pool/pam_pkcs11
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1243980 from security:chipcard

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/1243980
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam_pkcs11?expand=0&rev=41
This commit is contained in:
Ana Guerrero 2025-02-06 21:11:13 +00:00 committed by Git OBS Bridge
commit 8e4ca4434d
8 changed files with 44 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
0001-Set-slot_num-configuration-parameter-to-0-by-default.patch
View File

@ -1,39 +0,0 @@
From 8da6c472ddcf18a30676bf8f7c55785dd2de91c5 Mon Sep 17 00:00:00 2001
From: Paul Wolneykien <manowar@altlinux.org>
Date: Fri, 26 Apr 2024 18:10:24 +0300
Subject: [PATCH] Set 'slot_num' configuration parameter to 0 by default
See https://github.com/OpenSC/pam_pkcs11/pull/74 for details.
Signed-off-by: Paul Wolneykien <manowar@altlinux.org>
---
src/pam_pkcs11/pam_config.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
--- a/src/pam_pkcs11/pam_config.c
+++ b/src/pam_pkcs11/pam_config.c
@@ -50,7 +50,7 @@ struct configuration_st configuration =
NULL, /* const char *pkcs11_module_path; */
NULL, /* screen savers */
NULL, /* slot_description */
- -1, /* int slot_num; */
+ 0, /* int slot_num; */
0, /* support threads */
/* cert policy; */
{
@@ -167,13 +167,8 @@ static void parse_config_file(void) {
configuration.slot_num =
scconf_get_int(pkcs11_mblk,"slot_num",configuration.slot_num);
- if (configuration.slot_description != NULL && configuration.slot_num != -1) {
- DBG1("Can not specify both slot_description and slot_num in file %s",configuration.config_file);
- return;
- }
-
- if (configuration.slot_description == NULL && configuration.slot_num == -1) {
- DBG1("Neither slot_description nor slot_num found in file %s",configuration.config_file);
+ if (configuration.slot_description != NULL && configuration.slot_num != 0) {
+ DBG1("Can not specify both slot_description and slot_num != 0 in file %s",configuration.config_file);
return;
}

29
0001-memory-leak-fixes.patch
View File

@ -1,29 +0,0 @@
--- a/src/mappers/mapper.c
+++ b/src/mappers/mapper.c
@@ -83,7 +83,12 @@
/* get a line from buffer */
from = mfile->pt;
/* set up pointer */
- while( *from && isspace(*from) ) from++;
+ while( *from && isspace(*from)){
+ if(from - mfile->buffer + 1 >= mfile->length){
+ return 0;
+ }
+ from++;
+ }
to = strchr(from,'\n');
/* if no newline, assume string ends at end of buffer */
if (!to) to=mfile->buffer+mfile->length;
--- a/src/pam_pkcs11/pam_pkcs11.c
+++ b/src/pam_pkcs11/pam_pkcs11.c
@@ -208,7 +208,7 @@
{
int i, rv;
const char *user = NULL;
- char *password;
+ char *password = NULL;
unsigned int slot_num = 0;
int is_a_screen_saver = 0;
struct configuration_st *configuration;

10
pam_pkcs11-0.5.3-nss-conf.patch
View File

@ -1,7 +1,7 @@
Index: pam_pkcs11-pam_pkcs11-0.6.12/etc/pam_pkcs11.conf.example.in Index: pam_pkcs11-pam_pkcs11-0.6.13/etc/pam_pkcs11.conf.example.in
=================================================================== ===================================================================
--- pam_pkcs11-pam_pkcs11-0.6.12.orig/etc/pam_pkcs11.conf.example.in --- pam_pkcs11-pam_pkcs11-0.6.13.orig/etc/pam_pkcs11.conf.example.in
+++ pam_pkcs11-pam_pkcs11-0.6.12/etc/pam_pkcs11.conf.example.in +++ pam_pkcs11-pam_pkcs11-0.6.13/etc/pam_pkcs11.conf.example.in
@@ -9,7 +9,7 @@ pam_pkcs11 { @@ -9,7 +9,7 @@ pam_pkcs11 {
nullok = true; nullok = true;
@ -24,8 +24,8 @@ Index: pam_pkcs11-pam_pkcs11-0.6.12/etc/pam_pkcs11.conf.example.in
+ } + }
pkcs11_module opensc { pkcs11_module opensc {
module = /usr/lib/opensc-pkcs11.so; module = @libdir@/opensc-pkcs11.so;
@@ -162,7 +167,7 @@ pam_pkcs11 { @@ -164,7 +169,7 @@ pam_pkcs11 {
# If used null mapper should be the last in the list :-) # If used null mapper should be the last in the list :-)
# Also you should select at least one mapper, otherwise # Also you should select at least one mapper, otherwise
# certificate will not match :-) # certificate will not match :-)

10
pam_pkcs11-0.6.0-nss-autoconf.patch
View File

@ -1,6 +1,8 @@
--- pam_pkcs11-0.6.1/src/pam_pkcs11/pam_config.c Index: pam_pkcs11-pam_pkcs11-0.6.13/src/pam_pkcs11/pam_config.c
+++ pam_pkcs11-0.6.1/src/pam_pkcs11/pam_config.c ===================================================================
@@ -45,7 +45,7 @@ --- pam_pkcs11-pam_pkcs11-0.6.13.orig/src/pam_pkcs11/pam_config.c
+++ pam_pkcs11-pam_pkcs11-0.6.13/src/pam_pkcs11/pam_config.c
@@ -47,7 +47,7 @@ struct configuration_st configuration =
0, /* int card_only; */ 0, /* int card_only; */
0, /* int wait_for_card; */ 0, /* int wait_for_card; */
"default", /* const char *pkcs11_module; */ "default", /* const char *pkcs11_module; */
@ -8,4 +10,4 @@
+ NULL, /* const char *pkcs11_module_path; */ + NULL, /* const char *pkcs11_module_path; */
NULL, /* screen savers */ NULL, /* screen savers */
NULL, /* slot_description */ NULL, /* slot_description */
-1, /* int slot_num; */ 0, /* int slot_num; */

BIN
pam_pkcs11-0.6.12.tar.gz (Stored with Git LFS)
View File

Binary file not shown.

3
pam_pkcs11-0.6.13.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8a853f4e6e136ceecdcffad798570e3d6af2fde08e975656b2dc931989c35aff
size 281213

22
pam_pkcs11.changes
View File

@ -1,3 +1,25 @@
-------------------------------------------------------------------
Thu Feb 6 16:04:09 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
- Update to 0.6.13
* Added pkcs11-eventmgr systemd service unit.
* Updated Russian translations for pam_pkcs11 (thx Max Kosmach and Andrey Cherepanov).
* Fixed possible authentication bypass (CVE-2025-24032):
* Use signatures to verify authentication by default (thx Frank Morgner).
* Fixed possible authentication bypass (CVE-2025-24531):
* Restoring the original card_only / wait_for_card behavior (thx Matthias Gerstner, Frank Morgner).
* Move pam_securetty.so upward in the example PAM config.
* Set 'slot_num' configuration parameter to 0 by default (thx Jpereyra316).
* Print details about configuration parse errors (thx Jpereyra316).
* Add Chinese (Simplified) translation.
* Capitalize all PAM messages (thx Alynx Zhou).
* Made pkcs11_make_hash_link support whitespaces in file names
* Drop 0001-Set-slot_num-configuration-parameter-to-0-by-default.patch
* Drop 0001-memory-leak-fixes.patch
* Rebase pam_pkcs11-0.5.3-nss-conf.patch
* Rebase pam_pkcs11-0.6.0-nss-autoconf.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Jan 22 16:07:50 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org> Wed Jan 22 16:07:50 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>

15
pam_pkcs11.spec
View File

@ -19,7 +19,7 @@
# It seems to be an upstream naming bug: # It seems to be an upstream naming bug:
%define _name pam_pkcs11-pam_pkcs11 %define _name pam_pkcs11-pam_pkcs11
Name: pam_pkcs11 Name: pam_pkcs11
Version: 0.6.12 Version: 0.6.13
Release: 0 Release: 0
Summary: PKCS #11 PAM Module Summary: PKCS #11 PAM Module
License: LGPL-2.1-or-later License: LGPL-2.1-or-later
@ -34,9 +34,7 @@ Source4: pkcs11_eventmgr.service
Patch0: %{name}-fsf-address.patch Patch0: %{name}-fsf-address.patch
Patch1: %{name}-0.5.3-nss-conf.patch Patch1: %{name}-0.5.3-nss-conf.patch
Patch3: %{name}-0.6.0-nss-autoconf.patch Patch3: %{name}-0.6.0-nss-autoconf.patch
Patch4: 0001-Set-slot_num-configuration-parameter-to-0-by-default.patch
# 0001-memory-leak-fixes.patch - Fix memory leaks and issues with kscreenlocker (boo#1230870) - adapted from https://github.com/OpenSC/pam_pkcs11/commit/f8e7d85aa3ca4fd2e2a8c2dfe601d1224debe372.patch
Patch6: 0001-memory-leak-fixes.patch
BuildRequires: curl-devel BuildRequires: curl-devel
BuildRequires: docbook-xsl-stylesheets BuildRequires: docbook-xsl-stylesheets
BuildRequires: doxygen BuildRequires: doxygen
@ -50,10 +48,8 @@ BuildRequires: openssl-devel
BuildRequires: pam-devel BuildRequires: pam-devel
BuildRequires: pcsc-lite-devel BuildRequires: pcsc-lite-devel
BuildRequires: pkgconfig BuildRequires: pkgconfig
%{?systemd_requires}
%if 0%{?suse_version} >= 1210
BuildRequires: systemd-rpm-macros BuildRequires: systemd-rpm-macros
%endif %{?systemd_requires}
%description %description
This Linux PAM module allows X.509 a certificate-based user This Linux PAM module allows X.509 a certificate-based user
@ -79,6 +75,7 @@ Summary: PKCS #11 API PAM Documentation
# File conflict. devel-doc split was done with 0.6.9 upgrade, after SLE 12 SP3, Leap 42.3. # File conflict. devel-doc split was done with 0.6.9 upgrade, after SLE 12 SP3, Leap 42.3.
Group: Documentation/HTML Group: Documentation/HTML
Conflicts: pam_pkcs11 < 0.6.9 Conflicts: pam_pkcs11 < 0.6.9
BuildArch: noarch
%description devel-doc %description devel-doc
API documentation for pam_pkcs11 API documentation for pam_pkcs11
@ -107,6 +104,9 @@ sed -i '/^HTML_TIMESTAMP/s/YES/NO/' doc/doxygen.conf.in
# Generate documentation: This sounds like an upstream bug while making an upstream source tarball. # Generate documentation: This sounds like an upstream bug while making an upstream source tarball.
%make_build dist %make_build dist
%check
%make_build check
%install %install
%make_install %make_install
%if 0%{?suse_version} <= 1500 %if 0%{?suse_version} <= 1500
@ -132,6 +132,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/pam.d
cp common-auth-smartcard %{buildroot}%{_sysconfdir}/pam.d/ cp common-auth-smartcard %{buildroot}%{_sysconfdir}/pam.d/
%endif %endif
install -D -m 644 %{SOURCE4} %{buildroot}%{_unitdir}/pkcs11_eventmgr.service install -D -m 644 %{SOURCE4} %{buildroot}%{_unitdir}/pkcs11_eventmgr.service
rm %{buildroot}%{_unitdir}/pkcs11-eventmgr.service
%if 0%{?suse_version} < 1600 %if 0%{?suse_version} < 1600
mkdir -p %{buildroot}%{_sbindir} mkdir -p %{buildroot}%{_sbindir}
ln -s service %{buildroot}%{_sbindir}/rcpkcs11_eventmgr ln -s service %{buildroot}%{_sbindir}/rcpkcs11_eventmgr