SHA256
1
0
forked from pool/pam

- Update to version 1.6.0

- Added support of configuration files with arbitrarily long lines.
  - build: fixed build outside of the source tree.
  - libpam: added use of getrandom(2) as a source of randomness if available.
  - libpam: fixed calculation of fail delay with very long delays.
  - libpam: fixed potential infinite recursion with includes.
  - libpam: implemented string to number conversions validation when parsing
    controls in configuration.
  - pam_access: added quiet_log option.
  - pam_access: fixed truncation of very long group names.
  - pam_canonicalize_user: new module to canonicalize user name.
  - pam_echo: fixed file handling to prevent overflows and short reads.
  - pam_env: added support of '\' character in environment variable values.
  - pam_exec: allowed expose_authtok for password PAM_TYPE.
  - pam_exec: fixed stack overflow with binary output of programs.
  - pam_faildelay: implemented parameter ranges validation.
  - pam_listfile: changed to treat \r and \n exactly the same in configuration.
  - pam_mkhomedir: hardened directory creation against timing attacks.
  - Please note that using *at functions leads to more open file handles
    during creation.
  - pam_namespace: fixed potential local DoS (CVE-2024-22365).
  - pam_nologin: fixed file handling to prevent short reads.
  - pam_pwhistory: helper binary is now built only if SELinux support is
    enabled.
  - pam_pwhistory: implemented reliable usernames handling when remembering
    passwords.
  - pam_shells: changed to allow shell entries with absolute paths only.
  - pam_succeed_if: fixed treating empty strings as numerical value 0.
  - pam_unix: added support of disabled password aging.
  - pam_unix: synchronized password aging with shadow.

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=280
This commit is contained in:
Thorsten Kukuk 2024-01-18 09:18:10 +00:00 committed by Git OBS Bridge
parent add873f61e
commit e352b2c661
11 changed files with 77 additions and 196 deletions

BIN
Linux-PAM-1.5.3.tar.xz (Stored with Git LFS)

Binary file not shown.

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJkWBFQAAoJEKgEH6g54W42OoMP/R1O9dvpncrR4DfD3yJViTPw
To3isPszsdHhw/uZUzCBEUMxhJgUgefzHGAng1EbTyX2eTLk/cnLY8pZLXr3pzC0
5CfacxAqgjK8B/7CbchsZQCDal84E5jR8qyzVCM3IPxZQfpiR3HJzXVjhg/gnBcY
L6v7FbLpcdM2keHHT1C/hyQfTnzyIdmwyzRdE1DF3ERbe3/1VlNmANNOacZ1H2T9
Hs5dVIFiXwOO11Xku42oOo99LCqXyIsRnEogBFCORHNjD7B88lCdJAHssBdvWq5t
/CJnoGtJrVCXs11JVPSNyW0rm24rZH9YCC6yVRIuMq6jjMBawFUlMAqamLoSA3hK
4BPuPqQjHYk/D5H+m0HF2qRDpz76Bj1zdmYofqspeJf4QJOyOpMSXFY3pgsohuKW
P8YQ44cAkmMswFqMSKGi9EVnf6SVXWQFoHJhtlbUgi7ef/4IICrbtgSSE96OGdlg
Sdoplu3n+1HClaYqlHbjkd/m0Hc8QvOjovctb0Zoclnlup+u2JH4rDNqjxFUvkWB
8CeILjebgBrNRqAFDx7fKBEQyHs5FLOtUU1SwBLXXSyMCHuMhr/tKBHcbDgMhpVP
IiIyYGyEGUoIR/er5AgIX9e6/zcQbc8OvY+gTu9t+tw+HIt8hGvUUkuYX8LB1k6r
zf06e/iTT4GL6AhJtbh3
=2hyW
-----END PGP SIGNATURE-----

BIN
Linux-PAM-1.6.0.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJlp6wnAAoJEKgEH6g54W42MiEP/A9ZznPwFC64SbhbvFYOt6dI
n7NMhzBK4NNw4FLuqeTtIDibNVZ5PkrPHTVaaUuZ2etIkAtUzQLJfB6AyIUY80Gm
NrURXs3LTGZT413A5hH21wUiMLFXIi8GGcz2THV9FJX4KruOkvxXVTxUH6ntlsHY
U+NpNbQXtbq7whzdb7A2W7Ofyg4/gG/QJuLil1cS0rlGg2GhGqxQKBpzvag3fFM3
XQClfUTF0ALhR6RH0HzolwEsOSp/C1US0mHHfBsvMlbkHrba5VrlQyvdximtzXxw
6+vNaYVd0SX40e3QCLFQ3yAwqAVK6g0lVlgohSCZbjDJgdcoklShE2x7GtVyzwMi
Vic7nkzANQPb0EH14Bo+SMQEOGtZ99tVUt4jX4Rt6f0P/pBCiF6ugJj/IJ67Ouu2
gp1aRVFrrhFetucdeZhnXb7IJ8h4FDtklRcOS8OgsPGJofLjZmVICrwt6sxpU30n
b/csdoJ1xrMuvo1RGAeSi58sz4KiyKxnTDJL1+7owoK6oNMkN2HR6pE4NH0Atm4n
NcQykgvavC6GZwUsMqrGQypG30LdkKiRScPqCerNYzi01iL7Zxw5BK/plFBwCqJQ
LQH1FUUKEUMA13dt/bUOMSUNmkyIC3PtE69g6XeLRL1M00gRwGgjn8azcYDzOWox
zxDFnUsJ/JgmJm3y47J2
=wzV/
-----END PGP SIGNATURE-----

View File

@ -1,51 +0,0 @@
From 5fa961fd3b5b8cf5ba1a0cf49b10ebf79e273e96 Mon Sep 17 00:00:00 2001
From: Pino Toscano <toscano.pino@tiscali.it>
Date: Mon, 8 May 2023 18:39:36 +0200
Subject: [PATCH] configure.ac: add --enable-examples option
Allow the user to not build the examples through --disable-examples
(enabled by default); this can be useful:
- when cross-compiling, as the examples are not useful
- in distribution builds, not building stuff that is not used in any
way
---
Makefile.am | 5 ++++-
configure.ac | 5 +++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index deb252680..2e8fede7b 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4,11 +4,14 @@
AUTOMAKE_OPTIONS = 1.9 gnu dist-xz no-dist-gzip check-news
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
+SUBDIRS = libpam tests libpamc libpam_misc modules po conf xtests
if HAVE_DOC
SUBDIRS += doc
endif
+if HAVE_EXAMPLES
+SUBDIRS += examples
+endif
CLEANFILES = *~
diff --git a/configure.ac b/configure.ac
index b9b0f8392..6666b1b26 100644
--- a/configure.ac
+++ b/configure.ac
@@ -224,6 +224,11 @@ AC_ARG_ENABLE([doc],
WITH_DOC=$enableval, WITH_DOC=yes)
AM_CONDITIONAL([HAVE_DOC], [test "x$WITH_DOC" = "xyes"])
+AC_ARG_ENABLE([examples],
+ AS_HELP_STRING([--disable-examples],[Do not build the examples]),
+ WITH_EXAMPLES=$enableval, WITH_EXAMPLES=yes)
+AM_CONDITIONAL([HAVE_EXAMPLES], [test "x$WITH_EXAMPLES" = "xyes"])
+
AC_ARG_ENABLE([prelude],
AS_HELP_STRING([--disable-prelude],[do not use prelude]),
WITH_PRELUDE=$enableval, WITH_PRELUDE=yes)

View File

@ -12,7 +12,7 @@ grep -rh LOGIN_DEFS . |
sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
LC_ALL=C sort -u >pam-login_defs-vars.lst
if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != cda62ec4158236270a5a30ba1875fa2795926f23 ; then
if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 8521c47f55dff97fac980d52395b763590cd3f07 ; then
echo "does not match!" >&2
echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2

View File

@ -1,3 +1,57 @@
-------------------------------------------------------------------
Thu Jan 18 08:28:14 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
- Update to version 1.6.0
- Added support of configuration files with arbitrarily long lines.
- build: fixed build outside of the source tree.
- libpam: added use of getrandom(2) as a source of randomness if available.
- libpam: fixed calculation of fail delay with very long delays.
- libpam: fixed potential infinite recursion with includes.
- libpam: implemented string to number conversions validation when parsing
controls in configuration.
- pam_access: added quiet_log option.
- pam_access: fixed truncation of very long group names.
- pam_canonicalize_user: new module to canonicalize user name.
- pam_echo: fixed file handling to prevent overflows and short reads.
- pam_env: added support of '\' character in environment variable values.
- pam_exec: allowed expose_authtok for password PAM_TYPE.
- pam_exec: fixed stack overflow with binary output of programs.
- pam_faildelay: implemented parameter ranges validation.
- pam_listfile: changed to treat \r and \n exactly the same in configuration.
- pam_mkhomedir: hardened directory creation against timing attacks.
- Please note that using *at functions leads to more open file handles
during creation.
- pam_namespace: fixed potential local DoS (CVE-2024-22365).
- pam_nologin: fixed file handling to prevent short reads.
- pam_pwhistory: helper binary is now built only if SELinux support is
enabled.
- pam_pwhistory: implemented reliable usernames handling when remembering
passwords.
- pam_shells: changed to allow shell entries with absolute paths only.
- pam_succeed_if: fixed treating empty strings as numerical value 0.
- pam_unix: added support of disabled password aging.
- pam_unix: synchronized password aging with shadow.
- pam_unix: implemented string to number conversions validation.
- pam_unix: fixed truncation of very long user names.
- pam_unix: corrected rounds retrieval for configured encryption method.
- pam_unix: implemented reliable usernames handling when remembering
passwords.
- pam_unix: changed to always run the helper to obtain shadow password
entries.
- pam_unix: unix_update helper binary is now built only if SELinux support
is enabled.
- pam_unix: added audit support to unix_update helper.
- pam_userdb: added gdbm support.
- Multiple minor bug fixes, portability fixes, documentation improvements,
and translation updates.
- The following patches are obsolete with the update:
- pam_access-doc-IPv6-link-local.patch
- pam_access-hostname-debug.patch
- pam_shells-fix-econf-memory-leak.patch
- pam_shells-fix-econf-memory-leak.patch
- pam-login_defs-check.sh: adjust checksum, SHA_CRYPT_MAX_ROUNDS
is no longer used.
-------------------------------------------------------------------
Wed Aug 23 09:20:06 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>

View File

@ -71,7 +71,7 @@
#
Name: pam%{name_suffix}
#
Version: 1.5.3
Version: 1.6.0
Release: 0
Summary: A Security Tool that Provides Authentication for Applications
License: GPL-2.0-or-later OR BSD-3-Clause
@ -96,14 +96,6 @@ Source22: postlogin-account.pamd
Source23: postlogin-password.pamd
Source24: postlogin-session.pamd
Patch1: pam-limit-nproc.patch
# https://github.com/linux-pam/linux-pam/pull/594
Patch2: pam_access-doc-IPv6-link-local.patch
# https://github.com/linux-pam/linux-pam/pull/596
Patch3: pam_access-hostname-debug.patch
# https://github.com/linux-pam/linux-pam/pull/581
Patch4: pam_shells-fix-econf-memory-leak.patch
# https://github.com/linux-pam/linux-pam/pull/574
Patch5: disable-examples.patch
BuildRequires: audit-devel
BuildRequires: bison
BuildRequires: flex
@ -214,10 +206,6 @@ building both PAM-aware applications and modules for use with PAM.
%setup -q -n Linux-PAM-%{version}
cp -a %{SOURCE12} .
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build
bash ./pam-login_defs-check.sh
@ -237,7 +225,9 @@ autoreconf
--enable-isadir=../..%{_pam_moduledir} \
--enable-securedir=%{_pam_moduledir} \
--enable-vendordir=%{_prefix}/etc \
%if "%{flavor}" == "full"
--enable-logind \
%endif
--disable-examples \
--disable-nis \
%if %{with debug}

View File

@ -1,63 +0,0 @@
From 4ba3105511c3a55fc750a790f7310c6d7ebfdfda Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@suse.com>
Date: Thu, 3 Aug 2023 17:11:32 +0200
Subject: [PATCH] pam_access: document IPv6 link-local addresses (#582)
* modules/pam_access/access.conf.5.xml: Add example and note for IPv6
link-local addresses
* modules/pam_access/access.conf: Add example for IPv6 link-local
addresses
---
modules/pam_access/access.conf | 3 +++
modules/pam_access/access.conf.5.xml | 12 +++++++++++-
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/modules/pam_access/access.conf b/modules/pam_access/access.conf
index 47b6b84c1..9c8e21716 100644
--- a/modules/pam_access/access.conf
+++ b/modules/pam_access/access.conf
@@ -115,6 +115,9 @@
# User "john" should get access from ipv6 host address (same as above)
#+:john:2001:4ca0:0:101:0:0:0:1
#
+# User "john" should get access from ipv6 local link host address
+#+:john:fe80::de95:818c:1b55:7e42%eth0
+#
# User "john" should get access from ipv6 net/mask
#+:john:2001:4ca0:0:101::/64
#
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
index ff1cb2237..2dc5d477c 100644
--- a/modules/pam_access/access.conf.5.xml
+++ b/modules/pam_access/access.conf.5.xml
@@ -188,6 +188,12 @@
</para>
<para>+:john foo:2001:db8:0:101::1</para>
+ <para>
+ User <emphasis>john</emphasis> and <emphasis>foo</emphasis>
+ should get access from IPv6 link local host address.
+ </para>
+ <para>+:john foo:fe80::de95:818c:1b55:7e42%eth1</para>
+
<para>
User <emphasis>john</emphasis> should get access from IPv6 net/mask.
</para>
@@ -222,6 +228,10 @@
item and the line will be most probably ignored. For this reason, it is not
recommended to put spaces around the ':' characters.
</para>
+ <para>
+ An IPv6 link local host address must contain the interface
+ identifier. IPv6 link local network/netmask is not supported.
+ </para>
</refsect1>
<refsect1 xml:id="access.conf-see_also">
@@ -246,4 +256,4 @@
introduced by Mike Becher &lt;mike.becher@lrz-muenchen.de&gt;.
</para>
</refsect1>
-</refentry>
\ No newline at end of file
+</refentry>

View File

@ -1,27 +0,0 @@
From 741acf4ff707d53b94947736a01eeeda5e2c7e98 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@suse.com>
Date: Fri, 4 Aug 2023 15:46:16 +0200
Subject: [PATCH] pam_access: make non-resolveable hostname a debug output
(#590)
* modules/pam_access/pam_access.c (network_netmask_match): Don't print
an error if a string is not resolveable, only a debug message in debug
mode. We even don't know if that entry is for remote logins or not.
---
modules/pam_access/pam_access.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index f70b7e495..985dc7de2 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -876,7 +876,8 @@ network_netmask_match (pam_handle_t *pamh,
*/
if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
{
- pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok);
+ if (item->debug)
+ pam_syslog(pamh, LOG_DEBUG, "cannot resolve hostname \"%s\"", tok);
return NO;
}

View File

@ -1,22 +0,0 @@
From 1a734af22a9f35a9a09edaea44a4e0767de6343b Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Thu, 18 May 2023 17:55:21 +0200
Subject: [PATCH] pam_shells: Plug econf memory leak
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
modules/pam_shells/pam_shells.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c
index 05c09c656..276a56dd5 100644
--- a/modules/pam_shells/pam_shells.c
+++ b/modules/pam_shells/pam_shells.c
@@ -112,6 +112,7 @@ static int perform_check(pam_handle_t *pamh)
if (!retval)
break;
}
+ econf_free (keys);
econf_free (key_file);
#else
char shellFileLine[256];