Accepting request 109933 from Linux-PAM

- Update to new upstream release 1.1.5 * pam_env: Fix CVE-2011-3148: correctly count leading whitespace when parsing environment file in pam_env * Fix CVE-2011-3149: when overflowing, exit with PAM_BUF_ERR in pam_env * pam_access: Add hostname resolution cache (forwarded request 107892 from jengelh) OBS-URL: https://build.opensuse.org/request/show/109933 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=52
2012-03-20 16:47:35 +00:00 · 2012-03-20 16:47:35 +00:00 · c704d4fd14
commit c704d4fd14
parent ff351dd822 04ace596ec
9 changed files with 39 additions and 152 deletions
--- a/Linux-PAM-1.1.4-docs.tar.bz2
+++ b/Linux-PAM-1.1.4-docs.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a3bcdbcede0865f0ce40aa1c1363afc2c51a878334a31689f959b0bdcf53cc6e
-size 498363
--- a/Linux-PAM-1.1.4.tar.bz2
+++ b/Linux-PAM-1.1.4.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:13cf4775ffd4fdd8c79a88610d569ebacef738eb2be729eaf8655c942bcd9e50
-size 1123198
--- a/Linux-PAM-1.1.5-docs.tar.bz2
+++ b/Linux-PAM-1.1.5-docs.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e4b10ffebe2e5cc355bd37c4e17a2288eb90d1396b06961738a7e7ef848c754c
+size 498228
--- a/Linux-PAM-1.1.5.tar.bz2
+++ b/Linux-PAM-1.1.5.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:65def4df04254dc4c5156859d36c34ad6d7afbcf3adbf2780530ebc4dbf2a116
+size 1123524
--- a/bug-724480_pam_env-fix-dos.patch
+++ b/bug-724480_pam_env-fix-dos.patch
@ -1,33 +0,0 @@
-Description: abort when encountering an overflowed environment variable
- expansion (CVE-2011-3149).
-Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565
-Author: Kees Cook <kees@debian.org>
-
-Index: Linux-PAM-1.1.4/modules/pam_env/pam_env.c
-===================================================================
--- Linux-PAM-1.1.4.orig/modules/pam_env/pam_env.c
-+++ Linux-PAM-1.1.4/modules/pam_env/pam_env.c
-@@ -570,6 +570,7 @@ static int _expand_arg(pam_handle_t *pam
- 	D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
- 	pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>",
- 		 tmp, tmpptr);
-+	return PAM_ABORT;
-       }
-       continue;
-     }
-@@ -631,6 +632,7 @@ static int _expand_arg(pam_handle_t *pam
- 	    D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
- 	    pam_syslog (pamh, LOG_ERR,
- 			"Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
-+	    return PAM_ABORT;
- 	  }
- 	}
-       }           /* if ('{' != *orig++) */
-@@ -642,6 +644,7 @@ static int _expand_arg(pam_handle_t *pam
- 	D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
- 	pam_syslog(pamh, LOG_ERR,
- 		   "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
-+	return PAM_ABORT;
-       }
-     }
-   }              /* for (;*orig;) */
--- a/bug-724480_pam_env-fix-overflow.patch
+++ b/bug-724480_pam_env-fix-overflow.patch
@ -1,29 +0,0 @@
-Description: correctly count leading whitespace when parsing environment
- file (CVE-2011-3148).
-Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469
-Author: Kees Cook <kees@debian.org>
-
-Index: Linux-PAM-1.1.4/modules/pam_env/pam_env.c
-===================================================================
--- Linux-PAM-1.1.4.orig/modules/pam_env/pam_env.c
-+++ Linux-PAM-1.1.4/modules/pam_env/pam_env.c
-@@ -290,6 +290,7 @@ static int _assemble_line(FILE *f, char
-     char *p = buffer;
-     char *s, *os;
-     int used = 0;
-+    int whitespace;
- 
-     /* loop broken with a 'break' when a non-'\\n' ended line is read */
- 
-@@ -312,8 +313,10 @@ static int _assemble_line(FILE *f, char
- 
- 	/* skip leading spaces --- line may be blank */
- 
-	s = p + strspn(p, " \n\t");
-+	whitespace = strspn(p, " \n\t");
-+	s = p + whitespace;
- 	if (*s && (*s != '#')) {
-+	    used += whitespace;
- 	    os = s;
- 
- 	    /*
--- a/pam.changes
+++ b/pam.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Sat Mar  3 15:16:42 UTC 2012 - jengelh@medozas.de
+
+- Update to new upstream release 1.1.5
+* pam_env: Fix CVE-2011-3148: correctly count leading whitespace
+  when parsing environment file in pam_env
+* Fix CVE-2011-3149: when overflowing, exit with PAM_BUF_ERR in
+  pam_env
+* pam_access: Add hostname resolution cache
+
 -------------------------------------------------------------------
 Tue Oct 25 14:24:27 CEST 2011 - mc@suse.de

--- a/pam.spec
+++ b/pam.spec
@ -1,7 +1,7 @@
 #
 # spec file for package pam
 #
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -15,32 +15,36 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #

-# norootforbuild

 %define enable_selinux 1

 Name:           pam
 Url:            http://www.kernel.org/pub/linux/libs/pam/
-BuildRequires:  bison cracklib-devel db-devel flex
 BuildRequires:  audit-devel
-BuildRequires:  libtirpc-devel
+BuildRequires:  bison
+BuildRequires:  cracklib-devel
+BuildRequires:  db-devel
+BuildRequires:  flex
+BuildRequires:  pkgconfig(libtirpc)
 %if %{enable_selinux}
 BuildRequires:  libselinux-devel
 %endif
 %define libpam_so_version 0.83.1
 %define libpam_misc_so_version 0.82.0
 %define libpamc_so_version 0.82.1
-License:        GPL-2.0+ or BSD-3-Clause
-Group:          System/Libraries
-AutoReqProv:    on
 # bug437293
 %ifarch ppc64
 Obsoletes:      pam-64bit
 %endif
 #
-Version:        1.1.4
-Release:        1
+Version:        1.1.5
+Release:        0
 Summary:        A Security Tool that Provides Authentication for Applications
+License:        GPL-2.0+ or BSD-3-Clause
+Group:          System/Libraries
+
+###DL-URL:	http://www.kernel.org/pub/linux/libs/pam/library/
+#DL-URL:	https://fedorahosted.org/releases/l/i/linux-pam/
 Source:         Linux-PAM-%{version}.tar.bz2
 Source1:        Linux-PAM-%{version}-docs.tar.bz2
 Source2:        securetty
@ -52,9 +56,6 @@ Source7:        common-session.pamd
 Source8:        etc.environment
 Source9:        baselibs.conf
 Patch0:         pam_tally-deprecated.diff
-Patch1:         bug-724480_pam_env-fix-overflow.patch
-Patch2:         bug-724480_pam_env-fix-dos.patch
-Patch3:         pam_tally2-man.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
@ -65,10 +66,11 @@ having to recompile programs that do authentication.


 %package doc
-License:        GPL-2.0+ or BSD-3-Clause
 Summary:        Documentation for Pluggable Authentication Modules
 Group:          Documentation/HTML
-###BuildArch:      noarch
+%if 0%{?suse_version} >= 1140
+BuildArch:      noarch
+%endif

 %description doc
 PAM (Pluggable Authentication Modules) is a system security tool that
@ -80,11 +82,9 @@ This package contains the documentation.


 %package devel
-License:        GPL-2.0+ or BSD-3-Clause
 Summary:        Include Files and Libraries for PAM-Development
 Group:          Development/Libraries/C and C++
 Requires:       pam = %{version} glibc-devel
-AutoReqProv:    on
 # bug437293
 %ifarch ppc64
 Obsoletes:      pam-devel-64bit
@ -104,15 +104,12 @@ building both PAM-aware applications and modules for use with PAM.
 %prep
 %setup -q -n Linux-PAM-%{version} -b 1
 %patch0 -p0
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1

 %build
-CFLAGS="$RPM_OPT_FLAGS -DNDEBUG" \
-./configure \
-        --infodir=%{_infodir} \
-        --mandir=%{_mandir} \
+export CFLAGS="%optflags -DNDEBUG"
+%configure \
+	--sbindir=/sbin \
+	--includedir=%_includedir/security \
 	--docdir=%{_docdir}/pam \
 	--htmldir=%{_docdir}/pam/html \
 	--pdfdir=%{_docdir}/pam/pdf \
@ -179,15 +176,12 @@ install -m 644 NEWS COPYING $DOC
 # Create filelist with translatins
 %{find_lang} Linux-PAM

-%clean
-rm -rf $RPM_BUILD_ROOT
+%verifyscript
+%verify_permissions -e /sbin/unix_chkpwd

 %post -p /sbin/ldconfig

-%postun
-/sbin/ldconfig
-%verifyscript
-%verify_permissions -e /sbin/unix_chkpwd
+%postun -p /sbin/ldconfig

 %files -f Linux-PAM.lang
 %defattr(-,root,root)
--- a/pam_tally2-man.dif
+++ b/pam_tally2-man.dif
@ -1,55 +0,0 @@
-Index: Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8
-===================================================================
--- Linux-PAM-1.1.4.orig/modules/pam_tally2/pam_tally2.8
-+++ Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8
-@@ -269,13 +269,6 @@ If the module is invoked by a user with
- \fBsu\fR, otherwise this argument should be omitted\&.
- .RE
- .PP
-\fBno_lock_time\fR
-.RS 4
-Do not use the \&.fail_locktime field in
-\FC/var/log/faillog\F[]
-for this user\&.
-.RE
-.PP
- \fBeven_deny_root\fR
- .RS 4
- Root account can become unavailable\&.
-Index: Linux-PAM-1.1.4/modules/pam_tally2/README
-===================================================================
--- Linux-PAM-1.1.4.orig/modules/pam_tally2/README
-+++ Linux-PAM-1.1.4/modules/pam_tally2/README
-@@ -76,10 +76,6 @@ AUTH OPTIONS
-         incremented. The sysadmin should use this for user launched services,
-         like su, otherwise this argument should be omitted.
- 
-    no_lock_time
-
-        Do not use the .fail_locktime field in /var/log/faillog for this user.
-
-     even_deny_root
- 
-         Root account can become unavailable.
-Index: Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8.xml
-===================================================================
--- Linux-PAM-1.1.4.orig/modules/pam_tally2/pam_tally2.8.xml
-+++ Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8.xml
-@@ -238,17 +238,6 @@
-             </varlistentry>
-             <varlistentry>
-               <term>
-                <option>no_lock_time</option>
-              </term>
-              <listitem>
-                <para>
-                  Do not use the .fail_locktime field in
-                  <filename>/var/log/faillog</filename> for this user.
-                </para>
-              </listitem>
-            </varlistentry>
-            <varlistentry>
-              <term>
-                 <option>even_deny_root</option>
-               </term>
-               <listitem>