Accepting request 109933 from Linux-PAM

- Update to new upstream release 1.1.5 * pam_env: Fix CVE-2011-3148: correctly count leading whitespace when parsing environment file in pam_env * Fix CVE-2011-3149: when overflowing, exit with PAM_BUF_ERR in pam_env * pam_access: Add hostname resolution cache (forwarded request 107892 from jengelh) OBS-URL: https://build.opensuse.org/request/show/109933 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=52
2012-03-20 16:47:35 +00:00 · 2012-03-20 16:47:35 +00:00 · c704d4fd14
commit c704d4fd14
parent ff351dd822 04ace596ec
9 changed files with 39 additions and 152 deletions
--- a/Linux-PAM-1.1.4-docs.tar.bz2
+++ b/Linux-PAM-1.1.4-docs.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:a3bcdbcede0865f0ce40aa1c1363afc2c51a878334a31689f959b0bdcf53cc6e
 size 498363
--- a/Linux-PAM-1.1.4.tar.bz2
+++ b/Linux-PAM-1.1.4.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:13cf4775ffd4fdd8c79a88610d569ebacef738eb2be729eaf8655c942bcd9e50
 size 1123198
--- a/Linux-PAM-1.1.5-docs.tar.bz2
+++ b/Linux-PAM-1.1.5-docs.tar.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:e4b10ffebe2e5cc355bd37c4e17a2288eb90d1396b06961738a7e7ef848c754c
 size 498228
--- a/Linux-PAM-1.1.5.tar.bz2
+++ b/Linux-PAM-1.1.5.tar.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:65def4df04254dc4c5156859d36c34ad6d7afbcf3adbf2780530ebc4dbf2a116
 size 1123524
--- a/bug-724480_pam_env-fix-dos.patch
+++ b/bug-724480_pam_env-fix-dos.patch
@ -1,33 +0,0 @@
 Description: abort when encountering an overflowed environment variable
 expansion (CVE-2011-3149).
 Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565
 Author: Kees Cook <kees@debian.org>
 Index: Linux-PAM-1.1.4/modules/pam_env/pam_env.c
 ===================================================================
 --- Linux-PAM-1.1.4.orig/modules/pam_env/pam_env.c
 +++ Linux-PAM-1.1.4/modules/pam_env/pam_env.c
@@ -570,6 +570,7 @@ static int _expand_arg(pam_handle_t *pam
 	D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
 	pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>",
 		 tmp, tmpptr);
 +	return PAM_ABORT;
       }
       continue;
     }
@@ -631,6 +632,7 @@ static int _expand_arg(pam_handle_t *pam
 	    D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
 	    pam_syslog (pamh, LOG_ERR,
 			"Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
 +	    return PAM_ABORT;
 	  }
 	}
       }           /* if ('{' != *orig++) */
@@ -642,6 +644,7 @@ static int _expand_arg(pam_handle_t *pam
 	D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
 	pam_syslog(pamh, LOG_ERR,
 		   "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
 +	return PAM_ABORT;
       }
     }
   }              /* for (;*orig;) */
--- a/bug-724480_pam_env-fix-overflow.patch
+++ b/bug-724480_pam_env-fix-overflow.patch
@ -1,29 +0,0 @@
 Description: correctly count leading whitespace when parsing environment
 file (CVE-2011-3148).
 Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469
 Author: Kees Cook <kees@debian.org>
 Index: Linux-PAM-1.1.4/modules/pam_env/pam_env.c
 ===================================================================
 --- Linux-PAM-1.1.4.orig/modules/pam_env/pam_env.c
 +++ Linux-PAM-1.1.4/modules/pam_env/pam_env.c
@@ -290,6 +290,7 @@ static int _assemble_line(FILE *f, char
     char *p = buffer;
     char *s, *os;
     int used = 0;
 +    int whitespace;
     /* loop broken with a 'break' when a non-'\\n' ended line is read */
@@ -312,8 +313,10 @@ static int _assemble_line(FILE *f, char
 	/* skip leading spaces --- line may be blank */
 -	s = p + strspn(p, " \n\t");
 +	whitespace = strspn(p, " \n\t");
 +	s = p + whitespace;
 	if (*s && (*s != '#')) {
 +	    used += whitespace;
 	    os = s;
 	    /*
--- a/pam.changes
+++ b/pam.changes
@ -1,3 +1,13 @@
 -------------------------------------------------------------------
 Sat Mar  3 15:16:42 UTC 2012 - jengelh@medozas.de
 - Update to new upstream release 1.1.5
 * pam_env: Fix CVE-2011-3148: correctly count leading whitespace
  when parsing environment file in pam_env
 * Fix CVE-2011-3149: when overflowing, exit with PAM_BUF_ERR in
  pam_env
 * pam_access: Add hostname resolution cache
 -------------------------------------------------------------------
 Tue Oct 25 14:24:27 CEST 2011 - mc@suse.de
--- a/pam.spec
+++ b/pam.spec
@ -1,7 +1,7 @@
 #
 # spec file for package pam
 #
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -15,32 +15,36 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 # norootforbuild
 %define enable_selinux 1
 Name:           pam
 Url:            http://www.kernel.org/pub/linux/libs/pam/
 BuildRequires:  bison cracklib-devel db-devel flex
 BuildRequires:  audit-devel
-BuildRequires:  libtirpc-devel
+BuildRequires:  bison
 BuildRequires:  cracklib-devel
 BuildRequires:  db-devel
 BuildRequires:  flex
 BuildRequires:  pkgconfig(libtirpc)
 %if %{enable_selinux}
 BuildRequires:  libselinux-devel
 %endif
 %define libpam_so_version 0.83.1
 %define libpam_misc_so_version 0.82.0
 %define libpamc_so_version 0.82.1
 License:        GPL-2.0+ or BSD-3-Clause
 Group:          System/Libraries
 AutoReqProv:    on
 # bug437293
 %ifarch ppc64
 Obsoletes:      pam-64bit
 %endif
 #
-Version:        1.1.4
+Version:        1.1.5
-Release:        1
+Release:        0
 Summary:        A Security Tool that Provides Authentication for Applications
 License:        GPL-2.0+ or BSD-3-Clause
 Group:          System/Libraries
 ###DL-URL:	http://www.kernel.org/pub/linux/libs/pam/library/
 #DL-URL:	https://fedorahosted.org/releases/l/i/linux-pam/
 Source:         Linux-PAM-%{version}.tar.bz2
 Source1:        Linux-PAM-%{version}-docs.tar.bz2
 Source2:        securetty
@ -52,9 +56,6 @@ Source7:        common-session.pamd
 Source8:        etc.environment
 Source9:        baselibs.conf
 Patch0:         pam_tally-deprecated.diff
 Patch1:         bug-724480_pam_env-fix-overflow.patch
 Patch2:         bug-724480_pam_env-fix-dos.patch
 Patch3:         pam_tally2-man.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %description
@ -65,10 +66,11 @@ having to recompile programs that do authentication.
 %package doc
 License:        GPL-2.0+ or BSD-3-Clause
 Summary:        Documentation for Pluggable Authentication Modules
 Group:          Documentation/HTML
-###BuildArch:      noarch
+%if 0%{?suse_version} >= 1140
 BuildArch:      noarch
 %endif
 %description doc
 PAM (Pluggable Authentication Modules) is a system security tool that
@ -80,11 +82,9 @@ This package contains the documentation.
 %package devel
 License:        GPL-2.0+ or BSD-3-Clause
 Summary:        Include Files and Libraries for PAM-Development
 Group:          Development/Libraries/C and C++
 Requires:       pam = %{version} glibc-devel
 AutoReqProv:    on
 # bug437293
 %ifarch ppc64
 Obsoletes:      pam-devel-64bit
@ -104,15 +104,12 @@ building both PAM-aware applications and modules for use with PAM.
 %prep
 %setup -q -n Linux-PAM-%{version} -b 1
 %patch0 -p0
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %build
-CFLAGS="$RPM_OPT_FLAGS -DNDEBUG" \
+export CFLAGS="%optflags -DNDEBUG"
-./configure \
+%configure \
-        --infodir=%{_infodir} \
+	--sbindir=/sbin \
-        --mandir=%{_mandir} \
+	--includedir=%_includedir/security \
 	--docdir=%{_docdir}/pam \
 	--htmldir=%{_docdir}/pam/html \
 	--pdfdir=%{_docdir}/pam/pdf \
@ -179,15 +176,12 @@ install -m 644 NEWS COPYING $DOC
 # Create filelist with translatins
 %{find_lang} Linux-PAM
-%clean
+%verifyscript
-rm -rf $RPM_BUILD_ROOT
+%verify_permissions -e /sbin/unix_chkpwd
 %post -p /sbin/ldconfig
-%postun
+%postun -p /sbin/ldconfig
 /sbin/ldconfig
 %verifyscript
 %verify_permissions -e /sbin/unix_chkpwd
 %files -f Linux-PAM.lang
 %defattr(-,root,root)
--- a/pam_tally2-man.dif
+++ b/pam_tally2-man.dif
@ -1,55 +0,0 @@
 Index: Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8
 ===================================================================
 --- Linux-PAM-1.1.4.orig/modules/pam_tally2/pam_tally2.8
 +++ Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8
@@ -269,13 +269,6 @@ If the module is invoked by a user with
 \fBsu\fR, otherwise this argument should be omitted\&.
 .RE
 .PP
 -\fBno_lock_time\fR
 -.RS 4
 -Do not use the \&.fail_locktime field in
 -\FC/var/log/faillog\F[]
 -for this user\&.
 -.RE
 -.PP
 \fBeven_deny_root\fR
 .RS 4
 Root account can become unavailable\&.
 Index: Linux-PAM-1.1.4/modules/pam_tally2/README
 ===================================================================
 --- Linux-PAM-1.1.4.orig/modules/pam_tally2/README
 +++ Linux-PAM-1.1.4/modules/pam_tally2/README
@@ -76,10 +76,6 @@ AUTH OPTIONS
         incremented. The sysadmin should use this for user launched services,
         like su, otherwise this argument should be omitted.
 -    no_lock_time
 -
 -        Do not use the .fail_locktime field in /var/log/faillog for this user.
 -
     even_deny_root
         Root account can become unavailable.
 Index: Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8.xml
 ===================================================================
 --- Linux-PAM-1.1.4.orig/modules/pam_tally2/pam_tally2.8.xml
 +++ Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8.xml
@@ -238,17 +238,6 @@
             </varlistentry>
             <varlistentry>
               <term>
 -                <option>no_lock_time</option>
 -              </term>
 -              <listitem>
 -                <para>
 -                  Do not use the .fail_locktime field in
 -                  <filename>/var/log/faillog</filename> for this user.
 -                </para>
 -              </listitem>
 -            </varlistentry>
 -            <varlistentry>
 -              <term>
                 <option>even_deny_root</option>
               </term>
               <listitem>