From patchwork Wed Jan 10 20:03:28 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexander Kanavin X-Patchwork-Id: 37611 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8B4BEC4707B for ; Wed, 10 Jan 2024 20:03:47 +0000 (UTC) Received: from mail-ej1-f52.google.com (mail-ej1-f52.google.com [209.85.218.52]) by mx.groups.io with SMTP id smtpd.web10.3659.1704917023446574992 for ; Wed, 10 Jan 2024 12:03:43 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=fP8R/cD5; spf=pass (domain: gmail.com, ip: 209.85.218.52, mailfrom: alex.kanavin@gmail.com) Received: by mail-ej1-f52.google.com with SMTP id a640c23a62f3a-a28fb463a28so463816866b.3 for ; Wed, 10 Jan 2024 12:03:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1704917022; x=1705521822; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=1P6E4oobtYSEZT67WS/WeGa0LC//4jQNcHPNjTe4G8c=; b=fP8R/cD5iuEyqjOSGW91AMaefrt+1UptjzjwdzAevI6f1xkuUb5I7KgrWEipyuQkcW 6msFdiKSeZayLTDVciJSOAw/X6WaVEgk5NYC3eIFV7Sfjf+Asjwdjg8CNk1dLlbNWDd0 q898GoMKAVT7K9M2QMUdIOZWlShon8DzMKUdW7w048uVuEhaCp93wievt6H4jfIcXRK8 6JiyTBLxc0x/vhf7xN1jgaCCBMMDwGwL67fk9IWSfsgnNdrh/TGDOLs+oj+JYcKL3UCs HdYH2f7FKHsLR8jljOW7LhJlVBDJj3uKxLCIsXfLGm+Bh604+C1rFrmWrpfUrRl6l3NC 8qew== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704917022; x=1705521822; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=1P6E4oobtYSEZT67WS/WeGa0LC//4jQNcHPNjTe4G8c=; b=WX141XSeyrzTlIzEcV0ic4eNp/CIbiQQ0ocdeRNngtGVYa5v1HBtwhQV7DUqwAi2XX nosxRRvlyIRg3OSNX3ztjPdUCu9aquwPZ1Pv68QV4wI5M/xSnx5t+1zA3uMiz9Ix2b93 EoXuiwNSboMvdqf4HBIYu9T6ObZUVrlPYAybonTt7KP5UmTl+a4xKf6l5mxcPVOg2VVL mxwc2IuXJ3qeZIQ2ZiuvmcIgZ4tA3LfPdLDd6jtFFHhyeqea+IDnxsCQy29FBThOJk06 z2qjJ+Jgs4g8KEalsOclxChMe4Djg+NBMblVML806/Cl41K3FIPd19NGhR8QZzFzIQHx ZCEA== X-Gm-Message-State: AOJu0YykbV6wyN0f6lQ+fWFyEn8wpDItq4jAu3e6WNmJD/YLJibMhQo5 xfy48BrhE4PehToh/Fhqbdwi/B1WAx8= X-Google-Smtp-Source: AGHT+IEOCb3Gbhiq5couJYom6h61UgcgROgj6QftDXwGEruQ1/PjpBECVNa632Ux7VfGwwANYFDKuw== X-Received: by 2002:a17:906:d9de:b0:a29:e2e7:8faa with SMTP id qk30-20020a170906d9de00b00a29e2e78faamr24694ejb.101.1704917021337; Wed, 10 Jan 2024 12:03:41 -0800 (PST) Received: from Zen2.lab.linutronix.de. (drugstore.linutronix.de. [80.153.143.164]) by smtp.gmail.com with ESMTPSA id la8-20020a170906ad8800b00a2af8872e9bsm2455012ejb.14.2024.01.10.12.03.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 10 Jan 2024 12:03:40 -0800 (PST) From: Alexander Kanavin X-Google-Original-From: Alexander Kanavin To: openembedded-core@lists.openembedded.org Cc: Alexander Kanavin Subject: [PATCH 1/2] shadow: update 4.13 -> 4.14.2 Date: Wed, 10 Jan 2024 21:03:28 +0100 Message-Id: <20240110200329.2173442-1-alex@linutronix.de> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 10 Jan 2024 20:03:47 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/193521 License-Update: formatting, spdx conversion Drop: 0001-Disable-use-of-syslog-for-sysroot.patch (issue fixed upstream) 0001-Fix-can-not-print-full-login.patch 0001-Overhaul-valid_field.patch CVE-2023-29383.patch (backports) libbsd is a new native dependency, as otherwise glibc >= 2.38 is needed. A similar fix is added to musl in order to define non-standard __BEGIN_DECLS/__END_DECLS. Signed-off-by: Alexander Kanavin --- ...01-Disable-use-of-syslog-for-sysroot.patch | 52 ------- .../0001-Fix-can-not-print-full-login.patch | 41 ----- .../files/0001-Overhaul-valid_field.patch | 65 -------- .../shadow/files/CVE-2023-29383.patch | 53 ------- .../shadow/files/CVE-2023-4641.patch | 147 ------------------ ...nexpected-open-failure-in-chroot-env.patch | 16 +- meta/recipes-extended/shadow/shadow.inc | 20 +-- .../{shadow_4.13.bb => shadow_4.14.2.bb} | 0 8 files changed, 16 insertions(+), 378 deletions(-) delete mode 100644 meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch delete mode 100644 meta/recipes-extended/shadow/files/0001-Fix-can-not-print-full-login.patch delete mode 100644 meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch delete mode 100644 meta/recipes-extended/shadow/files/CVE-2023-29383.patch delete mode 100644 meta/recipes-extended/shadow/files/CVE-2023-4641.patch rename meta/recipes-extended/shadow/{shadow_4.13.bb => shadow_4.14.2.bb} (100%) diff --git a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch deleted file mode 100644 index fa1532c8317..00000000000 --- a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 85d0444229ee3d14fefcf10d093f49c862826f82 Mon Sep 17 00:00:00 2001 -From: Richard Purdie -Date: Thu, 14 Apr 2022 23:11:53 +0000 -Subject: [PATCH] Disable use of syslog for shadow-native tools - -Disable use of syslog to prevent sysroot user and group additions from -writing entries to the host's syslog. This patch should only be used -with the shadow-native recipe. - -Upstream-Status: Inappropriate [OE specific configuration] -Signed-off-by: Richard Purdie -Signed-off-by: Peter Kjellerstedt - ---- - configure.ac | 2 +- - src/login_nopam.c | 3 ++- - 2 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 924254a..603af81 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -191,7 +191,7 @@ AC_DEFINE_UNQUOTED(PASSWD_PROGRAM, "$shadow_cv_passwd_dir/passwd", - [Path to passwd program.]) - - dnl XXX - quick hack, should disappear before anyone notices :). --AC_DEFINE(USE_SYSLOG, 1, [Define to use syslog().]) -+#AC_DEFINE(USE_SYSLOG, 1, [Define to use syslog().]) - if test "$ac_cv_func_ruserok" = "yes"; then - AC_DEFINE(RLOGIN, 1, [Define if login should support the -r flag for rlogind.]) - AC_DEFINE(RUSEROK, 0, [Define to the ruserok() "success" return value (0 or 1).]) -diff --git a/src/login_nopam.c b/src/login_nopam.c -index df6ba88..fc24e13 100644 ---- a/src/login_nopam.c -+++ b/src/login_nopam.c -@@ -29,7 +29,6 @@ - #ifndef USE_PAM - #ident "$Id$" - --#include "prototypes.h" - /* - * This module implements a simple but effective form of login access - * control based on login names and on host (or domain) names, internet -@@ -57,6 +56,8 @@ - #include - #include /* for inet_ntoa() */ - -+#include "prototypes.h" -+ - #if !defined(MAXHOSTNAMELEN) || (MAXHOSTNAMELEN < 64) - #undef MAXHOSTNAMELEN - #define MAXHOSTNAMELEN 256 diff --git a/meta/recipes-extended/shadow/files/0001-Fix-can-not-print-full-login.patch b/meta/recipes-extended/shadow/files/0001-Fix-can-not-print-full-login.patch deleted file mode 100644 index 89f9c05c8d3..00000000000 --- a/meta/recipes-extended/shadow/files/0001-Fix-can-not-print-full-login.patch +++ /dev/null @@ -1,41 +0,0 @@ -commit 670cae834827a8f794e6f7464fa57790d911b63c -Author: SoumyaWind <121475834+SoumyaWind@users.noreply.github.com> -Date: Tue Dec 27 17:40:17 2022 +0530 - - shadow: Fix can not print full login timeout message - - Login timed out message prints only first few bytes when write is immediately followed by exit. - Calling exit from new handler provides enough time to display full message. - -Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/670cae834827a8f794e6f7464fa57790d911b63c] - -diff --git a/src/login.c b/src/login.c -index 116e2cb3..c55f4de0 100644 ---- a/src/login.c -+++ b/src/login.c -@@ -120,6 +120,7 @@ static void get_pam_user (char **ptr_pam_user); - - static void init_env (void); - static void alarm_handler (int); -+static void exit_handler (int); - - /* - * usage - print login command usage and exit -@@ -391,11 +392,16 @@ static void init_env (void) - #endif /* !USE_PAM */ - } - -+static void exit_handler (unused int sig) -+{ -+ _exit (0); -+} - - static void alarm_handler (unused int sig) - { - write (STDERR_FILENO, tmsg, strlen (tmsg)); -- _exit (0); -+ signal(SIGALRM, exit_handler); -+ alarm(2); - } - - #ifdef USE_PAM diff --git a/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch deleted file mode 100644 index ac08be515bf..00000000000 --- a/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Fri, 31 Mar 2023 14:46:50 +0200 -Subject: [PATCH] Overhaul valid_field() - -e5905c4b ("Added control character check") introduced checking for -control characters but had the logic inverted, so it rejects all -characters that are not control ones. - -Cast the character to `unsigned char` before passing to the character -checking functions to avoid UB. - -Use strpbrk(3) for the illegal character test and return early. - -Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4] - -Signed-off-by: Xiangyu Chen ---- - lib/fields.c | 24 ++++++++++-------------- - 1 file changed, 10 insertions(+), 14 deletions(-) - -diff --git a/lib/fields.c b/lib/fields.c -index fb51b582..53929248 100644 ---- a/lib/fields.c -+++ b/lib/fields.c -@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal) - - /* For each character of field, search if it appears in the list - * of illegal characters. */ -+ if (illegal && NULL != strpbrk (field, illegal)) { -+ return -1; -+ } -+ -+ /* Search if there are non-printable or control characters */ - for (cp = field; '\0' != *cp; cp++) { -- if (strchr (illegal, *cp) != NULL) { -+ unsigned char c = *cp; -+ if (!isprint (c)) { -+ err = 1; -+ } -+ if (iscntrl (c)) { - err = -1; - break; - } - } - -- if (0 == err) { -- /* Search if there are non-printable or control characters */ -- for (cp = field; '\0' != *cp; cp++) { -- if (!isprint (*cp)) { -- err = 1; -- } -- if (!iscntrl (*cp)) { -- err = -1; -- break; -- } -- } -- } -- - return err; - } - --- -2.34.1 - diff --git a/meta/recipes-extended/shadow/files/CVE-2023-29383.patch b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch deleted file mode 100644 index f53341d3fc2..00000000000 --- a/meta/recipes-extended/shadow/files/CVE-2023-29383.patch +++ /dev/null @@ -1,53 +0,0 @@ -From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001 -From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com> -Date: Thu, 23 Mar 2023 23:39:38 +0000 -Subject: [PATCH] Added control character check - -Added control character check, returning -1 (to "err") if control characters are present. - -CVE: CVE-2023-29383 -Upstream-Status: Backport - -Reference to upstream: -https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d - -Signed-off-by: Xiangyu Chen ---- - lib/fields.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/lib/fields.c b/lib/fields.c -index 640be931..fb51b582 100644 ---- a/lib/fields.c -+++ b/lib/fields.c -@@ -21,9 +21,9 @@ - * - * The supplied field is scanned for non-printable and other illegal - * characters. -- * + -1 is returned if an illegal character is present. -- * + 1 is returned if no illegal characters are present, but the field -- * contains a non-printable character. -+ * + -1 is returned if an illegal or control character is present. -+ * + 1 is returned if no illegal or control characters are present, -+ * but the field contains a non-printable character. - * + 0 is returned otherwise. - */ - int valid_field (const char *field, const char *illegal) -@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal) - } - - if (0 == err) { -- /* Search if there are some non-printable characters */ -+ /* Search if there are non-printable or control characters */ - for (cp = field; '\0' != *cp; cp++) { - if (!isprint (*cp)) { - err = 1; -+ } -+ if (!iscntrl (*cp)) { -+ err = -1; - break; - } - } --- -2.34.1 - diff --git a/meta/recipes-extended/shadow/files/CVE-2023-4641.patch b/meta/recipes-extended/shadow/files/CVE-2023-4641.patch deleted file mode 100644 index 1fabfe928e4..00000000000 --- a/meta/recipes-extended/shadow/files/CVE-2023-4641.patch +++ /dev/null @@ -1,147 +0,0 @@ -From 25dbe2ce166a13322b7536ff2f738786ea2e61e7 Mon Sep 17 00:00:00 2001 -From: Alejandro Colomar -Date: Sat, 10 Jun 2023 16:20:05 +0200 -Subject: [PATCH] gpasswd(1): Fix password leak - -How to trigger this password leak? -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -When gpasswd(1) asks for the new password, it asks twice (as is usual -for confirming the new password). Each of those 2 password prompts -uses agetpass() to get the password. If the second agetpass() fails, -the first password, which has been copied into the 'static' buffer -'pass' via STRFCPY(), wasn't being zeroed. - -agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and -can fail for any of the following reasons: - -- malloc(3) or readpassphrase(3) failure. - - These are going to be difficult to trigger. Maybe getting the system - to the limits of memory utilization at that exact point, so that the - next malloc(3) gets ENOMEM, and possibly even the OOM is triggered. - About readpassphrase(3), ENFILE and EINTR seem the only plausible - ones, and EINTR probably requires privilege or being the same user; - but I wouldn't discard ENFILE so easily, if a process starts opening - files. - -- The password is longer than PASS_MAX. - - The is plausible with physical access. However, at that point, a - keylogger will be a much simpler attack. - -And, the attacker must be able to know when the second password is being -introduced, which is not going to be easy. - -How to read the password after the leak? -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Provoking the leak yourself at the right point by entering a very long -password is easy, and inspecting the process stack at that point should -be doable. Try to find some consistent patterns. - -Then, search for those patterns in free memory, right after the victim -leaks their password. - -Once you get the leak, a program should read all the free memory -searching for patterns that gpasswd(1) leaves nearby the leaked -password. - -On 6/10/23 03:14, Seth Arnold wrote: -> An attacker process wouldn't be able to use malloc(3) for this task. -> There's a handful of tools available for userspace to allocate memory: -> -> - brk / sbrk -> - mmap MAP_ANONYMOUS -> - mmap /dev/zero -> - mmap some other file -> - shm_open -> - shmget -> -> Most of these return only pages of zeros to a process. Using mmap of an -> existing file, you can get some of the contents of the file demand-loaded -> into the memory space on the first use. -> -> The MAP_UNINITIALIZED flag only works if the kernel was compiled with -> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare. -> -> malloc(3) doesn't zero memory, to our collective frustration, but all the -> garbage in the allocations is from previous allocations in the current -> process. It isn't leftover from other processes. -> -> The avenues available for reading the memory: -> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot) -> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA) -> - ptrace (requires ptrace privileges, mediated by YAMA) -> - causing memory to be swapped to disk, and then inspecting the swap -> -> These all require a certain amount of privileges. - -How to fix it? -~~~~~~~~~~~~~~ - -memzero(), which internally calls explicit_bzero(3), or whatever -alternative the system provides with a slightly different name, will -make sure that the buffer is zeroed in memory, and optimizations are not -allowed to impede this zeroing. - -This is not really 100% effective, since compilers may place copies of -the string somewhere hidden in the stack. Those copies won't get zeroed -by explicit_bzero(3). However, that's arguably a compiler bug, since -compilers should make everything possible to avoid optimizing strings -that are later passed to explicit_bzero(3). But we all know that -sometimes it's impossible to have perfect knowledge in the compiler, so -this is plausible. Nevertheless, there's nothing we can do against such -issues, except minimizing the time such passwords are stored in plain -text. - -Security concerns -~~~~~~~~~~~~~~~~~ - -We believe this isn't easy to exploit. Nevertheless, and since the fix -is trivial, this fix should probably be applied soon, and backported to -all supported distributions, to prevent someone else having more -imagination than us to find a way. - -Affected versions -~~~~~~~~~~~~~~~~~ - -All. Bug introduced in shadow 19990709. That's the second commit in -the git history. - -Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)") - -CVE: CVE-2023-4641 -Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904] - -Reported-by: Alejandro Colomar -Cc: Serge Hallyn -Cc: Iker Pedrosa -Cc: Seth Arnold -Cc: Christian Brauner -Cc: Balint Reczey -Cc: Sam James -Cc: David Runge -Cc: Andreas Jaeger -Cc: <~hallyn/shadow@lists.sr.ht> -Signed-off-by: Alejandro Colomar -Signed-off-by: Xiangyu Chen ---- - src/gpasswd.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/gpasswd.c b/src/gpasswd.c -index 5983f787..2d8869ef 100644 ---- a/src/gpasswd.c -+++ b/src/gpasswd.c -@@ -896,6 +896,7 @@ static void change_passwd (struct group *gr) - strzero (cp); - cp = getpass (_("Re-enter new password: ")); - if (NULL == cp) { -+ memzero (pass, sizeof pass); - exit (1); - } - --- -2.34.1 - diff --git a/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch b/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch index 85d91751056..4a932d2dbb1 100644 --- a/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch +++ b/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch @@ -1,4 +1,4 @@ -From 21583da072aa66901d859ac00ce209bac87ddecc Mon Sep 17 00:00:00 2001 +From a773c6b240d27e23d6be41decef0edf24fcee523 Mon Sep 17 00:00:00 2001 From: Chen Qi Date: Thu, 17 Jul 2014 15:53:34 +0800 Subject: [PATCH] commonio.c-fix-unexpected-open-failure-in-chroot-env @@ -15,35 +15,37 @@ Note that this patch doesn't change the logic in the code, it just expands the codes. Signed-off-by: Chen Qi - --- lib/commonio.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/lib/commonio.c b/lib/commonio.c -index 9a02ce1..61384ec 100644 +index 73fdb3a..d1231e9 100644 --- a/lib/commonio.c +++ b/lib/commonio.c -@@ -616,10 +616,18 @@ int commonio_open (struct commonio_db *db, int mode) +@@ -606,10 +606,18 @@ int commonio_open (struct commonio_db *db, int mode) db->cursor = NULL; db->changed = false; - fd = open (db->filename, - (db->readonly ? O_RDONLY : O_RDWR) -- | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW); +- | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC); - saved_errno = errno; + if (db->readonly) { + fd = open (db->filename, + (true ? O_RDONLY : O_RDWR) -+ | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW); ++ | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC); + saved_errno = errno; + } else { + fd = open (db->filename, + (false ? O_RDONLY : O_RDWR) -+ | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW); ++ | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW| O_CLOEXEC); + saved_errno = errno; + } + db->fp = NULL; if (fd >= 0) { #ifdef WITH_TCB +-- +2.30.2 + diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index ce3ce627156..c024746d4ff 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc @@ -5,7 +5,7 @@ BUGTRACKER = "http://github.com/shadow-maint/shadow/issues" SECTION = "base/utils" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING;md5=c9a450b7be84eac23e6353efecb60b5b \ - file://src/passwd.c;beginline=2;endline=30;md5=758c26751513b6795395275969dd3be1 \ + file://src/passwd.c;beginline=2;endline=7;md5=67bcf314687820b2f010d4863fce3fc5 \ " DEPENDS = "virtual/crypt" @@ -14,10 +14,6 @@ GITHUB_BASE_URI = "https://github.com/shadow-maint/shadow/releases" SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.gz \ ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ file://useradd \ - file://0001-Fix-can-not-print-full-login.patch \ - file://CVE-2023-29383.patch \ - file://0001-Overhaul-valid_field.patch \ - file://CVE-2023-4641.patch \ " SRC_URI:append:class-target = " \ @@ -26,14 +22,9 @@ SRC_URI:append:class-target = " \ " SRC_URI:append:class-native = " \ - file://0001-Disable-use-of-syslog-for-sysroot.patch \ file://commonio.c-fix-unexpected-open-failure-in-chroot-env.patch \ " -SRC_URI:append:class-nativesdk = " \ - file://0001-Disable-use-of-syslog-for-sysroot.patch \ - " -SRC_URI[sha256sum] = "813057047499c7fe81108adcf0cffa3ad4ec75e19a80151f9cbaa458ff2e86cd" - +SRC_URI[sha256sum] = "a305edf5d19bddbdf5e836d2d609fa8bff2d35458819de4d9f06306a1cf24342" # Additional Policy files for PAM PAM_SRC_URI = "file://pam.d/chfn \ @@ -44,7 +35,7 @@ PAM_SRC_URI = "file://pam.d/chfn \ file://pam.d/passwd \ file://pam.d/su" -inherit autotools gettext github-releases +inherit autotools gettext github-releases pkgconfig export CONFIG_SHELL="/bin/sh" @@ -54,6 +45,8 @@ EXTRA_OECONF += "--without-libcrack \ --without-sssd \ ${NSCDOPT}" +CFLAGS:append:libc-musl = " -DLIBBSD_OVERLAY" + NSCDOPT = "" NSCDOPT:class-native = "--without-nscd" NSCDOPT:class-nativesdk = "--without-nscd" @@ -73,13 +66,14 @@ PAM_PLUGINS = "libpam-runtime \ PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \ ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)}" -PACKAGECONFIG:class-native ??= "${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)}" +PACKAGECONFIG:class-native ??= "${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)} libbsd" PACKAGECONFIG:class-nativesdk = "" PACKAGECONFIG[pam] = "--with-libpam,--without-libpam,libpam,${PAM_PLUGINS}" PACKAGECONFIG[attr] = "--with-attr,--without-attr,attr" PACKAGECONFIG[acl] = "--with-acl,--without-acl,acl" PACKAGECONFIG[audit] = "--with-audit,--without-audit,audit" PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux libsemanage" +PACKAGECONFIG[libbsd] = "--with-libbsd,--without-libbsd,libbsd" RDEPENDS:${PN} = "shadow-securetty \ base-passwd \ diff --git a/meta/recipes-extended/shadow/shadow_4.13.bb b/meta/recipes-extended/shadow/shadow_4.14.2.bb similarity index 100% rename from meta/recipes-extended/shadow/shadow_4.13.bb rename to meta/recipes-extended/shadow/shadow_4.14.2.bb