Accepting request 283087 from Linux-PAM

1 OBS-URL: https://build.opensuse.org/request/show/283087 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=79
2015-01-30 05:02:44 +00:00 · 2015-01-30 05:02:44 +00:00 · 34d91a5a3b
commit 34d91a5a3b
parent 19e8b12220 650e0bc92d
9 changed files with 38289 additions and 1163 deletions
--- a/Linux-PAM-git-20140127.diff
+++ b/Linux-PAM-git-20140127.diff
--- a/Linux-PAM-git-20150109.diff
+++ b/Linux-PAM-git-20150109.diff
--- a/bug-870433_pam_timestamp-fix-directory-traversal.patch
+++ b/bug-870433_pam_timestamp-fix-directory-traversal.patch
@ -1,53 +0,0 @@
-From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
-From: "Dmitry V. Levin" <ldv@altlinux.org>
-Date: Wed, 26 Mar 2014 22:17:23 +0000
-Subject: [PATCH] pam_timestamp: fix potential directory traversal issue
- (ticket #27)
-
-pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
-the timestamp pathname it creates, so extra care should be taken to
-avoid potential directory traversal issues.
-
-* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
-"." and ".." tty values as invalid.
-(get_ruser): Treat "." and ".." ruser values, as well as any ruser
-value containing '/', as invalid.
-
-Fixes CVE-2014-2583.
-
-Reported-by: Sebastian Krahmer <krahmer@suse.de>
---
- modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
-index 5193733..b3f08b1 100644
--- a/modules/pam_timestamp/pam_timestamp.c
-+++ b/modules/pam_timestamp/pam_timestamp.c
-@@ -158,7 +158,7 @@ check_tty(const char *tty)
- 		tty = strrchr(tty, '/') + 1;
- 	}
- 	/* Make sure the tty wasn't actually a directory (no basename). */
-	if (strlen(tty) == 0) {
-+	if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
- 		return NULL;
- 	}
- 	return tty;
-@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
- 		if (pwd != NULL) {
- 			ruser = pwd->pw_name;
- 		}
-+	} else {
-+		/*
-+		 * This ruser is used by format_timestamp_name as a component
-+		 * of constructed timestamp pathname, so ".", "..", and '/'
-+		 * are disallowed to avoid potential path traversal issues.
-+		 */
-+		if (!strcmp(ruser, ".") ||
-+		    !strcmp(ruser, "..") ||
-+		    strchr(ruser, '/')) {
-+			ruser = NULL;
-+		}
- 	}
- 	if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
- 		*ruserbuf = '\0';
--- a/encryption_method_nis.diff
+++ b/encryption_method_nis.diff
@ -0,0 +1,77 @@
+diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
+index 0cfc0f4..2239206 100644
+--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
+@@ -796,6 +796,29 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
+ 		 * rebuild the password database file.
+ 		 */
+ 
+
+		/* if it is a NIS account, check for special hash algo */
+		if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1)) {
+		  /* preset encryption method with value from /etc/login.defs */
+		  int j;
+		  char *val = _unix_search_key ("ENCRYPT_METHOD_NIS", LOGIN_DEFS);
+		  if (val) {
+		    for (j = 0; j < UNIX_CTRLS_; ++j) {
+		      if (unix_args[j].token && unix_args[j].is_hash_algo
+			  && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) {
+			break;
+		      }
+		    }
+		    if (j >= UNIX_CTRLS_) {
+		      pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPT_METHOD_NIS value [%s]", val);
+		    } else {
+		      ctrl &= unix_args[j].mask;  /* for turning things off */
+		      ctrl |= unix_args[j].flag;  /* for turning things on  */
+		    }
+		    free (val);
+		  }
+		}
+
+ 		/*
+ 		 * First we encrypt the new password.
+ 		 */
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index 19d72e6..dafa9f0 100644
+--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
+@@ -37,8 +37,8 @@
+ #define SELINUX_ENABLED 0
+ #endif
+ 
+-static char *
+-search_key (const char *key, const char *filename)
+char *
+_unix_search_key (const char *key, const char *filename)
+ {
+   FILE *fp;
+   char *buf = NULL;
+@@ -159,7 +159,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
+ 	}
+ 
+ 	/* preset encryption method with value from /etc/login.defs */
+-	val = search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
+	val = _unix_search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
+ 	if (val) {
+ 	  for (j = 0; j < UNIX_CTRLS_; ++j) {
+ 	    if (unix_args[j].token && unix_args[j].is_hash_algo
+@@ -177,7 +177,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
+ 
+ 	  /* read number of rounds for crypt algo */
+ 	  if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) {
+-	    val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
+	    val=_unix_search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
+ 
+ 	    if (val) {
+ 	      *rounds = strtol(val, NULL, 10);
+diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
+index 6f5b2eb..a35a8a8 100644
+--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
+@@ -174,4 +174,5 @@ extern int _unix_read_password(pam_handle_t * pamh
+ 
+ extern int _unix_run_verify_binary(pam_handle_t *pamh,
+ 			unsigned int ctrl, const char *user, int *daysleft);
+extern char *_unix_search_key(const char *key, const char *filename);
+ #endif /* _PAM_UNIX_SUPPORT_H */
--- a/pam-limit-nproc.patch
+++ b/pam-limit-nproc.patch
@ -7,9 +7,9 @@ Index: Linux-PAM-1.1.8/modules/pam_limits/limits.conf
 #@student        -       maxlogins       4
 
 +# harden against fork-bombs
-+*               hard    nproc           800
-+*               soft    nproc           700
-+root            hard    nproc           900
-+root            soft    nproc           850
+*               hard    nproc           1700
+*               soft    nproc           1200
+root            hard    nproc           3000
+root            soft    nproc           1850
 +
 # End of file
--- a/pam.changes
+++ b/pam.changes
@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Fri Jan  9 15:37:28 CET 2015 - kukuk@suse.de
+
+- Re-add lost patch encryption_method_nis.diff [bnc#906660]
+
+-------------------------------------------------------------------
+Fri Jan  9 14:53:50 CET 2015 - kukuk@suse.de
+
+- Update to current git:
+  - Linux-PAM-git-20150109.diff replaces Linux-PAM-git-20140127.diff
+  - obsoletes pam_loginuid-log_write_errors.diff
+  - obsoletes pam_xauth-sigpipe.diff
+  - obsoletes bug-870433_pam_timestamp-fix-directory-traversal.patch
+
+-------------------------------------------------------------------
+Fri Jan  9 11:10:45 UTC 2015 - bwiedemann@suse.com
+
+- increase process limit to 1200 to help chromium users with many tabs
+
 -------------------------------------------------------------------
 Tue May  6 14:31:36 UTC 2014 - bwiedemann@suse.com

--- a/pam.spec
+++ b/pam.spec
@ -1,7 +1,7 @@
 #
 # spec file for package pam
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -52,12 +52,14 @@ Source7:        common-session.pamd
 Source8:        etc.environment
 Source9:        baselibs.conf
 Patch0:         fix-man-links.dif
-Patch1:         Linux-PAM-git-20140127.diff
-Patch2:         pam_loginuid-log_write_errors.diff
-Patch3:         pam_xauth-sigpipe.diff
-Patch4:         bug-870433_pam_timestamp-fix-directory-traversal.patch
-Patch5:         pam-limit-nproc.patch
+Patch1:         Linux-PAM-git-20150109.diff
+Patch2:         pam-limit-nproc.patch
+Patch3:         encryption_method_nis.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+# Remove with next version update:
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  libtool

 %description
 PAM (Pluggable Authentication Modules) is a system security tool that
@ -104,10 +106,9 @@ building both PAM-aware applications and modules for use with PAM.
 %patch1 -p2
 %patch2 -p1
 %patch3 -p1
-%patch4 -p1
-%patch5 -p1

 %build
+autoreconf -fiv
 export CFLAGS="%optflags -DNDEBUG"
 %configure \
 	--sbindir=/sbin \
--- a/pam_loginuid-log_write_errors.diff
+++ b/pam_loginuid-log_write_errors.diff
@ -1,47 +0,0 @@
-commit 256b50e1fce2f785f1032a1949dd2d1dbc17e250
-Author: Dmitry V. Levin <ldv@altlinux.org>
-Date:   Sun Jan 19 14:12:59 2014 +0000
-
-    pam_loginuid: log significant loginuid write errors
-    
-    * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Log those errors
-    during /proc/self/loginuid update that are not ignored.
-
- modules/pam_loginuid/pam_loginuid.c |   12 +++++++++---
- 1 files changed, 9 insertions(+), 3 deletions(-)
---
-diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c
-index c476f7b..73c42f9 100644
--- a/modules/pam_loginuid/pam_loginuid.c
-+++ b/modules/pam_loginuid/pam_loginuid.c
-@@ -75,8 +75,8 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid)
- 			rc = PAM_IGNORE;
- 		}
- 		if (rc != PAM_IGNORE) {
-			pam_syslog(pamh, LOG_ERR,
-				   "Cannot open /proc/self/loginuid: %m");
-+			pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m",
-+				   "/proc/self/loginuid");
- 		}
- 		return rc;
- 	}
-@@ -88,8 +88,14 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid)
- 		goto done;	/* already correct */
- 	}
- 	if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 &&
-	    pam_modutil_write(fd, loginuid, count) == count)
-+	    pam_modutil_write(fd, loginuid, count) == count) {
- 		rc = PAM_SUCCESS;
-+	} else {
-+		if (rc != PAM_IGNORE) {
-+			pam_syslog(pamh, LOG_ERR, "Error writing %s: %m",
-+				   "/proc/self/loginuid");
-+		}
-+	}
-  done:
- 	close(fd);
- 	return rc;
-_______________________________________________
-linux-pam-commits mailing list
-linux-pam-commits@lists.fedorahosted.org
-https://lists.fedorahosted.org/mailman/listinfo/linux-pam-commits
--- a/pam_xauth-sigpipe.diff
+++ b/pam_xauth-sigpipe.diff
@ -1,36 +0,0 @@
-commit 47db675c910a065fa9602753a904b050b0322f29
-Author: Dmitry V. Levin <ldv@altlinux.org>
-Date:   Fri Jan 24 13:38:38 2014 +0000
-
-    pam_xauth: avoid potential SIGPIPE when writing to xauth process
-    
-    Similar issue in pam_unix was fixed by commit Linux-PAM-0-73~8.
-    
-    * modules/pam_xauth/pam_xauth.c (run_coprocess): In the parent process,
-    close the read end of input pipe after writing to its write end.
-
- modules/pam_xauth/pam_xauth.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
---
-diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c
-index 7075547..c7ce55a 100644
--- a/modules/pam_xauth/pam_xauth.c
-+++ b/modules/pam_xauth/pam_xauth.c
-@@ -179,12 +179,12 @@ run_coprocess(pam_handle_t *pamh, const char *input, char **output,
- 	}
- 
- 	/* We're the parent, so close the other ends of the pipes. */
-	close(ipipe[0]);
- 	close(opipe[1]);
- 	/* Send input to the process (if we have any), then send an EOF. */
- 	if (input) {
- 		(void)pam_modutil_write(ipipe[1], input, strlen(input));
- 	}
-+	close(ipipe[0]); /* close here to avoid possible SIGPIPE above */
- 	close(ipipe[1]);
- 
- 	/* Read data output until we run out of stuff to read. */
-_______________________________________________
-linux-pam-commits mailing list
-linux-pam-commits@lists.fedorahosted.org
-https://lists.fedorahosted.org/mailman/listinfo/linux-pam-commits