From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 294711382C5 for ; Thu, 12 Apr 2018 13:50:44 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 55F81E086A; Thu, 12 Apr 2018 13:50:43 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 1DB42E086A for ; Thu, 12 Apr 2018 13:50:42 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 18966335C43 for ; Thu, 12 Apr 2018 13:50:40 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 31EC1278 for ; Thu, 12 Apr 2018 13:50:38 +0000 (UTC) From: "Lars Wendler" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Lars Wendler" Message-ID: <1523541034.067ef63075c8f2348bd6c2c9d213093f7b4e892f.polynomial-c@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: sys-apps/shadow/files/ X-VCS-Repository: repo/gentoo X-VCS-Files: sys-apps/shadow/files/shadow-4.4-CVE-2017-2616.patch sys-apps/shadow/files/shadow-4.4-load_defaults.patch sys-apps/shadow/files/shadow-4.4-prototypes.patch sys-apps/shadow/files/shadow-4.4-su-snprintf.patch X-VCS-Directories: sys-apps/shadow/files/ X-VCS-Committer: polynomial-c X-VCS-Committer-Name: Lars Wendler X-VCS-Revision: 067ef63075c8f2348bd6c2c9d213093f7b4e892f X-VCS-Branch: master Date: Thu, 12 Apr 2018 13:50:38 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 00dbed1d-0089-450a-8c8b-05f23f5091a9 X-Archives-Hash: 158af2f53692b0efbbb917cb68304651 commit: 067ef63075c8f2348bd6c2c9d213093f7b4e892f Author: Michael Mair-Keimberger gmail com> AuthorDate: Thu Apr 12 13:25:40 2018 +0000 Commit: Lars Wendler gentoo org> CommitDate: Thu Apr 12 13:50:34 2018 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=067ef630 sys-apps/shadow: remove unused patches Closes: https://github.com/gentoo/gentoo/pull/7956 .../shadow/files/shadow-4.4-CVE-2017-2616.patch | 62 ---------------------- .../shadow/files/shadow-4.4-load_defaults.patch | 37 ------------- sys-apps/shadow/files/shadow-4.4-prototypes.patch | 42 --------------- sys-apps/shadow/files/shadow-4.4-su-snprintf.patch | 29 ---------- 4 files changed, 170 deletions(-) diff --git a/sys-apps/shadow/files/shadow-4.4-CVE-2017-2616.patch b/sys-apps/shadow/files/shadow-4.4-CVE-2017-2616.patch deleted file mode 100644 index b788ec35342..00000000000 --- a/sys-apps/shadow/files/shadow-4.4-CVE-2017-2616.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann -Date: Thu, 23 Feb 2017 09:47:29 -0600 -Subject: [PATCH] su: properly clear child PID - -If su is compiled with PAM support, it is possible for any local user -to send SIGKILL to other processes with root privileges. There are -only two conditions. First, the user must be able to perform su with -a successful login. This does NOT have to be the root user, even using -su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL -can only be sent to processes which were executed after the su process. -It is not possible to send SIGKILL to processes which were already -running. I consider this as a security vulnerability, because I was -able to write a proof of concept which unlocked a screen saver of -another user this way. ---- - src/su.c | 19 +++++++++++++++++-- - 1 file changed, 17 insertions(+), 2 deletions(-) - -diff --git a/src/su.c b/src/su.c -index f20d230..d86aa86 100644 ---- a/src/su.c -+++ b/src/su.c -@@ -379,11 +379,13 @@ static void prepare_pam_close_session (void) - /* wake child when resumed */ - kill (pid, SIGCONT); - stop = false; -+ } else { -+ pid_child = 0; - } - } while (!stop); - } - -- if (0 != caught) { -+ if (0 != caught && 0 != pid_child) { - (void) fputs ("\n", stderr); - (void) fputs (_("Session terminated, terminating shell..."), - stderr); -@@ -393,9 +395,22 @@ static void prepare_pam_close_session (void) - snprintf (wait_msg, sizeof wait_msg, _(" ...waiting for child to terminate.\n")); - - (void) signal (SIGALRM, kill_child); -+ (void) signal (SIGCHLD, catch_signals); - (void) alarm (2); - -- (void) wait (&status); -+ sigemptyset (&ourset); -+ if ((sigaddset (&ourset, SIGALRM) != 0) -+ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) { -+ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog); -+ kill_child (0); -+ } else { -+ while (0 == waitpid (pid_child, &status, WNOHANG)) { -+ sigsuspend (&ourset); -+ } -+ pid_child = 0; -+ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL); -+ } -+ - (void) fputs (_(" ...terminated.\n"), stderr); - } - diff --git a/sys-apps/shadow/files/shadow-4.4-load_defaults.patch b/sys-apps/shadow/files/shadow-4.4-load_defaults.patch deleted file mode 100644 index 4c0b84f6803..00000000000 --- a/sys-apps/shadow/files/shadow-4.4-load_defaults.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 507f96cdeb54079fb636c7ce21e371f7a16a520e Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Thu, 25 Aug 2016 11:20:34 +0200 -Subject: [PATCH] Fix regression in useradd not loading defaults properly. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The get_defaults() has to be called before processing the flags. - -Signed-off-by: Tomáš Mráz ---- - src/useradd.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/useradd.c b/src/useradd.c -index fefa234..6c43e7e 100644 ---- a/src/useradd.c -+++ b/src/useradd.c -@@ -2027,6 +2027,8 @@ int main (int argc, char **argv) - is_shadow_grp = sgr_file_present (); - #endif - -+ get_defaults (); -+ - process_flags (argc, argv); - - #ifdef ENABLE_SUBIDS -@@ -2036,8 +2038,6 @@ int main (int argc, char **argv) - (!user_id || (user_id <= uid_max && user_id >= uid_min)); - #endif /* ENABLE_SUBIDS */ - -- get_defaults (); -- - #ifdef ACCT_TOOLS_SETUID - #ifdef USE_PAM - { diff --git a/sys-apps/shadow/files/shadow-4.4-prototypes.patch b/sys-apps/shadow/files/shadow-4.4-prototypes.patch deleted file mode 100644 index 5209a2988f7..00000000000 --- a/sys-apps/shadow/files/shadow-4.4-prototypes.patch +++ /dev/null @@ -1,42 +0,0 @@ -https://github.com/shadow-maint/shadow/pull/53 - -From 32c0b283ef5d68b63e4ec05fb22ed0db938fea67 Mon Sep 17 00:00:00 2001 -From: Mike Frysinger -Date: Mon, 5 Dec 2016 17:15:29 -0500 -Subject: [PATCH] include getdef.h for getdef_bool prototype - -Otherwise we get build warnings like: -sgroupio.c:255:6: warning: implicit declaration of function 'getdef_bool' [-Wimplicit-function-declaration] -shadowio.c:131:6: warning: implicit declaration of function 'getdef_bool' [-Wimplicit-function-declaration] ---- - lib/sgroupio.c | 1 + - lib/shadowio.c | 1 + - 2 files changed, 2 insertions(+) - -diff --git a/lib/sgroupio.c b/lib/sgroupio.c -index f2685779a12b..5423626a01da 100644 ---- a/lib/sgroupio.c -+++ b/lib/sgroupio.c -@@ -40,6 +40,7 @@ - #include "prototypes.h" - #include "defines.h" - #include "commonio.h" -+#include "getdef.h" - #include "sgroupio.h" - - /*@null@*/ /*@only@*/struct sgrp *__sgr_dup (const struct sgrp *sgent) -diff --git a/lib/shadowio.c b/lib/shadowio.c -index 6e44ab24d69c..5fa3d312bbf9 100644 ---- a/lib/shadowio.c -+++ b/lib/shadowio.c -@@ -40,6 +40,7 @@ - #include - #include - #include "commonio.h" -+#include "getdef.h" - #include "shadowio.h" - #ifdef WITH_TCB - #include --- -2.11.0.rc2 - diff --git a/sys-apps/shadow/files/shadow-4.4-su-snprintf.patch b/sys-apps/shadow/files/shadow-4.4-su-snprintf.patch deleted file mode 100644 index 45667c8e4bf..00000000000 --- a/sys-apps/shadow/files/shadow-4.4-su-snprintf.patch +++ /dev/null @@ -1,29 +0,0 @@ -fix from upstream - -From 67d2bb6e0a5ac124ce1f026dd5723217b1493194 Mon Sep 17 00:00:00 2001 -From: Serge Hallyn -Date: Sun, 18 Sep 2016 21:31:18 -0500 -Subject: [PATCH] su.c: fix missing length argument to snprintf - ---- - src/su.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/su.c b/src/su.c -index 0c50a9456afd..93ffd2fbe2b4 100644 ---- a/src/su.c -+++ b/src/su.c -@@ -373,8 +373,8 @@ static void prepare_pam_close_session (void) - stderr); - (void) kill (-pid_child, caught); - -- snprintf (kill_msg, _(" ...killed.\n")); -- snprintf (wait_msg, _(" ...waiting for child to terminate.\n")); -+ snprintf (kill_msg, 256, _(" ...killed.\n")); -+ snprintf (wait_msg, 256, _(" ...waiting for child to terminate.\n")); - - (void) signal (SIGALRM, kill_child); - (void) alarm (2); --- -2.11.0.rc2 -