mirror of
git://slackware.nl/current.git
synced 2024-12-31 10:28:29 +01:00
26cd2dd0d1
a/shadow-4.8.1-x86_64-8.txz: Rebuilt.
It seems that /etc/suauth is not supported when PAM is in use, even if
configure.ac is hacked to enable it. I've removed the man pages for it,
and would suggest using sudo as a replacement.
l/libexif-0.6.22-x86_64-1.txz: Upgraded.
This update fixes bugs and security issues:
CVE-2018-20030: Fix for recursion DoS
CVE-2020-13114: Time consumption DoS when parsing canon array markers
CVE-2020-13113: Potential use of uninitialized memory
CVE-2020-13112: Various buffer overread fixes due to integer overflows
in maker notes
CVE-2020-0093: read overflow
CVE-2019-9278: replaced integer overflow checks the compiler could
optimize away by safer constructs
CVE-2020-12767: fixed division by zero
CVE-2016-6328: fixed integer overflow when parsing maker notes
CVE-2017-7544: fixed buffer overread
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20030
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13114
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13113
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13112
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0093
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9278
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12767
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6328
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7544
(* Security fix *)
l/oniguruma-6.9.5_rev1-x86_64-2.txz: Rebuilt.
Rebuilt with --enable-posix-api. Thanks to MisterL.
l/python-packaging-20.4-x86_64-1.txz: Upgraded.
n/bind-9.16.3-x86_64-1.txz: Upgraded.
This update fixes a security issue:
A malicious actor who intentionally exploits the lack of effective
limitation on the number of fetches performed when processing referrals
can, through the use of specially crafted referrals, cause a recursing
server to issue a very large number of fetches in an attempt to process
the referral. This has at least two potential effects: The performance of
the recursing server can potentially be degraded by the additional work
required to perform these fetches, and the attacker can exploit this
behavior to use the recursing server as a reflector in a reflection attack
with a high amplification factor.
For more information, see:
https://kb.isc.org/docs/cve-2020-8616
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8616
(* Security fix *)
x/fontconfig-2.13.92-x86_64-1.txz: Upgraded.
x/xf86-input-libinput-0.30.0-x86_64-1.txz: Upgraded.
262 lines
8.3 KiB
Bash
Executable file
262 lines
8.3 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
# Copyright 2005-2020 Patrick J. Volkerding, Sebeka, Minnesota, USA
|
|
# All rights reserved.
|
|
#
|
|
# Redistribution and use of this script, with or without modification, is
|
|
# permitted provided that the following conditions are met:
|
|
#
|
|
# 1. Redistributions of this script must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
|
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
|
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
|
|
# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
|
|
# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
|
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
|
|
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
|
|
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
cd $(dirname $0) ; CWD=$(pwd)
|
|
|
|
PKGNAM=shadow
|
|
VERSION=${VERSION:-$(echo $PKGNAM-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
|
|
BUILD=${BUILD:-8}
|
|
|
|
# Automatically determine the architecture we're building on:
|
|
if [ -z "$ARCH" ]; then
|
|
case "$( uname -m )" in
|
|
i?86) export ARCH=i586 ;;
|
|
arm*) export ARCH=arm ;;
|
|
# Unless $ARCH is already set, use uname -m for all other archs:
|
|
*) export ARCH=$( uname -m ) ;;
|
|
esac
|
|
fi
|
|
|
|
# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
|
|
# the name of the created package would be, and then exit. This information
|
|
# could be useful to other scripts.
|
|
if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
|
|
echo "$PKGNAM-$VERSION-$ARCH-$BUILD.txz"
|
|
exit 0
|
|
fi
|
|
|
|
NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
|
|
|
|
TMP=${TMP:-/tmp}
|
|
PKG=$TMP/package-shadow
|
|
|
|
if [ "$ARCH" = "i586" ]; then
|
|
SLKCFLAGS="-O2 -march=i586 -mtune=i686"
|
|
LIBDIRSUFFIX=""
|
|
elif [ "$ARCH" = "s390" ]; then
|
|
SLKCFLAGS="-O2"
|
|
LIBDIRSUFFIX=""
|
|
elif [ "$ARCH" = "x86_64" ]; then
|
|
SLKCFLAGS="-O2 -fPIC"
|
|
LIBDIRSUFFIX="64"
|
|
else
|
|
SLKCFLAGS="-O2"
|
|
LIBDIRSUFFIX=""
|
|
fi
|
|
|
|
rm -rf $PKG
|
|
mkdir -p $TMP $PKG
|
|
cd $TMP
|
|
rm -rf shadow-$VERSION
|
|
tar xvf $CWD/shadow-$VERSION.tar.xz || exit 1
|
|
cd shadow-$VERSION
|
|
|
|
# Choose correct options depending on whether PAM is installed:
|
|
if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
|
|
PAM_OPTIONS="--with-libpam"
|
|
unset SHADOW_OPTIONS
|
|
# By default, use the shadow version of /bin/su:
|
|
SHIP_SU=${SHIP_SU:-YES}
|
|
else
|
|
unset PAM_OPTIONS
|
|
SHADOW_OPTIONS="--enable-shadowgrp --without-libcrack"
|
|
# By default, use the shadow version of /bin/su:
|
|
SHIP_SU=${SHIP_SU:-YES}
|
|
fi
|
|
|
|
# Apply some patches taken from the svn trunk that
|
|
# fix some of the more serious bugs in 4.1.4.3:
|
|
for patch in $CWD/patches/*.diff.gz ; do
|
|
zcat $patch | patch -p0 --verbose || exit 1
|
|
done
|
|
|
|
# Relax the restrictions on "su -c" when it is used to become root.
|
|
# It's not likely that root is going to try to inject commands back into
|
|
# the user's shell to hack it, and the unnecessary restriction is causing
|
|
# breakage:
|
|
zcat $CWD/shadow.CVE-2005-4890.relax.diff.gz | patch -p1 --verbose || exit 1
|
|
|
|
# Even if gethostname() returns the FQDN (long hostname), just display the
|
|
# short version up to the first '.' on the login prompt:
|
|
zcat $CWD/shadow.login.display.short.hostname.diff.gz | patch -p1 --verbose || exit 1
|
|
|
|
# Add missing file:
|
|
if [ ! -r man/login.defs.d/HOME_MODE.xml ]; then
|
|
zcat $CWD/HOME_MODE.xml.gz > man/login.defs.d/HOME_MODE.xml
|
|
fi
|
|
|
|
chown -R root:root .
|
|
find . \
|
|
\( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
|
|
-exec chmod 755 {} \+ -o \
|
|
\( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
|
|
-exec chmod 644 {} \+
|
|
|
|
if [ ! -r ./configure ]; then
|
|
./autogen.sh
|
|
fi
|
|
|
|
CFLAGS="$SLKCFLAGS" \
|
|
./configure \
|
|
--prefix=/usr \
|
|
--sbindir=/usr/sbin \
|
|
--bindir=/usr/bin \
|
|
--sysconfdir=/etc \
|
|
--mandir=/usr/man \
|
|
--docdir=/usr/doc/shadow-$VERSION \
|
|
--enable-man \
|
|
--enable-subordinate-ids \
|
|
--disable-shared \
|
|
--with-group-name-max-length=32 \
|
|
$SHADOW_OPTIONS \
|
|
$PAM_OPTIONS \
|
|
--build=$ARCH-slackware-linux
|
|
|
|
# --enable-utmpx # defaults to 'no'
|
|
|
|
make $NUMJOBS || make || exit 1
|
|
make install DESTDIR=$PKG || exit 1
|
|
|
|
# Fix user group = 100:
|
|
zcat $CWD/useradd.gz > $PKG/etc/default/useradd
|
|
mv $PKG/etc/default/useradd $PKG/etc/default/useradd.new
|
|
|
|
# Put some stuff back in "old" locations and make symlinks for compat
|
|
mkdir -p $PKG/bin $PKG/sbin
|
|
( cd $PKG/usr/bin
|
|
mv groups ../../bin
|
|
mv login ../../bin
|
|
mv su ../../bin
|
|
mv faillog ../sbin
|
|
mv lastlog ../sbin
|
|
ln -s ../sbin/faillog
|
|
ln -s ../sbin/lastlog
|
|
)
|
|
mv $PKG/usr/sbin/nologin $PKG/sbin/nologin
|
|
|
|
if [ ! -z "$PAM_OPTIONS" ]; then
|
|
# Don't ship the login utilities. We'll be using the ones from util-linux:
|
|
for file in /bin/login /sbin/runuser /usr/bin/chfn /usr/bin/chsh \
|
|
/usr/man/man1/chfn.1.gz /usr/man/man1/chsh.1.gz /usr/man/man1/login.1.gz \
|
|
/usr/man/man1/runuser.1.gz ; do
|
|
rm -f $PKG${file}
|
|
done
|
|
# Install config files in /etc/pam.d/. We'll use our own copies... I'm not
|
|
# sure that I trust upstream enough to let them handle this stuff.
|
|
rm -rf $PKG/etc/pam.d
|
|
mkdir -p $PKG/etc/pam.d
|
|
for file in $CWD/pam.d/* ; do
|
|
cp -a ${file} $PKG/etc/pam.d/
|
|
done
|
|
if [ "$SHIP_SU" = "YES" ]; then
|
|
cp -a $CWD/pam.d-su/* $PKG/etc/pam.d/
|
|
fi
|
|
# Ensure correct perms/ownership on files in /etc/pam.d/:
|
|
chown root:root $PKG/etc/pam.d/*
|
|
chmod 644 $PKG/etc/pam.d/*
|
|
# Don't clobber existing config files:
|
|
find $PKG/etc/pam.d -type f -exec mv {} {}.new \;
|
|
# Install a login.defs with unsurprising defaults:
|
|
rm -f $PKG/etc/login.defs
|
|
zcat $CWD/login.defs.pam.gz > $PKG/etc/login.defs.new
|
|
else # not using PAM
|
|
mv $PKG/etc/login.access $PKG/etc/login.access.new
|
|
# Install a login.defs with unsurprising defaults:
|
|
rm -f $PKG/etc/login.defs
|
|
zcat $CWD/login.defs.shadow.gz > $PKG/etc/login.defs.new
|
|
fi
|
|
|
|
# If we aren't using this version of su, remove the files:
|
|
if [ "$SHIP_SU" = "NO" ]; then
|
|
rm $PKG/bin/su
|
|
find $PKG/usr/man -name su.1 | xargs rm
|
|
find $PKG/usr/man -name suauth.5 | xargs rm
|
|
fi
|
|
|
|
# /etc/suauth doesn't work with PAM, even if configure.ac is hacked to try
|
|
# to turn the feature on, so remove the man pages if we're using PAM:
|
|
if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
|
|
find $PKG/usr/man -name suauth.5 | xargs rm
|
|
fi
|
|
|
|
# /bin/groups is provided by coreutils.
|
|
rm -f $PKG/bin/groups
|
|
find $PKG -name groups.1 -exec rm {} \+
|
|
|
|
# I don't think this works well enough to recommend it.
|
|
#mv $PKG/etc/limits $PKG/etc/limits.new
|
|
rm -f $PKG/etc/limits
|
|
|
|
# Add the friendly 'adduser' script:
|
|
cat $CWD/adduser > $PKG/usr/sbin/adduser
|
|
chmod 0755 $PKG/usr/sbin/adduser
|
|
|
|
# Add sulogin to the package:
|
|
cp -a src/sulogin $PKG/sbin
|
|
( cd $PKG/bin ; ln -s ../sbin/sulogin )
|
|
cp -a ./man/zh_CN/man8/sulogin.8 $PKG/usr/man/zh_CN/man8/sulogin.8 || exit 1
|
|
cp -a ./man/ru/man8/sulogin.8 $PKG/usr/man/ru/man8/sulogin.8 || exit 1
|
|
cp -a ./man/de/man8/sulogin.8 $PKG/usr/man/de/man8/sulogin.8 || exit 1
|
|
cp -a ./man/ja/man8/sulogin.8 $PKG/usr/man/ja/man8/sulogin.8 || exit 1
|
|
cp -a ./man/man8/sulogin.8 $PKG/usr/man/man8/sulogin.8 || exit 1
|
|
|
|
# Add the empty faillog log file:
|
|
mkdir -p $PKG/var/log
|
|
touch $PKG/var/log/faillog.new
|
|
|
|
# Use 4711 rather than 4755 permissions where setuid root is required:
|
|
find $PKG -type f -perm 4755 -exec chmod 4711 "{}" \+
|
|
|
|
# Compress and if needed symlink the man pages:
|
|
if [ -d $PKG/usr/man ]; then
|
|
( cd $PKG/usr/man
|
|
for manpagedir in $(find . -type d -name "man*") ; do
|
|
( cd $manpagedir
|
|
for eachpage in $( find . -type l -maxdepth 1) ; do
|
|
ln -s $( readlink $eachpage ).gz $eachpage.gz
|
|
rm $eachpage
|
|
done
|
|
gzip -9 *.?
|
|
)
|
|
done
|
|
)
|
|
fi
|
|
|
|
mkdir -p $PKG/usr/doc/shadow-$VERSION
|
|
cp -a \
|
|
COPYING* NEWS README* TODO doc/{README*,HOWTO,WISHLIST,*.txt} \
|
|
$PKG/usr/doc/shadow-$VERSION
|
|
|
|
# If there's a ChangeLog, installing at least part of the recent history
|
|
# is useful, but don't let it get totally out of control:
|
|
if [ -r ChangeLog ]; then
|
|
DOCSDIR=$(echo $PKG/usr/doc/${PKGNAM}-$VERSION)
|
|
cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog
|
|
touch -r ChangeLog $DOCSDIR/ChangeLog
|
|
fi
|
|
|
|
mkdir -p $PKG/install
|
|
cat $CWD/slack-desc > $PKG/install/slack-desc
|
|
zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh
|
|
|
|
cd $PKG
|
|
/sbin/makepkg -l y -c n $TMP/shadow-$VERSION-$ARCH-$BUILD.txz
|