December security fixes

package/linux-pam/0008-fix-CVE-2014-2583.patch

@@ -0,0 +1,53 @@
+From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Wed, 26 Mar 2014 22:17:23 +0000
+Subject: pam_timestamp: fix potential directory traversal issue (ticket #27)
+
+pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
+the timestamp pathname it creates, so extra care should be taken to
+avoid potential directory traversal issues.
+
+* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
+"." and ".." tty values as invalid.
+(get_ruser): Treat "." and ".." ruser values, as well as any ruser
+value containing '/', as invalid.
+
+Fixes CVE-2014-2583.
+
+Reported-by: Sebastian Krahmer <krahmer@suse.de>
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+
+diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
+index 5193733..b3f08b1 100644
+--- a/modules/pam_timestamp/pam_timestamp.c
++++ b/modules/pam_timestamp/pam_timestamp.c
+@@ -158,7 +158,7 @@ check_tty(const char *tty)
+ 		tty = strrchr(tty, '/') + 1;
+ 	}
+ 	/* Make sure the tty wasn't actually a directory (no basename). */
+-	if (strlen(tty) == 0) {
++	if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
+ 		return NULL;
+ 	}
+ 	return tty;
+@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
+ 		if (pwd != NULL) {
+ 			ruser = pwd->pw_name;
+ 		}
++	} else {
++		/*
++		 * This ruser is used by format_timestamp_name as a component
++		 * of constructed timestamp pathname, so ".", "..", and '/'
++		 * are disallowed to avoid potential path traversal issues.
++		 */
++		if (!strcmp(ruser, ".") ||
++		    !strcmp(ruser, "..") ||
++		    strchr(ruser, '/')) {
++			ruser = NULL;
++		}
+ 	}
+ 	if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
+ 		*ruserbuf = '\0';
+-- 
+cgit v0.10.2
+

package/linux-pam/0009-fix-CVE-2013-7041.patch

@@ -0,0 +1,50 @@
+From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Fri, 24 Jan 2014 22:18:32 +0000
+Subject: pam_userdb: fix password hash comparison
+
+Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
+passwords support in pam_userdb, hashes are compared case-insensitively.
+This bug leads to accepting hashes for completely different passwords in
+addition to those that should be accepted.
+
+Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
+modern password hashes with different lengths and settings, did not
+update the hash comparison accordingly, which leads to accepting
+computed hashes longer than stored hashes when the latter is a prefix
+of the former.
+
+* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
+hash whose length differs from the stored hash length.
+Compare computed and stored hashes case-sensitively.
+Fixes CVE-2013-7041.
+
+Bug-Debian: http://bugs.debian.org/731368
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+
+diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
+index de8b5b1..ff040e6 100644
+--- a/modules/pam_userdb/pam_userdb.c
++++ b/modules/pam_userdb/pam_userdb.c
+@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
+ 	  } else {
+ 	    cryptpw = crypt (pass, data.dptr);
+
+-	    if (cryptpw) {
+-	      compare = strncasecmp (data.dptr, cryptpw, data.dsize);
++	    if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
++	      compare = memcmp(data.dptr, cryptpw, data.dsize);
+ 	    } else {
+ 	      compare = -2;
+ 	      if (ctrl & PAM_DEBUG_ARG) {
+-		pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
++		if (cryptpw)
++		  pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
++		else
++		  pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
+ 	      }
+ 	    };
+
+-- 
+cgit v0.10.2
+

package/linux-pam/linux-pam.hash

@@ -0,0 +1,2 @@
+# Locally computed hashes, not provided by upstream
+sha256	c4b1f23a236d169e2496fea20721578d864ba00f7242d2b41d81050ac87a1e55	Linux-PAM-1.1.8.tar.bz2

package/ntp/0001-fix-ntp-keygen-without-openssl.patch

@@ -0,0 +1,153 @@
+Fix build breakage without openssl.
+From upstream: http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=5497b345z5MNTuNvJWuqPSje25NQTg
+
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+
+diff -Nura ntp-4.2.8.orig/configure.ac ntp-4.2.8/configure.ac
+--- ntp-4.2.8.orig/configure.ac	2014-12-22 10:16:10.449311393 -0300
++++ ntp-4.2.8/configure.ac	2014-12-22 10:17:30.757215905 -0300
+@@ -102,7 +102,7 @@
+ enable_nls=no
+ LIBOPTS_CHECK_NOBUILD([sntp/libopts])
+
+-NTP_ENABLE_LOCAL_LIBEVENT
++NTP_LIBEVENT_CHECK_NOBUILD([2], [sntp/libevent])
+
+ NTP_LIBNTP
+
+@@ -771,6 +771,10 @@
+
+ #### 
+
++AC_CHECK_FUNCS([arc4random_buf])
++
++####
++
+ saved_LIBS="$LIBS"
+ LIBS="$LIBS $LDADD_LIBNTP"
+ AC_CHECK_FUNCS([daemon])
+diff -Nura ntp-4.2.8.orig/libntp/ntp_crypto_rnd.c ntp-4.2.8/libntp/ntp_crypto_rnd.c
+--- ntp-4.2.8.orig/libntp/ntp_crypto_rnd.c	2014-12-22 10:16:10.430301237 -0300
++++ ntp-4.2.8/libntp/ntp_crypto_rnd.c	2014-12-22 10:18:04.921468163 -0300
+@@ -24,6 +24,21 @@
+ int crypto_rand_init = 0;
+ #endif
+
++#ifndef HAVE_ARC4RANDOM_BUF
++static void
++arc4random_buf(void *buf, size_t nbytes);
++
++void
++evutil_secure_rng_get_bytes(void *buf, size_t nbytes);
++
++static void
++arc4random_buf(void *buf, size_t nbytes)
++{
++	evutil_secure_rng_get_bytes(buf, nbytes);
++	return;
++}
++#endif
++
+ /*
+  * As of late 2014, here's how we plan to provide cryptographic-quality
+  * random numbers:
+diff -Nura ntp-4.2.8.orig/Makefile.am ntp-4.2.8/Makefile.am
+--- ntp-4.2.8.orig/Makefile.am	2014-12-22 10:16:10.441307117 -0300
++++ ntp-4.2.8/Makefile.am	2014-12-22 10:16:49.403122474 -0300
+@@ -3,6 +3,7 @@
+ NULL =
+
+ SUBDIRS =		\
++	sntp		\
+ 	scripts		\
+ 	include		\
+ 	libntp		\
+@@ -17,7 +18,6 @@
+ 	clockstuff	\
+ 	kernel		\
+ 	util		\
+-	sntp		\
+ 	tests		\
+ 	$(NULL)
+
+@@ -64,7 +64,6 @@
+ 	.gcc-warning			\
+ 	libtool				\
+ 	html/.datecheck			\
+-	sntp/built-sources-only		\
+ 	$(srcdir)/COPYRIGHT		\
+ 	$(srcdir)/.checkChangeLog	\
+ 	$(NULL)
+diff -Nura ntp-4.2.8.orig/sntp/configure.ac ntp-4.2.8/sntp/configure.ac
+--- ntp-4.2.8.orig/sntp/configure.ac	2014-12-22 10:16:10.428300168 -0300
++++ ntp-4.2.8/sntp/configure.ac	2014-12-22 10:24:11.238172928 -0300
+@@ -97,11 +97,14 @@
+ enable_nls=no
+ LIBOPTS_CHECK
+
+-AM_COND_IF(
+-    [BUILD_SNTP],
+-    [NTP_LIBEVENT_CHECK],
+-    [NTP_LIBEVENT_CHECK_NOBUILD]
+-)
++# From when we only used libevent for sntp:
++#AM_COND_IF(
++#    [BUILD_SNTP],
++#    [NTP_LIBEVENT_CHECK],
++#    [NTP_LIBEVENT_CHECK_NOBUILD]
++#)
++
++NTP_LIBEVENT_CHECK([2])
+
+ # Checks for libraries.
+
+diff -Nura ntp-4.2.8.orig/sntp/m4/ntp_libevent.m4 ntp-4.2.8/sntp/m4/ntp_libevent.m4
+--- ntp-4.2.8.orig/sntp/m4/ntp_libevent.m4	2014-12-22 10:16:10.417294288 -0300
++++ ntp-4.2.8/sntp/m4/ntp_libevent.m4	2014-12-22 10:20:31.757915561 -0300
+@@ -1,4 +1,25 @@
+-dnl NTP_ENABLE_LOCAL_LIBEVENT				     -*- Autoconf -*-
++# SYNOPSIS						-*- Autoconf -*-
++#
++#  NTP_ENABLE_LOCAL_LIBEVENT
++#  NTP_LIBEVENT_CHECK([MINVERSION [, DIR]])
++#  NTP_LIBEVENT_CHECK_NOBUILD([MINVERSION [, DIR]])
++#
++# DESCRIPTION
++#
++# AUTHOR
++#
++#  Harlan Stenn
++#
++# LICENSE
++#
++#  This file is Copyright (c) 2014 Network Time Foundation
++# 
++#  Copying and distribution of this file, with or without modification, are
++#  permitted in any medium without royalty provided the copyright notice,
++#  author attribution and this notice are preserved.  This file is offered
++#  as-is, without any warranty.
++
++dnl NTP_ENABLE_LOCAL_LIBEVENT
+ dnl
+ dnl Provide only the --enable-local-libevent command-line option.
+ dnl
+@@ -29,7 +50,7 @@
+ dnl but DO NOT invoke DIR/configure if we are going to use our bundled
+ dnl version.  This may be the case for nested packages.
+ dnl
+-dnl provide --enable-local-libevent .
++dnl provides --enable-local-libevent .
+ dnl
+ dnl Examples:
+ dnl
+diff -Nura ntp-4.2.8.orig/util/Makefile.am ntp-4.2.8/util/Makefile.am
+--- ntp-4.2.8.orig/util/Makefile.am	2014-12-22 10:16:10.435303910 -0300
++++ ntp-4.2.8/util/Makefile.am	2014-12-22 10:21:02.500339706 -0300
+@@ -19,6 +19,7 @@
+ LDADD=		../libntp/libntp.a $(LDADD_LIBNTP) $(LIBM) $(PTHREAD_LIBS)
+ tg2_LDADD=	../libntp/libntp.a $(LDADD_LIBNTP) $(LIBM)
+ ntp_keygen_LDADD  = version.o $(LIBOPTS_LDADD) ../libntp/libntp.a
++ntp_keygen_LDADD += $(LDADD_LIBEVENT)
+ ntp_keygen_LDADD += $(LDADD_LIBNTP) $(PTHREAD_LIBS) $(LDADD_NTP) $(LIBM)
+ ntp_keygen_SOURCES = ntp-keygen.c ntp-keygen-opts.c ntp-keygen-opts.h
+

package/ntp/Config.in

@@ -1,5 +1,6 @@
 config BR2_PACKAGE_NTP
 	bool "ntp"
+	select BR2_PACKAGE_LIBEVENT
 	help
 	  Network Time Protocol suite/programs.
 	  Provides things like ntpd, ntpdate, ntpq, etc...

package/ntp/S49ntp

@@ -1,10 +1,5 @@
 #! /bin/sh
-#
-# System-V init script for the openntp daemon
-#
 
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-DESC="network time protocol daemon"
 NAME=ntpd
 DAEMON=/usr/sbin/$NAME
 
@@ -14,31 +9,30 @@ test -x $DAEMON || exit 0
 # Read config file if it is present.
 if [ -r /etc/default/$NAME ]
 then
-	. /etc/default/$NAME
+  . /etc/default/$NAME
 fi
 
 case "$1" in
   start)
-	echo -n "Starting $DESC: $NAME"
-	start-stop-daemon -S -q -x $DAEMON -- -g
-	echo "."
-	;;
-  stop) echo -n "Stopping $DESC: $NAME"
-	start-stop-daemon -K -q -n $NAME
-	echo "."
-	;;
-  reload|force-reload) echo -n "Reloading $DESC configuration..."
-	start-stop-daemon -K -q -n $NAME -s 1
-	echo "done."
-  ;;
-  restart) echo "Restarting $DESC: $NAME"
-	$0 stop
-	sleep 1
-	$0 start
-	;;
-  *) echo "Usage: $0 {start|stop|restart|reload|force-reload}" >&2
-	exit 1
-	;;
+    echo -n "Starting $NAME: "
+    start-stop-daemon -S -q -x $DAEMON -- -g
+    [ $? = 0 ] && echo "OK" || echo "FAIL"
+    ;;
+  stop)
+    echo -n "Stopping $NAME: "
+    start-stop-daemon -K -q -n $NAME
+    [ $? = 0 ] && echo "OK" || echo "FAIL"
+    ;;
+  restart|reload)
+    echo "Restarting $NAME: "
+    $0 stop
+    sleep 1
+    $0 start
+    ;;
+  *)
+    echo "Usage: $0 {start|stop|restart|reload}" >&2
+    exit 1
+    ;;
 esac
 
 exit 0

package/ntp/ntp.hash

@@ -0,0 +1,2 @@
+# From http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8.tar.gz.md5
+md5	6972a626be6150db8cfbd0b63d8719e7ntp-4.2.8.tar.gz