- upgrade to new upstream release fixing CVE-2010-3316 CVE-2010-3435
CVE-2010-3853 - try to connect to an abstract X-socket first to verify we are at real console (#647191)
This commit is contained in:
parent
acc35880d3
commit
4baf0f6949
1
.gitignore
vendored
1
.gitignore
vendored
@ -4,3 +4,4 @@ pam-redhat-0.99.10-1.tar.bz2
|
|||||||
Linux-PAM-1.1.1.tar.bz2
|
Linux-PAM-1.1.1.tar.bz2
|
||||||
/Linux-PAM-1.1.2.tar.bz2
|
/Linux-PAM-1.1.2.tar.bz2
|
||||||
/pam-redhat-0.99.10-1.tar.bz2
|
/pam-redhat-0.99.10-1.tar.bz2
|
||||||
|
/Linux-PAM-1.1.3.tar.bz2
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Version: GnuPG v1.4.9 (GNU/Linux)
|
Version: GnuPG v1.4.9 (GNU/Linux)
|
||||||
Comment: See http://www.kernel.org/signature.html for info
|
Comment: See http://www.kernel.org/signature.html for info
|
||||||
|
|
||||||
iD8DBQBMfOpRyGugalF9Dw4RAthOAJ4z/JltpEbOUu6dnmDp1ukQ//1UHwCeJu/F
|
iD8DBQBMyYZZyGugalF9Dw4RAtMkAJwIeAEXVkGZ3mL4YQKixP5zx3D6iACghePh
|
||||||
99nWVREWCPTqNSuGz6H/Zo4=
|
sG43bk6Idz0UGC24QRQPDYE=
|
||||||
=G1D5
|
=lJnB
|
||||||
-----END PGP SIGNATURE-----
|
-----END PGP SIGNATURE-----
|
82
pam-1.1.3-console-abstract.patch
Normal file
82
pam-1.1.3-console-abstract.patch
Normal file
@ -0,0 +1,82 @@
|
|||||||
|
diff -up Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract Linux-PAM-1.1.3/modules/pam_console/pam_console.c
|
||||||
|
--- Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract 2008-12-16 13:37:52.000000000 +0100
|
||||||
|
+++ Linux-PAM-1.1.3/modules/pam_console/pam_console.c 2010-11-01 17:01:55.000000000 +0100
|
||||||
|
@@ -34,6 +34,8 @@
|
||||||
|
#include <sys/types.h>
|
||||||
|
#include <sys/stat.h>
|
||||||
|
#include <sys/param.h>
|
||||||
|
+#include <sys/socket.h>
|
||||||
|
+#include <sys/un.h>
|
||||||
|
#include <fcntl.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
@@ -136,6 +138,32 @@ check_one_console_name(const char *name,
|
||||||
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
+try_xsocket(const char *path, size_t len) {
|
||||||
|
+ int fd;
|
||||||
|
+ union {
|
||||||
|
+ struct sockaddr sa;
|
||||||
|
+ struct sockaddr_un su;
|
||||||
|
+ } addr;
|
||||||
|
+
|
||||||
|
+ fd = socket(AF_UNIX, SOCK_STREAM, 0);
|
||||||
|
+ if (fd < 0)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ memset(&addr, 0, sizeof(addr));
|
||||||
|
+ addr.su.sun_family = AF_UNIX;
|
||||||
|
+
|
||||||
|
+ if (len > sizeof(addr.su.sun_path))
|
||||||
|
+ return 0;
|
||||||
|
+ memcpy(addr.su.sun_path, path, len);
|
||||||
|
+ if (connect(fd, &addr.sa, sizeof(addr.su)) == 0) {
|
||||||
|
+ close(fd);
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+ close(fd);
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
check_console_name(pam_handle_t *pamh, const char *consolename, int nonroot_ok, int on_set) {
|
||||||
|
int found = 0;
|
||||||
|
int statted = 0;
|
||||||
|
@@ -186,22 +214,29 @@ check_console_name(pam_handle_t *pamh, c
|
||||||
|
if (!statted && (consolename[0] == ':')) {
|
||||||
|
int l;
|
||||||
|
char *dot = NULL;
|
||||||
|
- strcpy(full_path, "/tmp/.X11-unix/X");
|
||||||
|
- l = sizeof(full_path) - 1 - strlen(full_path);
|
||||||
|
+ char *path = full_path + 1;
|
||||||
|
+
|
||||||
|
+ full_path[0] = '\0';
|
||||||
|
+ strcpy(path, "/tmp/.X11-unix/X");
|
||||||
|
+ l = sizeof(full_path) - 2 - strlen(path);
|
||||||
|
dot = strchr(consolename + 1, '.');
|
||||||
|
if (dot != NULL) {
|
||||||
|
l = (l < dot - consolename - 1) ? l : dot - consolename - 1;
|
||||||
|
}
|
||||||
|
- strncat(full_path, consolename + 1, l);
|
||||||
|
+ strncat(path, consolename + 1, l);
|
||||||
|
full_path[sizeof(full_path) - 1] = '\0';
|
||||||
|
- _pam_log(pamh, LOG_DEBUG, TRUE, "checking possible console \"%s\"",
|
||||||
|
- full_path);
|
||||||
|
- if (lstat(full_path, &st) != -1) {
|
||||||
|
+ _pam_log(pamh, LOG_DEBUG, TRUE, "checking possible X socket \"%s\"",
|
||||||
|
+ path);
|
||||||
|
+
|
||||||
|
+ /* this will work because st.st_uid is 0 */
|
||||||
|
+ if (try_xsocket(full_path, strlen(path)+1)) {
|
||||||
|
+ statted = 1;
|
||||||
|
+ } else if (try_xsocket(path, strlen(path))) {
|
||||||
|
statted = 1;
|
||||||
|
}
|
||||||
|
else if (!on_set) { /* there is no X11 socket in case of X11 crash */
|
||||||
|
_pam_log(pamh, LOG_DEBUG, TRUE, "can't find X11 socket to examine for %s probably due to X crash", consolename);
|
||||||
|
- statted = 1; /* this will work because st.st_uid is 0 */
|
||||||
|
+ statted = 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
27
pam-1.1.3-nouserenv.patch
Normal file
27
pam-1.1.3-nouserenv.patch
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
diff -up pam/modules/pam_env/pam_env.c.nouserenv pam/modules/pam_env/pam_env.c
|
||||||
|
--- pam/modules/pam_env/pam_env.c.nouserenv 2010-10-20 09:59:30.000000000 +0200
|
||||||
|
+++ pam/modules/pam_env/pam_env.c 2010-11-01 14:42:01.000000000 +0100
|
||||||
|
@@ -10,7 +10,7 @@
|
||||||
|
#define DEFAULT_READ_ENVFILE 1
|
||||||
|
|
||||||
|
#define DEFAULT_USER_ENVFILE ".pam_environment"
|
||||||
|
-#define DEFAULT_USER_READ_ENVFILE 1
|
||||||
|
+#define DEFAULT_USER_READ_ENVFILE 0
|
||||||
|
|
||||||
|
#include "config.h"
|
||||||
|
|
||||||
|
diff -up pam/modules/pam_env/pam_env.8.xml.nouserenv pam/modules/pam_env/pam_env.8.xml
|
||||||
|
--- pam/modules/pam_env/pam_env.8.xml.nouserenv 2010-10-20 09:59:30.000000000 +0200
|
||||||
|
+++ pam/modules/pam_env/pam_env.8.xml 2010-11-01 14:42:01.000000000 +0100
|
||||||
|
@@ -147,7 +147,10 @@
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
Turns on or off the reading of the user specific environment
|
||||||
|
- file. 0 is off, 1 is on. By default this option is on.
|
||||||
|
+ file. 0 is off, 1 is on. By default this option is off as user
|
||||||
|
+ supplied environment variables in the PAM environment could affect
|
||||||
|
+ behavior of subsequent modules in the stack without the consent
|
||||||
|
+ of the system administrator.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
12
pam.spec
12
pam.spec
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
Summary: An extensible library which provides authentication for applications
|
Summary: An extensible library which provides authentication for applications
|
||||||
Name: pam
|
Name: pam
|
||||||
Version: 1.1.2
|
Version: 1.1.3
|
||||||
Release: 1%{?dist}
|
Release: 1%{?dist}
|
||||||
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
|
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
|
||||||
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
|
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
|
||||||
@ -28,6 +28,8 @@ Patch5: pam-1.1.0-notally.patch
|
|||||||
Patch7: pam-1.1.0-console-fixes.patch
|
Patch7: pam-1.1.0-console-fixes.patch
|
||||||
Patch8: pam-1.1.1-faillock.patch
|
Patch8: pam-1.1.1-faillock.patch
|
||||||
Patch9: pam-1.1.2-noflex.patch
|
Patch9: pam-1.1.2-noflex.patch
|
||||||
|
Patch10: pam-1.1.3-nouserenv.patch
|
||||||
|
Patch11: pam-1.1.3-console-abstract.patch
|
||||||
|
|
||||||
%define _sbindir /sbin
|
%define _sbindir /sbin
|
||||||
%define _moduledir /%{_lib}/security
|
%define _moduledir /%{_lib}/security
|
||||||
@ -95,6 +97,8 @@ mv pam-redhat-%{pam_redhat_version}/* modules
|
|||||||
%patch7 -p1 -b .console-fixes
|
%patch7 -p1 -b .console-fixes
|
||||||
%patch8 -p1 -b .faillock
|
%patch8 -p1 -b .faillock
|
||||||
%patch9 -p1 -b .noflex
|
%patch9 -p1 -b .noflex
|
||||||
|
%patch10 -p1 -b .nouserenv
|
||||||
|
%patch11 -p1 -b .abstract
|
||||||
|
|
||||||
libtoolize -f
|
libtoolize -f
|
||||||
autoreconf
|
autoreconf
|
||||||
@ -339,6 +343,12 @@ fi
|
|||||||
%doc doc/adg/*.txt doc/adg/html
|
%doc doc/adg/*.txt doc/adg/html
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Nov 1 2010 Tomas Mraz <tmraz@redhat.com> 1.1.3-1
|
||||||
|
- upgrade to new upstream release fixing CVE-2010-3316 CVE-2010-3435
|
||||||
|
CVE-2010-3853
|
||||||
|
- try to connect to an abstract X-socket first to verify we are
|
||||||
|
at real console (#647191)
|
||||||
|
|
||||||
* Mon Sep 20 2010 Tomas Mraz <tmraz@redhat.com> 1.1.2-1
|
* Mon Sep 20 2010 Tomas Mraz <tmraz@redhat.com> 1.1.2-1
|
||||||
- add pam_faillock module implementing temporary account lock out based
|
- add pam_faillock module implementing temporary account lock out based
|
||||||
on authentication failures during a specified interval
|
on authentication failures during a specified interval
|
||||||
|
Loading…
Reference in New Issue
Block a user