View File

@ -0,0 +1,60 @@
From 173164996ca7daf3fa705f2a0bb2991b0d5d2083 Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Wed, 17 Jun 2015 21:18:05 +0800
Subject: [PATCH 3/7] build: ignore pam_lastlog when logwtmp is not available.
* configure.ac: check logwtmp and set COND_BUILD_PAM_LASTLOG
* modules/pam_lastlog/Makefile.am: check COND_BUILD_PAM_LASTLOG
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
---
configure.ac | 2 ++
modules/Makefile.am | 8 ++++++--
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index 3c4d8bb..8de6edf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -544,8 +544,10 @@ AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r
AC_CHECK_FUNCS(getgrouplist getline getdelim)
AC_CHECK_FUNCS(inet_ntop inet_pton innetgr)
AC_CHECK_FUNCS([ruserok_af ruserok], [break])
+AC_CHECK_FUNCS([logwtmp])
AM_CONDITIONAL([COND_BUILD_PAM_RHOSTS], [test "$ac_cv_func_ruserok_af" = yes -o "$ac_cv_func_ruserok" = yes])
+AM_CONDITIONAL([COND_BUILD_PAM_LASTLOG], [test "$ac_cv_func_logwtmp" = yes])
AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
diff --git a/modules/Makefile.am b/modules/Makefile.am
index 9ad26a9..b98dc5c 100644
--- a/modules/Makefile.am
+++ b/modules/Makefile.am
@@ -6,9 +6,13 @@ if COND_BUILD_PAM_RHOSTS
MAYBE_PAM_RHOSTS = pam_rhosts
endif
+if COND_BUILD_PAM_LASTLOG
+ MAYBE_PAM_LASTLOG = pam_lastlog
+endif
+
SUBDIRS := pam_access pam_cracklib pam_debug pam_deny pam_echo \
pam_env pam_exec pam_faildelay pam_filter pam_ftp \
- pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
+ pam_group pam_issue pam_keyinit pam_limits \
pam_listfile pam_localuser pam_loginuid pam_mail \
pam_mkhomedir pam_motd pam_namespace pam_nologin \
pam_permit pam_pwhistory pam_rootok pam_securetty \
@@ -16,7 +20,7 @@ SUBDIRS := pam_access pam_cracklib pam_debug pam_deny pam_echo \
pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \
pam_tty_audit pam_umask \
pam_unix pam_userdb pam_warn pam_wheel pam_xauth \
- $(MAYBE_PAM_RHOSTS)
+ $(MAYBE_PAM_RHOSTS) $(MAYBE_PAM_LASTLOG)
CLEANFILES = *~
--
1.7.10.4

+ 28
- 0
libs/libpam/patches/0004-build-fix-build-when-crypt-is-not-part-of-crypt_libs.patch View File

@ -0,0 +1,28 @@
From 20e5efe4b2a8471bc52e480e53cff68a4de19c56 Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Wed, 17 Jun 2015 18:22:31 +0800
Subject: [PATCH 4/7] build: fix build when crypt() is not part of crypt_libs.
* configure.ac: ditto.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 8de6edf..c15441b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -416,7 +416,7 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
[crypt_libs="crypt"])
BACKUP_LIBS=$LIBS
-AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="-l$ac_lib", LIBCRYPT="")
+AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_lib:+-l$ac_lib}", LIBCRYPT="")
AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
LIBS=$BACKUP_LIBS
AC_SUBST(LIBCRYPT)
--
1.7.10.4

+ 133
- 0
libs/libpam/patches/0005-build-fix-doc-build.patch View File

@ -0,0 +1,133 @@
From df7abf333d19aefd166f613b696345732ae4c9c8 Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Wed, 17 Jun 2015 20:38:41 +0800
Subject: [PATCH 5/7] build: fix doc build.
* Makefile.am: ignore doc/ directory if not ENABLE_REGENERATE_MAN
* doc/adg/Makefile.am: remove check on ENABLE_REGENERATE_MAN
* doc/man/Makefile.am: ditto
* doc/mwg/Makefile.am: ditto
* doc/sag/Makefile.am: ditto
* doc/specs/Makefile.am: ignore CC from command line
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
---
Makefile.am | 5 ++++-
doc/adg/Makefile.am | 3 ---
doc/man/Makefile.am | 2 --
doc/mwg/Makefile.am | 3 ---
doc/sag/Makefile.am | 2 --
doc/specs/Makefile.am | 2 +-
6 files changed, 5 insertions(+), 12 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 3db4e37..5e6592a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4,7 +4,10 @@
AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
+if ENABLE_REGENERATE_MAN
+ MAYBE_DOC = doc
+endif
+SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests $(MAYBE_DOC)
CLEANFILES = *~
diff --git a/doc/adg/Makefile.am b/doc/adg/Makefile.am
index 77bd7a9..bec5edc 100644
--- a/doc/adg/Makefile.am
+++ b/doc/adg/Makefile.am
@@ -9,7 +9,6 @@ EXTRA_DIST = $(XMLS)
XMLS = Linux-PAM_ADG.xml $(shell ls $(srcdir)/pam_*.xml)
DEP_XMLS = $(shell ls $(top_srcdir)/doc/man/pam_*.xml)
-if ENABLE_REGENERATE_MAN
MAINTAINERCLEANFILES = Linux-PAM_ADG.txt Linux-PAM_ADG.pdf html/*.html
all: Linux-PAM_ADG.txt html/Linux-PAM_ADG.html Linux-PAM_ADG.pdf
@@ -51,8 +50,6 @@ html/Linux-PAM_ADG.html: $(XMLS) $(DEP_XMLS)
distclean-local:
-rm -rf html Linux-PAM_ADG.txt Linux-PAM_ADG.pdf
-endif
-
install-data-local:
$(mkinstalldirs) $(DESTDIR)$(docdir)
$(mkinstalldirs) $(DESTDIR)$(pdfdir)
diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am
index 78c891d..b1dc421 100644
--- a/doc/man/Makefile.am
+++ b/doc/man/Makefile.am
@@ -45,7 +45,6 @@ XMLS = pam.3.xml pam.8.xml \
misc_conv.3.xml pam_misc_paste_env.3.xml pam_misc_drop_env.3.xml \
pam_misc_setenv.3.xml
-if ENABLE_REGENERATE_MAN
PAM.8: pam.8
pam_get_authtok_noverify.3: pam_get_authtok.3
pam_get_authtok_verify.3: pam_get_authtok.3
@@ -60,4 +59,3 @@ pam_get_item.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml
pam_set_data.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml
pam.conf.5: pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml
-include $(top_srcdir)/Make.xml.rules
-endif
diff --git a/doc/mwg/Makefile.am b/doc/mwg/Makefile.am
index 2bbb2d0..f57e297 100644
--- a/doc/mwg/Makefile.am
+++ b/doc/mwg/Makefile.am
@@ -9,7 +9,6 @@ EXTRA_DIST = $(XMLS)
XMLS = Linux-PAM_MWG.xml $(shell ls $(srcdir)/pam_*.xml)
DEP_XMLS = $(shell ls $(top_srcdir)/doc/man/pam_*.xml)
-if ENABLE_REGENERATE_MAN
MAINTAINERCLEANFILES = Linux-PAM_MWG.txt Linux-PAM_MWG.pdf html/*.html
all: Linux-PAM_MWG.txt html/Linux-PAM_MWG.html Linux-PAM_MWG.pdf
@@ -51,8 +50,6 @@ html/Linux-PAM_MWG.html: $(XMLS) $(DEP_XMLS)
distclean-local:
-rm -rf html Linux-PAM_MWG.txt Linux-PAM_MWG.pdf
-endif
-
install-data-local:
$(mkinstalldirs) $(DESTDIR)$(docdir)
$(mkinstalldirs) $(DESTDIR)$(pdfdir)
diff --git a/doc/sag/Makefile.am b/doc/sag/Makefile.am
index 31816aa..a8b655f 100644
--- a/doc/sag/Makefile.am
+++ b/doc/sag/Makefile.am
@@ -10,7 +10,6 @@ XMLS = Linux-PAM_SAG.xml $(shell ls $(srcdir)/pam_*.xml)
DEP_XMLS = $(shell ls $(top_srcdir)/modules/pam_*/pam_*.xml)
-if ENABLE_REGENERATE_MAN
MAINTAINERCLEANFILES = Linux-PAM_SAG.txt Linux-PAM_SAG.pdf html/*.html
all: Linux-PAM_SAG.txt html/Linux-PAM_SAG.html Linux-PAM_SAG.pdf
@@ -51,7 +50,6 @@ html/Linux-PAM_SAG.html: $(XMLS) $(DEP_XMLS)
distclean-local:
-rm -rf html Linux-PAM_SAG.txt Linux-PAM_SAG.pdf
-endif
install-data-local:
$(mkinstalldirs) $(DESTDIR)$(docdir)
diff --git a/doc/specs/Makefile.am b/doc/specs/Makefile.am
index 99ecc70..39c850f 100644
--- a/doc/specs/Makefile.am
+++ b/doc/specs/Makefile.am
@@ -11,7 +11,7 @@ draft-morgan-pam-current.txt: padout draft-morgan-pam.raw
AM_YFLAGS = -d
-CC = @CC_FOR_BUILD@
+override CC = @CC_FOR_BUILD@
CPPFLAGS = @BUILD_CPPFLAGS@
CFLAGS = @BUILD_CFLAGS@
LDFLAGS = @BUILD_LDFLAGS@
--
1.7.10.4

+ 29
- 0
libs/libpam/patches/0006-pam_unix-fix-compilation-in-case-rpc-rpc.h-is-missin.patch View File

@ -0,0 +1,29 @@
From 596797ab7f46fb4d0338e75db7c0d1019cd4df87 Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Wed, 17 Jun 2015 18:16:18 +0800
Subject: [PATCH 6/7] pam_unix: fix compilation in case rpc/rpc.h is missing.
* modules/pam_unix/pam_unix_passwd.c: conditional compile on the
availability of rpc/rpc.h
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
---
modules/pam_unix/pam_unix_passwd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index 2d330e5..970724a 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -336,7 +336,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho,
}
if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, forwho, 0, 1)) {
-#ifdef HAVE_NIS
+#if defined(HAVE_NIS) && defined(HAVE_RPC_RPC_H)
if ((master=getNISserver(pamh, ctrl)) != NULL) {
struct timeval timeout;
struct yppasswd yppwd;
--
1.7.10.4

libs/libpam/patches/000-OE-pam-no-innetgr.patch → libs/libpam/patches/0007-Check-if-innetgr-is-available-at-compile-time.patch View File


+ 0
- 68
libs/libpam/patches/001-no_nis.patch View File

@ -1,68 +0,0 @@
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -44,7 +44,7 @@
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/socket.h>
-#ifdef HAVE_RPCSVC_YPCLNT_H
+#ifdef HAVE_RPCSVC_YPCLNT_H && USE_NIS
#include <rpcsvc/ypclnt.h>
#endif
#ifdef HAVE_LIBAUDIT
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -79,18 +79,18 @@
#include "passverify.h"
#include "bigcrypt.h"
-#if (HAVE_YP_GET_DEFAULT_DOMAIN || HAVE_GETDOMAINNAME) && HAVE_YP_MASTER
+#if (HAVE_YP_GET_DEFAULT_DOMAIN || HAVE_GETDOMAINNAME) && HAVE_YP_MASTER && USE_NIS
# define HAVE_NIS
#endif
#ifdef HAVE_NIS
# include <rpc/rpc.h>
-# if HAVE_RPCSVC_YP_PROT_H
+# if HAVE_RPCSVC_YP_PROT_H && USE_NIS
# include <rpcsvc/yp_prot.h>
# endif
-# if HAVE_RPCSVC_YPCLNT_H
+# if HAVE_RPCSVC_YPCLNT_H && USE_NIS
# include <rpcsvc/ypclnt.h>
# endif
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -19,7 +19,7 @@
#include <ctype.h>
#include <syslog.h>
#include <sys/resource.h>
-#ifdef HAVE_RPCSVC_YPCLNT_H
+#ifdef HAVE_RPCSVC_YPCLNT_H && USE_NIS
#include <rpcsvc/ypclnt.h>
#endif
@@ -402,7 +402,7 @@ int _unix_getpwnam(pam_handle_t *pamh, c
}
}
-#if defined(HAVE_YP_GET_DEFAULT_DOMAIN) && defined (HAVE_YP_BIND) && defined (HAVE_YP_MATCH) && defined (HAVE_YP_UNBIND)
+#if defined(HAVE_YP_GET_DEFAULT_DOMAIN) && defined (HAVE_YP_BIND) && defined (HAVE_YP_MATCH) && defined (HAVE_YP_UNBIND) && (USE_NIS)
if (!matched && nis) {
char *userinfo = NULL, *domain = NULL;
int len = 0, i;
--- a/modules/pam_unix/yppasswd_xdr.c
+++ b/modules/pam_unix/yppasswd_xdr.c
@@ -15,6 +15,10 @@
#ifdef HAVE_RPC_RPC_H
#include <rpc/rpc.h>
+#ifdef USE_NIS
+#include <rpcsvc/yp_prot.h>
+#include <rpcsvc/ypclnt.h>
+#endif
#include "yppasswd.h"
bool_t

+ 0
- 26
libs/libpam/patches/002-no_yywrap.patch View File

@ -1,26 +0,0 @@
--- a/conf/pam_conv1/pam_conv_l.c
+++ b/conf/pam_conv1/pam_conv_l.c
@@ -534,7 +534,9 @@ void yyset_lineno (int line_number );
#ifdef __cplusplus
extern "C" int yywrap (void );
#else
-extern int yywrap (void );
+int yywrap (void ) {
+ return 1;
+}
#endif
#endif
--- a/doc/specs/parse_l.c
+++ b/doc/specs/parse_l.c
@@ -520,7 +520,9 @@ void yyset_lineno (int line_number );
#ifdef __cplusplus
extern "C" int yywrap (void );
#else
-extern int yywrap (void );
+int yywrap (void ) {
+ return 1;
+}
#endif
#endif

+ 0
- 22
libs/libpam/patches/003-no_doc.patch View File

@ -1,22 +0,0 @@
--- a/Makefile.am
+++ b/Makefile.am
@@ -4,7 +4,7 @@
AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
+SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
CLEANFILES = *~
--- a/Makefile.in
+++ b/Makefile.in
@@ -288,7 +288,7 @@ top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
+SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
CLEANFILES = *~
EXTRA_DIST = pgp.keys.asc CHANGELOG ChangeLog-CVS Copyright Make.xml.rules
ACLOCAL_AMFLAGS = -I m4

+ 0
- 16
libs/libpam/patches/004-fix_lib64.patch View File

@ -1,16 +0,0 @@
--- a/configure.in
+++ b/configure.in
@@ -28,12 +28,7 @@ dnl If we use /usr as prefix, use /etc f
fi
if test ${libdir} = '${exec_prefix}/lib'
then
- case "`uname -m`" in
- x86_64|ppc64|s390x|sparc64)
- libdir="/lib64" ;;
- *)
- libdir="/lib" ;;
- esac
+ libdir="/lib"
fi
if test ${sbindir} = '${exec_prefix}/sbin'
then

+ 0
- 364
libs/libpam/patches/005-fix_ruserok.patch View File

@ -1,364 +0,0 @@
--- a/modules/pam_rhosts/pam_rhosts.c
+++ b/modules/pam_rhosts/pam_rhosts.c
@@ -43,6 +43,361 @@
#include <security/pam_modutil.h>
#include <security/pam_ext.h>
+#ifdef __UCLIBC__
+
+#include <stdio.h>
+#include <sys/stat.h>
+
+
+int __check_rhosts_file = 1;
+
+/* Extremely paranoid file open function. */
+static FILE *
+iruserfopen (const char *file, uid_t okuser)
+{
+ struct stat st;
+ char *cp = NULL;
+ FILE *res = NULL;
+
+ /* If not a regular file, if owned by someone other than user or
+ root, if writeable by anyone but the owner, or if hardlinked
+ anywhere, quit. */
+ if (lstat (file, &st))
+ cp = "lstat failed";
+ else if (!S_ISREG (st.st_mode))
+ cp = "not regular file";
+ else
+ {
+ res = fopen (file, "r");
+ if (!res)
+ cp = "cannot open";
+ else if (fstat (fileno (res), &st) < 0)
+ cp = "fstat failed";
+ else if (st.st_uid && st.st_uid != okuser)
+ cp = "bad owner";
+ else if (st.st_mode & (S_IWGRP|S_IWOTH))
+ cp = "writeable by other than owner";
+ else if (st.st_nlink > 1)
+ cp = "hard linked somewhere";
+ }
+
+ /* If there were any problems, quit. */
+ if (cp != NULL)
+ {
+ if (res)
+ fclose (res);
+ return NULL;
+ }
+
+ return res;
+}
+
+/*
+ * Returns 1 for blank lines (or only comment lines) and 0 otherwise
+ */
+static int
+__isempty(char *p)
+{
+ while (*p && isspace (*p)) {
+ ++p;
+ }
+
+ return (*p == '\0' || *p == '#') ? 1 : 0 ;
+}
+
+/* Returns 1 on positive match, 0 on no match, -1 on negative match. */
+static int
+__icheckhost (u_int32_t raddr, char *lhost, const char *rhost)
+{
+ struct hostent *hp;
+ u_int32_t laddr;
+ int negate=1; /* Multiply return with this to get -1 instead of 1 */
+ char **pp;
+
+#ifdef __UCLIBC_HAS_REENTRANT_RPC__
+ int save_errno;
+ size_t buflen;
+ char *buffer;
+ struct hostent hostbuf;
+ int herr;
+#endif
+
+#ifdef HAVE_NETGROUP
+ /* Check nis netgroup. */
+ if (strncmp ("+@", lhost, 2) == 0)
+ return innetgr (&lhost[2], rhost, NULL, NULL);
+
+ if (strncmp ("-@", lhost, 2) == 0)
+ return -innetgr (&lhost[2], rhost, NULL, NULL);
+#endif /* HAVE_NETGROUP */
+
+ /* -host */
+ if (strncmp ("-", lhost,1) == 0) {
+ negate = -1;
+ lhost++;
+ } else if (strcmp ("+",lhost) == 0) {
+ return 1; /* asking for trouble, but ok.. */
+ }
+
+ /* Try for raw ip address first. */
+ if (isdigit (*lhost) && (laddr = inet_addr (lhost)) != INADDR_NONE)
+ return negate * (! (raddr ^ laddr));
+
+ /* Better be a hostname. */
+#ifdef __UCLIBC_HAS_REENTRANT_RPC__
+ buflen = 1024;
+ buffer = malloc(buflen);
+ save_errno = errno;
+
+ while (gethostbyname_r (lhost, &hostbuf, buffer, buflen, &hp, &herr)
+ != 0) {
+ free(buffer);
+ return (0);
+ }
+ free(buffer);
+ __set_errno (save_errno);
+#else
+ hp = gethostbyname(lhost);
+#endif /* __UCLIBC_HAS_REENTRANT_RPC__ */
+
+ if (hp == NULL)
+ return 0;
+
+ /* Spin through ip addresses. */
+ for (pp = hp->h_addr_list; *pp; ++pp)
+ if (!memcmp (&raddr, *pp, sizeof (u_int32_t)))
+ return negate;
+
+ /* No match. */
+ return (0);
+}
+
+/* Returns 1 on positive match, 0 on no match, -1 on negative match. */
+static int
+__icheckuser (const char *luser, const char *ruser)
+{
+
+ /*
+ luser is user entry from .rhosts/hosts.equiv file
+ ruser is user id on remote host
+ */
+
+#ifdef HAVE_NETGROUP
+ /* [-+]@netgroup */
+ if (strncmp ("+@", luser, 2) == 0)
+ return innetgr (&luser[2], NULL, ruser, NULL);
+
+ if (strncmp ("-@", luser,2) == 0)
+ return -innetgr (&luser[2], NULL, ruser, NULL);
+#endif /* HAVE_NETGROUP */
+
+ /* -user */
+ if (strncmp ("-", luser, 1) == 0)
+ return -(strcmp (&luser[1], ruser) == 0);
+
+ /* + */
+ if (strcmp ("+", luser) == 0)
+ return 1;
+
+ /* simple string match */
+ return strcmp (ruser, luser) == 0;
+}
+
+/*
+ * Returns 0 if positive match, -1 if _not_ ok.
+ */
+static int
+__ivaliduser2(FILE *hostf, u_int32_t raddr, const char *luser,
+ const char *ruser, const char *rhost)
+{
+ register const char *user;
+ register char *p;
+ int hcheck, ucheck;
+ char *buf = NULL;
+ size_t bufsize = 0;
+ int retval = -1;
+
+ while (getline (&buf, &bufsize, hostf) > 0) {
+ buf[bufsize - 1] = '\0'; /* Make sure it's terminated. */
+ p = buf;
+
+ /* Skip empty or comment lines */
+ if (__isempty (p)) {
+ continue;
+ }
+
+ /* Skip lines that are too long. */
+ if (strchr (p, '\n') == NULL) {
+ int ch = getc_unlocked (hostf);
+
+ while (ch != '\n' && ch != EOF)
+ ch = getc_unlocked (hostf);
+ continue;
+ }
+
+ for (;*p && !isspace(*p); ++p) {
+ *p = tolower (*p);
+ }
+
+ /* Next we want to find the permitted name for the remote user. */
+ if (*p == ' ' || *p == '\t') {
+ /* <nul> terminate hostname and skip spaces */
+ for (*p++='\0'; *p && isspace (*p); ++p);
+
+ user = p; /* this is the user's name */
+ while (*p && !isspace (*p))
+ ++p; /* find end of user's name */
+ } else
+ user = p;
+
+ *p = '\0'; /* <nul> terminate username (+host?) */
+
+ /* buf -> host(?) ; user -> username(?) */
+
+ /* First check host part */
+ hcheck = __icheckhost (raddr, buf, rhost);
+
+ if (hcheck < 0)
+ break;
+
+ if (hcheck) {
+ /* Then check user part */
+ if (! (*user))
+ user = luser;
+
+ ucheck = __icheckuser (user, ruser);
+
+ /* Positive 'host user' match? */
+ if (ucheck > 0) {
+ retval = 0;
+ break;
+ }
+
+ /* Negative 'host -user' match? */
+ if (ucheck < 0)
+ break;
+
+ /* Neither, go on looking for match */
+ }
+ }
+
+ free (buf);
+
+ return retval;
+}
+
+static int
+iruserok2 (u_int32_t raddr, int superuser, const char *ruser, const char *luser,
+ const char *rhost)
+{
+ FILE *hostf = NULL;
+ int isbad = -1;
+
+ if (!superuser)
+ hostf = iruserfopen (_PATH_HEQUIV, 0);
+
+ if (hostf) {
+ isbad = __ivaliduser2 (hostf, raddr, luser, ruser, rhost);
+ fclose (hostf);
+
+ if (!isbad)
+ return 0;
+ }
+
+ if (__check_rhosts_file || superuser) {
+ char *pbuf;
+ struct passwd *pwd;
+ size_t dirlen;
+ uid_t uid;
+
+#ifdef __UCLIBC_HAS_REENTRANT_RPC__
+ size_t buflen = sysconf (_SC_GETPW_R_SIZE_MAX);
+ struct passwd pwdbuf;
+ char *buffer = stack_heap_alloc(buflen);
+
+ if (getpwnam_r (luser, &pwdbuf, buffer,
+ buflen, &pwd) != 0 || pwd == NULL)
+ {
+ stack_heap_free(buffer);
+ return -1;
+ }
+ stack_heap_free(buffer);
+#else
+ if ((pwd = getpwnam(luser)) == NULL)
+ return -1;
+#endif
+
+ dirlen = strlen (pwd->pw_dir);
+ pbuf = malloc (dirlen + sizeof "/.rhosts");
+ strcpy (pbuf, pwd->pw_dir);
+ strcat (pbuf, "/.rhosts");
+
+ /* Change effective uid while reading .rhosts. If root and
+ reading an NFS mounted file system, can't read files that
+ are protected read/write owner only. */
+ uid = geteuid ();
+ seteuid (pwd->pw_uid);
+ hostf = iruserfopen (pbuf, pwd->pw_uid);
+ free(pbuf);
+
+ if (hostf != NULL) {
+ isbad = __ivaliduser2 (hostf, raddr, luser, ruser, rhost);
+ fclose (hostf);
+ }
+
+ seteuid (uid);
+ return isbad;
+ }
+ return -1;
+}
+
+int ruserok(const char *rhost, int superuser, const char *ruser,
+ const char *luser)
+{
+ struct hostent *hp;
+ u_int32_t addr;
+ char **ap;
+#ifdef __UCLIBC_HAS_REENTRANT_RPC__
+ size_t buflen;
+ char *buffer;
+ int herr;
+ struct hostent hostbuf;
+#endif
+
+#ifdef __UCLIBC_HAS_REENTRANT_RPC__
+ buflen = 1024;
+ buffer = stack_heap_alloc(buflen);
+
+ while (gethostbyname_r (rhost, &hostbuf, buffer,
+ buflen, &hp, &herr) != 0 || hp == NULL)
+ {
+ if (herr != NETDB_INTERNAL || errno != ERANGE) {
+ stack_heap_free(buffer);
+ return -1;
+ } else
+ {
+ /* Enlarge the buffer. */
+ buflen *= 2;
+ stack_heap_free(buffer);
+ buffer = stack_heap_alloc(buflen);
+ }
+ }
+ stack_heap_free(buffer);
+#else
+ if ((hp = gethostbyname(rhost)) == NULL) {
+ return -1;
+ }
+#endif
+ for (ap = hp->h_addr_list; *ap; ++ap) {
+ memmove(&addr, *ap, sizeof(addr));
+ if (iruserok2(addr, superuser, ruser, luser, rhost) == 0)
+ return 0;
+ }
+ return -1;
+}
+
+#endif /* __UCLIBC__ */
+
PAM_EXTERN
int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc,
const char **argv)

+ 0
- 271
libs/libpam/patches/006-fix_xdr.patch View File

@ -1,271 +0,0 @@
--- a/modules/pam_unix/yppasswd_xdr.c
+++ b/modules/pam_unix/yppasswd_xdr.c
@@ -21,6 +21,268 @@
#endif
#include "yppasswd.h"
+#ifdef __UCLIBC__
+
+static const char xdr_zero[BYTES_PER_XDR_UNIT] = {0, 0, 0, 0};
+
+/*
+ * XDR integers
+ */
+bool_t
+xdr_int (XDR *xdrs, int *ip)
+{
+
+#if INT_MAX < LONG_MAX
+ long l;
+
+ switch (xdrs->x_op)
+ {
+ case XDR_ENCODE:
+ l = (long) *ip;
+ return XDR_PUTLONG (xdrs, &l);
+
+ case XDR_DECODE:
+ if (!XDR_GETLONG (xdrs, &l))
+ {
+ return FALSE;
+ }
+ *ip = (int) l;
+ case XDR_FREE:
+ return TRUE;
+ }
+ return FALSE;
+#elif INT_MAX == LONG_MAX
+ return xdr_long (xdrs, (long *) ip);
+#elif INT_MAX == SHRT_MAX
+ return xdr_short (xdrs, (short *) ip);
+#else
+#error unexpected integer sizes in xdr_int()
+#endif
+}
+
+/*
+ * XDR null terminated ASCII strings
+ * xdr_string deals with "C strings" - arrays of bytes that are
+ * terminated by a NULL character. The parameter cpp references a
+ * pointer to storage; If the pointer is null, then the necessary
+ * storage is allocated. The last parameter is the max allowed length
+ * of the string as specified by a protocol.
+ */
+bool_t
+xdr_string (XDR *xdrs, char **cpp, u_int maxsize)
+{
+ char *sp = *cpp; /* sp is the actual string pointer */
+ u_int size;
+ u_int nodesize;
+
+ /*
+ * first deal with the length since xdr strings are counted-strings
+ */
+ switch (xdrs->x_op)
+ {
+ case XDR_FREE:
+ if (sp == NULL)
+ {
+ return TRUE; /* already free */
+ }
+ /* fall through... */
+ case XDR_ENCODE:
+ if (sp == NULL)
+ return FALSE;
+ size = strlen (sp);
+ break;
+ case XDR_DECODE:
+ break;
+ }
+ if (!xdr_u_int (xdrs, &size))
+ {
+ return FALSE;
+ }
+ if (size > maxsize)
+ {
+ return FALSE;
+ }
+ nodesize = size + 1;
+
+ /*
+ * now deal with the actual bytes
+ */
+ switch (xdrs->x_op)
+ {
+ case XDR_DECODE:
+ if (nodesize == 0)
+ {
+ return TRUE;
+ }
+ if (sp == NULL)
+ *cpp = sp = (char *) mem_alloc (nodesize);
+ if (sp == NULL)
+ {
+#ifdef USE_IN_LIBIO
+ if (_IO_fwide (stderr, 0) > 0)
+ (void) fwprintf (stderr, L"%s",
+ _("xdr_string: out of memory\n"));
+ else
+#endif
+ (void) fputs (_("xdr_string: out of memory\n"), stderr);
+ return FALSE;
+ }
+ sp[size] = 0;
+ /* fall into ... */
+
+ case XDR_ENCODE:
+ return xdr_opaque (xdrs, sp, size);
+
+ case XDR_FREE:
+ mem_free (sp, nodesize);
+ *cpp = NULL;
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/*
+ * XDR long integers
+ * The definition of xdr_long() is kept for backward
+ * compatibility. Instead xdr_int() should be used.
+ */
+bool_t
+xdr_long (XDR *xdrs, long *lp)
+{
+ if (xdrs->x_op == XDR_ENCODE
+ && (sizeof (int32_t) == sizeof (long)
+ || (int32_t) *lp == *lp))
+ return XDR_PUTLONG (xdrs, lp);
+
+ if (xdrs->x_op == XDR_DECODE)
+ return XDR_GETLONG (xdrs, lp);
+
+ if (xdrs->x_op == XDR_FREE)
+ return TRUE;
+
+ return FALSE;
+}
+
+/*
+ * XDR unsigned integers
+ */
+bool_t
+xdr_u_int (XDR *xdrs, u_int *up)
+{
+#if UINT_MAX < ULONG_MAX
+ u_long l;
+
+ switch (xdrs->x_op)
+ {
+ case XDR_ENCODE:
+ l = (u_long) * up;
+ return XDR_PUTLONG (xdrs, (long *) &l);
+
+ case XDR_DECODE:
+ if (!XDR_GETLONG (xdrs, (long *) &l))
+ {
+ return FALSE;
+ }
+ *up = (u_int) l;
+ case XDR_FREE:
+ return TRUE;
+ }
+ return FALSE;
+#elif UINT_MAX == ULONG_MAX
+ return xdr_u_long (xdrs, (u_long *) up);
+#elif UINT_MAX == USHRT_MAX
+ return xdr_short (xdrs, (short *) up);
+#else
+#error unexpected integer sizes in xdr_u_int()
+#endif
+}
+
+/*
+ * XDR opaque data
+ * Allows the specification of a fixed size sequence of opaque bytes.
+ * cp points to the opaque object and cnt gives the byte length.
+ */
+bool_t
+xdr_opaque (XDR *xdrs, caddr_t cp, u_int cnt)
+{
+ u_int rndup;
+ static char crud[BYTES_PER_XDR_UNIT];
+
+ /*
+ * if no data we are done
+ */
+ if (cnt == 0)
+ return TRUE;
+
+ /*
+ * round byte count to full xdr units
+ */
+ rndup = cnt % BYTES_PER_XDR_UNIT;
+ if (rndup > 0)
+ rndup = BYTES_PER_XDR_UNIT - rndup;
+
+ switch (xdrs->x_op)
+ {
+ case XDR_DECODE:
+ if (!XDR_GETBYTES (xdrs, cp, cnt))
+ {
+ return FALSE;
+ }
+ if (rndup == 0)
+ return TRUE;
+ return XDR_GETBYTES (xdrs, (caddr_t)crud, rndup);
+
+ case XDR_ENCODE:
+ if (!XDR_PUTBYTES (xdrs, cp, cnt))
+ {
+ return FALSE;
+ }
+ if (rndup == 0)
+ return TRUE;
+ return XDR_PUTBYTES (xdrs, xdr_zero, rndup);
+
+ case XDR_FREE:
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/*
+ * XDR unsigned long integers
+ * The definition of xdr_u_long() is kept for backward
+ * compatibility. Instead xdr_u_int() should be used.
+ */
+bool_t
+xdr_u_long (XDR *xdrs, u_long *ulp)
+{
+ switch (xdrs->x_op)
+ {
+ case XDR_DECODE:
+ {
+ long int tmp;
+
+ if (XDR_GETLONG (xdrs, &tmp) == FALSE)
+ return FALSE;
+
+ *ulp = (uint32_t) tmp;
+ return TRUE;
+ }
+
+ case XDR_ENCODE:
+ if (sizeof (uint32_t) != sizeof (u_long)
+ && (uint32_t) *ulp != *ulp)
+ return FALSE;
+
+ return XDR_PUTLONG (xdrs, (long *) ulp);
+
+ case XDR_FREE:
+ return TRUE;
+ }
+ return FALSE;
+}
+
+#endif /* UCLIBC */
+
bool_t
xdr_xpasswd(XDR * xdrs, xpasswd * objp)
{

+ 0
- 52
libs/libpam/patches/007-cve-2014-2583.patch View File

@ -1,52 +0,0 @@
From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" <ldv@altlinux.org>
Date: Wed, 26 Mar 2014 22:17:23 +0000
Subject: pam_timestamp: fix potential directory traversal issue (ticket #27)
pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
the timestamp pathname it creates, so extra care should be taken to
avoid potential directory traversal issues.
* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
"." and ".." tty values as invalid.
(get_ruser): Treat "." and ".." ruser values, as well as any ruser
value containing '/', as invalid.
Fixes CVE-2014-2583.
Reported-by: Sebastian Krahmer <krahmer@suse.de>
diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
index 5193733..b3f08b1 100644
--- a/modules/pam_timestamp/pam_timestamp.c
+++ b/modules/pam_timestamp/pam_timestamp.c
@@ -158,7 +158,7 @@ check_tty(const char *tty)
tty = strrchr(tty, '/') + 1;
}
/* Make sure the tty wasn't actually a directory (no basename). */
- if (strlen(tty) == 0) {
+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
return NULL;
}
return tty;
@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
if (pwd != NULL) {
ruser = pwd->pw_name;
}
+ } else {
+ /*
+ * This ruser is used by format_timestamp_name as a component
+ * of constructed timestamp pathname, so ".", "..", and '/'
+ * are disallowed to avoid potential path traversal issues.
+ */
+ if (!strcmp(ruser, ".") ||
+ !strcmp(ruser, "..") ||
+ strchr(ruser, '/')) {
+ ruser = NULL;
+ }
}
if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
*ruserbuf = '\0';
--
cgit v0.10.2

+ 0
- 11
libs/libpam/patches/008-LIBCRYPT-fix.patch View File

@ -1,11 +0,0 @@
--- a/configure.in.orig 2015-06-16 20:40:02.938216001 +0800
+++ b/configure.in 2015-06-16 20:40:16.198216001 +0800
@@ -399,7 +399,7 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" =
[crypt_libs="crypt"])
BACKUP_LIBS=$LIBS
-AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="-l$ac_lib", LIBCRYPT="")
+AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_lib:+-l$ac_lib}", LIBCRYPT="")
AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
LIBS=$BACKUP_LIBS
AC_SUBST(LIBCRYPT)

+ 0
- 51
libs/libpam/patches/009-pam_rhosts-fix.patch View File

@ -1,51 +0,0 @@
--- a/configure.in.orig 2015-06-16 21:05:09.938216001 +0800
+++ b/configure.in 2015-06-16 21:05:29.374216001 +0800
@@ -525,7 +525,8 @@ AC_CHECK_FUNCS(fseeko getdomainname geth
AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
AC_CHECK_FUNCS(getgrouplist getline getdelim)
-AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af)
+AC_CHECK_FUNCS(inet_ntop inet_pton innetgr)
+AC_CHECK_FUNCS(ruserok ruserok_af)
AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
--- a/modules/pam_rhosts/pam_rhosts.c.orig 2015-06-16 20:58:20.002216001 +0800
+++ b/modules/pam_rhosts/pam_rhosts.c 2015-06-16 21:10:10.026216001 +0800
@@ -35,6 +35,7 @@
#include <pwd.h>
#include <netdb.h>
#include <string.h>
+#include <stdlib.h>
#include <syslog.h>
#define PAM_SM_AUTH /* only defines this management group */
@@ -43,7 +43,7 @@
#include <security/pam_modutil.h>
#include <security/pam_ext.h>
-#ifdef __UCLIBC__
+#if defined(__UCLIBC__) || (!defined(HAVE_RUSEROK) && !defined(HAVE_RUSEROK_AF))
#include <stdio.h>
#include <sys/stat.h>
@@ -293,8 +294,10 @@ iruserok2 (u_int32_t raddr, int superuse
FILE *hostf = NULL;
int isbad = -1;
+#ifdef _PATH_HEQUIV
if (!superuser)
hostf = iruserfopen (_PATH_HEQUIV, 0);
+#endif
if (hostf) {
isbad = __ivaliduser2 (hostf, raddr, luser, ruser, rhost);
@@ -396,7 +396,7 @@ int ruserok(const char *rhost, int super
return -1;
}
-#endif /* __UCLIBC__ */
+#endif /* __UCLIBC__ || (!defined(HAVE_RUSEROK) && !defined(HAVE_RUSEROK_AF)) */
PAM_EXTERN
int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc,

Loading…
Cancel
Save