I've seen issues where static libraries built on one host were not
usable on a different host with default compiler options. This may be
another one of these.

We're reverting to dynamic linking with libraries in a custom
directory in sysroot that would be bundled together with shadow-native
proper. Patch is coming.

Alex

On Fri, 19 Jan 2024 at 13:13, Chen, Qi <qi.c...@windriver.com> wrote:
>
> I didn't do anything particular, but as several people are sharing the 
> server, it's possible that its environment is somewhat messed up. I'll check 
> more and fix the environment. Thanks for your double check.
>
> Regards,
> Qi
>
> -----Original Message-----
> From: Alexander Kanavin <alex.kana...@gmail.com>
> Sent: Friday, January 19, 2024 6:12 PM
> To: Chen, Qi <qi.c...@windriver.com>
> Cc: openembedded-core@lists.openembedded.org; Alexander Kanavin 
> <a...@linutronix.de>
> Subject: Re: [OE-core] [PATCH v3 1/2] shadow: update 4.13 -> 4.14.2
>
> I just tried poky master on Ubuntu 20.04, and the issues do not appear. Do
> you have a custom setup?
>
> Alex
>
> On Fri, 19 Jan 2024 at 04:06, ChenQi <qi.c...@windriver.com> wrote:
> >
> > I'm seeing build failures on Ubuntu 20.04.
> > GCC version: 9.4.0
> >
> > 1. error: parameter name omitted
> > > The problem is that the active_sessions_count function's definition
> > > lacks a parameter. I made a change like the one below:
> > -unsigned long active_sessions_count(const char *name, unsigned long
> > unused)
> > +unsigned long active_sessions_count(const char *name, unsigned long
> > unused unused_parameter)
> > But then I observed another error, as shown below.
> >
> > 2. undefined reference to `dlsym'.
> > | /ala-lpggp72/qichen/Yocto/builds/build-master/tmp/hosttools/ld:
> > ../lib/.libs/libshadow.a(libshadow_la-nss.o): in function `nss_exit':
> > | nss.c:(.text+0x32): undefined reference to `dlclose'
> > | /ala-lpggp72/qichen/Yocto/builds/build-master/tmp/hosttools/ld:
> > ../lib/.libs/libshadow.a(libshadow_la-nss.o): in function `nss_init':
> > | nss.c:(.text+0x1dd): undefined reference to `dlopen'
> > | /ala-lpggp72/qichen/Yocto/builds/build-master/tmp/hosttools/ld:
> > nss.c:(.text+0x21c): undefined reference to `dlsym'
> > | /ala-lpggp72/qichen/Yocto/builds/build-master/tmp/hosttools/ld:
> > nss.c:(.text+0x237): undefined reference to `dlsym'
> > | /ala-lpggp72/qichen/Yocto/builds/build-master/tmp/hosttools/ld:
> > nss.c:(.text+0x253): undefined reference to `dlsym'
> > | /ala-lpggp72/qichen/Yocto/builds/build-master/tmp/hosttools/ld:
> > nss.c:(.text+0x365): undefined reference to `dlclose'
> > | /ala-lpggp72/qichen/Yocto/builds/build-master/tmp/hosttools/ld:
> > nss.c:(.text+0x3b2): undefined reference to `dlerror'
> > | collect2: error: ld returned 1 exit status
> > | make[2]: *** [Makefile:1130: su] Error 1
> >
> > > On Ubuntu 22.04, there's no such issue.
> >
> > Regards,
> > Qi
> >
> > On 1/11/24 21:15, Alexander Kanavin wrote:
> > > License-Update: formatting, spdx conversion
> > >
> > > Drop:
> > > 0001-Disable-use-of-syslog-for-sysroot.patch
> > > (issue fixed upstream)
> > >
> > > 0001-Fix-can-not-print-full-login.patch
> > > 0001-Overhaul-valid_field.patch
> > > CVE-2023-29383.patch
> > > (backports)
> > >
> > > libbsd is a new native dependency, as otherwise glibc >= 2.38 is
> > > needed.
> > >
> > > A similar fix is added to musl in order to define non-standard 
> > > __BEGIN_DECLS/__END_DECLS.
> > >
> > > Signed-off-by: Alexander Kanavin <a...@linutronix.de>
> > > ---
> > >   ...01-Disable-use-of-syslog-for-sysroot.patch |  52 -------
> > >   .../0001-Fix-can-not-print-full-login.patch   |  41 -----
> > >   .../files/0001-Overhaul-valid_field.patch     |  65 --------
> > >   .../shadow/files/CVE-2023-29383.patch         |  53 -------
> > >   .../shadow/files/CVE-2023-4641.patch          | 147 ------------------
> > >   ...nexpected-open-failure-in-chroot-env.patch |  16 +-
> > >   meta/recipes-extended/shadow/shadow.inc       |  20 +--
> > >   .../{shadow_4.13.bb => shadow_4.14.2.bb}      |   0
> > >   8 files changed, 16 insertions(+), 378 deletions(-)
> > >   delete mode 100644 
> > > meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
> > >   delete mode 100644 
> > > meta/recipes-extended/shadow/files/0001-Fix-can-not-print-full-login.patch
> > >   delete mode 100644 
> > > meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
> > >   delete mode 100644 
> > > meta/recipes-extended/shadow/files/CVE-2023-29383.patch
> > >   delete mode 100644 
> > > meta/recipes-extended/shadow/files/CVE-2023-4641.patch
> > >   rename meta/recipes-extended/shadow/{shadow_4.13.bb =>
> > > shadow_4.14.2.bb} (100%)
> > >
> > > diff --git
> > > a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-
> > > sysroot.patch
> > > b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-
> > > sysroot.patch
> > > deleted file mode 100644
> > > index fa1532c8317..00000000000
> > > ---
> > > a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-
> > > sysroot.patch
> > > +++ /dev/null
> > > @@ -1,52 +0,0 @@
> > > -From 85d0444229ee3d14fefcf10d093f49c862826f82 Mon Sep 17 00:00:00
> > > 2001
> > > -From: Richard Purdie <richard.pur...@linuxfoundation.org>
> > > -Date: Thu, 14 Apr 2022 23:11:53 +0000
> > > -Subject: [PATCH] Disable use of syslog for shadow-native tools
> > > -
> > > -Disable use of syslog to prevent sysroot user and group additions
> > > from -writing entries to the host's syslog. This patch should only
> > > be used -with the shadow-native recipe.
> > > -
> > > -Upstream-Status: Inappropriate [OE specific configuration]
> > > -Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org>
> > > -Signed-off-by: Peter Kjellerstedt <peter.kjellerst...@axis.com>
> > > -
> > > ----
> > > - configure.ac      | 2 +-
> > > - src/login_nopam.c | 3 ++-
> > > - 2 files changed, 3 insertions(+), 2 deletions(-)
> > > -
> > > -diff --git a/configure.ac b/configure.ac -index 924254a..603af81
> > > 100644
> > > ---- a/configure.ac
> > > -+++ b/configure.ac
> > > -@@ -191,7 +191,7 @@ AC_DEFINE_UNQUOTED(PASSWD_PROGRAM, 
> > > "$shadow_cv_passwd_dir/passwd",
> > > -     [Path to passwd program.])
> > > -
> > > - dnl XXX - quick hack, should disappear before anyone notices :).
> > > --AC_DEFINE(USE_SYSLOG, 1, [Define to use syslog().])
> > > -+#AC_DEFINE(USE_SYSLOG, 1, [Define to use syslog().])
> > > - if test "$ac_cv_func_ruserok" = "yes"; then
> > > -     AC_DEFINE(RLOGIN, 1, [Define if login should support the -r flag 
> > > for rlogind.])
> > > -     AC_DEFINE(RUSEROK, 0, [Define to the ruserok() "success" return 
> > > value (0 or 1).])
> > > -diff --git a/src/login_nopam.c b/src/login_nopam.c -index
> > > df6ba88..fc24e13 100644
> > > ---- a/src/login_nopam.c
> > > -+++ b/src/login_nopam.c
> > > -@@ -29,7 +29,6 @@
> > > - #ifndef USE_PAM
> > > - #ident "$Id$"
> > > -
> > > --#include "prototypes.h"
> > > -     /*
> > > -      * This module implements a simple but effective form of login 
> > > access
> > > -      * control based on login names and on host (or domain) names, 
> > > internet
> > > -@@ -57,6 +56,8 @@
> > > - #include <netinet/in.h>
> > > - #include <arpa/inet.h>              /* for inet_ntoa() */
> > > -
> > > -+#include "prototypes.h"
> > > -+
> > > - #if !defined(MAXHOSTNAMELEN) || (MAXHOSTNAMELEN < 64)
> > > - #undef MAXHOSTNAMELEN
> > > - #define MAXHOSTNAMELEN 256
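
Review bot: The patch deleted here is marked "Upstream-Status: Inappropriate [OE specific configuration]", while the commit message drops it as "(issue fixed upstream)" without saying what changed upstream. Its stated purpose was to keep sysroot user and group additions from writing to the host's syslog, so the commit message should point to the upstream change or option in 4.14.2 that now prevents this for shadow-native and nativesdk, otherwise a reader cannot tell whether the behaviour is preserved.
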
> > > diff --git
> > > a/meta/recipes-extended/shadow/files/0001-Fix-can-not-print-full-log
> > > in.patch
> > > b/meta/recipes-extended/shadow/files/0001-Fix-can-not-print-full-log
> > > in.patch
> > > deleted file mode 100644
> > > index 89f9c05c8d3..00000000000
> > > ---
> > > a/meta/recipes-extended/shadow/files/0001-Fix-can-not-print-full-log
> > > in.patch
> > > +++ /dev/null
> > > @@ -1,41 +0,0 @@
> > > -commit 670cae834827a8f794e6f7464fa57790d911b63c
> > > -Author: SoumyaWind <121475834+soumyaw...@users.noreply.github.com>
> > > -Date:   Tue Dec 27 17:40:17 2022 +0530
> > > -
> > > -    shadow: Fix can not print full login timeout message
> > > -
> > > -    Login timed out message prints only first few bytes when write is 
> > > immediately followed by exit.
> > > -    Calling exit from new handler provides enough time to display full 
> > > message.
> > > -
> > > -Upstream-Status: Backport
> > > [https://github.com/shadow-maint/shadow/commit/670cae834827a8f794e6f
> > > 7464fa57790d911b63c]
> > > -
> > > -diff --git a/src/login.c b/src/login.c -index 116e2cb3..c55f4de0
> > > 100644
> > > ---- a/src/login.c
> > > -+++ b/src/login.c
> > > -@@ -120,6 +120,7 @@ static void get_pam_user (char **ptr_pam_user);
> > > -
> > > - static void init_env (void);
> > > - static void alarm_handler (int);
> > > -+static void exit_handler (int);
> > > -
> > > - /*
> > > -  * usage - print login command usage and exit -@@ -391,11 +392,16
> > > @@ static void init_env (void)
> > > - #endif                              /* !USE_PAM */
> > > - }
> > > -
> > > -+static void exit_handler (unused int sig) {
> > > -+    _exit (0);
> > > -+}
> > > -
> > > - static void alarm_handler (unused int sig)
> > > - {
> > > -     write (STDERR_FILENO, tmsg, strlen (tmsg));
> > > --    _exit (0);
> > > -+    signal(SIGALRM, exit_handler);
> > > -+    alarm(2);
> > > - }
> > > -
> > > - #ifdef USE_PAM
> > > diff --git
> > > a/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
> > > b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
> > > deleted file mode 100644
> > > index ac08be515bf..00000000000
> > > ---
> > > a/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
> > > +++ /dev/null
> > > @@ -1,65 +0,0 @@
> > > -From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00
> > > 2001
> > > -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
> > > <cgzo...@googlemail.com>
> > > -Date: Fri, 31 Mar 2023 14:46:50 +0200
> > > -Subject: [PATCH] Overhaul valid_field()
> > > -
> > > -e5905c4b ("Added control character check") introduced checking for
> > > -control characters but had the logic inverted, so it rejects all
> > > -characters that are not control ones.
> > > -
> > > -Cast the character to `unsigned char` before passing to the
> > > character -checking functions to avoid UB.
> > > -
> > > -Use strpbrk(3) for the illegal character test and return early.
> > > -
> > > -Upstream-Status: Backport
> > > [https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d5599
> > > 8386e4ceb4273c19eb4]
> > > -
> > > -Signed-off-by: Xiangyu Chen <xiangyu.c...@windriver.com>
> > > ----
> > > - lib/fields.c | 24 ++++++++++--------------
> > > - 1 file changed, 10 insertions(+), 14 deletions(-)
> > > -
> > > -diff --git a/lib/fields.c b/lib/fields.c -index fb51b582..53929248
> > > 100644
> > > ---- a/lib/fields.c
> > > -+++ b/lib/fields.c
> > > -@@ -37,26 +37,22 @@ int valid_field (const char *field, const char
> > > *illegal)
> > > -
> > > -     /* For each character of field, search if it appears in the list
> > > -      * of illegal characters. */
> > > -+    if (illegal && NULL != strpbrk (field, illegal)) {
> > > -+            return -1;
> > > -+    }
> > > -+
> > > -+    /* Search if there are non-printable or control characters */
> > > -     for (cp = field; '\0' != *cp; cp++) {
> > > --            if (strchr (illegal, *cp) != NULL) {
> > > -+            unsigned char c = *cp;
> > > -+            if (!isprint (c)) {
> > > -+                    err = 1;
> > > -+            }
> > > -+            if (iscntrl (c)) {
> > > -                     err = -1;
> > > -                     break;
> > > -             }
> > > -     }
> > > -
> > > --    if (0 == err) {
> > > --            /* Search if there are non-printable or control characters 
> > > */
> > > --            for (cp = field; '\0' != *cp; cp++) {
> > > --                    if (!isprint (*cp)) {
> > > --                            err = 1;
> > > --                    }
> > > --                    if (!iscntrl (*cp)) {
> > > --                            err = -1;
> > > --                            break;
> > > --                    }
> > > --            }
> > > --    }
> > > --
> > > -     return err;
> > > - }
> > > -
> > > ---
> > > -2.34.1
> > > -
> > > diff --git a/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
> > > b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
> > > deleted file mode 100644
> > > index f53341d3fc2..00000000000
> > > --- a/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
> > > +++ /dev/null
> > > @@ -1,53 +0,0 @@
> > > -From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00
> > > 2001
> > > -From: tomspiderlabs
> > > <128755403+tomspiderl...@users.noreply.github.com>
> > > -Date: Thu, 23 Mar 2023 23:39:38 +0000
> > > -Subject: [PATCH] Added control character check
> > > -
> > > -Added control character check, returning -1 (to "err") if control 
> > > characters are present.
> > > -
> > > -CVE: CVE-2023-29383
> > > -Upstream-Status: Backport
> > > -
> > > -Reference to upstream:
> > > -https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd
> > > 96ee618411ebfac663d
> > > -
> > > -Signed-off-by: Xiangyu Chen <xiangyu.c...@windriver.com>
> > > ----
> > > - lib/fields.c | 11 +++++++----
> > > - 1 file changed, 7 insertions(+), 4 deletions(-)
> > > -
> > > -diff --git a/lib/fields.c b/lib/fields.c -index 640be931..fb51b582
> > > 100644
> > > ---- a/lib/fields.c
> > > -+++ b/lib/fields.c
> > > -@@ -21,9 +21,9 @@
> > > -  *
> > > -  * The supplied field is scanned for non-printable and other
> > > illegal
> > > -  * characters.
> > > -- *  + -1 is returned if an illegal character is present.
> > > -- *  +  1 is returned if no illegal characters are present, but the field
> > > -- *       contains a non-printable character.
> > > -+ *  + -1 is returned if an illegal or control character is present.
> > > -+ *  +  1 is returned if no illegal or control characters are present,
> > > -+ *       but the field contains a non-printable character.
> > > -  *  +  0 is returned otherwise.
> > > -  */
> > > - int valid_field (const char *field, const char *illegal) -@@
> > > -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal)
> > > -     }
> > > -
> > > -     if (0 == err) {
> > > --            /* Search if there are some non-printable characters */
> > > -+            /* Search if there are non-printable or control
> > > -+ characters */
> > > -             for (cp = field; '\0' != *cp; cp++) {
> > > -                     if (!isprint (*cp)) {
> > > -                             err = 1;
> > > -+                    }
> > > -+                    if (!iscntrl (*cp)) {
> > > -+                            err = -1;
> > > -                             break;
> > > -                     }
> > > -             }
> > > ---
> > > -2.34.1
> > > -
> > > diff --git a/meta/recipes-extended/shadow/files/CVE-2023-4641.patch
> > > b/meta/recipes-extended/shadow/files/CVE-2023-4641.patch
> > > deleted file mode 100644
> > > index 1fabfe928e4..00000000000
> > > --- a/meta/recipes-extended/shadow/files/CVE-2023-4641.patch
> > > +++ /dev/null
> > > @@ -1,147 +0,0 @@
> > > -From 25dbe2ce166a13322b7536ff2f738786ea2e61e7 Mon Sep 17 00:00:00
> > > 2001
> > > -From: Alejandro Colomar <a...@kernel.org>
> > > -Date: Sat, 10 Jun 2023 16:20:05 +0200
> > > -Subject: [PATCH] gpasswd(1): Fix password leak
> > > -
> > > -How to trigger this password leak?
> > > -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > -
> > > -When gpasswd(1) asks for the new password, it asks twice (as is
> > > usual -for confirming the new password).  Each of those 2 password
> > > prompts -uses agetpass() to get the password.  If the second
> > > agetpass() fails, -the first password, which has been copied into
> > > the 'static' buffer -'pass' via STRFCPY(), wasn't being zeroed.
> > > -
> > > -agetpass() is defined in <./libmisc/agetpass.c> (around line 91),
> > > and -can fail for any of the following reasons:
> > > -
> > > --  malloc(3) or readpassphrase(3) failure.
> > > -
> > > -   These are going to be difficult to trigger.  Maybe getting the system
> > > -   to the limits of memory utilization at that exact point, so that the
> > > -   next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
> > > -   About readpassphrase(3), ENFILE and EINTR seem the only plausible
> > > -   ones, and EINTR probably requires privilege or being the same user;
> > > -   but I wouldn't discard ENFILE so easily, if a process starts opening
> > > -   files.
> > > -
> > > --  The password is longer than PASS_MAX.
> > > -
> > > -   The is plausible with physical access.  However, at that point, a
> > > -   keylogger will be a much simpler attack.
> > > -
> > > -And, the attacker must be able to know when the second password is
> > > being -introduced, which is not going to be easy.
> > > -
> > > -How to read the password after the leak?
> > > -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > -
> > > -Provoking the leak yourself at the right point by entering a very
> > > long -password is easy, and inspecting the process stack at that
> > > point should -be doable.  Try to find some consistent patterns.
> > > -
> > > -Then, search for those patterns in free memory, right after the
> > > victim -leaks their password.
> > > -
> > > -Once you get the leak, a program should read all the free memory
> > > -searching for patterns that gpasswd(1) leaves nearby the leaked
> > > -password.
> > > -
> > > -On 6/10/23 03:14, Seth Arnold wrote:
> > > -> An attacker process wouldn't be able to use malloc(3) for this task.
> > > -> There's a handful of tools available for userspace to allocate memory:
> > > ->
> > > -> -  brk / sbrk
> > > -> -  mmap MAP_ANONYMOUS
> > > -> -  mmap /dev/zero
> > > -> -  mmap some other file
> > > -> -  shm_open
> > > -> -  shmget
> > > ->
> > > -> Most of these return only pages of zeros to a process.  Using
> > > -> mmap of an existing file, you can get some of the contents of the
> > > -> file demand-loaded into the memory space on the first use.
> > > ->
> > > -> The MAP_UNINITIALIZED flag only works if the kernel was compiled
> > > -> with CONFIG_MMAP_ALLOW_UNINITIALIZED.  This is rare.
> > > ->
> > > -> malloc(3) doesn't zero memory, to our collective frustration, but
> > > -> all the garbage in the allocations is from previous allocations
> > > -> in the current process.  It isn't leftover from other processes.
> > > ->
> > > -> The avenues available for reading the memory:
> > > -> -  /dev/mem and /dev/kmem (requires root, not available with
> > > -> Secure Boot)
> > > -> -  /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
> > > -> -  ptrace (requires ptrace privileges, mediated by YAMA)
> > > -> -  causing memory to be swapped to disk, and then inspecting the
> > > -> swap
> > > ->
> > > -> These all require a certain amount of privileges.
> > > -
> > > -How to fix it?
> > > -~~~~~~~~~~~~~~
> > > -
> > > -memzero(), which internally calls explicit_bzero(3), or whatever
> > > -alternative the system provides with a slightly different name,
> > > will -make sure that the buffer is zeroed in memory, and
> > > optimizations are not -allowed to impede this zeroing.
> > > -
> > > -This is not really 100% effective, since compilers may place copies
> > > of -the string somewhere hidden in the stack.  Those copies won't
> > > get zeroed -by explicit_bzero(3).  However, that's arguably a
> > > compiler bug, since -compilers should make everything possible to
> > > avoid optimizing strings -that are later passed to
> > > explicit_bzero(3).  But we all know that -sometimes it's impossible
> > > to have perfect knowledge in the compiler, so -this is plausible.
> > > Nevertheless, there's nothing we can do against such -issues, except
> > > minimizing the time such passwords are stored in plain -text.
> > > -
> > > -Security concerns
> > > -~~~~~~~~~~~~~~~~~
> > > -
> > > -We believe this isn't easy to exploit.  Nevertheless, and since the
> > > fix -is trivial, this fix should probably be applied soon, and
> > > backported to -all supported distributions, to prevent someone else
> > > having more -imagination than us to find a way.
> > > -
> > > -Affected versions
> > > -~~~~~~~~~~~~~~~~~
> > > -
> > > -All.  Bug introduced in shadow 19990709.  That's the second commit
> > > in -the git history.
> > > -
> > > -Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream
> > > version, shadow (19990709)")
> > > -
> > > -CVE: CVE-2023-4641
> > > -Upstream-Status: Backport
> > > [https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90
> > > c0abda3e839e9c57904]
> > > -
> > > -Reported-by: Alejandro Colomar <a...@kernel.org>
> > > -Cc: Serge Hallyn <se...@hallyn.com>
> > > -Cc: Iker Pedrosa <ipedr...@redhat.com>
> > > -Cc: Seth Arnold <seth.arn...@canonical.com>
> > > -Cc: Christian Brauner <christ...@brauner.io>
> > > -Cc: Balint Reczey <rbal...@debian.org>
> > > -Cc: Sam James <s...@gentoo.org>
> > > -Cc: David Runge <dv...@archlinux.org>
> > > -Cc: Andreas Jaeger <a...@suse.de>
> > > -Cc: <~hallyn/sha...@lists.sr.ht>
> > > -Signed-off-by: Alejandro Colomar <a...@kernel.org>
> > > -Signed-off-by: Xiangyu Chen <xiangyu.c...@windriver.com>
> > > ----
> > > - src/gpasswd.c | 1 +
> > > - 1 file changed, 1 insertion(+)
> > > -
> > > -diff --git a/src/gpasswd.c b/src/gpasswd.c -index
> > > 5983f787..2d8869ef 100644
> > > ---- a/src/gpasswd.c
> > > -+++ b/src/gpasswd.c
> > > -@@ -896,6 +896,7 @@ static void change_passwd (struct group *gr)
> > > -             strzero (cp);
> > > -             cp = getpass (_("Re-enter new password: "));
> > > -             if (NULL == cp) {
> > > -+                    memzero (pass, sizeof pass);
> > > -                     exit (1);
> > > -             }
> > > -
> > > ---
> > > -2.34.1
> > > -
> > > diff --git
> > > a/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-
> > > failure-in-chroot-env.patch
> > > b/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-
> > > failure-in-chroot-env.patch index 85d91751056..4a932d2dbb1 100644
> > > ---
> > > a/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-
> > > failure-in-chroot-env.patch
> > > +++ b/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-o
> > > +++ pen-failure-in-chroot-env.patch
> > > @@ -1,4 +1,4 @@
> > > -From 21583da072aa66901d859ac00ce209bac87ddecc Mon Sep 17 00:00:00
> > > 2001
> > > +From a773c6b240d27e23d6be41decef0edf24fcee523 Mon Sep 17 00:00:00
> > > +2001
> > >   From: Chen Qi <qi.c...@windriver.com>
> > >   Date: Thu, 17 Jul 2014 15:53:34 +0800
> > >   Subject: [PATCH]
> > > commonio.c-fix-unexpected-open-failure-in-chroot-env
> > > @@ -15,35 +15,37 @@ Note that this patch doesn't change the logic in the 
> > > code, it just expands
> > >   the codes.
> > >
> > >   Signed-off-by: Chen Qi <qi.c...@windriver.com>
> > > -
> > >   ---
> > >    lib/commonio.c | 16 ++++++++++++----
> > >    1 file changed, 12 insertions(+), 4 deletions(-)
> > >
> > >   diff --git a/lib/commonio.c b/lib/commonio.c -index
> > > 9a02ce1..61384ec 100644
> > > +index 73fdb3a..d1231e9 100644
> > >   --- a/lib/commonio.c
> > >   +++ b/lib/commonio.c
> > > -@@ -616,10 +616,18 @@ int commonio_open (struct commonio_db *db,
> > > int mode)
> > > +@@ -606,10 +606,18 @@ int commonio_open (struct commonio_db *db,
> > > +int mode)
> > >       db->cursor = NULL;
> > >       db->changed = false;
> > >
> > >   -   fd = open (db->filename,
> > >   -                (db->readonly ? O_RDONLY : O_RDWR)
> > > --               | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
> > > +-               | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC);
> > >   -   saved_errno = errno;
> > >   +   if (db->readonly) {
> > >   +           fd = open (db->filename,
> > >   +                      (true ? O_RDONLY : O_RDWR)
> > > -+                       | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
> > > ++                       | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW |
> > > ++ O_CLOEXEC);
> > >   +           saved_errno = errno;
> > >   +   } else {
> > >   +           fd = open (db->filename,
> > >   +                      (false ? O_RDONLY : O_RDWR)
> > > -+                       | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
> > > ++                       | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW|
> > > ++ O_CLOEXEC);
> > >   +           saved_errno = errno;
> > >   +   }
> > >   +
> > >       db->fp = NULL;
> > >       if (fd >= 0) {
> > >    #ifdef WITH_TCB
> > > +--
> > > +2.30.2
> > > +
> > > diff --git a/meta/recipes-extended/shadow/shadow.inc
> > > b/meta/recipes-extended/shadow/shadow.inc
> > > index ce3ce627156..c024746d4ff 100644
> > > --- a/meta/recipes-extended/shadow/shadow.inc
> > > +++ b/meta/recipes-extended/shadow/shadow.inc
> > > @@ -5,7 +5,7 @@ BUGTRACKER = 
> > > "http://github.com/shadow-maint/shadow/issues";
> > >   SECTION = "base/utils"
> > >   LICENSE = "BSD-3-Clause"
> > >   LIC_FILES_CHKSUM = "file://COPYING;md5=c9a450b7be84eac23e6353efecb60b5b 
> > > \
> > > -                    
> > > file://src/passwd.c;beginline=2;endline=30;md5=758c26751513b6795395275969dd3be1
> > >  \
> > > +
> > > + file://src/passwd.c;beginline=2;endline=7;md5=67bcf314687820b2f010
> > > + d4863fce3fc5 \
> > >                       "
> > >
> > >   DEPENDS = "virtual/crypt"
> > > @@ -14,10 +14,6 @@ GITHUB_BASE_URI = 
> > > "https://github.com/shadow-maint/shadow/releases";
> > >   SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.gz \
> > >              ${@bb.utils.contains('PACKAGECONFIG', 'pam', 
> > > '${PAM_SRC_URI}', '', d)} \
> > >              file://useradd \
> > > -        file://0001-Fix-can-not-print-full-login.patch \
> > > -           file://CVE-2023-29383.patch \
> > > -           file://0001-Overhaul-valid_field.patch \
> > > -           file://CVE-2023-4641.patch \
> > >              "
> > >
> > >   SRC_URI:append:class-target = " \
> > > @@ -26,14 +22,9 @@ SRC_URI:append:class-target = " \
> > >              "
> > >
> > >   SRC_URI:append:class-native = " \
> > > -           file://0001-Disable-use-of-syslog-for-sysroot.patch \
> > >              
> > > file://commonio.c-fix-unexpected-open-failure-in-chroot-env.patch \
> > >              "
> > > -SRC_URI:append:class-nativesdk = " \
> > > -           file://0001-Disable-use-of-syslog-for-sysroot.patch \
> > > -           "
> > > -SRC_URI[sha256sum] = 
> > > "813057047499c7fe81108adcf0cffa3ad4ec75e19a80151f9cbaa458ff2e86cd"
> > > -
> > > +SRC_URI[sha256sum] = 
> > > "a305edf5d19bddbdf5e836d2d609fa8bff2d35458819de4d9f06306a1cf24342"
> > >
> > >   # Additional Policy files for PAM
> > >   PAM_SRC_URI = "file://pam.d/chfn \ @@ -44,7 +35,7 @@ PAM_SRC_URI =
> > > "file://pam.d/chfn \
> > >                  file://pam.d/passwd \
> > >                  file://pam.d/su"
> > >
> > > -inherit autotools gettext github-releases
> > > +inherit autotools gettext github-releases pkgconfig
> > >
> > >   export CONFIG_SHELL="/bin/sh"
> > >
> > > @@ -54,6 +45,8 @@ EXTRA_OECONF += "--without-libcrack \
> > >                    --without-sssd \
> > >                    ${NSCDOPT}"
> > >
> > > +CFLAGS:append:libc-musl = " -DLIBBSD_OVERLAY"
> > > +
> > >   NSCDOPT = ""
> > >   NSCDOPT:class-native = "--without-nscd"
> > >   NSCDOPT:class-nativesdk = "--without-nscd"
> > > @@ -73,13 +66,14 @@ PAM_PLUGINS = "libpam-runtime \
> > >
> > >   PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \
> > >                      ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 
> > > 'attr', '', d)}"
> > > -PACKAGECONFIG:class-native ??= "${@bb.utils.contains('DISTRO_FEATURES', 
> > > 'xattr', 'attr', '', d)}"
> > > +PACKAGECONFIG:class-native ??= "${@bb.utils.contains('DISTRO_FEATURES', 
> > > 'xattr', 'attr', '', d)} libbsd"
> > >   PACKAGECONFIG:class-nativesdk = ""
> > >   PACKAGECONFIG[pam] = 
> > > "--with-libpam,--without-libpam,libpam,${PAM_PLUGINS}"
> > >   PACKAGECONFIG[attr] = "--with-attr,--without-attr,attr"
> > >   PACKAGECONFIG[acl] = "--with-acl,--without-acl,acl"
> > >   PACKAGECONFIG[audit] = "--with-audit,--without-audit,audit"
> > >   PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux 
> > > libsemanage"
> > > +PACKAGECONFIG[libbsd] = "--with-libbsd,--without-libbsd,libbsd"
> > >
> > >   RDEPENDS:${PN} = "shadow-securetty \
> > >                     base-passwd \
> > > diff --git a/meta/recipes-extended/shadow/shadow_4.13.bb
> > > b/meta/recipes-extended/shadow/shadow_4.14.2.bb
> > > similarity index 100%
> > > rename from meta/recipes-extended/shadow/shadow_4.13.bb
> > > rename to meta/recipes-extended/shadow/shadow_4.14.2.bb
> > >
> > > 
> > >
> >