- Update to 0.6.13

* Added pkcs11-eventmgr systemd service unit.
    * Updated Russian translations for pam_pkcs11 (thx Max Kosmach      and Andrey Cherepanov).
    * Fixed possible authentication bypass (CVE-2025-24032):
    * Use signatures to verify authentication by default      (thx Frank Morgner).
    * Fixed possible authentication bypass (CVE-2025-24531):
    * Restoring the original card_only / wait_for_card behavior      (thx Matthias Gerstner, Frank Morgner).
    * Move pam_securetty.so upward in the example PAM config.
    * Set 'slot_num' configuration parameter to 0 by default     (thx Jpereyra316).
    * Print details about configuration parse errors (thx Jpereyra316).
    * Add Chinese (Simplified) translation.
    * Capitalize all PAM messages (thx Alynx Zhou).
    * Made pkcs11_make_hash_link support whitespaces in file names
  * Drop 0001-Set-slot_num-configuration-parameter-to-0-by-default.patch
  * Drop 0001-memory-leak-fixes.patch
  * Rebase pam_pkcs11-0.5.3-nss-conf.patch
  * Rebase pam_pkcs11-0.6.0-nss-autoconf.patch

OBS-URL: https://build.opensuse.org/package/show/security:chipcard/pam_pkcs11?expand=0&rev=43

0001-Set-slot_num-configuration-parameter-to-0-by-default.patch

@@ -1,39 +0,0 @@
-From 8da6c472ddcf18a30676bf8f7c55785dd2de91c5 Mon Sep 17 00:00:00 2001
-From: Paul Wolneykien <manowar@altlinux.org>
-Date: Fri, 26 Apr 2024 18:10:24 +0300
-Subject: [PATCH] Set 'slot_num' configuration parameter to 0 by default
-
-See https://github.com/OpenSC/pam_pkcs11/pull/74 for details.
-
-Signed-off-by: Paul Wolneykien <manowar@altlinux.org>
----
- src/pam_pkcs11/pam_config.c |   11 +++--------
- 1 file changed, 3 insertions(+), 8 deletions(-)
-
---- a/src/pam_pkcs11/pam_config.c
-+++ b/src/pam_pkcs11/pam_config.c
-@@ -50,7 +50,7 @@ struct configuration_st configuration =
-         NULL,				/* const char *pkcs11_module_path; */
-         NULL,                           /* screen savers */
-         NULL,			/* slot_description */
--        -1,				/* int slot_num; */
-+        0,				/* int slot_num; */
- 	0,				/* support threads */
- 	/* cert policy; */
-         {
-@@ -167,13 +167,8 @@ static void parse_config_file(void) {
- 	    configuration.slot_num =
- 	        scconf_get_int(pkcs11_mblk,"slot_num",configuration.slot_num);
- 
--	    if (configuration.slot_description != NULL && configuration.slot_num != -1) {
--		DBG1("Can not specify both slot_description and slot_num in file %s",configuration.config_file);
--	            return;
--	    }
--
--	    if (configuration.slot_description == NULL && configuration.slot_num == -1) {
--		DBG1("Neither slot_description nor slot_num found in file %s",configuration.config_file);
-+	    if (configuration.slot_description != NULL && configuration.slot_num != 0) {
-+		DBG1("Can not specify both slot_description and slot_num != 0 in file %s",configuration.config_file);
- 	            return;
- 	    }
- 

0001-memory-leak-fixes.patch

@@ -1,29 +0,0 @@
---- a/src/mappers/mapper.c
-+++ b/src/mappers/mapper.c
-@@ -83,7 +83,12 @@
- 	/* get a line from buffer */
- 	from = mfile->pt;
- 	/* set up pointer */
--	while( *from && isspace(*from) ) from++;
-+	while( *from && isspace(*from)){
-+		if(from - mfile->buffer + 1 >= mfile->length){
-+			return 0;
-+		}
-+		from++;
-+	}
- 	to = strchr(from,'\n');
- 	/* if no newline, assume string ends at end of buffer */
- 	if (!to) to=mfile->buffer+mfile->length;
-
---- a/src/pam_pkcs11/pam_pkcs11.c
-+++ b/src/pam_pkcs11/pam_pkcs11.c
-@@ -208,7 +208,7 @@
- {
-   int i, rv;
-   const char *user = NULL;
--  char *password;
-+  char *password = NULL;
-   unsigned int slot_num = 0;
-   int is_a_screen_saver = 0;
-   struct configuration_st *configuration;
-

pam_pkcs11-0.5.3-nss-conf.patch

@@ -1,7 +1,7 @@
-Index: pam_pkcs11-pam_pkcs11-0.6.12/etc/pam_pkcs11.conf.example.in
+Index: pam_pkcs11-pam_pkcs11-0.6.13/etc/pam_pkcs11.conf.example.in
 ===================================================================
---- pam_pkcs11-pam_pkcs11-0.6.12.orig/etc/pam_pkcs11.conf.example.in
+--- pam_pkcs11-pam_pkcs11-0.6.13.orig/etc/pam_pkcs11.conf.example.in
-+++ pam_pkcs11-pam_pkcs11-0.6.12/etc/pam_pkcs11.conf.example.in
++++ pam_pkcs11-pam_pkcs11-0.6.13/etc/pam_pkcs11.conf.example.in
 @@ -9,7 +9,7 @@ pam_pkcs11 {
    nullok = true;
  
@@ -24,8 +24,8 @@ Index: pam_pkcs11-pam_pkcs11-0.6.12/etc/pam_pkcs11.conf.example.in
 +  }
  
    pkcs11_module opensc {
-     module = /usr/lib/opensc-pkcs11.so;
+     module = @libdir@/opensc-pkcs11.so;
-@@ -162,7 +167,7 @@ pam_pkcs11 {
+@@ -164,7 +169,7 @@ pam_pkcs11 {
    # If used null mapper should be the last in the list :-)
    # Also you should select at least one mapper, otherwise
    # certificate will not match :-)

pam_pkcs11-0.6.0-nss-autoconf.patch

@@ -1,6 +1,8 @@
---- pam_pkcs11-0.6.1/src/pam_pkcs11/pam_config.c
+Index: pam_pkcs11-pam_pkcs11-0.6.13/src/pam_pkcs11/pam_config.c
-+++ pam_pkcs11-0.6.1/src/pam_pkcs11/pam_config.c
+===================================================================
-@@ -45,7 +45,7 @@
+--- pam_pkcs11-pam_pkcs11-0.6.13.orig/src/pam_pkcs11/pam_config.c
++++ pam_pkcs11-pam_pkcs11-0.6.13/src/pam_pkcs11/pam_config.c
+@@ -47,7 +47,7 @@ struct configuration_st configuration =
          0,				/* int card_only; */
          0,				/* int wait_for_card; */
          "default", 			/* const char *pkcs11_module; */
@@ -8,4 +10,4 @@
 +        NULL,				/* const char *pkcs11_module_path; */
          NULL,                           /* screen savers */
          NULL,			/* slot_description */
-         -1,				/* int slot_num; */
+         0,				/* int slot_num; */

pam_pkcs11-0.6.13.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8a853f4e6e136ceecdcffad798570e3d6af2fde08e975656b2dc931989c35aff
+size 281213

pam_pkcs11.changes

@@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Thu Feb  6 16:04:09 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
+
+- Update to 0.6.13
+    * Added pkcs11-eventmgr systemd service unit.
+    * Updated Russian translations for pam_pkcs11 (thx Max Kosmach      and Andrey Cherepanov).
+    * Fixed possible authentication bypass (CVE-2025-24032):
+    * Use signatures to verify authentication by default      (thx Frank Morgner).
+    * Fixed possible authentication bypass (CVE-2025-24531):
+    * Restoring the original card_only / wait_for_card behavior      (thx Matthias Gerstner, Frank Morgner).
+    * Move pam_securetty.so upward in the example PAM config.
+    * Set 'slot_num' configuration parameter to 0 by default     (thx Jpereyra316).
+    * Print details about configuration parse errors (thx Jpereyra316).
+    * Add Chinese (Simplified) translation.
+    * Capitalize all PAM messages (thx Alynx Zhou).
+    * Made pkcs11_make_hash_link support whitespaces in file names
+  * Drop 0001-Set-slot_num-configuration-parameter-to-0-by-default.patch
+  * Drop 0001-memory-leak-fixes.patch
+  * Rebase pam_pkcs11-0.5.3-nss-conf.patch
+  * Rebase pam_pkcs11-0.6.0-nss-autoconf.patch
+
+
 -------------------------------------------------------------------
 Wed Jan 22 16:07:50 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
 

pam_pkcs11.spec

@@ -19,7 +19,7 @@
 # It seems to be an upstream naming bug:
 %define _name pam_pkcs11-pam_pkcs11
 Name:           pam_pkcs11
-Version:        0.6.12
+Version:        0.6.13
 Release:        0
 Summary:        PKCS #11 PAM Module
 License:        LGPL-2.1-or-later
@@ -34,9 +34,7 @@ Source4:        pkcs11_eventmgr.service
 Patch0:         %{name}-fsf-address.patch
 Patch1:         %{name}-0.5.3-nss-conf.patch
 Patch3:         %{name}-0.6.0-nss-autoconf.patch
-Patch4:         0001-Set-slot_num-configuration-parameter-to-0-by-default.patch
+
-# 0001-memory-leak-fixes.patch - Fix memory leaks and issues with kscreenlocker (boo#1230870) - adapted from https://github.com/OpenSC/pam_pkcs11/commit/f8e7d85aa3ca4fd2e2a8c2dfe601d1224debe372.patch
-Patch6:         0001-memory-leak-fixes.patch
 BuildRequires:  curl-devel
 BuildRequires:  docbook-xsl-stylesheets
 BuildRequires:  doxygen
@@ -50,10 +48,8 @@ BuildRequires:  openssl-devel
 BuildRequires:  pam-devel
 BuildRequires:  pcsc-lite-devel
 BuildRequires:  pkgconfig
-%{?systemd_requires}
-%if 0%{?suse_version} >= 1210
 BuildRequires:  systemd-rpm-macros
-%endif
+%{?systemd_requires}
 
 %description
 This Linux PAM module allows X.509 a certificate-based user
@@ -79,6 +75,7 @@ Summary:        PKCS #11 API PAM Documentation
 # File conflict. devel-doc split was done with 0.6.9 upgrade, after SLE 12 SP3, Leap 42.3.
 Group:          Documentation/HTML
 Conflicts:      pam_pkcs11 < 0.6.9
+BuildArch:      noarch
 
 %description devel-doc
 API documentation for pam_pkcs11
@@ -107,6 +104,9 @@ sed -i '/^HTML_TIMESTAMP/s/YES/NO/' doc/doxygen.conf.in
 # Generate documentation: This sounds like an upstream bug while making an upstream source tarball.
 %make_build dist
 
+%check
+%make_build check
+
 %install
 %make_install
 %if 0%{?suse_version} <= 1500
@@ -132,6 +132,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/pam.d
 cp common-auth-smartcard %{buildroot}%{_sysconfdir}/pam.d/
 %endif
 install -D -m 644 %{SOURCE4} %{buildroot}%{_unitdir}/pkcs11_eventmgr.service
+rm %{buildroot}%{_unitdir}/pkcs11-eventmgr.service
 %if 0%{?suse_version} < 1600
 mkdir -p %{buildroot}%{_sbindir}
 ln -s service %{buildroot}%{_sbindir}/rcpkcs11_eventmgr