aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authormancha <mancha1@hush.com>2013-06-24 09:49:55 -0500
committerNiels Horn <niels.horn@slackbuilds.org>2013-06-29 16:12:38 -0300
commit5e7435b792e3d7c0576fe39c8fe8269e311d3d50 (patch)
treed3c0b7a2f2bbaa87b59297cd06879f54aee57cd2
parent65f5cba659a44050e2e9b69c963e7c2f2ef57549 (diff)
system/gdm: Fix crypt() usage with glibc-2.17+
Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL (w/ NULL return) if the salt violates specifications. Additionally, on FIPS-140 enabled Linux systems, DES or MD5 encrypted passwords passed to crypt() fail with EPERM (w/ NULL return). Slackware-current has transitioned to glibc 2.17 and as you might be aware from reading my posts on LQ, I have dedicated time to fixing userland which does not adequately handle crypt() returns given the new behavior. gdm is negatively affected and my attached patch (against gdm 2.20.11) addresses this. This is in anticipation of a new Slackware release but can be applied to the SBo package for Slackware 14.0 since it is backwards compatible and should not affect behavior on glibc 2.15. It would be good if my assertion were tested. [rworkman] Yeah, it seems to work here :-) Signed-off-by: Robby Workman <rworkman@slackbuilds.org>
-rw-r--r--system/gdm/gdm.SlackBuild5
-rw-r--r--system/gdm/patches/gdm-2.20.11-crypt.diff134
2 files changed, 138 insertions, 1 deletions
diff --git a/system/gdm/gdm.SlackBuild b/system/gdm/gdm.SlackBuild
index 727b618089217..7699068bd7083 100644
--- a/system/gdm/gdm.SlackBuild
+++ b/system/gdm/gdm.SlackBuild
@@ -11,7 +11,7 @@
PRGNAM=gdm
VERSION=${VERSION:-2.20.11}
-BUILD=${BUILD:-4}
+BUILD=${BUILD:-5}
TAG=${TAG:-_SBo}
if [ -z "$ARCH" ]; then
@@ -60,6 +60,9 @@ find . \
# Don't automatically start ssh-agent -- this is the user's job
patch -p1 < $CWD/patches/do_not_start_ssh-agent.diff
+# Fix crypt() usage with glibc-2.17 and later
+patch -p1 < $CWD/patches/gdm-2.20.11-crypt.diff
+
CFLAGS="$SLKCFLAGS" \
CXXFLAGS="$SLKCFLAGS" \
./configure \
diff --git a/system/gdm/patches/gdm-2.20.11-crypt.diff b/system/gdm/patches/gdm-2.20.11-crypt.diff
new file mode 100644
index 0000000000000..d72bd80c46e5a
--- /dev/null
+++ b/system/gdm/patches/gdm-2.20.11-crypt.diff
@@ -0,0 +1,134 @@
+Correctly handle crypt() NULL returns when built against glibc 2.17+
+
+Author: mancha
+
+=======
+
+--- gdm-2.20.11/daemon/verify-crypt.c.orig 2013-06-23
++++ gdm-2.20.11/daemon/verify-crypt.c 2013-06-23
+@@ -104,7 +104,7 @@ gdm_verify_user (GdmDisplay *d,
+ const char *username,
+ gboolean allow_retry)
+ {
+- gchar *login, *passwd, *ppasswd;
++ gchar *login, *passwd, *ppasswd, *cpasswd;
+ struct passwd *pwent;
+ #if defined (HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS) \
+ || defined (HAVE_LOGINRESTRICTIONS)
+@@ -190,8 +190,10 @@ gdm_verify_user (GdmDisplay *d,
+ }
+
+ /* Check whether password is valid */
+- if (ppasswd == NULL || (ppasswd[0] != '\0' &&
+- strcmp (crypt (passwd, ppasswd), ppasswd) != 0)) {
++ cpasswd = ppasswd ? crypt (passwd, ppasswd) : NULL;
++ if (ppasswd == NULL || cpasswd == NULL ||
++ (ppasswd[0] != '\0' &&
++ strcmp (cpasswd, ppasswd) != 0)) {
+ gdm_sleep_no_signal (gdm_daemon_config_get_value_int (GDM_KEY_RETRY_DELAY));
+ gdm_debug ("Couldn't authenticate user");
+
+@@ -200,6 +202,7 @@ gdm_verify_user (GdmDisplay *d,
+ g_free (login);
+ g_free (passwd);
+ g_free (ppasswd);
++ g_free (cpasswd);
+ return NULL;
+ }
+
+@@ -217,6 +220,7 @@ gdm_verify_user (GdmDisplay *d,
+ g_free (login);
+ g_free (passwd);
+ g_free (ppasswd);
++ g_free (cpasswd);
+ return NULL;
+ }
+
+@@ -233,6 +237,7 @@ gdm_verify_user (GdmDisplay *d,
+ g_free (login);
+ g_free (passwd);
+ g_free (ppasswd);
++ g_free (cpasswd);
+ if (message != NULL)
+ free (message);
+ return NULL;
+@@ -259,6 +264,7 @@ gdm_verify_user (GdmDisplay *d,
+ g_free (login);
+ g_free (passwd);
+ g_free (ppasswd);
++ g_free (cpasswd);
+ return NULL;
+ }
+
+@@ -266,6 +272,7 @@ gdm_verify_user (GdmDisplay *d,
+
+ g_free (passwd);
+ g_free (ppasswd);
++ g_free (cpasswd);
+
+ if ( ! gdm_slave_check_user_wants_to_log_in (login)) {
+ g_free (login);
+--- gdm-2.20.11/daemon/verify-shadow.c.orig 2013-06-23
++++ gdm-2.20.11/daemon/verify-shadow.c 2013-06-23
+@@ -105,7 +105,7 @@ gdm_verify_user (GdmDisplay *d,
+ const char *username,
+ gboolean allow_retry)
+ {
+- gchar *login, *passwd, *ppasswd;
++ gchar *login, *passwd, *ppasswd, *cpasswd;
+ struct passwd *pwent;
+ struct spwd *sp;
+ #if defined (HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS) \
+@@ -211,8 +211,10 @@ gdm_verify_user (GdmDisplay *d,
+ }
+
+ /* Check whether password is valid */
+- if (ppasswd == NULL || (ppasswd[0] != '\0' &&
+- strcmp (crypt (passwd, ppasswd), ppasswd) != 0)) {
++ cpasswd = ppasswd ? crypt (passwd, ppasswd) : NULL;
++ if (ppasswd == NULL || cpasswd == NULL ||
++ (ppasswd[0] != '\0' &&
++ strcmp (cpasswd, ppasswd) != 0)) {
+ gdm_sleep_no_signal (gdm_daemon_config_get_value_int (GDM_KEY_RETRY_DELAY));
+ gdm_debug ("Couldn't authenticate user");
+
+@@ -221,6 +223,7 @@ gdm_verify_user (GdmDisplay *d,
+ g_free (login);
+ g_free (passwd);
+ g_free (ppasswd);
++ g_free (cpasswd);
+ return NULL;
+ }
+
+@@ -238,6 +241,7 @@ gdm_verify_user (GdmDisplay *d,
+ g_free (login);
+ g_free (passwd);
+ g_free (ppasswd);
++ g_free (cpasswd);
+ return NULL;
+ }
+
+@@ -254,6 +258,7 @@ gdm_verify_user (GdmDisplay *d,
+ g_free (login);
+ g_free (passwd);
+ g_free (ppasswd);
++ g_free (cpasswd);
+ if (message != NULL)
+ free (message);
+ return NULL;
+@@ -280,6 +285,7 @@ gdm_verify_user (GdmDisplay *d,
+ g_free (login);
+ g_free (passwd);
+ g_free (ppasswd);
++ g_free (cpasswd);
+ return NULL;
+ }
+
+@@ -287,6 +293,7 @@ gdm_verify_user (GdmDisplay *d,
+
+ g_free (passwd);
+ g_free (ppasswd);
++ g_free (cpasswd);
+
+ if ( ! gdm_slave_check_user_wants_to_log_in (login)) {
+ g_free (login);