I just tried poky master on Ubuntu 20.04, and the issues do not
appear. Do you have a custom setup?

Alex

On Fri, 19 Jan 2024 at 04:06, ChenQi <qi.c...@windriver.com> wrote:
>
> I'm seeing build failures on Ubuntu 20.04.
> GCC version: 9.4.0
>
> 1. error: parameter name omitted
> The problem is that the active_sessions_count function's definition
> lacks a parameter. I did change it like below:
> -unsigned long active_sessions_count(const char *name, unsigned long unused)
> +unsigned long active_sessions_count(const char *name, unsigned long
> unused unused_parameter)
> But then I observed another error, as shown below.
>
> 2. undefined reference to `dlsym'.
> | /ala-lpggp72/qichen/Yocto/builds/build-master/tmp/hosttools/ld:
> ../lib/.libs/libshadow.a(libshadow_la-nss.o): in function `nss_exit':
> | nss.c:(.text+0x32): undefined reference to `dlclose'
> | /ala-lpggp72/qichen/Yocto/builds/build-master/tmp/hosttools/ld:
> ../lib/.libs/libshadow.a(libshadow_la-nss.o): in function `nss_init':
> | nss.c:(.text+0x1dd): undefined reference to `dlopen'
> | /ala-lpggp72/qichen/Yocto/builds/build-master/tmp/hosttools/ld:
> nss.c:(.text+0x21c): undefined reference to `dlsym'
> | /ala-lpggp72/qichen/Yocto/builds/build-master/tmp/hosttools/ld:
> nss.c:(.text+0x237): undefined reference to `dlsym'
> | /ala-lpggp72/qichen/Yocto/builds/build-master/tmp/hosttools/ld:
> nss.c:(.text+0x253): undefined reference to `dlsym'
> | /ala-lpggp72/qichen/Yocto/builds/build-master/tmp/hosttools/ld:
> nss.c:(.text+0x365): undefined reference to `dlclose'
> | /ala-lpggp72/qichen/Yocto/builds/build-master/tmp/hosttools/ld:
> nss.c:(.text+0x3b2): undefined reference to `dlerror'
> | collect2: error: ld returned 1 exit status
> | make[2]: *** [Makefile:1130: su] Error 1
>
> On Ubuntu 22.04, there's no such issue.
>
> Regards,
> Qi
>
> On 1/11/24 21:15, Alexander Kanavin wrote:
> > License-Update: formatting, spdx conversion
> >
> > Drop:
> > 0001-Disable-use-of-syslog-for-sysroot.patch
> > (issue fixed upstream)
> >
> > 0001-Fix-can-not-print-full-login.patch
> > 0001-Overhaul-valid_field.patch
> > CVE-2023-29383.patch
> > (backports)
> >
> > libbsd is a new native dependency, as otherwise glibc >= 2.38
> > is needed.
> >
> > A similar fix is added to musl in order to define non-standard 
> > __BEGIN_DECLS/__END_DECLS.
> >
> > Signed-off-by: Alexander Kanavin <a...@linutronix.de>
> > ---
> >   ...01-Disable-use-of-syslog-for-sysroot.patch |  52 -------
> >   .../0001-Fix-can-not-print-full-login.patch   |  41 -----
> >   .../files/0001-Overhaul-valid_field.patch     |  65 --------
> >   .../shadow/files/CVE-2023-29383.patch         |  53 -------
> >   .../shadow/files/CVE-2023-4641.patch          | 147 ------------------
> >   ...nexpected-open-failure-in-chroot-env.patch |  16 +-
> >   meta/recipes-extended/shadow/shadow.inc       |  20 +--
> >   .../{shadow_4.13.bb => shadow_4.14.2.bb}      |   0
> >   8 files changed, 16 insertions(+), 378 deletions(-)
> >   delete mode 100644 
> > meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
> >   delete mode 100644 
> > meta/recipes-extended/shadow/files/0001-Fix-can-not-print-full-login.patch
> >   delete mode 100644 
> > meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
> >   delete mode 100644 meta/recipes-extended/shadow/files/CVE-2023-29383.patch
> >   delete mode 100644 meta/recipes-extended/shadow/files/CVE-2023-4641.patch
> >   rename meta/recipes-extended/shadow/{shadow_4.13.bb => shadow_4.14.2.bb} 
> > (100%)
> >
> > diff --git 
> > a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
> >  
> > b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
> > deleted file mode 100644
> > index fa1532c8317..00000000000
> > --- 
> > a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
> > +++ /dev/null
> > @@ -1,52 +0,0 @@
> > -From 85d0444229ee3d14fefcf10d093f49c862826f82 Mon Sep 17 00:00:00 2001
> > -From: Richard Purdie <richard.pur...@linuxfoundation.org>
> > -Date: Thu, 14 Apr 2022 23:11:53 +0000
> > -Subject: [PATCH] Disable use of syslog for shadow-native tools
> > -
> > -Disable use of syslog to prevent sysroot user and group additions from
> > -writing entries to the host's syslog. This patch should only be used
> > -with the shadow-native recipe.
> > -
> > -Upstream-Status: Inappropriate [OE specific configuration]
> > -Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org>
> > -Signed-off-by: Peter Kjellerstedt <peter.kjellerst...@axis.com>
> > -
> > ----
> > - configure.ac      | 2 +-
> > - src/login_nopam.c | 3 ++-
> > - 2 files changed, 3 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/configure.ac b/configure.ac
> > -index 924254a..603af81 100644
> > ---- a/configure.ac
> > -+++ b/configure.ac
> > -@@ -191,7 +191,7 @@ AC_DEFINE_UNQUOTED(PASSWD_PROGRAM, 
> > "$shadow_cv_passwd_dir/passwd",
> > -     [Path to passwd program.])
> > -
> > - dnl XXX - quick hack, should disappear before anyone notices :).
> > --AC_DEFINE(USE_SYSLOG, 1, [Define to use syslog().])
> > -+#AC_DEFINE(USE_SYSLOG, 1, [Define to use syslog().])
> > - if test "$ac_cv_func_ruserok" = "yes"; then
> > -     AC_DEFINE(RLOGIN, 1, [Define if login should support the -r flag for 
> > rlogind.])
> > -     AC_DEFINE(RUSEROK, 0, [Define to the ruserok() "success" return value 
> > (0 or 1).])
> > -diff --git a/src/login_nopam.c b/src/login_nopam.c
> > -index df6ba88..fc24e13 100644
> > ---- a/src/login_nopam.c
> > -+++ b/src/login_nopam.c
> > -@@ -29,7 +29,6 @@
> > - #ifndef USE_PAM
> > - #ident "$Id$"
> > -
> > --#include "prototypes.h"
> > -     /*
> > -      * This module implements a simple but effective form of login access
> > -      * control based on login names and on host (or domain) names, 
> > internet
> > -@@ -57,6 +56,8 @@
> > - #include <netinet/in.h>
> > - #include <arpa/inet.h>              /* for inet_ntoa() */
> > -
> > -+#include "prototypes.h"
> > -+
> > - #if !defined(MAXHOSTNAMELEN) || (MAXHOSTNAMELEN < 64)
> > - #undef MAXHOSTNAMELEN
> > - #define MAXHOSTNAMELEN 256
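
Review bot: the justification for deleting this patch is too thin. It is marked "Upstream-Status: Inappropriate [OE specific configuration]" and is removed from both class-native and class-nativesdk, yet the commit message says only "issue fixed upstream". Please name the upstream change in 4.14.2 that keeps the native tools from writing sysroot user and group additions to the host's syslog, so the behaviour can be re-checked if it regresses.
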
> > diff --git 
> > a/meta/recipes-extended/shadow/files/0001-Fix-can-not-print-full-login.patch
> >  
> > b/meta/recipes-extended/shadow/files/0001-Fix-can-not-print-full-login.patch
> > deleted file mode 100644
> > index 89f9c05c8d3..00000000000
> > --- 
> > a/meta/recipes-extended/shadow/files/0001-Fix-can-not-print-full-login.patch
> > +++ /dev/null
> > @@ -1,41 +0,0 @@
> > -commit 670cae834827a8f794e6f7464fa57790d911b63c
> > -Author: SoumyaWind <121475834+soumyaw...@users.noreply.github.com>
> > -Date:   Tue Dec 27 17:40:17 2022 +0530
> > -
> > -    shadow: Fix can not print full login timeout message
> > -
> > -    Login timed out message prints only first few bytes when write is 
> > immediately followed by exit.
> > -    Calling exit from new handler provides enough time to display full 
> > message.
> > -
> > -Upstream-Status: Backport 
> > [https://github.com/shadow-maint/shadow/commit/670cae834827a8f794e6f7464fa57790d911b63c]
> > -
> > -diff --git a/src/login.c b/src/login.c
> > -index 116e2cb3..c55f4de0 100644
> > ---- a/src/login.c
> > -+++ b/src/login.c
> > -@@ -120,6 +120,7 @@ static void get_pam_user (char **ptr_pam_user);
> > -
> > - static void init_env (void);
> > - static void alarm_handler (int);
> > -+static void exit_handler (int);
> > -
> > - /*
> > -  * usage - print login command usage and exit
> > -@@ -391,11 +392,16 @@ static void init_env (void)
> > - #endif                              /* !USE_PAM */
> > - }
> > -
> > -+static void exit_handler (unused int sig)
> > -+{
> > -+    _exit (0);
> > -+}
> > -
> > - static void alarm_handler (unused int sig)
> > - {
> > -     write (STDERR_FILENO, tmsg, strlen (tmsg));
> > --    _exit (0);
> > -+    signal(SIGALRM, exit_handler);
> > -+    alarm(2);
> > - }
> > -
> > - #ifdef USE_PAM
> > diff --git 
> > a/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch 
> > b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
> > deleted file mode 100644
> > index ac08be515bf..00000000000
> > --- a/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
> > +++ /dev/null
> > @@ -1,65 +0,0 @@
> > -From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
> > -Date: Fri, 31 Mar 2023 14:46:50 +0200
> > -Subject: [PATCH] Overhaul valid_field()
> > -
> > -e5905c4b ("Added control character check") introduced checking for
> > -control characters but had the logic inverted, so it rejects all
> > -characters that are not control ones.
> > -
> > -Cast the character to `unsigned char` before passing to the character
> > -checking functions to avoid UB.
> > -
> > -Use strpbrk(3) for the illegal character test and return early.
> > -
> > -Upstream-Status: Backport 
> > [https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4]
> > -
> > -Signed-off-by: Xiangyu Chen <xiangyu.c...@windriver.com>
> > ----
> > - lib/fields.c | 24 ++++++++++--------------
> > - 1 file changed, 10 insertions(+), 14 deletions(-)
> > -
> > -diff --git a/lib/fields.c b/lib/fields.c
> > -index fb51b582..53929248 100644
> > ---- a/lib/fields.c
> > -+++ b/lib/fields.c
> > -@@ -37,26 +37,22 @@ int valid_field (const char *field, const char 
> > *illegal)
> > -
> > -     /* For each character of field, search if it appears in the list
> > -      * of illegal characters. */
> > -+    if (illegal && NULL != strpbrk (field, illegal)) {
> > -+            return -1;
> > -+    }
> > -+
> > -+    /* Search if there are non-printable or control characters */
> > -     for (cp = field; '\0' != *cp; cp++) {
> > --            if (strchr (illegal, *cp) != NULL) {
> > -+            unsigned char c = *cp;
> > -+            if (!isprint (c)) {
> > -+                    err = 1;
> > -+            }
> > -+            if (iscntrl (c)) {
> > -                     err = -1;
> > -                     break;
> > -             }
> > -     }
> > -
> > --    if (0 == err) {
> > --            /* Search if there are non-printable or control characters */
> > --            for (cp = field; '\0' != *cp; cp++) {
> > --                    if (!isprint (*cp)) {
> > --                            err = 1;
> > --                    }
> > --                    if (!iscntrl (*cp)) {
> > --                            err = -1;
> > --                            break;
> > --                    }
> > --            }
> > --    }
> > --
> > -     return err;
> > - }
> > -
> > ---
> > -2.34.1
> > -
> > diff --git a/meta/recipes-extended/shadow/files/CVE-2023-29383.patch 
> > b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
> > deleted file mode 100644
> > index f53341d3fc2..00000000000
> > --- a/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
> > +++ /dev/null
> > @@ -1,53 +0,0 @@
> > -From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
> > -From: tomspiderlabs <128755403+tomspiderl...@users.noreply.github.com>
> > -Date: Thu, 23 Mar 2023 23:39:38 +0000
> > -Subject: [PATCH] Added control character check
> > -
> > -Added control character check, returning -1 (to "err") if control 
> > characters are present.
> > -
> > -CVE: CVE-2023-29383
> > -Upstream-Status: Backport
> > -
> > -Reference to upstream:
> > -https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d
> > -
> > -Signed-off-by: Xiangyu Chen <xiangyu.c...@windriver.com>
> > ----
> > - lib/fields.c | 11 +++++++----
> > - 1 file changed, 7 insertions(+), 4 deletions(-)
> > -
> > -diff --git a/lib/fields.c b/lib/fields.c
> > -index 640be931..fb51b582 100644
> > ---- a/lib/fields.c
> > -+++ b/lib/fields.c
> > -@@ -21,9 +21,9 @@
> > -  *
> > -  * The supplied field is scanned for non-printable and other illegal
> > -  * characters.
> > -- *  + -1 is returned if an illegal character is present.
> > -- *  +  1 is returned if no illegal characters are present, but the field
> > -- *       contains a non-printable character.
> > -+ *  + -1 is returned if an illegal or control character is present.
> > -+ *  +  1 is returned if no illegal or control characters are present,
> > -+ *       but the field contains a non-printable character.
> > -  *  +  0 is returned otherwise.
> > -  */
> > - int valid_field (const char *field, const char *illegal)
> > -@@ -45,10 +45,13 @@ int valid_field (const char *field, const char 
> > *illegal)
> > -     }
> > -
> > -     if (0 == err) {
> > --            /* Search if there are some non-printable characters */
> > -+            /* Search if there are non-printable or control characters */
> > -             for (cp = field; '\0' != *cp; cp++) {
> > -                     if (!isprint (*cp)) {
> > -                             err = 1;
> > -+                    }
> > -+                    if (!iscntrl (*cp)) {
> > -+                            err = -1;
> > -                             break;
> > -                     }
> > -             }
> > ---
> > -2.34.1
> > -
> > diff --git a/meta/recipes-extended/shadow/files/CVE-2023-4641.patch 
> > b/meta/recipes-extended/shadow/files/CVE-2023-4641.patch
> > deleted file mode 100644
> > index 1fabfe928e4..00000000000
> > --- a/meta/recipes-extended/shadow/files/CVE-2023-4641.patch
> > +++ /dev/null
> > @@ -1,147 +0,0 @@
> > -From 25dbe2ce166a13322b7536ff2f738786ea2e61e7 Mon Sep 17 00:00:00 2001
> > -From: Alejandro Colomar <a...@kernel.org>
> > -Date: Sat, 10 Jun 2023 16:20:05 +0200
> > -Subject: [PATCH] gpasswd(1): Fix password leak
> > -
> > -How to trigger this password leak?
> > -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > -
> > -When gpasswd(1) asks for the new password, it asks twice (as is usual
> > -for confirming the new password).  Each of those 2 password prompts
> > -uses agetpass() to get the password.  If the second agetpass() fails,
> > -the first password, which has been copied into the 'static' buffer
> > -'pass' via STRFCPY(), wasn't being zeroed.
> > -
> > -agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
> > -can fail for any of the following reasons:
> > -
> > --  malloc(3) or readpassphrase(3) failure.
> > -
> > -   These are going to be difficult to trigger.  Maybe getting the system
> > -   to the limits of memory utilization at that exact point, so that the
> > -   next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
> > -   About readpassphrase(3), ENFILE and EINTR seem the only plausible
> > -   ones, and EINTR probably requires privilege or being the same user;
> > -   but I wouldn't discard ENFILE so easily, if a process starts opening
> > -   files.
> > -
> > --  The password is longer than PASS_MAX.
> > -
> > -   The is plausible with physical access.  However, at that point, a
> > -   keylogger will be a much simpler attack.
> > -
> > -And, the attacker must be able to know when the second password is being
> > -introduced, which is not going to be easy.
> > -
> > -How to read the password after the leak?
> > -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > -
> > -Provoking the leak yourself at the right point by entering a very long
> > -password is easy, and inspecting the process stack at that point should
> > -be doable.  Try to find some consistent patterns.
> > -
> > -Then, search for those patterns in free memory, right after the victim
> > -leaks their password.
> > -
> > -Once you get the leak, a program should read all the free memory
> > -searching for patterns that gpasswd(1) leaves nearby the leaked
> > -password.
> > -
> > -On 6/10/23 03:14, Seth Arnold wrote:
> > -> An attacker process wouldn't be able to use malloc(3) for this task.
> > -> There's a handful of tools available for userspace to allocate memory:
> > ->
> > -> -  brk / sbrk
> > -> -  mmap MAP_ANONYMOUS
> > -> -  mmap /dev/zero
> > -> -  mmap some other file
> > -> -  shm_open
> > -> -  shmget
> > ->
> > -> Most of these return only pages of zeros to a process.  Using mmap of an
> > -> existing file, you can get some of the contents of the file demand-loaded
> > -> into the memory space on the first use.
> > ->
> > -> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
> > -> CONFIG_MMAP_ALLOW_UNINITIALIZED.  This is rare.
> > ->
> > -> malloc(3) doesn't zero memory, to our collective frustration, but all the
> > -> garbage in the allocations is from previous allocations in the current
> > -> process.  It isn't leftover from other processes.
> > ->
> > -> The avenues available for reading the memory:
> > -> -  /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
> > -> -  /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
> > -> -  ptrace (requires ptrace privileges, mediated by YAMA)
> > -> -  causing memory to be swapped to disk, and then inspecting the swap
> > ->
> > -> These all require a certain amount of privileges.
> > -
> > -How to fix it?
> > -~~~~~~~~~~~~~~
> > -
> > -memzero(), which internally calls explicit_bzero(3), or whatever
> > -alternative the system provides with a slightly different name, will
> > -make sure that the buffer is zeroed in memory, and optimizations are not
> > -allowed to impede this zeroing.
> > -
> > -This is not really 100% effective, since compilers may place copies of
> > -the string somewhere hidden in the stack.  Those copies won't get zeroed
> > -by explicit_bzero(3).  However, that's arguably a compiler bug, since
> > -compilers should make everything possible to avoid optimizing strings
> > -that are later passed to explicit_bzero(3).  But we all know that
> > -sometimes it's impossible to have perfect knowledge in the compiler, so
> > -this is plausible.  Nevertheless, there's nothing we can do against such
> > -issues, except minimizing the time such passwords are stored in plain
> > -text.
> > -
> > -Security concerns
> > -~~~~~~~~~~~~~~~~~
> > -
> > -We believe this isn't easy to exploit.  Nevertheless, and since the fix
> > -is trivial, this fix should probably be applied soon, and backported to
> > -all supported distributions, to prevent someone else having more
> > -imagination than us to find a way.
> > -
> > -Affected versions
> > -~~~~~~~~~~~~~~~~~
> > -
> > -All.  Bug introduced in shadow 19990709.  That's the second commit in
> > -the git history.
> > -
> > -Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, 
> > shadow (19990709)")
> > -
> > -CVE: CVE-2023-4641
> > -Upstream-Status: Backport 
> > [https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904]
> > -
> > -Reported-by: Alejandro Colomar <a...@kernel.org>
> > -Cc: Serge Hallyn <se...@hallyn.com>
> > -Cc: Iker Pedrosa <ipedr...@redhat.com>
> > -Cc: Seth Arnold <seth.arn...@canonical.com>
> > -Cc: Christian Brauner <christ...@brauner.io>
> > -Cc: Balint Reczey <rbal...@debian.org>
> > -Cc: Sam James <s...@gentoo.org>
> > -Cc: David Runge <dv...@archlinux.org>
> > -Cc: Andreas Jaeger <a...@suse.de>
> > -Cc: <~hallyn/sha...@lists.sr.ht>
> > -Signed-off-by: Alejandro Colomar <a...@kernel.org>
> > -Signed-off-by: Xiangyu Chen <xiangyu.c...@windriver.com>
> > ----
> > - src/gpasswd.c | 1 +
> > - 1 file changed, 1 insertion(+)
> > -
> > -diff --git a/src/gpasswd.c b/src/gpasswd.c
> > -index 5983f787..2d8869ef 100644
> > ---- a/src/gpasswd.c
> > -+++ b/src/gpasswd.c
> > -@@ -896,6 +896,7 @@ static void change_passwd (struct group *gr)
> > -             strzero (cp);
> > -             cp = getpass (_("Re-enter new password: "));
> > -             if (NULL == cp) {
> > -+                    memzero (pass, sizeof pass);
> > -                     exit (1);
> > -             }
> > -
> > ---
> > -2.34.1
> > -
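
Review bot: CVE-2023-4641.patch is deleted here and appears in the diffstat, but the "Drop:" list in the commit message names only 0001-Fix-can-not-print-full-login.patch, 0001-Overhaul-valid_field.patch and CVE-2023-29383.patch as backports. Add CVE-2023-4641.patch to that list and confirm that 4.14.2 contains upstream commit 65c88a43a23c2391dcc90c0abda3e839e9c57904, since the "CVE: CVE-2023-4641" tag disappears together with this file.
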
> > diff --git 
> > a/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch
> >  
> > b/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch
> > index 85d91751056..4a932d2dbb1 100644
> > --- 
> > a/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch
> > +++ 
> > b/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch
> > @@ -1,4 +1,4 @@
> > -From 21583da072aa66901d859ac00ce209bac87ddecc Mon Sep 17 00:00:00 2001
> > +From a773c6b240d27e23d6be41decef0edf24fcee523 Mon Sep 17 00:00:00 2001
> >   From: Chen Qi <qi.c...@windriver.com>
> >   Date: Thu, 17 Jul 2014 15:53:34 +0800
> >   Subject: [PATCH] commonio.c-fix-unexpected-open-failure-in-chroot-env
> > @@ -15,35 +15,37 @@ Note that this patch doesn't change the logic in the 
> > code, it just expands
> >   the codes.
> >
> >   Signed-off-by: Chen Qi <qi.c...@windriver.com>
> > -
> >   ---
> >    lib/commonio.c | 16 ++++++++++++----
> >    1 file changed, 12 insertions(+), 4 deletions(-)
> >
> >   diff --git a/lib/commonio.c b/lib/commonio.c
> > -index 9a02ce1..61384ec 100644
> > +index 73fdb3a..d1231e9 100644
> >   --- a/lib/commonio.c
> >   +++ b/lib/commonio.c
> > -@@ -616,10 +616,18 @@ int commonio_open (struct commonio_db *db, int mode)
> > +@@ -606,10 +606,18 @@ int commonio_open (struct commonio_db *db, int mode)
> >       db->cursor = NULL;
> >       db->changed = false;
> >
> >   -   fd = open (db->filename,
> >   -                (db->readonly ? O_RDONLY : O_RDWR)
> > --               | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
> > +-               | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC);
> >   -   saved_errno = errno;
> >   +   if (db->readonly) {
> >   +           fd = open (db->filename,
> >   +                      (true ? O_RDONLY : O_RDWR)
> > -+                       | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
> > ++                       | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC);
> >   +           saved_errno = errno;
> >   +   } else {
> >   +           fd = open (db->filename,
> >   +                      (false ? O_RDONLY : O_RDWR)
> > -+                       | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
> > ++                       | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW| O_CLOEXEC);
> >   +           saved_errno = errno;
> >   +   }
> >   +
> >       db->fp = NULL;
> >       if (fd >= 0) {
> >    #ifdef WITH_TCB
> > +--
> > +2.30.2
> > +
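
Review bot: in the read-write branch of the refreshed hunk the flags read "O_NOFOLLOW| O_CLOEXEC", missing the space before "|" that the read-only branch has. Use "O_NOFOLLOW | O_CLOEXEC" in both open() calls so they stay textually identical apart from the access mode, in line with the patch description that it only expands the code without changing the logic.
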
> > diff --git a/meta/recipes-extended/shadow/shadow.inc 
> > b/meta/recipes-extended/shadow/shadow.inc
> > index ce3ce627156..c024746d4ff 100644
> > --- a/meta/recipes-extended/shadow/shadow.inc
> > +++ b/meta/recipes-extended/shadow/shadow.inc
> > @@ -5,7 +5,7 @@ BUGTRACKER = "http://github.com/shadow-maint/shadow/issues";
> >   SECTION = "base/utils"
> >   LICENSE = "BSD-3-Clause"
> >   LIC_FILES_CHKSUM = "file://COPYING;md5=c9a450b7be84eac23e6353efecb60b5b \
> > -                    
> > file://src/passwd.c;beginline=2;endline=30;md5=758c26751513b6795395275969dd3be1
> >  \
> > +                    
> > file://src/passwd.c;beginline=2;endline=7;md5=67bcf314687820b2f010d4863fce3fc5
> >  \
> >                       "
> >
> >   DEPENDS = "virtual/crypt"
> > @@ -14,10 +14,6 @@ GITHUB_BASE_URI = 
> > "https://github.com/shadow-maint/shadow/releases";
> >   SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.gz \
> >              ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', 
> > '', d)} \
> >              file://useradd \
> > -        file://0001-Fix-can-not-print-full-login.patch \
> > -           file://CVE-2023-29383.patch \
> > -           file://0001-Overhaul-valid_field.patch \
> > -           file://CVE-2023-4641.patch \
> >              "
> >
> >   SRC_URI:append:class-target = " \
> > @@ -26,14 +22,9 @@ SRC_URI:append:class-target = " \
> >              "
> >
> >   SRC_URI:append:class-native = " \
> > -           file://0001-Disable-use-of-syslog-for-sysroot.patch \
> >              
> > file://commonio.c-fix-unexpected-open-failure-in-chroot-env.patch \
> >              "
> > -SRC_URI:append:class-nativesdk = " \
> > -           file://0001-Disable-use-of-syslog-for-sysroot.patch \
> > -           "
> > -SRC_URI[sha256sum] = 
> > "813057047499c7fe81108adcf0cffa3ad4ec75e19a80151f9cbaa458ff2e86cd"
> > -
> > +SRC_URI[sha256sum] = 
> > "a305edf5d19bddbdf5e836d2d609fa8bff2d35458819de4d9f06306a1cf24342"
> >
> >   # Additional Policy files for PAM
> >   PAM_SRC_URI = "file://pam.d/chfn \
> > @@ -44,7 +35,7 @@ PAM_SRC_URI = "file://pam.d/chfn \
> >                  file://pam.d/passwd \
> >                  file://pam.d/su"
> >
> > -inherit autotools gettext github-releases
> > +inherit autotools gettext github-releases pkgconfig
> >
> >   export CONFIG_SHELL="/bin/sh"
> >
> > @@ -54,6 +45,8 @@ EXTRA_OECONF += "--without-libcrack \
> >                    --without-sssd \
> >                    ${NSCDOPT}"
> >
> > +CFLAGS:append:libc-musl = " -DLIBBSD_OVERLAY"
> > +
> >   NSCDOPT = ""
> >   NSCDOPT:class-native = "--without-nscd"
> >   NSCDOPT:class-nativesdk = "--without-nscd"
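
Review bot: the new line CFLAGS:append:libc-musl = " -DLIBBSD_OVERLAY" carries no comment, and its reason (defining the non-standard __BEGIN_DECLS/__END_DECLS) is recorded only in the commit message. Add a one-line comment above it in shadow.inc, and since libbsd is enabled in PACKAGECONFIG only for class-native, say whether the define is meant to take effect for musl target builds without that option.
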
> > @@ -73,13 +66,14 @@ PAM_PLUGINS = "libpam-runtime \
> >
> >   PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \
> >                      ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 
> > 'attr', '', d)}"
> > -PACKAGECONFIG:class-native ??= "${@bb.utils.contains('DISTRO_FEATURES', 
> > 'xattr', 'attr', '', d)}"
> > +PACKAGECONFIG:class-native ??= "${@bb.utils.contains('DISTRO_FEATURES', 
> > 'xattr', 'attr', '', d)} libbsd"
> >   PACKAGECONFIG:class-nativesdk = ""
> >   PACKAGECONFIG[pam] = 
> > "--with-libpam,--without-libpam,libpam,${PAM_PLUGINS}"
> >   PACKAGECONFIG[attr] = "--with-attr,--without-attr,attr"
> >   PACKAGECONFIG[acl] = "--with-acl,--without-acl,acl"
> >   PACKAGECONFIG[audit] = "--with-audit,--without-audit,audit"
> >   PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux 
> > libsemanage"
> > +PACKAGECONFIG[libbsd] = "--with-libbsd,--without-libbsd,libbsd"
> >
> >   RDEPENDS:${PN} = "shadow-securetty \
> >                     base-passwd \
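
Review bot: libbsd is appended only to PACKAGECONFIG:class-native, while PACKAGECONFIG:class-nativesdk = "" and the target default are unchanged, so those builds are configured with --without-libbsd. The commit message states that glibc >= 2.38 is needed otherwise; put that requirement in a comment next to the PACKAGECONFIG lines and confirm that nativesdk and target builds always have a new enough libc.
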
> > diff --git a/meta/recipes-extended/shadow/shadow_4.13.bb 
> > b/meta/recipes-extended/shadow/shadow_4.14.2.bb
> > similarity index 100%
> > rename from meta/recipes-extended/shadow/shadow_4.13.bb
> > rename to meta/recipes-extended/shadow/shadow_4.14.2.bb
> >
> > 
> >
>