From a9c292fdf9ae53b86109337165214d8aadb155e7 Mon Sep 17 00:00:00 2001
From: Wayne Werner <wwerner@vmware.com>
Date: Fri, 1 Apr 2022 14:21:57 -0500
Subject: [PATCH] Fix for CVE-2022-22967 (bsc#1200566)
---
changelog/pam_auth.security | 1 +
salt/auth/pam.py | 2 +-
tests/pytests/unit/auth/test_pam.py | 32 +++++++++++++++++++++++++++++
3 files changed, 34 insertions(+), 1 deletion(-)
create mode 100644 changelog/pam_auth.security
create mode 100644 tests/pytests/unit/auth/test_pam.py
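diff --git a/changelog/pam_auth.security b/changelog/pam_auth.security
new file mode 100644
index 0000000000..52943680f4
--- /dev/null
+++ b/changelog/pam_auth.security
@@ -0,0 +1 @@
+Fixed PAM auth to reject auth attempt if user account is locked.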
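diff --git a/salt/auth/pam.py b/salt/auth/pam.py
index a9dde95149..d91883b743 100644
--- a/salt/auth/pam.py
+++ b/salt/auth/pam.py
@@ -209,7 +209,7 @@ def authenticate(username, password):
 
     retval = PAM_AUTHENTICATE(handle, 0)
     if retval == 0:
-        PAM_ACCT_MGMT(handle, 0)
+        retval = PAM_ACCT_MGMT(handle, 0)
     PAM_END(handle, 0)
     return retval == 0
 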
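Review bot: The added `retval = PAM_ACCT_MGMT(handle, 0)` line carries the whole security fix but nothing in the code says why the account-management result must gate the outcome, so a later refactor could silently drop the assignment again; a comment such as `# pam_acct_mgmt() reports locked/expired accounts; a successful pam_authenticate() alone must not grant access` on that line would pin the intent next to the code. The `PAM_END(handle, 0)` call on the following context line still passes a hard-coded status rather than the last PAM result, which the PAM API documents as the value modules receive for cleanup; passing `retval` there would be more conventional, though that behaviour predates this patch. The body of authenticate begins and ends outside the hunk, so how a non-zero PAM_START is handled cannot be checked from here.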
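diff --git a/tests/pytests/unit/auth/test_pam.py b/tests/pytests/unit/auth/test_pam.py
new file mode 100644
index 0000000000..f5f49e65d8
--- /dev/null
+++ b/tests/pytests/unit/auth/test_pam.py
@@ -0,0 +1,32 @@
+import pytest
+import salt.auth.pam
+from tests.support.mock import patch
+
+
+@pytest.fixture
+def configure_loader_modules():
+    return {salt.auth.pam: {}}
+
+
+@pytest.fixture
+def mock_pam():
+    with patch("salt.auth.pam.CALLOC", autospec=True), patch(
+        "salt.auth.pam.pointer", autospec=True
+    ), patch("salt.auth.pam.PamHandle", autospec=True), patch(
+        "salt.auth.pam.PAM_START", autospec=True, return_value=0
+    ), patch(
+        "salt.auth.pam.PAM_AUTHENTICATE", autospec=True, return_value=0
+    ), patch(
+        "salt.auth.pam.PAM_END", autospec=True
+    ):
+        yield
+
+
+def test_cve_if_pam_acct_mgmt_returns_nonzero_authenticate_should_be_false(mock_pam):
+    with patch("salt.auth.pam.PAM_ACCT_MGMT", autospec=True, return_value=42):
+        assert salt.auth.pam.authenticate(username="fnord", password="fnord") is False
+
+
+def test_if_pam_acct_mgmt_returns_zero_authenticate_should_be_true(mock_pam):
+    with patch("salt.auth.pam.PAM_ACCT_MGMT", autospec=True, return_value=0):
+        assert salt.auth.pam.authenticate(username="fnord", password="fnord") is True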
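Review bot: The regression test `test_cve_if_pam_acct_mgmt_returns_nonzero_authenticate_should_be_false` names a CVE only generically, so a reader cannot connect it to the advisory without the commit message; a one-line docstring `"""Regression test for CVE-2022-22967: a non-zero pam_acct_mgmt() result (e.g. a locked account) must fail authentication."""` would make the test self-describing. The `mock_pam` fixture fixes PAM_START and PAM_AUTHENTICATE to 0, so only the account-management branch is exercised; a companion case with PAM_AUTHENTICATE returning non-zero would also pin that authentication failures alone still yield False, though that behaviour lies outside this diff. The `return_value=42` stands in for any non-zero PAM status, which is fine but worth a short comment so it is not mistaken for a specific PAM error code.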
--
2.36.1