- Update to current git:

- Linux-PAM-git-20150109.diff replaces Linux-PAM-git-20140127.diff - obsoletes pam_loginuid-log_write_errors.diff - obsoletes pam_xauth-sigpipe.diff - obsoletes bug-870433_pam_timestamp-fix-directory-traversal.patch OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=143
2015-01-09 14:23:58 +00:00 · 2015-01-09 14:23:58 +00:00 · dc953fdb0f
commit dc953fdb0f
parent bdcad7ea0f
7 changed files with 38197 additions and 1160 deletions
--- a/Linux-PAM-git-20140127.diff
+++ b/Linux-PAM-git-20140127.diff
--- a/Linux-PAM-git-20150109.diff
+++ b/Linux-PAM-git-20150109.diff
--- a/bug-870433_pam_timestamp-fix-directory-traversal.patch
+++ b/bug-870433_pam_timestamp-fix-directory-traversal.patch
@ -1,53 +0,0 @@
-From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
-From: "Dmitry V. Levin" <ldv@altlinux.org>
-Date: Wed, 26 Mar 2014 22:17:23 +0000
-Subject: [PATCH] pam_timestamp: fix potential directory traversal issue
- (ticket #27)
-
-pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
-the timestamp pathname it creates, so extra care should be taken to
-avoid potential directory traversal issues.
-
-* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
-"." and ".." tty values as invalid.
-(get_ruser): Treat "." and ".." ruser values, as well as any ruser
-value containing '/', as invalid.
-
-Fixes CVE-2014-2583.
-
-Reported-by: Sebastian Krahmer <krahmer@suse.de>
---
- modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
-index 5193733..b3f08b1 100644
--- a/modules/pam_timestamp/pam_timestamp.c
-+++ b/modules/pam_timestamp/pam_timestamp.c
-@@ -158,7 +158,7 @@ check_tty(const char *tty)
- 		tty = strrchr(tty, '/') + 1;
- 	}
- 	/* Make sure the tty wasn't actually a directory (no basename). */
-	if (strlen(tty) == 0) {
-+	if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
- 		return NULL;
- 	}
- 	return tty;
-@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
- 		if (pwd != NULL) {
- 			ruser = pwd->pw_name;
- 		}
-+	} else {
-+		/*
-+		 * This ruser is used by format_timestamp_name as a component
-+		 * of constructed timestamp pathname, so ".", "..", and '/'
-+		 * are disallowed to avoid potential path traversal issues.
-+		 */
-+		if (!strcmp(ruser, ".") ||
-+		    !strcmp(ruser, "..") ||
-+		    strchr(ruser, '/')) {
-+			ruser = NULL;
-+		}
- 	}
- 	if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
- 		*ruserbuf = '\0';
--- a/pam.changes
+++ b/pam.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Fri Jan  9 14:53:50 CET 2015 - kukuk@suse.de
+
+- Update to current git:
+  - Linux-PAM-git-20150109.diff replaces Linux-PAM-git-20140127.diff
+  - obsoletes pam_loginuid-log_write_errors.diff
+  - obsoletes pam_xauth-sigpipe.diff
+  - obsoletes bug-870433_pam_timestamp-fix-directory-traversal.patch
+
 -------------------------------------------------------------------
 Tue May  6 14:31:36 UTC 2014 - bwiedemann@suse.com

--- a/pam.spec
+++ b/pam.spec
@ -1,7 +1,7 @@
 #
 # spec file for package pam
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -52,12 +52,13 @@ Source7:        common-session.pamd
 Source8:        etc.environment
 Source9:        baselibs.conf
 Patch0:         fix-man-links.dif
-Patch1:         Linux-PAM-git-20140127.diff
-Patch2:         pam_loginuid-log_write_errors.diff
-Patch3:         pam_xauth-sigpipe.diff
-Patch4:         bug-870433_pam_timestamp-fix-directory-traversal.patch
-Patch5:         pam-limit-nproc.patch
+Patch1:         Linux-PAM-git-20150109.diff
+Patch2:         pam-limit-nproc.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+# Remove with next version update:
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  libtool

 %description
 PAM (Pluggable Authentication Modules) is a system security tool that
@ -103,11 +104,9 @@ building both PAM-aware applications and modules for use with PAM.
 %patch0 -p1
 %patch1 -p2
 %patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1

 %build
+autoreconf -fiv
 export CFLAGS="%optflags -DNDEBUG"
 %configure \
 	--sbindir=/sbin \
--- a/pam_loginuid-log_write_errors.diff
+++ b/pam_loginuid-log_write_errors.diff
@ -1,47 +0,0 @@
-commit 256b50e1fce2f785f1032a1949dd2d1dbc17e250
-Author: Dmitry V. Levin <ldv@altlinux.org>
-Date:   Sun Jan 19 14:12:59 2014 +0000
-
-    pam_loginuid: log significant loginuid write errors
-    
-    * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Log those errors
-    during /proc/self/loginuid update that are not ignored.
-
- modules/pam_loginuid/pam_loginuid.c |   12 +++++++++---
- 1 files changed, 9 insertions(+), 3 deletions(-)
---
-diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c
-index c476f7b..73c42f9 100644
--- a/modules/pam_loginuid/pam_loginuid.c
-+++ b/modules/pam_loginuid/pam_loginuid.c
-@@ -75,8 +75,8 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid)
- 			rc = PAM_IGNORE;
- 		}
- 		if (rc != PAM_IGNORE) {
-			pam_syslog(pamh, LOG_ERR,
-				   "Cannot open /proc/self/loginuid: %m");
-+			pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m",
-+				   "/proc/self/loginuid");
- 		}
- 		return rc;
- 	}
-@@ -88,8 +88,14 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid)
- 		goto done;	/* already correct */
- 	}
- 	if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 &&
-	    pam_modutil_write(fd, loginuid, count) == count)
-+	    pam_modutil_write(fd, loginuid, count) == count) {
- 		rc = PAM_SUCCESS;
-+	} else {
-+		if (rc != PAM_IGNORE) {
-+			pam_syslog(pamh, LOG_ERR, "Error writing %s: %m",
-+				   "/proc/self/loginuid");
-+		}
-+	}
-  done:
- 	close(fd);
- 	return rc;
-_______________________________________________
-linux-pam-commits mailing list
-linux-pam-commits@lists.fedorahosted.org
-https://lists.fedorahosted.org/mailman/listinfo/linux-pam-commits
--- a/pam_xauth-sigpipe.diff
+++ b/pam_xauth-sigpipe.diff
@ -1,36 +0,0 @@
-commit 47db675c910a065fa9602753a904b050b0322f29
-Author: Dmitry V. Levin <ldv@altlinux.org>
-Date:   Fri Jan 24 13:38:38 2014 +0000
-
-    pam_xauth: avoid potential SIGPIPE when writing to xauth process
-    
-    Similar issue in pam_unix was fixed by commit Linux-PAM-0-73~8.
-    
-    * modules/pam_xauth/pam_xauth.c (run_coprocess): In the parent process,
-    close the read end of input pipe after writing to its write end.
-
- modules/pam_xauth/pam_xauth.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
---
-diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c
-index 7075547..c7ce55a 100644
--- a/modules/pam_xauth/pam_xauth.c
-+++ b/modules/pam_xauth/pam_xauth.c
-@@ -179,12 +179,12 @@ run_coprocess(pam_handle_t *pamh, const char *input, char **output,
- 	}
- 
- 	/* We're the parent, so close the other ends of the pipes. */
-	close(ipipe[0]);
- 	close(opipe[1]);
- 	/* Send input to the process (if we have any), then send an EOF. */
- 	if (input) {
- 		(void)pam_modutil_write(ipipe[1], input, strlen(input));
- 	}
-+	close(ipipe[0]); /* close here to avoid possible SIGPIPE above */
- 	close(ipipe[1]);
- 
- 	/* Read data output until we run out of stuff to read. */
-_______________________________________________
-linux-pam-commits mailing list
-linux-pam-commits@lists.fedorahosted.org
-https://lists.fedorahosted.org/mailman/listinfo/linux-pam-commits