- Update to current git:

- Linux-PAM-git-20150109.diff replaces Linux-PAM-git-20140127.diff - obsoletes pam_loginuid-log_write_errors.diff - obsoletes pam_xauth-sigpipe.diff - obsoletes bug-870433_pam_timestamp-fix-directory-traversal.patch OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=143
2015-01-09 14:23:58 +00:00 · 2015-01-09 14:23:58 +00:00 · dc953fdb0f
commit dc953fdb0f
parent bdcad7ea0f
7 changed files with 38197 additions and 1160 deletions
--- a/Linux-PAM-git-20140127.diff
+++ b/Linux-PAM-git-20140127.diff
--- a/Linux-PAM-git-20150109.diff
+++ b/Linux-PAM-git-20150109.diff
--- a/bug-870433_pam_timestamp-fix-directory-traversal.patch
+++ b/bug-870433_pam_timestamp-fix-directory-traversal.patch
@ -1,53 +0,0 @@
 From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
 From: "Dmitry V. Levin" <ldv@altlinux.org>
 Date: Wed, 26 Mar 2014 22:17:23 +0000
 Subject: [PATCH] pam_timestamp: fix potential directory traversal issue
 (ticket #27)
 pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
 the timestamp pathname it creates, so extra care should be taken to
 avoid potential directory traversal issues.
 * modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
 "." and ".." tty values as invalid.
 (get_ruser): Treat "." and ".." ruser values, as well as any ruser
 value containing '/', as invalid.
 Fixes CVE-2014-2583.
 Reported-by: Sebastian Krahmer <krahmer@suse.de>
 ---
 modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
 diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
 index 5193733..b3f08b1 100644
 --- a/modules/pam_timestamp/pam_timestamp.c
 +++ b/modules/pam_timestamp/pam_timestamp.c
@@ -158,7 +158,7 @@ check_tty(const char *tty)
 		tty = strrchr(tty, '/') + 1;
 	}
 	/* Make sure the tty wasn't actually a directory (no basename). */
 -	if (strlen(tty) == 0) {
 +	if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
 		return NULL;
 	}
 	return tty;
@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
 		if (pwd != NULL) {
 			ruser = pwd->pw_name;
 		}
 +	} else {
 +		/*
 +		 * This ruser is used by format_timestamp_name as a component
 +		 * of constructed timestamp pathname, so ".", "..", and '/'
 +		 * are disallowed to avoid potential path traversal issues.
 +		 */
 +		if (!strcmp(ruser, ".") ||
 +		    !strcmp(ruser, "..") ||
 +		    strchr(ruser, '/')) {
 +			ruser = NULL;
 +		}
 	}
 	if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
 		*ruserbuf = '\0';
--- a/pam.changes
+++ b/pam.changes
@ -1,3 +1,12 @@
 -------------------------------------------------------------------
 Fri Jan  9 14:53:50 CET 2015 - kukuk@suse.de
 - Update to current git:
  - Linux-PAM-git-20150109.diff replaces Linux-PAM-git-20140127.diff
  - obsoletes pam_loginuid-log_write_errors.diff
  - obsoletes pam_xauth-sigpipe.diff
  - obsoletes bug-870433_pam_timestamp-fix-directory-traversal.patch
 -------------------------------------------------------------------
 Tue May  6 14:31:36 UTC 2014 - bwiedemann@suse.com
--- a/pam.spec
+++ b/pam.spec
@ -1,7 +1,7 @@
 #
 # spec file for package pam
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -52,12 +52,13 @@ Source7:        common-session.pamd
 Source8:        etc.environment
 Source9:        baselibs.conf
 Patch0:         fix-man-links.dif
-Patch1:         Linux-PAM-git-20140127.diff
+Patch1:         Linux-PAM-git-20150109.diff
-Patch2:         pam_loginuid-log_write_errors.diff
+Patch2:         pam-limit-nproc.patch
 Patch3:         pam_xauth-sigpipe.diff
 Patch4:         bug-870433_pam_timestamp-fix-directory-traversal.patch
 Patch5:         pam-limit-nproc.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 # Remove with next version update:
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libtool
 %description
 PAM (Pluggable Authentication Modules) is a system security tool that
@ -103,11 +104,9 @@ building both PAM-aware applications and modules for use with PAM.
 %patch0 -p1
 %patch1 -p2
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %build
 autoreconf -fiv
 export CFLAGS="%optflags -DNDEBUG"
 %configure \
 	--sbindir=/sbin \
--- a/pam_loginuid-log_write_errors.diff
+++ b/pam_loginuid-log_write_errors.diff
@ -1,47 +0,0 @@
 commit 256b50e1fce2f785f1032a1949dd2d1dbc17e250
 Author: Dmitry V. Levin <ldv@altlinux.org>
 Date:   Sun Jan 19 14:12:59 2014 +0000
    pam_loginuid: log significant loginuid write errors
    * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Log those errors
    during /proc/self/loginuid update that are not ignored.
 modules/pam_loginuid/pam_loginuid.c |   12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)
 ---
 diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c
 index c476f7b..73c42f9 100644
 --- a/modules/pam_loginuid/pam_loginuid.c
 +++ b/modules/pam_loginuid/pam_loginuid.c
@@ -75,8 +75,8 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid)
 			rc = PAM_IGNORE;
 		}
 		if (rc != PAM_IGNORE) {
 -			pam_syslog(pamh, LOG_ERR,
 -				   "Cannot open /proc/self/loginuid: %m");
 +			pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m",
 +				   "/proc/self/loginuid");
 		}
 		return rc;
 	}
@@ -88,8 +88,14 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid)
 		goto done;	/* already correct */
 	}
 	if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 &&
 -	    pam_modutil_write(fd, loginuid, count) == count)
 +	    pam_modutil_write(fd, loginuid, count) == count) {
 		rc = PAM_SUCCESS;
 +	} else {
 +		if (rc != PAM_IGNORE) {
 +			pam_syslog(pamh, LOG_ERR, "Error writing %s: %m",
 +				   "/proc/self/loginuid");
 +		}
 +	}
  done:
 	close(fd);
 	return rc;
 _______________________________________________
 linux-pam-commits mailing list
 linux-pam-commits@lists.fedorahosted.org
 https://lists.fedorahosted.org/mailman/listinfo/linux-pam-commits
--- a/pam_xauth-sigpipe.diff
+++ b/pam_xauth-sigpipe.diff
@ -1,36 +0,0 @@
 commit 47db675c910a065fa9602753a904b050b0322f29
 Author: Dmitry V. Levin <ldv@altlinux.org>
 Date:   Fri Jan 24 13:38:38 2014 +0000
    pam_xauth: avoid potential SIGPIPE when writing to xauth process
    Similar issue in pam_unix was fixed by commit Linux-PAM-0-73~8.
    * modules/pam_xauth/pam_xauth.c (run_coprocess): In the parent process,
    close the read end of input pipe after writing to its write end.
 modules/pam_xauth/pam_xauth.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
 ---
 diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c
 index 7075547..c7ce55a 100644
 --- a/modules/pam_xauth/pam_xauth.c
 +++ b/modules/pam_xauth/pam_xauth.c
@@ -179,12 +179,12 @@ run_coprocess(pam_handle_t *pamh, const char *input, char **output,
 	}
 	/* We're the parent, so close the other ends of the pipes. */
 -	close(ipipe[0]);
 	close(opipe[1]);
 	/* Send input to the process (if we have any), then send an EOF. */
 	if (input) {
 		(void)pam_modutil_write(ipipe[1], input, strlen(input));
 	}
 +	close(ipipe[0]); /* close here to avoid possible SIGPIPE above */
 	close(ipipe[1]);
 	/* Read data output until we run out of stuff to read. */
 _______________________________________________
 linux-pam-commits mailing list
 linux-pam-commits@lists.fedorahosted.org
 https://lists.fedorahosted.org/mailman/listinfo/linux-pam-commits