-rw-r--r-- | .SRCINFO | 16 | ||||
-rw-r--r-- | CVE-2020-27780.patch | 95 | ||||
-rw-r--r-- | PKGBUILD | 23 |
3 files changed, 18 insertions, 116 deletions
@@ -1,7 +1,7 @@
 pkgbase = pam-selinux
 pkgdesc = SELinux aware PAM (Pluggable Authentication Modules) library
- pkgver = 1.5.0
- pkgrel = 2
+ pkgver = 1.5.1
+ pkgrel = 1
 url = http://linux-pam.org
 arch = x86_64
 groups = selinux
@@ -18,8 +18,8 @@ pkgbase = pam-selinux
 depends = libaudit.so
 depends = libxcrypt
 depends = libcrypt.so
- provides = pam=1.5.0-2
- provides = selinux-pam=1.5.0-2
+ provides = pam=1.5.1-1
+ provides = selinux-pam=1.5.1-1
 conflicts = pam
 conflicts = selinux-pam
 options = !emptydirs
@@ -32,15 +32,13 @@ pkgbase = pam-selinux
 backup = etc/security/pam_env.conf
 backup = etc/security/time.conf
 backup = etc/environment
- source = https://github.com/linux-pam/linux-pam/releases/download/v1.5.0/Linux-PAM-1.5.0.tar.xz
- source = https://github.com/linux-pam/linux-pam/releases/download/v1.5.0/Linux-PAM-1.5.0.tar.xz.asc
- source = CVE-2020-27780.patch
+ source = https://github.com/linux-pam/linux-pam/releases/download/v1.5.1/Linux-PAM-1.5.1.tar.xz
+ source = https://github.com/linux-pam/linux-pam/releases/download/v1.5.1/Linux-PAM-1.5.1.tar.xz.asc
 source = pam.tmpfiles
 validpgpkeys = 8C6BFD92EE0F42EDF91A6A736D1A7F052E5924BB
 validpgpkeys = 296D6F29A020808E8717A8842DB5BD89A340AEB7
- sha256sums = 02d39854b508fae9dc713f7733bbcdadbe17b50de965aedddd65bcb6cc7852c8
+ sha256sums = 201d40730b1135b1b3cdea09f2c28ac634d73181ccd0172ceddee3649c5792fc
 sha256sums = SKIP
- sha256sums = b785b637e4bf4c0a1601c296b562ee2eed09916cc589dc4021fa1abc6c5394c8
 sha256sums = 5631f224e90c4f0459361c2a5b250112e3a91ba849754bb6f67d69d683a2e5ac
 
 pkgname = pam-selinux
diff --git a/CVE-2020-27780.patch b/CVE-2020-27780.patch
deleted file mode 100644
index b2e4504147c7..000000000000
--- a/CVE-2020-27780.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From 30fdfb90d9864bcc254a62760aaa149d373fd4eb Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tmraz@fedoraproject.org>
-Date: Fri, 20 Nov 2020 13:38:23 +0100
-Subject: [PATCH] Second blank check with root for non-existent users must
- never return 1
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The commit af0faf66 ("pam_unix: avoid determining if user exists") introduced
-a regression where the blank check could return 1 if root had an empty
-password hash because in the second case the password hash of root was
-used. We now always return 0 in this case.
-
-The issue was found by Johannes Löthberg.
-
-Fixes #284
-
-* modules/pam_unix/support.c (_unix_blankpasswd): Make the loop
-to cover the complete blank check so both existing and non existing
-cases are identical except for the possible return value.
----
- modules/pam_unix/support.c | 39 +++++++++++++-------------------------
- 1 file changed, 13 insertions(+), 26 deletions(-)
-
-diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
-index d669e951..27ca7127 100644
---- a/modules/pam_unix/support.c
-+++ b/modules/pam_unix/support.c
-@@ -601,8 +601,9 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name
- char *salt = NULL;
- int daysleft;
- int retval;
-- int execloop = 1;
-- int nonexistent = 1;
-+ int blank = 0;
-+ int execloop;
-+ int nonexistent_check = 1;
-
- D(("called"));
-
-@@ -632,43 +633,29 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name
- * are equal, making it more difficult to differentiate existing from
- * non-existing users.
- */
-- while (execloop) {
-+ for (execloop = 0; execloop < 2; ++execloop) {
- retval = get_pwd_hash(pamh, name, &pwd, &salt);
-
- if (retval == PAM_UNIX_RUN_HELPER) {
-- execloop = 0;
-- if(nonexistent) {
-- get_pwd_hash(pamh, "pam_unix_non_existent:", &pwd, &salt);
-- }
-- /* salt will not be set here so we can return immediately */
- if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS)
-- return 1;
-- else
-- return 0;
-+ blank = nonexistent_check;
- } else if (retval == PAM_USER_UNKNOWN) {
- name = "root";
-- nonexistent = 0;
-- } else {
-- execloop = 0;
-+ nonexistent_check = 0;
-+ continue;
-+ } else if (salt != NULL) {
-+ if (strlen(salt) == 0)
-+ blank = nonexistent_check;
- }
-- }
--
-- /* Does this user have a password? */
-- if (salt == NULL) {
-- retval = 0;
-- } else {
-- if (strlen(salt) == 0)
-- retval = 1;
-- else
-- retval = 0;
-+ name = "pam_unix_non_existent:";
-+ /* non-existent user check will not affect the blank value */
- }
-
- /* tidy up */
--
- if (salt)
- _pam_delete(salt);
-
-- return retval;
-+ return blank;
- }
-
- int _unix_verify_password(pam_handle_t * pamh, const char *name
@@ -8,8 +8,8 @@
 # If you want to help keep it up to date, please open a Pull Request there.
 
 pkgname=pam-selinux
-pkgver=1.5.0
-pkgrel=2
+pkgver=1.5.1
+pkgrel=1
 pkgdesc="SELinux aware PAM (Pluggable Authentication Modules) library"
 arch=('x86_64')
 license=('GPL2')
@@ -23,32 +23,29 @@ provides=("${pkgname/-selinux}=${pkgver}-${pkgrel}" backup=(etc/security/{access.conf,faillock.conf,group.conf,limits.conf,namespace.conf,namespace.init,pam_env.conf,time.conf} etc/environment) groups=('selinux') source=(https://github.com/linux-pam/linux-pam/releases/download/v$pkgver/Linux-PAM-$pkgver.tar.xz{,.asc} - CVE-2020-27780.patch # https://github.com/linux-pam/linux-pam/commit/30fdfb90d9864bcc254a62760aaa149d373fd4eb.patch ${pkgname/-selinux}.tmpfiles) validpgpkeys=( '8C6BFD92EE0F42EDF91A6A736D1A7F052E5924BB' # Thorsten Kukuk '296D6F29A020808E8717A8842DB5BD89A340AEB7' #Dimitry V. Levin <ldv@altlinux.org> ) -sha256sums=('02d39854b508fae9dc713f7733bbcdadbe17b50de965aedddd65bcb6cc7852c8' +sha256sums=('201d40730b1135b1b3cdea09f2c28ac634d73181ccd0172ceddee3649c5792fc' 'SKIP' - 'b785b637e4bf4c0a1601c296b562ee2eed09916cc589dc4021fa1abc6c5394c8' '5631f224e90c4f0459361c2a5b250112e3a91ba849754bb6f67d69d683a2e5ac') options=('!emptydirs') -prepare() { - cd Linux-PAM-$pkgver - patch -Np1 < ../CVE-2020-27780.patch -} - build() { cd Linux-PAM-$pkgver # Enable building deprecated pam_tally2.so module (--enable-tally2) in order # to smooth the transition to pam_faillock.so # https://github.com/archlinuxhardened/selinux/issues/41#issuecomment-668202328 - ./configure --libdir=/usr/lib --sbindir=/usr/bin --disable-db \ - --enable-selinux --enable-tally2 + ./configure \ + --libdir=/usr/lib \ + --sbindir=/usr/bin \ + --disable-db \ + --enable-selinux \ + --enable-tally2 make } @@ -64,3 +61,5 @@ package() { # FS #40749 rm "$pkgdir"/usr/share/doc/Linux-PAM/sag-pam_userdb.html } + +# vim: ts=2 sw=2 et: |
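Review bot: The hunk drops the CVE-2020-27780 source entry and the prepare() step that applied it without recording why the local patch is no longer needed; presumably the 1.5.1 tarball already carries upstream commit 30fdfb90 (the commit the deleted patch header names), but nothing left in the PKGBUILD says so for whoever rebases next. A one-line comment above the source array would preserve the rationale, e.g. `# CVE-2020-27780 (linux-pam commit 30fdfb90) was carried as a local patch for 1.5.0 only; verify it is in the release before dropping again` — adjust the wording once the release contents are confirmed. The configure reflow in build() is a style-only change and reads fine; the hunk at @@ -64 only adds the vim modeline and needs nothing.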