diff options
author | Sam James <sam@gentoo.org> | 2021-11-14 09:26:29 +0000 |
---|---|---|
committer | Sam James <sam@gentoo.org> | 2021-11-14 09:26:29 +0000 |
commit | a2d21bec1e6e7b22806c3ff047c4626b8b72a1ff (patch) | |
tree | 31c1fcbc9050d769bdb36bdc185d612f839382cd /sys-apps/shadow | |
parent | sys-auth/passwdqc: drop 2.0.0-r2, 2.0.1-r2 (diff) | |
download | gentoo-a2d21bec1e6e7b22806c3ff047c4626b8b72a1ff.tar.gz gentoo-a2d21bec1e6e7b22806c3ff047c4626b8b72a1ff.tar.bz2 gentoo-a2d21bec1e6e7b22806c3ff047c4626b8b72a1ff.zip |
sys-apps/shadow: backport upstream patch for crash
Also throw in a configure typo patch, given we're calling eautoreconf anyway.
Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to 'sys-apps/shadow')
-rw-r--r-- | sys-apps/shadow/files/shadow-4.9-configure-typo.patch | 19 | ||||
-rw-r--r-- | sys-apps/shadow/files/shadow-4.9-gpasswd-double-free.patch | 35 | ||||
-rw-r--r-- | sys-apps/shadow/shadow-4.9-r4.ebuild | 251 |
3 files changed, 305 insertions, 0 deletions
diff --git a/sys-apps/shadow/files/shadow-4.9-configure-typo.patch b/sys-apps/shadow/files/shadow-4.9-configure-typo.patch new file mode 100644 index 000000000000..1a6db304a013 --- /dev/null +++ b/sys-apps/shadow/files/shadow-4.9-configure-typo.patch @@ -0,0 +1,19 @@ +https://github.com/shadow-maint/shadow/commit/049f9a7f6b320c728a6274299041e360381d7cd5 + +From 049f9a7f6b320c728a6274299041e360381d7cd5 Mon Sep 17 00:00:00 2001 +From: Andy Zaugg <andy.zaugg@gmail.com> +Date: Tue, 21 Sep 2021 21:51:10 -0700 +Subject: [PATCH] Fix parentheses in configure.ac + +Resolving issue https://github.com/shadow-maint/shadow/issues/419 +--- a/configure.ac ++++ b/configure.ac +@@ -345,7 +345,7 @@ if test "$with_sssd" = "yes"; then + [AC_MSG_ERROR([posix_spawn is needed for sssd support])]) + fi + +-AS_IF([test "$with_su" != "no"], AC_DEFINE(WITH_SU, 1, [Build with su])]) ++AS_IF([test "$with_su" != "no"], AC_DEFINE(WITH_SU, 1, [Build with su])) + AM_CONDITIONAL([WITH_SU], [test "x$with_su" != "xno"]) + + dnl Check for some functions in libc first, only if not found check for diff --git a/sys-apps/shadow/files/shadow-4.9-gpasswd-double-free.patch b/sys-apps/shadow/files/shadow-4.9-gpasswd-double-free.patch new file mode 100644 index 000000000000..d7102ce03c32 --- /dev/null +++ b/sys-apps/shadow/files/shadow-4.9-gpasswd-double-free.patch @@ -0,0 +1,35 @@ +https://github.com/shadow-maint/shadow/commit/117bc66c6f95fa85ca75ecfdb8fbd3615deca0b6 + +From 117bc66c6f95fa85ca75ecfdb8fbd3615deca0b6 Mon Sep 17 00:00:00 2001 +From: Michael Vetter <jubalh@iodoru.org> +Date: Mon, 20 Sep 2021 11:04:50 +0200 +Subject: [PATCH] Only free sgent if it was initialized + +`sgent` is only initialized in `get_group()` if `is_shadowgrp` is true. +So we should also only attempt to free it if this is actually the case. + +Can otherwise lead to: +``` +free() double free detected in tcache 2 (gpasswd) +``` +--- a/src/gpasswd.c ++++ b/src/gpasswd.c +@@ -1207,11 +1207,13 @@ int main (int argc, char **argv) + sssd_flush_cache (SSSD_DB_GROUP); + + #ifdef SHADOWGRP +- if (sgent.sg_adm) { +- xfree(sgent.sg_adm); +- } +- if (sgent.sg_mem) { +- xfree(sgent.sg_mem); ++ if (is_shadowgrp) { ++ if (sgent.sg_adm) { ++ xfree(sgent.sg_adm); ++ } ++ if (sgent.sg_mem) { ++ xfree(sgent.sg_mem); ++ } + } + #endif + if (grent.gr_mem) { diff --git a/sys-apps/shadow/shadow-4.9-r4.ebuild b/sys-apps/shadow/shadow-4.9-r4.ebuild new file mode 100644 index 000000000000..044718eed4c1 --- /dev/null +++ b/sys-apps/shadow/shadow-4.9-r4.ebuild @@ -0,0 +1,251 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit autotools pam + +DESCRIPTION="Utilities to deal with user accounts" +HOMEPAGE="https://github.com/shadow-maint/shadow" +SRC_URI="https://github.com/shadow-maint/shadow/releases/download/v${PV}/${P}.tar.xz" + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +IUSE="acl audit bcrypt cracklib nls pam selinux skey split-usr +su xattr" +# Taken from the man/Makefile.am file. +LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW ) + +REQUIRED_USE="?? ( cracklib pam )" + +BDEPEND=" + app-arch/xz-utils + sys-devel/gettext +" +COMMON_DEPEND=" + virtual/libcrypt:= + acl? ( sys-apps/acl:0= ) + audit? ( >=sys-process/audit-2.6:0= ) + cracklib? ( >=sys-libs/cracklib-2.7-r3:0= ) + nls? ( virtual/libintl ) + pam? ( sys-libs/pam:0= ) + skey? ( sys-auth/skey:0= ) + selinux? ( + >=sys-libs/libselinux-1.28:0= + sys-libs/libsemanage:0= + ) + xattr? ( sys-apps/attr:0= ) +" +DEPEND="${COMMON_DEPEND} + >=sys-kernel/linux-headers-4.14 +" +RDEPEND="${COMMON_DEPEND} + !<sys-apps/man-pages-5.11-r1 + !=sys-apps/man-pages-5.12-r0 + !=sys-apps/man-pages-5.12-r1 + nls? ( + !<app-i18n/man-pages-it-5.06-r1 + !<app-i18n/man-pages-ja-20180315-r1 + !<app-i18n/man-pages-ru-5.03.2390.2390.20191017-r1 + ) + pam? ( >=sys-auth/pambase-20150213 ) + su? ( !sys-apps/util-linux[su(-)] ) +" + +PATCHES=( + "${FILESDIR}/${PN}-4.1.3-dots-in-usernames.patch" + "${FILESDIR}/${P}-libsubid_pam_linking.patch" + "${FILESDIR}/${P}-libsubid_oot_build.patch" + "${FILESDIR}/shadow-4.9-libcrack.patch" + "${FILESDIR}/shadow-4.9-SHA-rounds.patch" + "${FILESDIR}/${P}-gpasswd-double-free.patch" + "${FILESDIR}/${P}-configure-typo.patch" +) + +src_prepare() { + default + eautoreconf + #elibtoolize +} + +src_configure() { + local myeconfargs=( + --disable-account-tools-setuid + --with-btrfs + --without-group-name-max-length + --without-tcb + $(use_enable nls) + $(use_with acl) + $(use_with audit) + $(use_with bcrypt) + $(use_with cracklib libcrack) + $(use_with elibc_glibc nscd) + $(use_with pam libpam) + $(use_with selinux) + $(use_with skey) + $(use_with su) + $(use_with xattr attr) + ) + econf "${myeconfargs[@]}" + + has_version 'sys-libs/uclibc[-rpc]' && sed -i '/RLOGIN/d' config.h #425052 + + if use nls ; then + local l langs="po" # These are the pot files. + for l in ${LANGS[*]} ; do + has ${l} ${LINGUAS-${l}} && langs+=" ${l}" + done + sed -i "/^SUBDIRS = /s:=.*:= ${langs}:" man/Makefile || die + fi +} + +set_login_opt() { + local comment="" opt=${1} val=${2} + if [[ -z ${val} ]]; then + comment="#" + sed -i \ + -e "/^${opt}\>/s:^:#:" \ + "${ED}"/etc/login.defs || die + else + sed -i -r \ + -e "/^#?${opt}\>/s:.*:${opt} ${val}:" \ + "${ED}"/etc/login.defs + fi + local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs) + einfo "${res:-Unable to find ${opt} in /etc/login.defs}" +} + +src_install() { + emake DESTDIR="${D}" suidperms=4711 install + + # 4.9 regression: https://github.com/shadow-maint/shadow/issues/389 + emake DESTDIR="${D}" -C man install + + find "${ED}" -name '*.la' -type f -delete || die + + insinto /etc + if ! use pam ; then + insopts -m0600 + doins etc/login.access etc/limits + fi + + # needed for 'useradd -D' + insinto /etc/default + insopts -m0600 + doins "${FILESDIR}"/default/useradd + + if use split-usr ; then + # move passwd to / to help recover broke systems #64441 + # We cannot simply remove this or else net-misc/scponly + # and other tools will break because of hardcoded passwd + # location + dodir /bin + mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die + dosym ../../bin/passwd /usr/bin/passwd + fi + + cd "${S}" || die + insinto /etc + insopts -m0644 + newins etc/login.defs login.defs + + set_login_opt CREATE_HOME yes + if ! use pam ; then + set_login_opt MAIL_CHECK_ENAB no + set_login_opt SU_WHEEL_ONLY yes + set_login_opt CRACKLIB_DICTPATH /usr/lib/cracklib_dict + set_login_opt LOGIN_RETRIES 3 + set_login_opt ENCRYPT_METHOD SHA512 + set_login_opt CONSOLE + else + dopamd "${FILESDIR}"/pam.d-include/shadow + + for x in chsh shfn ; do + newpamd "${FILESDIR}"/pam.d-include/passwd ${x} + done + + for x in chpasswd newusers ; do + newpamd "${FILESDIR}"/pam.d-include/chpasswd ${x} + done + + newpamd "${FILESDIR}"/pam.d-include/shadow-r1 groupmems + + # comment out login.defs options that pam hates + local opt sed_args=() + for opt in \ + CHFN_AUTH \ + CONSOLE \ + CRACKLIB_DICTPATH \ + ENV_HZ \ + ENVIRON_FILE \ + FAILLOG_ENAB \ + FTMP_FILE \ + LASTLOG_ENAB \ + MAIL_CHECK_ENAB \ + MOTD_FILE \ + NOLOGINS_FILE \ + OBSCURE_CHECKS_ENAB \ + PASS_ALWAYS_WARN \ + PASS_CHANGE_TRIES \ + PASS_MIN_LEN \ + PORTTIME_CHECKS_ENAB \ + QUOTAS_ENAB \ + SU_WHEEL_ONLY + do + set_login_opt ${opt} + sed_args+=( -e "/^#${opt}\>/b pamnote" ) + done + sed -i "${sed_args[@]}" \ + -e 'b exit' \ + -e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \ + -e ': exit' \ + "${ED}"/etc/login.defs || die + + # remove manpages that pam will install for us + # and/or don't apply when using pam + find "${ED}"/usr/share/man -type f \ + '(' -name 'limits.5*' -o -name 'suauth.5*' ')' \ + -delete + + # Remove pam.d files provided by pambase. + rm "${ED}"/etc/pam.d/{login,passwd} || die + if use su ; then + rm "${ED}"/etc/pam.d/su || die + fi + fi + + # Remove manpages that are handled by other packages + find "${ED}"/usr/share/man -type f \ + '(' -name id.1 -o -name getspnam.3 ')' \ + -delete + + cd "${S}" || die + dodoc ChangeLog NEWS TODO + newdoc README README.download + cd doc || die + dodoc HOWTO README* WISHLIST *.txt +} + +pkg_preinst() { + rm -f "${EROOT}"/etc/pam.d/system-auth.new \ + "${EROOT}/etc/login.defs.new" +} + +pkg_postinst() { + # Enable shadow groups. + if [ ! -f "${EROOT}"/etc/gshadow ] ; then + if grpck -r -R "${EROOT}" 2>/dev/null ; then + grpconv -R "${EROOT}" + else + ewarn "Running 'grpck' returned errors. Please run it by hand, and then" + ewarn "run 'grpconv' afterwards!" + fi + fi + + [[ ! -f "${EROOT}"/etc/subgid ]] && + touch "${EROOT}"/etc/subgid + [[ ! -f "${EROOT}"/etc/subuid ]] && + touch "${EROOT}"/etc/subuid + + einfo "The 'adduser' symlink to 'useradd' has been dropped." +} |