Message ID | 20230418060859.241917-1-xiangyu.chen@eng.windriver.com |
---|---|
State | New, archived |
Series | [kirkstone] shadow: backport patch to fix CVE-2023-29383 |
I encountered a couple of issues with this patch.

1. The patch file for a CVE fix should have the CVE number in the filename, i.e. CVE-2023-29383.patch rather than 0001-Added-control-character-check.patch

2. Applying the patch resulted in many errors of the type:

example 1

TOPDIR/tmp/work/core2-32-poky-linux/cronie/1.6.1-r0/recipe-sysroot-native/usr/sbin/useradd
Running groupadd commands...
NOTE: cronie: Performing groupadd with [--root TOPDIR/tmp/work/core2-32-poky-linux/cronie/1.6.1-r0/recipe-sysroot --system crontab]
configuration error - unknown item 'SYSLOG_SU_ENAB' (notify administrator)
configuration error - unknown item 'SYSLOG_SG_ENAB' (notify administrator)
groupadd: failure while writing changes to /etc/group
ERROR: cronie: groupadd command did not succeed.
WARNING: exit code 1 from a shell command.

example 2

TOPDIR/tmp/work/core2-64-poky-linux/dbus/1.14.6-r0/recipe-sysroot-native/usr/sbin/useradd
Running useradd commands...
NOTE: dbus: Performing useradd with [--root TOPDIR/tmp/work/core2-64-poky-linux/dbus/1.14.6-r0/recipe-sysroot --system --home /var/lib/dbus --no-create-home --shell /bin/false --user-group messagebus]
configuration error - unknown item 'SYSLOG_SU_ENAB' (notify administrator)
configuration error - unknown item 'SYSLOG_SG_ENAB' (notify administrator)
useradd: Warning: missing or non-executable shell '/bin/false'
useradd: failure while writing changes to /etc/passwd
ERROR: dbus: useradd command did not succeed.
WARNING: TOPDIR/tmp/work/core2-64-poky-linux/dbus/1.14.6-r0/temp/run.useradd_sysroot.3937179:345 exit 1 from 'exit 1'
WARNING: Backtrace (BB generated script):
#1: bbfatal, TOPDIR/tmp/work/core2-64-poky-linux/dbus/1.14.6-r0/temp/run.useradd_sysroot.3937179, line 345
#2: perform_useradd, TOPDIR/tmp/work/core2-64-poky-linux/dbus/1.14.6-r0/temp/run.useradd_sysroot.3937179, line 331
#3: useradd_preinst, TOPDIR/tmp/work/core2-64-poky-linux/dbus/1.14.6-r0/temp/run.useradd_sysroot.3937179, line 256
#4: useradd_sysroot, TOPDIR/tmp/work/core2-64-poky-linux/dbus/1.14.6-r0/temp/run.useradd_sysroot.3937179, line 186
#5: main, TOPDIR/tmp/work/core2-64-poky-linux/dbus/1.14.6-r0/temp/run.useradd_sysroot.3937179, line 357

I see that the two items are set in meta/recipes-extended/shadow/files/login.defs_shadow-sysroot

Not sure how your patch triggers this, but it will need to be resolved before I can take the patch.

Thanks for helping fix CVEs!

Steve

On Mon, Apr 17, 2023 at 8:09 PM Xiangyu Chen <xiangyu.chen@eng.windriver.com> wrote:
>
> From: Xiangyu Chen <xiangyu.chen@windriver.com>
>
> Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
> ---
> .../0001-Added-control-character-check.patch | 53 +++++++++++++++++++
> meta/recipes-extended/shadow/shadow.inc | 1 +
> 2 files changed, 54 insertions(+)
> create mode 100644 meta/recipes-extended/shadow/files/0001-Added-control-character-check.patch
>
> diff --git a/meta/recipes-extended/shadow/files/0001-Added-control-character-check.patch b/meta/recipes-extended/shadow/files/0001-Added-control-character-check.patch > new file mode 100644 > index 0000000000..f53341d3fc > --- /dev/null > +++ b/meta/recipes-extended/shadow/files/0001-Added-control-character-check.patch
> @@ -0,0 +1,53 @@ > +From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001 > +From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com> > +Date: Thu, 23 Mar 2023 23:39:38 +0000 > +Subject: [PATCH] Added control character check > + > +Added control character check, returning -1 (to "err") if control characters are present. > + > +CVE: CVE-2023-29383 > +Upstream-Status: Backport > + > +Reference to upstream: > +https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d > + > +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> > +--- > + lib/fields.c | 11 +++++++---- > + 1 file changed, 7 insertions(+), 4 deletions(-) > + > +diff --git a/lib/fields.c b/lib/fields.c > +index 640be931..fb51b582 100644 > +--- a/lib/fields.c > ++++ b/lib/fields.c > +@@ -21,9 +21,9 @@ > + * > + * The supplied field is scanned for non-printable and other illegal > + * characters. > +- * + -1 is returned if an illegal character is present. > +- * + 1 is returned if no illegal characters are present, but the field > +- * contains a non-printable character. > ++ * + -1 is returned if an illegal or control character is present. > ++ * + 1 is returned if no illegal or control characters are present, > ++ * but the field contains a non-printable character. > + * + 0 is returned otherwise. > + */ > + int valid_field (const char *field, const char *illegal) > +@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal) > + } > + > + if (0 == err) { > +- /* Search if there are some non-printable characters */ > ++ /* Search if there are non-printable or control characters */ > + for (cp = field; '\0' != *cp; cp++) { > + if (!isprint (*cp)) { > + err = 1; > ++ } > ++ if (!iscntrl (*cp)) { > ++ err = -1; > + break; > + } > + } > +-- > +2.34.1 > + > diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc > index 5106b95571..8546501a04 100644 
> --- a/meta/recipes-extended/shadow/shadow.inc > +++ b/meta/recipes-extended/shadow/shadow.inc > @@ -16,6 +16,7 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/v${PV}/${BP} > ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ > file://shadow-relaxed-usernames.patch \ > file://useradd \ > + file://0001-Added-control-character-check.patch \ > " > > SRC_URI:append:class-target = " \ > -- > 2.32.0
diff --git a/meta/recipes-extended/shadow/files/0001-Added-control-character-check.patch b/meta/recipes-extended/shadow/files/0001-Added-control-character-check.patch new file mode 100644 index 0000000000..f53341d3fc --- /dev/null +++ b/meta/recipes-extended/shadow/files/0001-Added-control-character-check.patch 
@@ -0,0 +1,53 @@ +From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001 +From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com> +Date: Thu, 23 Mar 2023 23:39:38 +0000 +Subject: [PATCH] Added control character check + +Added control character check, returning -1 (to "err") if control characters are present. + +CVE: CVE-2023-29383 +Upstream-Status: Backport + +Reference to upstream: +https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d + +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + lib/fields.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/lib/fields.c b/lib/fields.c +index 640be931..fb51b582 100644 +--- a/lib/fields.c ++++ b/lib/fields.c +@@ -21,9 +21,9 @@ + * + * The supplied field is scanned for non-printable and other illegal + * characters. +- * + -1 is returned if an illegal character is present. +- * + 1 is returned if no illegal characters are present, but the field +- * contains a non-printable character. ++ * + -1 is returned if an illegal or control character is present. ++ * + 1 is returned if no illegal or control characters are present, ++ * but the field contains a non-printable character. + * + 0 is returned otherwise. + */ + int valid_field (const char *field, const char *illegal) +@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal) + } + + if (0 == err) { +- /* Search if there are some non-printable characters */ ++ /* Search if there are non-printable or control characters */ + for (cp = field; '\0' != *cp; cp++) { + if (!isprint (*cp)) { + err = 1; ++ } ++ if (!iscntrl (*cp)) { ++ err = -1; + break; + } + } +-- +2.34.1 + diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index 5106b95571..8546501a04 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc 
@@ -16,6 +16,7 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/v${PV}/${BP} ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ file://shadow-relaxed-usernames.patch \ file://useradd \ + file://0001-Added-control-character-check.patch \ " SRC_URI:append:class-target = " \
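
Review bot: the test added to the loop in valid_field() in lib/fields.c, "if (!iscntrl (*cp))", is inverted. It is true for every character that is not a control character, so the first ordinary character of a field sets err = -1 and breaks out, and valid_field() returns -1 for any non-empty field that passed the illegal-character scan. That would explain the groupadd and useradd "failure while writing changes to /etc/group" and "/etc/passwd" errors reported in the reply above. The check needs to be "if (iscntrl (*cp)) { err = -1; break; }", which also matches the updated comment ("-1 is returned if an illegal or control character is present"). Separately, *cp is read from a const char * and passed straight to isprint() and iscntrl(); casting it to unsigned char avoids undefined behaviour for bytes with the high bit set.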
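
Review bot: in the shadow.inc hunk the new file:// entry goes into the common SRC_URI, not into SRC_URI:append:class-target, so the patch also changes the native useradd and groupadd that run against recipe sysroots (the recipe-sysroot-native/usr/sbin/useradd path in the reported logs). A regression in valid_field() therefore breaks every recipe that creates users or groups at build time, and the backport should be verified with such a build before it is resent. The entry should also be renamed to carry the CVE number, CVE-2023-29383.patch, as requested in the reply.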