author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2012-07-25 17:30:01 -0400 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2012-07-25 23:18:40 -0400 |
commit | 732ea6382ae159971c1ce23352555f7b8f6fbe87 (patch) | |
tree | dfac18763131c3b3aedd0ced4ed5d503128a5d2e /pkgs/os-specific/linux/shadow | |
parent | d3fb3157d125cdf9ca107d36b632c84060c32e6e (diff) |
shadow: Update to 4.1.5.1
Fixes CVE-2005-4890 and CVE-2011-0721.
Diffstat (limited to 'pkgs/os-specific/linux/shadow')
-rw-r--r-- | pkgs/os-specific/linux/shadow/default.nix | 16 | ||||
-rw-r--r-- | pkgs/os-specific/linux/shadow/keep-path.patch | 21 | ||||
-rw-r--r-- | pkgs/os-specific/linux/shadow/no-sanitize-env.patch | 16 | ||||
-rw-r--r-- | pkgs/os-specific/linux/shadow/su-name.patch | 20 |
4 files changed, 19 insertions, 54 deletions
diff --git a/pkgs/os-specific/linux/shadow/default.nix b/pkgs/os-specific/linux/shadow/default.nix index f14b249d5144f..e673a7e30881e 100644 --- a/pkgs/os-specific/linux/shadow/default.nix +++ b/pkgs/os-specific/linux/shadow/default.nix @@ -1,21 +1,25 @@ { stdenv, fetchurl, pam ? null, glibcCross ? null }: let - glibc = if stdenv ? cross - then glibcCross - else assert stdenv ? glibc; stdenv.glibc; + + glibc = + if stdenv ? cross + then glibcCross + else assert stdenv ? glibc; stdenv.glibc; + in + stdenv.mkDerivation rec { - name = "shadow-4.1.4.2"; + name = "shadow-4.1.5.1"; src = fetchurl { url = "http://pkg-shadow.alioth.debian.org/releases/${name}.tar.bz2"; - sha256 = "1449ny7pdnwkavg92wvibapnkgdq5pas38nvl1m5xa37g5m7z64p"; + sha256 = "1yvqx57vzih0jdy3grir8vfbkxp0cl0myql37bnmi2yn90vk6cma"; }; buildInputs = stdenv.lib.optional (pam != null && stdenv.isLinux) pam; - patches = [ ./no-sanitize-env.patch ./su-name.patch ./keep-path.patch ]; + patches = [ ./keep-path.patch ]; # Assume System V `setpgrp (void)', which is the default on GNU variants # (`AC_FUNC_SETPGRP' is not cross-compilation capable.) diff --git a/pkgs/os-specific/linux/shadow/keep-path.patch b/pkgs/os-specific/linux/shadow/keep-path.patch index 4b8406b53b089..99fd17c27bc98 100644 --- a/pkgs/os-specific/linux/shadow/keep-path.patch +++ b/pkgs/os-specific/linux/shadow/keep-path.patch 
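Review bot: `patches = [ ./keep-path.patch ];` drops `./no-sanitize-env.patch` and `./su-name.patch` without saying why, and nothing in default.nix records what the one remaining patch does to `su`. With no-sanitize-env.patch gone, the upstream `sanitize_env ()` call in su.c is presumably active again (assuming 4.1.5.1 still makes it). That changes how su treats the caller's environment, so it deserves a line next to the list. I would add above the list something like `# keep-path.patch: su keeps the caller's PATH; ENV_PATH/ENV_SUPATH from login.defs are not applied`. The commit message should also say whether 4.1.5.1 makes the argv[0] change from su-name.patch unnecessary, which is not visible from this hunk.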
@@ -1,18 +1,15 @@ -Don't reset $PATH to /bin:/usr/bin. This is consistent with `su' in -coreutils and important on NixOS. - -diff -ru -x '*~' shadow-4.1.4.2-orig/src/su.c shadow-4.1.4.2/src/su.c ---- shadow-4.1.4.2-orig/src/su.c 2009-07-23 22:38:56.000000000 +0200 -+++ shadow-4.1.4.2/src/su.c 2010-06-04 13:23:11.000000000 +0200 -@@ -827,6 +827,7 @@ - (void) signal (SIGINT, SIG_DFL); - (void) signal (SIGQUIT, SIG_DFL); +diff -ru shadow-4.1.5.1-orig/src/su.c shadow-4.1.5.1/src/su.c +--- shadow-4.1.5.1-orig/src/su.c 2012-05-25 07:51:55.000000000 -0400 ++++ shadow-4.1.5.1/src/su.c 2012-07-25 17:22:57.013547930 -0400 +@@ -879,6 +879,7 @@ + } + } +#if 0 - cp = getdef_str ((pwent.pw_uid == 0) ? "ENV_SUPATH" : "ENV_PATH"); + cp = getdef_str ((pw->pw_uid == 0) ? "ENV_SUPATH" : "ENV_PATH"); if (NULL == cp) { - addenv ("PATH=/bin:/usr/bin", NULL); -@@ -835,6 +836,7 @@ + addenv ((pw->pw_uid == 0) ? "PATH=/sbin:/bin:/usr/sbin:/usr/bin" : "PATH=/bin:/usr/bin", NULL); +@@ -887,6 +888,7 @@ } else { addenv ("PATH", cp); } diff --git a/pkgs/os-specific/linux/shadow/no-sanitize-env.patch b/pkgs/os-specific/linux/shadow/no-sanitize-env.patch deleted file mode 100644 index 902706d137eb6..0000000000000 --- a/pkgs/os-specific/linux/shadow/no-sanitize-env.patch +++ /dev/null @@ -1,16 +0,0 @@ -Don't remove environment variables such as PATH or SHELL. - -http://bugs.gentoo.org/show_bug.cgi?id=301957 -https://alioth.debian.org/scm/browser.php?group_id=30580 - ---- a/src/su.c -+++ b/src/su.c -@@ -342,7 +342,7 @@ - #endif - #endif /* !USE_PAM */ - -- sanitize_env (); -+ /* sanitize_env (); */ - - (void) setlocale (LC_ALL, ""); - (void) bindtextdomain (PACKAGE, LOCALEDIR); diff --git a/pkgs/os-specific/linux/shadow/su-name.patch b/pkgs/os-specific/linux/shadow/su-name.patch deleted file mode 100644 index 5873c93427484..0000000000000 --- a/pkgs/os-specific/linux/shadow/su-name.patch +++ /dev/null 
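Review bot: The regenerated keep-path.patch loses its header lines, so the file no longer says why su's PATH handling is compiled out. The `#if 0` that opens before `cp = getdef_str ((pw->pw_uid == 0) ? "ENV_SUPATH" : "ENV_PATH");` disables the login.defs lookup as well as the built-in defaults. An administrator's ENV_SUPATH setting would therefore be silently ignored, and a shell started for uid 0 appears to keep whatever PATH the calling user had. Please restore the header and extend it, e.g. `Don't reset $PATH; ENV_PATH and ENV_SUPATH in login.defs are therefore ignored by su.` The matching `#endif` and the rest of the enclosing su.c function lie outside this hunk.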
@@ -1,20 +0,0 @@ -When su is invoked with command line arguments for the shell (e.g. "su -- -c 'cmd'"), set argv[0] in the shell to "-su" or "-<basename>" (as -determined by the SU_NAME option in /etc/login.defs). This is -necessary to make Bash compiled with the NON_INTERACTIVE_LOGIN_SHELLS -option to read startup files. It is also consistent with the -behaviour of `su' in coreutils, and with the case where there are no -arguments ("su -"). - -diff -ru -x '*~' shadow-4.1.4.2-orig/src/su.c shadow-4.1.4.2/src/su.c ---- shadow-4.1.4.2-orig/src/su.c 2009-07-23 22:38:56.000000000 +0200 -+++ shadow-4.1.4.2/src/su.c 2010-06-04 13:02:24.000000000 +0200 -@@ -983,7 +983,7 @@ - * Use the shell and create an argv - * with the rest of the command line included. - */ -- argv[-1] = shellstr; -+ argv[-1] = cp; - #ifndef USE_PAM - execve_shell (shellstr, &argv[-1], environ); - err = errno; |