Coverity fixes, pam_umask added to postlogin

add pam_umask to postlogin PAM configuration file
fix some issues found by Coverity scan

fingerprint-auth.pamd

@@ -1,6 +1,6 @@
 #%PAM-1.0
 # This file is auto-generated.
-# User changes will be destroyed the next time authconfig is run.
+# User changes will be destroyed the next time authselect is run.
 auth        required      pam_env.so
 auth        sufficient    pam_fprintd.so
 auth        required      pam_deny.so

pam-1.3.1-coverity.patch

@@ -0,0 +1,185 @@
+diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c
+index 106ef7c..b2e94c7 100644
+--- a/libpam/pam_handlers.c
++++ b/libpam/pam_handlers.c
+@@ -282,7 +282,6 @@ _pam_open_config_file(pam_handle_t *pamh
+ {
+     char *p;
+     FILE *f;
+-    int err = 0;
+ 
+     /* Absolute path */
+     if (service[0] == '/') {
+diff --git a/libpam_misc/misc_conv.c b/libpam_misc/misc_conv.c
+index be53f34..07dce36 100644
+--- a/libpam_misc/misc_conv.c
++++ b/libpam_misc/misc_conv.c
+@@ -211,7 +211,7 @@ static int read_string(int echo, const char *prompt, char **retstr)
+ 		    line[nc] = '\0';
+ 		}
+ 		*retstr = strdup(line);
+-		_pam_overwrite(line);
++		_pam_overwrite_n(line, sizeof(line));
+ 		if (!*retstr) {
+ 		    D(("no memory for response string"));
+ 		    nc = -1;
+@@ -244,7 +244,7 @@ static int read_string(int echo, const char *prompt, char **retstr)
+     D(("the timer appears to have expired"));
+ 
+     *retstr = NULL;
+-    _pam_overwrite(line);
++    _pam_overwrite_n(line, sizeof(line));
+ 
+  cleanexit:
+ 
+diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
+index 80d885d..3801862 100644
+--- a/modules/pam_access/pam_access.c
++++ b/modules/pam_access/pam_access.c
+@@ -806,7 +806,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
+     const char *user=NULL;
+     const void *void_from=NULL;
+     const char *from;
+-    const char const *default_config = PAM_ACCESS_CONFIG;
++    const char * const default_config = PAM_ACCESS_CONFIG;
+     struct passwd *user_pw;
+     char hostname[MAXHOSTNAMELEN + 1];
+     int rv;
+diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
+index 4bc4ae7..f8476b4 100644
+--- a/modules/pam_limits/pam_limits.c
++++ b/modules/pam_limits/pam_limits.c
+@@ -342,7 +342,7 @@ static const char *lnames[RLIM_NLIMITS] = {
+ #endif
+ };
+ 
+-static int str2rlimit(char *name) {
++static int str2rlimit(const char *name) {
+     int i;
+     if (!name || *name == '\0')
+         return -1;
+@@ -352,7 +352,7 @@ static int str2rlimit(char *name) {
+     return -1;
+ }
+ 
+-static rlim_t str2rlim_t(char *value) {
++static rlim_t str2rlim_t(const char *value) {
+     unsigned long long rlimit = 0;
+ 
+     if (!value) return (rlim_t)rlimit;
+@@ -384,7 +384,7 @@ static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int
+     FILE *limitsfile;
+     const char *proclimits = "/proc/1/limits";
+     char line[256];
+-    char *units, *hard, *soft, *name;
++    const char *units, *hard, *soft, *name;
+ 
+     if (!(limitsfile = fopen(proclimits, "r"))) {
+         pam_syslog(pamh, LOG_WARNING, "Could not read %s (%s), using PAM defaults", proclimits, strerror(errno));
+diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c
+index 96bfd98..66d202c 100644
+--- a/modules/pam_loginuid/pam_loginuid.c
++++ b/modules/pam_loginuid/pam_loginuid.c
+@@ -64,7 +64,7 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid)
+ 	fd = open("/proc/self/uid_map", O_RDONLY);
+ 	if (fd >= 0) {
+ 		count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
+-		if (strncmp(uid_map, host_uid_map, count) != 0)
++		if (count <= 0 || strncmp(uid_map, host_uid_map, count) != 0)
+ 			rc = PAM_IGNORE;
+ 		close(fd);
+ 	}
+diff --git a/modules/pam_mkhomedir/mkhomedir_helper.c b/modules/pam_mkhomedir/mkhomedir_helper.c
+index 9e204c1..4b8d6b7 100644
+--- a/modules/pam_mkhomedir/mkhomedir_helper.c
++++ b/modules/pam_mkhomedir/mkhomedir_helper.c
+@@ -232,6 +232,8 @@ create_homedir(const struct passwd *pwd,
+       {
+          pam_syslog(NULL, LOG_DEBUG,
+ 		    "unable to open or stat src file %s: %m", newsource);
++         if (srcfd >= 0)
++            close(srcfd);
+          closedir(d);
+ 
+ #ifndef PATH_MAX
+diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
+index f541f89..85f5efa 100644
+--- a/modules/pam_namespace/pam_namespace.c
++++ b/modules/pam_namespace/pam_namespace.c
+@@ -1418,6 +1418,7 @@ static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *
+     if (fstat(fd, &newstatbuf) < 0) {
+         pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m",
+ 		ipath);
++	close(fd);
+ 	rmdir(ipath);
+         return PAM_SESSION_ERR;
+     }
+diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
+index e6cf346..813f579 100644
+--- a/modules/pam_pwhistory/opasswd.c
++++ b/modules/pam_pwhistory/opasswd.c
+@@ -326,6 +326,9 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
+ 	n = strlen (buf);
+ #endif /* HAVE_GETLINE / HAVE_GETDELIM */
+ 
++	if (n < 1)
++	  break;
++
+ 	cp = buf;
+ 	save = strdup (buf); /* Copy to write the original data back.  */
+ 	if (save == NULL)
+@@ -336,9 +339,6 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
+ 	    goto error_opasswd;
+           }
+ 
+-	if (n < 1)
+-	  break;
+-
+ 	tmp = strchr (cp, '#');  /* remove comments */
+ 	if (tmp)
+ 	  *tmp = '\0';
+diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c
+index 17baabe..a9d9140 100644
+--- a/modules/pam_rootok/pam_rootok.c
++++ b/modules/pam_rootok/pam_rootok.c
+@@ -66,14 +66,17 @@ log_callback (int type, const char *fmt, ...)
+     int audit_fd;
+     va_list ap;
+ 
+-    va_start(ap, fmt);
+ #ifdef HAVE_LIBAUDIT
+     audit_fd = audit_open();
+ 
+     if (audit_fd >= 0) {
+ 	char *buf;
++	int ret;
+ 
+-	if (vasprintf (&buf, fmt, ap) < 0)
++	va_start(ap, fmt);
++	ret = vasprintf (&buf, fmt, ap)
++	va_end(ap);
++	if (ret < 0)
+ 		return 0;
+ 	audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
+ 				   NULL, 0);
+@@ -83,6 +86,7 @@ log_callback (int type, const char *fmt, ...)
+     }
+ 
+ #endif
++    va_start(ap, fmt);
+     vsyslog (LOG_USER | LOG_INFO, fmt, ap);
+     va_end(ap);
+     return 0;
+diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c
+index c653290..f37af0f 100644
+--- a/modules/pam_sepermit/pam_sepermit.c
++++ b/modules/pam_sepermit/pam_sepermit.c
+@@ -353,7 +353,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
+ 		if (*sense == PAM_SUCCESS) {
+ 			if (ignore)
+ 				*sense = PAM_IGNORE;
+-			if (geteuid() == 0 && exclusive && get_loginuid(pamh) == -1)
++			if (geteuid() == 0 && exclusive && get_loginuid(pamh) == (uid_t)-1)
+ 				if (sepermit_lock(pamh, user, debug) < 0)
+ 					*sense = PAM_AUTH_ERR;
+ 		}

pam.spec

@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.3.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -42,6 +42,7 @@ Patch29: pam-1.3.0-pwhistory-helper.patch
 Patch31: pam-1.1.8-audit-user-mgmt.patch
 Patch32: pam-1.2.1-console-devname.patch
 Patch33: pam-1.3.0-unix-nomsg.patch
+Patch34: pam-1.3.1-coverity.patch
 
 %define _pamlibdir %{_libdir}
 %define _moduledir %{_libdir}/security
@@ -123,6 +124,7 @@ cp %{SOURCE18} .
 %patch31 -p1 -b .audit-user-mgmt
 %patch32 -p1 -b .devname
 %patch33 -p1 -b .nomsg
+%patch34 -p1 -b .coverity
 autoreconf -i
 
 %build
@@ -366,6 +368,10 @@ done
 %doc doc/specs/rfc86.0.txt
 
 %changelog
+* Mon Sep 10 2018 Tomáš Mráz <tmraz@redhat.com> 1.3.1-4
+- add pam_umask to postlogin PAM configuration file
+- fix some issues found by Coverity scan
+
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 

password-auth.pamd

@@ -1,6 +1,6 @@
 #%PAM-1.0
 # This file is auto-generated.
-# User changes will be destroyed the next time authconfig is run.
+# User changes will be destroyed the next time authselect is run.
 auth        required      pam_env.so
 auth        sufficient    pam_unix.so try_first_pass nullok
 auth        required      pam_deny.so

postlogin.pamd

@@ -1,7 +1,8 @@
 #%PAM-1.0
 # This file is auto-generated.
-# User changes will be destroyed the next time authconfig is run.
+# User changes will be destroyed the next time authselect is run.
 
-session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
-session     [default=1]   pam_lastlog.so nowtmp showfailed
-session     optional      pam_lastlog.so silent noupdate showfailed
+session optional                   pam_umask.so silent
+session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+session [default=1]                pam_lastlog.so nowtmp showfailed
+session optional                   pam_lastlog.so silent noupdate showfailed

smartcard-auth.pamd

@@ -1,6 +1,6 @@
 #%PAM-1.0
 # This file is auto-generated.
-# User changes will be destroyed the next time authconfig is run.
+# User changes will be destroyed the next time authselect is run.
 auth        required      pam_env.so
 auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
 auth        required      pam_deny.so

system-auth.pamd

@@ -1,6 +1,6 @@
 #%PAM-1.0
 # This file is auto-generated.
-# User changes will be destroyed the next time authconfig is run.
+# User changes will be destroyed the next time authselect is run.
 auth        required      pam_env.so
 auth        sufficient    pam_unix.so try_first_pass nullok
 auth        required      pam_deny.so