Git-Url: http://git.frugalware.org/gitweb/gitweb.cgi?p=multilib.git;a=commitdiff;h=9944fbfd8f4e278232435bca729b8db946a52fcb
commit 9944fbfd8f4e278232435bca729b8db946a52fcb
Author: crazy <[email protected]>
Date: Wed Jan 31 00:47:30 2018 +0100
util-linux-2.31.1-5-x86_64 * rebuild * drop old patch
diff --git a/source/base/util-linux/CVE-2016-2779.patch b/source/base/util-linux/CVE-2016-2779.patch
deleted file mode 100644
index abe9dea..0000000
--- a/source/base/util-linux/CVE-2016-2779.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From 8e4925016875c6a4f2ab4f833ba66f0fc57396a2 Mon Sep 17 00:00:00 2001
-From: Karel Zak <[email protected]>
-Date: Thu, 29 Sep 2016 16:32:33 +0200
-Subject: su,runuser: add libseccomp based workaround for TIOCSTI ioctl
-
-This patch add libseccomp based syscalls filter to disable TIOCSTI
-ioctl in su/runuser children.
-
-IMHO it is not elegant solution due to dependence on libseccomp
-(--without-seccomp if hate it)... but there is nothing better for now.
-
-Addresses: CVE-2016-2779
-Signed-off-by: Karel Zak <[email protected]>
----
- configure.ac | 16 ++++++++++++++++
- login-utils/Makemodule.am | 7 ++++---
- login-utils/su-common.c | 20 ++++++++++++++++++++
- 3 files changed, 40 insertions(+), 3 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 680f5b6..6346865 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1691,6 +1691,22 @@ AS_IF([test "x$with_user" != xno], [
- ])
- AM_CONDITIONAL([HAVE_USER], [test "x$have_user" = xyes])
-
-+
-+AC_ARG_WITH([libseccomp], AS_HELP_STRING([--without-seccomp], [compile without libseccomp]),
-+ [], [with_seccomp=check]
-+)
-+have_seccomp=no
-+AS_IF([test "x$with_seccomp" != xno], [
-+ PKG_CHECK_MODULES(SECCOMP,[libseccomp], [have_seccomp=yes], [have_seccomp=no])
-+ AS_CASE([$with_seccomp:$have_seccomp],
-+ [yes:no],
-+ [AC_MSG_ERROR([seccomp selected but libseccomp not found])],
-+ [*:yes],
-+ [AC_DEFINE([HAVE_LIBSECCOMP], [1], [Define if libseccomp is available])]
-+ )
-+])
-+
-+
- AC_ARG_ENABLE([chfn-chsh-password],
- AS_HELP_STRING([--disable-chfn-chsh-password], [do not require the user to enter the password in chfn and chsh]),
- [], [enable_chfn_chsh_password=yes]
-diff --git a/login-utils/Makemodule.am b/login-utils/Makemodule.am
-index be07ace..12f27e1 100644
---- a/login-utils/Makemodule.am
-+++ b/login-utils/Makemodule.am
-@@ -140,9 +140,9 @@ su_SOURCES = \
- login-utils/su-common.h \
- login-utils/logindefs.c \
- login-utils/logindefs.h
--su_CFLAGS = $(SUID_CFLAGS) $(AM_CFLAGS)
-+su_CFLAGS = $(SUID_CFLAGS) $(AM_CFLAGS) $(SECCOMP_CFLAGS)
- su_LDFLAGS = $(SUID_LDFLAGS) $(AM_LDFLAGS)
--su_LDADD = $(LDADD) libcommon.la -lpam
-+su_LDADD = $(LDADD) libcommon.la -lpam $(SECCOMP_LIBS)
- if HAVE_LINUXPAM
- su_LDADD += -lpam_misc
- endif
-@@ -158,7 +158,8 @@ runuser_SOURCES = \
- login-utils/su-common.h \
- login-utils/logindefs.c \
- login-utils/logindefs.h
--runuser_LDADD = $(LDADD) libcommon.la -lpam
-+runuser_LDADD = $(LDADD) libcommon.la -lpam $(SECCOMP_LIBS)
-+runuser_CFLAGS = $(AM_CFLAGS) $(SECCOMP_CFLAGS)
- if HAVE_LINUXPAM
- runuser_LDADD += -lpam_misc
- endif
-diff --git a/login-utils/su-common.c b/login-utils/su-common.c
-index ff20a2f..5ab2a1a 100644
---- a/login-utils/su-common.c
-+++ b/login-utils/su-common.c
-@@ -59,6 +59,9 @@ enum
- #include <sys/wait.h>
- #include <syslog.h>
- #include <utmp.h>
-+#ifdef HAVE_LIBSECCOMP
-+# include <seccomp.h>
-+#endif
-
- #include "err.h"
-
-@@ -674,6 +677,21 @@ restricted_shell (const char *shell)
- return true;
- }
-
-+static void disable_tty_hijack(void)
-+{
-+#ifdef HAVE_LIBSECCOMP
-+ scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
-+ if (!ctx)
-+ err(EXIT_FAILURE, _("failed to initialize seccomp context"));
-+ if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(ioctl), 1,
-+ SCMP_A1(SCMP_CMP_EQ, (int)TIOCSTI)) < 0)
-+ err(EXIT_FAILURE, _("failed to add seccomp rule"));
-+ if (seccomp_load(ctx) < 0)
-+ err(EXIT_FAILURE, _("failed to load seccomp rule"));
-+ seccomp_release(ctx);
-+#endif /* HAVE_LIBSECCOMP */
-+}
-+
- static void __attribute__((__noreturn__))
- usage (int status)
- {
-@@ -970,6 +988,8 @@ su_main (int argc, char **argv, int mode)
- change_identity (pw);
- if (!same_session)
- setsid ();
-+ else
-+ disable_tty_hijack();
-
- /* Set environment after pam_open_session, which may put KRB5CCNAME
- into the pam_env, etc. */
---
-cgit v0.12
-
diff --git a/source/base/util-linux/FrugalBuild b/source/base/util-linux/FrugalBuild
index b3edd38..9a60648 100644
--- a/source/base/util-linux/FrugalBuild
+++ b/source/base/util-linux/FrugalBuild
@@ -4,7 +4,7 @@
 pkgname=util-linux
 pkgver=2.31.1
-pkgrel=4
+pkgrel=5
 pkgdesc="Miscellaneous system utilities for Linux"
 url="http://www.kernel.org/pub/linux/utils/util-linux/"
 backup=('etc/sysconfig/numlock')
_______________________________________________ Frugalware-git mailing list [email protected] http://frugalware.org/mailman/listinfo/frugalware-git
