libpam: update to 1.5.0
Fixes CVE-2020-27780 Removed upstreamed patches. Signed-off-by: Rosen Penev <rosenp@gmail.com>
This commit is contained in:
Rosen Penev
parent
1d3c84d4e6
commit
0f317e9fbd
3 changed files with 2 additions and 147 deletions
|
|
@ -8,12 +8,12 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=libpam
|
||||
PKG_VERSION:=1.4.0
|
||||
PKG_VERSION:=1.5.0
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE:=Linux-PAM-$(PKG_VERSION).tar.xz
|
||||
PKG_SOURCE_URL:=https://github.com/linux-pam/linux-pam/releases/download/v$(PKG_VERSION)
|
||||
PKG_HASH:=cd6d928c51e64139be3bdb38692c68183a509b83d4f2c221024ccd4bcddfd034
|
||||
PKG_HASH:=02d39854b508fae9dc713f7733bbcdadbe17b50de965aedddd65bcb6cc7852c8
|
||||
PKG_BUILD_DIR:=$(BUILD_DIR)/Linux-PAM-$(PKG_VERSION)
|
||||
|
||||
PKG_MAINTAINER:=Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
|
||||
|
|
|
|||
|
|
@ -1,35 +0,0 @@
|
|||
From aef363c7e8e942224e6cffc4398366c6e5d31749 Mon Sep 17 00:00:00 2001
|
||||
From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
||||
Date: Thu, 11 Jun 2020 00:04:32 +0200
|
||||
Subject: [PATCH] configure.ac: fix build failure when crypt() does not require
|
||||
libcrypt
|
||||
|
||||
Since commit 522246d20e4cd92fadc2d760228cb7e78cbeb4c5, the build fails
|
||||
if "none required" is returned by AC_SEARCH_LIBS for libcrypt.
|
||||
|
||||
Resolves: https://github.com/linux-pam/linux-pam/pull/235
|
||||
Fixes: http://autobuild.buildroot.org/results/92b3dd7c984d2b843ac9aacacd69eec99f28743e
|
||||
Fixes: v1.4.0~228 ("Use cached 'crypt' library result correctly")
|
||||
|
||||
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
||||
---
|
||||
configure.ac | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index ea08a7a3..c1862ea7 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -428,7 +428,11 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
|
||||
[crypt_libs="crypt"])
|
||||
|
||||
BACKUP_LIBS=$LIBS
|
||||
-AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_cv_search_crypt}", LIBCRYPT="")
|
||||
+AC_SEARCH_LIBS([crypt],[$crypt_libs])
|
||||
+case "$ac_cv_search_crypt" in
|
||||
+ -l*) LIBCRYPT="$ac_cv_search_crypt" ;;
|
||||
+ *) LIBCRYPT="" ;;
|
||||
+esac
|
||||
AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
|
||||
LIBS=$BACKUP_LIBS
|
||||
AC_SUBST(LIBCRYPT)
|
||||
|
|
@ -1,110 +0,0 @@
|
|||
--- a/modules/pam_faillock/pam_faillock.c
|
||||
+++ b/modules/pam_faillock/pam_faillock.c
|
||||
@@ -348,42 +348,81 @@ set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name, const c
|
||||
static int
|
||||
check_local_user (pam_handle_t *pamh, const char *user)
|
||||
{
|
||||
- struct passwd pw, *pwp;
|
||||
- char buf[16384];
|
||||
- int found = 0;
|
||||
+ int rc;
|
||||
+ size_t user_len;
|
||||
FILE *fp;
|
||||
- int errn;
|
||||
+ char line[BUFSIZ];
|
||||
|
||||
- fp = fopen(PATH_PASSWD, "r");
|
||||
- if (fp == NULL) {
|
||||
- pam_syslog(pamh, LOG_ERR, "unable to open %s: %m",
|
||||
- PATH_PASSWD);
|
||||
- return -1;
|
||||
+ /* Validate the user name. */
|
||||
+ if ((user_len = strlen(user)) == 0) {
|
||||
+ pam_syslog(pamh, LOG_NOTICE, "user name is not valid");
|
||||
+ return PAM_SERVICE_ERR;
|
||||
+ }
|
||||
+
|
||||
+ if (user_len > sizeof(line) - sizeof(":")) {
|
||||
+ pam_syslog(pamh, LOG_NOTICE, "user name is too long");
|
||||
+ return PAM_SERVICE_ERR;
|
||||
+ }
|
||||
+
|
||||
+ if (strchr(user, ':') != NULL) {
|
||||
+ /*
|
||||
+ * "root:x" is not a local user name even if the passwd file
|
||||
+ * contains a line starting with "root:x:".
|
||||
+ */
|
||||
+ return PAM_PERM_DENIED;
|
||||
}
|
||||
|
||||
- for (;;) {
|
||||
- errn = fgetpwent_r(fp, &pw, buf, sizeof (buf), &pwp);
|
||||
- if (errn == ERANGE) {
|
||||
- pam_syslog(pamh, LOG_WARNING, "%s contains very long lines; corrupted?",
|
||||
- PATH_PASSWD);
|
||||
+ /* Open the passwd file. */
|
||||
+ FILE *file_name = "/etc/passwd";
|
||||
+ if ((fp = fopen(file_name, "r")) == NULL) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "error opening %s: %m", file_name);
|
||||
+ return PAM_SERVICE_ERR;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Scan the file using fgets() instead of fgetpwent_r() because
|
||||
+ * the latter is not flexible enough in handling long lines
|
||||
+ * in passwd files.
|
||||
+ */
|
||||
+ rc = PAM_PERM_DENIED;
|
||||
+ while (fgets(line, sizeof(line), fp) != NULL) {
|
||||
+ size_t line_len;
|
||||
+ const char *str;
|
||||
+
|
||||
+ /*
|
||||
+ * Does this line start with the user name
|
||||
+ * followed by a colon?
|
||||
+ */
|
||||
+ if (strncmp(user, line, user_len) == 0 &&
|
||||
+ line[user_len] == ':') {
|
||||
+ rc = PAM_SUCCESS;
|
||||
break;
|
||||
}
|
||||
- if (errn != 0)
|
||||
- break;
|
||||
- if (strcmp(pwp->pw_name, user) == 0) {
|
||||
- found = 1;
|
||||
+ /* Has a newline been read? */
|
||||
+ line_len = strlen(line);
|
||||
+ if (line_len < sizeof(line) - 1 ||
|
||||
+ line[line_len - 1] == '\n') {
|
||||
+ /* Yes, continue with the next line. */
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ /* No, read till the end of this line first. */
|
||||
+ while ((str = fgets(line, sizeof(line), fp)) != NULL) {
|
||||
+ line_len = strlen(line);
|
||||
+ if (line_len == 0 ||
|
||||
+ line[line_len - 1] == '\n') {
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ if (str == NULL) {
|
||||
+ /* fgets returned NULL, we are done. */
|
||||
break;
|
||||
}
|
||||
+ /* Continue with the next line. */
|
||||
}
|
||||
|
||||
- fclose (fp);
|
||||
-
|
||||
- if (errn != 0 && errn != ENOENT) {
|
||||
- pam_syslog(pamh, LOG_ERR, "unable to enumerate local accounts: %m");
|
||||
- return -1;
|
||||
- } else {
|
||||
- return found;
|
||||
- }
|
||||
+ fclose(fp);
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
static int
|
||||
Loading…
Reference in a new issue