community/shadow: upgrade to 4.5

community/shadow/301-CVE-2017-2616-su-properly-clear-child-PID.patch

-From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Thu, 23 Feb 2017 09:47:29 -0600
-Subject: [PATCH] su: properly clear child PID
-
-If su is compiled with PAM support, it is possible for any local user
-to send SIGKILL to other processes with root privileges. There are
-only two conditions. First, the user must be able to perform su with
-a successful login. This does NOT have to be the root user, even using
-su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
-can only be sent to processes which were executed after the su process.
-It is not possible to send SIGKILL to processes which were already
-running. I consider this as a security vulnerability, because I was
-able to write a proof of concept which unlocked a screen saver of
-another user this way.
----
- src/su.c | 19 +++++++++++++++++--
- 1 file changed, 17 insertions(+), 2 deletions(-)
-
---- a/src/su.c
-+++ b/src/su.c
-@@ -363,20 +363,35 @@ static void prepare_pam_close_session (v
- 				/* wake child when resumed */
- 				kill (pid, SIGCONT);
- 				stop = false;
-+			} else {
-+				pid_child = 0;
- 			}
- 		} while (!stop);
- 	}
- 
--	if (0 != caught) {
-+	if (0 != caught && 0 != pid_child) {
- 		(void) fputs ("\n", stderr);
- 		(void) fputs (_("Session terminated, terminating shell..."),
- 		              stderr);
- 		(void) kill (-pid_child, caught);
- 
- 		(void) signal (SIGALRM, kill_child);
-+		(void) signal (SIGCHLD, catch_signals);
- 		(void) alarm (2);
- 
--		(void) wait (&status);
-+		sigemptyset (&ourset);
-+		if ((sigaddset (&ourset, SIGALRM) != 0)
-+		    || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
-+			fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
-+			kill_child (0);
-+		} else {
-+			while (0 == waitpid (pid_child, &status, WNOHANG)) {
-+				sigsuspend (&ourset);
-+			}
-+			pid_child = 0;
-+			(void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
-+		}
-+
- 		(void) fputs (_(" ...terminated.\n"), stderr);
- 	}
- 

community/shadow/302-CVE-2016-6252-fix-integer-overflow.patch

-From 1d5a926cc2d6078d23a96222b1ef3e558724dad1 Mon Sep 17 00:00:00 2001
-From: Sebastian Krahmer <krahmer@suse.com>
-Date: Wed, 3 Aug 2016 11:51:07 -0500
-Subject: [PATCH] Simplify getulong
-
-Use strtoul to read an unsigned long, rather than reading
-a signed long long and casting it.
-
-https://bugzilla.suse.com/show_bug.cgi?id=979282
----
- lib/getulong.c | 9 +++------
- 1 file changed, 3 insertions(+), 6 deletions(-)
-
-diff --git a/lib/getulong.c b/lib/getulong.c
-index 61579ca..08d2c1a 100644
---- a/lib/getulong.c
-+++ b/lib/getulong.c
-@@ -44,22 +44,19 @@
-  */
- int getulong (const char *numstr, /*@out@*/unsigned long int *result)
- {
--	long long int val;
-+	unsigned long int val;
- 	char *endptr;
- 
- 	errno = 0;
--	val = strtoll (numstr, &endptr, 0);
-+	val = strtoul (numstr, &endptr, 0);
- 	if (    ('\0' == *numstr)
- 	     || ('\0' != *endptr)
- 	     || (ERANGE == errno)
--	     /*@+ignoresigns@*/
--	     || (val != (unsigned long int)val)
--	     /*@=ignoresigns@*/
- 	   ) {
- 		return 0;
- 	}
- 
--	*result = (unsigned long int)val;
-+	*result = val;
- 	return 1;
- }
- 
--- 
-2.1.4
-

community/shadow/303-Reset-pid_child-only-if-waitpid-was-successful.patch

-From 7d82f203eeec881c584b2fa06539b39e82985d97 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 14 May 2017 17:58:10 +0200
-Subject: [PATCH] Reset pid_child only if waitpid was successful.
-
-Do not reset the pid_child to 0 if the child process is still
-running. This else-condition can be reached with pid being -1,
-therefore explicitly test this condition.
-
-This is a regression fix for CVE-2017-2616. If su receives a
-signal like SIGTERM, it is not propagated to the child.
-
-Reported-by: Radu Duta <raduduta@gmail.com>
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
----
- src/su.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/src/su.c
-+++ b/src/su.c
-@@ -363,7 +363,7 @@ static void prepare_pam_close_session (v
- 				/* wake child when resumed */
- 				kill (pid, SIGCONT);
- 				stop = false;
--			} else {
-+			} else if (   (pid_t)-1 != pid) {
- 				pid_child = 0;
- 			}
- 		} while (!stop);

community/shadow/APKBUILD

@@ -2,8 +2,8 @@
 # Contributor: Jakub Jirutka <jakub@jirutka.cz>
 # Maintainer: Stuart Cardall <developer@it-offshore.co.uk>
 pkgname=shadow
-pkgver=4.2.1
-pkgrel=11
+pkgver=4.5
+pkgrel=0
 pkgdesc="PAM-using login and passwd utilities (usermod, useradd, ...)"
 url="http://pkg-shadow.alioth.debian.org/"
 arch="all"
@@ -11,20 +11,19 @@ license="GPL"
 depends=""
 makedepends="linux-pam-dev"
 subpackages="$pkgname-doc $pkgname-dbg $pkgname-uidmap"
-source="http://pkg-shadow.alioth.debian.org/releases/shadow-$pkgver.tar.xz
+source="https://github.com/shadow-maint/shadow/releases/download/$pkgver/shadow-$pkgver.tar.xz
 	login.pamd
 	dots-in-usernames.patch
-	cross-size-checks.patch
-	verbose-error-when-uid-doesnt-match.patch
-	301-CVE-2017-2616-su-properly-clear-child-PID.patch
-	302-CVE-2016-6252-fix-integer-overflow.patch
-	303-Reset-pid_child-only-if-waitpid-was-successful.patch
 	useradd-usergroups.patch
 	pam-useradd.patch
 	"
 # secfixes:
-#     - CVE-2016-6252
-#     - CVE-2017-2616 (+ regression fix)
+#   4.5-r0:
+#   - CVE-2017-12424
+#   4.2.1-r11:
+#   - CVE-2017-2616
+#   4.2.1-r7:
+#   - CVE-2016-6252
 
 options="suid"
 builddir="$srcdir/shadow-$pkgver"
@@ -104,13 +103,8 @@ uidmap() {
 	touch etc/subuid etc/subgid
 }
 
-sha512sums="7a14bf8e08126f0402e37b6e4c559615ced7cf829e39156d929ed05cd8813de48a77ff1f7f6fe707da04cf662a2e9e84c22d63d88dd1ed13f935fde594db95f0  shadow-4.2.1.tar.xz
+sha512sums="e57f8db54df23301c229d4be30d4cbb67efa1d1809cffcff79adc480b6019fb2b5fd09e112e82a3f00ad5a6b2994592adac93f70a631cf666b6f4723b61c87b5  shadow-4.5.tar.xz
 46a6f83f3698e101b58b8682852da749619412f75dfa85cecad03d0847f6c3dc452d984510db7094220e4570a0565b83b0556e16198ad894a3ec84b3e513d58d  login.pamd
 745eea04c054226feba165b635dbb8570b8a04537d41e914400a4c54633c3a9cf350da0aabfec754fb8cf3e58fc1c8cf597b895506312f19469071760c11f31d  dots-in-usernames.patch
-c46760254439176babeef24d93900914092655af3a48f54385adf6ef5a3af76799fb7e96083acd27853d6ab6d7392543dbaf70bb26f164519e92f677da7851a4  cross-size-checks.patch
-1b3513772a7a0294b587723213e4464cc5a1a42ae6a79e9b9f9ea20083684a21d81e362f44d87ce2e6de2daf396d8422b39019923c0b0cbb44fa4c4c24613c0c  verbose-error-when-uid-doesnt-match.patch
-0954920ce9307948848d8f9ca5ea5bba4db8394793ef314ab5c6770948e96071748192b52ba8c31d543fe71ce0e6e2a7f3a2a92862966a940639a19df1048634  301-CVE-2017-2616-su-properly-clear-child-PID.patch
-36f494347cb980d85ea82331ec620a949be45f5f2c400a3b13f409a8d9c932c0f822cb0baa2ee78c6f356e7bf93de51c1b0f20730e8f3af36a746a5632d19bbe  302-CVE-2016-6252-fix-integer-overflow.patch
-e36d54759b71d48c62aefc4032e63deccafa69d22f8bae772b4c0ca135b431db9cd35a1a2a2adf5c76996e76e13ab82e1cf19bba70c6ca4414b3979a43c292c2  303-Reset-pid_child-only-if-waitpid-was-successful.patch
 49f1d5ded82d2d479805c77d7cc6274c30233596e375b28306b31a33f8fbfc3611dbc77d606081b8300247908c267297dbb6c5d1a30d56095dda53c6a636fb56  useradd-usergroups.patch
 0b4587e263cb6be12fa5ae6bc3b3fc4d3696dae355bc67d085dc58c52ff96edb4d163b95db2092b8c2f3310839430cac03c7af356641b42e24ee4aa6410f5cf1  pam-useradd.patch"

community/shadow/cross-size-checks.patch

-From 2cb54158b80cdbd97ca3b36df83f9255e923ae3f Mon Sep 17 00:00:00 2001
-From: James Le Cuirot <chewi@aura-online.co.uk>
-Date: Sat, 23 Aug 2014 09:46:39 +0100
-Subject: [PATCH] Check size of uid_t and gid_t using AC_CHECK_SIZEOF
-
-This built-in check is simpler than the previous method and, most
-importantly, works when cross-compiling.
-
-Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
----
- configure.in | 14 ++++----------
- 1 file changed, 4 insertions(+), 10 deletions(-)
-
-diff --git a/configure.in b/configure.in
-index 1a3f841..4a4d6d0 100644
---- a/configure.in
-+++ b/configure.in
-@@ -335,16 +335,10 @@ if test "$enable_subids" != "no"; then
- 	dnl
- 	dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc
- 	dnl
--	AC_RUN_IFELSE([AC_LANG_SOURCE([
--#include <sys/types.h>
--int main(void) {
--	uid_t u;
--	gid_t g;
--	return (sizeof u < 4) || (sizeof g < 4);
--}
--	])], [id32bit="yes"], [id32bit="no"])
--
--	if test "x$id32bit" = "xyes"; then
-+	AC_CHECK_SIZEOF([uid_t],, [#include "sys/types.h"])
-+	AC_CHECK_SIZEOF([gid_t],, [#include "sys/types.h"])
-+
-+	if test "$ac_cv_sizeof_uid_t" -ge 4 && test "$ac_cv_sizeof_gid_t" -ge 4; then
- 		AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.])
- 		enable_subids="yes"
- 	else
--- 
-2.3.6
-
-

community/shadow/verbose-error-when-uid-doesnt-match.patch

-From: Hank Leininger <hlein@korelogic.com>
-Date: Mon, 6 Apr 2015 08:22:48 -0500
-Subject: [PATCH] Expand the error message when newuidmap / newgidmap do not
- like the user/group ownership of their target process.
-
-Currently the error is just:
-
-newuidmap: Target [pid] is owned by a different user
-
-With this patch it will be like:
-
-newuidmap: Target [pid] is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:99
-
-Why is this useful?  Well, in my case...
-
-The grsecurity kernel-hardening patch includes an option to make parts
-of /proc unreadable, such as /proc/pid/ dirs for processes not owned by
-the current uid.  This comes with an option to make /proc/pid/
-directories readable by a specific gid; sysadmins and the like are then
-put into that group so they can see a full 'ps'.
-
-This means that the check in new[ug]idmap fails, as in the above quoted
-error - /proc/[targetpid] is owned by root, but the group is 99 so that
-users in group 99 can see the process.
-
-Some Googling finds dozens of people hitting this problem, but not
-*knowing* that they have hit this problem, because the errors and
-circumstances are non-obvious.
-
-Some graceful way of handling this and not failing, will be next ;)  But
-in the meantime it'd be nice to have new[ug]idmap emit a more useful
-error, so that it's easier to troubleshoot.
-
-Thanks!
-
-Signed-off-by: Hank Leininger <hlein@korelogic.com>
-Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
----
- src/newgidmap.c | 6 ++++--
- src/newuidmap.c | 6 ++++--
- 2 files changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/src/newgidmap.c b/src/newgidmap.c
-index a532b45..451c6a6 100644
---- a/src/newgidmap.c
-+++ b/src/newgidmap.c
-@@ -161,8 +161,10 @@ int main(int argc, char **argv)
- 	    (getgid() != pw->pw_gid) ||
- 	    (pw->pw_uid != st.st_uid) ||
- 	    (pw->pw_gid != st.st_gid)) {
--		fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ),
--			Prog, target);
-+		fprintf(stderr, _( "%s: Target %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
-+			Prog, target,
-+			(unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
-+			(unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid);
- 		return EXIT_FAILURE;
- 	}
- 
-diff --git a/src/newuidmap.c b/src/newuidmap.c
-index 5150078..9c8bc1b 100644
---- a/src/newuidmap.c
-+++ b/src/newuidmap.c
-@@ -161,8 +161,10 @@ int main(int argc, char **argv)
- 	    (getgid() != pw->pw_gid) ||
- 	    (pw->pw_uid != st.st_uid) ||
- 	    (pw->pw_gid != st.st_gid)) {
--		fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ),
--			Prog, target);
-+		fprintf(stderr, _( "%s: Target process %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
-+			Prog, target,
-+			(unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
-+			(unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid);
- 		return EXIT_FAILURE;
- 	}
\ No newline at end of file