Diffstat (limited to 'meta/recipes-extended/shadow/files/CVE-2019-19882.patch')
-rw-r--r-- | meta/recipes-extended/shadow/files/CVE-2019-19882.patch | 55 |
1 files changed, 0 insertions, 55 deletions
diff --git a/meta/recipes-extended/shadow/files/CVE-2019-19882.patch b/meta/recipes-extended/shadow/files/CVE-2019-19882.patch deleted file mode 100644 index 894d867680..0000000000 --- a/meta/recipes-extended/shadow/files/CVE-2019-19882.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 66b7bc0dcfda12d7f58eba993bd02872cae1d713 Mon Sep 17 00:00:00 2001 -From: Dave Reisner <dreisner@archlinux.org> -Date: Mon, 16 Dec 2019 14:11:23 -0500 -Subject: [PATCH] Don't auto-enable ACCT_TOOLS_SETUID if PAM is detected - -Here's a sad story: - -* 70971457 is merged into shadow, allowing newgidmap/newuidmap to be -installed with file caps rather than setuid. -* https://bugs.archlinux.org/task/63248 is filed to take advantage of -this. -* The arch maintainer of the 'shadow' package notices that this doesn't -work, and submits a pull request to fix this in shadow. -* edf7547ad5 is merged, fixing the post install hooks. - -The problem here is that distros have been building shadow with PAM for -O(years), but the install hooks have silently failed due to the -combination of the directory mismatch (suidubins vs suidsbins) and later -success with setuid'ing newgidmap/newuidmap. - -With the install hooks fixed, those of us (Arch[1] and Gentoo[2] so far) -who never built shadow explicitly with --enable-account-tools-setuid are -now getting setuid account tools, and don't have PAM configuration -suitable for use with setuid account management tools. - -It's entirely unclear to me why you'd want this, but I assume there's -some reason out there for it existing. Regardless, setuid binaries are -dangerous and shouldn't be enabled by default without good reason. 
- -[1] https://bugs.archlinux.org/task/64836 -[2] https://bugs.gentoo.org/702252 - -Upstream-Status: Backport -CVE: CVE-2019-19882 -Signed-off-by: Li Zhou <li.zhou@windriver.com> ---- - configure.ac | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index e3ed3b43..d6e2bfbd 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -226,7 +226,7 @@ AC_ARG_ENABLE(account-tools-setuid, - *) AC_MSG_ERROR(bad value ${enableval} for --enable-account-tools-setuid) - ;; - esac], -- [enable_acct_tools_setuid="maybe"] -+ [enable_acct_tools_setuid="no"] - ) - - AC_ARG_ENABLE(utmpx, --- -2.17.1 - |
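Review bot: Deleting the whole CVE-2019-19882 backport (the `@@ -1,55 +0,0 @@` hunk) is only safe if the shadow source the recipe now builds already carries the `configure.ac` change from `[enable_acct_tools_setuid="maybe"]` to `[enable_acct_tools_setuid="no"]`. This view is limited to the patch file, so neither that nor the matching removal of the file from the recipe's SRC_URI is visible here. Please state in the commit message which upstream shadow version includes commit 66b7bc0dcfda12d7f58eba993bd02872cae1d713, and confirm that a build with PAM enabled and no explicit `--enable-account-tools-setuid` does not install the account tools setuid. If the new source does not carry the change, keep the patch or pass `--disable-account-tools-setuid` explicitly in the recipe.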