fix segfault in su when pam_ssh_agent_auth is used and the ssh-agent

is not running, most probably not exploitable update pam_ssh_agent_auth to 0.9.3 upstream version
2012-06-22 14:52:35 +02:00 · 2012-06-22 14:52:35 +02:00 · 4f4687ce80
commit 4f4687ce80
parent c4fd069940
5 changed files with 51 additions and 28 deletions
--- a/.gitignore
+++ b/.gitignore
@ -5,3 +5,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
 /openssh-5.8p1-noacss.tar.bz2
 /openssh-5.8p2-noacss.tar.bz2
 /openssh-5.9p1-noacss.tar.bz2
+/pam_ssh_agent_auth-0.9.3.tar.bz2
--- a/openssh.spec
+++ b/openssh.spec
@ -75,9 +75,9 @@

 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 5.9p1
-%define openssh_rel 22
-%define pam_ssh_agent_ver 0.9.2
-%define pam_ssh_agent_rel 32
+%define openssh_rel 23
+%define pam_ssh_agent_ver 0.9.3
+%define pam_ssh_agent_rel 1

 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
@ -134,8 +134,12 @@ Patch204: openssh-5.9p1-audit4.patch
 Patch205: openssh-5.9p1-audit5.patch

 # --- pam_ssh-agent ---
-Patch300: pam_ssh_agent_auth-0.9-build.patch
+# make it build reusing the openssh sources
+Patch300: pam_ssh_agent_auth-0.9.3-build.patch
+# check return value of seteuid()
 Patch301: pam_ssh_agent_auth-0.9.2-seteuid.patch
+# explicitly make pam callbacks visible
+Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch

 #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
 Patch400: openssh-5.9p1-role.patch
@ -410,6 +414,7 @@ The module is most useful for su and sudo service stacks.
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 %patch300 -p1 -b .psaa-build
 %patch301 -p1 -b .psaa-seteuid
+%patch302 -p1 -b .psaa-visibility
 # Remove duplicate headers
 rm -f $(cat %{SOURCE5})
 popd
@ -471,7 +476,9 @@ autoreconf
 popd

 %build
-CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS
+# the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth
+# and it makes the ssh build more clean and even optimized better
+CFLAGS="$RPM_OPT_FLAGS -fvisibility=hidden"; export CFLAGS
 %if %{rescue}
 CFLAGS="$CFLAGS -Os"
 %endif
@ -796,6 +803,11 @@ fi
 %endif

 %changelog
+* Fri Jun 22 2012 Tomas Mraz <tmraz@redhat.com> 5.9p1-23 + 0.9.3-1
+- fix segfault in su when pam_ssh_agent_auth is used and the ssh-agent
+  is not running, most probably not exploitable
+- update pam_ssh_agent_auth to 0.9.3 upstream version
+
 * Fri Apr 06 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-22 + 0.9.2-32
 - don't create RSA1 key in FIPS mode
 - don't install sshd-keygen.service (#810419)
--- a/pam_ssh_agent_auth-0.9.2-visibility.patch
+++ b/pam_ssh_agent_auth-0.9.2-visibility.patch
@ -0,0 +1,21 @@
+diff -up pam_ssh_agent_auth-0.9.2/pam_ssh_agent_auth.c.visibility pam_ssh_agent_auth-0.9.2/pam_ssh_agent_auth.c
+--- pam_ssh_agent_auth-0.9.2/pam_ssh_agent_auth.c.visibility	2009-12-21 20:57:34.000000000 +0100
+++ pam_ssh_agent_auth-0.9.2/pam_ssh_agent_auth.c	2012-06-21 20:01:31.356259429 +0200
+@@ -68,7 +68,7 @@ char           *__progname;
+ extern char    *__progname;
+ #endif
+ 
+-PAM_EXTERN int
+PAM_EXTERN int __attribute__ ((visibility ("default")))
+ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
+ {
+     char          **argv_ptr;
+@@ -184,7 +184,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
+ }
+ 
+ 
+-PAM_EXTERN int
+PAM_EXTERN int __attribute__ ((visibility ("default")))
+ pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv)
+ {
+     return PAM_SUCCESS;
--- a/pam_ssh_agent_auth-0.9.3-build.patch
+++ b/pam_ssh_agent_auth-0.9.3-build.patch
@ -1,7 +1,7 @@
-diff -up pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c.psaa-build pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c
--- pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c.psaa-build	2009-08-08 11:51:04.000000000 +0200
-+++ pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c	2009-10-16 15:20:55.000000000 +0200
-@@ -41,7 +41,16 @@
+diff -up pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-build pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c
+--- pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-build	2010-01-13 03:17:01.000000000 +0100
+++ pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c	2012-06-21 20:14:56.432527764 +0200
+@@ -37,7 +37,16 @@
 #include "buffer.h"
 #include "key.h"
 #include "authfd.h"
@ -18,7 +18,7 @@ diff -up pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c.psaa-build pam_ssh_agen
 #include <openssl/evp.h>
 
 #include "userauth_pubkey_from_id.h"
-@@ -73,6 +82,96 @@ session_id2_gen()
+@@ -69,6 +78,96 @@ session_id2_gen()
     return cookie;
 }
 
@ -115,7 +115,7 @@ diff -up pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c.psaa-build pam_ssh_agen
 int
 find_authorized_keys(uid_t uid)
 {
-@@ -85,7 +184,7 @@ find_authorized_keys(uid_t uid)
+@@ -81,7 +180,7 @@ find_authorized_keys(uid_t uid)
     OpenSSL_add_all_digests();
     session_id2 = session_id2_gen();
 
@ -124,14 +124,14 @@ diff -up pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c.psaa-build pam_ssh_agen
         verbose("Contacted ssh-agent of user %s (%u)", getpwuid(uid)->pw_name, uid);
         for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2)) 
         {
-@@ -113,3 +212,4 @@ find_authorized_keys(uid_t uid)
+@@ -109,3 +208,4 @@ find_authorized_keys(uid_t uid)
     EVP_cleanup();
     return retval;
 }
 +
-diff -up pam_ssh_agent_auth-0.9/Makefile.in.psaa-build pam_ssh_agent_auth-0.9/Makefile.in
--- pam_ssh_agent_auth-0.9/Makefile.in.psaa-build	2009-08-06 07:40:16.000000000 +0200
-+++ pam_ssh_agent_auth-0.9/Makefile.in	2009-10-16 15:20:55.000000000 +0200
+diff -up pam_ssh_agent_auth-0.9.3/Makefile.in.psaa-build pam_ssh_agent_auth-0.9.3/Makefile.in
+--- pam_ssh_agent_auth-0.9.3/Makefile.in.psaa-build	2009-10-27 21:19:41.000000000 +0100
+++ pam_ssh_agent_auth-0.9.3/Makefile.in	2012-06-21 20:14:56.432527764 +0200
@@ -28,7 +28,7 @@ PATHS=
 CC=@CC@
 LD=@LD@
@ -176,15 +176,4 @@ diff -up pam_ssh_agent_auth-0.9/Makefile.in.psaa-build pam_ssh_agent_auth-0.9/Ma
 
 $(MANPAGES): $(MANPAGES_IN)
 	pod2man --section=8 --release=v0.8 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8
-diff -up pam_ssh_agent_auth-0.9/pam_user_authorized_keys.c.psaa-build pam_ssh_agent_auth-0.9/pam_user_authorized_keys.c
--- pam_ssh_agent_auth-0.9/pam_user_authorized_keys.c.psaa-build	2009-07-29 02:46:38.000000000 +0200
-+++ pam_ssh_agent_auth-0.9/pam_user_authorized_keys.c	2009-10-16 15:50:36.000000000 +0200
-@@ -94,7 +94,7 @@ parse_authorized_key_file(const char *us
-     /*
-      * temporary copy, so that both tilde expansion and percent expansion both get to apply to the path
-      */
-    strncat(auth_keys_file_buf, authorized_keys_file_input, 4096);
-+    strncat(auth_keys_file_buf, authorized_keys_file_input, sizeof(auth_keys_file_buf)-1);
- 
-     if(allow_user_owned_authorized_keys_file)
-         authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid;
+diff -up pam_ssh_agent_auth-0.9.3/pam_user_authorized_keys.c.psaa-build pam_ssh_agent_auth-0.9.3/pam_user_authorized_keys.c
--- a/2
+++ b/2
@ -1,2 +1,2 @@
 085cfbb262f1b8b875aadea6fba60b1b  openssh-5.9p1-noacss.tar.bz2
-b68f1c385d7885fbe2c3626bf77aa3d6  pam_ssh_agent_auth-0.9.2.tar.bz2
+9872ca1983e566ff5a89c240529e223d  pam_ssh_agent_auth-0.9.3.tar.bz2