diff --git a/107.patch b/107.patch
deleted file mode 100644
index a5c3221..0000000
--- a/107.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-
-diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
-index 5193733..b3f08b1 100644
---- a/modules/pam_timestamp/pam_timestamp.c
-+++ b/modules/pam_timestamp/pam_timestamp.c
-@@ -158,7 +158,7 @@ check_tty(const char *tty)
- tty = strrchr(tty, '/') + 1;
- }
- /* Make sure the tty wasn't actually a directory (no basename). */
-- if (strlen(tty) == 0) {
-+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
- return NULL;
- }
- return tty;
-@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
- if (pwd != NULL) {
- ruser = pwd->pw_name;
- }
-+ } else {
-+ /*
-+ * This ruser is used by format_timestamp_name as a component
-+ * of constructed timestamp pathname, so ".", "..", and '/'
-+ * are disallowed to avoid potential path traversal issues.
-+ */
-+ if (!strcmp(ruser, ".") ||
-+ !strcmp(ruser, "..") ||
-+ strchr(ruser, '/')) {
-+ ruser = NULL;
-+ }
- }
- if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
- *ruserbuf = '\0';
-
diff --git a/pam-CVE-2013-7041.patch b/pam-CVE-2013-7041.patch
new file mode 100644
index 0000000..61f86b2
--- /dev/null
+++ b/pam-CVE-2013-7041.patch
@@ -0,0 +1,36 @@
+diff -pruN a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
+--- a/modules/pam_userdb/pam_userdb.c 2011-06-21 16:04:56.000000000 +0700
++++ b/modules/pam_userdb/pam_userdb.c 2014-08-28 17:41:35.243954732 +0700
+@@ -214,24 +214,23 @@ user_lookup (pam_handle_t *pamh, const c
+ /* crypt(3) password storage */
+
+ char *cryptpw;
+- char salt[2];
+
+- if (data.dsize != 13) {
++ if (data.dsize < 13) {
+ compare = -2;
+ } else if (ctrl & PAM_ICASE_ARG) {
+ compare = -2;
+ } else {
+- salt[0] = *data.dptr;
+- salt[1] = *(data.dptr + 1);
++ cryptpw = crypt (pass, data.dptr);
+
+- cryptpw = crypt (pass, salt);
+-
+- if (cryptpw) {
+- compare = strncasecmp (data.dptr, cryptpw, data.dsize);
++ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
++ compare = memcmp(data.dptr, cryptpw, data.dsize);
+ } else {
+ compare = -2;
+ if (ctrl & PAM_DEBUG_ARG) {
+- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
++ if (cryptpw)
++ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
++ else
++ pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
+ }
+ };
+
diff --git a/pam.spec b/pam.spec
index 5e80a85..51b429b 100644
--- a/pam.spec
+++ b/pam.spec
@@ -19,7 +19,7 @@ Epoch: 1
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 1.1.4
-Release: 15
+Release: 16
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 License: BSD and GPLv2+
@@ -72,6 +72,7 @@ Patch702: Linux-PAM-1.1.4-add-now-missing-nis-constant.patch
 # (akdengi> add user to default group users which need for Samba
 Patch801: Linux-PAM-1.1.4-group_add_users.patch
 Patch802: pam-CVE-2014-2583.patch
+Patch803: pam-CVE-2013-7041.patch
 BuildRequires: selinux-devel >= 2.1.6-7
 BuildRequires: bison
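Review bot: In the nested pam_userdb.c hunk, `crypt (pass, data.dptr)` hands the stored record straight to crypt(), which reads its setting argument as a NUL-terminated string, while the record is described here only by `data.dptr` and `data.dsize`. If the database value is not terminated (not visible in this hunk), the call reads past the end of the record, and with `dsize` no longer pinned to 13 the amount read now depends on the stored hash format. A bounded copy closes that gap: `char *pwhash = strndup(data.dptr, data.dsize);`, `cryptpw = pwhash ? crypt (pass, pwhash) : NULL;`, `free(pwhash);`. Separately, `memcmp` stops at the first differing byte, so a constant-time comparison of the two hashes would be the more conservative choice if the tree has one. user_lookup starts and ends outside the hunk.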
@@ -177,6 +178,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules %patch702 -p1 -b .nis_const~ %patch801 -p1 -b .group_users %patch802 -p1 +%patch803 -p1 # 08/08/2008 - vdanen - make pam provide pam_unix until we can work out all the issues in pam_tcb; this # just makes things easier but is not meant to be a permanent solution @@ -334,6 +336,11 @@ fi %changelog +* Fri Aug 28 2014 Kuzma Kazygashev 1.1.14-16 +- Added security fix for CVE-2013-7041 + +* Wed Jul 23 2014 Danila Leontiev 1.1.14-15 +- Added security fix for CVE-2014-2583 * Tue Feb 26 2013 Alexander Romanov - Rosa initial commit