Diffstat (limited to 'source')
-rw-r--r--source/a/pam/fedora-patches/pam-1.5.0-redhat-modules.patch51
-rwxr-xr-xsource/a/pam/pam.SlackBuild3
-rw-r--r--source/a/pam/pam.url2
-rw-r--r--source/ap/cups-filters/CVE-2023-24805.patch167
-rwxr-xr-xsource/ap/cups-filters/cups-filters.SlackBuild4
5 files changed, 209 insertions, 18 deletions
diff --git a/source/a/pam/fedora-patches/pam-1.5.0-redhat-modules.patch b/source/a/pam/fedora-patches/pam-1.5.0-redhat-modules.patch
index 82010bbad..1212a6d31 100644
--- a/source/a/pam/fedora-patches/pam-1.5.0-redhat-modules.patch
+++ b/source/a/pam/fedora-patches/pam-1.5.0-redhat-modules.patch
@@ -1,22 +1,26 @@
---- ./doc/sag/pam_faillock.xml.orig 2020-11-10 09:46:13.000000000 -0600
-+++ ./doc/sag/pam_faillock.xml 2020-11-11 13:54:28.033031520 -0600
-@@ -36,3 +36,41 @@
- href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/>
- </section>
- </section>
+--- ./doc/sag/pam_faillock.xml.orig 2023-05-19 13:22:11.197977808 -0500
++++ ./doc/sag/pam_faillock.xml 2023-05-19 13:24:39.673969595 -0500
+@@ -1,27 +1,38 @@
+-<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="sag-pam_faillock">
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+ "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_faillock'>
-+ <title>pam_faillock - temporarily locking access based on failed authentication attempts during an interval</title>
+ <title>pam_faillock - temporarily locking access based on failed authentication attempts during an interval</title>
+- <cmdsynopsis sepchar=" ">
+- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-cmdsynopsisauth")/*)'/>
+ <cmdsynopsis>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisauth"]/*)'/>
-+ </cmdsynopsis>
+ </cmdsynopsis>
+- <cmdsynopsis sepchar=" ">
+- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-cmdsynopsisacct")/*)'/>
+ <cmdsynopsis>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisacct"]/*)'/>
-+ </cmdsynopsis>
+ </cmdsynopsis>
+- <section xml:id="sag-pam_faillock-description">
+- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-description")/*)'/>
+ <section id='sag-pam_faillock-description'>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-description"]/*)'/>
@@ -40,11 +44,28 @@
+ <section id='sag-pam_faillock-author'>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/>
-+ </section>
+ </section>
+- <section xml:id="sag-pam_faillock-options">
+- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-options")/*)'/>
+- </section>
+- <section xml:id="sag-pam_faillock-types">
+- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-types")/*)'/>
+- </section>
+- <section xml:id="sag-pam_faillock-return_values">
+- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-return_values")/*)'/>
+- </section>
+- <section xml:id="sag-pam_faillock-examples">
+- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-examples")/*)'/>
+- </section>
+- <section xml:id="sag-pam_faillock-author">
+- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-author")/*)'/>
+- </section>
+-</section>
+\ No newline at end of file
+</section>
---- ./configure.ac.orig 2020-11-11 13:54:28.033031520 -0600
-+++ ./configure.ac 2020-11-11 13:56:58.260034880 -0600
-@@ -639,6 +639,8 @@
+--- ./configure.ac.orig 2023-05-07 18:06:47.000000000 -0500
++++ ./configure.ac 2023-05-19 13:22:11.198977808 -0500
+@@ -754,6 +754,8 @@
po/Makefile.in \
Make.xml.rules \
modules/Makefile \
@@ -53,8 +74,8 @@
modules/pam_access/Makefile \
modules/pam_debug/Makefile modules/pam_deny/Makefile \
modules/pam_echo/Makefile modules/pam_env/Makefile \
---- ./modules/Makefile.am.orig 2020-11-11 13:54:28.033031520 -0600
-+++ ./modules/Makefile.am 2020-11-11 13:58:24.059036799 -0600
+--- ./modules/Makefile.am.orig 2023-05-07 18:06:47.000000000 -0500
++++ ./modules/Makefile.am 2023-05-19 13:22:11.198977808 -0500
@@ -44,6 +44,8 @@
SUBDIRS := \
diff --git a/source/a/pam/pam.SlackBuild b/source/a/pam/pam.SlackBuild
index 1e29e91bd..bfa4e9249 100755
--- a/source/a/pam/pam.SlackBuild
+++ b/source/a/pam/pam.SlackBuild
@@ -27,7 +27,7 @@ SRCNAM=Linux-PAM
PKGNAM=pam
PAMRHVER=${PAMRHVER:-$(echo pam-redhat-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
VERSION=${VERSION:-$(echo $SRCNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-2}
+BUILD=${BUILD:-1}
# Automatically determine the architecture we're building on:
if [ -z "$ARCH" ]; then
@@ -141,6 +141,7 @@ CXXFLAGS="$SLKCFLAGS" \
--disable-rpath \
--disable-selinux \
--disable-static \
+ --enable-lastlog \
--build=$ARCH-slackware-linux || exit 1
# Make these man pages or the build falls over later
diff --git a/source/a/pam/pam.url b/source/a/pam/pam.url
index 07dfcb99b..d9bd3667c 100644
--- a/source/a/pam/pam.url
+++ b/source/a/pam/pam.url
@@ -1,2 +1,2 @@
-#http://www.linux-pam.org/library/Linux-PAM-1.3.1.tar.bz2
+#http://www.linux-pam.org/library/Linux-PAM-1.5.3.tar.bz2
https://github.com/linux-pam/linux-pam/releases
diff --git a/source/ap/cups-filters/CVE-2023-24805.patch b/source/ap/cups-filters/CVE-2023-24805.patch
new file mode 100644
index 000000000..e84312a82
--- /dev/null
+++ b/source/ap/cups-filters/CVE-2023-24805.patch
@@ -0,0 +1,167 @@
+--- ./backend/beh.c.orig 2023-01-24 19:38:24.000000000 -0600
++++ ./backend/beh.c 2023-05-19 13:08:27.724167656 -0500
+@@ -22,12 +22,14 @@
+ #include "backend-private.h"
+ #include <cups/array.h>
+ #include <ctype.h>
++#include <sys/wait.h>
++
+
+ /*
+ * Local globals...
+ */
+
+-static int job_canceled = 0; /* Set to 1 on SIGTERM */
++static volatile int job_canceled = 0; /* Set to 1 on SIGTERM */
+
+ /*
+ * Local functions...
+@@ -213,21 +215,44 @@
+ char **argv, /* I - Command-line arguments */
+ char *filename) { /* I - File name of input data */
+ const char *cups_serverbin; /* Location of programs */
++ char *backend_argv[8]; // Arguments for called CUPS backend
+ char scheme[1024], /* Scheme from URI */
+ *ptr, /* Pointer into scheme */
+- cmdline[65536]; /* Backend command line */
+- int retval;
++ backend_path[2048]; // Backend path
++ int pid,
++ wait_pid,
++ wait_status,
++ retval = 0;
++ int bytes;
++
+
+ /*
+ * Build the backend command line...
+ */
+
+- strncpy(scheme, uri, sizeof(scheme) - 1);
+- if (strlen(uri) > 1023)
+- scheme[1023] = '\0';
++ scheme[0] = '\0';
++ strncat(scheme, uri, sizeof(scheme) - 1);
+ if ((ptr = strchr(scheme, ':')) != NULL)
+ *ptr = '\0';
+-
++ else
++ {
++ fprintf(stderr,
++ "ERROR: beh: Invalid URI, no colon (':') to mark end of scheme part.\n");
++ exit (CUPS_BACKEND_FAILED);
++ }
++ if (strchr(scheme, '/'))
++ {
++ fprintf(stderr,
++ "ERROR: beh: Invalid URI, scheme contains a slash ('/').\n");
++ exit (CUPS_BACKEND_FAILED);
++ }
++ if (!strcmp(scheme, ".") || !strcmp(scheme, ".."))
++ {
++ fprintf(stderr,
++ "ERROR: beh: Invalid URI, scheme (\"%s\") is a directory.\n",
++ scheme);
++ exit (CUPS_BACKEND_FAILED);
++ }
+ if ((cups_serverbin = getenv("CUPS_SERVERBIN")) == NULL)
+ cups_serverbin = CUPS_SERVERBIN;
+
+@@ -235,16 +260,26 @@
+ fprintf(stderr,
+ "ERROR: beh: Direct output into a file not supported.\n");
+ exit (CUPS_BACKEND_FAILED);
+- } else
+- snprintf(cmdline, sizeof(cmdline),
+- "%s/backend/%s '%s' '%s' '%s' '%s' '%s' %s",
+- cups_serverbin, scheme, argv[1], argv[2], argv[3],
+- /* Apply number of copies only if beh was called with a
+- file name and not with the print data in stdin, as
+- backends should handle copies only if they are called
+- with a file name */
+- (argc == 6 ? "1" : argv[4]),
+- argv[5], filename);
++ }
++
++ backend_argv[0] = uri;
++ backend_argv[1] = argv[1];
++ backend_argv[2] = argv[2];
++ backend_argv[3] = argv[3];
++ backend_argv[4] = (argc == 6 ? "1" : argv[4]);
++ backend_argv[5] = argv[5];
++ backend_argv[6] = filename;
++ backend_argv[7] = NULL;
++
++ bytes = snprintf(backend_path, sizeof(backend_path),
++ "%s/backend/%s", cups_serverbin, scheme);
++ if (bytes < 0 || bytes >= sizeof(backend_path))
++ {
++ fprintf(stderr,
++ "ERROR: beh: Invalid scheme (\"%s\"), could not determing backend path.\n",
++ scheme);
++ exit (CUPS_BACKEND_FAILED);
++ }
+
+ /*
+ * Overwrite the device URI and run the actual backend...
+@@ -253,17 +288,41 @@
+ setenv("DEVICE_URI", uri, 1);
+
+ fprintf(stderr,
+- "DEBUG: beh: Executing backend command line \"%s\"...\n",
+- cmdline);
++ "DEBUG: beh: Executing backend command line \"%s '%s' '%s' '%s' '%s' '%s'%s%s\"...\n",
++ backend_path, backend_argv[1], backend_argv[2], backend_argv[3],
++ backend_argv[4], backend_argv[5],
++ (backend_argv[6] && backend_argv[6][0] ? " " : ""),
++ (backend_argv[6] && backend_argv[6][0] ? backend_argv[6] : ""));
+ fprintf(stderr,
+ "DEBUG: beh: Using device URI: %s\n",
+ uri);
+
+- retval = system(cmdline) >> 8;
++ if ((pid = fork()) == 0)
++ {
++ retval = execv(backend_path, backend_argv);
++
++ if (retval == -1)
++ fprintf(stderr, "ERROR: Unable to execute backend: %s\n",
++ strerror(errno));
++ exit (CUPS_BACKEND_FAILED);
++ }
++ else if (pid < 0)
++ {
++ fprintf(stderr, "ERROR: Unable to fork for backend\n");
++ return (CUPS_BACKEND_FAILED);
++ }
++
++ while ((wait_pid = wait(&wait_status)) < 0 && errno == EINTR);
+
+- if (retval == -1)
+- fprintf(stderr, "ERROR: Unable to execute backend command line: %s\n",
+- strerror(errno));
++ if (wait_pid >= 0 && wait_status)
++ {
++ if (WIFEXITED(wait_status))
++ retval = WEXITSTATUS(wait_status);
++ else if (WTERMSIG(wait_status) != SIGTERM)
++ retval = WTERMSIG(wait_status);
++ else
++ retval = 0;
++ }
+
+ return (retval);
+ }
+@@ -277,8 +336,10 @@
+ sigterm_handler(int sig) { /* I - Signal number (unused) */
+ (void)sig;
+
+- fprintf(stderr,
+- "DEBUG: beh: Job canceled.\n");
++ const char * const msg = "DEBUG: beh: Job canceled.\n";
++ // The if() is to eliminate the return value and silence the warning
++ // about an unused return value.
++ if (write(2, msg, strlen(msg)));
+
+ if (job_canceled)
+ _exit(CUPS_BACKEND_OK);
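Review bot: In the new fork/exec path of backend/beh.c, a `wait()` that fails for any reason other than EINTR leaves `retval` at its initial 0, so the caller is told the backend succeeded when its exit status was never collected. The loop also reaps whichever child exits first rather than the one just forked; `while ((wait_pid = waitpid(pid, &wait_status, 0)) < 0 && errno == EINTR);` followed by `if (wait_pid < 0) retval = CUPS_BACKEND_FAILED;` would close both gaps. Separately, returning `WTERMSIG(wait_status)` as the exit code puts signal numbers into the same small-integer space as the CUPS_BACKEND_* codes, so a crashed backend may be read as a retry or hold request rather than a failure; mapping any non-SIGTERM signal death to `CUPS_BACKEND_FAILED` looks safer, though how the scheduler treats these values is not visible here. The enclosing function begins above the inner hunk, so whether other children exist cannot be confirmed from this page.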
diff --git a/source/ap/cups-filters/cups-filters.SlackBuild b/source/ap/cups-filters/cups-filters.SlackBuild
index 05f90d9a4..a43530823 100755
--- a/source/ap/cups-filters/cups-filters.SlackBuild
+++ b/source/ap/cups-filters/cups-filters.SlackBuild
@@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd)
PKGNAM=cups-filters
VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
# Automatically determine the architecture we're building on:
if [ -z "$ARCH" ]; then
@@ -78,6 +78,8 @@ find . \
\( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
-exec chmod 644 {} \+
+zcat $CWD/CVE-2023-24805.patch.gz | patch -p1 --verbose || exit 1
+
if [ ! -r configure ]; then
if [ -x ./autogen.sh ]; then
NOCONFIGURE=1 ./autogen.sh
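Review bot: The added `zcat $CWD/CVE-2023-24805.patch.gz | patch -p1 --verbose || exit 1` tests only the exit status of `patch`, so a missing or unreadable archive is not caught by the `|| exit 1` unless `patch` itself rejects the empty input. This commit adds the file as `CVE-2023-24805.patch` while the script reads `CVE-2023-24805.patch.gz`; the compression step is presumably done elsewhere in the tree, but if it is skipped the package could build without the security fix. A guard such as `[ -r "$CWD/CVE-2023-24805.patch.gz" ] || exit 1` before the pipeline, with `$CWD` quoted, makes that failure explicit. The script continues outside the hunk, so a `set -o pipefail` earlier in the file cannot be ruled out.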