From 06d7078f7631b92e8b789f8e94a3a346d8181ce6 Mon Sep 17 00:00:00 2001
From: Ross Burton <ross.burton@intel.com>
Date: Thu, 11 Apr 2013 15:57:58 +0100
Subject: sudo: handle glibc 2.17 crypt semantics

Staring from glibc 2.17 the crypt() function will error out and return NULL if
the seed or "correct" is invalid. The failure case for this is the sudo user
having a locked account in /etc/shadow, so their password is "!", which is an
invalid hash.  crypt() never returned NULL previously so this is crashing in
strcmp().

[ YOCTO #4241 ]

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-extended/sudo/files/crypt.patch | 24 ++++++++++++++++++++++++
 meta/recipes-extended/sudo/sudo_1.8.6p7.bb   |  1 +
 2 files changed, 25 insertions(+)
 create mode 100644 meta/recipes-extended/sudo/files/crypt.patch

(limited to 'meta/recipes-extended')

diff --git a/meta/recipes-extended/sudo/files/crypt.patch b/meta/recipes-extended/sudo/files/crypt.patch
new file mode 100644
index 0000000000..53a257f52c
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/crypt.patch
@@ -0,0 +1,24 @@
+Staring from glibc 2.17 the crypt() function will error out and return NULL if
+the seed or "correct" is invalid. The failure case for this is the sudo user
+having a locked account in /etc/shadow, so their password is "!", which is an
+invalid hash.  crypt() never returned NULL previously so this is crashing in
+strcmp().
+
+Upstream-Status: Pending
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+Index: sudo-1.8.6p7/plugins/sudoers/auth/passwd.c
+===================================================================
+--- sudo-1.8.6p7.orig/plugins/sudoers/auth/passwd.c	2013-04-11 15:26:28.456416867 +0100
++++ sudo-1.8.6p7/plugins/sudoers/auth/passwd.c	2013-04-11 15:31:31.156421718 +0100
+@@ -96,7 +96,9 @@
+      */
+     epass = (char *) crypt(pass, pw_epasswd);
+     pass[8] = sav;
+-    if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
++    if (epass == NULL)
++	error = AUTH_FAILURE;
++    else if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
+ 	error = strncmp(pw_epasswd, epass, DESLEN);
+     else
+ 	error = strcmp(pw_epasswd, epass);
diff --git a/meta/recipes-extended/sudo/sudo_1.8.6p7.bb b/meta/recipes-extended/sudo/sudo_1.8.6p7.bb
index b79d0d58d8..7198fd3c14 100644
--- a/meta/recipes-extended/sudo/sudo_1.8.6p7.bb
+++ b/meta/recipes-extended/sudo/sudo_1.8.6p7.bb
@@ -4,6 +4,7 @@ PR = "r0"
 
 SRC_URI = "http://ftp.sudo.ws/sudo/dist/sudo-${PV}.tar.gz \
            file://libtool.patch \
+           file://crypt.patch \
            ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"
 
 PAM_SRC_URI = "file://sudo.pam"
-- 
cgit 1.2.3-korg