Accepting request 849367 from home:jmoellers:branches:Linux-PAM

OBS-URL: https://build.opensuse.org/request/show/849367
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=226

pam-bsc1177858-dont-free-environment-string.patch

@@ -0,0 +1,26 @@
+Index: Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c
+===================================================================
+--- Linux-PAM-1.4.0.orig/modules/pam_xauth/pam_xauth.c
++++ Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c
+@@ -701,8 +701,9 @@ pam_sm_open_session (pam_handle_t *pamh,
+ 			pam_syslog(pamh, LOG_ERR,
+ 				   "can't set environment variable '%s'",
+ 				   xauthority);
+-		putenv (xauthority); /* The environment owns this string now. */
+-		/* Don't free environment variables nor set them to NULL. */
++		if (putenv (xauthority) == 0) /* The environment owns this string now. */
++		    xauthority = NULL;
++		/* Don't free environment variables. */
+ 
+ 		/* set $DISPLAY in pam handle to make su - work */
+ 		{
+@@ -765,7 +766,8 @@ cleanup:
+ 		unsetenv (XAUTHENV);
+ 	free(cookiefile);
+ 	free(cookie);
+-	free(xauthority);
++	if (xauthority != NULL)	/* If it hasn't been successfully passed to putenv() ... */
++	    free(xauthority);
+ 	return retval;
+ }
+ 

pam-pam_cracklib-add-usersubstr.patch

@@ -0,0 +1,99 @@
+Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
+===================================================================
+--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.c
++++ Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
+@@ -88,6 +88,7 @@ struct cracklib_options {
+ 	int reject_user;
+         int gecos_check;
+         int enforce_for_root;
++	int user_substr;
+         const char *cracklib_dictpath;
+ };
+ 
+@@ -100,6 +101,7 @@ struct cracklib_options {
+ #define CO_LOW_CREDIT   1
+ #define CO_OTH_CREDIT   1
+ #define CO_MIN_WORD_LENGTH 4
++#define CO_MIN_WORD_LENGTH      4
+ 
+ static int
+ _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt,
+@@ -185,6 +187,10 @@ _pam_parse (pam_handle_t *pamh, struct c
+ 	     if (!*(opt->cracklib_dictpath)) {
+ 		 opt->cracklib_dictpath = CRACKLIB_DICTS;
+ 	     }
++	 } else if ((str = pam_str_skip_prefix(*argv, "usersubstr=")) != NULL) {
++	     opt->user_substr = strtol(str, &ep, 10);
++	     if (ep == str)
++	         opt->user_substr = 0;
+ 	 } else {
+ 	     pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv);
+ 	 }
+@@ -525,13 +531,54 @@ static int wordcheck(const char *new, ch
+     return 0;
+ }
+ 
+-static int usercheck(struct cracklib_options *opt, const char *new,
++/*
++ * RETURNS: True if the password is unacceptable, else false
++ */
++static int usersubstr(pam_handle_t *pamh, int len, const char *new, char *user)
++{
++    int i, userlen;
++    int bad = 0;	// Assume it's OK unless proven otherwise
++    char *subuser = calloc(len+1, sizeof(char));
++
++    if (subuser == NULL) {
++	return 1;
++    }
++
++    userlen = strlen(user);
++
++    if (len >= CO_MIN_WORD_LENGTH &&
++	    userlen > len) {
++	for(i = 0; !bad && (i <= userlen - len); i++) {
++	    strncpy(subuser, user+i, len+1);
++	    subuser[len] = '\0';
++	    bad = wordcheck(new, subuser);
++	}
++    } else {
++	// if we already tested substrings, there's no need to test
++	// the whole username; all substrings would've been found :)
++	if (!bad)
++	    bad = wordcheck(new, user);
++    }
++
++    free(subuser);
++
++    return bad;
++}
++
++/*
++ * RETURNS: True if the password is unacceptable, else false
++ */
++static int usercheck(pam_handle_t *pamh, struct cracklib_options *opt, const char *new,
+ 		     char *user)
+ {
+-    if (!opt->reject_user)
+-        return 0;
++    int bad = 0;
++
++    if (opt->reject_user)
++        bad = wordcheck(new, user);
++    if (!bad && opt->user_substr != 0)
++       bad = usersubstr(pamh, opt->user_substr, new, user);
+ 
+-    return wordcheck(new, user);
++    return bad;
+ }
+ 
+ static char * str_lower(char *string)
+@@ -646,7 +693,7 @@ static const char *password_check(pam_ha
+ 	if (!msg && sequence(opt, new))
+ 	        msg = _("contains too long of a monotonic character sequence");
+ 
+-	if (!msg && (usercheck(opt, newmono, usermono) || gecoscheck(pamh, opt, newmono, user)))
++	if (!msg && (usercheck(pamh, opt, newmono, usermono) || gecoscheck(pamh, opt, newmono, user)))
+ 	        msg = _("contains the user name in some form");
+ 
+ 	free(usermono);

pam.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Wed Nov 18 13:02:15 UTC 2020 - Josef Möllers <josef.moellers@suse.com>
+
+- pam_cracklib: added code to check whether the password contains
+  a substring of of the user's name of at least <N> characters length
+  in some form.
+  This is enabled by the new parameter "usersubstr=<N>"
+  See https://github.com/libpwquality/libpwquality/commit/bfef79dbe6aa525e9557bf4b0a61e6dde12749c4
+  [jsc#SLE-16719, jsc#SLE-16720, pam-pam_cracklib-add-usersubstr.patch]
+
+-------------------------------------------------------------------
+Wed Nov 18 10:02:32 UTC 2020 - Josef Möllers <josef.moellers@suse.com>
+
+- pam_xauth.c: do not free() a string which has been (successfully)
+  passed to putenv().
+  [bsc#1177858, pam-bsc1177858-dont-free-environment-string.patch]
+
 -------------------------------------------------------------------
 Fri Nov 13 09:13:18 UTC 2020 - Josef Möllers <josef.moellers@suse.com>
 

pam.spec

@@ -49,6 +49,8 @@ Patch2:         pam-limit-nproc.patch
 Patch4:         pam-hostnames-in-access_conf.patch
 Patch5:         pam-xauth_ownership.patch
 Patch6:         pam-bsc1178727-initialize-daysleft.patch
+Patch8:         pam-bsc1177858-dont-free-environment-string.patch
+Patch9:         pam-pam_cracklib-add-usersubstr.patch
 BuildRequires:  audit-devel
 BuildRequires:  bison
 BuildRequires:  cracklib-devel
@@ -143,6 +145,8 @@ cp -a %{SOURCE12} .
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch8 -p1
+%patch9 -p1
 
 %build
 bash ./pam-login_defs-check.sh