diff --git a/SOURCES/pam-1.3.1-pam-misc-configurable.patch b/SOURCES/pam-1.3.1-pam-misc-configurable.patch
new file mode 100644
index 0000000..045e70e
--- /dev/null
+++ b/SOURCES/pam-1.3.1-pam-misc-configurable.patch
@@ -0,0 +1,29 @@
+diff -up Linux-PAM-1.3.1/configure.ac.pam-misc-configurable Linux-PAM-1.3.1/configure.ac
+--- Linux-PAM-1.3.1/configure.ac.pam-misc-configurable 2023-06-26 09:57:00.243146563 +0200
++++ Linux-PAM-1.3.1/configure.ac 2023-06-26 09:59:45.353636685 +0200
+@@ -621,6 +621,13 @@ if test x"$opt_kerneloverflowuid" == x;
+ fi
+ AC_DEFINE_UNQUOTED(PAM_USERTYPE_OVERFLOW_UID, $opt_kerneloverflowuid, [Kernel overflow uid.])
+
++AC_ARG_WITH([misc-conv-bufsize],
++AS_HELP_STRING([--with-misc-conv-bufsize=],
++ [Size of input buffer for libpam_misc's misc_conv() conversation function, default=4096]),
++ [],
++ [with_misc_conv_bufsize=4096])
++AC_DEFINE_UNQUOTED(PAM_MISC_CONV_BUFSIZE, $with_misc_conv_bufsize, [libpam_misc misc_conv() buffer size.])
++
+ dnl Files to be created from when we run configure
+ AC_CONFIG_FILES([Makefile libpam/Makefile libpamc/Makefile libpamc/test/Makefile \
+ libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
+diff -up Linux-PAM-1.3.1/libpam_misc/misc_conv.c.pam-misc-configurable Linux-PAM-1.3.1/libpam_misc/misc_conv.c
+--- Linux-PAM-1.3.1/libpam_misc/misc_conv.c.pam-misc-configurable 2023-06-26 09:57:00.242146560 +0200
++++ Linux-PAM-1.3.1/libpam_misc/misc_conv.c 2023-06-26 10:00:38.023787972 +0200
+@@ -18,7 +18,7 @@
+ #include
+ #include
+
+-#define INPUTSIZE PAM_MAX_MSG_SIZE /* maximum length of input+1 */
++#define INPUTSIZE PAM_MISC_CONV_BUFSIZE /* maximum length of input+1 */
+ #define CONV_ECHO_ON 1 /* types of echo state */
+ #define CONV_ECHO_OFF 0
+
diff --git a/SOURCES/smartcard-auth.pamd b/SOURCES/smartcard-auth.pamd
index 9572770..e8a6745 100644
--- a/SOURCES/smartcard-auth.pamd
+++ b/SOURCES/smartcard-auth.pamd
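Review bot: The value passed to `--with-misc-conv-bufsize` is substituted into `PAM_MISC_CONV_BUFSIZE` by `AC_DEFINE_UNQUOTED` with no validation, and the misc_conv.c hunk then uses it as `INPUTSIZE`, which its own comment describes as the maximum input length plus one. A bare `--with-misc-conv-bufsize` (autoconf sets the variable to `yes`), `--without-misc-conv-bufsize` (`no`), or a tiny number such as 0 or 1 therefore ends in either a late compile error or a conversation buffer too small to hold a password or token. configure.ac could reject non-numeric values right after `AC_ARG_WITH`, e.g. `AS_CASE([$with_misc_conv_bufsize], [''|*[[!0-9]]*], [AC_MSG_ERROR([--with-misc-conv-bufsize needs a positive integer])])`, and misc_conv.c could keep the previous size as a floor with `#if PAM_MISC_CONV_BUFSIZE < PAM_MAX_MSG_SIZE` followed by an `#error`. How `INPUTSIZE` is consumed (array declaration, read length) lies outside the hunk, so the effect of very large values on that code should be checked there too.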
@@ -1,19 +1,4 @@
 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authselect is run.
-auth required pam_env.so
-auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
-auth required pam_deny.so
-
-account required pam_unix.so
-account sufficient pam_localuser.so
-account sufficient pam_succeed_if.so uid < 500 quiet
-account required pam_permit.so
-
-password optional pam_pkcs11.so
-
-session optional pam_keyinit.so revoke
-session required pam_limits.so
--session optional pam_systemd.so
-session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-session required pam_unix.so
+auth sufficient pam_sss.so allow_missing_name
diff --git a/SPECS/pam.spec b/SPECS/pam.spec
index 25deb7d..ef59553 100644
--- a/SPECS/pam.spec
+++ b/SPECS/pam.spec
@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.3.1
-Release: 25%{?dist}
+Release: 27%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -97,6 +97,9 @@ Patch62: pam-1.5.1-pam-lastlog-check-localtime_r-return-value.patch
 Patch63: pam-1.5.1-pam-faillock-clarify-missing-user.patch
 # https://github.com/linux-pam/linux-pam/commit/10086bc69663fa819277af244eeb5b629a2403b8
 Patch64: pam-1.5.1-pam-faillock-avoid-logging-erroneous.patch
+# https://github.com/linux-pam/linux-pam/commit/55f206447a1e4ee26e307e7a9c069236e823b1a5
+# https://github.com/linux-pam/linux-pam/commit/80bfda5962e5be3daa70e0fc8c75fc97d1c55121
+Patch65: pam-1.3.1-pam-misc-configurable.patch
 %define _pamlibdir %{_libdir}
 %define _moduledir %{_libdir}/security
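Review bot: In the smartcard-auth.pamd hunk the new auth stack is the single line `auth sufficient pam_sss.so allow_missing_name`, and the former `auth required pam_deny.so` terminator is removed, so a pam_sss failure is now only ignored by this file rather than explicitly denied. If this file is pulled into other services through include or substack (inferred, not visible in the hunk), the result after a failed smartcard login depends on whichever modules the including stack runs next. Adding `auth required pam_deny.so` as the last auth line keeps the failure explicit. The account, password and session types are now empty as well, so it should be confirmed that every service referencing this file for those types supplies its own entries.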
@@ -209,6 +212,7 @@ cp %{SOURCE18} .
 %patch62 -p1 -b .pam-lastlog-check-localtime_r-return-value
 %patch63 -p1 -b .pam-faillock-clarify-missing-user
 %patch64 -p1 -b .pam-faillock-avoid-logging-erroneous
+%patch65 -p1 -b .pam-misc-configurable
 autoreconf -i
@@ -462,6 +466,12 @@ done
 %doc doc/specs/rfc86.0.txt
 %changelog
+* Mon Jun 26 2023 Iker Pedrosa - 1.3.1-27
+- pam_misc: make length of misc_conv() configurable and set to 4096. Resolves: #2209785
+
+* Tue May 16 2023 Iker Pedrosa - 1.3.1-26
+- smartcard-auth: modify the content to remove unnecessary modules. Resolves: #1983683
+
 * Tue Nov 29 2022 Iker Pedrosa - 1.3.1-25
 - pam_motd: avoid unnecessary logging. Resolves: #2091062
 - pam_lastlog: check localtime_r() return value. Resolves: #2012871