import UBI pam-1.3.1-39.el8_10

2025-12-17 17:44:21 +00:00 · 2025-12-17 17:44:21 +00:00 · 8b2e8f4ab2
commit 8b2e8f4ab2
parent 0c4d7809b2
2 changed files with 114 additions and 1 deletions
--- a/SOURCES/pam-1.3.1-pam-unix-blank-expiration.patch
+++ b/SOURCES/pam-1.3.1-pam-unix-blank-expiration.patch
@ -0,0 +1,104 @@
+diff -up Linux-PAM-1.5.1/modules/pam_unix/passverify.c.pam-unix-blank-expiration Linux-PAM-1.5.1/modules/pam_unix/passverify.c
+--- Linux-PAM-1.5.1/modules/pam_unix/passverify.c.pam-unix-blank-expiration	2025-04-14 14:40:34.181165272 +0200
+++ Linux-PAM-1.5.1/modules/pam_unix/passverify.c	2025-04-14 14:42:11.740385381 +0200
+@@ -5,6 +5,7 @@
+ #include <security/_pam_macros.h>
+ #include <security/pam_modules.h>
+ #include "support.h"
+#include <limits.h>
+ #include <stdio.h>
+ #include <string.h>
+ #include <sys/types.h>
+@@ -286,14 +286,29 @@ PAMH_ARG_DECL(int get_pwd_hash,
+ 	return PAM_SUCCESS;
+ }
+ 
+/*
+ * invariant: 0 <= num1
+ * invariant: 0 <= num2
+ */
+static int
+subtract(long num1, long num2)
+{
+	long value = num1 - num2;
+	if (value < INT_MIN)
+		return INT_MIN;
+	if (value > INT_MAX)
+		return INT_MAX;
+	return (int)value;
+}
+
+ PAMH_ARG_DECL(int check_shadow_expiry,
+ 	struct spwd *spent, int *daysleft)
+ {
+-	long int curdays;
+	long int curdays, passed;
+ 	*daysleft = -1;
+ 	curdays = (long int)(time(NULL) / (60 * 60 * 24));
+-	D(("today is %d, last change %d", curdays, spent->sp_lstchg));
+-	if ((curdays >= spent->sp_expire) && (spent->sp_expire != -1)) {
+	D(("today is %ld, last change %ld", curdays, spent->sp_lstchg));
+	if (spent->sp_expire >= 0 && curdays >= spent->sp_expire) {
+ 		D(("account expired"));
+ 		return PAM_ACCT_EXPIRED;
+ 	}
+@@ -308,31 +323,41 @@ PAMH_ARG_DECL(int check_shadow_expiry,
+ 		*daysleft = 0;
+ 		return PAM_NEW_AUTHTOK_REQD;
+ 	}
+	if (spent->sp_lstchg < 0) {
+		D(("password aging disabled"));
+		return PAM_SUCCESS;
+	}
+ 	if (curdays < spent->sp_lstchg) {
+ 		pam_syslog(pamh, LOG_DEBUG,
+ 			 "account %s has password changed in future",
+ 			 spent->sp_namp);
+ 		return PAM_SUCCESS;
+ 	}
+-	if ((curdays - spent->sp_lstchg > spent->sp_max)
+-	    && (curdays - spent->sp_lstchg > spent->sp_inact)
+-	    && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
+-	    && (spent->sp_max != -1) && (spent->sp_inact != -1)) {
+-		*daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays);
+-		D(("authtok expired"));
+-		return PAM_AUTHTOK_EXPIRED;
+-	}
+-	if ((curdays - spent->sp_lstchg > spent->sp_max) && (spent->sp_max != -1)) {
+-		D(("need a new password 2"));
+-		return PAM_NEW_AUTHTOK_REQD;
+-	}
+-	if ((curdays - spent->sp_lstchg > spent->sp_max - spent->sp_warn)
+-	    && (spent->sp_max != -1) && (spent->sp_warn != -1)) {
+-		*daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays);
+-		D(("warn before expiry"));
+	passed = curdays - spent->sp_lstchg;
+	if (spent->sp_max >= 0) {
+		if (spent->sp_inact >= 0) {
+			long inact = spent->sp_max < LONG_MAX - spent->sp_inact ?
+			    spent->sp_max + spent->sp_inact : LONG_MAX;
+			if (passed >= inact) {
+				*daysleft = subtract(inact, passed);
+				D(("authtok expired"));
+				return PAM_AUTHTOK_EXPIRED;
+			}
+		}
+		if (passed >= spent->sp_max) {
+			D(("need a new password 2"));
+			return PAM_NEW_AUTHTOK_REQD;
+		}
+		if (spent->sp_warn > 0) {
+			long warn = spent->sp_warn > spent->sp_max ? -1 :
+			    spent->sp_max - spent->sp_warn;
+			if (passed >= warn) {
+				*daysleft = subtract(spent->sp_max, passed);
+				D(("warn before expiry"));
+			}
+		}
+ 	}
+-	if ((curdays - spent->sp_lstchg < spent->sp_min)
+-	    && (spent->sp_min != -1)) {
+	if (spent->sp_min > 0 && passed < spent->sp_min) {
+ 		/*
+ 		 * The last password change was too recent. This error will be ignored
+ 		 * if no password change is attempted.
--- a/SPECS/pam.spec
+++ b/SPECS/pam.spec
@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.3.1
-Release: 38%{?dist}
+Release: 39%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -127,6 +127,10 @@ Patch75: pam-1.3.1-pam-access-resolve-ip.patch
 Patch76: pam-1.3.1-pam-inline-pam-asprintf.patch
 # https://github.com/linux-pam/linux-pam/commit/475bd60c552b98c7eddb3270b0b4196847c0072e
 Patch77: pam-1.3.1-pam-namespace-rebase.patch
+# https://github.com/linux-pam/linux-pam/commit/2c711ce57ced9f97c2cf4c8d59c1730447a7bd7f
+# https://github.com/linux-pam/linux-pam/commit/51a06bc8cc2278c6e81c9c08a9381c9eb0d2de96
+# https://github.com/linux-pam/linux-pam/commit/470b5bdd8fd29d6b35e3a80f9a57bdd4b2438200
+Patch78: pam-1.3.1-pam-unix-blank-expiration.patch

 %define _pamlibdir %{_libdir}
 %define _moduledir %{_libdir}/security
@ -252,6 +256,7 @@ cp %{SOURCE18} .
 %patch75 -p1 -b .pam-access-resolve-ip
 %patch76 -p1 -b .pam-inline-pam-asprintf
 %patch77 -p1 -b .pam-namespace-rebase
+%patch78 -p1 -b .pam-unix-blank-expiration

 autoreconf -i

@ -505,6 +510,10 @@ done
 %doc doc/specs/rfc86.0.txt

 %changelog
+* Fri Nov 14 2025 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-39
+- pam_unix: sync expiry checks with shadow.
+  Resolves: RHEL-70476
+
 * Wed Aug  6 2025 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-38
 - pam_namespace: fix potential privilege escalation.
  Resolves: CVE-2025-6020 and RHEL-96724