From 04ace596ecc1352dc83e4deeb002e18c8e2fbae28d166011505d5eb5dba68343 Mon Sep 17 00:00:00 2001 From: Wolfgang Engel Date: Mon, 19 Mar 2012 12:00:58 +0000 Subject: [PATCH] Accepting request 107892 from home:jengelh:branches:Linux-PAM - Update to new upstream release 1.1.5 * pam_env: Fix CVE-2011-3148: correctly count leading whitespace when parsing environment file in pam_env * Fix CVE-2011-3149: when overflowing, exit with PAM_BUF_ERR in pam_env * pam_access: Add hostname resolution cache OBS-URL: https://build.opensuse.org/request/show/107892 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=86 --- Linux-PAM-1.1.4-docs.tar.bz2 | 3 -- Linux-PAM-1.1.4.tar.bz2 | 3 -- Linux-PAM-1.1.5-docs.tar.bz2 | 3 ++ Linux-PAM-1.1.5.tar.bz2 | 3 ++ bug-724480_pam_env-fix-dos.patch | 33 ---------------- bug-724480_pam_env-fix-overflow.patch | 29 -------------- pam.changes | 10 +++++ pam.spec | 52 +++++++++++-------------- pam_tally2-man.dif | 55 --------------------------- 9 files changed, 39 insertions(+), 152 deletions(-) delete mode 100644 Linux-PAM-1.1.4-docs.tar.bz2 delete mode 100644 Linux-PAM-1.1.4.tar.bz2 create mode 100644 Linux-PAM-1.1.5-docs.tar.bz2 create mode 100644 Linux-PAM-1.1.5.tar.bz2 delete mode 100644 bug-724480_pam_env-fix-dos.patch delete mode 100644 bug-724480_pam_env-fix-overflow.patch delete mode 100644 pam_tally2-man.dif diff --git a/Linux-PAM-1.1.4-docs.tar.bz2 b/Linux-PAM-1.1.4-docs.tar.bz2 deleted file mode 100644 index e0d6375..0000000 --- a/Linux-PAM-1.1.4-docs.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:a3bcdbcede0865f0ce40aa1c1363afc2c51a878334a31689f959b0bdcf53cc6e -size 498363 diff --git a/Linux-PAM-1.1.4.tar.bz2 b/Linux-PAM-1.1.4.tar.bz2 deleted file mode 100644 index 013f369..0000000 --- a/Linux-PAM-1.1.4.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:13cf4775ffd4fdd8c79a88610d569ebacef738eb2be729eaf8655c942bcd9e50 -size 1123198 diff --git a/Linux-PAM-1.1.5-docs.tar.bz2 b/Linux-PAM-1.1.5-docs.tar.bz2 new file mode 100644 index 0000000..889234a --- /dev/null +++ b/Linux-PAM-1.1.5-docs.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e4b10ffebe2e5cc355bd37c4e17a2288eb90d1396b06961738a7e7ef848c754c +size 498228 diff --git a/Linux-PAM-1.1.5.tar.bz2 b/Linux-PAM-1.1.5.tar.bz2 new file mode 100644 index 0000000..0c2ab97 --- /dev/null +++ b/Linux-PAM-1.1.5.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:65def4df04254dc4c5156859d36c34ad6d7afbcf3adbf2780530ebc4dbf2a116 +size 1123524 diff --git a/bug-724480_pam_env-fix-dos.patch b/bug-724480_pam_env-fix-dos.patch deleted file mode 100644 index 7b886a9..0000000 --- a/bug-724480_pam_env-fix-dos.patch +++ /dev/null @@ -1,33 +0,0 @@ -Description: abort when encountering an overflowed environment variable - expansion (CVE-2011-3149). -Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565 -Author: Kees Cook - -Index: Linux-PAM-1.1.4/modules/pam_env/pam_env.c -=================================================================== ---- Linux-PAM-1.1.4.orig/modules/pam_env/pam_env.c -+++ Linux-PAM-1.1.4/modules/pam_env/pam_env.c -@@ -570,6 +570,7 @@ static int _expand_arg(pam_handle_t *pam - D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); - pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>", - tmp, tmpptr); -+ return PAM_ABORT; - } - continue; - } -@@ -631,6 +632,7 @@ static int _expand_arg(pam_handle_t *pam - D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); - pam_syslog (pamh, LOG_ERR, - "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); -+ return PAM_ABORT; - } - } - } /* if ('{' != *orig++) */ -@@ -642,6 +644,7 @@ static int _expand_arg(pam_handle_t *pam - D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); - pam_syslog(pamh, LOG_ERR, - "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); -+ return PAM_ABORT; - } - } - } /* for (;*orig;) */ diff --git a/bug-724480_pam_env-fix-overflow.patch b/bug-724480_pam_env-fix-overflow.patch deleted file mode 100644 index de74d06..0000000 --- a/bug-724480_pam_env-fix-overflow.patch +++ /dev/null @@ -1,29 +0,0 @@ -Description: correctly count leading whitespace when parsing environment - file (CVE-2011-3148). -Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469 -Author: Kees Cook - -Index: Linux-PAM-1.1.4/modules/pam_env/pam_env.c -=================================================================== ---- Linux-PAM-1.1.4.orig/modules/pam_env/pam_env.c -+++ Linux-PAM-1.1.4/modules/pam_env/pam_env.c -@@ -290,6 +290,7 @@ static int _assemble_line(FILE *f, char - char *p = buffer; - char *s, *os; - int used = 0; -+ int whitespace; - - /* loop broken with a 'break' when a non-'\\n' ended line is read */ - -@@ -312,8 +313,10 @@ static int _assemble_line(FILE *f, char - - /* skip leading spaces --- line may be blank */ - -- s = p + strspn(p, " \n\t"); -+ whitespace = strspn(p, " \n\t"); -+ s = p + whitespace; - if (*s && (*s != '#')) { -+ used += whitespace; - os = s; - - /* diff --git a/pam.changes b/pam.changes index c27c06d..5ba943a 100644 --- a/pam.changes +++ b/pam.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Sat Mar 3 15:16:42 UTC 2012 - jengelh@medozas.de + +- Update to new upstream release 1.1.5 +* pam_env: Fix CVE-2011-3148: correctly count leading whitespace + when parsing environment file in pam_env +* Fix CVE-2011-3149: when overflowing, exit with PAM_BUF_ERR in + pam_env +* pam_access: Add hostname resolution cache + ------------------------------------------------------------------- Tue Oct 25 14:24:27 CEST 2011 - mc@suse.de diff --git a/pam.spec b/pam.spec index e032480..41de528 100644 --- a/pam.spec +++ b/pam.spec @@ -1,7 +1,7 @@ # # spec file for package pam # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -15,32 +15,36 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# norootforbuild %define enable_selinux 1 Name: pam Url: http://www.kernel.org/pub/linux/libs/pam/ -BuildRequires: bison cracklib-devel db-devel flex BuildRequires: audit-devel -BuildRequires: libtirpc-devel +BuildRequires: bison +BuildRequires: cracklib-devel +BuildRequires: db-devel +BuildRequires: flex +BuildRequires: pkgconfig(libtirpc) %if %{enable_selinux} BuildRequires: libselinux-devel %endif %define libpam_so_version 0.83.1 %define libpam_misc_so_version 0.82.0 %define libpamc_so_version 0.82.1 -License: GPL-2.0+ or BSD-3-Clause -Group: System/Libraries -AutoReqProv: on # bug437293 %ifarch ppc64 Obsoletes: pam-64bit %endif # -Version: 1.1.4 -Release: 1 +Version: 1.1.5 +Release: 0 Summary: A Security Tool that Provides Authentication for Applications +License: GPL-2.0+ or BSD-3-Clause +Group: System/Libraries + +###DL-URL: http://www.kernel.org/pub/linux/libs/pam/library/ +#DL-URL: https://fedorahosted.org/releases/l/i/linux-pam/ Source: Linux-PAM-%{version}.tar.bz2 Source1: Linux-PAM-%{version}-docs.tar.bz2 Source2: securetty @@ -52,9 +56,6 @@ Source7: common-session.pamd Source8: etc.environment Source9: baselibs.conf Patch0: pam_tally-deprecated.diff -Patch1: bug-724480_pam_env-fix-overflow.patch -Patch2: bug-724480_pam_env-fix-dos.patch -Patch3: pam_tally2-man.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -65,10 +66,11 @@ having to recompile programs that do authentication. %package doc -License: GPL-2.0+ or BSD-3-Clause Summary: Documentation for Pluggable Authentication Modules Group: Documentation/HTML -###BuildArch: noarch +%if 0%{?suse_version} >= 1140 +BuildArch: noarch +%endif %description doc PAM (Pluggable Authentication Modules) is a system security tool that @@ -80,11 +82,9 @@ This package contains the documentation. %package devel -License: GPL-2.0+ or BSD-3-Clause Summary: Include Files and Libraries for PAM-Development Group: Development/Libraries/C and C++ Requires: pam = %{version} glibc-devel -AutoReqProv: on # bug437293 %ifarch ppc64 Obsoletes: pam-devel-64bit @@ -104,15 +104,12 @@ building both PAM-aware applications and modules for use with PAM. %prep %setup -q -n Linux-PAM-%{version} -b 1 %patch0 -p0 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 %build -CFLAGS="$RPM_OPT_FLAGS -DNDEBUG" \ -./configure \ - --infodir=%{_infodir} \ - --mandir=%{_mandir} \ +export CFLAGS="%optflags -DNDEBUG" +%configure \ + --sbindir=/sbin \ + --includedir=%_includedir/security \ --docdir=%{_docdir}/pam \ --htmldir=%{_docdir}/pam/html \ --pdfdir=%{_docdir}/pam/pdf \ @@ -179,15 +176,12 @@ install -m 644 NEWS COPYING $DOC # Create filelist with translatins %{find_lang} Linux-PAM -%clean -rm -rf $RPM_BUILD_ROOT +%verifyscript +%verify_permissions -e /sbin/unix_chkpwd %post -p /sbin/ldconfig -%postun -/sbin/ldconfig -%verifyscript -%verify_permissions -e /sbin/unix_chkpwd +%postun -p /sbin/ldconfig %files -f Linux-PAM.lang %defattr(-,root,root) diff --git a/pam_tally2-man.dif b/pam_tally2-man.dif deleted file mode 100644 index cee8222..0000000 --- a/pam_tally2-man.dif +++ /dev/null @@ -1,55 +0,0 @@ -Index: Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8 -=================================================================== ---- Linux-PAM-1.1.4.orig/modules/pam_tally2/pam_tally2.8 -+++ Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8 -@@ -269,13 +269,6 @@ If the module is invoked by a user with - \fBsu\fR, otherwise this argument should be omitted\&. - .RE - .PP --\fBno_lock_time\fR --.RS 4 --Do not use the \&.fail_locktime field in --\FC/var/log/faillog\F[] --for this user\&. --.RE --.PP - \fBeven_deny_root\fR - .RS 4 - Root account can become unavailable\&. -Index: Linux-PAM-1.1.4/modules/pam_tally2/README -=================================================================== ---- Linux-PAM-1.1.4.orig/modules/pam_tally2/README -+++ Linux-PAM-1.1.4/modules/pam_tally2/README -@@ -76,10 +76,6 @@ AUTH OPTIONS - incremented. The sysadmin should use this for user launched services, - like su, otherwise this argument should be omitted. - -- no_lock_time -- -- Do not use the .fail_locktime field in /var/log/faillog for this user. -- - even_deny_root - - Root account can become unavailable. -Index: Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8.xml -=================================================================== ---- Linux-PAM-1.1.4.orig/modules/pam_tally2/pam_tally2.8.xml -+++ Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8.xml -@@ -238,17 +238,6 @@ - - - -- -- -- -- -- Do not use the .fail_locktime field in -- /var/log/faillog for this user. -- -- -- -- -- - - -