mirrors/aports
1
0
Fork 0
mirror of https://gitlab.alpinelinux.org/alpine/aports.git synced 2025-08-05 05:17:07 +02:00
Code Issues Packages Projects Releases Wiki Activity

community/shadow: upgrade to 4.5

Browse Source
This commit is contained in:
Natanael Copa 2017-11-29 16:22:49 +00:00
parent da5ea802a3
commit fe20e8da2f
6 changed files with 10 additions and 267 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
community/shadow/301-CVE-2017-2616-su-properly-clear-child-PID.patch
View File

@ -1,59 +0,0 @@
From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Thu, 23 Feb 2017 09:47:29 -0600
Subject: [PATCH] su: properly clear child PID
If su is compiled with PAM support, it is possible for any local user
to send SIGKILL to other processes with root privileges. There are
only two conditions. First, the user must be able to perform su with
a successful login. This does NOT have to be the root user, even using
su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
can only be sent to processes which were executed after the su process.
It is not possible to send SIGKILL to processes which were already
running. I consider this as a security vulnerability, because I was
able to write a proof of concept which unlocked a screen saver of
another user this way.
---
src/su.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
--- a/src/su.c
+++ b/src/su.c
@@ -363,20 +363,35 @@ static void prepare_pam_close_session (v
/* wake child when resumed */
kill (pid, SIGCONT);
stop = false;
+ } else {
+ pid_child = 0;
}
} while (!stop);
}
- if (0 != caught) {
+ if (0 != caught && 0 != pid_child) {
(void) fputs ("\n", stderr);
(void) fputs (_("Session terminated, terminating shell..."),
stderr);
(void) kill (-pid_child, caught);
(void) signal (SIGALRM, kill_child);
+ (void) signal (SIGCHLD, catch_signals);
(void) alarm (2);
- (void) wait (&status);
+ sigemptyset (&ourset);
+ if ((sigaddset (&ourset, SIGALRM) != 0)
+ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
+ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
+ kill_child (0);
+ } else {
+ while (0 == waitpid (pid_child, &status, WNOHANG)) {
+ sigsuspend (&ourset);
+ }
+ pid_child = 0;
+ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
+ }
+
(void) fputs (_(" ...terminated.\n"), stderr);
}

46
community/shadow/302-CVE-2016-6252-fix-integer-overflow.patch
View File

@ -1,46 +0,0 @@
From 1d5a926cc2d6078d23a96222b1ef3e558724dad1 Mon Sep 17 00:00:00 2001
From: Sebastian Krahmer <krahmer@suse.com>
Date: Wed, 3 Aug 2016 11:51:07 -0500
Subject: [PATCH] Simplify getulong
Use strtoul to read an unsigned long, rather than reading
a signed long long and casting it.
https://bugzilla.suse.com/show_bug.cgi?id=979282
---
lib/getulong.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/lib/getulong.c b/lib/getulong.c
index 61579ca..08d2c1a 100644
--- a/lib/getulong.c
+++ b/lib/getulong.c
@@ -44,22 +44,19 @@
*/
int getulong (const char *numstr, /*@out@*/unsigned long int *result)
{
- long long int val;
+ unsigned long int val;
char *endptr;
errno = 0;
- val = strtoll (numstr, &endptr, 0);
+ val = strtoul (numstr, &endptr, 0);
if ( ('\0' == *numstr)
|| ('\0' != *endptr)
|| (ERANGE == errno)
- /*@+ignoresigns@*/
- || (val != (unsigned long int)val)
- /*@=ignoresigns@*/
) {
return 0;
}
- *result = (unsigned long int)val;
+ *result = val;
return 1;
}
--
2.1.4

29
community/shadow/303-Reset-pid_child-only-if-waitpid-was-successful.patch
View File

@ -1,29 +0,0 @@
From 7d82f203eeec881c584b2fa06539b39e82985d97 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sun, 14 May 2017 17:58:10 +0200
Subject: [PATCH] Reset pid_child only if waitpid was successful.
Do not reset the pid_child to 0 if the child process is still
running. This else-condition can be reached with pid being -1,
therefore explicitly test this condition.
This is a regression fix for CVE-2017-2616. If su receives a
signal like SIGTERM, it is not propagated to the child.
Reported-by: Radu Duta <raduduta@gmail.com>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
src/su.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/src/su.c
+++ b/src/su.c
@@ -363,7 +363,7 @@ static void prepare_pam_close_session (v
/* wake child when resumed */
kill (pid, SIGCONT);
stop = false;
- } else {
+ } else if ( (pid_t)-1 != pid) {
pid_child = 0;
}
} while (!stop);

26
community/shadow/APKBUILD
View File

@ -2,8 +2,8 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Maintainer: Stuart Cardall <developer@it-offshore.co.uk>
pkgname=shadow
pkgver=4.2.1
pkgrel=11
pkgver=4.5
pkgrel=0
pkgdesc="PAM-using login and passwd utilities (usermod, useradd, ...)"
url="http://pkg-shadow.alioth.debian.org/"
arch="all"
@ -11,20 +11,19 @@ license="GPL"
depends=""
makedepends="linux-pam-dev"
subpackages="$pkgname-doc $pkgname-dbg $pkgname-uidmap"
source="http://pkg-shadow.alioth.debian.org/releases/shadow-$pkgver.tar.xz
source="https://github.com/shadow-maint/shadow/releases/download/$pkgver/shadow-$pkgver.tar.xz
login.pamd
dots-in-usernames.patch
cross-size-checks.patch
verbose-error-when-uid-doesnt-match.patch
301-CVE-2017-2616-su-properly-clear-child-PID.patch
302-CVE-2016-6252-fix-integer-overflow.patch
303-Reset-pid_child-only-if-waitpid-was-successful.patch
useradd-usergroups.patch
pam-useradd.patch
"
# secfixes:
# - CVE-2016-6252
# - CVE-2017-2616 (+ regression fix)
# 4.5-r0:
# - CVE-2017-12424
# 4.2.1-r11:
# - CVE-2017-2616
# 4.2.1-r7:
# - CVE-2016-6252
options="suid"
builddir="$srcdir/shadow-$pkgver"
@ -104,13 +103,8 @@ uidmap() {
touch etc/subuid etc/subgid
}
sha512sums="7a14bf8e08126f0402e37b6e4c559615ced7cf829e39156d929ed05cd8813de48a77ff1f7f6fe707da04cf662a2e9e84c22d63d88dd1ed13f935fde594db95f0 shadow-4.2.1.tar.xz
sha512sums="e57f8db54df23301c229d4be30d4cbb67efa1d1809cffcff79adc480b6019fb2b5fd09e112e82a3f00ad5a6b2994592adac93f70a631cf666b6f4723b61c87b5 shadow-4.5.tar.xz
46a6f83f3698e101b58b8682852da749619412f75dfa85cecad03d0847f6c3dc452d984510db7094220e4570a0565b83b0556e16198ad894a3ec84b3e513d58d login.pamd
745eea04c054226feba165b635dbb8570b8a04537d41e914400a4c54633c3a9cf350da0aabfec754fb8cf3e58fc1c8cf597b895506312f19469071760c11f31d dots-in-usernames.patch
c46760254439176babeef24d93900914092655af3a48f54385adf6ef5a3af76799fb7e96083acd27853d6ab6d7392543dbaf70bb26f164519e92f677da7851a4 cross-size-checks.patch
1b3513772a7a0294b587723213e4464cc5a1a42ae6a79e9b9f9ea20083684a21d81e362f44d87ce2e6de2daf396d8422b39019923c0b0cbb44fa4c4c24613c0c verbose-error-when-uid-doesnt-match.patch
0954920ce9307948848d8f9ca5ea5bba4db8394793ef314ab5c6770948e96071748192b52ba8c31d543fe71ce0e6e2a7f3a2a92862966a940639a19df1048634 301-CVE-2017-2616-su-properly-clear-child-PID.patch
36f494347cb980d85ea82331ec620a949be45f5f2c400a3b13f409a8d9c932c0f822cb0baa2ee78c6f356e7bf93de51c1b0f20730e8f3af36a746a5632d19bbe 302-CVE-2016-6252-fix-integer-overflow.patch
e36d54759b71d48c62aefc4032e63deccafa69d22f8bae772b4c0ca135b431db9cd35a1a2a2adf5c76996e76e13ab82e1cf19bba70c6ca4414b3979a43c292c2 303-Reset-pid_child-only-if-waitpid-was-successful.patch
49f1d5ded82d2d479805c77d7cc6274c30233596e375b28306b31a33f8fbfc3611dbc77d606081b8300247908c267297dbb6c5d1a30d56095dda53c6a636fb56 useradd-usergroups.patch
0b4587e263cb6be12fa5ae6bc3b3fc4d3696dae355bc67d085dc58c52ff96edb4d163b95db2092b8c2f3310839430cac03c7af356641b42e24ee4aa6410f5cf1 pam-useradd.patch"

42
community/shadow/cross-size-checks.patch
View File

@ -1,42 +0,0 @@
From 2cb54158b80cdbd97ca3b36df83f9255e923ae3f Mon Sep 17 00:00:00 2001
From: James Le Cuirot <chewi@aura-online.co.uk>
Date: Sat, 23 Aug 2014 09:46:39 +0100
Subject: [PATCH] Check size of uid_t and gid_t using AC_CHECK_SIZEOF
This built-in check is simpler than the previous method and, most
importantly, works when cross-compiling.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
---
configure.in | 14 ++++----------
1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/configure.in b/configure.in
index 1a3f841..4a4d6d0 100644
--- a/configure.in
+++ b/configure.in
@@ -335,16 +335,10 @@ if test "$enable_subids" != "no"; then
dnl
dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc
dnl
- AC_RUN_IFELSE([AC_LANG_SOURCE([
-#include <sys/types.h>
-int main(void) {
- uid_t u;
- gid_t g;
- return (sizeof u < 4) || (sizeof g < 4);
-}
- ])], [id32bit="yes"], [id32bit="no"])
-
- if test "x$id32bit" = "xyes"; then
+ AC_CHECK_SIZEOF([uid_t],, [#include "sys/types.h"])
+ AC_CHECK_SIZEOF([gid_t],, [#include "sys/types.h"])
+
+ if test "$ac_cv_sizeof_uid_t" -ge 4 && test "$ac_cv_sizeof_gid_t" -ge 4; then
AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.])
enable_subids="yes"
else
--
2.3.6

75
community/shadow/verbose-error-when-uid-doesnt-match.patch
View File

@ -1,75 +0,0 @@
From: Hank Leininger <hlein@korelogic.com>
Date: Mon, 6 Apr 2015 08:22:48 -0500
Subject: [PATCH] Expand the error message when newuidmap / newgidmap do not
like the user/group ownership of their target process.
Currently the error is just:
newuidmap: Target [pid] is owned by a different user
With this patch it will be like:
newuidmap: Target [pid] is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:99
Why is this useful? Well, in my case...
The grsecurity kernel-hardening patch includes an option to make parts
of /proc unreadable, such as /proc/pid/ dirs for processes not owned by
the current uid. This comes with an option to make /proc/pid/
directories readable by a specific gid; sysadmins and the like are then
put into that group so they can see a full 'ps'.
This means that the check in new[ug]idmap fails, as in the above quoted
error - /proc/[targetpid] is owned by root, but the group is 99 so that
users in group 99 can see the process.
Some Googling finds dozens of people hitting this problem, but not
*knowing* that they have hit this problem, because the errors and
circumstances are non-obvious.
Some graceful way of handling this and not failing, will be next ;) But
in the meantime it'd be nice to have new[ug]idmap emit a more useful
error, so that it's easier to troubleshoot.
Thanks!
Signed-off-by: Hank Leininger <hlein@korelogic.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
---
src/newgidmap.c | 6 ++++--
src/newuidmap.c | 6 ++++--
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/newgidmap.c b/src/newgidmap.c
index a532b45..451c6a6 100644
--- a/src/newgidmap.c
+++ b/src/newgidmap.c
@@ -161,8 +161,10 @@ int main(int argc, char **argv)
(getgid() != pw->pw_gid) ||
(pw->pw_uid != st.st_uid) ||
(pw->pw_gid != st.st_gid)) {
- fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ),
- Prog, target);
+ fprintf(stderr, _( "%s: Target %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
+ Prog, target,
+ (unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
+ (unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid);
return EXIT_FAILURE;
}
diff --git a/src/newuidmap.c b/src/newuidmap.c
index 5150078..9c8bc1b 100644
--- a/src/newuidmap.c
+++ b/src/newuidmap.c
@@ -161,8 +161,10 @@ int main(int argc, char **argv)
(getgid() != pw->pw_gid) ||
(pw->pw_uid != st.st_uid) ||
(pw->pw_gid != st.st_gid)) {
- fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ),
- Prog, target);
+ fprintf(stderr, _( "%s: Target process %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
+ Prog, target,
+ (unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
+ (unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid);
return EXIT_FAILURE;
}