author | Dave Cobbley <david.j.cobbley@linux.intel.com> | 2018-08-14 20:05:37 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-08-23 04:26:31 +0300 |
commit | eb8dc40360f0cfef56fb6947cc817a547d6d9bc6 (patch) | |
tree | de291a73dc37168da6370e2cf16c347d1eba9df8 /meta-security/recipes-security/libgssglue | |
parent | 9c3cf826d853102535ead04cebc2d6023eff3032 (diff) | |
[Subtree] Removing import-layers directory
As part of the move to subtrees, need to bring all the import layers
content to the top level.
Change-Id: I4a163d10898cbc6e11c27f776f60e1a470049d8f
Signed-off-by: Dave Cobbley <david.j.cobbley@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'meta-security/recipes-security/libgssglue')
6 files changed, 223 insertions, 0 deletions
diff --git a/meta-security/recipes-security/libgssglue/files/libgssglue-canon-name.patch b/meta-security/recipes-security/libgssglue/files/libgssglue-canon-name.patch
new file mode 100644
index 000000000..cb7c47b3f
--- /dev/null
+++ b/meta-security/recipes-security/libgssglue/files/libgssglue-canon-name.patch
@@ -0,0 +1,60 @@
+fix the bug:
+g_canon_name.c:125:5: warning: passing argument 2 of '__gss_copy_namebuf' from incompatible pointer type [enabled by default]
+
+the 2nd argument of __gss_copy_namebuf should be address of *gss_buffer_t, \
+but a *gss_buffer_t is assigned.
+
+what __gss_copy_namebuf does is to alloc memory for a gss_buffer_desc and \
+copy from src and return its address.
+
+if following code failed, gss_release_name will free \
+union_canon_name->external_name.value if it is not NULL.
+
+OM_uint32 __gss_copy_namebuf(src, dest)
+ gss_buffer_t src;
+ gss_buffer_t *dest;
+
+typedef struct gss_union_name_t {
+ gss_mechanism gss_mech;
+ gss_OID name_type;
+ gss_buffer_desc external_name;
+ /*
+ * These last two fields are only filled in for mechanism
+ * names.
+ */
+ gss_OID mech_type;
+ gss_name_t mech_name;
+} gss_union_name_desc, *gss_union_name_t;
+
+typedef struct gss_buffer_desc_struct {
+ size_t length;
+ void FAR *value;
+} gss_buffer_desc, FAR *gss_buffer_t;
+
+Upstream-Status: Pending
+Signed-off-by: Yao Zhao <yao.zhao@windriver.com>
+
+--- a/src/g_canon_name.c
++++ b/src/g_canon_name.c
+@@ -121,11 +121,17 @@ gss_canonicalize_name (OM_uint32 *minor_
+
+ union_canon_name->mech_name = mech_name;
+
+- status = __gss_copy_namebuf(&union_input_name->external_name,
+- &union_canon_name->external_name);
+- if (status != GSS_S_COMPLETE)
+- goto failure;
++ union_canon_name->external_name.value = (void*) malloc(
++ union_input_name->external_name.length + 1);
++ if (!union_canon_name->external_name.value)
++ goto failure;
+
++ memcpy(union_canon_name->external_name.value,
++ union_input_name->external_name.value,
++ union_input_name->external_name.length);
++ union_canon_name->external_name.length =
++ union_input_name->external_name.length;
++
+ if (union_input_name->name_type != GSS_C_NO_OID) {
+ status = generic_gss_copy_oid(minor_status,
+ union_input_name->name_type,
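Review bot: In libgssglue-canon-name.patch the replacement for `__gss_copy_namebuf` allocates `external_name.length + 1` bytes but the `memcpy` fills only `length` of them, so the last byte stays uninitialized and any consumer that treats `external_name.value` as a C string would read undefined data. I would terminate the copy right after the `memcpy` with `((char *)union_canon_name->external_name.value)[union_input_name->external_name.length] = '\0';`. The new `goto failure` on a failed `malloc` also no longer assigns `status`, and nothing here sets `*minor_status`, so what the caller sees depends on a value set earlier in `gss_canonicalize_name`, which starts and ends outside this hunk. Setting `status = GSS_S_FAILURE;` and `*minor_status = ENOMEM;` before the jump would make that error path explicit.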
diff --git a/meta-security/recipes-security/libgssglue/files/libgssglue-fix-CVE-2011-2709.patch b/meta-security/recipes-security/libgssglue/files/libgssglue-fix-CVE-2011-2709.patch
new file mode 100644
index 000000000..6aa1a657a
--- /dev/null
+++ b/meta-security/recipes-security/libgssglue/files/libgssglue-fix-CVE-2011-2709.patch
@@ -0,0 +1,43 @@
+Use secure_getenv instead of getenv for setuid programs
+
+(bnc#694598 CVE-2011-2709 bnc#831805)
+
+import from:
+https://build.opensuse.org/package/view_file/openSUSE:Factory/libgssglue/secure-getenv.patch
+
+Upstream-Status: Pending
+
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+
+diff --git a/src/g_initialize.c b/src/g_initialize.c
+index 200f173..935a9fa 100644
+--- a/src/g_initialize.c
++++ b/src/g_initialize.c
+@@ -26,6 +26,7 @@
+ * This function will initialize the gssapi mechglue library
+ */
+
++#define _GNU_SOURCE
+ #include "mglueP.h"
+ #include <stdlib.h>
+
+@@ -197,8 +198,7 @@ static void solaris_initialize ()
+ void *dl;
+ gss_mechanism (*sym)(void), mech;
+
+- if ((getuid() != geteuid()) ||
+- ((filename = getenv("GSSAPI_MECH_CONF")) == NULL))
++ if ((filename = secure_getenv("GSSAPI_MECH_CONF")) == NULL)
+ filename = MECH_CONF;
+
+ if ((conffile = fopen(filename, "r")) == NULL) {
+@@ -274,8 +274,7 @@ static void linux_initialize ()
+ void *dl;
+ gss_mechanism (*sym)(void), mech;
+
+- if ((getuid() != geteuid()) ||
+- ((filename = getenv("GSSAPI_MECH_CONF")) == NULL))
++ if ((filename = secure_getenv("GSSAPI_MECH_CONF")) == NULL)
+ filename = MECH_CONF;
+
+ if ((conffile = fopen(filename, "r")) == NULL) {
diff --git a/meta-security/recipes-security/libgssglue/files/libgssglue-g-initialize.patch b/meta-security/recipes-security/libgssglue/files/libgssglue-g-initialize.patch
new file mode 100644
index 000000000..4a9ba3322
--- /dev/null
+++ b/meta-security/recipes-security/libgssglue/files/libgssglue-g-initialize.patch
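Review bot: `secure_getenv` in libgssglue-fix-CVE-2011-2709.patch is called unconditionally in both `solaris_initialize` and `linux_initialize`, with no configure-time check or fallback added by the patch. It is a GNU extension (hence the added `#define _GNU_SOURCE`), so on a C library that lacks it the call would at best fail to link and at worst compile as an implicitly declared function returning `int`, truncating the pointer. A check such as `AC_CHECK_FUNCS([secure_getenv])`, with the old `getuid() != geteuid()` test kept under `#ifndef HAVE_SECURE_GETENV`, would preserve the hardening on every target. A short comment above each call, e.g. `/* secure_getenv: ignore GSSAPI_MECH_CONF in setuid/setgid processes (CVE-2011-2709) */`, would also keep a later cleanup from reverting to plain `getenv`. Both functions continue outside the hunks shown.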
@@ -0,0 +1,21 @@
+Fix the warning for getuid, geteuid
+g_initialize.c: In function 'linux_initialize':
+g_initialize.c:275:5: warning: implicit declaration of function 'getuid' [-Wimplicit-function-declaration]
+g_initialize.c:275:5: warning: implicit declaration of function 'geteuid' [-Wimplicit-function-declaration]
+
+Upstream-Status: Pending
+Signed-off-by: Yao Zhao <yao.zhao@windriver.com>
+
+diff --git a/src/g_initialize.c b/src1/g_initialize.c
+index 82fcce1..200f173 100644
+--- a/src/g_initialize.c
++++ b/src/g_initialize.c
+@@ -29,6 +29,8 @@
+ #include "mglueP.h"
+ #include <stdlib.h>
+
++#include <unistd.h> /*getuid, geteuid */
++#include <sys/types.h>
+ #include <stdio.h>
+ #include <string.h>
+ #include <ctype.h>
diff --git a/meta-security/recipes-security/libgssglue/files/libgssglue-gss-inq-cred.patch b/meta-security/recipes-security/libgssglue/files/libgssglue-gss-inq-cred.patch
new file mode 100644
index 000000000..6dce3e737
--- /dev/null
+++ b/meta-security/recipes-security/libgssglue/files/libgssglue-gss-inq-cred.patch
@@ -0,0 +1,27 @@
+1) add free if malloc failed for (*mechanisms)->elements
+2) g_inq_cred.c: In function 'gss_inquire_cred':
+g_inq_cred.c:161:8: warning: passing argument 3 of 'generic_gss_copy_oid' from incompatible pointer type [enabled by default]
+
+Upstream-Status: Pending
+Signed-off-by: Yao Zhao <yao.zhao@windriver.com>
+
+--- a/src/g_inq_cred.c
++++ b/src/g_inq_cred.c
+@@ -152,13 +152,15 @@ gss_OID_set * mechanisms;
+ union_cred->count);
+ if ((*mechanisms)->elements == NULL) {
+ *minor_status = ENOMEM;
++ free(*mechanisms);
++ *mechanisms = GSS_C_NO_OID_SET;
+ return (GSS_S_FAILURE);
+ }
+
+ for (i=0; i < union_cred->count; i++) {
+- status = generic_gss_copy_oid(minor_status,
++ status = generic_gss_add_oid_set_member(minor_status,
+ &union_cred->mechs_array[i],
+- &((*mechanisms)->elements[i]));
++ mechanisms);
+ if (status != GSS_S_COMPLETE)
+ break;
+ }
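Review bot: The switch to `generic_gss_add_oid_set_member(minor_status, &union_cred->mechs_array[i], mechanisms)` in libgssglue-gss-inq-cred.patch keeps the pre-sized `(*mechanisms)->elements` allocation just above the loop, and the two may not fit together. The helper's body is not shown here; if it appends by allocating a new `elements` array and incrementing `count`, the result is only correct when `(*mechanisms)->count` is 0 on entry to the loop, otherwise uninitialized slots would be copied into the returned set. Please confirm the initial `count`, which is set outside this hunk, and consider replacing the manual allocation with an empty set that the helper then grows. The `break` on failure also leaves a partly filled `*mechanisms`; whether it is released is decided after the loop, outside the hunk.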
diff --git a/meta-security/recipes-security/libgssglue/files/libgssglue-mglueP.patch b/meta-security/recipes-security/libgssglue/files/libgssglue-mglueP.patch
new file mode 100644
index 000000000..6c9ebf05c
--- /dev/null
+++ b/meta-security/recipes-security/libgssglue/files/libgssglue-mglueP.patch
@@ -0,0 +1,21 @@
+fix the warning:
+warning: implicit declaration of function 'generic_gss_copy_oid_set' [-Wimplicit-function-declaration]
+
+Upstream-Status: Pending
+Signed-off-by: Yao Zhao <yao.zhao@windriver.com>
+
+--- a/src/mglueP.h
++++ b/src/mglueP.h
+@@ -447,6 +447,12 @@ OM_uint32 generic_gss_copy_oid
+ gss_OID * /* new_oid */
+ );
+
++OM_uint32 generic_gss_copy_oid_set
++ (OM_uint32 *minor_status, /* minor_status */
++ const gss_OID_set_desc * const oidset, /* oid */
++ gss_OID_set *new_oidset /* new_oid */
++ );
++
+ OM_uint32 generic_gss_create_empty_oid_set
+ (OM_uint32 *, /* minor_status */
+ gss_OID_set * /* oid_set */
diff --git a/meta-security/recipes-security/libgssglue/libgssglue_0.4.bb b/meta-security/recipes-security/libgssglue/libgssglue_0.4.bb
new file mode 100644
index 000000000..f7859a71c
--- /dev/null
+++ b/meta-security/recipes-security/libgssglue/libgssglue_0.4.bb
@@ -0,0 +1,51 @@
+SUMMARY = "Exports a gssapi interface which calls other gssapi libraries"
+DESCRIPTION = "\
+This library exports a gssapi interface, but does not implement any gssapi \
+mechanisms itself; instead it calls gssapi routines in other libraries, \
+depending on the mechanism. \
+"
+
+HOMEPAGE = "http://www.citi.umich.edu/projects/nfsv4/linux/"
+SECTION = "libs"
+
+LICENSE = "BSD-3-Clause | HPND"
+
+#Copyright (c) 1996, by Sun Microsystems, Inc. HPND
+#Copyright (c) 2007 The Regents of the University of Michigan. BSD-3-Clause
+#Copyright 1995 by the Massachusetts Institute of Technology. HPND without Disclaimer
+#Copyright 1993 by OpenVision Technologies, Inc. HPND
+LIC_FILES_CHKSUM = "file://COPYING;md5=56871e72a5c475289c0d5e4ba3f2ee3a \
+ file://src/g_accept_sec_context.c;beginline=3;endline=23;md5=8a7f4017cb7f4be49f8981cb8c472690 \
+ file://src/g_ccache_name.c;beginline=1;endline=32;md5=208d4de05d5c8273963a8332f084faa7 \
+ file://src/oid_ops.c;beginline=1;endline=26;md5=1f194d148b396972da26759a8ec399f0 \
+ file://src/oid_ops.c;beginline=378;endline=398;md5=e02c165cb8383e950214baca2fbd664b \
+"
+
+SRC_URI = "http://www.citi.umich.edu/projects/nfsv4/linux/${BPN}/${BP}.tar.gz \
+ file://libgssglue-canon-name.patch \
+ file://libgssglue-gss-inq-cred.patch \
+ file://libgssglue-mglueP.patch \
+ file://libgssglue-g-initialize.patch \
+ file://libgssglue-fix-CVE-2011-2709.patch \
+"
+
+SRC_URI[md5sum] = "088797f3180702fa54e786496b32e750"
+SRC_URI[sha256sum] = "3f791a75502ba723e5e85e41e5e0c711bb89e2716b7c0ec6e74bd1df6739043a"
+
+# gssglue can use krb5, spkm3... as gssapi library, configurable
+RRECOMMENDS_${PN} += "krb5"
+
+inherit autotools
+
+do_install_append() {
+ # install some docs
+ install -d -m 0755 ${D}${docdir}/${BPN}
+ install -m 0644 ${S}/AUTHORS ${S}/ChangeLog ${S}/NEWS ${S}/README ${D}${docdir}/${BPN}
+
+ # install the gssapi_mech.conf
+ install -d -m 0755 ${D}${sysconfdir}
+ install -m 0644 ${S}/doc/gssapi_mech.conf ${D}${sysconfdir}
+
+ # change the libgssapi_krb5.so path and name(it is .so.2)
+ sed -i -e "s:/usr/lib/libgssapi_krb5.so:libgssapi_krb5.so.2:" ${D}${sysconfdir}/gssapi_mech.conf
+} |