diff --git a/SOURCES/pam-1.3.1-audit-messages-formatting.patch b/SOURCES/pam-1.3.1-audit-messages-formatting.patch new file mode 100644 index 0000000..e152aa5 --- /dev/null +++ b/SOURCES/pam-1.3.1-audit-messages-formatting.patch @@ -0,0 +1,33 @@ +diff -up Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c.audit-messages-formatting Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c +--- Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c.audit-messages-formatting 2024-03-11 16:21:51.928946604 +0100 ++++ Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c 2024-03-11 16:21:51.934946609 +0100 +@@ -334,7 +334,7 @@ check_tally(pam_handle_t *pamh, struct o + + (void)pam_get_item(pamh, PAM_TTY, &tty); + (void)pam_get_item(pamh, PAM_RHOST, &rhost); +- snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); ++ snprintf(buf, sizeof(buf), "op=pam_faillock suid=%u ", opts->uid); + audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, + rhost, NULL, tty, 1); + } +@@ -450,7 +450,7 @@ write_tally(pam_handle_t *pamh, struct o + errno == EAFNOSUPPORT)) + return PAM_SYSTEM_ERR; + +- snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); ++ snprintf(buf, sizeof(buf), "op=pam_faillock suid=%u ", opts->uid); + audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf, + NULL, NULL, NULL, 1); + +diff -up Linux-PAM-1.3.1/modules/pam_selinux/pam_selinux.c.audit-messages-formatting Linux-PAM-1.3.1/modules/pam_selinux/pam_selinux.c +--- Linux-PAM-1.3.1/modules/pam_selinux/pam_selinux.c.audit-messages-formatting 2024-03-11 16:21:51.934946609 +0100 ++++ Linux-PAM-1.3.1/modules/pam_selinux/pam_selinux.c 2024-03-11 16:23:24.521025061 +0100 +@@ -106,7 +106,7 @@ int send_audit_message(pam_handle_t *pam + pam_syslog(pamh, LOG_ERR, "Error translating selected context."); + selected_raw = NULL; + } +- if (asprintf(&msg, "pam: default-context=%s selected-context=%s", ++ if (asprintf(&msg, "op=pam_selinux default-context=%s selected-context=%s", + default_raw ? default_raw : (default_context ? default_context : "?"), + selected_raw ? selected_raw : (selected_context ? selected_context : "?")) < 0) { + pam_syslog(pamh, LOG_ERR, "Error allocating memory."); diff --git a/SPECS/pam.spec b/SPECS/pam.spec index d9c2250..35f5bcd 100644 --- a/SPECS/pam.spec +++ b/SPECS/pam.spec @@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.3.1 -Release: 33%{?dist} +Release: 34%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ # - this option is redundant as the BSD license allows that anyway. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. @@ -110,6 +110,9 @@ Patch68: pam-1.3.1-faillock-create-tallydir.patch Patch69: pam-1.3.1-access-handle-hostnames.patch # https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb Patch70: pam-1.3.1-namespace-protect-dir.patch +# https://github.com/linux-pam/linux-pam/commit/c85513220c1bd3150e39c6277422d29cfa44acc7 +# https://github.com/linux-pam/linux-pam/commit/1648734a69c31e9ce834da70144ac9a453296807 +Patch71: pam-1.3.1-audit-messages-formatting.patch %define _pamlibdir %{_libdir} %define _moduledir %{_libdir}/security @@ -228,6 +231,7 @@ cp %{SOURCE18} . %patch68 -p1 -b .faillock-create-tallydir %patch69 -p1 -b .access-handle-hostnames %patch70 -p1 -b .namespace-protect-dir +%patch71 -p1 -b .audit-messages-formatting autoreconf -i @@ -481,6 +485,9 @@ done %doc doc/specs/rfc86.0.txt %changelog +* Thu Apr 4 2024 Iker Pedrosa - 1.3.1-34 +- fix formatting of audit messages. Resolves: RHEL-28620 + * Mon Feb 12 2024 Iker Pedrosa - 1.3.1-33 - pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS situations. CVE-2024-22365. Resolves: RHEL-21242