From 1e72f8c47dc47e8f96a5927ccb35763f99964e16 Mon Sep 17 00:00:00 2001 From: willysr Date: Thu, 20 Feb 2014 12:02:56 +0700 Subject: [PATCH] Update KNOWN ISSUES and Remove Shadow Patch Now included in 14.1 and Current Signed-off-by: willysr --- KNOWN_ISSUES.TXT | 28 --------------- .../shadow-4.1.5.1_CVE-2005-4890_relax.diff | 35 ------------------- 2 files changed, 63 deletions(-) delete mode 100644 testing/shadow/shadow-4.1.5.1_CVE-2005-4890_relax.diff diff --git a/KNOWN_ISSUES.TXT b/KNOWN_ISSUES.TXT index c56be0d..3659f44 100644 --- a/KNOWN_ISSUES.TXT +++ b/KNOWN_ISSUES.TXT @@ -19,34 +19,6 @@ in testing/yelp. You also need to rebuild some packages, since by default, the SlackBuild script is configured to remove help files. You can remove the --without-help-dir line to produce help files. -Fri Feb 14 12:11:22 UTC 2014 -By default, gksu will not work in Slackware 14.1 since shadow has been patched -to fix security vulnerabilities, but this caused gksu to be broken. -See this thread on LQ for more information -http://www.linuxquestions.org/questions/slackware-14/%5Bslackware-14-1%5D-su-c-tty-hijacking-and-some-breakage-4175486942/ - -The solution for this problem is easy, but since it's not yet applied upstream, -we provided a simple fix from Mancha to fix this problem. - -Download the shadow source from Slackware mirror site such as -http://slackware.osuosl.org/slackware-14.1/source/a/shadow/ -or -http://slackware.osuosl.org/slackware64-14.1/source/a/shadow/ - -and also a patch included in testing/shadow and put it on the same folder. -Edit the shadow.SlackBuild and add this line -patch -p1 --verbose < $CWD/shadow-4.1.5.1_CVE-2005-4890_relax.diff || exit 1 - -before configure line and rebuild shadow package. -You can upgrade to the modified version by running: -upgradepkg /tmp/shadow-4.1.5.1-i486-2.tgz -or -upgradepkg /tmp/shadow-4.1.5.1-x86_64-2.tgz - -After upgrading to the modified version, gksu will work normally. - -This patch will goes into Slackware 14.1 and Slackware-Current soon. - Mon Jun 10 03:09:28 UTC 2013 If you are encountering problems with Caja (MATE's file manager) opening directories when clicking on files in certain programs like Dropbox, Skype, diff --git a/testing/shadow/shadow-4.1.5.1_CVE-2005-4890_relax.diff b/testing/shadow/shadow-4.1.5.1_CVE-2005-4890_relax.diff deleted file mode 100644 index 6c4d0d1..0000000 --- a/testing/shadow/shadow-4.1.5.1_CVE-2005-4890_relax.diff +++ /dev/null @@ -1,35 +0,0 @@ -From 0f6a809b7c4c9a8f4adb5b25808dd68000e17aa2 Mon Sep 17 00:00:00 2001 -From: mancha -Date: Wed, 04 Dec 2013 -Subject: restrict "su -c" only when callee is not root - -Shadow 4.1.5 addressed a tty-hijacking vulnerability in "su -c" -(CVE-2005-4890) by detaching the controlling terminal. - -Omni-directional protection is excessive and breaks commonly-used -methods for privilege escalation. Breakage is particularly severe -on non-PAM systems. - -This patch relaxes the restriction and only detaches the controlling -tty when the callee is not root. After all, we are not overly concerned -with root injecting commands to non-privileged users. - ---- - src/su.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/src/su.c -+++ b/src/su.c -@@ -1076,10 +1076,10 @@ int main (int argc, char **argv) - - set_environment (pw); - -- if (!doshell) { -+ if (!doshell && pw->pw_uid != 0) { - /* There is no need for a controlling terminal. - * This avoids the callee to inject commands on -- * the caller's tty. */ -+ * the caller's tty when the callee is not root. */ - int err = -1; - - #ifdef USE_PAM