From 4e0f706210bde378fb97fe41fc341810f907d1d0 Mon Sep 17 00:00:00 2001 From: Gustavo Zacarias Date: Mon, 22 Dec 2014 11:26:59 -0300 Subject: [PATCH 1/5] ntp: security bump to version 4.2.8 Fixes: CVE-2014-9293 - ntpd generated a weak key for its internal use, with full administrative privileges. Attackers could use this key to reconfigure ntpd (or to exploit other vulnerabilities). CVE-2014-9294 - The ntp-keygen utility generated weak MD5 keys with insufficient entropy. CVE-2014-9295 - ntpd had several buffer overflows (both on the stack and in the data section), allowing remote authenticated attackers to crash ntpd or potentially execute arbitrary code. CVE-2014-9296 - The general packet processing function in ntpd did not handle an error case correctly. Signed-off-by: Gustavo Zacarias Signed-off-by: Thomas Petazzoni --- .../0001-fix-ntp-keygen-without-openssl.patch | 153 ++++++++++++++++++ .../{ntp-002-nano.patch => 0002-nano.patch} | 0 package/ntp/Config.in | 1 + package/ntp/ntp-001-adjtimex.patch | 33 ---- package/ntp/ntp.hash | 2 + package/ntp/ntp.mk | 16 +- 6 files changed, 166 insertions(+), 39 deletions(-) create mode 100644 package/ntp/0001-fix-ntp-keygen-without-openssl.patch rename package/ntp/{ntp-002-nano.patch => 0002-nano.patch} (100%) delete mode 100644 package/ntp/ntp-001-adjtimex.patch create mode 100644 package/ntp/ntp.hash diff --git a/package/ntp/0001-fix-ntp-keygen-without-openssl.patch b/package/ntp/0001-fix-ntp-keygen-without-openssl.patch new file mode 100644 index 000000000..b9883be1e --- /dev/null +++ b/package/ntp/0001-fix-ntp-keygen-without-openssl.patch 
@@ -0,0 +1,153 @@ +Fix build breakage without openssl. +From upstream: http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=5497b345z5MNTuNvJWuqPSje25NQTg + +Signed-off-by: Gustavo Zacarias + +diff -Nura ntp-4.2.8.orig/configure.ac ntp-4.2.8/configure.ac +--- ntp-4.2.8.orig/configure.ac 2014-12-22 10:16:10.449311393 -0300 ++++ ntp-4.2.8/configure.ac 2014-12-22 10:17:30.757215905 -0300 +@@ -102,7 +102,7 @@ + enable_nls=no + LIBOPTS_CHECK_NOBUILD([sntp/libopts]) + +-NTP_ENABLE_LOCAL_LIBEVENT ++NTP_LIBEVENT_CHECK_NOBUILD([2], [sntp/libevent]) + + NTP_LIBNTP + +@@ -771,6 +771,10 @@ + + #### + ++AC_CHECK_FUNCS([arc4random_buf]) ++ ++#### ++ + saved_LIBS="$LIBS" + LIBS="$LIBS $LDADD_LIBNTP" + AC_CHECK_FUNCS([daemon]) +diff -Nura ntp-4.2.8.orig/libntp/ntp_crypto_rnd.c ntp-4.2.8/libntp/ntp_crypto_rnd.c +--- ntp-4.2.8.orig/libntp/ntp_crypto_rnd.c 2014-12-22 10:16:10.430301237 -0300 ++++ ntp-4.2.8/libntp/ntp_crypto_rnd.c 2014-12-22 10:18:04.921468163 -0300 +@@ -24,6 +24,21 @@ + int crypto_rand_init = 0; + #endif + ++#ifndef HAVE_ARC4RANDOM_BUF ++static void ++arc4random_buf(void *buf, size_t nbytes); ++ ++void ++evutil_secure_rng_get_bytes(void *buf, size_t nbytes); ++ ++static void ++arc4random_buf(void *buf, size_t nbytes) ++{ ++ evutil_secure_rng_get_bytes(buf, nbytes); ++ return; ++} ++#endif ++ + /* + * As of late 2014, here's how we plan to provide cryptographic-quality + * random numbers: +diff -Nura ntp-4.2.8.orig/Makefile.am ntp-4.2.8/Makefile.am +--- ntp-4.2.8.orig/Makefile.am 2014-12-22 10:16:10.441307117 -0300 ++++ ntp-4.2.8/Makefile.am 2014-12-22 10:16:49.403122474 -0300 +@@ -3,6 +3,7 @@ + NULL = + + SUBDIRS = \ ++ sntp \ + scripts \ + include \ + libntp \ +@@ -17,7 +18,6 @@ + clockstuff \ + kernel \ + util \ +- sntp \ + tests \ + $(NULL) + +@@ -64,7 +64,6 @@ + .gcc-warning \ + libtool \ + html/.datecheck \ +- sntp/built-sources-only \ + $(srcdir)/COPYRIGHT \ + $(srcdir)/.checkChangeLog \ + $(NULL) +diff -Nura ntp-4.2.8.orig/sntp/configure.ac 
ntp-4.2.8/sntp/configure.ac +--- ntp-4.2.8.orig/sntp/configure.ac 2014-12-22 10:16:10.428300168 -0300 ++++ ntp-4.2.8/sntp/configure.ac 2014-12-22 10:24:11.238172928 -0300 +@@ -97,11 +97,14 @@ + enable_nls=no + LIBOPTS_CHECK + +-AM_COND_IF( +- [BUILD_SNTP], +- [NTP_LIBEVENT_CHECK], +- [NTP_LIBEVENT_CHECK_NOBUILD] +-) ++# From when we only used libevent for sntp: ++#AM_COND_IF( ++# [BUILD_SNTP], ++# [NTP_LIBEVENT_CHECK], ++# [NTP_LIBEVENT_CHECK_NOBUILD] ++#) ++ ++NTP_LIBEVENT_CHECK([2]) + + # Checks for libraries. + +diff -Nura ntp-4.2.8.orig/sntp/m4/ntp_libevent.m4 ntp-4.2.8/sntp/m4/ntp_libevent.m4 +--- ntp-4.2.8.orig/sntp/m4/ntp_libevent.m4 2014-12-22 10:16:10.417294288 -0300 ++++ ntp-4.2.8/sntp/m4/ntp_libevent.m4 2014-12-22 10:20:31.757915561 -0300 +@@ -1,4 +1,25 @@ +-dnl NTP_ENABLE_LOCAL_LIBEVENT -*- Autoconf -*- ++# SYNOPSIS -*- Autoconf -*- ++# ++# NTP_ENABLE_LOCAL_LIBEVENT ++# NTP_LIBEVENT_CHECK([MINVERSION [, DIR]]) ++# NTP_LIBEVENT_CHECK_NOBUILD([MINVERSION [, DIR]]) ++# ++# DESCRIPTION ++# ++# AUTHOR ++# ++# Harlan Stenn ++# ++# LICENSE ++# ++# This file is Copyright (c) 2014 Network Time Foundation ++# ++# Copying and distribution of this file, with or without modification, are ++# permitted in any medium without royalty provided the copyright notice, ++# author attribution and this notice are preserved. This file is offered ++# as-is, without any warranty. ++ ++dnl NTP_ENABLE_LOCAL_LIBEVENT + dnl + dnl Provide only the --enable-local-libevent command-line option. + dnl +@@ -29,7 +50,7 @@ + dnl but DO NOT invoke DIR/configure if we are going to use our bundled + dnl version. This may be the case for nested packages. + dnl +-dnl provide --enable-local-libevent . ++dnl provides --enable-local-libevent . 
+ dnl + dnl Examples: + dnl +diff -Nura ntp-4.2.8.orig/util/Makefile.am ntp-4.2.8/util/Makefile.am +--- ntp-4.2.8.orig/util/Makefile.am 2014-12-22 10:16:10.435303910 -0300 ++++ ntp-4.2.8/util/Makefile.am 2014-12-22 10:21:02.500339706 -0300 +@@ -19,6 +19,7 @@ + LDADD= ../libntp/libntp.a $(LDADD_LIBNTP) $(LIBM) $(PTHREAD_LIBS) + tg2_LDADD= ../libntp/libntp.a $(LDADD_LIBNTP) $(LIBM) + ntp_keygen_LDADD = version.o $(LIBOPTS_LDADD) ../libntp/libntp.a ++ntp_keygen_LDADD += $(LDADD_LIBEVENT) + ntp_keygen_LDADD += $(LDADD_LIBNTP) $(PTHREAD_LIBS) $(LDADD_NTP) $(LIBM) + ntp_keygen_SOURCES = ntp-keygen.c ntp-keygen-opts.c ntp-keygen-opts.h + diff --git a/package/ntp/ntp-002-nano.patch b/package/ntp/0002-nano.patch similarity index 100% rename from package/ntp/ntp-002-nano.patch rename to package/ntp/0002-nano.patch diff --git a/package/ntp/Config.in b/package/ntp/Config.in index c92ae93e1..d4caddfd0 100644 --- a/package/ntp/Config.in +++ b/package/ntp/Config.in @@ -1,5 +1,6 @@ config BR2_PACKAGE_NTP bool "ntp" + select BR2_PACKAGE_LIBEVENT help Network Time Protocol suite/programs. Provides things like ntpd, ntpdate, ntpq, etc... diff --git a/package/ntp/ntp-001-adjtimex.patch b/package/ntp/ntp-001-adjtimex.patch deleted file mode 100644 index 40625fa18..000000000 --- a/package/ntp/ntp-001-adjtimex.patch +++ /dev/null @@ -1,33 +0,0 @@ -https://support.ntp.org/bugs/show_bug.cgi?id=769 -http://bugs.gentoo.org/254030 - ---- ntp/util/tickadj.c -+++ ntp/util/tickadj.c -@@ -21,7 +21,8 @@ - # include - #endif /* HAVE_UNISTD_H */ - --#ifdef HAVE___ADJTIMEX /* Linux */ -+/* proper handling here has been moved to upstream ntp bugzilla */ -+#ifdef linux - - #include - struct timex txc; -@@ -91,7 +92,7 @@ - } - - if (!errflg) { -- if (__adjtimex(&txc) < 0) -+ if (adjtimex(&txc) < 0) - perror("adjtimex"); - else if (!quiet) - printf("tick = %ld\ntick_adj = %d\n", -@@ -146,7 +147,7 @@ - #endif - } - -- if (__adjtimex(&txc) < 0) -+ if (adjtimex(&txc) < 0) - { - perror("adjtimex"); - } 
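Review bot: The `arc4random_buf` fallback added to `libntp/ntp_crypto_rnd.c` makes any binary that pulls that object out of `libntp.a` depend on libevent's `evutil_secure_rng_get_bytes` whenever the C library lacks `arc4random_buf`, yet the patch adds `$(LDADD_LIBEVENT)` only to `ntp_keygen_LDADD` in `util/Makefile.am`; on a non-OpenSSL build it is worth confirming that ntpd, ntpq and the other `libntp` users already carry that variable, or they will fail to link the same way ntp-keygen did. The prototype for `evutil_secure_rng_get_bytes` is hand-written instead of coming from `<event2/util.h>`, so a signature mismatch with the libevent Buildroot selects would surface only at link time; a comment such as `/* mirrors <event2/util.h>; declared here to keep libevent headers out of libntp */` makes the choice visible. Since this wrapper is presumably also the entropy source behind the CVE-2014-9293/9294 key generation on such targets, the patch header should say that the RNG quality now rests on libevent's seeding rather than on OpenSSL.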
diff --git a/package/ntp/ntp.hash b/package/ntp/ntp.hash new file mode 100644 index 000000000..2ff644981 --- /dev/null +++ b/package/ntp/ntp.hash @@ -0,0 +1,2 @@ +# From http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8.tar.gz.md5 +md5 6972a626be6150db8cfbd0b63d8719e7ntp-4.2.8.tar.gz diff --git a/package/ntp/ntp.mk b/package/ntp/ntp.mk index bb950a1c6..1708978f3 100644 --- a/package/ntp/ntp.mk +++ b/package/ntp/ntp.mk @@ -5,25 +5,29 @@ ################################################################################ NTP_VERSION_MAJOR = 4.2 -NTP_VERSION = $(NTP_VERSION_MAJOR).6p5 +NTP_VERSION = $(NTP_VERSION_MAJOR).8 NTP_SITE = http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-$(NTP_VERSION_MAJOR) +NTP_DEPENDENCIES = host-pkgconf libevent +# For 0001-fix-ntp-keygen-without-openssl.patch +NTP_AUTORECONF = YES NTP_LICENSE = ntp license NTP_LICENSE_FILES = COPYRIGHT NTP_CONF_ENV = ac_cv_lib_md5_MD5Init=no +NTP_CONF_OPTS = --with-shared \ + --program-transform-name=s,,, \ + --disable-tickadj \ + --with-yielding-select=yes \ + --disable-local-libevent ifneq ($(BR2_INET_IPV6),y) NTP_CONF_ENV += isc_cv_have_in6addr_any=no endif -NTP_CONF_OPTS = --with-shared \ - --program-transform-name=s,,, \ - --disable-tickadj - ifeq ($(BR2_PACKAGE_OPENSSL),y) NTP_CONF_OPTS += --with-crypto NTP_DEPENDENCIES += openssl else - NTP_CONF_OPTS += --without-crypto + NTP_CONF_OPTS += --without-crypto --disable-openssl-random endif ifeq ($(BR2_PACKAGE_NTP_NTPSNMPD),y) From 1b546fed5dab741d5648785207c5adfbfea2ac10 Mon Sep 17 00:00:00 2001 From: Gustavo Zacarias Date: Mon, 22 Dec 2014 11:27:00 -0300 Subject: [PATCH 2/5] ntp: update sample config Drop redundant IP version and double default restrict. Tweak KoD and other defaults for properness. Signed-off-by: Gustavo Zacarias Signed-off-by: Thomas Petazzoni --- package/ntp/ntpd.etc.conf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
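Review bot: The new hash file carries only the upstream MD5 digest, which is what upstream publishes but is a weak integrity check for a security bump; the series' own `linux-pam.hash` shows the pattern to follow, so add a locally computed strong digest alongside it, e.g. `sha256 <locally computed digest> ntp-4.2.8.tar.gz` under a `# Locally computed` comment. The digest and the file name also appear to run together on the `md5` line (`...8719e7ntp-4.2.8.tar.gz`); if that is not merely a rendering artefact of this page, the line will not split into the expected fields and the check will never match.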
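Review bot: `--disable-openssl-random`, added on the `--without-crypto` line, is the only hint of how ntpd obtains key material when OpenSSL is absent, and it carries no comment; given that the series' 0001 patch routes `arc4random_buf()` to libevent's `evutil_secure_rng_get_bytes()` in that configuration, a line such as `# No OpenSSL: key material comes from arc4random_buf()/libevent, see 0001-*.patch` above it would record why the option is required rather than cosmetic. The same applies to `--disable-local-libevent`, which is only valid because `libevent` was added to `NTP_DEPENDENCIES`; stating that pairing beside the existing `NTP_AUTORECONF` comment keeps the two from being changed independently. `--with-yielding-select=yes` is presumably a cross-compilation answer for a configure test that cannot run on the build host and deserves the same one-line note.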
diff --git a/package/ntp/ntpd.etc.conf b/package/ntp/ntpd.etc.conf
index 6a2b88cbd..543c8ff82 100644
--- a/package/ntp/ntpd.etc.conf
+++ b/package/ntp/ntpd.etc.conf
@@ -1,8 +1,8 @@
 server 0.pool.ntp.org iburst
 server 1.pool.ntp.org iburst
-restrict default kod nomodify notrap nopeer noquery
-restrict -6 default kod nomodify notrap nopeer noquery
-
+# Allow only time queries, at a limited rate, sending KoD when in excess.
+# Allow all local queries (IPv4, IPv6)
+restrict default nomodify nopeer noquery limited kod
 restrict 127.0.0.1
-restrict -6 ::1
+restrict [::1]
From d75c86f3eef8c22cf56662550e09f3b0ac33e92e Mon Sep 17 00:00:00 2001
From: Gustavo Zacarias
Date: Mon, 22 Dec 2014 11:27:01 -0300
Subject: [PATCH 3/5] ntp: adjust initscript
Use proper status messages, make spacing standard instead of a mix of spacing/tabbing, drop boringly obvious comment from the header. Also make reload = restart since ntpd doesn't handle reloading resulting in the old reload being 'stop'.
Signed-off-by: Gustavo Zacarias
Signed-off-by: Thomas Petazzoni
---
 package/ntp/S49ntp | 46 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 26 deletions(-)
diff --git a/package/ntp/S49ntp b/package/ntp/S49ntp
index 5721f5948..171c200d8 100755
--- a/package/ntp/S49ntp
+++ b/package/ntp/S49ntp
@@ -1,10 +1,5 @@
 #! /bin/sh
-#
-# System-V init script for the openntp daemon
-#
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-DESC="network time protocol daemon"
 NAME=ntpd
 DAEMON=/usr/sbin/$NAME
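Review bot: The replacement `restrict default` line drops `notrap`, which both removed lines carried, while the commit message only mentions the IP-version and duplicate-line cleanup; with `noquery` present the trap flag is probably redundant in 4.2.8, but unless that was verified, restoring it costs nothing: `restrict default nomodify notrap nopeer noquery limited kod`. The two new comment lines sit together above the default rule, yet the second one ("Allow all local queries") describes the loopback rules further down; moving it directly above `restrict 127.0.0.1` keeps each comment next to the line it explains. `limited`/`kod` only act within the `discard` defaults, which this file does not set, so a short comment saying the built-in rate limits are relied upon would help the next editor.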
@@ -14,31 +9,30 @@ test -x $DAEMON || exit 0
 # Read config file if it is present.
 if [ -r /etc/default/$NAME ]
 then
- . /etc/default/$NAME
+ . /etc/default/$NAME
 fi
 case "$1" in
 start)
- echo -n "Starting $DESC: $NAME"
- start-stop-daemon -S -q -x $DAEMON -- -g
- echo "."
- ;;
- stop) echo -n "Stopping $DESC: $NAME"
- start-stop-daemon -K -q -n $NAME
- echo "."
- ;;
- reload|force-reload) echo -n "Reloading $DESC configuration..."
- start-stop-daemon -K -q -n $NAME -s 1
- echo "done."
- ;;
- restart) echo "Restarting $DESC: $NAME"
- $0 stop
- sleep 1
- $0 start
- ;;
- *) echo "Usage: $0 {start|stop|restart|reload|force-reload}" >&2
- exit 1
- ;;
+ echo -n "Starting $NAME: "
+ start-stop-daemon -S -q -x $DAEMON -- -g
+ [ $? = 0 ] && echo "OK" || echo "FAIL"
+ ;;
+ stop)
+ echo -n "Stopping $NAME: "
+ start-stop-daemon -K -q -n $NAME
+ [ $? = 0 ] && echo "OK" || echo "FAIL"
+ ;;
+ restart|reload)
+ echo "Restarting $NAME: "
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart|reload}" >&2
+ exit 1
+ ;;
 esac
 exit 0
From 9e34cbd1d2cdc107e2223fb202e0bb35411e63ee Mon Sep 17 00:00:00 2001
From: Gustavo Zacarias
Date: Thu, 18 Dec 2014 15:04:41 -0300
Subject: [PATCH 4/5] linux-pam: add security patches
To fix: CVE-2013-7041 - use case sensitive comparison in pam_userdb CVE-2014-2583 - potential path traversal issue in pam_timestamp Also add hash file (computed, the hash files upstream cover up to 1.1.7)
Signed-off-by: Gustavo Zacarias
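Review bot: In the `restart|reload)` branch, `echo "Restarting $NAME: "` ends in a colon and a trailing space but is immediately followed by a newline and then the "Stopping ntpd: OK" / "Starting ntpd: OK" lines printed by the recursive calls, so the colon announces nothing; `echo "Restarting $NAME"` reads cleanly. The `sleep 1` between `$0 stop` and `$0 start` is not explained; if the intent is to let the old process release its sockets, say so with `# give ntpd a moment to exit before starting a new instance`. The first hunk of this file also removes the explicit `PATH=` line, so `start-stop-daemon` and `sleep` are now resolved through whatever PATH the caller has; presumably fine under init, but worth a sentence in the commit message since an administrator invoking the script by hand may have a different PATH.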
Signed-off-by: Peter Korsgaard --- ...1-configure.patch => 0001-configure.patch} | 0 ...le-am.patch => 0002-doc-makefile-am.patch} | 0 ...ux-pam-03-group.patch => 0003-group.patch} | 0 ...ux-pam-04-mkdir.patch => 0004-mkdir.patch} | 0 ...am-05-succeed.patch => 0005-succeed.patch} | 0 ...inux-pam-06-time.patch => 0006-time.patch} | 0 ...-pam-07-rhosts.patch => 0007-rhosts.patch} | 0 .../linux-pam/0008-fix-CVE-2014-2583.patch | 53 +++++++++++++++++++ .../linux-pam/0009-fix-CVE-2013-7041.patch | 50 +++++++++++++++++ package/linux-pam/linux-pam.hash | 2 + 10 files changed, 105 insertions(+) rename package/linux-pam/{linux-pam-01-configure.patch => 0001-configure.patch} (100%) rename package/linux-pam/{linux-pam-02-doc-makefile-am.patch => 0002-doc-makefile-am.patch} (100%) rename package/linux-pam/{linux-pam-03-group.patch => 0003-group.patch} (100%) rename package/linux-pam/{linux-pam-04-mkdir.patch => 0004-mkdir.patch} (100%) rename package/linux-pam/{linux-pam-05-succeed.patch => 0005-succeed.patch} (100%) rename package/linux-pam/{linux-pam-06-time.patch => 0006-time.patch} (100%) rename package/linux-pam/{linux-pam-07-rhosts.patch => 0007-rhosts.patch} (100%) create mode 100644 package/linux-pam/0008-fix-CVE-2014-2583.patch create mode 100644 package/linux-pam/0009-fix-CVE-2013-7041.patch create mode 100644 package/linux-pam/linux-pam.hash diff --git a/package/linux-pam/linux-pam-01-configure.patch b/package/linux-pam/0001-configure.patch similarity index 100% rename from package/linux-pam/linux-pam-01-configure.patch rename to package/linux-pam/0001-configure.patch diff --git a/package/linux-pam/linux-pam-02-doc-makefile-am.patch b/package/linux-pam/0002-doc-makefile-am.patch similarity index 100% rename from package/linux-pam/linux-pam-02-doc-makefile-am.patch rename to package/linux-pam/0002-doc-makefile-am.patch 
diff --git a/package/linux-pam/linux-pam-03-group.patch b/package/linux-pam/0003-group.patch
similarity index 100%
rename from package/linux-pam/linux-pam-03-group.patch
rename to package/linux-pam/0003-group.patch
diff --git a/package/linux-pam/linux-pam-04-mkdir.patch b/package/linux-pam/0004-mkdir.patch
similarity index 100%
rename from package/linux-pam/linux-pam-04-mkdir.patch
rename to package/linux-pam/0004-mkdir.patch
diff --git a/package/linux-pam/linux-pam-05-succeed.patch b/package/linux-pam/0005-succeed.patch
similarity index 100%
rename from package/linux-pam/linux-pam-05-succeed.patch
rename to package/linux-pam/0005-succeed.patch
diff --git a/package/linux-pam/linux-pam-06-time.patch b/package/linux-pam/0006-time.patch
similarity index 100%
rename from package/linux-pam/linux-pam-06-time.patch
rename to package/linux-pam/0006-time.patch
diff --git a/package/linux-pam/linux-pam-07-rhosts.patch b/package/linux-pam/0007-rhosts.patch
similarity index 100%
rename from package/linux-pam/linux-pam-07-rhosts.patch
rename to package/linux-pam/0007-rhosts.patch
diff --git a/package/linux-pam/0008-fix-CVE-2014-2583.patch b/package/linux-pam/0008-fix-CVE-2014-2583.patch
new file mode 100644
index 000000000..a8b5f7bb7
--- /dev/null
+++ b/package/linux-pam/0008-fix-CVE-2014-2583.patch
@@ -0,0 +1,53 @@ +From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Wed, 26 Mar 2014 22:17:23 +0000 +Subject: pam_timestamp: fix potential directory traversal issue (ticket #27) + +pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of +the timestamp pathname it creates, so extra care should be taken to +avoid potential directory traversal issues. + +* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat +"." and ".." tty values as invalid. +(get_ruser): Treat "." and ".." ruser values, as well as any ruser +value containing '/', as invalid. + +Fixes CVE-2014-2583. + +Reported-by: Sebastian Krahmer +Signed-off-by: Gustavo Zacarias + +diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c +index 5193733..b3f08b1 100644 +--- a/modules/pam_timestamp/pam_timestamp.c ++++ b/modules/pam_timestamp/pam_timestamp.c +@@ -158,7 +158,7 @@ check_tty(const char *tty) + tty = strrchr(tty, '/') + 1; + } + /* Make sure the tty wasn't actually a directory (no basename). */ +- if (strlen(tty) == 0) { ++ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) { + return NULL; + } + return tty; +@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen) + if (pwd != NULL) { + ruser = pwd->pw_name; + } ++ } else { ++ /* ++ * This ruser is used by format_timestamp_name as a component ++ * of constructed timestamp pathname, so ".", "..", and '/' ++ * are disallowed to avoid potential path traversal issues. ++ */ ++ if (!strcmp(ruser, ".") || ++ !strcmp(ruser, "..") || ++ strchr(ruser, '/')) { ++ ruser = NULL; ++ } + } + if (ruser == NULL || strlen(ruser) >= ruserbuflen) { + *ruserbuf = '\0'; +-- +cgit v0.10.2 + diff --git a/package/linux-pam/0009-fix-CVE-2013-7041.patch b/package/linux-pam/0009-fix-CVE-2013-7041.patch new file mode 100644 index 000000000..ed5880735 --- /dev/null +++ b/package/linux-pam/0009-fix-CVE-2013-7041.patch 
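Review bot: The new else-branch in `get_ruser` rejects `.`, `..` and any `/` in a `PAM_RUSER` value but never rejects the empty string, and the `strlen(ruser) >= ruserbuflen` test that follows does not catch it either; the enclosing `if` is outside the hunk, so whether an empty value takes the `getpwuid` path or this branch cannot be seen here, and if it is the latter, `!*ruser ||` belongs at the front of the new condition or the patch header should state why an empty component is harmless to `format_timestamp_name`. The validation is deliberately applied only to the caller-supplied name and not to `pwd->pw_name` from the passwd database, which the added comment block does not say; one more line such as `* pw_name comes from the passwd database and is trusted as-is.` would make that intentional. `check_tty` is safe against `/` because the basename is taken with `strrchr` on the line above the hunk, so its new `.`/`..` test is sufficient there.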
@@ -0,0 +1,50 @@ +From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Fri, 24 Jan 2014 22:18:32 +0000 +Subject: pam_userdb: fix password hash comparison + +Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed +passwords support in pam_userdb, hashes are compared case-insensitively. +This bug leads to accepting hashes for completely different passwords in +addition to those that should be accepted. + +Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for +modern password hashes with different lengths and settings, did not +update the hash comparison accordingly, which leads to accepting +computed hashes longer than stored hashes when the latter is a prefix +of the former. + +* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed +hash whose length differs from the stored hash length. +Compare computed and stored hashes case-sensitively. +Fixes CVE-2013-7041. + +Bug-Debian: http://bugs.debian.org/731368 +Signed-off-by: Gustavo Zacarias + +diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c +index de8b5b1..ff040e6 100644 +--- a/modules/pam_userdb/pam_userdb.c ++++ b/modules/pam_userdb/pam_userdb.c +@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, + } else { + cryptpw = crypt (pass, data.dptr); + +- if (cryptpw) { +- compare = strncasecmp (data.dptr, cryptpw, data.dsize); ++ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) { ++ compare = memcmp(data.dptr, cryptpw, data.dsize); + } else { + compare = -2; + if (ctrl & PAM_DEBUG_ARG) { +- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL"); ++ if (cryptpw) ++ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ"); ++ else ++ pam_syslog(pamh, LOG_INFO, "crypt() returned NULL"); + } + }; + +-- +cgit v0.10.2 + 
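Review bot: The new `memcmp(data.dptr, cryptpw, data.dsize)` in `user_lookup` is correct where `strncasecmp` was wrong, but it is not constant-time: it returns at the first differing byte, so the time taken depends on how long a prefix of the stored hash the computed one matches. For a password-hash check that is a minor concern and cheap to avoid with a fixed-iteration loop, shown below, assuming callers only test `compare` against zero, which is all `memcmp` guaranteed anyway; the new length guard and log messages stay as they are. The guard `strlen(cryptpw) == (size_t)data.dsize` assumes the stored value is written without its terminating NUL; if some databases include it, every login through them now fails closed, which deserves a sentence in the patch header rather than silent behaviour. `user_lookup` begins and ends outside the hunk.
```c
			if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
				/* Constant-time compare: do not stop at the first mismatch,
				 * so timing does not reveal how long a prefix matched. */
				unsigned char diff = 0;
				for (size_t i = 0; i < (size_t)data.dsize; i++)
					diff |= ((const unsigned char *)data.dptr)[i] ^ (unsigned char)cryptpw[i];
				compare = diff ? 1 : 0;
			} else {
				/* … unchanged: compare = -2 and the debug logging … */
```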
diff --git a/package/linux-pam/linux-pam.hash b/package/linux-pam/linux-pam.hash
new file mode 100644
index 000000000..3f420c2ba
--- /dev/null
+++ b/package/linux-pam/linux-pam.hash
@@ -0,0 +1,2 @@
+# Locally computed hashes, not provided by upstream
+sha256 c4b1f23a236d169e2496fea20721578d864ba00f7242d2b41d81050ac87a1e55 Linux-PAM-1.1.8.tar.bz2
From dd725ce212439beddf9e7d91c58c6d77c4068247 Mon Sep 17 00:00:00 2001
From: Gustavo Zacarias
Date: Wed, 10 Dec 2014 17:14:41 -0300
Subject: [PATCH 5/5] util-linux: add security patch for CVE-2014-9114
Fixes CVE-2014-9114 - command injection flaw in blkid. See https://bugzilla.redhat.com/show_bug.cgi?id=1168485 Patch upstream.
Signed-off-by: Gustavo Zacarias
Signed-off-by: Thomas Petazzoni
---
 ...ms-as.patch => 0001-sscanf-no-ms-as.patch} | 0
 ... 0002-program-invocation-short-name.patch} | 0
 ...kostemp-for-older-version-of-uClibc.patch} | 0
 .../util-linux/0004-fix-CVE-2014-9114.patch | 168 ++++++++++++++++++
 4 files changed, 168 insertions(+)
 rename package/util-linux/{util-linux-001-sscanf-no-ms-as.patch => 0001-sscanf-no-ms-as.patch} (100%)
 rename package/util-linux/{util-linux-002-program-invocation-short-name.patch => 0002-program-invocation-short-name.patch} (100%)
 rename package/util-linux/{util-linux-003-c.h-define-mkostemp-for-older-version-of-uClibc.patch => 0003-c.h-define-mkostemp-for-older-version-of-uClibc.patch} (100%)
 create mode 100644 package/util-linux/0004-fix-CVE-2014-9114.patch
diff --git a/package/util-linux/util-linux-001-sscanf-no-ms-as.patch b/package/util-linux/0001-sscanf-no-ms-as.patch
similarity index 100%
rename from package/util-linux/util-linux-001-sscanf-no-ms-as.patch
rename to package/util-linux/0001-sscanf-no-ms-as.patch
diff --git a/package/util-linux/util-linux-002-program-invocation-short-name.patch b/package/util-linux/0002-program-invocation-short-name.patch
similarity index 100%
rename from package/util-linux/util-linux-002-program-invocation-short-name.patch
rename to package/util-linux/0002-program-invocation-short-name.patch
diff --git a/package/util-linux/util-linux-003-c.h-define-mkostemp-for-older-version-of-uClibc.patch b/package/util-linux/0003-c.h-define-mkostemp-for-older-version-of-uClibc.patch
similarity index 100%
rename from package/util-linux/util-linux-003-c.h-define-mkostemp-for-older-version-of-uClibc.patch
rename to package/util-linux/0003-c.h-define-mkostemp-for-older-version-of-uClibc.patch
diff --git a/package/util-linux/0004-fix-CVE-2014-9114.patch b/package/util-linux/0004-fix-CVE-2014-9114.patch
new file mode 100644
index 000000000..95cb1c5e3
--- /dev/null
+++ b/package/util-linux/0004-fix-CVE-2014-9114.patch
@@ -0,0 +1,168 @@ +From 89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Thu, 27 Nov 2014 13:39:35 +0100 +Subject: [PATCH] libblkid: care about unsafe chars in cache + +The high-level libblkid API uses /run/blkid/blkid.tab cache to +store probing results. The cache format is + + devname + +and unfortunately the cache code does not escape quotation marks: + + # mkfs.ext4 -L 'AAA"BBB' + + # cat /run/blkid/blkid.tab + ... + /dev/sdb1 + +such string is later incorrectly parsed and blkid(8) returns +nonsenses. And for use-cases like + + # eval $(blkid -o export /dev/sdb1) + +it's also insecure. + +Note that mount, udevd and blkid -p are based on low-level libblkid +API, it bypass the cache and directly read data from the devices. + +The current udevd upstream does not depend on blkid(8) output at all, +it's directly linked with the library and all unsafe chars are encoded by +\x notation. + + # mkfs.ext4 -L 'X"`/tmp/foo` "' /dev/sdb1 + # udevadm info --export-db | grep LABEL + ... 
+ E: ID_FS_LABEL=X__/tmp/foo___ + E: ID_FS_LABEL_ENC=X\x22\x60\x2ftmp\x2ffoo\x60\x20\x22 + +Signed-off-by: Karel Zak +Signed-off-by: Gustavo Zacarias +--- + libblkid/src/read.c | 21 ++++++++++++++++++--- + libblkid/src/save.c | 22 +++++++++++++++++++++- + misc-utils/blkid.8 | 5 ++++- + misc-utils/blkid.c | 4 ++-- + 4 files changed, 45 insertions(+), 7 deletions(-) + +diff --git a/libblkid/src/read.c b/libblkid/src/read.c +index 0e91c9c..81ab0df 100644 +--- a/libblkid/src/read.c ++++ b/libblkid/src/read.c +@@ -252,15 +252,30 @@ static int parse_token(char **name, char **value, char **cp) + *value = skip_over_blank(*value + 1); + + if (**value == '"') { +- end = strchr(*value + 1, '"'); +- if (!end) { ++ char *p = end = *value + 1; ++ ++ /* convert 'foo\"bar' to 'foo"bar' */ ++ while (*p) { ++ if (*p == '\\') { ++ p++; ++ *end = *p; ++ } else { ++ *end = *p; ++ if (*p == '"') ++ break; ++ } ++ p++; ++ end++; ++ } ++ ++ if (*end != '"') { + DBG(READ, ul_debug("unbalanced quotes at: %s", *value)); + *cp = *value; + return -BLKID_ERR_CACHE; + } + (*value)++; + *end = '\0'; +- end++; ++ end = ++p; + } else { + end = skip_over_word(*value); + if (*end) { +diff --git a/libblkid/src/save.c b/libblkid/src/save.c +index 8216f09..5e8bbee 100644 +--- a/libblkid/src/save.c ++++ b/libblkid/src/save.c +@@ -26,6 +26,21 @@ + + #include "blkidP.h" + ++ ++static void save_quoted(const char *data, FILE *file) ++{ ++ const char *p; ++ ++ fputc('"', file); ++ for (p = data; p && *p; p++) { ++ if ((unsigned char) *p == 0x22 || /* " */ ++ (unsigned char) *p == 0x5c) /* \ */ ++ fputc('\\', file); ++ ++ fputc(*p, file); ++ } ++ fputc('"', file); ++} + static int save_dev(blkid_dev dev, FILE *file) + { + struct list_head *p; +@@ -43,9 +58,14 @@ static int save_dev(blkid_dev dev, FILE *file) + + if (dev->bid_pri) + fprintf(file, " PRI=\"%d\"", dev->bid_pri); ++ + list_for_each(p, &dev->bid_tags) { + blkid_tag tag = list_entry(p, struct blkid_struct_tag, bit_tags); +- fprintf(file, " 
%s=\"%s\"", tag->bit_name,tag->bit_val); ++ ++ fputc(' ', file); /* space between tags */ ++ fputs(tag->bit_name, file); /* tag NAME */ ++ fputc('=', file); /* separator between NAME and VALUE */ ++ save_quoted(tag->bit_val, file); /* tag "VALUE" */ + } + fprintf(file, ">%s\n", dev->bid_name); + +diff --git a/misc-utils/blkid.8 b/misc-utils/blkid.8 +index 156a14b..c95b833 100644 +--- a/misc-utils/blkid.8 ++++ b/misc-utils/blkid.8 +@@ -200,7 +200,10 @@ partitions. This output format is \fBDEPRECATED\fR. + .TP + .B export + print key=value pairs for easy import into the environment; this output format +-is automatically enabled when I/O Limits (\fB-i\fR option) are requested ++is automatically enabled when I/O Limits (\fB-i\fR option) are requested. ++ ++The non-printing characters are encoded by ^ and M- notation and all ++potentially unsafe characters are escaped. + .RE + .TP + .BI \-O " offset" +diff --git a/misc-utils/blkid.c b/misc-utils/blkid.c +index a6ca660..1bd8646 100644 +--- a/misc-utils/blkid.c ++++ b/misc-utils/blkid.c +@@ -306,7 +306,7 @@ static void print_value(int output, int num, const char *devname, + printf("DEVNAME=%s\n", devname); + fputs(name, stdout); + fputs("=", stdout); +- safe_print(value, valsz, NULL); ++ safe_print(value, valsz, " \\\"'$`<>"); + fputs("\n", stdout); + + } else { +@@ -315,7 +315,7 @@ static void print_value(int output, int num, const char *devname, + fputs(" ", stdout); + fputs(name, stdout); + fputs("=\"", stdout); +- safe_print(value, valsz, "\""); ++ safe_print(value, valsz, "\"\\"); + fputs("\"", stdout); + } + } +-- +2.0.4 +
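Review bot: The unescaping loop added to `parse_token` in `libblkid/src/read.c` reads past the string terminator when a quoted value ends in a lone backslash: on `\` it does `p++` and copies `*p`, which is the NUL, then the trailing `p++; end++;` steps beyond it and the next `while (*p)` test reads whatever follows the value in the cache buffer. The cache is root-written, so this is a robustness rather than an exposure problem, but the fix is small: stop on a backslash followed by NUL and leave `*end` non-quote so the existing `if (*end != '"')` check reports the unbalanced value, as below. In `misc-utils/blkid.c` the export-mode escape set now covers space, backslash, both quote characters, `$`, backtick and the redirection characters but not `;`, `|`, `&` or parentheses; whether those are handled depends on `safe_print`, which is outside the hunk, and since the commit message itself cites the `eval $(blkid -o export …)` use it is worth confirming they are encoded too or documenting in `blkid.8` that the output must be quoted rather than eval'ed. `save_quoted` in `save.c` escapes only `"` and `\`, so a newline inside a label would still end the record early unless the probing layer guarantees none; it also lacks a blank line before `save_dev`.
```c
				if (*p == '\\') {
					p++;
					if (!*p) {
						/* dangling backslash: leave *end != '"' so the
						 * unbalanced-quote check below rejects the value */
						*end = '\0';
						break;
					}
					*end = *p;
				}
				/* … unchanged: plain byte copy, closing-quote test, p++/end++ … */
```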