Compare commits
11 Commits
28de666583
...
74dc5c1b16
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
74dc5c1b16 | ||
|
|
2230917672 | ||
|
|
9572e4a3ef | ||
|
|
8ffdecd180 | ||
|
|
a6cda3857d | ||
|
|
14d9f82135 | ||
|
|
2a19bb8f33 | ||
|
|
7ab8c02632 | ||
|
|
f65a21afde | ||
|
|
286571f20a | ||
|
|
96e9e3c621 |
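--- /dev/null
+++ b/backport-Stop-using-_pam_overwrite-in-pam_cap.c.patch
@@ -0,0 +1,45 @@
+From ee20d385ef319f8523f1debc49f375c8eff257a6 Mon Sep 17 00:00:00 2001
+From: "Andrew G. Morgan" <morgan@kernel.org>
+Date: Fri, 22 Dec 2023 06:37:02 -0800
+Subject: Stop using _pam_overwrite() in pam_cap.c.
+
+It looks like the Linux-PAM folk have deprecated this macro. Compiler optimization
+is hard to account for: apparently this explicit deletion is no longer
+guaranteed to work. This function was marked deprecated in v1.5.3 of Linux-PAM.
+
+I've replaced its use with memset(). I'm not convinced that that will be honored
+either, but remain hopeful and prefer to leave the code explicit in its intent
+without a deprecation warning messing up the build log. Should some compiler
+optimize it away and it leads to an exploit of some sort, it can be revealed as
+a compilation bug.
+
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+---
+pam_cap/pam_cap.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
+index b9419cb..3fe3b8c 100644
+--- a/pam_cap/pam_cap.c
++++ b/pam_cap/pam_cap.c
+@@ -199,7 +199,7 @@ defer:
+int i;
+for (i = 0; i < groups_n; i++) {
+char *g = groups[i];
+- _pam_overwrite(g);
++ memset(g, 0, strlen(g));
+_pam_drop(g);
+}
+if (groups != NULL) {
+@@ -440,7 +440,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
+small race associated with a redundant read of the
+config. */
+
+- _pam_overwrite(conf_caps);
++ memset(conf_caps, 0, strlen(conf_caps));
+_pam_drop(conf_caps);
+
+return PAM_SUCCESS;
+--
+cgit 1.2.3-korg
+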
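Review bot: `memset(g, 0, strlen(g));` immediately followed by `_pam_drop(g);` is the dead-store pattern an optimizer is entitled to drop, so the backported change records intent but does not guarantee the group names are scrubbed before free; the second hunk (`memset(conf_caps, 0, strlen(conf_caps));`) has the same weakness, and the upstream message itself concedes it. If the distribution wants the scrub to hold, a small follow-up patch could use `explicit_bzero(g, strlen(g));` and `explicit_bzero(conf_caps, strlen(conf_caps));` (glibc) in those two places while leaving the upstream patch untouched. Separately, if `_pam_overwrite` tolerated a NULL argument, as its Linux-PAM definition does to my knowledge, the replacement does not, because `strlen(NULL)` is undefined; it is worth confirming that `groups[i]` and `conf_caps` are never NULL on these paths. The enclosing functions start outside the hunks.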
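--- /dev/null
+++ b/backport-getpcaps-fix-program-name-in-help-message.patch
@@ -0,0 +1,27 @@
+From 17c5e89521fd0455a8f18563eb37e5ddbc7d34cb Mon Sep 17 00:00:00 2001
+From: Jakub Wilk <jwilk@jwilk.net>
+Date: Mon, 29 Jan 2024 11:33:40 +0100
+Subject: getpcaps: fix program name in help message
+
+Signed-off-by: Jakub Wilk <jwilk@jwilk.net>
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+---
+progs/getpcaps.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/progs/getpcaps.c b/progs/getpcaps.c
+index 7e14c36..b4cbda8 100644
+--- a/progs/getpcaps.c
++++ b/progs/getpcaps.c
+@@ -14,7 +14,7 @@
+static void usage(int code)
+{
+fprintf(stderr,
+-"usage: getcaps [opts] <pid> [<pid> ...]\n\n"
++"usage: getpcaps [opts] <pid> [<pid> ...]\n\n"
+" This program displays the capabilities on the queried process(es).\n"
+" The capabilities are displayed in the cap_from_text(3) format.\n"
+"\n"
+--
+cgit 1.2.3-korg
+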
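--- /dev/null
+++ b/backport-libcap-Ensure-the-XATTR_NAME_CAPS-is-define.patch
@@ -0,0 +1,38 @@
+From 41997af6891658ab511c014e20f7846945c11742 Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Mon, 9 Aug 2021 17:32:20 +0800
+Subject: [PATCH] [Backport] libcap: Ensure the XATTR_NAME_CAPS is defined when
+it is used
+
+VFS_CAP_U32 can not ensure that XATTR_NAME_CAPS is defined, and failed to build
+libcap-native in old release, like CentOS release 6.7 (Final), with the blow
+error:
+cap_file.c: In function ‘cap_get_fd’:
+cap_file.c:199: error: ‘XATTR_NAME_CAPS’ undeclared (first use in this function)
+cap_file.c:199: error: (Each undeclared identifier is reported only once
+Reference: http://cgit.openembedded.org/openembedded-core/tree/meta/recipes-support/libcap/files/0001-ensure-the-XATTR_NAME_CAPS-is-defined-when-it-is-use.patch
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: lichi <lichi7@huawei.com>
+Signed-off-by: luchangkun <luchangkun@h-partners.com>
+Signed-off-by: huangyaojun <huangyaojun@huawei.com>
+---
+libcap/cap_file.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libcap/cap_file.c b/libcap/cap_file.c
+index 4178705..1e6a28e 100644
+--- a/libcap/cap_file.c
++++ b/libcap/cap_file.c
+@@ -45,7 +45,7 @@ extern int fremovexattr(int, const char *);
+
+#include "libcap.h"
+
+-#ifdef VFS_CAP_U32
++#if defined (VFS_CAP_U32) && defined (XATTR_NAME_CAPS)
+
+#if VFS_CAP_U32 != __CAP_BLKS
+# error VFS representation of capabilities is not the same size as kernel
+--
+2.27.0
+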
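Review bot: The widened guard `#if defined (VFS_CAP_U32) && defined (XATTR_NAME_CAPS)` turns a missing `XATTR_NAME_CAPS` from a hard build error into a silent configuration choice: on headers that lack the macro, everything the conditional encloses is compiled out with no diagnostic, and the rest of that conditional is outside the hunk. The quoted error is in cap_get_fd, so the guarded region presumably holds the file-capability xattr code, and a build that quietly loses it would ship setcap/getcap binaries that fail only at runtime, which is harder to notice than the original compile failure. Consider pairing the guard with `#warning XATTR_NAME_CAPS not defined; file capability support disabled` on the corresponding `#else` so the condition is visible in the build log. The patch dates from 2021 and targets CentOS 6 headers, so it is worth confirming it is still needed for the 2.69 build before carrying it forward.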
Binary file not shown.
BIN
libcap-2.69.tar.gz
Normal file
BIN
libcap-2.69.tar.gz
Normal file
Binary file not shown.
27
libcap.spec
27
libcap.spec
@ -1,12 +1,16 @@
|
||||
Name: libcap
|
||||
Version: 2.66
|
||||
Release: 1
|
||||
Version: 2.69
|
||||
Release: 3
|
||||
Summary: A library for getting and setting POSIX.1e draft 15 capabilities
|
||||
License: GPLv2
|
||||
URL: https://sites.google.com/site/fullycapable
|
||||
Source0: https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/%{name}-%{version}.tar.gz
|
||||
|
||||
Patch0: libcap-buildflags.patch
|
||||
Patch1: backport-libcap-Ensure-the-XATTR_NAME_CAPS-is-define.patch
|
||||
Patch2: support-specify-cc.patch
|
||||
Patch3: backport-getpcaps-fix-program-name-in-help-message.patch
|
||||
Patch4: backport-Stop-using-_pam_overwrite-in-pam_cap.c.patch
|
||||
|
||||
BuildRequires: libattr-devel pam-devel perl-interpreter gcc
|
||||
|
||||
@ -51,7 +55,6 @@ chmod +x %{buildroot}/%{_libdir}/*.so.*
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
%license License
|
||||
%doc doc/capability.notes
|
||||
%{_libdir}/*.so.*
|
||||
%{_sbindir}/*
|
||||
%{_libdir}/security/pam_cap.so
|
||||
@ -70,6 +73,24 @@ chmod +x %{buildroot}/%{_libdir}/*.so.*
|
||||
%{_mandir}/man8/*.gz
|
||||
|
||||
%changelog
|
||||
* Wed Mar 27 2024 yanglongkang <yanglongkang@h-partners.com> - 2.69-3
|
||||
- backport upstream patches:
|
||||
getpcaps: fix program name in help message
|
||||
Stop using _pam_overwrite() in pam_cap.c
|
||||
|
||||
|
||||
* Sun Apr 16 2023 jammyjellyfish <jammyjellyfish255@outlook.com> - 2.69-2
|
||||
- Support specify CC
|
||||
|
||||
* Thu Jul 20 2023 wangyunjia <yunjia.wang@huawei.com> - 2.69-1
|
||||
- update version to 2.69
|
||||
|
||||
* Mon Jul 3 2023 wangyunjia <yunjia.wang@huawei.com> - 2.66-3
|
||||
- VFS_CAP_U32 can not ensure that XATTR_NAME_CAPS is defined, and failed to build
|
||||
|
||||
* Mon Jan 30 2023 wangyunjia <yunjia.wang@huawei.com> - 2.66-2
|
||||
- fix CVE-2023-2602/CVE-2023-2603 && fix memory leaks
|
||||
|
||||
* Mon Jan 30 2023 wangyunjia <yunjia.wang@huawei.com> - 2.66-1
|
||||
- update version to 2.66
|
||||
|
||||
|
||||
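Review bot: The %changelog entries added in the last hunk are not in descending date order: `* Sun Apr 16 2023 jammyjellyfish <jammyjellyfish255@outlook.com> - 2.69-2` sits above `* Thu Jul 20 2023 wangyunjia <yunjia.wang@huawei.com> - 2.69-1`, and the 2.66-3 entry (`Mon Jul 3 2023`) is also later than the 2.69-2 date; rpmbuild warns about a changelog that is not in descending chronological order, and the release history becomes hard to audit. The 2.69-2 entry should carry the date the change was actually made, which from the sequence must be after Jul 20 2023. In the first hunk the patch list grows to `Patch4:` while the %prep section is outside the visible hunks, so it is worth confirming that the new patches are actually applied there (for example by `%autosetup -p1` or explicit `%patch` lines).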
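--- /dev/null
+++ b/support-specify-cc.patch
@@ -0,0 +1,12 @@
+diff -up libcap-2.66/Make.Rules.orig2 libcap-2.66/Make.Rules
+--- libcap-2.66/Make.Rules.orig2 2023-04-16 17:46:55.922279005 +0800
++++ libcap-2.66/Make.Rules 2023-04-16 17:46:13.518097014 +0800
+@@ -66,7 +66,7 @@ DEFINES := -D_LARGEFILE64_SOURCE -D_FILE
+SYSTEM_HEADERS = /usr/include
+
+SUDO := sudo
+-CC := $(CROSS_COMPILE)gcc
++CC ?= $(CROSS_COMPILE)gcc
+LD := $(CC) -Wl,-x -shared
+AR := $(CROSS_COMPILE)ar
+RANLIB := $(CROSS_COMPILE)ranlib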
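Review bot: `CC ?= $(CROSS_COMPILE)gcc` does not do what the patch intends under GNU make: `CC` already has a built-in default value (`cc`, origin `default`), and `?=` assigns only when the variable is undefined, so the line never fires and the `$(CROSS_COMPILE)` prefix is lost unless the caller passes `CC` explicitly. To keep the upstream default while still honouring a `CC` given on the command line or in the environment, test the origin instead: `ifeq ($(origin CC),default)` / `CC := $(CROSS_COMPILE)gcc` / `endif`. The change is harmless only as long as the spec always passes `CC=` to make, which the visible hunks of the spec do not show.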