
libpam: upgrade 1.5.2 -> 1.5.3


Commit Message

Trevor Gamblin June 5, 2023, 2:57 p.m. UTC
Changelog: https://github.com/linux-pam/linux-pam/releases/tag/v1.5.3

The following patch files were removed because the upstream commits they backport are included in v1.5.3:

0001-run-xtests.sh-check-whether-files-exist.patch
0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch
CVE-2022-28321-0002.patch

Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
---
 ...rely-on-all-filesystems-providing-a-.patch | 108 ---------
 ...-xtests.sh-check-whether-files-exist.patch |  65 ------
 .../pam/libpam/CVE-2022-28321-0002.patch      | 205 ------------------
 .../pam/{libpam_1.5.2.bb => libpam_1.5.3.bb}  |   5 +-
 4 files changed, 1 insertion(+), 382 deletions(-)
 delete mode 100644 meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch
 delete mode 100644 meta/recipes-extended/pam/libpam/0001-run-xtests.sh-check-whether-files-exist.patch
 delete mode 100644 meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch
 rename meta/recipes-extended/pam/{libpam_1.5.2.bb => libpam_1.5.3.bb} (95%)


Richard Purdie June 5, 2023, 9:25 p.m. UTC | #1
On Mon, 2023-06-05 at 10:57 -0400, Trevor Gamblin wrote:
> Changelog: https://github.com/linux-pam/linux-pam/releases/tag/v1.5.3
> 
> The following patch files were removed because they are in v1.5.3:
> 
> 0001-run-xtests.sh-check-whether-files-exist.patch
> 0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch
> CVE-2022-28321-0002.patch
> 
> Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
> ---
>  ...rely-on-all-filesystems-providing-a-.patch | 108 ---------
>  ...-xtests.sh-check-whether-files-exist.patch |  65 ------
>  .../pam/libpam/CVE-2022-28321-0002.patch      | 205 ------------------
>  .../pam/{libpam_1.5.2.bb => libpam_1.5.3.bb}  |   5 +-
>  4 files changed, 1 insertion(+), 382 deletions(-)
>  delete mode 100644 meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch
>  delete mode 100644 meta/recipes-extended/pam/libpam/0001-run-xtests.sh-check-whether-files-exist.patch
>  delete mode 100644 meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch
>  rename meta/recipes-extended/pam/{libpam_1.5.2.bb => libpam_1.5.3.bb} (95%)

I think but haven't 100% confirmed this causes:

https://autobuilder.yoctoproject.org/typhoon/#/builders/131/builds/2608
https://autobuilder.yoctoproject.org/typhoon/#/builders/131/builds/2608

Cheers,

Richard


diff --git a/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch b/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch
deleted file mode 100644
index 94dcb04f0a..0000000000
--- a/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch
+++ /dev/null
@@ -1,108 +0,0 @@ 
-From 42404548721c653317c911c83d885e2fc7fbca70 Mon Sep 17 00:00:00 2001
-From: Per Jessen <per@jessen.ch>
-Date: Fri, 22 Apr 2022 18:15:36 +0200
-Subject: [PATCH] pam_motd: do not rely on all filesystems providing a filetype
-
-When using scandir() to look for MOTD files to display, we wrongly
-relied on all filesystems providing a filetype.  This is a fix to divert
-to lstat() when we have no filetype.  To maintain MT safety, it isn't
-possible to use lstat() in the scandir() filter function, so all of the
-filtering has been moved to an additional loop after scanning all the
-motd dirs.
-Also, remove superfluous alphasort from scandir(), we are doing
-a qsort() later.
-
-Resolves: https://github.com/linux-pam/linux-pam/issues/455
-
-Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/42404548721c653317c911c83d885e2fc7fbca70]
-
-Signed-off-by: Per Jessen <per@jessen.ch>
-Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
----
- modules/pam_motd/pam_motd.c | 49 ++++++++++++++++++++++++++++++-------
- 1 file changed, 40 insertions(+), 9 deletions(-)
-
-diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
-index 6ac8cba2..5ca486e4 100644
---- a/modules/pam_motd/pam_motd.c
-+++ b/modules/pam_motd/pam_motd.c
-@@ -166,11 +166,6 @@ static int compare_strings(const void *a, const void *b)
-     }
- }
- 
--static int filter_dirents(const struct dirent *d)
--{
--    return (d->d_type == DT_REG || d->d_type == DT_LNK);
--}
--
- static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
- 	char **motd_dir_path_split, unsigned int num_motd_dirs, int report_missing)
- {
-@@ -199,8 +194,7 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
- 
-     for (i = 0; i < num_motd_dirs; i++) {
- 	int rv;
--	rv = scandir(motd_dir_path_split[i], &(dirscans[i]),
--		filter_dirents, alphasort);
-+	rv = scandir(motd_dir_path_split[i], &(dirscans[i]), NULL, NULL);
- 	if (rv < 0) {
- 	    if (errno != ENOENT || report_missing) {
- 		pam_syslog(pamh, LOG_ERR, "error scanning directory %s: %m",
-@@ -215,6 +209,41 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
-     if (dirscans_size_total == 0)
-         goto out;
- 
-+    /* filter out unwanted names, directories, and complement data with lstat() */
-+    for (i = 0; i < num_motd_dirs; i++) {
-+	struct dirent **d = dirscans[i];
-+	for (unsigned int j = 0; j < dirscans_sizes[i]; j++) {
-+	    int rc;
-+	    char *fullpath;
-+	    struct stat s;
-+
-+	    switch(d[j]->d_type) {    /* the filetype determines how to proceed */
-+	    case DT_REG:              /* regular files and     */
-+	    case DT_LNK:              /* symlinks              */
-+		continue;             /* are good.             */
-+	    case DT_UNKNOWN:   /* for file systems that do not provide */
-+			       /* a filetype, we use lstat()           */
-+		if (join_dir_strings(&fullpath, motd_dir_path_split[i],
-+				     d[j]->d_name) <= 0)
-+		    break;
-+		rc = lstat(fullpath, &s);
-+		_pam_drop(fullpath);  /* free the memory alloc'ed by join_dir_strings */
-+		if (rc != 0)          /* if the lstat() somehow failed */
-+		    break;
-+
-+		if (S_ISREG(s.st_mode) ||          /* regular files and  */
-+		    S_ISLNK(s.st_mode)) continue;  /* symlinks are good  */
-+		break;
-+	    case DT_DIR:          /* We don't want directories     */
-+	    default:              /* nor anything else             */
-+		break;
-+	    }
-+	    _pam_drop(d[j]);  /* free memory                   */
-+	    d[j] = NULL;      /* indicate this one was dropped */
-+	    dirscans_size_total--;
-+	}
-+    }
-+
-     /* Allocate space for all file names found in the directories, including duplicates. */
-     if ((dirnames_all = calloc(dirscans_size_total, sizeof(*dirnames_all))) == NULL) {
- 	pam_syslog(pamh, LOG_CRIT, "failed to allocate dirname array");
-@@ -225,8 +254,10 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
- 	unsigned int j;
- 
- 	for (j = 0; j < dirscans_sizes[i]; j++) {
--	    dirnames_all[i_dirnames] = dirscans[i][j]->d_name;
--	    i_dirnames++;
-+	    if (NULL != dirscans[i][j]) {
-+	        dirnames_all[i_dirnames] = dirscans[i][j]->d_name;
-+	        i_dirnames++;
-+	    }
- 	}
-     }
- 
--- 
-2.39.0
-
diff --git a/meta/recipes-extended/pam/libpam/0001-run-xtests.sh-check-whether-files-exist.patch b/meta/recipes-extended/pam/libpam/0001-run-xtests.sh-check-whether-files-exist.patch
deleted file mode 100644
index 40040a873a..0000000000
--- a/meta/recipes-extended/pam/libpam/0001-run-xtests.sh-check-whether-files-exist.patch
+++ /dev/null
@@ -1,65 +0,0 @@ 
-From e8e8ccfd57e0274b431bc5717bf37c488285b07b Mon Sep 17 00:00:00 2001
-From: Mingli Yu <mingli.yu@windriver.com>
-Date: Wed, 27 Oct 2021 10:30:46 +0800
-Subject: [PATCH] run-xtests.sh: check whether files exist
-
-Fixes:
- # ./run-xtests.sh . tst-pam_access1
- mv: cannot stat '/etc/security/opasswd': No such file or directory
- PASS: tst-pam_access1
- mv: cannot stat '/etc/security/opasswd-pam-xtests': No such file or directory
- ==================
- 1 tests passed
- 0 tests not run
- ==================
-
-Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/e8e8ccfd57e0274b431bc5717bf37c488285b07b]
-
-Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
----
- xtests/run-xtests.sh | 20 +++++++++++++-------
- 1 file changed, 13 insertions(+), 7 deletions(-)
-
-diff --git a/xtests/run-xtests.sh b/xtests/run-xtests.sh
-index 14f585d9..ff9a4dc1 100755
---- a/xtests/run-xtests.sh
-+++ b/xtests/run-xtests.sh
-@@ -18,10 +18,12 @@ all=0
- 
- mkdir -p /etc/security
- for config in access.conf group.conf time.conf limits.conf ; do
--	cp /etc/security/$config /etc/security/$config-pam-xtests
-+	[ -f "/etc/security/$config" ] &&
-+		mv /etc/security/$config /etc/security/$config-pam-xtests
- 	install -m 644 "${SRCDIR}"/$config /etc/security/$config
- done
--mv /etc/security/opasswd /etc/security/opasswd-pam-xtests
-+[ -f /etc/security/opasswd ] &&
-+	mv /etc/security/opasswd /etc/security/opasswd-pam-xtests
- 
- for testname in $XTESTS ; do
- 	  for cfg in "${SRCDIR}"/$testname*.pamd ; do
-@@ -47,11 +49,15 @@ for testname in $XTESTS ; do
- 	  all=`expr $all + 1`
- 	  rm -f /etc/pam.d/$testname*
- done
--mv /etc/security/access.conf-pam-xtests /etc/security/access.conf
--mv /etc/security/group.conf-pam-xtests /etc/security/group.conf
--mv /etc/security/time.conf-pam-xtests /etc/security/time.conf
--mv /etc/security/limits.conf-pam-xtests /etc/security/limits.conf
--mv /etc/security/opasswd-pam-xtests /etc/security/opasswd
-+
-+for config in access.conf group.conf time.conf limits.conf opasswd ; do
-+	if [ -f "/etc/security/$config-pam-xtests" ]; then
-+		mv /etc/security/$config-pam-xtests /etc/security/$config
-+	else
-+		rm -f /etc/security/$config
-+	fi
-+done
-+
- if test "$failed" -ne 0; then
- 	  echo "==================="
- 	  echo "$failed of $all tests failed"
--- 
-2.32.0
-
diff --git a/meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch b/meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch
deleted file mode 100644
index e7bf03f9f7..0000000000
--- a/meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch
+++ /dev/null
@@ -1,205 +0,0 @@ 
-From 23393bef92c1e768eda329813d7af55481c6ca9f Mon Sep 17 00:00:00 2001
-From: Thorsten Kukuk <kukuk@suse.com>
-Date: Thu, 24 Feb 2022 10:37:32 +0100
-Subject: [PATCH 2/2] pam_access: handle hostnames in access.conf
-
-According to the manual page, the following entry is valid but does not
-work:
--:root:ALL EXCEPT localhost
-
-See https://bugzilla.suse.com/show_bug.cgi?id=1019866
-
-Patched is based on PR#226 from Josef Moellers
-
-Upstream-Status: Backport
-CVE: CVE-2022-28321
-
-Reference to upstream patch:
-[https://github.com/linux-pam/linux-pam/commit/23393bef92c1e768eda329813d7af55481c6ca9f]
-
-Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
----
- modules/pam_access/pam_access.c | 95 ++++++++++++++++++++++++++-------
- 1 file changed, 76 insertions(+), 19 deletions(-)
-
-diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
-index 277192b..bca424f 100644
---- a/modules/pam_access/pam_access.c
-+++ b/modules/pam_access/pam_access.c
-@@ -637,7 +637,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
-       if ((str_len = strlen(string)) > tok_len
- 	  && strcasecmp(tok, string + str_len - tok_len) == 0)
- 	return YES;
--    } else if (tok[tok_len - 1] == '.') {
-+    } else if (tok[tok_len - 1] == '.') {       /* internet network numbers (end with ".") */
-       struct addrinfo hint;
- 
-       memset (&hint, '\0', sizeof (hint));
-@@ -678,7 +678,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
-       return NO;
-     }
- 
--    /* Assume network/netmask with an IP of a host.  */
-+    /* Assume network/netmask, IP address or hostname.  */
-     return network_netmask_match(pamh, tok, string, item);
- }
- 
-@@ -696,7 +696,7 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string,
-     /*
-      * If the token has the magic value "ALL" the match always succeeds.
-      * Otherwise, return YES if the token fully matches the string.
--	 * "NONE" token matches NULL string.
-+     * "NONE" token matches NULL string.
-      */
- 
-     if (strcasecmp(tok, "ALL") == 0) {		/* all: always matches */
-@@ -714,7 +714,8 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string,
- 
- /* network_netmask_match - match a string against one token
-  * where string is a hostname or ip (v4,v6) address and tok
-- * represents either a single ip (v4,v6) address or a network/netmask
-+ * represents either a hostname, a single ip (v4,v6) address
-+ * or a network/netmask
-  */
- static int
- network_netmask_match (pam_handle_t *pamh,
-@@ -723,10 +724,12 @@ network_netmask_match (pam_handle_t *pamh,
-     char *netmask_ptr;
-     char netmask_string[MAXHOSTNAMELEN + 1];
-     int addr_type;
-+    struct addrinfo *ai = NULL;
- 
-     if (item->debug)
--    pam_syslog (pamh, LOG_DEBUG,
-+      pam_syslog (pamh, LOG_DEBUG,
- 		"network_netmask_match: tok=%s, item=%s", tok, string);
-+
-     /* OK, check if tok is of type addr/mask */
-     if ((netmask_ptr = strchr(tok, '/')) != NULL)
-       {
-@@ -760,54 +763,108 @@ network_netmask_match (pam_handle_t *pamh,
- 	    netmask_ptr = number_to_netmask(netmask, addr_type,
- 		netmask_string, MAXHOSTNAMELEN);
- 	  }
--	}
-+
-+        /*
-+         * Construct an addrinfo list from the IP address.
-+         * This should not fail as the input is a correct IP address...
-+         */
-+	if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
-+	  {
-+	    return NO;
-+	  }
-+      }
-     else
--	/* NO, then check if it is only an addr */
--	if (isipaddr(tok, NULL, NULL) != YES)
-+      {
-+        /*
-+	 * It is either an IP address or a hostname.
-+	 * Let getaddrinfo sort everything out
-+	 */
-+	if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
- 	  {
-+	    pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok);
-+
- 	    return NO;
- 	  }
-+	netmask_ptr = NULL;
-+      }
- 
-     if (isipaddr(string, NULL, NULL) != YES)
-       {
--	/* Assume network/netmask with a name of a host.  */
- 	struct addrinfo hint;
- 
-+	/* Assume network/netmask with a name of a host.  */
- 	memset (&hint, '\0', sizeof (hint));
- 	hint.ai_flags = AI_CANONNAME;
- 	hint.ai_family = AF_UNSPEC;
- 
- 	if (item->gai_rv != 0)
-+	  {
-+	    freeaddrinfo(ai);
- 	    return NO;
-+	  }
- 	else if (!item->res &&
- 		(item->gai_rv = getaddrinfo (string, NULL, &hint, &item->res)) != 0)
-+	  {
-+	    freeaddrinfo(ai);
- 	    return NO;
-+	  }
-         else
- 	  {
- 	    struct addrinfo *runp = item->res;
-+	    struct addrinfo *runp1;
- 
- 	    while (runp != NULL)
- 	      {
- 		char buf[INET6_ADDRSTRLEN];
- 
--		DIAG_PUSH_IGNORE_CAST_ALIGN;
--		inet_ntop (runp->ai_family,
--			runp->ai_family == AF_INET
--			? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr
--			: (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr,
--			buf, sizeof (buf));
--		DIAG_POP_IGNORE_CAST_ALIGN;
-+		if (getnameinfo (runp->ai_addr, runp->ai_addrlen, buf, sizeof (buf), NULL, 0, NI_NUMERICHOST) != 0)
-+		  {
-+		    freeaddrinfo(ai);
-+		    return NO;
-+		  }
- 
--		if (are_addresses_equal(buf, tok, netmask_ptr))
-+		for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
- 		  {
--		    return YES;
-+                    char buf1[INET6_ADDRSTRLEN];
-+
-+                    if (runp->ai_family != runp1->ai_family)
-+                      continue;
-+
-+                    if (getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST) != 0)
-+		      {
-+			freeaddrinfo(ai);
-+			return NO;
-+		      }
-+
-+                    if (are_addresses_equal (buf, buf1, netmask_ptr))
-+                      {
-+                        freeaddrinfo(ai);
-+                        return YES;
-+                      }
- 		  }
- 		runp = runp->ai_next;
- 	      }
- 	  }
-       }
-     else
--      return (are_addresses_equal(string, tok, netmask_ptr));
-+      {
-+       struct addrinfo *runp1;
-+
-+       for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
-+         {
-+           char buf1[INET6_ADDRSTRLEN];
-+
-+           (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST);
-+
-+           if (are_addresses_equal(string, buf1, netmask_ptr))
-+             {
-+               freeaddrinfo(ai);
-+               return YES;
-+             }
-+         }
-+      }
-+
-+  freeaddrinfo(ai);
- 
-   return NO;
- }
--- 
-2.37.3
-
diff --git a/meta/recipes-extended/pam/libpam_1.5.2.bb b/meta/recipes-extended/pam/libpam_1.5.3.bb
similarity index 95%
rename from meta/recipes-extended/pam/libpam_1.5.2.bb
rename to meta/recipes-extended/pam/libpam_1.5.3.bb
index bec47ab836..c8f1e16459 100644
--- a/meta/recipes-extended/pam/libpam_1.5.2.bb
+++ b/meta/recipes-extended/pam/libpam_1.5.3.bb
@@ -21,14 +21,11 @@  SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/Linux-PAM-${PV}.tar.xz \
            file://pam.d/common-session-noninteractive \
            file://pam.d/other \
            file://libpam-xtests.patch \
-           file://0001-run-xtests.sh-check-whether-files-exist.patch \
            file://run-ptest \
            file://pam-volatiles.conf \
-           file://CVE-2022-28321-0002.patch \
-           file://0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch \
            "
 
-SRC_URI[sha256sum] = "e4ec7131a91da44512574268f493c6d8ca105c87091691b8e9b56ca685d4f94d"
+SRC_URI[sha256sum] = "7ac4b50feee004a9fa88f1dfd2d2fa738a82896763050cd773b3c54b0a818283"
 
 DEPENDS = "bison-native flex-native cracklib libxml2-native virtual/crypt"
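Review bot: Removing the `file://CVE-2022-28321-0002.patch` line means this recipe no longer carries a `CVE:` tag for that issue, so cve-check now depends solely on the version string being recorded as fixed upstream; the commit message should name the upstream commit the backport came from (23393bef92c1e768eda329813d7af55481c6ca9f per the deleted patch header) and confirm it is reachable from the v1.5.3 tag. The new `SRC_URI[sha256sum]` value has no provenance in the patch itself, so verify it against the upstream release tarball (and its signature, if published) before merging rather than trusting a locally computed digest. The retained `file://libpam-xtests.patch` was previously paired with the now-dropped run-xtests.sh patch; it is worth confirming it still applies and that the ptest still passes on 1.5.3, which I cannot tell from this hunk.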