author | mancha <mancha1@hush.com> | 2013-06-24 09:49:55 -0500 |
---|---|---|
committer | Niels Horn <niels.horn@slackbuilds.org> | 2013-06-29 16:12:38 -0300 |
commit | 5e7435b792e3d7c0576fe39c8fe8269e311d3d50 (patch) | |
tree | d3c0b7a2f2bbaa87b59297cd06879f54aee57cd2 | |
parent | 65f5cba659a44050e2e9b69c963e7c2f2ef57549 (diff) |
system/gdm: Fix crypt() usage with glibc-2.17+
Starting with glibc 2.17 (eglibc 2.17), crypt() fails with
EINVAL (w/ NULL return) if the salt violates specifications.
Additionally, on FIPS-140 enabled Linux systems, DES or MD5
encrypted passwords passed to crypt() fail with EPERM (w/
NULL return).
Slackware-current has transitioned to glibc 2.17 and as you
might be aware from reading my posts on LQ, I have dedicated
time to fixing userland which does not adequately handle
crypt() returns given the new behavior.
gdm is negatively affected and my attached patch (against
gdm 2.20.11) addresses this.
This is in anticipation of a new Slackware release but can
be applied to the SBo package for Slackware 14.0 since it is
backwards compatible and should not affect behavior on glibc
2.15. It would be good if my assertion were tested.
[rworkman] Yeah, it seems to work here :-)
Signed-off-by: Robby Workman <rworkman@slackbuilds.org>
-rw-r--r-- | system/gdm/gdm.SlackBuild | 5 | ||||
-rw-r--r-- | system/gdm/patches/gdm-2.20.11-crypt.diff | 134 |
2 files changed, 138 insertions, 1 deletions
diff --git a/system/gdm/gdm.SlackBuild b/system/gdm/gdm.SlackBuild index 727b618089217..7699068bd7083 100644 --- a/system/gdm/gdm.SlackBuild +++ b/system/gdm/gdm.SlackBuild @@ -11,7 +11,7 @@ PRGNAM=gdm VERSION=${VERSION:-2.20.11} -BUILD=${BUILD:-4} +BUILD=${BUILD:-5} TAG=${TAG:-_SBo} if [ -z "$ARCH" ]; then @@ -60,6 +60,9 @@ find . \ # Don't automatically start ssh-agent -- this is the user's job patch -p1 < $CWD/patches/do_not_start_ssh-agent.diff +# Fix crypt() usage with glibc-2.17 and later +patch -p1 < $CWD/patches/gdm-2.20.11-crypt.diff + CFLAGS="$SLKCFLAGS" \ CXXFLAGS="$SLKCFLAGS" \ ./configure \ diff --git a/system/gdm/patches/gdm-2.20.11-crypt.diff b/system/gdm/patches/gdm-2.20.11-crypt.diff new file mode 100644 index 0000000000000..d72bd80c46e5a --- /dev/null +++ b/system/gdm/patches/gdm-2.20.11-crypt.diff 
@@ -0,0 +1,134 @@
+Correctly handle crypt() NULL returns when built against glibc 2.17+
+
+Author: mancha
+
+=======
+
+--- gdm-2.20.11/daemon/verify-crypt.c.orig 2013-06-23
++++ gdm-2.20.11/daemon/verify-crypt.c 2013-06-23
+@@ -104,7 +104,7 @@ gdm_verify_user (GdmDisplay *d,
+ const char *username,
+ gboolean allow_retry)
+ {
+- gchar *login, *passwd, *ppasswd;
++ gchar *login, *passwd, *ppasswd, *cpasswd;
+ struct passwd *pwent;
+ #if defined (HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS) \
+ || defined (HAVE_LOGINRESTRICTIONS)
+@@ -190,8 +190,10 @@ gdm_verify_user (GdmDisplay *d,
+ }
+
+ /* Check whether password is valid */
+- if (ppasswd == NULL || (ppasswd[0] != '\0' &&
+- strcmp (crypt (passwd, ppasswd), ppasswd) != 0)) {
++ cpasswd = ppasswd ? crypt (passwd, ppasswd) : NULL;
++ if (ppasswd == NULL || cpasswd == NULL ||
++ (ppasswd[0] != '\0' &&
++ strcmp (cpasswd, ppasswd) != 0)) {
+ gdm_sleep_no_signal (gdm_daemon_config_get_value_int (GDM_KEY_RETRY_DELAY));
+ gdm_debug ("Couldn't authenticate user");
+
+@@ -200,6 +202,7 @@ gdm_verify_user (GdmDisplay *d,
+ g_free (login);
+ g_free (passwd);
+ g_free (ppasswd);
++ g_free (cpasswd);
+ return NULL;
+ }
+
+@@ -217,6 +220,7 @@ gdm_verify_user (GdmDisplay *d,
+ g_free (login);
+ g_free (passwd);
+ g_free (ppasswd);
++ g_free (cpasswd);
+ return NULL;
+ }
+
+@@ -233,6 +237,7 @@ gdm_verify_user (GdmDisplay *d,
+ g_free (login);
+ g_free (passwd);
+ g_free (ppasswd);
++ g_free (cpasswd);
+ if (message != NULL)
+ free (message);
+ return NULL;
+@@ -259,6 +264,7 @@ gdm_verify_user (GdmDisplay *d,
+ g_free (login);
+ g_free (passwd);
+ g_free (ppasswd);
++ g_free (cpasswd);
+ return NULL;
+ }
+
+@@ -266,6 +272,7 @@ gdm_verify_user (GdmDisplay *d,
+
+ g_free (passwd);
+ g_free (ppasswd);
++ g_free (cpasswd);
+
+ if ( ! gdm_slave_check_user_wants_to_log_in (login)) {
+ g_free (login);
+--- gdm-2.20.11/daemon/verify-shadow.c.orig 2013-06-23
++++ gdm-2.20.11/daemon/verify-shadow.c 2013-06-23
+@@ -105,7 +105,7 @@ gdm_verify_user (GdmDisplay *d,
+ const char *username,
+ gboolean allow_retry)
+ {
+- gchar *login, *passwd, *ppasswd;
++ gchar *login, *passwd, *ppasswd, *cpasswd;
+ struct passwd *pwent;
+ struct spwd *sp;
+ #if defined (HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS) \
+@@ -211,8 +211,10 @@ gdm_verify_user (GdmDisplay *d,
+ }
+
+ /* Check whether password is valid */
+- if (ppasswd == NULL || (ppasswd[0] != '\0' &&
+- strcmp (crypt (passwd, ppasswd), ppasswd) != 0)) {
++ cpasswd = ppasswd ? crypt (passwd, ppasswd) : NULL;
++ if (ppasswd == NULL || cpasswd == NULL ||
++ (ppasswd[0] != '\0' &&
++ strcmp (cpasswd, ppasswd) != 0)) {
+ gdm_sleep_no_signal (gdm_daemon_config_get_value_int (GDM_KEY_RETRY_DELAY));
+ gdm_debug ("Couldn't authenticate user");
+
+@@ -221,6 +223,7 @@ gdm_verify_user (GdmDisplay *d,
+ g_free (login);
+ g_free (passwd);
+ g_free (ppasswd);
++ g_free (cpasswd);
+ return NULL;
+ }
+
+@@ -238,6 +241,7 @@ gdm_verify_user (GdmDisplay *d,
+ g_free (login);
+ g_free (passwd);
+ g_free (ppasswd);
++ g_free (cpasswd);
+ return NULL;
+ }
+
+@@ -254,6 +258,7 @@ gdm_verify_user (GdmDisplay *d,
+ g_free (login);
+ g_free (passwd);
+ g_free (ppasswd);
++ g_free (cpasswd);
+ if (message != NULL)
+ free (message);
+ return NULL;
+@@ -280,6 +285,7 @@ gdm_verify_user (GdmDisplay *d,
+ g_free (login);
+ g_free (passwd);
+ g_free (ppasswd);
++ g_free (cpasswd);
+ return NULL;
+ }
+
+@@ -287,6 +293,7 @@ gdm_verify_user (GdmDisplay *d,
+
+ g_free (passwd);
+ g_free (ppasswd);
++ g_free (cpasswd);
+
+ if ( ! gdm_slave_check_user_wants_to_log_in (login)) {
+ g_free (login); |
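Review bot: The added `g_free (cpasswd);` calls release a pointer that crypt() owns: `cpasswd = ppasswd ? crypt (passwd, ppasswd) : NULL;` stores the return value directly, and crypt(3) documents that value as static data overwritten by each call, not memory the caller allocated. Freeing it on every exit path of gdm_verify_user, in both verify-crypt.c and verify-shadow.c, is undefined behaviour in the login daemon's authentication path and may abort the process or corrupt the heap on a later crypt() call. I would drop every `g_free (cpasswd);` line and keep only the `cpasswd == NULL` check. Separately, crypt() is now called even when `ppasswd[0] == '\0'`, so an account with an empty password field is presumably rejected on glibc 2.17+ where the old condition accepted it; the patch description should state whether that is intended. gdm_verify_user starts and ends outside these hunks, so earlier return paths could not be checked.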