Small security patch from upstream cvs #69212 and install more pam.d files #69895.

author: Mike Frysinger <vapier@gentoo.org> 2004-11-03 17:58:23 +0000
committer: Mike Frysinger <vapier@gentoo.org> 2004-11-03 17:58:23 +0000
commit: 6768ba5b81b12de9fe6596f0dbaafc7e4fbf40b4 (patch)
tree: b621aad4bed0135f540779b0c495dfe8ae4edc63 /sys-apps
parent: integer overflow vulnerability, #69936 (diff)
download: historical-6768ba5b81b12de9fe6596f0dbaafc7e4fbf40b4.tar.gz
historical-6768ba5b81b12de9fe6596f0dbaafc7e4fbf40b4.tar.bz2
historical-6768ba5b81b12de9fe6596f0dbaafc7e4fbf40b4.zip
6 files changed, 219 insertions, 7 deletions
diff --git a/sys-apps/shadow/ChangeLog b/sys-apps/shadow/ChangeLog
index eef46b704088..db648d9906a0 100644
--- a/sys-apps/shadow/ChangeLog
+++ b/sys-apps/shadow/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for sys-apps/shadow
 # Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/shadow/ChangeLog,v 1.82 2004/11/02 20:10:00 eradicator Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/shadow/ChangeLog,v 1.83 2004/11/03 17:58:23 vapier Exp $
+
+*shadow-4.0.5-r1 (03 Nov 2004)
+
+  03 Nov 2004; Mike Frysinger <vapier@gentoo.org>
+  +files/shadow-4.0.5-remove-else.patch, +shadow-4.0.5-r1.ebuild,
+  shadow-4.0.5.ebuild:
+  Small security patch from upstream cvs #69212 and install more pam.d files
+  #69895.
 
   02 Nov 2004; Jeremy Huddleston <eradicator@gentoo.org>
   shadow-4.0.5.ebuild:
diff --git a/sys-apps/shadow/Manifest b/sys-apps/shadow/Manifest
index 31cad62b4ca8..743623238bf2 100644
--- a/sys-apps/shadow/Manifest
+++ b/sys-apps/shadow/Manifest
@@ -1,10 +1,11 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 
-MD5 dc49d5a6adedfeaad0c322fe6295f400 ChangeLog 15305
+MD5 29fe43bd59a344aefa4c8fca5dcaf34b ChangeLog 15560
 MD5 9a09f8d531c582e78977dbfd96edc1f2 metadata.xml 164
+MD5 4197b8e41821d02f449941e6815b1dd2 shadow-4.0.5.ebuild 5098
 MD5 23ef7363bf5ffa1d0f3343ff2a618e5d shadow-4.0.4.1-r4.ebuild 5943
-MD5 62785e1a26fe63b7ccc57707e6d16270 shadow-4.0.5.ebuild 5068
+MD5 8129c7ef42c602e442d848ef234d0e3f shadow-4.0.5-r1.ebuild 5234
 MD5 cef6788bc7c8c5468c1b1f68df77ed9e files/digest-shadow-4.0.4.1-r4 67
 MD5 2d2faa6b9a837f9319de52a780485743 files/securetty 243
 MD5 058f760e522ab65e270293003805fe61 files/shadow-4.0.4.1-userdel-missing-brackets.patch 380
@@ -13,11 +14,13 @@ MD5 d8b8542a7bc013011a293732ca504a50 files/digest-shadow-4.0.5 66
 MD5 c31db5c71b0cdfca75346abc2887aa02 files/shadow-4.0.5-nls-manpages.patch 362
 MD5 38ab75648a10b5d49d2aaffab77d787e files/shadow-4.0.5-login.defs.patch 753
 MD5 636f233fa173a998195016c3808173d4 files/shadow-4.0.5-skey.patch 395
+MD5 d8b8542a7bc013011a293732ca504a50 files/digest-shadow-4.0.5-r1 66
 MD5 aaf16ddabef285df169e37254b13561c files/shadow-4.0.4.1-selinux.diff 4296
 MD5 201f1321262da41ccd1a0283216ae9a7 files/shadow-4.0.4.1-su-pam_open_session.patch 4886
 MD5 bb55107c3a9354ef2d1977547fdb5a83 files/shadow-4.0.4.1-useradd-manpage-update.patch 958
 MD5 7becc41b4f7264483ee3ff0ca8277084 files/shadow-4.0.4.1-passwd-typo.patch 438
 MD5 b8efca60a25e256eebe54c3d0db0760f files/shadow-4.0.4.1-gcc34-xmalloc.patch 361
+MD5 391991f50203bd8b7738474051befdee files/shadow-4.0.5-remove-else.patch 531
 MD5 020e030c2d09b206e88cf9051ced6244 files/shadow-4.0.4.1-nonis.patch 1504
 MD5 6e0bc0211949c624da0ea08d994a7038 files/default/useradd 96
 MD5 51b0337bd261f6ed5e53af5dc196431a files/pam.d/system-auth 499
@@ -30,7 +33,7 @@ MD5 1baa646400c4a596290e9d4b9e1c09b2 files/pam.d/system-auth-1.1 491
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.9.10 (GNU/Linux)
 
-iD8DBQFBiPFMHTu7gpaalycRAuVGAJwIbRA43mbN09W+dG2bW8K3IFYkjACfWOK0
-cxkMVbXiKDIK9OYMJC5RaEo=
-=un4Y
+iD8DBQFBiRxuHTu7gpaalycRAiPpAJ4pYqOPM5b2iSwmgEIDRwO7LbsXFACfcw9V
+D5gek/wZlm3dZTqWkrLD8bE=
+=SDkZ
 -----END PGP SIGNATURE-----
diff --git a/sys-apps/shadow/files/digest-shadow-4.0.5-r1 b/sys-apps/shadow/files/digest-shadow-4.0.5-r1
new file mode 100644
index 000000000000..00b3a379adf1
--- /dev/null
+++ b/sys-apps/shadow/files/digest-shadow-4.0.5-r1
@@ -0,0 +1 @@
+MD5 cca17a4843a3b5b324a5398faf81c3b4 shadow-4.0.5.tar.bz2 1012361
diff --git a/sys-apps/shadow/files/shadow-4.0.5-remove-else.patch b/sys-apps/shadow/files/shadow-4.0.5-remove-else.patch
new file mode 100644
index 000000000000..fc375e81fd4f
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.0.5-remove-else.patch
@@ -0,0 +1,16 @@
+===================================================================
+RCS file: /cvsroot/shadow/libmisc/pwdcheck.c,v
+retrieving revision 1.3
+retrieving revision 1.4
+diff -u -r1.3 -r1.4
+--- shadow/libmisc/pwdcheck.c	2004/06/02 23:50:10	1.3
++++ shadow/libmisc/pwdcheck.c	2004/11/02 18:46:30	1.4
+@@ -34,7 +34,7 @@
+ 	retcode = pam_acct_mgmt (pamh, 0);
+ 	if (retcode == PAM_NEW_AUTHTOK_REQD)
+ 		retcode = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+-	else if (retcode)
++	if (retcode)
+ 		goto bailout;
+ 
+ 	if (pam_setcred (pamh, 0))
diff --git a/sys-apps/shadow/shadow-4.0.5-r1.ebuild b/sys-apps/shadow/shadow-4.0.5-r1.ebuild
new file mode 100644
index 000000000000..343a5c83743e
--- /dev/null
+++ b/sys-apps/shadow/shadow-4.0.5-r1.ebuild
@@ -0,0 +1,183 @@
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/shadow/shadow-4.0.5-r1.ebuild,v 1.1 2004/11/03 17:58:23 vapier Exp $
+
+inherit eutils libtool gnuconfig flag-o-matic
+
+FORCE_SYSTEMAUTH_UPDATE="no"
+SELINUX_PATCH="shadow-4.0.4.1-selinux.diff"
+
+DESCRIPTION="Utilities to deal with user accounts"
+HOMEPAGE="http://shadow.pld.org.pl/"
+SRC_URI="ftp://ftp.pld.org.pl/software/shadow/${P}.tar.bz2"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sparc x86"
+IUSE="pam selinux nls skey"
+
+RDEPEND=">=sys-libs/cracklib-2.7-r3
+	pam? ( >=sys-libs/pam-0.75-r4 )
+	!pam? ( !virtual/login )
+	skey? ( app-admin/skey )
+	selinux? ( sys-libs/libselinux )"
+DEPEND="${DEPEND}
+	>=sys-apps/portage-2.0.51-r2
+	nls? ( sys-devel/gettext )"
+#this requires a newer portage (>2.0.51-r2)
+#PROVIDE="!pam? ( virtual/login )"
+
+pkg_preinst() {
+	rm -f ${ROOT}/etc/pam.d/system-auth.new
+}
+
+src_unpack() {
+	unpack ${A}
+	cd ${S}
+
+	# uclibc support, corrects NIS usage
+	epatch ${FILESDIR}/shadow-4.0.4.1-nonis.patch
+
+	# If su should not simulate a login shell, use '/bin/sh' as shell to enable
+	# running of commands as user with /bin/false as shell, closing bug #15015.
+	# *** This one could be a security hole; disable for now ***
+	#epatch ${FILESDIR}/${P}-nologin-run-sh.patch
+
+	# don't install manpages if USE=-nls
+	epatch ${FILESDIR}/shadow-${PV}-nls-manpages.patch
+
+	# tweak the default login.defs
+	epatch ${FILESDIR}/shadow-${PV}-login.defs.patch
+
+	# fix small graphical typo in passwd.1 #68150
+	epatch ${FILESDIR}/shadow-4.0.4.1-passwd-typo.patch
+
+	# skeychallenge call needs updating #69741
+	epatch ${FILESDIR}/shadow-${PV}-skey.patch
+
+	# remove an extra else #69212
+	epatch ${FILESDIR}/shadow-${PV}-remove-else.patch
+
+	# Allows shadow configure detect newer systems properly
+	gnuconfig_update
+	elibtoolize
+}
+
+src_compile() {
+	append-ldflags -Wl,-z,now
+	econf \
+		--disable-desrpc \
+		--with-libcrypt \
+		--with-libcrack \
+		--enable-shared=no \
+		--enable-static=yes \
+		$(use_with pam libpam) \
+		$(use_with skey libskey) \
+		$(use_with selinux) \
+		$(use_enable nls) \
+		|| die "bad configure"
+	emake || die "compile problem"
+}
+
+src_install() {
+	make DESTDIR=${D} install || die "install problem"
+	dosym useradd /usr/sbin/adduser
+
+	# lock down setuid perms #47208
+	fperms go-r /bin/su /usr/bin/ch{fn,sh,age} \
+		/usr/bin/{expiry,newgrp,passwd,gpasswd} || die "fperms"
+
+	# Remove libshadow and libmisc; see bug 37725 and the following
+	# comment from shadow's README.linux:
+	#   Currently, libshadow.a is for internal use only, so if you see
+	#   -lshadow in a Makefile of some other package, it is safe to
+	#   remove it.
+	rm -f ${D}/lib/lib{misc,shadow}.{a,la}
+
+	# Do not install this login, but rather the one from
+	# pam-login, as this one have a serious root exploit
+	# with pam support enabled.
+	use pam && rm ${D}/bin/login
+
+	insinto /etc
+	# Using a securetty with devfs device names added
+	# (compat names kept for non-devfs compatibility)
+	insopts -m0600 ; doins ${FILESDIR}/securetty
+	insopts -m0600 ; doins etc/login.access
+	insopts -m0644 ; doins etc/limits
+
+	# needed for 'adduser -D'
+	insinto /etc/default
+	insopts -m0600
+	doins ${FILESDIR}/default/useradd
+
+	# move passwd to / to help recover broke systems #64441
+	mv ${D}/usr/bin/passwd ${D}/bin/
+	dosym /bin/passwd /usr/bin/passwd
+
+	if use pam ; then
+		insinto /etc/pam.d ; insopts -m0644
+		for x in ${FILESDIR}/pam.d/*; do
+			[ -f ${x} ] && doins ${x}
+		done
+		cd ${FILESDIR}/pam.d
+		# Make sure /etc/pam.d/system-auth is the new version ..
+		mv ${D}/etc/pam.d/system-auth-1.1 ${D}/etc/pam.d/system-auth
+		newins system-auth-1.1 system-auth.new || die
+		for x in chage chsh chfn chpasswd newusers \
+		         user{add,del,mod} group{add,del,mod} ; do
+			newins shadow ${x}
+		done
+
+		# remove manpages that pam will install for us
+		# and/or don't apply when using pam
+
+		find ${D}/usr/share/man \
+			'(' -name 'login.1' -o -name 'suauth.5' ')' \
+			-exec rm {} \;
+	else
+		insinto /etc
+		insopts -m0644
+		newins etc/login.defs.linux login.defs
+	fi
+
+	# Remove manpages that are handled by other packages
+	find ${D}/usr/share/man \
+		'(' -name id.1 -o -name passwd.5 -o name getspnam.3 ')' \
+		-exec rm {} \;
+
+	cd ${S}/doc
+	dodoc INSTALL README WISHLIST
+	docinto txt
+	dodoc HOWTO LSM README.* *.txt
+
+	# ttyB0 is the PDC software console
+	if [ "${ARCH}" = "hppa" ]
+	then
+		echo "ttyB0" >> ${D}/etc/securetty
+	fi
+}
+
+pkg_postinst() {
+	use pam || return 0;
+	local CHECK1="$(md5sum ${ROOT}/etc/pam.d/system-auth | cut -d ' ' -f 1)"
+	local CHECK2="$(md5sum ${ROOT}/etc/pam.d/system-auth.new | cut -d ' ' -f 1)"
+
+	if [ "${CHECK1}" != "${CHECK2}" -a "${FORCE_SYSTEMAUTH_UPDATE}" = "yes" ]
+	then
+		ewarn "Due to a security issue, ${ROOT}etc/pam.d/system-auth "
+		ewarn "is being updated automatically. Your old "
+		ewarn "system-auth will be backed up as:"
+		ewarn
+		ewarn "  ${ROOT}etc/pam.d/system-auth.bak"
+		echo
+
+		cp -a ${ROOT}/etc/pam.d/system-auth \
+			${ROOT}/etc/pam.d/system-auth.bak;
+		mv -f ${ROOT}/etc/pam.d/system-auth.new \
+			${ROOT}/etc/pam.d/system-auth
+		rm -f ${ROOT}/etc/pam.d/._cfg????_system-auth
+	else
+		rm -f ${ROOT}/etc/pam.d/system-auth.new
+	fi
+}
diff --git a/sys-apps/shadow/shadow-4.0.5.ebuild b/sys-apps/shadow/shadow-4.0.5.ebuild
index 368b0022447d..cb27fcb7b25e 100644
--- a/sys-apps/shadow/shadow-4.0.5.ebuild
+++ b/sys-apps/shadow/shadow-4.0.5.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2004 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/shadow/shadow-4.0.5.ebuild,v 1.12 2004/11/03 14:52:20 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/shadow/shadow-4.0.5.ebuild,v 1.13 2004/11/03 17:58:23 vapier Exp $
 
 inherit eutils libtool gnuconfig flag-o-matic
 
@@ -22,6 +22,7 @@ RDEPEND=">=sys-libs/cracklib-2.7-r3
 	skey? ( app-admin/skey )
 	selinux? ( sys-libs/libselinux )"
 DEPEND="${DEPEND}
+	>=sys-apps/portage-2.0.51-r2
 	nls? ( sys-devel/gettext )"
 #this requires a newer portage (>2.0.51-r2)
 #PROVIDE="!pam? ( virtual/login )"
author	Mike Frysinger <vapier@gentoo.org>	2004-11-03 17:58:23 +0000
committer	Mike Frysinger <vapier@gentoo.org>	2004-11-03 17:58:23 +0000
commit	6768ba5b81b12de9fe6596f0dbaafc7e4fbf40b4 (patch)
tree	b621aad4bed0135f540779b0c495dfe8ae4edc63 /sys-apps
parent	integer overflow vulnerability, #69936 (diff)
download	historical-6768ba5b81b12de9fe6596f0dbaafc7e4fbf40b4.tar.gz historical-6768ba5b81b12de9fe6596f0dbaafc7e4fbf40b4.tar.bz2 historical-6768ba5b81b12de9fe6596f0dbaafc7e4fbf40b4.zip