From a7f26badebd37091f82fedbf15309aedee06d2db Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 9 Nov 2021 05:05:27 -0500
Subject: [PATCH] import pam-1.3.1-15.el8
---
 ...b-prevent-garbage-characters-from-db.patch | 111 ++++++++++++++++++
 SPECS/pam.spec | 8 +-
 2 files changed, 118 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/pam-1.3.1-pam-userdb-prevent-garbage-characters-from-db.patch
diff --git a/SOURCES/pam-1.3.1-pam-userdb-prevent-garbage-characters-from-db.patch b/SOURCES/pam-1.3.1-pam-userdb-prevent-garbage-characters-from-db.patch
new file mode 100644
index 0000000..37b3e72
--- /dev/null
+++ b/SOURCES/pam-1.3.1-pam-userdb-prevent-garbage-characters-from-db.patch
@@ -0,0 +1,111 @@
+From a7453aeeb398d6cbb7a709c4e2a1d75905220fff Mon Sep 17 00:00:00 2001
+From: Stanislav Zidek
+Date: Fri, 16 Apr 2021 19:14:18 +0200
+Subject: [PATCH] pam_userdb: Prevent garbage characters from db
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791965
+---
+ modules/pam_userdb/pam_userdb.8.xml | 3 +-
+ modules/pam_userdb/pam_userdb.c | 56 +++++++++++++++++------------
+ 2 files changed, 36 insertions(+), 23 deletions(-)
+
+diff --git a/modules/pam_userdb/pam_userdb.8.xml b/modules/pam_userdb/pam_userdb.8.xml
+index fa628ada..bce92850 100644
+--- a/modules/pam_userdb/pam_userdb.8.xml
++++ b/modules/pam_userdb/pam_userdb.8.xml
+@@ -100,7 +100,8 @@
+
+
+
+- Print debug information.
++ Print debug information. Note that password hashes, both from db
++ and computed, will be printed to syslog.
+
+
+
+diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
+index dc2ca232..d59801bf 100644
+--- a/modules/pam_userdb/pam_userdb.c
++++ b/modules/pam_userdb/pam_userdb.c
+@@ -194,7 +194,7 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
+ }
+
+ if (data.dptr != NULL) {
+- int compare = 0;
++ int compare = -2;
+
+ if (ctrl & PAM_KEY_ONLY_ARG)
+ {
+@@ -209,36 +209,48 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
+ char *cryptpw = NULL;
+
+ if (data.dsize < 13) {
+- compare = -2;
++ /* hash is too short */
++ pam_syslog(pamh, LOG_INFO, "password hash in database is too short");
+ } else if (ctrl & PAM_ICASE_ARG) {
+- compare = -2;
++ pam_syslog(pamh, LOG_INFO,
++ "case-insensitive comparison only works with plaintext passwords");
+ } else {
++ /* libdb is not guaranteed to produce null terminated strings */
++ char *pwhash = strndup(data.dptr, data.dsize);
++
++ if (pwhash == NULL) {
++ pam_syslog(pamh, LOG_CRIT, "strndup failed: data.dptr");
++ } else {
+ #ifdef HAVE_CRYPT_R
+- struct crypt_data *cdata = NULL;
+- cdata = malloc(sizeof(*cdata));
+- if (cdata != NULL) {
+- cdata->initialized = 0;
+- cryptpw = crypt_r(pass, data.dptr, cdata);
+- }
++ struct crypt_data *cdata = NULL;
++ cdata = malloc(sizeof(*cdata));
++ if (cdata == NULL) {
++ pam_syslog(pamh, LOG_CRIT, "malloc failed: struct crypt_data");
++ } else {
++ cdata->initialized = 0;
++ cryptpw = crypt_r(pass, pwhash, cdata);
++ }
+ #else
+- cryptpw = crypt (pass, data.dptr);
++ cryptpw = crypt (pass, pwhash);
+ #endif
+- if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
+- compare = memcmp(data.dptr, cryptpw, data.dsize);
+- } else {
+- compare = -2;
+- if (ctrl & PAM_DEBUG_ARG) {
+- if (cryptpw)
+- pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
+- else
+- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
++ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
++ compare = memcmp(data.dptr, cryptpw, data.dsize);
++ } else {
++ if (ctrl & PAM_DEBUG_ARG) {
++ if (cryptpw) {
++ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
++ pam_syslog(pamh, LOG_INFO, "computed hash: %s", cryptpw);
++ } else {
++ pam_syslog(pamh, LOG_ERR, "crypt() returned NULL");
++ }
++ }
+ }
+- }
+ #ifdef HAVE_CRYPT_R
+- free(cdata);
++ free(cdata);
+ #endif
++ }
++ free(pwhash);
+ }
+-
+ } else {
+
+ /* Unknown password encryption method -
+--
+2.30.2
+
diff --git a/SPECS/pam.spec b/SPECS/pam.spec
index c6b8ed4..551c746 100644
--- a/SPECS/pam.spec
+++ b/SPECS/pam.spec
@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.3.1
-Release: 14%{?dist}
+Release: 15%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
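Review bot: The added `pam_syslog(pamh, LOG_INFO, "computed hash: %s", cryptpw);` in the length-mismatch branch of the embedded pam_userdb.c patch writes credential-derived material to syslog. `cryptpw` is the password the user typed, hashed with the stored salt, so anyone who can read the log or a forwarded copy of it gets a value that can be tested offline. The man-page hunk documents this, but the debug option tends to stay enabled after troubleshooting, and diagnosing this branch only needs the two sizes. I would log `pam_syslog(pamh, LOG_INFO, "computed hash length %zu, stored length %zu", strlen(cryptpw), (size_t)data.dsize);` instead. The body of user_lookup starts and ends outside these hunks, so whether the stored hash is logged elsewhere cannot be checked from here.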
@@ -65,6 +65,8 @@ Patch47: pam-1.3.1-pam-modutil-close-write.patch Patch48: pam-1.3.1-wheel-pam_ruser-fallback.patch # https://github.com/linux-pam/linux-pam/commit/491e5500b6b3913f531574208274358a2df88659 Patch49: pam-1.3.1-namespace-gdm-doc.patch +# https://github.com/linux-pam/linux-pam/commit/a7453aeeb398d6cbb7a709c4e2a1d75905220fff +Patch50: pam-1.3.1-pam-userdb-prevent-garbage-characters-from-db.patch %define _pamlibdir %{_libdir} %define _moduledir %{_libdir}/security @@ -162,6 +164,7 @@ cp %{SOURCE18} . %patch47 -p1 -b .pam-modutil-close-write %patch48 -p1 -b .wheel-pam_ruser-fallback %patch49 -p1 -b .namespace-gdm-doc +%patch50 -p1 -b .pam-userdb-prevent-garbage-characters-from-db autoreconf -i %build @@ -407,6 +410,9 @@ done %doc doc/specs/rfc86.0.txt %changelog +* Mon May 3 2021 Iker Pedrosa 1.3.1-15 +- pam_userdb: Prevent garbage characters from db (#1791965) + * Thu Nov 5 2020 Iker Pedrosa 1.3.1-14 - Revert 1.3.1-12