diff --git a/0003-pam_oath-assign-safe-default-to-alwaysok-config-memb.patch b/0003-pam_oath-assign-safe-default-to-alwaysok-config-memb.patch
new file mode 100644
index 0000000..fb955f1
--- /dev/null
+++ b/0003-pam_oath-assign-safe-default-to-alwaysok-config-memb.patch
@@ -0,0 +1,32 @@
+From 70722be5a76d28df8ebbf8a706c6346c57cebb62 Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner
+Date: Thu, 5 Jul 2018 18:39:48 +0200
+Subject: [PATCH] pam_oath: assign safe default to alwaysok config member
+
+The way this was before allowed for the PAM authentication to
+potentially succeed when the first `goto done` line is hit. If the
+undefined data behind alwaysok is non-zero (which is quite probable)
+this would happen.
+
+In theory a local attacker could try to exhaust memory just enough to
+hit this spot and get e.g. root access.
+---
+ pam_oath/pam_oath.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c
+index 57fd33c..cfc3331 100644
+--- a/pam_oath/pam_oath.c
++++ b/pam_oath/pam_oath.c
+@@ -146,6 +146,8 @@ pam_sm_authenticate (pam_handle_t * pamh,
+ char *query_prompt = NULL;
+ char *onlypasswd = strdup (""); /* empty passwords never match */
+
++ cfg.alwaysok = false; /* make sure this gets a safe default */
++
+ if (!onlypasswd)
+ {
+ retval = PAM_BUF_ERR;
+--
+2.16.4
+
diff --git a/oath-toolkit.changes b/oath-toolkit.changes
index 631cfeb..f755bca 100644
--- a/oath-toolkit.changes
+++ b/oath-toolkit.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Jul 5 17:00:51 UTC 2018 - matthias.gerstner@suse.com
+
+- Add patch 0003-pam_oath-assign-safe-default-to-alwaysok-config-memb.patch:
+ - fix potential security issue in low memory situation (bsc#1089114)
+
 -------------------------------------------------------------------
 Sun May 20 21:40:32 UTC 2018 - julio@juliogonzalez.es
 
diff --git a/oath-toolkit.spec b/oath-toolkit.spec
index 23951ce..cbe889a 100644
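Review bot: The added `cfg.alwaysok = false;` gives a fail-closed default to the one member known to be read after the early `goto done` taken when `strdup` fails, but every other member of `cfg` stays indeterminate on that path, so any of them consulted after `done:` (debug switches, handles to release) has the same class of problem; the declaration of `cfg` is outside this nested hunk, so this is inferred from the assignment alone. A more uniform fix is to zero the whole structure before the first failure branch, `memset (&cfg, 0, sizeof cfg);`, or `= {0}` at its declaration if it is a local of this function, so that the fail-closed default does not depend on remembering each member individually. The comment would be more useful if it said why the default matters here: `/* fail closed: cfg is not parsed yet when the early goto done below is taken */`. pam_sm_authenticate begins and ends outside the hunk.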
--- a/oath-toolkit.spec
+++ b/oath-toolkit.spec
@@ -26,6 +26,7 @@ URL: http://www.nongnu.org/oath-toolkit/
 Source: http://download.savannah.nongnu.org/releases/%{name}/%{name}-%{version}.tar.gz
 Patch1: 0001-Fix-no-return-in-nonvoid-function-errors-reported-by.patch
 Patch2: 0002-update_gnulibs_files.patch
+Patch3: 0003-pam_oath-assign-safe-default-to-alwaysok-config-memb.patch
 BuildRequires: bison
 BuildRequires: gengetopt
 BuildRequires: libgcrypt-devel
@@ -130,6 +131,7 @@ This subpackage contains the headers for this library.
 %setup -q
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %build
 autoreconf -fiv