From 4baf0f69498c50ad5cc9b1e89de742396154e4b5 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 1 Nov 2010 23:42:26 +0100 Subject: [PATCH] - upgrade to new upstream release fixing CVE-2010-3316 CVE-2010-3435 CVE-2010-3853 - try to connect to an abstract X-socket first to verify we are at real console (#647191) --- .gitignore | 1 + ...r.bz2.sign => Linux-PAM-1.1.3.tar.bz2.sign | 6 +- pam-1.1.3-console-abstract.patch | 82 +++++++++++++++++++ pam-1.1.3-nouserenv.patch | 27 ++++++ pam.spec | 12 ++- sources | 2 +- 6 files changed, 125 insertions(+), 5 deletions(-) rename Linux-PAM-1.1.2.tar.bz2.sign => Linux-PAM-1.1.3.tar.bz2.sign (61%) create mode 100644 pam-1.1.3-console-abstract.patch create mode 100644 pam-1.1.3-nouserenv.patch diff --git a/.gitignore b/.gitignore index af1e684..993ef43 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ pam-redhat-0.99.10-1.tar.bz2 Linux-PAM-1.1.1.tar.bz2 /Linux-PAM-1.1.2.tar.bz2 /pam-redhat-0.99.10-1.tar.bz2 +/Linux-PAM-1.1.3.tar.bz2 diff --git a/Linux-PAM-1.1.2.tar.bz2.sign b/Linux-PAM-1.1.3.tar.bz2.sign similarity index 61% rename from Linux-PAM-1.1.2.tar.bz2.sign rename to Linux-PAM-1.1.3.tar.bz2.sign index ebf862e..10af18a 100644 --- a/Linux-PAM-1.1.2.tar.bz2.sign +++ b/Linux-PAM-1.1.3.tar.bz2.sign @@ -2,7 +2,7 @@ Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://www.kernel.org/signature.html for info -iD8DBQBMfOpRyGugalF9Dw4RAthOAJ4z/JltpEbOUu6dnmDp1ukQ//1UHwCeJu/F -99nWVREWCPTqNSuGz6H/Zo4= -=G1D5 +iD8DBQBMyYZZyGugalF9Dw4RAtMkAJwIeAEXVkGZ3mL4YQKixP5zx3D6iACghePh +sG43bk6Idz0UGC24QRQPDYE= +=lJnB -----END PGP SIGNATURE----- diff --git a/pam-1.1.3-console-abstract.patch b/pam-1.1.3-console-abstract.patch new file mode 100644 index 0000000..ed14ddd --- /dev/null +++ b/pam-1.1.3-console-abstract.patch 
@@ -0,0 +1,82 @@
+diff -up Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract Linux-PAM-1.1.3/modules/pam_console/pam_console.c
+--- Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract 2008-12-16 13:37:52.000000000 +0100
++++ Linux-PAM-1.1.3/modules/pam_console/pam_console.c 2010-11-01 17:01:55.000000000 +0100
+@@ -34,6 +34,8 @@
+ #include
+ #include
+ #include
++#include
++#include
+ #include
+ #include
+ #include
+@@ -136,6 +138,32 @@ check_one_console_name(const char *name,
+ }
+
+ static int
++try_xsocket(const char *path, size_t len) {
++ int fd;
++ union {
++ struct sockaddr sa;
++ struct sockaddr_un su;
++ } addr;
++
++ fd = socket(AF_UNIX, SOCK_STREAM, 0);
++ if (fd < 0)
++ return 0;
++
++ memset(&addr, 0, sizeof(addr));
++ addr.su.sun_family = AF_UNIX;
++
++ if (len > sizeof(addr.su.sun_path))
++ return 0;
++ memcpy(addr.su.sun_path, path, len);
++ if (connect(fd, &addr.sa, sizeof(addr.su)) == 0) {
++ close(fd);
++ return 1;
++ }
++ close(fd);
++ return 0;
++}
++
++static int
+ check_console_name(pam_handle_t *pamh, const char *consolename, int nonroot_ok, int on_set) {
+ int found = 0;
+ int statted = 0;
+@@ -186,22 +214,29 @@ check_console_name(pam_handle_t *pamh, c
+ if (!statted && (consolename[0] == ':')) {
+ int l;
+ char *dot = NULL;
+- strcpy(full_path, "/tmp/.X11-unix/X");
+- l = sizeof(full_path) - 1 - strlen(full_path);
++ char *path = full_path + 1;
++
++ full_path[0] = '\0';
++ strcpy(path, "/tmp/.X11-unix/X");
++ l = sizeof(full_path) - 2 - strlen(path);
+ dot = strchr(consolename + 1, '.');
+ if (dot != NULL) {
+ l = (l < dot - consolename - 1) ? l : dot - consolename - 1;
+ }
+- strncat(full_path, consolename + 1, l);
++ strncat(path, consolename + 1, l);
+ full_path[sizeof(full_path) - 1] = '\0';
+- _pam_log(pamh, LOG_DEBUG, TRUE, "checking possible console \"%s\"",
+- full_path);
+- if (lstat(full_path, &st) != -1) {
++ _pam_log(pamh, LOG_DEBUG, TRUE, "checking possible X socket \"%s\"",
++ path);
++
++ /* this will work because st.st_uid is 0 */
++ if (try_xsocket(full_path, strlen(path)+1)) {
++ statted = 1;
++ } else if (try_xsocket(path, strlen(path))) {
+ statted = 1;
+ }
+ else if (!on_set) { /* there is no X11 socket in case of X11 crash */
+ _pam_log(pamh, LOG_DEBUG, TRUE, "can't find X11 socket to examine for %s probably due to X crash", consolename);
+- statted = 1; /* this will work because st.st_uid is 0 */
++ statted = 1;
+ }
+ }
diff --git a/pam-1.1.3-nouserenv.patch b/pam-1.1.3-nouserenv.patch
new file mode 100644
index 0000000..f3a742c
--- /dev/null
+++ b/pam-1.1.3-nouserenv.patch
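Review bot: In the new try_xsocket(), the `if (len > sizeof(addr.su.sun_path)) return 0;` branch is reached after socket() has already succeeded and returns without closing fd, so every call that takes it leaks a descriptor in the privileged caller; move the length check above the socket() call, or write it as `if (len > sizeof(addr.su.sun_path)) { close(fd); return 0; }`. Separately, connect() is given `sizeof(addr.su)` as the address length, so for the abstract name (leading NUL) the zero padding to the end of sun_path becomes part of the name; if the X server binds its abstract socket with the exact length, this probe can never match and the code silently falls back to the filesystem socket, so `offsetof(struct sockaddr_un, sun_path) + len` looks like the intended length — worth confirming against the server. The `/* this will work because st.st_uid is 0 */` comment moved into the new branch now rests on st never being filled by lstat() on this path, which is only safe if st is zero-initialised earlier in check_console_name(), outside this hunk. check_console_name() itself starts and ends outside the hunk.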
@@ -0,0 +1,27 @@ +diff -up pam/modules/pam_env/pam_env.c.nouserenv pam/modules/pam_env/pam_env.c +--- pam/modules/pam_env/pam_env.c.nouserenv 2010-10-20 09:59:30.000000000 +0200 ++++ pam/modules/pam_env/pam_env.c 2010-11-01 14:42:01.000000000 +0100 +@@ -10,7 +10,7 @@ + #define DEFAULT_READ_ENVFILE 1 + + #define DEFAULT_USER_ENVFILE ".pam_environment" +-#define DEFAULT_USER_READ_ENVFILE 1 ++#define DEFAULT_USER_READ_ENVFILE 0 + + #include "config.h" + +diff -up pam/modules/pam_env/pam_env.8.xml.nouserenv pam/modules/pam_env/pam_env.8.xml +--- pam/modules/pam_env/pam_env.8.xml.nouserenv 2010-10-20 09:59:30.000000000 +0200 ++++ pam/modules/pam_env/pam_env.8.xml 2010-11-01 14:42:01.000000000 +0100 +@@ -147,7 +147,10 @@ + + + Turns on or off the reading of the user specific environment +- file. 0 is off, 1 is on. By default this option is on. ++ file. 0 is off, 1 is on. By default this option is off as user ++ supplied environment variables in the PAM environment could affect ++ behavior of subsequent modules in the stack without the consent ++ of the system administrator. + + + diff --git a/pam.spec b/pam.spec index a52a66e..cd81c71 100644 --- a/pam.spec +++ b/pam.spec @@ -2,7 +2,7 @@ Summary: An extensible library which provides authentication for applications Name: pam -Version: 1.1.2 +Version: 1.1.3 Release: 1%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, @@ -28,6 +28,8 @@ Patch5: pam-1.1.0-notally.patch Patch7: pam-1.1.0-console-fixes.patch Patch8: pam-1.1.1-faillock.patch Patch9: pam-1.1.2-noflex.patch +Patch10: pam-1.1.3-nouserenv.patch +Patch11: pam-1.1.3-console-abstract.patch %define _sbindir /sbin %define _moduledir /%{_lib}/security 
@@ -95,6 +97,8 @@ mv pam-redhat-%{pam_redhat_version}/* modules %patch7 -p1 -b .console-fixes %patch8 -p1 -b .faillock %patch9 -p1 -b .noflex +%patch10 -p1 -b .nouserenv +%patch11 -p1 -b .abstract libtoolize -f autoreconf @@ -339,6 +343,12 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Mon Nov 1 2010 Tomas Mraz 1.1.3-1 +- upgrade to new upstream release fixing CVE-2010-3316 CVE-2010-3435 + CVE-2010-3853 +- try to connect to an abstract X-socket first to verify we are + at real console (#647191) + * Mon Sep 20 2010 Tomas Mraz 1.1.2-1 - add pam_faillock module implementing temporary account lock out based on authentication failures during a specified interval diff --git a/sources b/sources index 6f70057..efbbf75 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -81173dfeffe69d726081f9c5667cd3e7 Linux-PAM-1.1.2.tar.bz2 c115640346a987356f6b76ec1d425185 pam-redhat-0.99.10-1.tar.bz2 +6db7fcb5db6253350e3a4648ceac40e7 Linux-PAM-1.1.3.tar.bz2