Commit cc64981c authored by Xuetian Weng's avatar Xuetian Weng

systemd, util-linux, pam: update and use our own pool for ntp

parent a11e90ee
......@@ -3,37 +3,26 @@
#
pkgname=pam
pkgver=1.1.8
pkgrel=3
pkgver=1.2.1
pkgrel=1
pkgdesc="PAM (Pluggable Authentication Modules) library"
arch=('x86_64')
license=('GPL2')
url="http://www.kernel.org/pub/linux/libs/pam/"
depends=('glibc' 'db' 'cracklib' 'libtirpc')
url="http://linux-pam.org"
depends=('glibc' 'cracklib' 'libtirpc' 'pambase')
makedepends=('flex' 'w3m' 'docbook-xml>=4.4' 'docbook-xsl')
backup=(etc/security/{access.conf,group.conf,limits.conf,namespace.conf,namespace.init,pam_env.conf,time.conf} etc/pam.d/other etc/default/passwd etc/environment)
source=("https://fedorahosted.org/releases/l/i/linux-pam/Linux-PAM-$pkgver.tar.bz2"
#http://www.kernel.org/pub/linux/libs/pam/library/Linux-PAM-$pkgver.tar.bz2
"pam_unix2-glibc216.patch"
# file below should have been at https://build.opensuse.org/package/show/Linux-PAM/pam-modules
#"pam_unix2-2.9.1.tar.bz2" # actually now from Arch
"ftp://ftp.archlinux.org/other/pam_unix2/pam_unix2-2.9.1.tar.bz2"
pam-1.1.8-cve-2013-7041.patch
pam-1.1.8-cve-2014-2583.patch
other)
md5sums=('35b6091af95981b1b2cd60d813b5e4ee'
'dac109f68e04a4df37575fda6001ea17'
source=(http://linux-pam.org/library/Linux-PAM-$pkgver.tar.bz2
https://sources.archlinux.org/other/pam_unix2/pam_unix2-2.9.1.tar.bz2
pam_unix2-glibc216.patch)
md5sums=('9dc53067556d2dd567808fd509519dd6'
'da6a46e5f8cd3eaa7cbc4fc3a7e2b555'
'653661bea920de3bb2713bb85b408bc2'
'144ea8e2f9d49a0f4021027ca2c1558f'
'ac4900287a767654a3e8d9251a43f5e4')
'dac109f68e04a4df37575fda6001ea17')
options=('!emptydirs')
prepare() {
prepare () {
cd $srcdir/Linux-PAM-$pkgver
# fix CVEs in pam
patch -Np1 -i "${srcdir}/pam-1.1.8-cve-2013-7041.patch"
patch -Np1 -i "${srcdir}/pam-1.1.8-cve-2014-2583.patch"
# fix pam_unix2 building
cd $srcdir/pam_unix2-2.9.1
......@@ -42,7 +31,7 @@ prepare() {
build() {
cd $srcdir/Linux-PAM-$pkgver
./configure --libdir=/usr/lib --sbindir=/usr/sbin
./configure --libdir=/usr/lib --sbindir=/usr/sbin --disable-db
make
cd $srcdir/pam_unix2-2.9.1
......@@ -58,7 +47,6 @@ build() {
package() {
cd $srcdir/Linux-PAM-$pkgver
make DESTDIR=$pkgdir SCONFIGDIR=/etc/security install
install -D -m644 ../other $pkgdir/etc/pam.d/other
# build pam_unix2 module
# source ftp://ftp.suse.com/pub/people/kukuk/pam/pam_unix2
......
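Review bot: The new tarball source at L33 is fetched over plain http and checked only against `md5sums`, so the integrity of the PAM library now rests on an MD5 digest with no transport protection; use https for the linux-pam.org URL if the host offers it and replace the array with `sha256sums=(...)`, which makepkg supports. The commit also drops the two CVE patches and their `patch -Np1` lines from prepare(); presumably 1.2.1 carries those fixes upstream, but nothing on the page confirms it, so a one-line comment such as `# pam-1.1.8-cve-*.patch dropped: fixes are in upstream 1.2.x (verified against upstream git)` would keep the removal auditable. `backup=` at L21 still lists etc/pam.d/other although the new `source=` at L33–L35 no longer ships `other` and pam now depends on pambase, which does; that entry looks stale. The `prepare () {` spelling at L44 also diverges from the `build() {` / `package() {` form used in the rest of the file.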
From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" <ldv@altlinux.org>
Date: Fri, 24 Jan 2014 22:18:32 +0000
Subject: [PATCH] pam_userdb: fix password hash comparison
Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
passwords support in pam_userdb, hashes are compared case-insensitively.
This bug leads to accepting hashes for completely different passwords in
addition to those that should be accepted.
Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
modern password hashes with different lengths and settings, did not
update the hash comparison accordingly, which leads to accepting
computed hashes longer than stored hashes when the latter is a prefix
of the former.
* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
hash whose length differs from the stored hash length.
Compare computed and stored hashes case-sensitively.
Fixes CVE-2013-7041.
Bug-Debian: http://bugs.debian.org/731368
---
modules/pam_userdb/pam_userdb.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
index de8b5b1..ff040e6 100644
--- a/modules/pam_userdb/pam_userdb.c
+++ b/modules/pam_userdb/pam_userdb.c
@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
} else {
cryptpw = crypt (pass, data.dptr);
- if (cryptpw) {
- compare = strncasecmp (data.dptr, cryptpw, data.dsize);
+ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
+ compare = memcmp(data.dptr, cryptpw, data.dsize);
} else {
compare = -2;
if (ctrl & PAM_DEBUG_ARG) {
- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
+ if (cryptpw)
+ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
+ else
+ pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
}
};
--
1.8.3.1
From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" <ldv@altlinux.org>
Date: Wed, 26 Mar 2014 22:17:23 +0000
Subject: [PATCH] pam_timestamp: fix potential directory traversal issue
(ticket #27)
pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
the timestamp pathname it creates, so extra care should be taken to
avoid potential directory traversal issues.
* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
"." and ".." tty values as invalid.
(get_ruser): Treat "." and ".." ruser values, as well as any ruser
value containing '/', as invalid.
Fixes CVE-2014-2583.
Reported-by: Sebastian Krahmer <krahmer@suse.de>
---
modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
index 5193733..b3f08b1 100644
--- a/modules/pam_timestamp/pam_timestamp.c
+++ b/modules/pam_timestamp/pam_timestamp.c
@@ -158,7 +158,7 @@ check_tty(const char *tty)
tty = strrchr(tty, '/') + 1;
}
/* Make sure the tty wasn't actually a directory (no basename). */
- if (strlen(tty) == 0) {
+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
return NULL;
}
return tty;
@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
if (pwd != NULL) {
ruser = pwd->pw_name;
}
+ } else {
+ /*
+ * This ruser is used by format_timestamp_name as a component
+ * of constructed timestamp pathname, so ".", "..", and '/'
+ * are disallowed to avoid potential path traversal issues.
+ */
+ if (!strcmp(ruser, ".") ||
+ !strcmp(ruser, "..") ||
+ strchr(ruser, '/')) {
+ ruser = NULL;
+ }
}
if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
*ruserbuf = '\0';
--
1.8.3.1
pkgname=pambase
pkgver=20130928
pkgrel=1
pkgdesc="Base PAM configuration for services"
arch=('any')
url="http://www.archlinux.org"
license=('GPL')
source=('system-auth'
'system-local-login'
'system-login'
'system-remote-login'
'system-services'
'other')
backup=('etc/pam.d/system-auth'
'etc/pam.d/system-local-login'
'etc/pam.d/system-login'
'etc/pam.d/system-remote-login'
'etc/pam.d/system-services'
'etc/pam.d/other')
md5sums=('6116b8e199a3dfd26a085a67a718435d'
'477237985820117a0e6e1b13a86eb599'
'7464f86d346b22dd07b433c341a33aab'
'477237985820117a0e6e1b13a86eb599'
'6969307eef026979703a6eba33c2e3eb'
'6e6c8719e5989d976a14610f340bd33a')
package() {
install -dm755 "$pkgdir/etc/pam.d"
install -m644 -t "$pkgdir/etc/pam.d" "${source[@]}"
}
# vim:set ts=2 sw=2 et:
#%PAM-1.0
auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
#%PAM-1.0
auth required pam_env.so
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
auth required pam_env.so
account required pam_unix.so
account optional pam_permit.so
......@@ -12,6 +12,5 @@ password required pam_unix.so try_first_pass nullok sha512 shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
......@@ -12,9 +12,8 @@ account include system-auth
password include system-auth
session optional pam_loginuid.so
session required pam_env.so
session include system-auth
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so dir=/var/spool/mail standard
-session optional pam_ck_connector.so nox11
session optional pam_mail.so dir=/var/spool/mail standard quiet
-session optional pam_systemd.so
session required pam_env.so
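Review bot: `session optional pam_systemd.so` is removed at L217, so logins through this stack would no longer register a logind session (and would not get an XDG_RUNTIME_DIR) unless pam_systemd is pulled in by an included stack such as system-auth, which is not visible on this page; the commit message does not mention the change. If the line is meant to come from another stack, say so at the removal point, e.g. `# pam_systemd.so is provided by <stack placeholder>`. Dropping pam_ck_connector.so at L215 is consistent with the package having no ConsoleKit dependency, and the `quiet` added to pam_mail.so at L216 is fine as written.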
......@@ -6,6 +6,6 @@ account include system-auth
session optional pam_loginuid.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
session required pam_env.so
# maintainer: Fabian Kosmale <inkane@chakra-project.org>
pkgname=systemd
pkgver=225
pkgrel=2
pkgver=227
pkgrel=1
pkgdesc="A system and service manager for Linux"
arch=('x86_64')
url="http://www.freedesktop.org/wiki/Software/systemd"
......@@ -66,17 +66,13 @@ md5sums=('SKIP'
prepare() {
cd "$pkgname"
# networkd: fix neworkd crash
# https://github.com/systemd/systemd/commit/49f6e11e89b4
git cherry-pick -n 49f6e11e89b4
./autogen.sh
}
build() {
cd "$pkgname"
local timeservers=({0..3}.arch.pool.ntp.org) # WARNING: this needs to change before the package can move to stable
local timeservers=({0..3}.chakra.pool.ntp.org)
./configure \
--libexecdir=/usr/lib \
......@@ -89,7 +85,6 @@ build() {
--enable-gnuefi \
--disable-audit \
--disable-ima \
--disable-kdbus \
--with-sysvinit-path= \
--with-sysvrcnd-path= \
--with-ntp-servers="${timeservers[*]}"
......
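Review bot: The vendor pool `{0..3}.chakra.pool.ntp.org` at L246 resolves only if that vendor zone is registered with the NTP Pool project; nothing on the page shows that, and once the arch.pool.ntp.org entries are gone these names become the only compiled-in fallback servers, so clocks would silently stay unsynchronised if they do not resolve. Record the registration next to the line, e.g. `# chakra vendor zone registered with pool.ntp.org — see <ticket placeholder>`, so a later bump does not quietly revert to the arch pool. The removal of `--disable-kdbus` at L253 and of the networkd cherry-pick in prepare() presumably tracks changes in 227, which the commit message does not say; a short mention there would help. build() continues outside the hunk.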
From 02501746545ef729cefed28b5feb0b4e59c3d34f Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Fri, 11 Sep 2015 11:19:30 +0200
Subject: [PATCH] libmount: (monitor) don't check for regular mtab
The monitor supports utab only (as documented). It's application
responsibility to use libmount in the right way. It's overkill to
check for valid environment during monitor initialization.
For example systemd checks for regular mtab during boot, it's better
than try to be smart later in libmount monitor when system is already
running.
Signed-off-by: Karel Zak <kzak@redhat.com>
---
libmount/src/monitor.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/libmount/src/monitor.c b/libmount/src/monitor.c
index cc3854e..ca9e02c 100644
--- a/libmount/src/monitor.c
+++ b/libmount/src/monitor.c
@@ -220,7 +220,7 @@ static int userspace_add_watch(struct monitor_entry *me, int *final, int *fd)
assert(me->path);
/*
- * libmount uses rename(2) to atomically update utab/mtab, monitor
+ * libmount uses rename(2) to atomically update utab, monitor
* rename changes is too tricky. It seems better to monitor utab
* lockfile close.
*/
@@ -399,10 +399,6 @@ int mnt_monitor_enable_userspace(struct libmnt_monitor *mn, int enable, const ch
DBG(MONITOR, ul_debugobj(mn, "allocate new userspace monitor"));
- /* create a new entry */
- if (mnt_has_regular_mtab(NULL, NULL))
- return -ENOSYS;
-
if (!filename)
filename = mnt_get_utab_path(); /* /run/mount/utab */
if (!filename) {
--
2.5.3
#
pkgname=util-linux
pkgver=2.26.2
pkgver=2.27
pkgrel=1
pkgdesc="Miscellaneous system utilities for Linux"
url="http://www.kernel.org/pub/linux/utils/util-linux/"
url="https://www.kernel.org/pub/linux/utils/util-linux/"
arch=('x86_64')
groups=('base')
depends=('pam' 'shadow' 'coreutils' 'glibc')
......@@ -13,31 +13,26 @@ conflicts=('util-linux-ng' 'eject')
provides=("util-linux-ng=${pkgver}" 'eject')
license=('GPL2')
options=('strip' 'debug')
source=("https://www.kernel.org/pub/linux/utils/util-linux/v2.26/$pkgname-$pkgver.tar."{xz,sign}
uuidd.tmpfiles
pam-{login,common,su}
system-{auth,local-login,login,remote-login,services})
validpgpkeys=('B0C64D14301CC6EFAEDF60E4E4B71D5EEC39C284') # Karel Zak
source=("https://www.kernel.org/pub/linux/utils/util-linux/v2.27/$pkgname-$pkgver.tar."{xz,sign}
"0001-libmount-monitor-don-t-check-for-regular-mtab.patch"
pam-{login,common,su})
backup=(etc/pam.d/chfn
etc/pam.d/chsh
etc/pam.d/login
etc/pam.d/su
etc/pam.d/su-l)
install=util-linux.install
md5sums=('9bdf368c395f1b70325d0eb22c7f48fb'
md5sums=('5b06bbda9309624ee7add15bc8d8ca22'
'SKIP'
'a39554bfd65cccfd8254bb46922f4a67'
'f9e06605db9107b9c4bb1c48059fe18e'
'4368b3f98abd8a32662e094c54e7f9b1'
'a31374fef2cba0ca34dfc7078e2969e4'
'fa85e5cce5d723275b14365ba71a8aad'
'5f169a4ffe7ed69f58e106cdd2d760df'
'477237985820117a0e6e1b13a86eb599'
'17c691f2da319df8fe851bc47cc1d662'
'477237985820117a0e6e1b13a86eb599'
'30fe7d41e054ee43fab7855bf88a07e5')
validpgpkeys=('B0C64D14301CC6EFAEDF60E4E4B71D5EEC39C284') # Karel Zak
'fa85e5cce5d723275b14365ba71a8aad')
prepare() {
cd "$pkgname-$pkgver"
patch -Np1 <../0001-libmount-monitor-don-t-check-for-regular-mtab.patch
}
build() {
......@@ -56,7 +51,6 @@ build() {
--enable-write \
--enable-mesg \
--enable-libmount-force-mountinfo \
--enable-socket-activation \
--with-python=3
make
......@@ -82,11 +76,7 @@ package() {
install -m644 "$srcdir/pam-login" "$pkgdir/etc/pam.d/login"
install -m644 "$srcdir/pam-su" "${pkgdir}/etc/pam.d/su"
install -m644 "$srcdir/pam-su" "${pkgdir}/etc/pam.d/su-l"
install -m644 "$srcdir/system-auth" "${pkgdir}/etc/pam.d/system-auth"
install -m644 "$srcdir/system-local-login" "${pkgdir}/etc/pam.d/system-local-login"
install -m644 "$srcdir/system-login" "${pkgdir}/etc/pam.d/system-login"
install -m644 "$srcdir/system-remote-login" "${pkgdir}/etc/pam.d/system-remote-login"
install -m644 "$srcdir/system-services" "${pkgdir}/etc/pam.d/system-services"
install -Dm644 "$srcdir/uuidd.tmpfiles" "$pkgdir/usr/lib/tmpfiles.d/uuidd.conf"
# TODO(dreisner): offer this upstream?
sed -i '/ListenStream/ aRuntimeDirectory=uuidd' "$pkgdir/usr/lib/systemd/system/uuidd.socket"
}
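Review bot: The copy `install -Dm644 "$srcdir/uuidd.tmpfiles" ...` at L360 still appears on the new side while `uuidd.tmpfiles` is gone from `source=` (L315–L317); makepkg only places listed sources in $srcdir, so if the file is really dropped — and the whole-file sections for util-linux.install and uuidd.tmpfiles below read as deletions — package() fails at that line, and `install=util-linux.install` at L323 would then point at a missing file as well. The `RuntimeDirectory=uuidd` sed at L362 already lets systemd create /run/uuidd, so removing L360 and the `install=` line together is the consistent fix. The `md5sums` array must follow `source=` order: the patch is the third source entry at L316 but its checksum seems to be appended last at L338 — verify the array, since a misordered entry makes makepkg reject the download. The dropped `--enable-socket-activation` at L348 presumably tracks a configure option removed in 2.27; the commit message should say so.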
post_install() {
# No use of systemd-tmpfiles or uuidd (use number instead) here because
# the package dependency would create a circular dep to systemd and filesystem.
if [ ! -d run/uuidd ]; then
install -o 68 -g 68 -dm755 run/uuidd
fi
}
post_upgrade() {
post_install
}
d /run/uuidd 0755 uuidd uuidd