From d5ae7d902a40f26a8c26f4c6d300226689738716 Mon Sep 17 00:00:00 2001
From: Brad Bishop <bradleyb@fuzziesquirrel.com>
Date: Thu, 14 Jun 2018 09:52:03 -0700
Subject: Sumo refresh

Update external subtrees to latest Yocto sumo.

Change-Id: I8364f32bef079841c6e57f1c587f4b1bedf62fef
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
---
 .../shadow/files/CVE-2017-2616.patch               | 64 ++++++++++++++++++++++
 .../recipes-extended/shadow/files/pam.d/chpasswd   |  2 +
 .../recipes-extended/shadow/files/pam.d/newusers   |  2 +
 poky/meta/recipes-extended/shadow/shadow.inc       |  8 ++-
 4 files changed, 74 insertions(+), 2 deletions(-)
 create mode 100644 poky/meta/recipes-extended/shadow/files/CVE-2017-2616.patch

(limited to 'poky/meta/recipes-extended/shadow')

diff --git a/poky/meta/recipes-extended/shadow/files/CVE-2017-2616.patch b/poky/meta/recipes-extended/shadow/files/CVE-2017-2616.patch
new file mode 100644
index 000000000..ee728f095
--- /dev/null
+++ b/poky/meta/recipes-extended/shadow/files/CVE-2017-2616.patch
@@ -0,0 +1,64 @@
+shadow-4.2.1: Fix CVE-2017-2616
+
+[No upstream tracking] -- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855943
+
+su: properly clear child PID
+
+If su is compiled with PAM support, it is possible for any local user
+to send SIGKILL to other processes with root privileges. There are
+only two conditions. First, the user must be able to perform su with
+a successful login. This does NOT have to be the root user, even using
+su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
+can only be sent to processes which were executed after the su process.
+It is not possible to send SIGKILL to processes which were already
+running. I consider this as a security vulnerability, because I was
+able to write a proof of concept which unlocked a screen saver of
+another user this way.
+
+Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686]
+CVE: CVE-2017-2616
+bug: 855943
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+diff --git a/src/su.c b/src/su.c
+index 3704217..1efcd61 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -363,20 +363,35 @@ static void prepare_pam_close_session (void)
+ 				/* wake child when resumed */
+ 				kill (pid, SIGCONT);
+ 				stop = false;
++			} else {
++				pid_child = 0;
+ 			}
+ 		} while (!stop);
+ 	}
+ 
+-	if (0 != caught) {
++	if (0 != caught && 0 != pid_child) {
+ 		(void) fputs ("\n", stderr);
+ 		(void) fputs (_("Session terminated, terminating shell..."),
+ 		              stderr);
+ 		(void) kill (-pid_child, caught);
+ 
+ 		(void) signal (SIGALRM, kill_child);
++		(void) signal (SIGCHLD, catch_signals);
+ 		(void) alarm (2);
+ 
+-		(void) wait (&status);
++		sigemptyset (&ourset);
++		if ((sigaddset (&ourset, SIGALRM) != 0)
++		    || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
++			fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
++			kill_child (0);
++		} else {
++			while (0 == waitpid (pid_child, &status, WNOHANG)) {
++				sigsuspend (&ourset);
++			}
++			pid_child = 0;
++			(void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
++		}
++
+ 		(void) fputs (_(" ...terminated.\n"), stderr);
+ 	}
+ 
diff --git a/poky/meta/recipes-extended/shadow/files/pam.d/chpasswd b/poky/meta/recipes-extended/shadow/files/pam.d/chpasswd
index 9e3efa68b..b769d92ba 100644
--- a/poky/meta/recipes-extended/shadow/files/pam.d/chpasswd
+++ b/poky/meta/recipes-extended/shadow/files/pam.d/chpasswd
@@ -1,4 +1,6 @@
 # The PAM configuration file for the Shadow 'chpasswd' service
 #
 
+auth       sufficient   pam_rootok.so
+account    required     pam_permit.so
 password   include      common-password
diff --git a/poky/meta/recipes-extended/shadow/files/pam.d/newusers b/poky/meta/recipes-extended/shadow/files/pam.d/newusers
index 4aa3dde48..4c59dfa47 100644
--- a/poky/meta/recipes-extended/shadow/files/pam.d/newusers
+++ b/poky/meta/recipes-extended/shadow/files/pam.d/newusers
@@ -1,4 +1,6 @@
 # The PAM configuration file for the Shadow 'newusers' service
 #
 
+auth       sufficient   pam_rootok.so
+account    required     pam_permit.so
 password   include      common-password
diff --git a/poky/meta/recipes-extended/shadow/shadow.inc b/poky/meta/recipes-extended/shadow/shadow.inc
index 673207fc9..6efe4a911 100644
--- a/poky/meta/recipes-extended/shadow/shadow.inc
+++ b/poky/meta/recipes-extended/shadow/shadow.inc
@@ -8,7 +8,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=ed80ff1c2b40843cf5768e5229cf16e5 \
 
 DEPENDS = "virtual/crypt"
 
-SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \
+UPSTREAM_CHECK_URI = "https://github.com/shadow-maint/shadow/releases"
+
+SRC_URI = "https://downloads.yoctoproject.org/mirror/sources/${BP}.tar.xz \
            file://shadow-4.1.3-dots-in-usernames.patch \
            file://usermod-fix-compilation-failure-with-subids-disabled.patch \
            file://fix-installation-failure-with-subids-disabled.patch \
@@ -16,6 +18,7 @@ SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \
            file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
            file://0001-useradd-copy-extended-attributes-of-home.patch \
            file://0001-shadow-CVE-2017-12424 \
+           file://CVE-2017-2616.patch \
            ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
            "
 
@@ -127,7 +130,8 @@ do_install_append() {
 	# Ensure that the image has as a /var/spool/mail dir so shadow can
 	# put mailboxes there if the user reconfigures shadow to its
 	# defaults (see sed below).
-	install -d ${D}${localstatedir}/spool/mail
+	install -m 0775 -d ${D}${localstatedir}/spool/mail
+	chown root:mail ${D}${localstatedir}/spool/mail
 
 	if [ -e ${WORKDIR}/pam.d ]; then
 		install -d ${D}${sysconfdir}/pam.d/
-- 
cgit v1.2.3