libpam: update 1.5.2 -> 1.5.3

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

4 files changed, 1 insertions, 382 deletions

diff --git a/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch b/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch
deleted file mode 100644
index 94dcb04f0a..0000000000
--- a/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From 42404548721c653317c911c83d885e2fc7fbca70 Mon Sep 17 00:00:00 2001
-From: Per Jessen <per@jessen.ch>
-Date: Fri, 22 Apr 2022 18:15:36 +0200
-Subject: [PATCH] pam_motd: do not rely on all filesystems providing a filetype
-
-When using scandir() to look for MOTD files to display, we wrongly
-relied on all filesystems providing a filetype.  This is a fix to divert
-to lstat() when we have no filetype.  To maintain MT safety, it isn't
-possible to use lstat() in the scandir() filter function, so all of the
-filtering has been moved to an additional loop after scanning all the
-motd dirs.
-Also, remove superfluous alphasort from scandir(), we are doing
-a qsort() later.
-
-Resolves: https://github.com/linux-pam/linux-pam/issues/455
-
-Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/42404548721c653317c911c83d885e2fc7fbca70]
-
-Signed-off-by: Per Jessen <per@jessen.ch>
-Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
----
- modules/pam_motd/pam_motd.c | 49 ++++++++++++++++++++++++++++++-------
- 1 file changed, 40 insertions(+), 9 deletions(-)
-
-diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
-index 6ac8cba2..5ca486e4 100644
---- a/modules/pam_motd/pam_motd.c
-+++ b/modules/pam_motd/pam_motd.c
-@@ -166,11 +166,6 @@ static int compare_strings(const void *a, const void *b)
-     }
- }
- 
--static int filter_dirents(const struct dirent *d)
--{
--    return (d->d_type == DT_REG || d->d_type == DT_LNK);
--}
--
- static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
- 	char **motd_dir_path_split, unsigned int num_motd_dirs, int report_missing)
- {
-@@ -199,8 +194,7 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
- 
-     for (i = 0; i < num_motd_dirs; i++) {
- 	int rv;
--	rv = scandir(motd_dir_path_split[i], &(dirscans[i]),
--		filter_dirents, alphasort);
-+	rv = scandir(motd_dir_path_split[i], &(dirscans[i]), NULL, NULL);
- 	if (rv < 0) {
- 	    if (errno != ENOENT || report_missing) {
- 		pam_syslog(pamh, LOG_ERR, "error scanning directory %s: %m",
-@@ -215,6 +209,41 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
-     if (dirscans_size_total == 0)
-         goto out;
- 
-+    /* filter out unwanted names, directories, and complement data with lstat() */
-+    for (i = 0; i < num_motd_dirs; i++) {
-+	struct dirent **d = dirscans[i];
-+	for (unsigned int j = 0; j < dirscans_sizes[i]; j++) {
-+	    int rc;
-+	    char *fullpath;
-+	    struct stat s;
-+
-+	    switch(d[j]->d_type) {    /* the filetype determines how to proceed */
-+	    case DT_REG:              /* regular files and     */
-+	    case DT_LNK:              /* symlinks              */
-+		continue;             /* are good.             */
-+	    case DT_UNKNOWN:   /* for file systems that do not provide */
-+			       /* a filetype, we use lstat()           */
-+		if (join_dir_strings(&fullpath, motd_dir_path_split[i],
-+				     d[j]->d_name) <= 0)
-+		    break;
-+		rc = lstat(fullpath, &s);
-+		_pam_drop(fullpath);  /* free the memory alloc'ed by join_dir_strings */
-+		if (rc != 0)          /* if the lstat() somehow failed */
-+		    break;
-+
-+		if (S_ISREG(s.st_mode) ||          /* regular files and  */
-+		    S_ISLNK(s.st_mode)) continue;  /* symlinks are good  */
-+		break;
-+	    case DT_DIR:          /* We don't want directories     */
-+	    default:              /* nor anything else             */
-+		break;
-+	    }
-+	    _pam_drop(d[j]);  /* free memory                   */
-+	    d[j] = NULL;      /* indicate this one was dropped */
-+	    dirscans_size_total--;
-+	}
-+    }
-+
-     /* Allocate space for all file names found in the directories, including duplicates. */
-     if ((dirnames_all = calloc(dirscans_size_total, sizeof(*dirnames_all))) == NULL) {
- 	pam_syslog(pamh, LOG_CRIT, "failed to allocate dirname array");
-@@ -225,8 +254,10 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
- 	unsigned int j;
- 
- 	for (j = 0; j < dirscans_sizes[i]; j++) {
--	    dirnames_all[i_dirnames] = dirscans[i][j]->d_name;
--	    i_dirnames++;
-+	    if (NULL != dirscans[i][j]) {
-+	        dirnames_all[i_dirnames] = dirscans[i][j]->d_name;
-+	        i_dirnames++;
-+	    }
- 	}
-     }
- 
--- 
-2.39.0
-
diff --git a/meta/recipes-extended/pam/libpam/0001-run-xtests.sh-check-whether-files-exist.patch b/meta/recipes-extended/pam/libpam/0001-run-xtests.sh-check-whether-files-exist.patch
deleted file mode 100644
index 40040a873a..0000000000
--- a/meta/recipes-extended/pam/libpam/0001-run-xtests.sh-check-whether-files-exist.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From e8e8ccfd57e0274b431bc5717bf37c488285b07b Mon Sep 17 00:00:00 2001
-From: Mingli Yu <mingli.yu@windriver.com>
-Date: Wed, 27 Oct 2021 10:30:46 +0800
-Subject: [PATCH] run-xtests.sh: check whether files exist
-
-Fixes:
- # ./run-xtests.sh . tst-pam_access1
- mv: cannot stat '/etc/security/opasswd': No such file or directory
- PASS: tst-pam_access1
- mv: cannot stat '/etc/security/opasswd-pam-xtests': No such file or directory
- ==================
- 1 tests passed
- 0 tests not run
- ==================
-
-Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/e8e8ccfd57e0274b431bc5717bf37c488285b07b]
-
-Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
----
- xtests/run-xtests.sh | 20 +++++++++++++-------
- 1 file changed, 13 insertions(+), 7 deletions(-)
-
-diff --git a/xtests/run-xtests.sh b/xtests/run-xtests.sh
-index 14f585d9..ff9a4dc1 100755
---- a/xtests/run-xtests.sh
-+++ b/xtests/run-xtests.sh
-@@ -18,10 +18,12 @@ all=0
- 
- mkdir -p /etc/security
- for config in access.conf group.conf time.conf limits.conf ; do
--	cp /etc/security/$config /etc/security/$config-pam-xtests
-+	[ -f "/etc/security/$config" ] &&
-+		mv /etc/security/$config /etc/security/$config-pam-xtests
- 	install -m 644 "${SRCDIR}"/$config /etc/security/$config
- done
--mv /etc/security/opasswd /etc/security/opasswd-pam-xtests
-+[ -f /etc/security/opasswd ] &&
-+	mv /etc/security/opasswd /etc/security/opasswd-pam-xtests
- 
- for testname in $XTESTS ; do
- 	  for cfg in "${SRCDIR}"/$testname*.pamd ; do
-@@ -47,11 +49,15 @@ for testname in $XTESTS ; do
- 	  all=`expr $all + 1`
- 	  rm -f /etc/pam.d/$testname*
- done
--mv /etc/security/access.conf-pam-xtests /etc/security/access.conf
--mv /etc/security/group.conf-pam-xtests /etc/security/group.conf
--mv /etc/security/time.conf-pam-xtests /etc/security/time.conf
--mv /etc/security/limits.conf-pam-xtests /etc/security/limits.conf
--mv /etc/security/opasswd-pam-xtests /etc/security/opasswd
-+
-+for config in access.conf group.conf time.conf limits.conf opasswd ; do
-+	if [ -f "/etc/security/$config-pam-xtests" ]; then
-+		mv /etc/security/$config-pam-xtests /etc/security/$config
-+	else
-+		rm -f /etc/security/$config
-+	fi
-+done
-+
- if test "$failed" -ne 0; then
- 	  echo "==================="
- 	  echo "$failed of $all tests failed"
--- 
-2.32.0
-
diff --git a/meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch b/meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch
deleted file mode 100644
index e7bf03f9f7..0000000000
--- a/meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch
+++ /dev/null
@@ -1,205 +0,0 @@
-From 23393bef92c1e768eda329813d7af55481c6ca9f Mon Sep 17 00:00:00 2001
-From: Thorsten Kukuk <kukuk@suse.com>
-Date: Thu, 24 Feb 2022 10:37:32 +0100
-Subject: [PATCH 2/2] pam_access: handle hostnames in access.conf
-
-According to the manual page, the following entry is valid but does not
-work:
--:root:ALL EXCEPT localhost
-
-See https://bugzilla.suse.com/show_bug.cgi?id=1019866
-
-Patched is based on PR#226 from Josef Moellers
-
-Upstream-Status: Backport
-CVE: CVE-2022-28321
-
-Reference to upstream patch:
-[https://github.com/linux-pam/linux-pam/commit/23393bef92c1e768eda329813d7af55481c6ca9f]
-
-Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
----
- modules/pam_access/pam_access.c | 95 ++++++++++++++++++++++++++-------
- 1 file changed, 76 insertions(+), 19 deletions(-)
-
-diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
-index 277192b..bca424f 100644
---- a/modules/pam_access/pam_access.c
-+++ b/modules/pam_access/pam_access.c
-@@ -637,7 +637,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
-       if ((str_len = strlen(string)) > tok_len
- 	  && strcasecmp(tok, string + str_len - tok_len) == 0)
- 	return YES;
--    } else if (tok[tok_len - 1] == '.') {
-+    } else if (tok[tok_len - 1] == '.') {       /* internet network numbers (end with ".") */
-       struct addrinfo hint;
- 
-       memset (&hint, '\0', sizeof (hint));
-@@ -678,7 +678,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
-       return NO;
-     }
- 
--    /* Assume network/netmask with an IP of a host.  */
-+    /* Assume network/netmask, IP address or hostname.  */
-     return network_netmask_match(pamh, tok, string, item);
- }
- 
-@@ -696,7 +696,7 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string,
-     /*
-      * If the token has the magic value "ALL" the match always succeeds.
-      * Otherwise, return YES if the token fully matches the string.
--	 * "NONE" token matches NULL string.
-+     * "NONE" token matches NULL string.
-      */
- 
-     if (strcasecmp(tok, "ALL") == 0) {		/* all: always matches */
-@@ -714,7 +714,8 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string,
- 
- /* network_netmask_match - match a string against one token
-  * where string is a hostname or ip (v4,v6) address and tok
-- * represents either a single ip (v4,v6) address or a network/netmask
-+ * represents either a hostname, a single ip (v4,v6) address
-+ * or a network/netmask
-  */
- static int
- network_netmask_match (pam_handle_t *pamh,
-@@ -723,10 +724,12 @@ network_netmask_match (pam_handle_t *pamh,
-     char *netmask_ptr;
-     char netmask_string[MAXHOSTNAMELEN + 1];
-     int addr_type;
-+    struct addrinfo *ai = NULL;
- 
-     if (item->debug)
--    pam_syslog (pamh, LOG_DEBUG,
-+      pam_syslog (pamh, LOG_DEBUG,
- 		"network_netmask_match: tok=%s, item=%s", tok, string);
-+
-     /* OK, check if tok is of type addr/mask */
-     if ((netmask_ptr = strchr(tok, '/')) != NULL)
-       {
-@@ -760,54 +763,108 @@ network_netmask_match (pam_handle_t *pamh,
- 	    netmask_ptr = number_to_netmask(netmask, addr_type,
- 		netmask_string, MAXHOSTNAMELEN);
- 	  }
--	}
-+
-+        /*
-+         * Construct an addrinfo list from the IP address.
-+         * This should not fail as the input is a correct IP address...
-+         */
-+	if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
-+	  {
-+	    return NO;
-+	  }
-+      }
-     else
--	/* NO, then check if it is only an addr */
--	if (isipaddr(tok, NULL, NULL) != YES)
-+      {
-+        /*
-+	 * It is either an IP address or a hostname.
-+	 * Let getaddrinfo sort everything out
-+	 */
-+	if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
- 	  {
-+	    pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok);
-+
- 	    return NO;
- 	  }
-+	netmask_ptr = NULL;
-+      }
- 
-     if (isipaddr(string, NULL, NULL) != YES)
-       {
--	/* Assume network/netmask with a name of a host.  */
- 	struct addrinfo hint;
- 
-+	/* Assume network/netmask with a name of a host.  */
- 	memset (&hint, '\0', sizeof (hint));
- 	hint.ai_flags = AI_CANONNAME;
- 	hint.ai_family = AF_UNSPEC;
- 
- 	if (item->gai_rv != 0)
-+	  {
-+	    freeaddrinfo(ai);
- 	    return NO;
-+	  }
- 	else if (!item->res &&
- 		(item->gai_rv = getaddrinfo (string, NULL, &hint, &item->res)) != 0)
-+	  {
-+	    freeaddrinfo(ai);
- 	    return NO;
-+	  }
-         else
- 	  {
- 	    struct addrinfo *runp = item->res;
-+	    struct addrinfo *runp1;
- 
- 	    while (runp != NULL)
- 	      {
- 		char buf[INET6_ADDRSTRLEN];
- 
--		DIAG_PUSH_IGNORE_CAST_ALIGN;
--		inet_ntop (runp->ai_family,
--			runp->ai_family == AF_INET
--			? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr
--			: (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr,
--			buf, sizeof (buf));
--		DIAG_POP_IGNORE_CAST_ALIGN;
-+		if (getnameinfo (runp->ai_addr, runp->ai_addrlen, buf, sizeof (buf), NULL, 0, NI_NUMERICHOST) != 0)
-+		  {
-+		    freeaddrinfo(ai);
-+		    return NO;
-+		  }
- 
--		if (are_addresses_equal(buf, tok, netmask_ptr))
-+		for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
- 		  {
--		    return YES;
-+                    char buf1[INET6_ADDRSTRLEN];
-+
-+                    if (runp->ai_family != runp1->ai_family)
-+                      continue;
-+
-+                    if (getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST) != 0)
-+		      {
-+			freeaddrinfo(ai);
-+			return NO;
-+		      }
-+
-+                    if (are_addresses_equal (buf, buf1, netmask_ptr))
-+                      {
-+                        freeaddrinfo(ai);
-+                        return YES;
-+                      }
- 		  }
- 		runp = runp->ai_next;
- 	      }
- 	  }
-       }
-     else
--      return (are_addresses_equal(string, tok, netmask_ptr));
-+      {
-+       struct addrinfo *runp1;
-+
-+       for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
-+         {
-+           char buf1[INET6_ADDRSTRLEN];
-+
-+           (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST);
-+
-+           if (are_addresses_equal(string, buf1, netmask_ptr))
-+             {
-+               freeaddrinfo(ai);
-+               return YES;
-+             }
-+         }
-+      }
-+
-+  freeaddrinfo(ai);
- 
-   return NO;
- }
--- 
-2.37.3
-
diff --git a/meta/recipes-extended/pam/libpam_1.5.2.bb b/meta/recipes-extended/pam/libpam_1.5.3.bb
index bec47ab836..c8f1e16459 100644
--- a/meta/recipes-extended/pam/libpam_1.5.2.bb
+++ b/meta/recipes-extended/pam/libpam_1.5.3.bb
@@ -21,14 +21,11 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/Linux-PAM-${PV}.tar.xz \
            file://pam.d/common-session-noninteractive \
            file://pam.d/other \
            file://libpam-xtests.patch \
-           file://0001-run-xtests.sh-check-whether-files-exist.patch \
            file://run-ptest \
            file://pam-volatiles.conf \
-           file://CVE-2022-28321-0002.patch \
-           file://0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch \
            "
 
-SRC_URI[sha256sum] = "e4ec7131a91da44512574268f493c6d8ca105c87091691b8e9b56ca685d4f94d"
+SRC_URI[sha256sum] = "7ac4b50feee004a9fa88f1dfd2d2fa738a82896763050cd773b3c54b0a818283"
 
 DEPENDS = "bison-native flex-native cracklib libxml2-native virtual/crypt"