diff options
| author |   Li Zhou <li.zhou@windriver.com> | 2020-01-03 13:58:12 +0800 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-01-03 22:35:19 +0000 |
| commit | a0de64cab692562d4bbd64f8bdcaa3fc6bc694bb (patch) | |
| tree | 4b7bbed4f6d302e31e6b857f19434e858693030b | |
| parent | 0da6e0a232019fe7eccfbdf33a13c1fe0a35cddd (diff) | |
| download | openembedded-core-contrib-a0de64cab692562d4bbd64f8bdcaa3fc6bc694bb.tar.gz | |
shadow: Security Advisory - shadow - CVE-2019-19882
Backport patch from <https://github.com/shadow-maint/shadow/pull/199/
commits/66b7bc0dcfda12d7f58eba993bd02872cae1d713> to solve
CVE-2019-19882.
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-extended/shadow/files/CVE-2019-19882.patch | 55 | ||||
| -rw-r--r-- | meta/recipes-extended/shadow/shadow.inc | 1 |
2 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-extended/shadow/files/CVE-2019-19882.patch b/meta/recipes-extended/shadow/files/CVE-2019-19882.patch new file mode 100644 index 0000000000..894d867680 --- /dev/null +++ b/meta/recipes-extended/shadow/files/CVE-2019-19882.patch @@ -0,0 +1,55 @@ +From 66b7bc0dcfda12d7f58eba993bd02872cae1d713 Mon Sep 17 00:00:00 2001 +From: Dave Reisner <dreisner@archlinux.org> +Date: Mon, 16 Dec 2019 14:11:23 -0500 +Subject: [PATCH] Don't auto-enable ACCT_TOOLS_SETUID if PAM is detected + +Here's a sad story: + +* 70971457 is merged into shadow, allowing newgidmap/newuidmap to be +installed with file caps rather than setuid. +* https://bugs.archlinux.org/task/63248 is filed to take advantage of +this. +* The arch maintainer of the 'shadow' package notices that this doesn't +work, and submits a pull request to fix this in shadow. +* edf7547ad5 is merged, fixing the post install hooks. + +The problem here is that distros have been building shadow with PAM for +O(years), but the install hooks have silently failed due to the +combination of the directory mismatch (suidubins vs suidsbins) and later +success with setuid'ing newgidmap/newuidmap. + +With the install hooks fixed, those of us (Arch[1] and Gentoo[2] so far) +who never built shadow explicitly with --enable-account-tools-setuid are +now getting setuid account tools, and don't have PAM configuration +suitable for use with setuid account management tools. + +It's entirely unclear to me why you'd want this, but I assume there's +some reason out there for it existing. Regardless, setuid binaries are +dangerous and shouldn't be enabled by default without good reason. + +[1] https://bugs.archlinux.org/task/64836 +[2] https://bugs.gentoo.org/702252 + +Upstream-Status: Backport +CVE: CVE-2019-19882 +Signed-off-by: Li Zhou <li.zhou@windriver.com> +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index e3ed3b43..d6e2bfbd 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -226,7 +226,7 @@ AC_ARG_ENABLE(account-tools-setuid, + *) AC_MSG_ERROR(bad value ${enableval} for --enable-account-tools-setuid) + ;; + esac], +- [enable_acct_tools_setuid="maybe"] ++ [enable_acct_tools_setuid="no"] + ) + + AC_ARG_ENABLE(utmpx, +-- +2.17.1 + diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index 267d2324c5..3bfa39e6ff 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc @@ -13,6 +13,7 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}. file://shadow-4.1.3-dots-in-usernames.patch \ ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ file://shadow-relaxed-usernames.patch \ + file://CVE-2019-19882.patch \ " SRC_URI_append_class-target = " \ |