LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
Browse Source

libpam: bump to 1.2.0 

- Add configure options --disable-nis, --disable-regenerate-docu
 - 000-OE-libpam-xtests.patch is not relevant in OpenWrt
 - 001-no_nis.patch was dropped because we now --disable-nis
 - 002-no_yywrap.patch was dropped be cause it was fixed in 1.2.0
 - 003-no_doc was dropped because we ignore doc/ with
   --disable-regenreate-docu
 - 004-fix_lib64 was replaced by new 0001-build-use-host_cpu...
 - pam_rhosts will not be built with musl because ruserok{,_af{
   are not available
 - pam_lastlog will not be built with musl because logwtmp is missing

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
lilik-openwrt-22.03
Yousong Zhou 10 years ago
parent
771ce26a71
commit
9f35f2a9e5
18 changed files with 403 additions and 941 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +4
    -2
      libs/libpam/Makefile
  2. +0
    -35
      libs/libpam/patches/000-OE-libpam-xtests.patch
  3. +28
    -0
      libs/libpam/patches/0001-build-use-host_cpu-for-lib64-directory-handling.patch
  4. +77
    -0
      libs/libpam/patches/0002-build-ignore-pam_rhosts-if-neither-ruserok-nor-ruser.patch
  5. +60
    -0
      libs/libpam/patches/0003-build-ignore-pam_lastlog-when-logwtmp-is-not-availab.patch
  6. +28
    -0
      libs/libpam/patches/0004-build-fix-build-when-crypt-is-not-part-of-crypt_libs.patch
  7. +133
    -0
      libs/libpam/patches/0005-build-fix-doc-build.patch
  8. +29
    -0
      libs/libpam/patches/0006-pam_unix-fix-compilation-in-case-rpc-rpc.h-is-missin.patch
  9. +44
    -23
      libs/libpam/patches/0007-Check-if-innetgr-is-available-at-compile-time.patch
  10. +0
    -68
      libs/libpam/patches/001-no_nis.patch
  11. +0
    -26
      libs/libpam/patches/002-no_yywrap.patch
  12. +0
    -22
      libs/libpam/patches/003-no_doc.patch
  13. +0
    -16
      libs/libpam/patches/004-fix_lib64.patch
  14. +0
    -364
      libs/libpam/patches/005-fix_ruserok.patch
  15. +0
    -271
      libs/libpam/patches/006-fix_xdr.patch
  16. +0
    -52
      libs/libpam/patches/007-cve-2014-2583.patch
  17. +0
    -11
      libs/libpam/patches/008-LIBCRYPT-fix.patch
  18. +0
    -51
      libs/libpam/patches/009-pam_rhosts-fix.patch

+ 4
- 2
libs/libpam/Makefile View File

@ -8,8 +8,8 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=libpam PKG_NAME:=libpam
PKG_VERSION:=1.1.8
PKG_RELEASE:=5
PKG_VERSION:=1.2.0
PKG_RELEASE:=1
PKG_SOURCE:=Linux-PAM-$(PKG_VERSION).tar.bz2 PKG_SOURCE:=Linux-PAM-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://www.linux-pam.org/library/ PKG_SOURCE_URL:=http://www.linux-pam.org/library/
@ -45,6 +45,8 @@ define Build/Configure
--disable-selinux \ --disable-selinux \
--disable-nls \ --disable-nls \
--disable-rpath \ --disable-rpath \
--disable-nis \
--disable-regenerate-docu \
--enable-db=no \ --enable-db=no \
) )
endef endef


+ 0
- 35
libs/libpam/patches/000-OE-libpam-xtests.patch View File

@ -1,35 +0,0 @@
This patch is used to create a new sub package libpam-xtests to do more checks.
Upstream-Status: Pending
Signed-off-by: Kang Kai <kai.kang@windriver.com>
--- a/xtests/Makefile.am
+++ b/xtests/Makefile.am
@@ -7,7 +7,7 @@ AM_CFLAGS = -DLIBPAM_COMPILE -I$(top_src
LDADD = $(top_builddir)/libpam/libpam.la \
$(top_builddir)/libpam_misc/libpam_misc.la
-CLEANFILES = *~ $(XTESTS)
+CLEANFILES = *~
EXTRA_DIST = run-xtests.sh tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd \
tst-pam_dispatch3.pamd tst-pam_dispatch4.pamd \
@@ -51,3 +51,18 @@ EXTRA_PROGRAMS = $(XTESTS)
xtests: $(XTESTS) run-xtests.sh
"$(srcdir)"/run-xtests.sh "$(srcdir)" ${XTESTS} ${NOSRCTESTS}
+
+all: $(XTESTS)
+
+install: install_xtests
+
+install_xtests:
+ $(INSTALL) -d $(DESTDIR)$(pkgdatadir)/xtests
+ for file in $(EXTRA_DIST) ; do \
+ $(INSTALL) $$file $(DESTDIR)$(pkgdatadir)/xtests ; \
+ done
+ for file in $(XTESTS); do \
+ $(INSTALL) .libs/$$file $(DESTDIR)$(pkgdatadir)/xtests ; \
+ done
+
+.PHONY: all install_xtests

+ 28
- 0
libs/libpam/patches/0001-build-use-host_cpu-for-lib64-directory-handling.patch View File

@ -0,0 +1,28 @@
From ee916fd0ec70eb37a97da29f6ec0c26bef7cf6f2 Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Wed, 17 Jun 2015 16:11:31 +0800
Subject: [PATCH 1/7] build: use $host_cpu for lib64 directory handling.
* configure.ac: use $host_cpu for lib64 directory handling.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index fd0e310..1bc2591 100644
--- a/configure.ac
+++ b/configure.ac
@@ -27,7 +27,7 @@ dnl If we use /usr as prefix, use /etc for config files
fi
if test ${libdir} = '${exec_prefix}/lib'
then
- case "`uname -m`" in
+ case "$host_cpu" in
x86_64|ppc64|s390x|sparc64)
libdir="/lib64" ;;
*)
--
1.7.10.4

+ 77
- 0
libs/libpam/patches/0002-build-ignore-pam_rhosts-if-neither-ruserok-nor-ruser.patch View File

@ -0,0 +1,77 @@
From e985c1ef2c739a597b2d7a2efc3c310c02e40c1f Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Wed, 17 Jun 2015 18:19:23 +0800
Subject: [PATCH 2/7] build: ignore pam_rhosts if neither ruserok nor
ruserok_af is available.
* configure.ac: check for ruserok and ruserok_af
* modules/Makefile.am: ignore pam_rhosts/ if it's disabled
* modules/pam_rhosts/pam_rhosts.c: include stdlib.h for malloc and free
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
---
configure.ac | 5 ++++-
modules/Makefile.am | 11 ++++++++---
modules/pam_rhosts/pam_rhosts.c | 1 +
3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/configure.ac b/configure.ac
index 1bc2591..3c4d8bb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -542,7 +542,10 @@ AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir selec
AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
AC_CHECK_FUNCS(getgrouplist getline getdelim)
-AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af)
+AC_CHECK_FUNCS(inet_ntop inet_pton innetgr)
+AC_CHECK_FUNCS([ruserok_af ruserok], [break])
+
+AM_CONDITIONAL([COND_BUILD_PAM_RHOSTS], [test "$ac_cv_func_ruserok_af" = yes -o "$ac_cv_func_ruserok" = yes])
AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
diff --git a/modules/Makefile.am b/modules/Makefile.am
index 0c80cea..9ad26a9 100644
--- a/modules/Makefile.am
+++ b/modules/Makefile.am
@@ -2,16 +2,21 @@
# Copyright (c) 2005, 2006, 2008 Thorsten Kukuk <kukuk@thkukuk.de>
#
-SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
+if COND_BUILD_PAM_RHOSTS
+ MAYBE_PAM_RHOSTS = pam_rhosts
+endif
+
+SUBDIRS := pam_access pam_cracklib pam_debug pam_deny pam_echo \
pam_env pam_exec pam_faildelay pam_filter pam_ftp \
pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
pam_listfile pam_localuser pam_loginuid pam_mail \
pam_mkhomedir pam_motd pam_namespace pam_nologin \
- pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \
+ pam_permit pam_pwhistory pam_rootok pam_securetty \
pam_selinux pam_sepermit pam_shells pam_stress \
pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \
pam_tty_audit pam_umask \
- pam_unix pam_userdb pam_warn pam_wheel pam_xauth
+ pam_unix pam_userdb pam_warn pam_wheel pam_xauth \
+ $(MAYBE_PAM_RHOSTS)
CLEANFILES = *~
diff --git a/modules/pam_rhosts/pam_rhosts.c b/modules/pam_rhosts/pam_rhosts.c
index bc9e76f..51ef13e 100644
--- a/modules/pam_rhosts/pam_rhosts.c
+++ b/modules/pam_rhosts/pam_rhosts.c
@@ -35,6 +35,7 @@
#include <pwd.h>
#include <netdb.h>
#include <string.h>
+#include <stdlib.h>
#include <syslog.h>
#define PAM_SM_AUTH /* only defines this management group */
--
1.7.10.4

+ 60
- 0
libs/libpam/patches/0003-build-ignore-pam_lastlog-when-logwtmp-is-not-availab.patch View File

@ -0,0 +1,60 @@
From 173164996ca7daf3fa705f2a0bb2991b0d5d2083 Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Wed, 17 Jun 2015 21:18:05 +0800
Subject: [PATCH 3/7] build: ignore pam_lastlog when logwtmp is not available.
* configure.ac: check logwtmp and set COND_BUILD_PAM_LASTLOG
* modules/pam_lastlog/Makefile.am: check COND_BUILD_PAM_LASTLOG
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
---
configure.ac | 2 ++
modules/Makefile.am | 8 ++++++--
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index 3c4d8bb..8de6edf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -544,8 +544,10 @@ AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r
AC_CHECK_FUNCS(getgrouplist getline getdelim)
AC_CHECK_FUNCS(inet_ntop inet_pton innetgr)
AC_CHECK_FUNCS([ruserok_af ruserok], [break])
+AC_CHECK_FUNCS([logwtmp])
AM_CONDITIONAL([COND_BUILD_PAM_RHOSTS], [test "$ac_cv_func_ruserok_af" = yes -o "$ac_cv_func_ruserok" = yes])
+AM_CONDITIONAL([COND_BUILD_PAM_LASTLOG], [test "$ac_cv_func_logwtmp" = yes])
AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
diff --git a/modules/Makefile.am b/modules/Makefile.am
index 9ad26a9..b98dc5c 100644
--- a/modules/Makefile.am
+++ b/modules/Makefile.am
@@ -6,9 +6,13 @@ if COND_BUILD_PAM_RHOSTS
MAYBE_PAM_RHOSTS = pam_rhosts
endif
+if COND_BUILD_PAM_LASTLOG
+ MAYBE_PAM_LASTLOG = pam_lastlog
+endif
+
SUBDIRS := pam_access pam_cracklib pam_debug pam_deny pam_echo \
pam_env pam_exec pam_faildelay pam_filter pam_ftp \
- pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
+ pam_group pam_issue pam_keyinit pam_limits \
pam_listfile pam_localuser pam_loginuid pam_mail \
pam_mkhomedir pam_motd pam_namespace pam_nologin \
pam_permit pam_pwhistory pam_rootok pam_securetty \
@@ -16,7 +20,7 @@ SUBDIRS := pam_access pam_cracklib pam_debug pam_deny pam_echo \
pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \
pam_tty_audit pam_umask \
pam_unix pam_userdb pam_warn pam_wheel pam_xauth \
- $(MAYBE_PAM_RHOSTS)
+ $(MAYBE_PAM_RHOSTS) $(MAYBE_PAM_LASTLOG)
CLEANFILES = *~
--
1.7.10.4

+ 28
- 0
libs/libpam/patches/0004-build-fix-build-when-crypt-is-not-part-of-crypt_libs.patch View File

@ -0,0 +1,28 @@
From 20e5efe4b2a8471bc52e480e53cff68a4de19c56 Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Wed, 17 Jun 2015 18:22:31 +0800
Subject: [PATCH 4/7] build: fix build when crypt() is not part of crypt_libs.
* configure.ac: ditto.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 8de6edf..c15441b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -416,7 +416,7 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
[crypt_libs="crypt"])
BACKUP_LIBS=$LIBS
-AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="-l$ac_lib", LIBCRYPT="")
+AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_lib:+-l$ac_lib}", LIBCRYPT="")
AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
LIBS=$BACKUP_LIBS
AC_SUBST(LIBCRYPT)
--
1.7.10.4

+ 133
- 0
libs/libpam/patches/0005-build-fix-doc-build.patch View File

@ -0,0 +1,133 @@
From df7abf333d19aefd166f613b696345732ae4c9c8 Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Wed, 17 Jun 2015 20:38:41 +0800
Subject: [PATCH 5/7] build: fix doc build.
* Makefile.am: ignore doc/ directory if not ENABLE_REGENERATE_MAN
* doc/adg/Makefile.am: remove check on ENABLE_REGENERATE_MAN
* doc/man/Makefile.am: ditto
* doc/mwg/Makefile.am: ditto
* doc/sag/Makefile.am: ditto
* doc/specs/Makefile.am: ignore CC from command line
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
---
Makefile.am | 5 ++++-
doc/adg/Makefile.am | 3 ---
doc/man/Makefile.am | 2 --
doc/mwg/Makefile.am | 3 ---
doc/sag/Makefile.am | 2 --
doc/specs/Makefile.am | 2 +-
6 files changed, 5 insertions(+), 12 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 3db4e37..5e6592a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4,7 +4,10 @@
AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
+if ENABLE_REGENERATE_MAN
+ MAYBE_DOC = doc
+endif
+SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests $(MAYBE_DOC)
CLEANFILES = *~
diff --git a/doc/adg/Makefile.am b/doc/adg/Makefile.am
index 77bd7a9..bec5edc 100644
--- a/doc/adg/Makefile.am
+++ b/doc/adg/Makefile.am
@@ -9,7 +9,6 @@ EXTRA_DIST = $(XMLS)
XMLS = Linux-PAM_ADG.xml $(shell ls $(srcdir)/pam_*.xml)
DEP_XMLS = $(shell ls $(top_srcdir)/doc/man/pam_*.xml)
-if ENABLE_REGENERATE_MAN
MAINTAINERCLEANFILES = Linux-PAM_ADG.txt Linux-PAM_ADG.pdf html/*.html
all: Linux-PAM_ADG.txt html/Linux-PAM_ADG.html Linux-PAM_ADG.pdf
@@ -51,8 +50,6 @@ html/Linux-PAM_ADG.html: $(XMLS) $(DEP_XMLS)
distclean-local:
-rm -rf html Linux-PAM_ADG.txt Linux-PAM_ADG.pdf
-endif
-
install-data-local:
$(mkinstalldirs) $(DESTDIR)$(docdir)
$(mkinstalldirs) $(DESTDIR)$(pdfdir)
diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am
index 78c891d..b1dc421 100644
--- a/doc/man/Makefile.am
+++ b/doc/man/Makefile.am
@@ -45,7 +45,6 @@ XMLS = pam.3.xml pam.8.xml \
misc_conv.3.xml pam_misc_paste_env.3.xml pam_misc_drop_env.3.xml \
pam_misc_setenv.3.xml
-if ENABLE_REGENERATE_MAN
PAM.8: pam.8
pam_get_authtok_noverify.3: pam_get_authtok.3
pam_get_authtok_verify.3: pam_get_authtok.3
@@ -60,4 +59,3 @@ pam_get_item.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml
pam_set_data.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml
pam.conf.5: pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml
-include $(top_srcdir)/Make.xml.rules
-endif
diff --git a/doc/mwg/Makefile.am b/doc/mwg/Makefile.am
index 2bbb2d0..f57e297 100644
--- a/doc/mwg/Makefile.am
+++ b/doc/mwg/Makefile.am
@@ -9,7 +9,6 @@ EXTRA_DIST = $(XMLS)
XMLS = Linux-PAM_MWG.xml $(shell ls $(srcdir)/pam_*.xml)
DEP_XMLS = $(shell ls $(top_srcdir)/doc/man/pam_*.xml)
-if ENABLE_REGENERATE_MAN
MAINTAINERCLEANFILES = Linux-PAM_MWG.txt Linux-PAM_MWG.pdf html/*.html
all: Linux-PAM_MWG.txt html/Linux-PAM_MWG.html Linux-PAM_MWG.pdf
@@ -51,8 +50,6 @@ html/Linux-PAM_MWG.html: $(XMLS) $(DEP_XMLS)
distclean-local:
-rm -rf html Linux-PAM_MWG.txt Linux-PAM_MWG.pdf
-endif
-
install-data-local:
$(mkinstalldirs) $(DESTDIR)$(docdir)
$(mkinstalldirs) $(DESTDIR)$(pdfdir)
diff --git a/doc/sag/Makefile.am b/doc/sag/Makefile.am
index 31816aa..a8b655f 100644
--- a/doc/sag/Makefile.am
+++ b/doc/sag/Makefile.am
@@ -10,7 +10,6 @@ XMLS = Linux-PAM_SAG.xml $(shell ls $(srcdir)/pam_*.xml)
DEP_XMLS = $(shell ls $(top_srcdir)/modules/pam_*/pam_*.xml)
-if ENABLE_REGENERATE_MAN
MAINTAINERCLEANFILES = Linux-PAM_SAG.txt Linux-PAM_SAG.pdf html/*.html
all: Linux-PAM_SAG.txt html/Linux-PAM_SAG.html Linux-PAM_SAG.pdf
@@ -51,7 +50,6 @@ html/Linux-PAM_SAG.html: $(XMLS) $(DEP_XMLS)
distclean-local:
-rm -rf html Linux-PAM_SAG.txt Linux-PAM_SAG.pdf
-endif
install-data-local:
$(mkinstalldirs) $(DESTDIR)$(docdir)
diff --git a/doc/specs/Makefile.am b/doc/specs/Makefile.am
index 99ecc70..39c850f 100644
--- a/doc/specs/Makefile.am
+++ b/doc/specs/Makefile.am
@@ -11,7 +11,7 @@ draft-morgan-pam-current.txt: padout draft-morgan-pam.raw
AM_YFLAGS = -d
-CC = @CC_FOR_BUILD@
+override CC = @CC_FOR_BUILD@
CPPFLAGS = @BUILD_CPPFLAGS@
CFLAGS = @BUILD_CFLAGS@
LDFLAGS = @BUILD_LDFLAGS@
--
1.7.10.4

+ 29
- 0
libs/libpam/patches/0006-pam_unix-fix-compilation-in-case-rpc-rpc.h-is-missin.patch View File

@ -0,0 +1,29 @@
From 596797ab7f46fb4d0338e75db7c0d1019cd4df87 Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Wed, 17 Jun 2015 18:16:18 +0800
Subject: [PATCH 6/7] pam_unix: fix compilation in case rpc/rpc.h is missing.
* modules/pam_unix/pam_unix_passwd.c: conditional compile on the
availability of rpc/rpc.h
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
---
modules/pam_unix/pam_unix_passwd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index 2d330e5..970724a 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -336,7 +336,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho,
}
if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, forwho, 0, 1)) {
-#ifdef HAVE_NIS
+#if defined(HAVE_NIS) && defined(HAVE_RPC_RPC_H)
if ((master=getNISserver(pamh, ctrl)) != NULL) {
struct timeval timeout;
struct yppasswd yppwd;
--
1.7.10.4

libs/libpam/patches/000-OE-pam-no-innetgr.patch → libs/libpam/patches/0007-Check-if-innetgr-is-available-at-compile-time.patch View File


+ 0
- 68
libs/libpam/patches/001-no_nis.patch View File

@ -1,68 +0,0 @@
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -44,7 +44,7 @@
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/socket.h>
-#ifdef HAVE_RPCSVC_YPCLNT_H
+#ifdef HAVE_RPCSVC_YPCLNT_H && USE_NIS
#include <rpcsvc/ypclnt.h>
#endif
#ifdef HAVE_LIBAUDIT
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -79,18 +79,18 @@
#include "passverify.h"
#include "bigcrypt.h"
-#if (HAVE_YP_GET_DEFAULT_DOMAIN || HAVE_GETDOMAINNAME) && HAVE_YP_MASTER
+#if (HAVE_YP_GET_DEFAULT_DOMAIN || HAVE_GETDOMAINNAME) && HAVE_YP_MASTER && USE_NIS
# define HAVE_NIS
#endif
#ifdef HAVE_NIS
# include <rpc/rpc.h>
-# if HAVE_RPCSVC_YP_PROT_H
+# if HAVE_RPCSVC_YP_PROT_H && USE_NIS
# include <rpcsvc/yp_prot.h>
# endif
-# if HAVE_RPCSVC_YPCLNT_H
+# if HAVE_RPCSVC_YPCLNT_H && USE_NIS
# include <rpcsvc/ypclnt.h>
# endif
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -19,7 +19,7 @@
#include <ctype.h>
#include <syslog.h>
#include <sys/resource.h>
-#ifdef HAVE_RPCSVC_YPCLNT_H
+#ifdef HAVE_RPCSVC_YPCLNT_H && USE_NIS
#include <rpcsvc/ypclnt.h>
#endif
@@ -402,7 +402,7 @@ int _unix_getpwnam(pam_handle_t *pamh, c
}
}
-#if defined(HAVE_YP_GET_DEFAULT_DOMAIN) && defined (HAVE_YP_BIND) && defined (HAVE_YP_MATCH) && defined (HAVE_YP_UNBIND)
+#if defined(HAVE_YP_GET_DEFAULT_DOMAIN) && defined (HAVE_YP_BIND) && defined (HAVE_YP_MATCH) && defined (HAVE_YP_UNBIND) && (USE_NIS)
if (!matched && nis) {
char *userinfo = NULL, *domain = NULL;
int len = 0, i;
--- a/modules/pam_unix/yppasswd_xdr.c
+++ b/modules/pam_unix/yppasswd_xdr.c
@@ -15,6 +15,10 @@
#ifdef HAVE_RPC_RPC_H
#include <rpc/rpc.h>
+#ifdef USE_NIS
+#include <rpcsvc/yp_prot.h>
+#include <rpcsvc/ypclnt.h>
+#endif
#include "yppasswd.h"
bool_t

+ 0
- 26
libs/libpam/patches/002-no_yywrap.patch View File

@ -1,26 +0,0 @@
--- a/conf/pam_conv1/pam_conv_l.c
+++ b/conf/pam_conv1/pam_conv_l.c
@@ -534,7 +534,9 @@ void yyset_lineno (int line_number );
#ifdef __cplusplus
extern "C" int yywrap (void );
#else
-extern int yywrap (void );
+int yywrap (void ) {
+ return 1;
+}
#endif
#endif
--- a/doc/specs/parse_l.c
+++ b/doc/specs/parse_l.c
@@ -520,7 +520,9 @@ void yyset_lineno (int line_number );
#ifdef __cplusplus
extern "C" int yywrap (void );
#else
-extern int yywrap (void );
+int yywrap (void ) {
+ return 1;
+}
#endif
#endif

+ 0
- 22
libs/libpam/patches/003-no_doc.patch View File

@ -1,22 +0,0 @@
--- a/Makefile.am
+++ b/Makefile.am
@@ -4,7 +4,7 @@
AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
+SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
CLEANFILES = *~
--- a/Makefile.in
+++ b/Makefile.in
@@ -288,7 +288,7 @@ top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
+SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
CLEANFILES = *~
EXTRA_DIST = pgp.keys.asc CHANGELOG ChangeLog-CVS Copyright Make.xml.rules
ACLOCAL_AMFLAGS = -I m4

+ 0
- 16
libs/libpam/patches/004-fix_lib64.patch View File

@ -1,16 +0,0 @@
--- a/configure.in
+++ b/configure.in
@@ -28,12 +28,7 @@ dnl If we use /usr as prefix, use /etc f
fi
if test ${libdir} = '${exec_prefix}/lib'
then
- case "`uname -m`" in
- x86_64|ppc64|s390x|sparc64)
- libdir="/lib64" ;;
- *)
- libdir="/lib" ;;
- esac
+ libdir="/lib"
fi
if test ${sbindir} = '${exec_prefix}/sbin'
then

+ 0
- 364
libs/libpam/patches/005-fix_ruserok.patch View File

@ -1,364 +0,0 @@
--- a/modules/pam_rhosts/pam_rhosts.c
+++ b/modules/pam_rhosts/pam_rhosts.c
@@ -43,6 +43,361 @@
#include <security/pam_modutil.h>
#include <security/pam_ext.h>
+#ifdef __UCLIBC__
+
+#include <stdio.h>
+#include <sys/stat.h>
+
+
+int __check_rhosts_file = 1;
+
+/* Extremely paranoid file open function. */
+static FILE *
+iruserfopen (const char *file, uid_t okuser)
+{
+ struct stat st;
+ char *cp = NULL;
+ FILE *res = NULL;
+
+ /* If not a regular file, if owned by someone other than user or
+ root, if writeable by anyone but the owner, or if hardlinked
+ anywhere, quit. */
+ if (lstat (file, &st))
+ cp = "lstat failed";
+ else if (!S_ISREG (st.st_mode))
+ cp = "not regular file";
+ else
+ {
+ res = fopen (file, "r");
+ if (!res)
+ cp = "cannot open";
+ else if (fstat (fileno (res), &st) < 0)
+ cp = "fstat failed";
+ else if (st.st_uid && st.st_uid != okuser)
+ cp = "bad owner";
+ else if (st.st_mode & (S_IWGRP|S_IWOTH))
+ cp = "writeable by other than owner";
+ else if (st.st_nlink > 1)
+ cp = "hard linked somewhere";
+ }
+
+ /* If there were any problems, quit. */
+ if (cp != NULL)
+ {
+ if (res)
+ fclose (res);
+ return NULL;
+ }
+
+ return res;
+}
+
+/*
+ * Returns 1 for blank lines (or only comment lines) and 0 otherwise
+ */
+static int
+__isempty(char *p)
+{
+ while (*p && isspace (*p)) {
+ ++p;
+ }
+
+ return (*p == '\0' || *p == '#') ? 1 : 0 ;
+}
+
+/* Returns 1 on positive match, 0 on no match, -1 on negative match. */
+static int
+__icheckhost (u_int32_t raddr, char *lhost, const char *rhost)
+{
+ struct hostent *hp;
+ u_int32_t laddr;
+ int negate=1; /* Multiply return with this to get -1 instead of 1 */
+ char **pp;
+
+#ifdef __UCLIBC_HAS_REENTRANT_RPC__
+ int save_errno;
+ size_t buflen;
+ char *buffer;
+ struct hostent hostbuf;
+ int herr;
+#endif
+
+#ifdef HAVE_NETGROUP
+ /* Check nis netgroup. */
+ if (strncmp ("+@", lhost, 2) == 0)
+ return innetgr (&lhost[2], rhost, NULL, NULL);
+
+ if (strncmp ("-@", lhost, 2) == 0)
+ return -innetgr (&lhost[2], rhost, NULL, NULL);
+#endif /* HAVE_NETGROUP */
+
+ /* -host */
+ if (strncmp ("-", lhost,1) == 0) {
+ negate = -1;
+ lhost++;
+ } else if (strcmp ("+",lhost) == 0) {
+ return 1; /* asking for trouble, but ok.. */
+ }
+
+ /* Try for raw ip address first. */
+ if (isdigit (*lhost) && (laddr = inet_addr (lhost)) != INADDR_NONE)
+ return negate * (! (raddr ^ laddr));
+
+ /* Better be a hostname. */
+#ifdef __UCLIBC_HAS_REENTRANT_RPC__
+ buflen = 1024;
+ buffer = malloc(buflen);
+ save_errno = errno;
+
+ while (gethostbyname_r (lhost, &hostbuf, buffer, buflen, &hp, &herr)
+ != 0) {
+ free(buffer);
+ return (0);
+ }
+ free(buffer);
+ __set_errno (save_errno);
+#else
+ hp = gethostbyname(lhost);
+#endif /* __UCLIBC_HAS_REENTRANT_RPC__ */
+
+ if (hp == NULL)
+ return 0;
+
+ /* Spin through ip addresses. */
+ for (pp = hp->h_addr_list; *pp; ++pp)
+ if (!memcmp (&raddr, *pp, sizeof (u_int32_t)))
+ return negate;
+
+ /* No match. */
+ return (0);
+}
+
+/* Returns 1 on positive match, 0 on no match, -1 on negative match. */
+static int
+__icheckuser (const char *luser, const char *ruser)
+{
+
+ /*
+ luser is user entry from .rhosts/hosts.equiv file
+ ruser is user id on remote host
+ */
+
+#ifdef HAVE_NETGROUP
+ /* [-+]@netgroup */
+ if (strncmp ("+@", luser, 2) == 0)
+ return innetgr (&luser[2], NULL, ruser, NULL);
+
+ if (strncmp ("-@", luser,2) == 0)
+ return -innetgr (&luser[2], NULL, ruser, NULL);
+#endif /* HAVE_NETGROUP */
+
+ /* -user */
+ if (strncmp ("-", luser, 1) == 0)
+ return -(strcmp (&luser[1], ruser) == 0);
+
+ /* + */
+ if (strcmp ("+", luser) == 0)
+ return 1;
+
+ /* simple string match */
+ return strcmp (ruser, luser) == 0;
+}
+
+/*
+ * Returns 0 if positive match, -1 if _not_ ok.
+ */
+static int
+__ivaliduser2(FILE *hostf, u_int32_t raddr, const char *luser,
+ const char *ruser, const char *rhost)
+{
+ register const char *user;
+ register char *p;
+ int hcheck, ucheck;
+ char *buf = NULL;
+ size_t bufsize = 0;
+ int retval = -1;
+
+ while (getline (&buf, &bufsize, hostf) > 0) {
+ buf[bufsize - 1] = '\0'; /* Make sure it's terminated. */
+ p = buf;
+
+ /* Skip empty or comment lines */
+ if (__isempty (p)) {
+ continue;
+ }
+
+ /* Skip lines that are too long. */
+ if (strchr (p, '\n') == NULL) {
+ int ch = getc_unlocked (hostf);
+
+ while (ch != '\n' && ch != EOF)
+ ch = getc_unlocked (hostf);
+ continue;
+ }
+
+ for (;*p && !isspace(*p); ++p) {
+ *p = tolower (*p);
+ }
+
+ /* Next we want to find the permitted name for the remote user. */
+ if (*p == ' ' || *p == '\t') {
+ /* <nul> terminate hostname and skip spaces */
+ for (*p++='\0'; *p && isspace (*p); ++p);
+
+ user = p; /* this is the user's name */
+ while (*p && !isspace (*p))
+ ++p; /* find end of user's name */
+ } else
+ user = p;
+
+ *p = '\0'; /* <nul> terminate username (+host?) */
+
+ /* buf -> host(?) ; user -> username(?) */
+
+ /* First check host part */
+ hcheck = __icheckhost (raddr, buf, rhost);
+
+ if (hcheck < 0)
+ break;
+
+ if (hcheck) {
+ /* Then check user part */
+ if (! (*user))
+ user = luser;
+
+ ucheck = __icheckuser (user, ruser);
+
+ /* Positive 'host user' match? */
+ if (ucheck > 0) {
+ retval = 0;
+ break;
+ }
+
+ /* Negative 'host -user' match? */
+ if (ucheck < 0)
+ break;
+
+ /* Neither, go on looking for match */
+ }
+ }
+
+ free (buf);
+
+ return retval;
+}
+
+static int
+iruserok2 (u_int32_t raddr, int superuser, const char *ruser, const char *luser,
+ const char *rhost)
+{
+ FILE *hostf = NULL;
+ int isbad = -1;
+
+ if (!superuser)
+ hostf = iruserfopen (_PATH_HEQUIV, 0);
+
+ if (hostf) {
+ isbad = __ivaliduser2 (hostf, raddr, luser, ruser, rhost);
+ fclose (hostf);
+
+ if (!isbad)
+ return 0;
+ }
+
+ if (__check_rhosts_file || superuser) {
+ char *pbuf;
+ struct passwd *pwd;
+ size_t dirlen;
+ uid_t uid;
+
+#ifdef __UCLIBC_HAS_REENTRANT_RPC__
+ size_t buflen = sysconf (_SC_GETPW_R_SIZE_MAX);
+ struct passwd pwdbuf;
+ char *buffer = stack_heap_alloc(buflen);
+
+ if (getpwnam_r (luser, &pwdbuf, buffer,
+ buflen, &pwd) != 0 || pwd == NULL)
+ {
+ stack_heap_free(buffer);
+ return -1;
+ }
+ stack_heap_free(buffer);
+#else
+ if ((pwd = getpwnam(luser)) == NULL)
+ return -1;
+#endif
+
+ dirlen = strlen (pwd->pw_dir);
+ pbuf = malloc (dirlen + sizeof "/.rhosts");
+ strcpy (pbuf, pwd->pw_dir);
+ strcat (pbuf, "/.rhosts");
+
+ /* Change effective uid while reading .rhosts. If root and
+ reading an NFS mounted file system, can't read files that
+ are protected read/write owner only. */
+ uid = geteuid ();
+ seteuid (pwd->pw_uid);
+ hostf = iruserfopen (pbuf, pwd->pw_uid);
+ free(pbuf);
+
+ if (hostf != NULL) {
+ isbad = __ivaliduser2 (hostf, raddr, luser, ruser, rhost);
+ fclose (hostf);
+ }
+
+ seteuid (uid);
+ return isbad;
+ }
+ return -1;
+}
+
+int ruserok(const char *rhost, int superuser, const char *ruser,
+ const char *luser)
+{
+ struct hostent *hp;
+ u_int32_t addr;
+ char **ap;
+#ifdef __UCLIBC_HAS_REENTRANT_RPC__
+ size_t buflen;
+ char *buffer;
+ int herr;
+ struct hostent hostbuf;
+#endif
+
+#ifdef __UCLIBC_HAS_REENTRANT_RPC__
+ buflen = 1024;
+ buffer = stack_heap_alloc(buflen);
+
+ while (gethostbyname_r (rhost, &hostbuf, buffer,
+ buflen, &hp, &herr) != 0 || hp == NULL)
+ {
+ if (herr != NETDB_INTERNAL || errno != ERANGE) {
+ stack_heap_free(buffer);
+ return -1;
+ } else
+ {
+ /* Enlarge the buffer. */
+ buflen *= 2;
+ stack_heap_free(buffer);
+ buffer = stack_heap_alloc(buflen);
+ }
+ }
+ stack_heap_free(buffer);
+#else
+ if ((hp = gethostbyname(rhost)) == NULL) {
+ return -1;
+ }
+#endif
+ for (ap = hp->h_addr_list; *ap; ++ap) {
+ memmove(&addr, *ap, sizeof(addr));
+ if (iruserok2(addr, superuser, ruser, luser, rhost) == 0)
+ return 0;
+ }
+ return -1;
+}
+
+#endif /* __UCLIBC__ */
+
PAM_EXTERN
int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc,
const char **argv)

+ 0
- 271
libs/libpam/patches/006-fix_xdr.patch View File

@ -1,271 +0,0 @@
--- a/modules/pam_unix/yppasswd_xdr.c
+++ b/modules/pam_unix/yppasswd_xdr.c
@@ -21,6 +21,268 @@
#endif
#include "yppasswd.h"
+#ifdef __UCLIBC__
+
+static const char xdr_zero[BYTES_PER_XDR_UNIT] = {0, 0, 0, 0};
+
+/*
+ * XDR integers
+ */
+bool_t
+xdr_int (XDR *xdrs, int *ip)
+{
+
+#if INT_MAX < LONG_MAX
+ long l;
+
+ switch (xdrs->x_op)
+ {
+ case XDR_ENCODE:
+ l = (long) *ip;
+ return XDR_PUTLONG (xdrs, &l);
+
+ case XDR_DECODE:
+ if (!XDR_GETLONG (xdrs, &l))
+ {
+ return FALSE;
+ }
+ *ip = (int) l;
+ case XDR_FREE:
+ return TRUE;
+ }
+ return FALSE;
+#elif INT_MAX == LONG_MAX
+ return xdr_long (xdrs, (long *) ip);
+#elif INT_MAX == SHRT_MAX
+ return xdr_short (xdrs, (short *) ip);
+#else
+#error unexpected integer sizes in xdr_int()
+#endif
+}
+
+/*
+ * XDR null terminated ASCII strings
+ * xdr_string deals with "C strings" - arrays of bytes that are
+ * terminated by a NULL character. The parameter cpp references a
+ * pointer to storage; If the pointer is null, then the necessary
+ * storage is allocated. The last parameter is the max allowed length
+ * of the string as specified by a protocol.
+ */
+bool_t
+xdr_string (XDR *xdrs, char **cpp, u_int maxsize)
+{
+ char *sp = *cpp; /* sp is the actual string pointer */
+ u_int size;
+ u_int nodesize;
+
+ /*
+ * first deal with the length since xdr strings are counted-strings
+ */
+ switch (xdrs->x_op)
+ {
+ case XDR_FREE:
+ if (sp == NULL)
+ {
+ return TRUE; /* already free */
+ }
+ /* fall through... */
+ case XDR_ENCODE:
+ if (sp == NULL)
+ return FALSE;
+ size = strlen (sp);
+ break;
+ case XDR_DECODE:
+ break;
+ }
+ if (!xdr_u_int (xdrs, &size))
+ {
+ return FALSE;
+ }
+ if (size > maxsize)
+ {
+ return FALSE;
+ }
+ nodesize = size + 1;
+
+ /*
+ * now deal with the actual bytes
+ */
+ switch (xdrs->x_op)
+ {
+ case XDR_DECODE:
+ if (nodesize == 0)
+ {
+ return TRUE;
+ }
+ if (sp == NULL)
+ *cpp = sp = (char *) mem_alloc (nodesize);
+ if (sp == NULL)
+ {
+#ifdef USE_IN_LIBIO
+ if (_IO_fwide (stderr, 0) > 0)
+ (void) fwprintf (stderr, L"%s",
+ _("xdr_string: out of memory\n"));
+ else
+#endif
+ (void) fputs (_("xdr_string: out of memory\n"), stderr);
+ return FALSE;
+ }
+ sp[size] = 0;
+ /* fall into ... */
+
+ case XDR_ENCODE:
+ return xdr_opaque (xdrs, sp, size);
+
+ case XDR_FREE:
+ mem_free (sp, nodesize);
+ *cpp = NULL;
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/*
+ * XDR long integers
+ * The definition of xdr_long() is kept for backward
+ * compatibility. Instead xdr_int() should be used.
+ */
+bool_t
+xdr_long (XDR *xdrs, long *lp)
+{
+ if (xdrs->x_op == XDR_ENCODE
+ && (sizeof (int32_t) == sizeof (long)
+ || (int32_t) *lp == *lp))
+ return XDR_PUTLONG (xdrs, lp);
+
+ if (xdrs->x_op == XDR_DECODE)
+ return XDR_GETLONG (xdrs, lp);
+
+ if (xdrs->x_op == XDR_FREE)
+ return TRUE;
+
+ return FALSE;
+}
+
+/*
+ * XDR unsigned integers
+ */
+bool_t
+xdr_u_int (XDR *xdrs, u_int *up)
+{
+#if UINT_MAX < ULONG_MAX
+ u_long l;
+
+ switch (xdrs->x_op)
+ {
+ case XDR_ENCODE:
+ l = (u_long) * up;
+ return XDR_PUTLONG (xdrs, (long *) &l);
+
+ case XDR_DECODE:
+ if (!XDR_GETLONG (xdrs, (long *) &l))
+ {
+ return FALSE;
+ }
+ *up = (u_int) l;
+ case XDR_FREE:
+ return TRUE;
+ }
+ return FALSE;
+#elif UINT_MAX == ULONG_MAX
+ return xdr_u_long (xdrs, (u_long *) up);
+#elif UINT_MAX == USHRT_MAX
+ return xdr_short (xdrs, (short *) up);
+#else
+#error unexpected integer sizes in xdr_u_int()
+#endif
+}
+
+/*
+ * XDR opaque data
+ * Allows the specification of a fixed size sequence of opaque bytes.
+ * cp points to the opaque object and cnt gives the byte length.
+ */
+bool_t
+xdr_opaque (XDR *xdrs, caddr_t cp, u_int cnt)
+{
+ u_int rndup;
+ static char crud[BYTES_PER_XDR_UNIT];
+
+ /*
+ * if no data we are done
+ */
+ if (cnt == 0)
+ return TRUE;
+
+ /*
+ * round byte count to full xdr units
+ */
+ rndup = cnt % BYTES_PER_XDR_UNIT;
+ if (rndup > 0)
+ rndup = BYTES_PER_XDR_UNIT - rndup;
+
+ switch (xdrs->x_op)
+ {
+ case XDR_DECODE:
+ if (!XDR_GETBYTES (xdrs, cp, cnt))
+ {
+ return FALSE;
+ }
+ if (rndup == 0)
+ return TRUE;
+ return XDR_GETBYTES (xdrs, (caddr_t)crud, rndup);
+
+ case XDR_ENCODE:
+ if (!XDR_PUTBYTES (xdrs, cp, cnt))
+ {
+ return FALSE;
+ }
+ if (rndup == 0)
+ return TRUE;
+ return XDR_PUTBYTES (xdrs, xdr_zero, rndup);
+
+ case XDR_FREE:
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/*
+ * XDR unsigned long integers
+ * The definition of xdr_u_long() is kept for backward
+ * compatibility. Instead xdr_u_int() should be used.
+ */
+bool_t
+xdr_u_long (XDR *xdrs, u_long *ulp)
+{
+ switch (xdrs->x_op)
+ {
+ case XDR_DECODE:
+ {
+ long int tmp;
+
+ if (XDR_GETLONG (xdrs, &tmp) == FALSE)
+ return FALSE;
+
+ *ulp = (uint32_t) tmp;
+ return TRUE;
+ }
+
+ case XDR_ENCODE:
+ if (sizeof (uint32_t) != sizeof (u_long)
+ && (uint32_t) *ulp != *ulp)
+ return FALSE;
+
+ return XDR_PUTLONG (xdrs, (long *) ulp);
+
+ case XDR_FREE:
+ return TRUE;
+ }
+ return FALSE;
+}
+
+#endif /* UCLIBC */
+
bool_t
xdr_xpasswd(XDR * xdrs, xpasswd * objp)
{

+ 0
- 52
libs/libpam/patches/007-cve-2014-2583.patch View File

@ -1,52 +0,0 @@
From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" <ldv@altlinux.org>
Date: Wed, 26 Mar 2014 22:17:23 +0000
Subject: pam_timestamp: fix potential directory traversal issue (ticket #27)
pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
the timestamp pathname it creates, so extra care should be taken to
avoid potential directory traversal issues.
* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
"." and ".." tty values as invalid.
(get_ruser): Treat "." and ".." ruser values, as well as any ruser
value containing '/', as invalid.
Fixes CVE-2014-2583.
Reported-by: Sebastian Krahmer <krahmer@suse.de>
diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
index 5193733..b3f08b1 100644
--- a/modules/pam_timestamp/pam_timestamp.c
+++ b/modules/pam_timestamp/pam_timestamp.c
@@ -158,7 +158,7 @@ check_tty(const char *tty)
tty = strrchr(tty, '/') + 1;
}
/* Make sure the tty wasn't actually a directory (no basename). */
- if (strlen(tty) == 0) {
+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
return NULL;
}
return tty;
@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
if (pwd != NULL) {
ruser = pwd->pw_name;
}
+ } else {
+ /*
+ * This ruser is used by format_timestamp_name as a component
+ * of constructed timestamp pathname, so ".", "..", and '/'
+ * are disallowed to avoid potential path traversal issues.
+ */
+ if (!strcmp(ruser, ".") ||
+ !strcmp(ruser, "..") ||
+ strchr(ruser, '/')) {
+ ruser = NULL;
+ }
}
if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
*ruserbuf = '\0';
--
cgit v0.10.2

+ 0
- 11
libs/libpam/patches/008-LIBCRYPT-fix.patch View File

@ -1,11 +0,0 @@
--- a/configure.in.orig 2015-06-16 20:40:02.938216001 +0800
+++ b/configure.in 2015-06-16 20:40:16.198216001 +0800
@@ -399,7 +399,7 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" =
[crypt_libs="crypt"])
BACKUP_LIBS=$LIBS
-AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="-l$ac_lib", LIBCRYPT="")
+AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_lib:+-l$ac_lib}", LIBCRYPT="")
AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
LIBS=$BACKUP_LIBS
AC_SUBST(LIBCRYPT)

+ 0
- 51
libs/libpam/patches/009-pam_rhosts-fix.patch View File

@ -1,51 +0,0 @@
--- a/configure.in.orig 2015-06-16 21:05:09.938216001 +0800
+++ b/configure.in 2015-06-16 21:05:29.374216001 +0800
@@ -525,7 +525,8 @@ AC_CHECK_FUNCS(fseeko getdomainname geth
AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
AC_CHECK_FUNCS(getgrouplist getline getdelim)
-AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af)
+AC_CHECK_FUNCS(inet_ntop inet_pton innetgr)
+AC_CHECK_FUNCS(ruserok ruserok_af)
AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
--- a/modules/pam_rhosts/pam_rhosts.c.orig 2015-06-16 20:58:20.002216001 +0800
+++ b/modules/pam_rhosts/pam_rhosts.c 2015-06-16 21:10:10.026216001 +0800
@@ -35,6 +35,7 @@
#include <pwd.h>
#include <netdb.h>
#include <string.h>
+#include <stdlib.h>
#include <syslog.h>
#define PAM_SM_AUTH /* only defines this management group */
@@ -43,7 +43,7 @@
#include <security/pam_modutil.h>
#include <security/pam_ext.h>
-#ifdef __UCLIBC__
+#if defined(__UCLIBC__) || (!defined(HAVE_RUSEROK) && !defined(HAVE_RUSEROK_AF))
#include <stdio.h>
#include <sys/stat.h>
@@ -293,8 +294,10 @@ iruserok2 (u_int32_t raddr, int superuse
FILE *hostf = NULL;
int isbad = -1;
+#ifdef _PATH_HEQUIV
if (!superuser)
hostf = iruserfopen (_PATH_HEQUIV, 0);
+#endif
if (hostf) {
isbad = __ivaliduser2 (hostf, raddr, luser, ruser, rhost);
@@ -396,7 +396,7 @@ int ruserok(const char *rhost, int super
return -1;
}
-#endif /* __UCLIBC__ */
+#endif /* __UCLIBC__ || (!defined(HAVE_RUSEROK) && !defined(HAVE_RUSEROK_AF)) */
PAM_EXTERN
int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc,

Write Preview
Loading…
Cancel
Save