Compare commits
1 Commits
| Author | SHA256 | Date | |
|---|---|---|---|
| c65378021d |
@ -1,29 +0,0 @@
|
||||
--- a/src/mappers/mapper.c
|
||||
+++ b/src/mappers/mapper.c
|
||||
@@ -83,7 +83,12 @@
|
||||
/* get a line from buffer */
|
||||
from = mfile->pt;
|
||||
/* set up pointer */
|
||||
- while( *from && isspace(*from) ) from++;
|
||||
+ while( *from && isspace(*from)){
|
||||
+ if(from - mfile->buffer + 1 >= mfile->length){
|
||||
+ return 0;
|
||||
+ }
|
||||
+ from++;
|
||||
+ }
|
||||
to = strchr(from,'\n');
|
||||
/* if no newline, assume string ends at end of buffer */
|
||||
if (!to) to=mfile->buffer+mfile->length;
|
||||
|
||||
--- a/src/pam_pkcs11/pam_pkcs11.c
|
||||
+++ b/src/pam_pkcs11/pam_pkcs11.c
|
||||
@@ -208,7 +208,7 @@
|
||||
{
|
||||
int i, rv;
|
||||
const char *user = NULL;
|
||||
- char *password;
|
||||
+ char *password = NULL;
|
||||
unsigned int slot_num = 0;
|
||||
int is_a_screen_saver = 0;
|
||||
struct configuration_st *configuration;
|
||||
|
||||
@ -1,105 +0,0 @@
|
||||
From b665b287ff955bbbd9539252ff9f9e2754c3fb48 Mon Sep 17 00:00:00 2001
|
||||
From: Frank Morgner <frankmorgner@gmail.com>
|
||||
Date: Fri, 6 Dec 2024 04:39:04 +0100
|
||||
Subject: [PATCH] fixed possible authentication bypass: Use signatures to
|
||||
verify authentication by default
|
||||
|
||||
If cert_policy is set to none (the default value), then pam_pkcs11 will
|
||||
only check if the user is capable of logging into the token. An attacker
|
||||
may create a different token with the user's public data (e.g. the
|
||||
user's certificate) and a PIN known to the attacker. If no signature
|
||||
with the private key is required, then the attacker may now login as
|
||||
user with that created token.
|
||||
|
||||
This change, by default, uses the private key to crate a signature. A
|
||||
new policy, `no_signature` is introduced if the module should really
|
||||
*not* validate the key's signature
|
||||
---
|
||||
src/common/cert_vfy.h | 2 +-
|
||||
src/pam_pkcs11/pam_config.c | 16 +++++++++++-----
|
||||
src/pam_pkcs11/pam_pkcs11.c | 2 +-
|
||||
3 files changed, 13 insertions(+), 7 deletions(-)
|
||||
|
||||
Index: pam_pkcs11-pam_pkcs11-0.6.12/src/common/cert_vfy.h
|
||||
===================================================================
|
||||
--- pam_pkcs11-pam_pkcs11-0.6.12.orig/src/common/cert_vfy.h
|
||||
+++ pam_pkcs11-pam_pkcs11-0.6.12/src/common/cert_vfy.h
|
||||
@@ -48,7 +48,7 @@ typedef enum {
|
||||
struct cert_policy_st {
|
||||
int ca_policy;
|
||||
int crl_policy;
|
||||
- int signature_policy;
|
||||
+ int no_signature_policy;
|
||||
const char *ca_dir;
|
||||
const char *crl_dir;
|
||||
const char *nss_dir;
|
||||
Index: pam_pkcs11-pam_pkcs11-0.6.12/src/pam_pkcs11/pam_config.c
|
||||
===================================================================
|
||||
--- pam_pkcs11-pam_pkcs11-0.6.12.orig/src/pam_pkcs11/pam_config.c
|
||||
+++ pam_pkcs11-pam_pkcs11-0.6.12/src/pam_pkcs11/pam_config.c
|
||||
@@ -87,7 +87,7 @@ static void display_config (void) {
|
||||
DBG1("support_threads %d",configuration.support_threads);
|
||||
DBG1("ca_policy %d",configuration.policy.ca_policy);
|
||||
DBG1("crl_policy %d",configuration.policy.crl_policy);
|
||||
- DBG1("signature_policy %d",configuration.policy.signature_policy);
|
||||
+ DBG1("no_signature_policy %d",configuration.policy.no_signature_policy);
|
||||
DBG1("ocsp_policy %d",configuration.policy.ocsp_policy);
|
||||
DBG1("err_display_time %d", configuration.err_display_time);
|
||||
}
|
||||
@@ -180,7 +180,7 @@ static void parse_config_file(void) {
|
||||
configuration.policy.crl_policy=CRLP_NONE;
|
||||
configuration.policy.ocsp_policy=OCSP_NONE;
|
||||
configuration.policy.ca_policy=0;
|
||||
- configuration.policy.signature_policy=0;
|
||||
+ configuration.policy.no_signature_policy=0;
|
||||
break;
|
||||
} else if ( !strcmp(policy_list->data,"crl_auto") ) {
|
||||
configuration.policy.crl_policy=CRLP_AUTO;
|
||||
@@ -193,7 +193,10 @@ static void parse_config_file(void) {
|
||||
} else if ( !strcmp(policy_list->data,"ca") ) {
|
||||
configuration.policy.ca_policy=1;
|
||||
} else if ( !strcmp(policy_list->data,"signature") ) {
|
||||
- configuration.policy.signature_policy=1;
|
||||
+ // ignore this setting for legacy reasons
|
||||
+ } else if ( !strcmp(policy_list->data,"no_signature") ) {
|
||||
+ // ignore this setting for legacy reasons
|
||||
+ configuration.policy.no_signature_policy=1;
|
||||
} else {
|
||||
DBG1("Invalid CRL policy: %s",policy_list->data);
|
||||
}
|
||||
@@ -321,7 +324,7 @@ struct configuration_st *pk_configure( i
|
||||
if (strstr(argv[i],"none")) {
|
||||
configuration.policy.crl_policy=CRLP_NONE;
|
||||
configuration.policy.ca_policy=0;
|
||||
- configuration.policy.signature_policy=0;
|
||||
+ configuration.policy.no_signature_policy=0;
|
||||
configuration.policy.ocsp_policy=OCSP_NONE;
|
||||
}
|
||||
if (strstr(argv[i],"crl_online")) {
|
||||
@@ -340,7 +343,10 @@ struct configuration_st *pk_configure( i
|
||||
configuration.policy.ca_policy=1;
|
||||
}
|
||||
if (strstr(argv[i],"signature")) {
|
||||
- configuration.policy.signature_policy=1;
|
||||
+ // ignore this setting for legacy reasons
|
||||
+ }
|
||||
+ if (strstr(argv[i],"no_signature")) {
|
||||
+ configuration.policy.no_signature_policy=1;
|
||||
}
|
||||
continue;
|
||||
}
|
||||
Index: pam_pkcs11-pam_pkcs11-0.6.12/src/pam_pkcs11/pam_pkcs11.c
|
||||
===================================================================
|
||||
--- pam_pkcs11-pam_pkcs11-0.6.12.orig/src/pam_pkcs11/pam_pkcs11.c
|
||||
+++ pam_pkcs11-pam_pkcs11-0.6.12/src/pam_pkcs11/pam_pkcs11.c
|
||||
@@ -618,8 +618,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
|
||||
|
||||
|
||||
/* if signature check is enforced, generate random data, sign and verify */
|
||||
- if (configuration->policy.signature_policy) {
|
||||
- pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("Checking signature"));
|
||||
+ if (!configuration->policy.no_signature_policy) {
|
||||
+ pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("Checking signature"));
|
||||
|
||||
|
||||
#ifdef notdef
|
||||
@ -1,10 +1,3 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Feb 19 13:50:20 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
|
||||
|
||||
- Security update fix [bsc#1237062, CVE-2025-24032]
|
||||
* Fix CVE-2025-24032: vulnerable to authentication bypass with default value for `cert_policy` (`none`)
|
||||
* Add pam_pkcs11-CVE-2025-24032.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Feb 5 09:28:30 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
|
||||
|
||||
@ -14,14 +7,6 @@ Wed Feb 5 09:28:30 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
|
||||
- Fix RPM warnings
|
||||
- Add %check section running test suite
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 24 21:07:33 UTC 2024 - Simon Vogl <simon.vogl@gmx.net>
|
||||
|
||||
- Fix for boo#1230870:
|
||||
* Add patch 0001-memory-leak-fixes.patch
|
||||
- Add -Wno-implicit-function-declaration to CFLAGS to fix build
|
||||
with gcc14 and newer
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue May 7 15:19:11 UTC 2024 - Davide Benini <davide.benini@suse.com>
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package pam_pkcs11
|
||||
#
|
||||
# Copyright (c) 2025 SUSE LLC
|
||||
# Copyright (c) 2023 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -35,12 +35,9 @@ Patch0: %{name}-fsf-address.patch
|
||||
Patch1: %{name}-0.5.3-nss-conf.patch
|
||||
Patch3: %{name}-0.6.0-nss-autoconf.patch
|
||||
Patch4: 0001-Set-slot_num-configuration-parameter-to-0-by-default.patch
|
||||
# 0001-memory-leak-fixes.patch - Fix memory leaks and issues with kscreenlocker (boo#1230870) - adapted from https://github.com/OpenSC/pam_pkcs11/commit/f8e7d85aa3ca4fd2e2a8c2dfe601d1224debe372.patch
|
||||
Patch6: 0001-memory-leak-fixes.patch
|
||||
# PATCH-FIX-UPSTREAM: bsc#1236314 CVE-2025-24531 has a regression returning PAM_IGNORE in many situations with possible authentication bypass
|
||||
Patch7: pam_pkcs11-CVE-2025-24531.patch
|
||||
# PATCH-FIX-UPSTREAM: bsc#1237062 CVE-2025-24032: vulnerable to authentication bypass with default value for `cert_policy` (`none`)
|
||||
Patch8: pam_pkcs11-CVE-2025-24032.patch
|
||||
Patch5: pam_pkcs11-CVE-2025-24531.patch
|
||||
|
||||
BuildRequires: curl-devel
|
||||
BuildRequires: docbook-xsl-stylesheets
|
||||
BuildRequires: doxygen
|
||||
@ -103,7 +100,6 @@ sed -i '/^HTML_TIMESTAMP/s/YES/NO/' doc/doxygen.conf.in
|
||||
%build
|
||||
./bootstrap
|
||||
%configure\
|
||||
CFLAGS="${CFLAGS:-%optflags} -Wno-implicit-function-declaration"\
|
||||
--docdir=%{_docdir}/%{name}\
|
||||
--with-nss\
|
||||
--with-curl
|
||||
@ -111,6 +107,7 @@ sed -i '/^HTML_TIMESTAMP/s/YES/NO/' doc/doxygen.conf.in
|
||||
# Generate documentation: This sounds like an upstream bug while making an upstream source tarball.
|
||||
%make_build dist
|
||||
|
||||
|
||||
%check
|
||||
%make_build check
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user