pool/oath-toolkit
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 859201 from home:mnhauke

Browse Source 
- Update to version 2.6.5
  * oathtool: Support for reading KEY and OTP from standard input
    or filename.
    KEY and OTP may now be given as '-' to mean stdin, or @FILE to
    read from a particular file.  This is recommended on multi-user
    systems, since secrets as command line parameters leak.
  * pam_oath: Fix unlikely logic fail on out of memory conditions.
  * Doc fixes.
- Update to version 2.6.4
  * libpskc: New --with-xmlsec-crypto-engine to hard-code crypto
    engine.  Use it like --with-xmlsec-crypto-engine=gnutls or
    --with-xmlsec-crypto-engine=openssl if the default dynamic
    loading fails because of runtime linker search path issues.
  * oathtool --totp --verbose now prints TOTP hash mode.
  * oathtool: Hash names (e.g., SHA256) for --totp are now upper
    case.  Lower/mixed case hash names are supported for
    compatibility.
  * pam_oath: Fail gracefully for missing users.
    This allows you to incrementally add support for OATH
    authentication instead of forcing it on all users.
  * Fix libpskc memory corruption bug.
  * Fix man pages.
  * Build fixes.
- Update to version 2.6.3
  * pam_oath: Fix self-tests.
- Drop not longer needed patches:
  * 0001-Fix-no-return-in-nonvoid-function-errors-reported-by.patch
  * 0003-pam_oath-assign-safe-default-to-alwaysok-config-memb.patch
  * 0002-update_gnulibs_files.patch
  * gnulib-libio.patch

OBS-URL: https://build.opensuse.org/request/show/859201
OBS-URL: https://build.opensuse.org/package/show/security/oath-toolkit?expand=0&rev=25
This commit is contained in:
Torsten Gruner 2020-12-30 14:07:02 +00:00 committed by Git OBS Bridge
parent 3760c6fe0b
commit 180aeeec77
10 changed files with 68 additions and 9258 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
0001-Fix-no-return-in-nonvoid-function-errors-reported-by.patch
View File

@ -1,39 +0,0 @@
From ff24ad44384433611fabaa9ae9ba8ac1418fb2df Mon Sep 17 00:00:00 2001
From: Martin Hauke <mardnh@gmx.de>
Date: Mon, 29 Aug 2016 22:26:43 +0200
Subject: [PATCH] Fix no-return-in-nonvoid-function errors reported by RPM
postbuild check
I: Program returns random data in a function
E: oath-toolkit no-return-in-nonvoid-function pskcverify.c:43
E: oath-toolkit no-return-in-nonvoid-function serialno.c:45
---
libpskc/examples/pskcverify.c | 2 ++
libpskc/examples/serialno.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/libpskc/examples/pskcverify.c b/libpskc/examples/pskcverify.c
index 76e1b4d..4e6a2cc 100644
--- a/libpskc/examples/pskcverify.c
+++ b/libpskc/examples/pskcverify.c
@@ -40,4 +40,6 @@ main (int argc, const char *argv[])
pskc_done (container);
pskc_global_done ();
+
+ return 0;
}
diff --git a/libpskc/examples/serialno.c b/libpskc/examples/serialno.c
index 7682adb..420cab5 100644
--- a/libpskc/examples/serialno.c
+++ b/libpskc/examples/serialno.c
@@ -42,4 +42,6 @@ main (int argc, const char *argv[])
pskc_done (container);
pskc_global_done ();
+
+ return 0;
}
--
2.6.6

9053
0002-update_gnulibs_files.patch
View File

File diff suppressed because it is too large Load Diff

32
0003-pam_oath-assign-safe-default-to-alwaysok-config-memb.patch
View File

@ -1,32 +0,0 @@
From 70722be5a76d28df8ebbf8a706c6346c57cebb62 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Thu, 5 Jul 2018 18:39:48 +0200
Subject: [PATCH] pam_oath: assign safe default to alwaysok config member
The way this was before allowed for the PAM authentication to
potentially succeed when the first `goto done` line is hit. If the
undefined data behind alwaysok is non-zero (which is quite probable)
this would happen.
In theory a local attacker could try to exhaust memory just enough to
hit this spot and get e.g. root access.
---
pam_oath/pam_oath.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c
index 57fd33c..cfc3331 100644
--- a/pam_oath/pam_oath.c
+++ b/pam_oath/pam_oath.c
@@ -146,6 +146,8 @@ pam_sm_authenticate (pam_handle_t * pamh,
char *query_prompt = NULL;
char *onlypasswd = strdup (""); /* empty passwords never match */
+ cfg.alwaysok = false; /* make sure this gets a safe default */
+
if (!onlypasswd)
{
retval = PAM_BUF_ERR;
--
2.16.4

119
gnulib-libio.patch
View File

@ -1,119 +0,0 @@
2018-03-05 Paul Eggert <eggert@cs.ucla.edu>
fflush: adjust to glibc 2.28 libio.h removal
Problem reported by Daniel P. Berrangé in:
https://lists.gnu.org/r/bug-gnulib/2018-03/msg00000.html
* lib/fbufmode.c (fbufmode):
* lib/fflush.c (clear_ungetc_buffer_preserving_position)
(disable_seek_optimization, rpl_fflush):
* lib/fpending.c (__fpending):
* lib/fpurge.c (fpurge):
* lib/freadable.c (freadable):
* lib/freadahead.c (freadahead):
* lib/freading.c (freading):
* lib/freadptr.c (freadptr):
* lib/freadseek.c (freadptrinc):
* lib/fseeko.c (fseeko):
* lib/fseterr.c (fseterr):
* lib/fwritable.c (fwritable):
* lib/fwriting.c (fwriting):
Check _IO_EOF_SEEN instead of _IO_ftrylockfile.
* lib/stdio-impl.h (_IO_IN_BACKUP) [_IO_EOF_SEEN]:
Define if not already defined.
Index: oath-toolkit-2.6.2/liboath/gl/fflush.c
===================================================================
--- oath-toolkit-2.6.2.orig/liboath/gl/fflush.c
+++ oath-toolkit-2.6.2/liboath/gl/fflush.c
@@ -33,7 +33,7 @@
#undef fflush
-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
/* Clear the stream's ungetc buffer, preserving the value of ftello (fp). */
static void
@@ -72,7 +72,7 @@ clear_ungetc_buffer (FILE *fp)
#endif
-#if ! (defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */)
+#if ! (defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */)
# if (defined __sferror || defined __DragonFly__ || defined __ANDROID__) && defined __SNPT
/* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Android */
@@ -148,7 +148,7 @@ rpl_fflush (FILE *stream)
if (stream == NULL || ! freading (stream))
return fflush (stream);
-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
clear_ungetc_buffer_preserving_position (stream);
Index: oath-toolkit-2.6.2/liboath/gl/fpurge.c
===================================================================
--- oath-toolkit-2.6.2.orig/liboath/gl/fpurge.c
+++ oath-toolkit-2.6.2/liboath/gl/fpurge.c
@@ -62,7 +62,7 @@ fpurge (FILE *fp)
/* Most systems provide FILE as a struct and the necessary bitmask in
<stdio.h>, because they need it for implementing getc() and putc() as
fast macros. */
-# if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+# if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
fp->_IO_read_end = fp->_IO_read_ptr;
fp->_IO_write_ptr = fp->_IO_write_base;
/* Avoid memory leak when there is an active ungetc buffer. */
Index: oath-toolkit-2.6.2/liboath/gl/freading.c
===================================================================
--- oath-toolkit-2.6.2.orig/liboath/gl/freading.c
+++ oath-toolkit-2.6.2/liboath/gl/freading.c
@@ -31,7 +31,7 @@ freading (FILE *fp)
/* Most systems provide FILE as a struct and the necessary bitmask in
<stdio.h>, because they need it for implementing getc() and putc() as
fast macros. */
-# if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+# if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
return ((fp->_flags & _IO_NO_WRITES) != 0
|| ((fp->_flags & (_IO_NO_READS | _IO_CURRENTLY_PUTTING)) == 0
&& fp->_IO_read_base != NULL));
Index: oath-toolkit-2.6.2/liboath/gl/fseeko.c
===================================================================
--- oath-toolkit-2.6.2.orig/liboath/gl/fseeko.c
+++ oath-toolkit-2.6.2/liboath/gl/fseeko.c
@@ -47,7 +47,7 @@ fseeko (FILE *fp, off_t offset, int when
#endif
/* These tests are based on fpurge.c. */
-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
if (fp->_IO_read_end == fp->_IO_read_ptr
&& fp->_IO_write_ptr == fp->_IO_write_base
&& fp->_IO_save_base == NULL)
@@ -123,7 +123,7 @@ fseeko (FILE *fp, off_t offset, int when
return -1;
}
-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
fp->_flags &= ~_IO_EOF_SEEN;
fp->_offset = pos;
#elif defined __sferror || defined __DragonFly__ || defined __ANDROID__
Index: oath-toolkit-2.6.2/liboath/gl/stdio-impl.h
===================================================================
--- oath-toolkit-2.6.2.orig/liboath/gl/stdio-impl.h
+++ oath-toolkit-2.6.2/liboath/gl/stdio-impl.h
@@ -18,6 +18,12 @@
the same implementation of stdio extension API, except that some fields
have different naming conventions, or their access requires some casts. */
+/* Glibc 2.28 made _IO_IN_BACKUP private. For now, work around this
+ problem by defining it ourselves. FIXME: Do not rely on glibc
+ internals. */
+#if !defined _IO_IN_BACKUP && defined _IO_EOF_SEEN
+# define _IO_IN_BACKUP 0x100
+#endif
/* BSD stdio derived implementations. */

3
oath-toolkit-2.6.2.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b03446fa4b549af5ebe4d35d7aba51163442d255660558cd861ebce536824aa0
size 4295786

3
oath-toolkit-2.6.5.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d207120c7e7fdd540142d04ca06d83fb3277c8f2fb794a74535d04b2aa0ec219
size 5477292

BIN
oath-toolkit-2.6.5.tar.gz.sig Normal file
View File

Binary file not shown.

36
oath-toolkit.changes
View File

@ -1,3 +1,39 @@
-------------------------------------------------------------------
Tue Dec 29 11:58:14 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Update to version 2.6.5
* oathtool: Support for reading KEY and OTP from standard input
or filename.
KEY and OTP may now be given as '-' to mean stdin, or @FILE to
read from a particular file. This is recommended on multi-user
systems, since secrets as command line parameters leak.
* pam_oath: Fix unlikely logic fail on out of memory conditions.
* Doc fixes.
- Update to version 2.6.4
* libpskc: New --with-xmlsec-crypto-engine to hard-code crypto
engine. Use it like --with-xmlsec-crypto-engine=gnutls or
--with-xmlsec-crypto-engine=openssl if the default dynamic
loading fails because of runtime linker search path issues.
* oathtool --totp --verbose now prints TOTP hash mode.
* oathtool: Hash names (e.g., SHA256) for --totp are now upper
case. Lower/mixed case hash names are supported for
compatibility.
* pam_oath: Fail gracefully for missing users.
This allows you to incrementally add support for OATH
authentication instead of forcing it on all users.
* Fix libpskc memory corruption bug.
* Fix man pages.
* Build fixes.
- Update to version 2.6.3
* pam_oath: Fix self-tests.
- Drop not longer needed patches:
* 0001-Fix-no-return-in-nonvoid-function-errors-reported-by.patch
* 0003-pam_oath-assign-safe-default-to-alwaysok-config-memb.patch
* 0002-update_gnulibs_files.patch
* gnulib-libio.patch
- Use source verification
- Use proper source URLs
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Aug 6 07:59:16 UTC 2018 - schwab@suse.de Mon Aug 6 07:59:16 UTC 2018 - schwab@suse.de

23
oath-toolkit.keyring Normal file
View File

@ -0,0 +1,23 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9fV+QlTmXxo2naObDuGtw5
8YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9zZWZzc29uLm9yZz6IlgQT
FggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYhBLHSvRN1vst4TPT4xNc8
9jjFPAa+BQJezg00BQkDekmAAAoJENc89jjFPAa+7QMBAKyq5ZypvFOXgcwlNtQd
f6F+SP9LnCNSreQRYo4RxSwAAQD7A+O56xFPB1DIM74lpvaExNJFHbJXCIfFGifJ
ycR0A7gzBFySz3UWCSsGAQQB2kcPAQEHQLzCFcHHrKzVSPDDarZPYqn89H5TPaxw
cORgRg+4DagEiH4EGBYIACYCGyAWIQSx0r0Tdb7LeEz0+MTXPPY4xTwGvgUCXs4N
RwUJA3pI0gAKCRDXPPY4xTwGvgxBAQCyHr8nGeaoOAmhPPOGDObOoa6/Dps+WBpm
vFw8J/Z5AAEAtE/pypHisMHmF4cy5S/kHVzLZvfxaTAlGqtoZGHShAa4MwRcks+B
FgkrBgEEAdpHDwEBB0DsUwiDmnlwMSNoSF+ByvW0E6TVXou9PKDa9SpZvKghioj1
BBgWCAAmAhsCFiEEsdK9E3W+y3hM9PjE1zz2OMU8Br4FAl7ODUwFCQN6SMsAgXYg
BBkWCAAdFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAlySz4EACgkQUXIrCP5HRaKn
TAEAoB+OWrHmYCK8Cjr1DgPUH7JnhPBmR2DbhR5jPRREEugA+gOMeWmL6GOpaPfK
YLcNhzw4ZnAlxSLY1wq1eANBpiQOCRDXPPY4xTwGvuQiAPwKnKAbzegaSATxN1cd
Fia4m80uJNFHMQL679WSBG3FIAEA8uLgxGud6SqFgIaFR4wrzrIgzVWqHxDuu56f
JSf/iAe4OARcks9qEgorBgEEAZdVAQUBAQdAMZUbpg1up2WOwPlQn3pPVaRMejyZ
nScmD7d5TRzHehwDAQgHiH4EGBYIACYCGwwWIQSx0r0Tdb7LeEz0+MTXPPY4xTwG
vgUCXs4NQAUJA3pI1gAKCRDXPPY4xTwGvu8QAP9Ln136hLt/yLfx4KYjBxPAdfd9
oRYd3xqWFBxNZmn+BgD/XZrhNaY3MEBV4yIx4ts6JT7dJfXGcbNjxK1T2BlXdQE=
=moUA
-----END PGP PUBLIC KEY BLOCK-----

18
oath-toolkit.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package oath-toolkit # spec file for package oath-toolkit
# #
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2020 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -12,22 +12,20 @@
# license that conforms to the Open Source Definition (Version 1.9) # license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative. # published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Please submit bugfixes or comments via https://bugs.opensuse.org/
# #
Name: oath-toolkit Name: oath-toolkit
Version: 2.6.2 Version: 2.6.5
Release: 0 Release: 0
Summary: Toolkit for one-time password authentication systems Summary: Toolkit for one-time password authentication systems
License: GPL-3.0-or-later AND LGPL-2.1-or-later License: GPL-3.0-or-later AND LGPL-2.1-or-later
Group: Productivity/Networking/Security Group: Productivity/Networking/Security
URL: http://www.nongnu.org/oath-toolkit/ URL: http://www.nongnu.org/oath-toolkit/
Source: http://download.savannah.nongnu.org/releases/%{name}/%{name}-%{version}.tar.gz Source: https://download-mirror.savannah.gnu.org/releases/%{name}/%{name}-%{version}.tar.gz
Patch1: 0001-Fix-no-return-in-nonvoid-function-errors-reported-by.patch Source1: https://download-mirror.savannah.gnu.org/releases/%{name}/%{name}-%{version}.tar.gz.sig
Patch2: 0002-update_gnulibs_files.patch Source99: %{name}.keyring
Patch3: 0003-pam_oath-assign-safe-default-to-alwaysok-config-memb.patch
Patch4: gnulib-libio.patch
BuildRequires: bison BuildRequires: bison
BuildRequires: gengetopt BuildRequires: gengetopt
BuildRequires: libgcrypt-devel BuildRequires: libgcrypt-devel
@ -130,10 +128,6 @@ This subpackage contains the headers for this library.
%prep %prep
%setup -q %setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%build %build
autoreconf -fiv autoreconf -fiv