From ffef56590d68c334819ecf26118a257bdafccf6b Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Mon, 18 May 2020 19:17:21 +0000 Subject: Mon May 18 19:17:21 UTC 2020 Greetings! After three months in /testing, the PAM merge into the main tree is now complete. When updating, be sure to install the new pam, cracklib, and libpwquality packages or you may find yourself locked out of your machine. Otherwise, these changes should be completely transparent and you shouldn't notice any obvious operational differences. Be careful if you make any changes in /etc/pam.d/ - leaving an extra console logged in while testing PAM config changes is a recommended standard procedure. Thanks again to Robby Workman, Vincent Batts, Phantom X, and ivandi for help implementing this. It's not done yet and there will be more fine-tuning of the config files, but now we can move on to build some other updates. Enjoy! a/cracklib-2.9.7-x86_64-1.txz: Added. a/kernel-firmware-20200517_f8d32e4-noarch-1.txz: Upgraded. a/libcgroup-0.41-x86_64-7.txz: Rebuilt. Rebuilt to add PAM support. a/libpwquality-1.4.2-x86_64-1.txz: Added. a/lilo-24.2-x86_64-9.txz: Rebuilt. Enable the "compact" option by default. liloconfig: correctly set the root partition. a/pam-1.3.1-x86_64-1.txz: Added. a/shadow-4.8.1-x86_64-7.txz: Rebuilt. Rebuilt to add PAM support. a/utempter-1.2.0-x86_64-1.txz: Upgraded. a/util-linux-2.35.1-x86_64-6.txz: Rebuilt. Rebuilt to add PAM support. a/xfsprogs-5.6.0-x86_64-2.txz: Rebuilt. Recompiled against icu4c-67.1. ap/at-3.2.1-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. ap/cups-2.3.3-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. ap/hplip-3.20.5-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. ap/mariadb-10.4.13-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. ap/screen-4.8.0-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. ap/soma-3.3.0-noarch-1.txz: Upgraded. Thanks to David Woodfall. ap/sqlite-3.31.1-x86_64-2.txz: Rebuilt. Recompiled against icu4c-67.1. ap/sudo-1.9.0-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. ap/vim-8.2.0788-x86_64-1.txz: Upgraded. d/bison-3.6.2-x86_64-1.txz: Upgraded. d/meson-0.54.2-x86_64-1.txz: Upgraded. d/python-setuptools-46.4.0-x86_64-1.txz: Upgraded. d/vala-0.48.6-x86_64-1.txz: Upgraded. kde/calligra-2.9.11-x86_64-36.txz: Rebuilt. Recompiled against icu4c-67.1. kde/kde-workspace-4.11.22-x86_64-7.txz: Rebuilt. Rebuilt to add PAM support. l/ConsoleKit2-1.2.1-x86_64-4.txz: Rebuilt. Rebuilt to add PAM support. l/boost-1.73.0-x86_64-2.txz: Rebuilt. Recompiled against icu4c-67.1. l/gnome-keyring-3.36.0-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. l/harfbuzz-2.6.6-x86_64-2.txz: Rebuilt. Recompiled against icu4c-67.1. l/icu4c-67.1-x86_64-1.txz: Upgraded. Shared library .so-version bump. l/imagemagick-7.0.10_13-x86_64-1.txz: Upgraded. l/libcap-2.34-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. l/libical-3.0.8-x86_64-2.txz: Rebuilt. Recompiled against icu4c-67.1. l/libuv-1.38.0-x86_64-1.txz: Upgraded. l/libvisio-0.1.7-x86_64-3.txz: Rebuilt. Recompiled against icu4c-67.1. l/polkit-0.116-x86_64-3.txz: Rebuilt. Rebuilt to add PAM support. l/qt-4.8.7-x86_64-16.txz: Rebuilt. Recompiled against icu4c-67.1. l/qt5-5.13.2-x86_64-4.txz: Rebuilt. Recompiled against icu4c-67.1. l/qt5-webkit-5.212.0_alpha4-x86_64-2.txz: Rebuilt. Recompiled against icu4c-67.1. l/raptor2-2.0.15-x86_64-9.txz: Rebuilt. Recompiled against icu4c-67.1. l/system-config-printer-1.5.12-x86_64-4.txz: Rebuilt. Rebuilt to add PAM support. l/vte-0.60.2-x86_64-2.txz: Rebuilt. Recompiled against icu4c-67.1. n/cifs-utils-6.10-x86_64-4.txz: Rebuilt. Rebuilt to add PAM support. n/cyrus-sasl-2.1.27-x86_64-4.txz: Rebuilt. Rebuilt to add PAM support. n/dovecot-2.3.10.1-x86_64-1.txz: Upgraded. Rebuilt to add PAM support. Compiled against icu4c-67.1. This update fixes several denial-of-service vulnerabilities. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10957 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10958 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10967 (* Security fix *) n/mutt-1.14.1-x86_64-1.txz: Upgraded. n/netatalk-3.1.12-x86_64-3.txz: Rebuilt. Rebuilt to add PAM support. n/netkit-rsh-0.17-x86_64-3.txz: Rebuilt. Rebuilt to add PAM support. n/nss-pam-ldapd-0.9.11-x86_64-1.txz: Added. n/openssh-8.2p1-x86_64-3.txz: Rebuilt. Rebuilt to add PAM support. n/openvpn-2.4.9-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. n/pam-krb5-4.9-x86_64-1.txz: Added. n/php-7.4.6-x86_64-2.txz: Rebuilt. Recompiled against icu4c-67.1. n/popa3d-1.0.3-x86_64-4.txz: Rebuilt. Rebuilt to add PAM support. n/postfix-3.5.2-x86_64-1.txz: Upgraded. Compiled against icu4c-67.1. n/ppp-2.4.8-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. n/proftpd-1.3.6c-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. n/samba-4.12.2-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. Recompiled against icu4c-67.1. n/tin-2.4.4-x86_64-2.txz: Rebuilt. Recompiled against icu4c-67.1. n/vsftpd-3.0.3-x86_64-6.txz: Rebuilt. Rebuilt to add PAM support. t/texlive-2019.190626-x86_64-4.txz: Rebuilt. Recompiled against icu4c-67.1. x/vulkan-sdk-1.2.135.0-x86_64-1.txz: Upgraded. x/xdm-1.1.11-x86_64-10.txz: Rebuilt. Rebuilt to add PAM support. x/xisxwayland-1-x86_64-1.txz: Added. xap/sane-1.0.30-x86_64-1.txz: Upgraded. This update fixes several security issues. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12867 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12862 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12863 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12865 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12866 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12861 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12864 (* Security fix *) xap/vim-gvim-8.2.0788-x86_64-1.txz: Upgraded. xap/xlockmore-5.63-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. xap/xscreensaver-5.44-x86_64-2.txz: Rebuilt. Rebuilt to add PAM support. extra/brltty/brltty-6.1-x86_64-2.txz: Rebuilt. Recompiled against icu4c-67.1. extra/pure-alsa-system/qt5-5.13.2-x86_64-4_alsa.txz: Rebuilt. Recompiled against icu4c-67.1. isolinux/initrd.img: Rebuilt. Added PAM libraries, security modules, and config files. usb-and-pxe-installers/usbboot.img: Rebuilt. Added PAM libraries, security modules, and config files. --- .../a/pam/fedora-patches/pam-1.3.1-coverity.patch | 185 +++++++++++++++++++++ 1 file changed, 185 insertions(+) create mode 100644 source/a/pam/fedora-patches/pam-1.3.1-coverity.patch (limited to 'source/a/pam/fedora-patches/pam-1.3.1-coverity.patch') diff --git a/source/a/pam/fedora-patches/pam-1.3.1-coverity.patch b/source/a/pam/fedora-patches/pam-1.3.1-coverity.patch new file mode 100644 index 000000000..cecf768f6 --- /dev/null +++ b/source/a/pam/fedora-patches/pam-1.3.1-coverity.patch @@ -0,0 +1,185 @@ +diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c +index 106ef7c..b2e94c7 100644 +--- a/libpam/pam_handlers.c ++++ b/libpam/pam_handlers.c +@@ -282,7 +282,6 @@ _pam_open_config_file(pam_handle_t *pamh + { + char *p; + FILE *f; +- int err = 0; + + /* Absolute path */ + if (service[0] == '/') { +diff --git a/libpam_misc/misc_conv.c b/libpam_misc/misc_conv.c +index be53f34..07dce36 100644 +--- a/libpam_misc/misc_conv.c ++++ b/libpam_misc/misc_conv.c +@@ -211,7 +211,7 @@ static int read_string(int echo, const char *prompt, char **retstr) + line[nc] = '\0'; + } + *retstr = strdup(line); +- _pam_overwrite(line); ++ _pam_overwrite_n(line, sizeof(line)); + if (!*retstr) { + D(("no memory for response string")); + nc = -1; +@@ -244,7 +244,7 @@ static int read_string(int echo, const char *prompt, char **retstr) + D(("the timer appears to have expired")); + + *retstr = NULL; +- _pam_overwrite(line); ++ _pam_overwrite_n(line, sizeof(line)); + + cleanexit: + +diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c +index 80d885d..3801862 100644 +--- a/modules/pam_access/pam_access.c ++++ b/modules/pam_access/pam_access.c +@@ -806,7 +806,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, + const char *user=NULL; + const void *void_from=NULL; + const char *from; +- const char const *default_config = PAM_ACCESS_CONFIG; ++ const char * const default_config = PAM_ACCESS_CONFIG; + struct passwd *user_pw; + char hostname[MAXHOSTNAMELEN + 1]; + int rv; +diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c +index 4bc4ae7..f8476b4 100644 +--- a/modules/pam_limits/pam_limits.c ++++ b/modules/pam_limits/pam_limits.c +@@ -342,7 +342,7 @@ static const char *lnames[RLIM_NLIMITS] = { + #endif + }; + +-static int str2rlimit(char *name) { ++static int str2rlimit(const char *name) { + int i; + if (!name || *name == '\0') + return -1; +@@ -352,7 +352,7 @@ static int str2rlimit(char *name) { + return -1; + } + +-static rlim_t str2rlim_t(char *value) { ++static rlim_t str2rlim_t(const char *value) { + unsigned long long rlimit = 0; + + if (!value) return (rlim_t)rlimit; +@@ -384,7 +384,7 @@ static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int + FILE *limitsfile; + const char *proclimits = "/proc/1/limits"; + char line[256]; +- char *units, *hard, *soft, *name; ++ const char *units, *hard, *soft, *name; + + if (!(limitsfile = fopen(proclimits, "r"))) { + pam_syslog(pamh, LOG_WARNING, "Could not read %s (%s), using PAM defaults", proclimits, strerror(errno)); +diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c +index 96bfd98..66d202c 100644 +--- a/modules/pam_loginuid/pam_loginuid.c ++++ b/modules/pam_loginuid/pam_loginuid.c +@@ -64,7 +64,7 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid) + fd = open("/proc/self/uid_map", O_RDONLY); + if (fd >= 0) { + count = pam_modutil_read(fd, uid_map, sizeof(uid_map)); +- if (strncmp(uid_map, host_uid_map, count) != 0) ++ if (count <= 0 || strncmp(uid_map, host_uid_map, count) != 0) + rc = PAM_IGNORE; + close(fd); + } +diff --git a/modules/pam_mkhomedir/mkhomedir_helper.c b/modules/pam_mkhomedir/mkhomedir_helper.c +index 9e204c1..4b8d6b7 100644 +--- a/modules/pam_mkhomedir/mkhomedir_helper.c ++++ b/modules/pam_mkhomedir/mkhomedir_helper.c +@@ -232,6 +232,8 @@ create_homedir(const struct passwd *pwd, + { + pam_syslog(NULL, LOG_DEBUG, + "unable to open or stat src file %s: %m", newsource); ++ if (srcfd >= 0) ++ close(srcfd); + closedir(d); + + #ifndef PATH_MAX +diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c +index f541f89..85f5efa 100644 +--- a/modules/pam_namespace/pam_namespace.c ++++ b/modules/pam_namespace/pam_namespace.c +@@ -1418,6 +1418,7 @@ static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat * + if (fstat(fd, &newstatbuf) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m", + ipath); ++ close(fd); + rmdir(ipath); + return PAM_SESSION_ERR; + } +diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c +index e6cf346..813f579 100644 +--- a/modules/pam_pwhistory/opasswd.c ++++ b/modules/pam_pwhistory/opasswd.c +@@ -326,6 +326,9 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, + n = strlen (buf); + #endif /* HAVE_GETLINE / HAVE_GETDELIM */ + ++ if (n < 1) ++ break; ++ + cp = buf; + save = strdup (buf); /* Copy to write the original data back. */ + if (save == NULL) +@@ -336,9 +339,6 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, + goto error_opasswd; + } + +- if (n < 1) +- break; +- + tmp = strchr (cp, '#'); /* remove comments */ + if (tmp) + *tmp = '\0'; +diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c +index 17baabe..a9d9140 100644 +--- a/modules/pam_rootok/pam_rootok.c ++++ b/modules/pam_rootok/pam_rootok.c +@@ -66,14 +66,17 @@ log_callback (int type, const char *fmt, ...) + int audit_fd; + va_list ap; + +- va_start(ap, fmt); + #ifdef HAVE_LIBAUDIT + audit_fd = audit_open(); + + if (audit_fd >= 0) { + char *buf; ++ int ret; + +- if (vasprintf (&buf, fmt, ap) < 0) ++ va_start(ap, fmt); ++ ret = vasprintf (&buf, fmt, ap); ++ va_end(ap); ++ if (ret < 0) + return 0; + audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, + NULL, 0); +@@ -83,6 +86,7 @@ log_callback (int type, const char *fmt, ...) + } + + #endif ++ va_start(ap, fmt); + vsyslog (LOG_USER | LOG_INFO, fmt, ap); + va_end(ap); + return 0; +diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c +index c653290..f37af0f 100644 +--- a/modules/pam_sepermit/pam_sepermit.c ++++ b/modules/pam_sepermit/pam_sepermit.c +@@ -353,7 +353,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, + if (*sense == PAM_SUCCESS) { + if (ignore) + *sense = PAM_IGNORE; +- if (geteuid() == 0 && exclusive && get_loginuid(pamh) == -1) ++ if (geteuid() == 0 && exclusive && get_loginuid(pamh) == (uid_t)-1) + if (sepermit_lock(pamh, user, debug) < 0) + *sense = PAM_AUTH_ERR; + } -- cgit v1.2.3