Diffstat (limited to 'source/a/shadow')
4 files changed, 399 insertions, 23 deletions
diff --git a/source/a/shadow/68a722760487d3537905d97d45e5fba189592022.patch b/source/a/shadow/68a722760487d3537905d97d45e5fba189592022.patch
new file mode 100644
index 000000000..3c4ce8342
--- /dev/null
+++ b/source/a/shadow/68a722760487d3537905d97d45e5fba189592022.patch
@@ -0,0 +1,321 @@
+From 68a722760487d3537905d97d45e5fba189592022 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Tue, 8 Aug 2023 16:01:41 +0200
+Subject: [PATCH] libmisc: add readpassphrase source code
+
+Remove libbsd dependency by including the source code of
+readpassphrase() in the project.
+
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+---
+ configure.ac | 17 +---
+ libmisc/Makefile.am | 2 +
+ libmisc/readpassphrase.c | 198 +++++++++++++++++++++++++++++++++++++++
+ libmisc/readpassphrase.h | 45 +++++++++
+ 4 files changed, 246 insertions(+), 16 deletions(-)
+ create mode 100644 libmisc/readpassphrase.c
+ create mode 100644 libmisc/readpassphrase.h
+
+diff --git a/configure.ac b/configure.ac
+index d9cf73037..160719dd5 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -45,7 +45,7 @@ AC_CHECK_HEADERS(crypt.h utmp.h \
+ dnl shadow now uses the libc's shadow implementation
+ AC_CHECK_HEADER([shadow.h],,[AC_MSG_ERROR([You need a libc with shadow.h])])
+
+-AC_CHECK_FUNCS(arc4random_buf futimes \
++AC_CHECK_FUNCS(arc4random_buf futimes readpassphrase \
+ getentropy getrandom getspnam getusershell \
+ initgroups lckpwdf lutimes mempcpy \
+ setgroups updwtmp updwtmpx innetgr \
+@@ -412,21 +412,6 @@ AC_SUBST(LIYESCRYPT)
+ AC_CHECK_LIB(crypt, crypt, [LIYESCRYPT=-lcrypt],
+ [AC_MSG_ERROR([crypt() not found])])
+
+-AC_SEARCH_LIBS([readpassphrase], [bsd], [], [
+- AC_MSG_ERROR([readpassphrase() is missing, either from libc or libbsd])
+-])
+-AS_IF([test "$ac_cv_search_readpassphrase" = "-lbsd"], [
+- PKG_CHECK_MODULES([LIBBSD], [libbsd-overlay])
+-])
+-dnl Make sure either the libc or libbsd provide the header.
+-save_CFLAGS="$CFLAGS"
+-CFLAGS="$CFLAGS $LIBBSD_CFLAGS"
+-AC_CHECK_HEADERS([readpassphrase.h])
+-AS_IF([test "$ac_cv_header_readpassphrase_h" != "yes"], [
+- AC_MSG_ERROR([readpassphrase.h is missing])
+-])
+-CFLAGS="$save_CFLAGS"
+-
+ AC_SUBST(LIBACL)
+ if test "$with_acl" != "no"; then
+ AC_CHECK_HEADERS(acl/libacl.h attr/error_context.h, [acl_header="yes"], [acl_header="no"])
+diff --git a/libmisc/Makefile.am b/libmisc/Makefile.am
+index b135447c9..90f1dec8e 100644
+--- a/libmisc/Makefile.am
++++ b/libmisc/Makefile.am
+@@ -64,6 +64,8 @@ libmisc_la_SOURCES = \
+ pwdcheck.c \
+ pwd_init.c \
+ csrand.c \
++ readpassphrase.h \
++ readpassphrase.c \
+ remove_tree.c \
+ rlogin.c \
+ root_flag.c \
+diff --git a/libmisc/readpassphrase.c b/libmisc/readpassphrase.c
+new file mode 100644
+index 000000000..5ff060cca
+--- /dev/null
++++ b/libmisc/readpassphrase.c
+@@ -0,0 +1,198 @@
++/* $OpenBSD: readpassphrase.c,v 1.26 2016/10/18 12:47:18 millert Exp $ */
++
++/*
++ * Copyright (c) 2000-2002, 2007, 2010
++ * Todd C. Miller <Todd.Miller@courtesan.com>
++ *
++ * Permission to use, copy, modify, and distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
++ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
++ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
++ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++ *
++ * Sponsored in part by the Defense Advanced Research Projects
++ * Agency (DARPA) and Air Force Research Laboratory, Air Force
++ * Materiel Command, USAF, under agreement number F39502-99-1-0512.
++ */
++
++#include <ctype.h>
++#include <errno.h>
++#include <fcntl.h>
++#include <paths.h>
++#include <pwd.h>
++#include <signal.h>
++#include <string.h>
++#include <termios.h>
++#include <unistd.h>
++#include <readpassphrase.h>
++
++#ifndef TCSASOFT
++#define TCSASOFT 0
++#endif
++
++#ifndef _NSIG
++#if defined(NSIG)
++#define _NSIG NSIG
++#else
++/* The SIGRTMAX define might be set to a function such as sysconf(). */
++#define _NSIG (SIGRTMAX + 1)
++#endif
++#endif
++
++static volatile sig_atomic_t signo[_NSIG];
++
++static void handler(int);
++
++char *
++readpassphrase(const char *prompt, char *buf, size_t bufsiz, int flags)
++{
++ ssize_t nr;
++ int input, output, save_errno, i, need_restart;
++ char ch, *p, *end;
++ struct termios term, oterm;
++ struct sigaction sa, savealrm, saveint, savehup, savequit, saveterm;
++ struct sigaction savetstp, savettin, savettou, savepipe;
++
++ /* I suppose we could alloc on demand in this case (XXX). */
++ if (bufsiz == 0) {
++ errno = EINVAL;
++ return(NULL);
++ }
++
++restart:
++ for (i = 0; i < _NSIG; i++)
++ signo[i] = 0;
++ nr = -1;
++ save_errno = 0;
++ need_restart = 0;
++ /*
++ * Read and write to /dev/tty if available. If not, read from
++ * stdin and write to stderr unless a tty is required.
++ */
++ if ((flags & RPP_STDIN) ||
++ (input = output = open(_PATH_TTY, O_RDWR)) == -1) {
++ if (flags & RPP_REQUIRE_TTY) {
++ errno = ENOTTY;
++ return(NULL);
++ }
++ input = STDIN_FILENO;
++ output = STDERR_FILENO;
++ }
++
++ /*
++ * Turn off echo if possible.
++ * If we are using a tty but are not the foreground pgrp this will
++ * generate SIGTTOU, so do it *before* installing the signal handlers.
++ */
++ if (input != STDIN_FILENO && tcgetattr(input, &oterm) == 0) {
++ memcpy(&term, &oterm, sizeof(term));
++ if (!(flags & RPP_ECHO_ON))
++ term.c_lflag &= ~(ECHO | ECHONL);
++#ifdef VSTATUS
++ if (term.c_cc[VSTATUS] != _POSIX_VDISABLE)
++ term.c_cc[VSTATUS] = _POSIX_VDISABLE;
++#endif
++ (void)tcsetattr(input, TCSAFLUSH|TCSASOFT, &term);
++ } else {
++ memset(&term, 0, sizeof(term));
++ term.c_lflag |= ECHO;
++ memset(&oterm, 0, sizeof(oterm));
++ oterm.c_lflag |= ECHO;
++ }
++
++ /*
++ * Catch signals that would otherwise cause the user to end
++ * up with echo turned off in the shell. Don't worry about
++ * things like SIGXCPU and SIGVTALRM for now.
++ */
++ sigemptyset(&sa.sa_mask);
++ sa.sa_flags = 0; /* don't restart system calls */
++ sa.sa_handler = handler;
++ (void)sigaction(SIGALRM, &sa, &savealrm);
++ (void)sigaction(SIGHUP, &sa, &savehup);
++ (void)sigaction(SIGINT, &sa, &saveint);
++ (void)sigaction(SIGPIPE, &sa, &savepipe);
++ (void)sigaction(SIGQUIT, &sa, &savequit);
++ (void)sigaction(SIGTERM, &sa, &saveterm);
++ (void)sigaction(SIGTSTP, &sa, &savetstp);
++ (void)sigaction(SIGTTIN, &sa, &savettin);
++ (void)sigaction(SIGTTOU, &sa, &savettou);
++
++ if (!(flags & RPP_STDIN))
++ (void)write(output, prompt, strlen(prompt));
++ end = buf + bufsiz - 1;
++ p = buf;
++ while ((nr = read(input, &ch, 1)) == 1 && ch != '\n' && ch != '\r') {
++ if (p < end) {
++ if ((flags & RPP_SEVENBIT))
++ ch &= 0x7f;
++ if (isalpha((unsigned char)ch)) {
++ if ((flags & RPP_FORCELOWER))
++ ch = (char)tolower((unsigned char)ch);
++ if ((flags & RPP_FORCEUPPER))
++ ch = (char)toupper((unsigned char)ch);
++ }
++ *p++ = ch;
++ }
++ }
++ *p = '\0';
++ save_errno = errno;
++ if (!(term.c_lflag & ECHO))
++ (void)write(output, "\n", 1);
++
++ /* Restore old terminal settings and signals. */
++ if (memcmp(&term, &oterm, sizeof(term)) != 0) {
++ const int sigttou = signo[SIGTTOU];
++
++ /* Ignore SIGTTOU generated when we are not the fg pgrp. */
++ while (tcsetattr(input, TCSAFLUSH|TCSASOFT, &oterm) == -1 &&
++ errno == EINTR && !signo[SIGTTOU])
++ continue;
++ signo[SIGTTOU] = sigttou;
++ }
++ (void)sigaction(SIGALRM, &savealrm, NULL);
++ (void)sigaction(SIGHUP, &savehup, NULL);
++ (void)sigaction(SIGINT, &saveint, NULL);
++ (void)sigaction(SIGQUIT, &savequit, NULL);
++ (void)sigaction(SIGPIPE, &savepipe, NULL);
++ (void)sigaction(SIGTERM, &saveterm, NULL);
++ (void)sigaction(SIGTSTP, &savetstp, NULL);
++ (void)sigaction(SIGTTIN, &savettin, NULL);
++ (void)sigaction(SIGTTOU, &savettou, NULL);
++ if (input != STDIN_FILENO)
++ (void)close(input);
++
++ /*
++ * If we were interrupted by a signal, resend it to ourselves
++ * now that we have restored the signal handlers.
++ */
++ for (i = 0; i < _NSIG; i++) {
++ if (signo[i]) {
++ kill(getpid(), i);
++ switch (i) {
++ case SIGTSTP:
++ case SIGTTIN:
++ case SIGTTOU:
++ need_restart = 1;
++ }
++ }
++ }
++ if (need_restart)
++ goto restart;
++
++ if (save_errno)
++ errno = save_errno;
++ return(nr == -1 ? NULL : buf);
++}
++
++static void handler(int s)
++{
++
++ signo[s] = 1;
++}
+diff --git a/libmisc/readpassphrase.h b/libmisc/readpassphrase.h
+new file mode 100644
+index 000000000..336a01156
+--- /dev/null
++++ b/libmisc/readpassphrase.h
+@@ -0,0 +1,45 @@
++/* $OpenBSD: readpassphrase.h,v 1.4 2003/06/03 01:52:39 millert Exp $ */
++
++/*
++ * Copyright (c) 2000, 2002 Todd C. Miller <Todd.Miller@courtesan.com>
++ *
++ * Permission to use, copy, modify, and distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
++ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
++ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
++ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++ *
++ * Sponsored in part by the Defense Advanced Research Projects
++ * Agency (DARPA) and Air Force Research Laboratory, Air Force
++ * Materiel Command, USAF, under agreement number F39502-99-1-0512.
++ */
++
++#ifndef LIBBSD_READPASSPHRASE_H
++#define LIBBSD_READPASSPHRASE_H
++
++#define RPP_ECHO_OFF 0x00 /* Turn off echo (default). */
++#define RPP_ECHO_ON 0x01 /* Leave echo on. */
++#define RPP_REQUIRE_TTY 0x02 /* Fail if there is no tty. */
++#define RPP_FORCELOWER 0x04 /* Force input to lower case. */
++#define RPP_FORCEUPPER 0x08 /* Force input to upper case. */
++#define RPP_SEVENBIT 0x10 /* Strip the high bit from input. */
++#define RPP_STDIN 0x20 /* Read from stdin, not /dev/tty */
++
++#ifdef LIBBSD_OVERLAY
++#include <sys/cdefs.h>
++#else
++//#include <bsd/sys/cdefs.h>
++#endif
++#include <sys/types.h>
++
++__BEGIN_DECLS
++char * readpassphrase(const char *, char *, size_t, int);
++__END_DECLS
++
++#endif /* !LIBBSD_READPASSPHRASE_H */
diff --git a/source/a/shadow/a6f6da96f4898a34e5ed1475053075172f9915b2.patch b/source/a/shadow/a6f6da96f4898a34e5ed1475053075172f9915b2.patch
new file mode 100644
index 000000000..224d76aef
--- /dev/null
+++ b/source/a/shadow/a6f6da96f4898a34e5ed1475053075172f9915b2.patch
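Review bot: In the added libmisc/readpassphrase.c, a NULL return does not mean buf was left untouched, and nothing in the new file or header says so. The read loop stores input through `*p++ = ch`, `*p = '\0'` runs unconditionally, and only then does `return(nr == -1 ? NULL : buf)` choose the result, so a read error part-way through entry leaves the typed prefix in the caller's buffer. A comment above the function would make the contract explicit for callers in this tree: `/* On a NULL return buf may still hold partial input; callers must wipe it. */`.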
@@ -0,0 +1,52 @@
+From a6f6da96f4898a34e5ed1475053075172f9915b2 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Tue, 8 Aug 2023 16:04:38 +0200
+Subject: [PATCH] Revert "Use freezero(3) where suitable"
+
+This reverts commit 1482224c546cabc3a08ec069c775b116171f182a.
+---
+ libmisc/agetpass.c | 8 ++++++--
+ libmisc/obscure.c | 6 ++++--
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/libmisc/agetpass.c b/libmisc/agetpass.c
+index 1ff9d63b3..fe030076d 100644
+--- a/libmisc/agetpass.c
++++ b/libmisc/agetpass.c
+@@ -118,7 +118,8 @@ agetpass(const char *prompt)
+ return pass;
+
+ fail:
+- freezero(pass, PASS_MAX + 2);
++ memzero(pass, PASS_MAX);
++ free(pass);
+ return NULL;
+ }
+
+@@ -126,5 +127,8 @@ agetpass(const char *prompt)
+ void
+ erase_pass(char *pass)
+ {
+- freezero(pass, PASS_MAX + 2);
++ if (pass == NULL)
++ return;
++ memzero(pass, PASS_MAX);
++ free(pass);
+ }
+diff --git a/libmisc/obscure.c b/libmisc/obscure.c
+index 40aa8efc6..deae4954f 100644
+--- a/libmisc/obscure.c
++++ b/libmisc/obscure.c
+@@ -221,8 +221,10 @@ static /*@observer@*//*@null@*/const char *obscure_msg (
+
+ msg = password_check (old1, new1, pwdp);
+
+- freezero (new1, newlen);
+- freezero (old1, oldlen);
++ memzero (new1, newlen);
++ memzero (old1, oldlen);
++ free (new1);
++ free (old1);
+
+ return msg;
+ }
diff --git a/source/a/shadow/shadow.SlackBuild b/source/a/shadow/shadow.SlackBuild
index e35e57a7a..bcee8f9ee 100755
--- a/source/a/shadow/shadow.SlackBuild
+++ b/source/a/shadow/shadow.SlackBuild
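Review bot: The reverted wipe in libmisc/agetpass.c covers fewer bytes than the call it replaces: `memzero(pass, PASS_MAX)` in both the `fail:` path and erase_pass(), against the removed `freezero(pass, PASS_MAX + 2)`. If the buffer is allocated as PASS_MAX + 2 bytes, as the removed length suggests (the allocation is outside the hunk), its last two bytes are freed without being cleared, which matters on the failure path when the input ran past PASS_MAX. Using `memzero(pass, PASS_MAX + 2);` in both places keeps the old coverage. It is also worth confirming that memzero() is backed by a primitive the compiler cannot drop before free(), since its definition is not part of this patch.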
@@ -99,6 +99,9 @@ zcat $CWD/shadow.CVE-2005-4890.relax.diff.gz | patch -p1 --verbose || exit 1 # short version up to the first '.' on the login prompt: zcat $CWD/shadow.login.display.short.hostname.diff.gz | patch -p1 --verbose || exit 1 +cat 68a722760487d3537905d97d45e5fba189592022.patch | patch -p1 --verbose || exit 1 +cat a6f6da96f4898a34e5ed1475053075172f9915b2.patch | patch -p1 --verbose || exit 1 + # Add missing file: if [ ! -r man/login.defs.d/HOME_MODE.xml ]; then zcat $CWD/HOME_MODE.xml.gz > man/login.defs.d/HOME_MODE.xml @@ -124,10 +127,12 @@ CFLAGS="$SLKCFLAGS" \ --sysconfdir=/etc \ --mandir=/usr/man \ --docdir=/usr/doc/shadow-$VERSION \ + --enable-lastlog \ --enable-man \ --enable-subordinate-ids \ --disable-shared \ --with-group-name-max-length=32 \ + --with-libbsd=no \ $SHADOW_OPTIONS \ $PAM_OPTIONS \ --build=$ARCH-slackware-linux diff --git a/source/a/shadow/shadow.login.display.short.hostname.diff b/source/a/shadow/shadow.login.display.short.hostname.diff index 53a22f8b8..f8422e809 100644 --- a/source/a/shadow/shadow.login.display.short.hostname.diff +++ b/source/a/shadow/shadow.login.display.short.hostname.diff 
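Review bot: The two added `cat … | patch` lines name the patch files without the `$CWD/` prefix that the neighbouring `zcat $CWD/…` lines use, so they resolve against whatever directory the script is in at that point (presumably the unpacked source tree; the `cd` is outside the hunk). Because `|| exit 1` only sees the exit status of patch, a failing `cat` is not checked on its own, and whether the readpassphrase backport and the freezero revert are applied then depends on how patch treats empty input. Reading the file directly closes both gaps: `patch -p1 --verbose < $CWD/68a722760487d3537905d97d45e5fba189592022.patch || exit 1`, and the same form for `a6f6da96f4898a34e5ed1475053075172f9915b2.patch`.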
@@ -1,26 +1,6 @@ -diff -u -r --new-file shadow-4.8.1.orig/libmisc/loginprompt.c shadow-4.8.1/libmisc/loginprompt.c ---- shadow-4.8.1.orig/libmisc/loginprompt.c 2019-07-23 10:26:08.000000000 -0500 -+++ shadow-4.8.1/libmisc/loginprompt.c 2020-02-06 17:29:43.386954096 -0600 -@@ -99,6 +99,15 @@ - } - } - (void) gethostname (buf, sizeof buf); -+ /* Trim away everything after the first '.': */ -+ i = 0; -+ while (buf[i] != '\0' && i < sizeof(buf) - 1) { -+ if (buf[i] == '.') { -+ buf[i] = '\0'; -+ break; -+ } -+ i++; -+ } - printf (prompt, buf); - (void) fflush (stdout); - } -diff -u -r --new-file shadow-4.8.1.orig/src/login.c shadow-4.8.1/src/login.c ---- shadow-4.8.1.orig/src/login.c 2020-01-12 07:58:49.000000000 -0600 -+++ shadow-4.8.1/src/login.c 2020-02-06 17:29:33.191954722 -0600 -@@ -761,6 +761,15 @@ +--- ./src/login.c.orig 2023-09-25 10:52:15.000000000 -0500 ++++ ./src/login.c 2023-10-24 20:24:47.101964317 -0500 +@@ -705,6 +705,15 @@ /* Make the login prompt look like we want it */ if (gethostname (hostn, sizeof (hostn)) == 0) { @@ -36,3 +16,21 @@ diff -u -r --new-file shadow-4.8.1.orig/src/login.c shadow-4.8.1/src/login.c snprintf (loginprompt, sizeof (loginprompt), _("%s login: "), hostn); +--- ./lib/loginprompt.c.orig 2023-09-25 10:52:15.000000000 -0500 ++++ ./lib/loginprompt.c 2023-10-24 20:24:47.101964317 -0500 +@@ -71,6 +71,15 @@ + } + } + (void) gethostname (buf, sizeof buf); ++ /* Trim away everything after the first '.': */ ++ i = 0; ++ while (buf[i] != '\0' && i < sizeof(buf) - 1) { ++ if (buf[i] == '.') { ++ buf[i] = '\0'; ++ break; ++ } ++ i++; ++ } + printf (_("\n%s login: "), buf); + (void) fflush (stdout); + |
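Review bot: The trimming loop added after `(void) gethostname (buf, sizeof buf);` in lib/loginprompt.c stops at `sizeof(buf) - 1` but never writes a terminator there, and the gethostname() result is discarded on the line above it. POSIX leaves termination unspecified when the name is truncated, so the following `printf (_("\n%s login: "), buf)` can still be handed an unterminated buffer. Adding `buf[sizeof(buf) - 1] = '\0';` directly after the gethostname() call would bound both the loop and the printf. The declarations of `i` and `buf` are outside the hunk.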