From 4f4687ce8045418f678c323bb22c837f35d7b9fa Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 22 Jun 2012 14:52:35 +0200 Subject: [PATCH] fix segfault in su when pam_ssh_agent_auth is used and the ssh-agent is not running, most probably not exploitable update pam_ssh_agent_auth to 0.9.3 upstream version --- .gitignore | 1 + openssh.spec | 22 ++++++++++--- pam_ssh_agent_auth-0.9.2-visibility.patch | 21 ++++++++++++ ...ch => pam_ssh_agent_auth-0.9.3-build.patch | 33 +++++++------------ sources | 2 +- 5 files changed, 51 insertions(+), 28 deletions(-) create mode 100644 pam_ssh_agent_auth-0.9.2-visibility.patch rename pam_ssh_agent_auth-0.9-build.patch => pam_ssh_agent_auth-0.9.3-build.patch (78%) diff --git a/.gitignore b/.gitignore index 2cf244c..57ab32a 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2 /openssh-5.8p1-noacss.tar.bz2 /openssh-5.8p2-noacss.tar.bz2 /openssh-5.9p1-noacss.tar.bz2 +/pam_ssh_agent_auth-0.9.3.tar.bz2 diff --git a/openssh.spec b/openssh.spec index 1d97131..95f9f99 100644 --- a/openssh.spec +++ b/openssh.spec @@ -75,9 +75,9 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %define openssh_ver 5.9p1 -%define openssh_rel 22 -%define pam_ssh_agent_ver 0.9.2 -%define pam_ssh_agent_rel 32 +%define openssh_rel 23 +%define pam_ssh_agent_ver 0.9.3 +%define pam_ssh_agent_rel 1 Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh 
@@ -134,8 +134,12 @@ Patch204: openssh-5.9p1-audit4.patch Patch205: openssh-5.9p1-audit5.patch # --- pam_ssh-agent --- -Patch300: pam_ssh_agent_auth-0.9-build.patch +# make it build reusing the openssh sources +Patch300: pam_ssh_agent_auth-0.9.3-build.patch +# check return value of seteuid() Patch301: pam_ssh_agent_auth-0.9.2-seteuid.patch +# explicitly make pam callbacks visible +Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX) Patch400: openssh-5.9p1-role.patch @@ -410,6 +414,7 @@ The module is most useful for su and sudo service stacks. pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} %patch300 -p1 -b .psaa-build %patch301 -p1 -b .psaa-seteuid +%patch302 -p1 -b .psaa-visibility # Remove duplicate headers rm -f $(cat %{SOURCE5}) popd @@ -471,7 +476,9 @@ autoreconf popd %build -CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS +# the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth +# and it makes the ssh build more clean and even optimized better +CFLAGS="$RPM_OPT_FLAGS -fvisibility=hidden"; export CFLAGS %if %{rescue} CFLAGS="$CFLAGS -Os" %endif @@ -796,6 +803,11 @@ fi %endif %changelog +* Fri Jun 22 2012 Tomas Mraz 5.9p1-23 + 0.9.3-1 +- fix segfault in su when pam_ssh_agent_auth is used and the ssh-agent + is not running, most probably not exploitable +- update pam_ssh_agent_auth to 0.9.3 upstream version + * Fri Apr 06 2012 Petr Lautrbach 5.9p1-22 + 0.9.2-32 - don't create RSA1 key in FIPS mode - don't install sshd-keygen.service (#810419) diff --git a/pam_ssh_agent_auth-0.9.2-visibility.patch b/pam_ssh_agent_auth-0.9.2-visibility.patch new file mode 100644 index 0000000..f229144 --- /dev/null +++ b/pam_ssh_agent_auth-0.9.2-visibility.patch 
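Review bot: The `-fvisibility=hidden` added to the global CFLAGS in the `%build` hunk (`@@ -471,7 +476,9 @@`) hides every symbol of the pam_ssh_agent_auth module except what Patch302 re-exports, and that patch as listed in this commit marks only `pam_sm_authenticate` and `pam_sm_setcred`; any other symbol libpam must resolve — a `pam_sm_*` callback added by a later upstream release, for example — would be silently unexported and fail only at run time when the PAM stack cannot find it. The comment above the `CFLAGS=` line should record that coupling, e.g. `# with -fvisibility=hidden only symbols explicitly marked default are exported; the module's pam_sm_* entry points are re-exported by Patch302 - extend it when upstream adds callbacks`. A build-time check of the installed module's dynamic symbol table (e.g. `nm -D` on the .so in a `%check` section) would catch that regression before packaging. The flag is also applied to the openssh binaries themselves; whether anything there depends on exported symbols is not visible in this diff.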
@@ -0,0 +1,21 @@
+diff -up pam_ssh_agent_auth-0.9.2/pam_ssh_agent_auth.c.visibility pam_ssh_agent_auth-0.9.2/pam_ssh_agent_auth.c
+--- pam_ssh_agent_auth-0.9.2/pam_ssh_agent_auth.c.visibility 2009-12-21 20:57:34.000000000 +0100
++++ pam_ssh_agent_auth-0.9.2/pam_ssh_agent_auth.c 2012-06-21 20:01:31.356259429 +0200
+@@ -68,7 +68,7 @@ char *__progname;
+ extern char *__progname;
+ #endif
+
+-PAM_EXTERN int
++PAM_EXTERN int __attribute__ ((visibility ("default")))
+ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
+ {
+ char **argv_ptr;
+@@ -184,7 +184,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
+ }
+
+
+-PAM_EXTERN int
++PAM_EXTERN int __attribute__ ((visibility ("default")))
+ pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv)
+ {
+ return PAM_SUCCESS;
diff --git a/pam_ssh_agent_auth-0.9-build.patch b/pam_ssh_agent_auth-0.9.3-build.patch
similarity index 78%
rename from pam_ssh_agent_auth-0.9-build.patch
rename to pam_ssh_agent_auth-0.9.3-build.patch
index ddacff6..40ab19d 100644
--- a/pam_ssh_agent_auth-0.9-build.patch
+++ b/pam_ssh_agent_auth-0.9.3-build.patch
@@ -1,7 +1,7 @@
-diff -up pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c.psaa-build pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c
---- pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c.psaa-build 2009-08-08 11:51:04.000000000 +0200
-+++ pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c 2009-10-16 15:20:55.000000000 +0200
-@@ -41,7 +41,16 @@
+diff -up pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-build pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c
+--- pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-build 2010-01-13 03:17:01.000000000 +0100
++++ pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c 2012-06-21 20:14:56.432527764 +0200
+@@ -37,7 +37,16 @@
 #include "buffer.h"
 #include "key.h"
 #include "authfd.h"
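Review bot: The new patch's file name and its inner `diff -up`/`---`/`+++` paths refer to `pam_ssh_agent_auth-0.9.2/`, while the spec applies it as Patch302 to the 0.9.3 tree and the build patch is renamed to `pam_ssh_agent_auth-0.9.3-build.patch` in this same commit; the `-p1` strip makes the directory prefix irrelevant to `patch`, but the inner hunk offsets (`@@ -68,7 +68,7 @@`, `@@ -184,7 +184,7 @@`) were taken against 0.9.2 and would depend on fuzz if the 0.9.3 file differs around those lines. Regenerating the patch against the 0.9.3 sources and naming it `pam_ssh_agent_auth-0.9.3-visibility.patch` would keep the patch set consistent and its offsets exact. The `__attribute__ ((visibility ("default")))` spelling is GCC/Clang-specific, which is acceptable for a distribution patch, but a one-line comment at the top of the patch should state that it exists only because the package is built with `-fvisibility=hidden`, so the next rebase does not drop it as redundant.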
@@ -18,7 +18,7 @@ diff -up pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c.psaa-build pam_ssh_agen #include #include "userauth_pubkey_from_id.h" -@@ -73,6 +82,96 @@ session_id2_gen() +@@ -69,6 +78,96 @@ session_id2_gen() return cookie; } @@ -115,7 +115,7 @@ diff -up pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c.psaa-build pam_ssh_agen int find_authorized_keys(uid_t uid) { -@@ -85,7 +184,7 @@ find_authorized_keys(uid_t uid) +@@ -81,7 +180,7 @@ find_authorized_keys(uid_t uid) OpenSSL_add_all_digests(); session_id2 = session_id2_gen(); @@ -124,14 +124,14 @@ diff -up pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c.psaa-build pam_ssh_agen verbose("Contacted ssh-agent of user %s (%u)", getpwuid(uid)->pw_name, uid); for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2)) { -@@ -113,3 +212,4 @@ find_authorized_keys(uid_t uid) +@@ -109,3 +208,4 @@ find_authorized_keys(uid_t uid) EVP_cleanup(); return retval; } + -diff -up pam_ssh_agent_auth-0.9/Makefile.in.psaa-build pam_ssh_agent_auth-0.9/Makefile.in ---- pam_ssh_agent_auth-0.9/Makefile.in.psaa-build 2009-08-06 07:40:16.000000000 +0200 -+++ pam_ssh_agent_auth-0.9/Makefile.in 2009-10-16 15:20:55.000000000 +0200 +diff -up pam_ssh_agent_auth-0.9.3/Makefile.in.psaa-build pam_ssh_agent_auth-0.9.3/Makefile.in +--- pam_ssh_agent_auth-0.9.3/Makefile.in.psaa-build 2009-10-27 21:19:41.000000000 +0100 ++++ pam_ssh_agent_auth-0.9.3/Makefile.in 2012-06-21 20:14:56.432527764 +0200 @@ -28,7 +28,7 @@ PATHS= CC=@CC@ LD=@LD@ 
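Review bot: The unchanged context line `verbose("Contacted ssh-agent of user %s (%u)", getpwuid(uid)->pw_name, uid);` in the `@@ -124,14 +124,14 @@` hunk dereferences the result of `getpwuid()` without a NULL check; if the uid has no passwd entry, or the NSS lookup fails at that moment, the module crashes inside `su`, which is the same failure class as the segfault this commit addresses. That line belongs to upstream's iterate_ssh_agent_keys.c and appears here only as context of the rebased build patch, so the fix would go either upstream or into the build patch as a real hunk, e.g. `struct passwd *pw = getpwuid(uid);` followed by `verbose("Contacted ssh-agent of user %s (%u)", pw ? pw->pw_name : "unknown", uid);`. The hunks on this line otherwise only shift the inner `@@` offsets and header dates for the 0.9.3 rebase, which looks consistent as far as the visible headers go; `find_authorized_keys` is only partially shown, so the rest of that function could not be checked.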
@@ -176,15 +176,4 @@ diff -up pam_ssh_agent_auth-0.9/Makefile.in.psaa-build pam_ssh_agent_auth-0.9/Ma $(MANPAGES): $(MANPAGES_IN) pod2man --section=8 --release=v0.8 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8 -diff -up pam_ssh_agent_auth-0.9/pam_user_authorized_keys.c.psaa-build pam_ssh_agent_auth-0.9/pam_user_authorized_keys.c ---- pam_ssh_agent_auth-0.9/pam_user_authorized_keys.c.psaa-build 2009-07-29 02:46:38.000000000 +0200 -+++ pam_ssh_agent_auth-0.9/pam_user_authorized_keys.c 2009-10-16 15:50:36.000000000 +0200 -@@ -94,7 +94,7 @@ parse_authorized_key_file(const char *us - /* - * temporary copy, so that both tilde expansion and percent expansion both get to apply to the path - */ -- strncat(auth_keys_file_buf, authorized_keys_file_input, 4096); -+ strncat(auth_keys_file_buf, authorized_keys_file_input, sizeof(auth_keys_file_buf)-1); - - if(allow_user_owned_authorized_keys_file) - authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid; +diff -up pam_ssh_agent_auth-0.9.3/pam_user_authorized_keys.c.psaa-build pam_ssh_agent_auth-0.9.3/pam_user_authorized_keys.c diff --git a/sources b/sources index 3245ab1..96ec085 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 085cfbb262f1b8b875aadea6fba60b1b openssh-5.9p1-noacss.tar.bz2 -b68f1c385d7885fbe2c3626bf77aa3d6 pam_ssh_agent_auth-0.9.2.tar.bz2 +9872ca1983e566ff5a89c240529e223d pam_ssh_agent_auth-0.9.3.tar.bz2
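Review bot: The `@@ -176,15 +176,4 @@` hunk removes the whole `pam_user_authorized_keys.c` section of the build patch, including the `strncat(auth_keys_file_buf, authorized_keys_file_input, 4096)` to `sizeof(auth_keys_file_buf)-1` bound fix, but leaves a lone `+diff -up pam_ssh_agent_auth-0.9.3/pam_user_authorized_keys.c.psaa-build pam_ssh_agent_auth-0.9.3/pam_user_authorized_keys.c` header with no `---`/`+++` lines or hunk behind it; `patch` will skip it as garbage, but it reads as a truncated edit and should be deleted. Dropping the strncat fix is only safe if the 0.9.3 tarball carries an equivalent change, which is not visible in this diff — if 0.9.3 still passes the full buffer size as the strncat limit, the terminator can land one byte past the buffer once the input fills it, so this needs confirming against the upstream source before the old hunk is abandoned. A short note in the changelog entry or next to Patch300 recording why the hunk was dropped would help the next rebase.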