Sync from SUSE:SLFO:1.1 pam-config revision 316a707ee1cd3b79cd7b3e7dc9b3151f

_servicedata

@@ -2,5 +2,5 @@
 <service name="tar_scm">
                 <param name="url">https://github.com/SUSE/pam-config.git</param>
               
-<param name="changesrevision">03eb1f496e20526822e96d0be2f4b6a9c6396914</param></service>
+<param name="changesrevision">c328cbfc2b9576a92d32372df03eebef0aefb975</param></service>
 </servicedata>

pam-config.changes

@@ -1,14 +1,9 @@
 -------------------------------------------------------------------
-Wed Sep 11 13:54:08 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
+Fri May 16 16:24:57 UTC 2025 - Valentin Lefebvre <valentin.lefebvre@suse.com>
 
-- Add PreRequires for pam-extra, several other packages depend on
-  that pam_limits is installed and enabled by default
-
--------------------------------------------------------------------
-Wed Sep 11 07:58:07 UTC 2024 - kukuk@suse.com
-
-- Update to version 2.11+git.20240911:
-  * Only add pam_limits if available
+- Stop adding pam_env in AUTH stack, and be sure to put this module at the
+  really end of the SESSION stack.
+  [bsc#1243226, CVE-2025-6018, remove-pam_env-from-auth-stack.patch]
 
 -------------------------------------------------------------------
 Fri Sep 06 08:20:00 UTC 2024 - kukuk@suse.com

pam-config.spec

@@ -17,7 +17,7 @@
 
 
 Name:           pam-config
-Version:        2.11+git.20240911
+Version:        2.11+git.20240906
 Release:        0
 Summary:        Utility to modify common PAM configuration files
 License:        GPL-2.0-only
@@ -26,11 +26,12 @@ URL:            https://github.com/SUSE/pam-config
 Source:         %{name}-%{version}.tar.xz
 # Do not show some rpmlint errors.
 Source1:        pam-config-rpmlintrc
+# PATCH-FIX-UPSTREAM
+Patch0:         remove-pam_env-from-auth-stack.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  docbook-xsl-stylesheets
 PreReq:         pam >= 1.3.0
-PreReq:         pam-extra
 Recommends:     pam_pwquality
 
 %description
@@ -42,6 +43,7 @@ add/adjust/remove other PAM modules and their options.
 
 %prep
 %setup -q
+%patch 0 -p1
 
 %build
 ./autogen.sh

remove-pam_env-from-auth-stack.patch

@@ -0,0 +1,60 @@
+diff --git a/src/mod_pam_env.c b/src/mod_pam_env.c
+index b280789..2d04391 100644
+--- a/src/mod_pam_env.c
++++ b/src/mod_pam_env.c
+@@ -38,9 +38,6 @@ write_config_env (pam_module_t * this, enum write_type op, FILE * fp)
+ 
+   switch (op)
+     {
+-    case AUTH:
+-      fprintf (fp, "auth\trequired\tpam_env.so\t");
+-      break;
+     case SESSION:
+       fprintf (fp, "session\toptional\tpam_env.so\t");
+       break;
+diff --git a/src/pam-config.c b/src/pam-config.c
+index 29b34ef..0d97b5a 100644
+--- a/src/pam-config.c
++++ b/src/pam-config.c
+@@ -1059,8 +1059,6 @@ main (int argc, char *argv[])
+       if (sanitize_check_account (common_module_list, 0) != 0)
+	return 1;
+ 
+-      opt_set = mod_pam_unix.get_opt_set (&mod_pam_env, AUTH);
+-      opt_set->enable (opt_set, "is_enabled", TRUE);
+       opt_set = mod_pam_unix.get_opt_set (&mod_pam_unix, AUTH);
+       opt_set->enable (opt_set, "is_enabled", TRUE);
+       if (sanitize_check_auth (common_module_list, 0) != 0)
+diff --git a/src/supported-modules.h b/src/supported-modules.h
+index 5067db8..bf7b4ba 100644
+--- a/src/supported-modules.h
++++ b/src/supported-modules.h
+@@ -121,7 +121,6 @@ static pam_module_t *module_list_account[] = {
+ };
+ 
+ static pam_module_t *module_list_auth[] = {
+-  &mod_pam_env,
+   &mod_pam_faildelay,
+   &mod_pam_group,
+   &mod_pam_pkcs11,
+@@ -195,10 +194,10 @@ static pam_module_t *module_list_session[] = {
+   &mod_pam_gnome_keyring,
+   &mod_pam_kwallet5,
+   &mod_pam_exec,
+-  &mod_pam_env,
+   &mod_pam_mktemp,
+   &mod_pam_himmelblau,
+   &mod_pam_kanidm,
++  &mod_pam_env,
+   NULL
+ };
+ 
+@@ -224,8 +223,8 @@ static pam_module_t *module_list_session_nl[] = {
+   &mod_pam_gnome_keyring,
+   &mod_pam_kwallet5,
+   &mod_pam_exec,
+-  &mod_pam_env,
+   &mod_pam_mktemp,
++  &mod_pam_env,
+   NULL
+ };