From 50a4a0ce1f5128874f7354179b40926d72c4b923 Mon Sep 17 00:00:00 2001 From: Britney Fransen Date: Tue, 29 Nov 2016 13:48:14 +0000 Subject: pam: update to 1.3.0 --- abs/core/pam/PKGBUILD | 18 ++++------ abs/core/pam/__changelog | 1 + abs/core/pam/pam-1.1.8-cve-2013-7041.patch | 52 --------------------------- abs/core/pam/pam-1.1.8-cve-2014-2583.patch | 56 ------------------------------ 4 files changed, 7 insertions(+), 120 deletions(-) create mode 100644 abs/core/pam/__changelog delete mode 100644 abs/core/pam/pam-1.1.8-cve-2013-7041.patch delete mode 100644 abs/core/pam/pam-1.1.8-cve-2014-2583.patch diff --git a/abs/core/pam/PKGBUILD b/abs/core/pam/PKGBUILD index 9290c1e..3279743 100644 --- a/abs/core/pam/PKGBUILD +++ b/abs/core/pam/PKGBUILD @@ -3,7 +3,7 @@ # Contributor: judd pkgname=pam -pkgver=1.2.1 +pkgver=1.3.0 pkgrel=1 pkgdesc="PAM (Pluggable Authentication Modules) library" arch=('i686' 'x86_64') @@ -15,7 +15,7 @@ backup=(etc/security/{access.conf,group.conf,limits.conf,namespace.conf,namespac source=(http://linux-pam.org/library/Linux-PAM-$pkgver.tar.bz2 https://sources.archlinux.org/other/pam_unix2/pam_unix2-2.9.1.tar.bz2 pam_unix2-glibc216.patch) -md5sums=('9dc53067556d2dd567808fd509519dd6' +md5sums=('da4b2289b7cfb19583d54e9eaaef1c3a' 'da6a46e5f8cd3eaa7cbc4fc3a7e2b555' 'dac109f68e04a4df37575fda6001ea17') @@ -53,16 +53,6 @@ package() { cd $srcdir/pam_unix2-2.9.1 make DESTDIR=$pkgdir install - # add the realtime permissions for audio users - sed -i 's|# End of file||' $pkgdir/etc/security/limits.conf - cat >>$pkgdir/etc/security/limits.conf <<_EOT -* - rtprio 0 -* - nice 0 -@audio - rtprio 65 -@audio - nice -10 -@audio - memlock 40000 -_EOT - # fix some missing symlinks from old pam for compatibility cd $pkgdir/usr/lib/security ln -s pam_unix.so pam_unix_acct.so @@ -75,4 +65,8 @@ _EOT # remove doc which is not used anymore # FS #40749 rm $pkgdir/usr/share/doc/Linux-PAM/sag-pam_userdb.html + + # disable coredumps + sed -i 's|# End of file||' $pkgdir/etc/security/limits.conf + echo "* hard core 0" >> $pkgdir/etc/security/limits.conf } diff --git a/abs/core/pam/__changelog b/abs/core/pam/__changelog new file mode 100644 index 0000000..5f2315e --- /dev/null +++ b/abs/core/pam/__changelog @@ -0,0 +1 @@ +PKGBUILD: disable coredumps in limits.conf diff --git a/abs/core/pam/pam-1.1.8-cve-2013-7041.patch b/abs/core/pam/pam-1.1.8-cve-2013-7041.patch deleted file mode 100644 index 96fa916..0000000 --- a/abs/core/pam/pam-1.1.8-cve-2013-7041.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001 -From: "Dmitry V. Levin" -Date: Fri, 24 Jan 2014 22:18:32 +0000 -Subject: [PATCH] pam_userdb: fix password hash comparison - -Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed -passwords support in pam_userdb, hashes are compared case-insensitively. -This bug leads to accepting hashes for completely different passwords in -addition to those that should be accepted. - -Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for -modern password hashes with different lengths and settings, did not -update the hash comparison accordingly, which leads to accepting -computed hashes longer than stored hashes when the latter is a prefix -of the former. - -* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed -hash whose length differs from the stored hash length. -Compare computed and stored hashes case-sensitively. -Fixes CVE-2013-7041. - -Bug-Debian: http://bugs.debian.org/731368 ---- - modules/pam_userdb/pam_userdb.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c -index de8b5b1..ff040e6 100644 ---- a/modules/pam_userdb/pam_userdb.c -+++ b/modules/pam_userdb/pam_userdb.c -@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, - } else { - cryptpw = crypt (pass, data.dptr); - -- if (cryptpw) { -- compare = strncasecmp (data.dptr, cryptpw, data.dsize); -+ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) { -+ compare = memcmp(data.dptr, cryptpw, data.dsize); - } else { - compare = -2; - if (ctrl & PAM_DEBUG_ARG) { -- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL"); -+ if (cryptpw) -+ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ"); -+ else -+ pam_syslog(pamh, LOG_INFO, "crypt() returned NULL"); - } - }; - --- -1.8.3.1 - diff --git a/abs/core/pam/pam-1.1.8-cve-2014-2583.patch b/abs/core/pam/pam-1.1.8-cve-2014-2583.patch deleted file mode 100644 index f2aa2de..0000000 --- a/abs/core/pam/pam-1.1.8-cve-2014-2583.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001 -From: "Dmitry V. Levin" -Date: Wed, 26 Mar 2014 22:17:23 +0000 -Subject: [PATCH] pam_timestamp: fix potential directory traversal issue - (ticket #27) - -pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of -the timestamp pathname it creates, so extra care should be taken to -avoid potential directory traversal issues. - -* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat -"." and ".." tty values as invalid. -(get_ruser): Treat "." and ".." ruser values, as well as any ruser -value containing '/', as invalid. - -Fixes CVE-2014-2583. - -Reported-by: Sebastian Krahmer ---- - modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c -index 5193733..b3f08b1 100644 ---- a/modules/pam_timestamp/pam_timestamp.c -+++ b/modules/pam_timestamp/pam_timestamp.c -@@ -158,7 +158,7 @@ check_tty(const char *tty) - tty = strrchr(tty, '/') + 1; - } - /* Make sure the tty wasn't actually a directory (no basename). */ -- if (strlen(tty) == 0) { -+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) { - return NULL; - } - return tty; -@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen) - if (pwd != NULL) { - ruser = pwd->pw_name; - } -+ } else { -+ /* -+ * This ruser is used by format_timestamp_name as a component -+ * of constructed timestamp pathname, so ".", "..", and '/' -+ * are disallowed to avoid potential path traversal issues. -+ */ -+ if (!strcmp(ruser, ".") || -+ !strcmp(ruser, "..") || -+ strchr(ruser, '/')) { -+ ruser = NULL; -+ } - } - if (ruser == NULL || strlen(ruser) >= ruserbuflen) { - *ruserbuf = '\0'; --- -1.8.3.1 - -- cgit v0.12