- pam_tally2: remove invalid options from manpage (bnc#726071)

- fix possible overflow and DOS in pam_env (bnc#724480)
  CVE-2011-3148, CVE-2011-3149

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=83

bug-724480_pam_env-fix-dos.patch

@@ -0,0 +1,33 @@
+Description: abort when encountering an overflowed environment variable
+ expansion (CVE-2011-3149).
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565
+Author: Kees Cook <kees@debian.org>
+
+Index: Linux-PAM-1.1.4/modules/pam_env/pam_env.c
+===================================================================
+--- Linux-PAM-1.1.4.orig/modules/pam_env/pam_env.c
++++ Linux-PAM-1.1.4/modules/pam_env/pam_env.c
+@@ -570,6 +570,7 @@ static int _expand_arg(pam_handle_t *pam
+ 	D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
+ 	pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>",
+ 		 tmp, tmpptr);
++	return PAM_ABORT;
+       }
+       continue;
+     }
+@@ -631,6 +632,7 @@ static int _expand_arg(pam_handle_t *pam
+ 	    D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
+ 	    pam_syslog (pamh, LOG_ERR,
+ 			"Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
++	    return PAM_ABORT;
+ 	  }
+ 	}
+       }           /* if ('{' != *orig++) */
+@@ -642,6 +644,7 @@ static int _expand_arg(pam_handle_t *pam
+ 	D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
+ 	pam_syslog(pamh, LOG_ERR,
+ 		   "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
++	return PAM_ABORT;
+       }
+     }
+   }              /* for (;*orig;) */

bug-724480_pam_env-fix-overflow.patch

@@ -0,0 +1,29 @@
+Description: correctly count leading whitespace when parsing environment
+ file (CVE-2011-3148).
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469
+Author: Kees Cook <kees@debian.org>
+
+Index: Linux-PAM-1.1.4/modules/pam_env/pam_env.c
+===================================================================
+--- Linux-PAM-1.1.4.orig/modules/pam_env/pam_env.c
++++ Linux-PAM-1.1.4/modules/pam_env/pam_env.c
+@@ -290,6 +290,7 @@ static int _assemble_line(FILE *f, char
+     char *p = buffer;
+     char *s, *os;
+     int used = 0;
++    int whitespace;
+ 
+     /* loop broken with a 'break' when a non-'\\n' ended line is read */
+ 
+@@ -312,8 +313,10 @@ static int _assemble_line(FILE *f, char
+ 
+ 	/* skip leading spaces --- line may be blank */
+ 
+-	s = p + strspn(p, " \n\t");
++	whitespace = strspn(p, " \n\t");
++	s = p + whitespace;
+ 	if (*s && (*s != '#')) {
++	    used += whitespace;
+ 	    os = s;
+ 
+ 	    /*

pam.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Oct 25 14:24:27 CEST 2011 - mc@suse.de
+
+- pam_tally2: remove invalid options from manpage (bnc#726071)
+- fix possible overflow and DOS in pam_env (bnc#724480)
+  CVE-2011-3148, CVE-2011-3149
+
 -------------------------------------------------------------------
 Mon Jun 27 15:29:11 CEST 2011 - kukuk@suse.de
 

pam.spec

@@ -39,7 +39,7 @@ Obsoletes:      pam-64bit
 %endif
 #
 Version:        1.1.4
-Release:        7
+Release:        1
 Summary:        A Security Tool that Provides Authentication for Applications
 Source:         Linux-PAM-%{version}.tar.bz2
 Source1:        Linux-PAM-%{version}-docs.tar.bz2
@@ -52,6 +52,9 @@ Source7:        common-session.pamd
 Source8:        etc.environment
 Source9:        baselibs.conf
 Patch0:         pam_tally-deprecated.diff
+Patch1:         bug-724480_pam_env-fix-overflow.patch
+Patch2:         bug-724480_pam_env-fix-dos.patch
+Patch3:         pam_tally2-man.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -101,6 +104,9 @@ building both PAM-aware applications and modules for use with PAM.
 %prep
 %setup -q -n Linux-PAM-%{version} -b 1
 %patch0 -p0
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 %build
 CFLAGS="$RPM_OPT_FLAGS -DNDEBUG" \

pam_tally2-man.dif

@@ -0,0 +1,55 @@
+Index: Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8
+===================================================================
+--- Linux-PAM-1.1.4.orig/modules/pam_tally2/pam_tally2.8
++++ Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8
+@@ -269,13 +269,6 @@ If the module is invoked by a user with
+ \fBsu\fR, otherwise this argument should be omitted\&.
+ .RE
+ .PP
+-\fBno_lock_time\fR
+-.RS 4
+-Do not use the \&.fail_locktime field in
+-\FC/var/log/faillog\F[]
+-for this user\&.
+-.RE
+-.PP
+ \fBeven_deny_root\fR
+ .RS 4
+ Root account can become unavailable\&.
+Index: Linux-PAM-1.1.4/modules/pam_tally2/README
+===================================================================
+--- Linux-PAM-1.1.4.orig/modules/pam_tally2/README
++++ Linux-PAM-1.1.4/modules/pam_tally2/README
+@@ -76,10 +76,6 @@ AUTH OPTIONS
+         incremented. The sysadmin should use this for user launched services,
+         like su, otherwise this argument should be omitted.
+ 
+-    no_lock_time
+-
+-        Do not use the .fail_locktime field in /var/log/faillog for this user.
+-
+     even_deny_root
+ 
+         Root account can become unavailable.
+Index: Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8.xml
+===================================================================
+--- Linux-PAM-1.1.4.orig/modules/pam_tally2/pam_tally2.8.xml
++++ Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8.xml
+@@ -238,17 +238,6 @@
+             </varlistentry>
+             <varlistentry>
+               <term>
+-                <option>no_lock_time</option>
+-              </term>
+-              <listitem>
+-                <para>
+-                  Do not use the .fail_locktime field in
+-                  <filename>/var/log/faillog</filename> for this user.
+-                </para>
+-              </listitem>
+-            </varlistentry>
+-            <varlistentry>
+-              <term>
+                 <option>even_deny_root</option>
+               </term>
+               <listitem>