libpam: update to 1.5.0
authorRosen Penev <rosenp@gmail.com>
Wed, 25 Nov 2020 00:52:51 +0000 (16:52 -0800)
committerRosen Penev <rosenp@gmail.com>
Wed, 25 Nov 2020 00:54:15 +0000 (16:54 -0800)
Fixes CVE-2020-27780

Removed upstreamed patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
libs/libpam/Makefile
libs/libpam/patches/010-crypt.patch [deleted file]
libs/libpam/patches/020-fgetpwent_r.patch [deleted file]

index d5a51b2b122cbf3fe61398bb57fc820e47c63241..719ab826c9533be152f903681df2cbe88bf10fb1 100644 (file)
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libpam
-PKG_VERSION:=1.4.0
+PKG_VERSION:=1.5.0
 PKG_RELEASE:=1
 
 PKG_SOURCE:=Linux-PAM-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://github.com/linux-pam/linux-pam/releases/download/v$(PKG_VERSION)
-PKG_HASH:=cd6d928c51e64139be3bdb38692c68183a509b83d4f2c221024ccd4bcddfd034
+PKG_HASH:=02d39854b508fae9dc713f7733bbcdadbe17b50de965aedddd65bcb6cc7852c8
 PKG_BUILD_DIR:=$(BUILD_DIR)/Linux-PAM-$(PKG_VERSION)
 
 PKG_MAINTAINER:=Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
diff --git a/libs/libpam/patches/010-crypt.patch b/libs/libpam/patches/010-crypt.patch
deleted file mode 100644 (file)
index 705e809..0000000
+++ /dev/null
@@ -1,35 +0,0 @@
-From aef363c7e8e942224e6cffc4398366c6e5d31749 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Thu, 11 Jun 2020 00:04:32 +0200
-Subject: [PATCH] configure.ac: fix build failure when crypt() does not require
- libcrypt
-
-Since commit 522246d20e4cd92fadc2d760228cb7e78cbeb4c5, the build fails
-if "none required" is returned by AC_SEARCH_LIBS for libcrypt.
-
-Resolves: https://github.com/linux-pam/linux-pam/pull/235
-Fixes: http://autobuild.buildroot.org/results/92b3dd7c984d2b843ac9aacacd69eec99f28743e
-Fixes: v1.4.0~228 ("Use cached 'crypt' library result correctly")
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- configure.ac | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index ea08a7a3..c1862ea7 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -428,7 +428,11 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
-   [crypt_libs="crypt"])
- BACKUP_LIBS=$LIBS
--AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_cv_search_crypt}", LIBCRYPT="")
-+AC_SEARCH_LIBS([crypt],[$crypt_libs])
-+case "$ac_cv_search_crypt" in
-+      -l*) LIBCRYPT="$ac_cv_search_crypt" ;;
-+      *) LIBCRYPT="" ;;
-+esac
- AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
- LIBS=$BACKUP_LIBS
- AC_SUBST(LIBCRYPT)
diff --git a/libs/libpam/patches/020-fgetpwent_r.patch b/libs/libpam/patches/020-fgetpwent_r.patch
deleted file mode 100644 (file)
index cc80429..0000000
+++ /dev/null
@@ -1,110 +0,0 @@
---- a/modules/pam_faillock/pam_faillock.c
-+++ b/modules/pam_faillock/pam_faillock.c
-@@ -348,42 +348,81 @@ set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name, const c
- static int
- check_local_user (pam_handle_t *pamh, const char *user)
- {
--      struct passwd pw, *pwp;
--      char buf[16384];
--      int found = 0;
-+      int rc;
-+      size_t user_len;
-       FILE *fp;
--      int errn;
-+      char line[BUFSIZ];
--      fp = fopen(PATH_PASSWD, "r");
--      if (fp == NULL) {
--              pam_syslog(pamh, LOG_ERR, "unable to open %s: %m",
--                         PATH_PASSWD);
--              return -1;
-+      /* Validate the user name.  */
-+      if ((user_len = strlen(user)) == 0) {
-+              pam_syslog(pamh, LOG_NOTICE, "user name is not valid");
-+              return PAM_SERVICE_ERR;
-+      }
-+
-+      if (user_len > sizeof(line) - sizeof(":")) {
-+              pam_syslog(pamh, LOG_NOTICE, "user name is too long");
-+              return PAM_SERVICE_ERR;
-+      }
-+
-+      if (strchr(user, ':') != NULL) {
-+              /*
-+               * "root:x" is not a local user name even if the passwd file
-+               * contains a line starting with "root:x:".
-+               */
-+              return PAM_PERM_DENIED;
-       }
--      for (;;) {
--              errn = fgetpwent_r(fp, &pw, buf, sizeof (buf), &pwp);
--              if (errn == ERANGE) {
--                      pam_syslog(pamh, LOG_WARNING, "%s contains very long lines; corrupted?",
--                                 PATH_PASSWD);
-+      /* Open the passwd file.  */
-+      FILE *file_name = "/etc/passwd";
-+      if ((fp = fopen(file_name, "r")) == NULL) {
-+              pam_syslog(pamh, LOG_ERR, "error opening %s: %m", file_name);
-+              return PAM_SERVICE_ERR;
-+      }
-+
-+      /*
-+       * Scan the file using fgets() instead of fgetpwent_r() because
-+       * the latter is not flexible enough in handling long lines
-+       * in passwd files.
-+       */
-+      rc = PAM_PERM_DENIED;
-+      while (fgets(line, sizeof(line), fp) != NULL) {
-+              size_t line_len;
-+              const char *str;
-+
-+              /*
-+               * Does this line start with the user name
-+               * followed by a colon?
-+               */
-+              if (strncmp(user, line, user_len) == 0 &&
-+                  line[user_len] == ':') {
-+                      rc = PAM_SUCCESS;
-                       break;
-               }
--              if (errn != 0)
--                      break;
--              if (strcmp(pwp->pw_name, user) == 0) {
--                      found = 1;
-+              /* Has a newline been read?  */
-+              line_len = strlen(line);
-+              if (line_len < sizeof(line) - 1 ||
-+                  line[line_len - 1] == '\n') {
-+                      /* Yes, continue with the next line.  */
-+                      continue;
-+              }
-+
-+              /* No, read till the end of this line first.  */
-+              while ((str = fgets(line, sizeof(line), fp)) != NULL) {
-+                      line_len = strlen(line);
-+                      if (line_len == 0 ||
-+                          line[line_len - 1] == '\n') {
-+                              break;
-+                      }
-+              }
-+              if (str == NULL) {
-+                      /* fgets returned NULL, we are done.  */
-                       break;
-               }
-+              /* Continue with the next line.  */
-       }
--      fclose (fp);
--
--      if (errn != 0 && errn != ENOENT) {
--              pam_syslog(pamh, LOG_ERR, "unable to enumerate local accounts: %m");
--              return -1;
--      } else {
--              return found;
--      }
-+      fclose(fp);
-+      return rc;
- }
- static int