pam_access: add forgotten patch

Resolves: RHEL-39943 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2024-11-04 17:17:10 +01:00 · 2024-11-04 17:17:10 +01:00 · 67bc312e7e
commit 67bc312e7e
parent 82c088fbad
2 changed files with 99 additions and 2 deletions
--- a/pam-1.5.1-pam-access-local.patch
+++ b/pam-1.5.1-pam-access-local.patch
@ -1,3 +1,99 @@
+From 08992030c56c940c0707ccbc442b1c325aa01e6d Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Tue, 6 Apr 2021 12:27:38 +0200
+Subject: [PATCH] pam_access: clean up the remote host matching code
+
+* modules/pam_access/pam_access.c (from_match): Split out remote_match()
+  function and avoid calling it when matching against LOCAL keyword.
+  There is also no point in doing domain match against TTY or SERVICE.
+---
+ modules/pam_access/pam_access.c | 44 +++++++++++++++++++++------------
+ 1 file changed, 28 insertions(+), 16 deletions(-)
+
+diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
+index 98848c54..277192b9 100644
+--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
+@@ -160,6 +160,7 @@ static int list_match (pam_handle_t *, char *, char *, struct login_info *,
+ static int user_match (pam_handle_t *, char *, struct login_info *);
+ static int group_match (pam_handle_t *, const char *, const char *, int);
+ static int from_match (pam_handle_t *, char *, struct login_info *);
+static int remote_match (pam_handle_t *, char *, struct login_info *);
+ static int string_match (pam_handle_t *, const char *, const char *, int);
+ static int network_netmask_match (pam_handle_t *, const char *, const char *, struct login_info *);
+ 
+@@ -589,11 +590,9 @@ group_match (pam_handle_t *pamh, const char *tok, const char* usr,
+ /* from_match - match a host or tty against a list of tokens */
+ 
+ static int
+-from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
+from_match (pam_handle_t *pamh, char *tok, struct login_info *item)
+ {
+     const char *string = item->from;
+-    int        tok_len;
+-    int        str_len;
+     int        rv;
+ 
+     if (item->debug)
+@@ -616,14 +615,29 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
+     } else if ((rv = string_match(pamh, tok, string, item->debug)) != NO) {
+         /* ALL or exact match */
+ 	return rv;
+-    } else if (tok[0] == '.') {			/* domain: match last fields */
+-	if ((str_len = strlen(string)) > (tok_len = strlen(tok))
+-	    && strcasecmp(tok, string + str_len - tok_len) == 0)
+-	    return (YES);
+-    } else if (item->from_remote_host == 0) {	/* local: no PAM_RHOSTS */
+-	if (strcasecmp(tok, "LOCAL") == 0)
+-	    return (YES);
+-    } else if (tok[(tok_len = strlen(tok)) - 1] == '.') {
+    } else if (strcasecmp(tok, "LOCAL") == 0) {
+	    /* LOCAL matches only local accesses */
+	    if (!item->from_remote_host)
+	        return YES;
+	    return NO;
+    } else if (item->from_remote_host) {
+        return remote_match(pamh, tok, item);
+    }
+    return NO;
+}
+
+static int
+remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
+{
+    const char *string = item->from;
+    size_t tok_len = strlen(tok);
+    size_t str_len;
+
+    if (tok[0] == '.') {			/* domain: match last fields */
+      if ((str_len = strlen(string)) > tok_len
+	  && strcasecmp(tok, string + str_len - tok_len) == 0)
+	return YES;
+    } else if (tok[tok_len - 1] == '.') {
+       struct addrinfo hint;
+ 
+       memset (&hint, '\0', sizeof (hint));
+@@ -661,13 +675,11 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
+ 	      runp = runp->ai_next;
+ 	    }
+ 	}
+-    } else {
+-      /* Assume network/netmask, IP address or hostname.  */
+-      if (network_netmask_match(pamh, tok, string, item))
+-	return YES;
+      return NO;
+     }
+ 
+-    return NO;
+    /* Assume network/netmask with an IP of a host.  */
+    return network_netmask_match(pamh, tok, string, item);
+ }
+ 
+ /* string_match - match a string against one token */
+-- 
+2.47.0
+
+
 From ecaaf4456e5aeacae1acdb1775bb5aadd3b19e13 Mon Sep 17 00:00:00 2001
 From: Iker Pedrosa <ipedrosa@redhat.com>
 Date: Wed, 16 Oct 2024 12:41:09 +0200
--- a/pam.spec
+++ b/pam.spec
@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.5.1
-Release: 21%{?dist}
+Release: 22%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -70,6 +70,7 @@ Patch21: pam-1.5.1-libpam-support-long-lines.patch
 # https://github.com/linux-pam/linux-pam/commit/b3020da7da384d769f27a8713257fbe1001878be
 # https://github.com/linux-pam/linux-pam/commit/8d0c575336ad301cd14e16ad2fdec6fe621764b8
 Patch22: pam-1.5.1-pam-unix-shadow-password.patch
+# https://github.com/linux-pam/linux-pam/commit/08992030c56c940c0707ccbc442b1c325aa01e6d
 # https://github.com/linux-pam/linux-pam/commit/641dfd1084508c63f3590e93a35b80ffc50774e5
 Patch23: pam-1.5.1-pam-access-local.patch

@ -432,7 +433,7 @@ done
 %doc doc/sag/*.txt doc/sag/html

 %changelog
-* Mon Nov  4 2024 Iker Pedrosa <ipedrosa@redhat.com> - 1.5.1-21
+* Mon Nov  4 2024 Iker Pedrosa <ipedrosa@redhat.com> - 1.5.1-22
 - pam_unix: always run the helper to obtain shadow password file entries.
  CVE-2024-10041. Resolves: RHEL-62879
 - pam_access: always match local address and clarify LOCAL keyword behaviour.