diff --git a/bug-724480_pam_env-fix-dos.patch b/bug-724480_pam_env-fix-dos.patch
new file mode 100644
index 0000000..7b886a9
--- /dev/null
+++ b/bug-724480_pam_env-fix-dos.patch
@@ -0,0 +1,33 @@
+Description: abort when encountering an overflowed environment variable
+ expansion (CVE-2011-3149).
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565
+Author: Kees Cook
+
+Index: Linux-PAM-1.1.4/modules/pam_env/pam_env.c
+===================================================================
+--- Linux-PAM-1.1.4.orig/modules/pam_env/pam_env.c
++++ Linux-PAM-1.1.4/modules/pam_env/pam_env.c
+@@ -570,6 +570,7 @@ static int _expand_arg(pam_handle_t *pam
+ D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
+ pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>",
+ tmp, tmpptr);
++ return PAM_ABORT;
+ }
+ continue;
+ }
+@@ -631,6 +632,7 @@ static int _expand_arg(pam_handle_t *pam
+ D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
+ pam_syslog (pamh, LOG_ERR,
+ "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
++ return PAM_ABORT;
+ }
+ }
+ } /* if ('{' != *orig++) */
+@@ -642,6 +644,7 @@ static int _expand_arg(pam_handle_t *pam
+ D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
+ pam_syslog(pamh, LOG_ERR,
+ "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
++ return PAM_ABORT;
+ }
+ }
+ } /* for (;*orig;) */
diff --git a/bug-724480_pam_env-fix-overflow.patch b/bug-724480_pam_env-fix-overflow.patch
new file mode 100644
index 0000000..de74d06
--- /dev/null
+++ b/bug-724480_pam_env-fix-overflow.patch
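Review bot: In bug-724480_pam_env-fix-dos.patch, the three added `return PAM_ABORT;` lines leave `_expand_arg` from inside its expansion loop with no comment on why processing stops there; a line such as `/* expansion does not fit the buffer: fail instead of continuing (CVE-2011-3149) */` above each return would record the intent. The function's callers are outside these hunks, so it should be confirmed that each one checks the return value and does not go on to use the partially expanded buffer. The unchanged context lines also pass `tmp` and `tmpptr` to `pam_syslog` at `LOG_ERR` on every overflow; if those strings can come from a user-writable environment file, the log entry carries user-chosen text and possibly values that should not be logged, so truncating or omitting them is worth considering.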
@@ -0,0 +1,29 @@
+Description: correctly count leading whitespace when parsing environment
+ file (CVE-2011-3148).
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469
+Author: Kees Cook
+
+Index: Linux-PAM-1.1.4/modules/pam_env/pam_env.c
+===================================================================
+--- Linux-PAM-1.1.4.orig/modules/pam_env/pam_env.c
++++ Linux-PAM-1.1.4/modules/pam_env/pam_env.c
+@@ -290,6 +290,7 @@ static int _assemble_line(FILE *f, char
+ char *p = buffer;
+ char *s, *os;
+ int used = 0;
++ int whitespace;
+
+ /* loop broken with a 'break' when a non-'\\n' ended line is read */
+
+@@ -312,8 +313,10 @@ static int _assemble_line(FILE *f, char
+
+ /* skip leading spaces --- line may be blank */
+
+- s = p + strspn(p, " \n\t");
++ whitespace = strspn(p, " \n\t");
++ s = p + whitespace;
+ if (*s && (*s != '#')) {
++ used += whitespace;
+ os = s;
+
+ /*
diff --git a/pam.changes b/pam.changes
index 121210d..c27c06d 100644
--- a/pam.changes
+++ b/pam.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Oct 25 14:24:27 CEST 2011 - mc@suse.de
+
+- pam_tally2: remove invalid options from manpage (bnc#726071)
+- fix possible overflow and DOS in pam_env (bnc#724480)
+ CVE-2011-3148, CVE-2011-3149
+
 -------------------------------------------------------------------
 Mon Jun 27 15:29:11 CEST 2011 - kukuk@suse.de
 
diff --git a/pam.spec b/pam.spec
index 99aaed3..e032480 100644
--- a/pam.spec
+++ b/pam.spec
@@ -39,7 +39,7 @@ Obsoletes: pam-64bit
 %endif
 #
 Version: 1.1.4
-Release: 7
+Release: 1
 Summary: A Security Tool that Provides Authentication for Applications
 Source: Linux-PAM-%{version}.tar.bz2
 Source1: Linux-PAM-%{version}-docs.tar.bz2
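Review bot: In bug-724480_pam_env-fix-overflow.patch, `whitespace` is declared `int` but receives the `size_t` result of `strspn()` and is then added to the signed counter `used`; declaring it `size_t whitespace;` with an explicit cast at `used += (int)whitespace;`, or a comment stating that the value is bounded by the buffer length, would make the narrowing deliberate. The bounds check that consumes `used` lies outside both inner hunks of `_assemble_line`, so whether the corrected count is compared against the full buffer size cannot be confirmed from here and should be checked in the complete function. `used` is advanced only inside the `if (*s && (*s != '#'))` branch, and how blank and comment lines are accounted for is likewise not visible. A short comment at the addition, for example `/* count the skipped leading whitespace toward used (CVE-2011-3148) */`, would explain why the line exists.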
@@ -52,6 +52,9 @@ Source7: common-session.pamd
 Source8: etc.environment
 Source9: baselibs.conf
 Patch0: pam_tally-deprecated.diff
+Patch1: bug-724480_pam_env-fix-overflow.patch
+Patch2: bug-724480_pam_env-fix-dos.patch
+Patch3: pam_tally2-man.dif
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -101,6 +104,9 @@ building both PAM-aware applications and modules for use with PAM.
 %prep
 %setup -q -n Linux-PAM-%{version} -b 1
 %patch0 -p0
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 %build
 CFLAGS="$RPM_OPT_FLAGS -DNDEBUG" \
diff --git a/pam_tally2-man.dif b/pam_tally2-man.dif
new file mode 100644
index 0000000..cee8222
--- /dev/null
+++ b/pam_tally2-man.dif
@@ -0,0 +1,55 @@
+Index: Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8
+===================================================================
+--- Linux-PAM-1.1.4.orig/modules/pam_tally2/pam_tally2.8
++++ Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8
+@@ -269,13 +269,6 @@ If the module is invoked by a user with
+ \fBsu\fR, otherwise this argument should be omitted\&.
+ .RE
+ .PP
+-\fBno_lock_time\fR
+-.RS 4
+-Do not use the \&.fail_locktime field in
+-\FC/var/log/faillog\F[]
+-for this user\&.
+-.RE
+-.PP
+ \fBeven_deny_root\fR
+ .RS 4
+ Root account can become unavailable\&.
+Index: Linux-PAM-1.1.4/modules/pam_tally2/README
+===================================================================
+--- Linux-PAM-1.1.4.orig/modules/pam_tally2/README
++++ Linux-PAM-1.1.4/modules/pam_tally2/README
+@@ -76,10 +76,6 @@ AUTH OPTIONS
+ incremented. The sysadmin should use this for user launched services,
+ like su, otherwise this argument should be omitted.
+
+- no_lock_time
+-
+- Do not use the .fail_locktime field in /var/log/faillog for this user.
+-
+ even_deny_root
+
+ Root account can become unavailable.
+Index: Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8.xml
+===================================================================
+--- Linux-PAM-1.1.4.orig/modules/pam_tally2/pam_tally2.8.xml
++++ Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8.xml
+@@ -238,17 +238,6 @@
+
+
+
+-
+-
+-
+-
+- Do not use the .fail_locktime field in
+- /var/log/faillog for this user.
+-
+-
+-
+-
+-
+
+
+