import pam-1.3.1-15.el8

2021-11-09 05:05:27 -05:00 · 2021-11-09 05:05:27 -05:00 · a7f26badeb
commit a7f26badeb
parent fdabea30c6
2 changed files with 118 additions and 1 deletions
--- a/SOURCES/pam-1.3.1-pam-userdb-prevent-garbage-characters-from-db.patch
+++ b/SOURCES/pam-1.3.1-pam-userdb-prevent-garbage-characters-from-db.patch
@ -0,0 +1,111 @@
 From a7453aeeb398d6cbb7a709c4e2a1d75905220fff Mon Sep 17 00:00:00 2001
 From: Stanislav Zidek <szidek@redhat.com>
 Date: Fri, 16 Apr 2021 19:14:18 +0200
 Subject: [PATCH] pam_userdb: Prevent garbage characters from db
 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791965
 ---
 modules/pam_userdb/pam_userdb.8.xml |  3 +-
 modules/pam_userdb/pam_userdb.c     | 56 +++++++++++++++++------------
 2 files changed, 36 insertions(+), 23 deletions(-)
 diff --git a/modules/pam_userdb/pam_userdb.8.xml b/modules/pam_userdb/pam_userdb.8.xml
 index fa628ada..bce92850 100644
 --- a/modules/pam_userdb/pam_userdb.8.xml
 +++ b/modules/pam_userdb/pam_userdb.8.xml
@@ -100,7 +100,8 @@
         </term>
         <listitem>
           <para>
 -            Print debug information.
 +            Print debug information. Note that password hashes, both from db
 +            and computed, will be printed to syslog.
           </para>
         </listitem>
       </varlistentry>
 diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
 index dc2ca232..d59801bf 100644
 --- a/modules/pam_userdb/pam_userdb.c
 +++ b/modules/pam_userdb/pam_userdb.c
@@ -194,7 +194,7 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
     }
     if (data.dptr != NULL) {
 -	int compare = 0;
 +	int compare = -2;
 	if (ctrl & PAM_KEY_ONLY_ARG)
 	  {
@@ -209,36 +209,48 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
 	  char *cryptpw = NULL;
 	  if (data.dsize < 13) {
 -	    compare = -2;
 +	    /* hash is too short */
 +	    pam_syslog(pamh, LOG_INFO, "password hash in database is too short");
 	  } else if (ctrl & PAM_ICASE_ARG) {
 -	    compare = -2;
 +	    pam_syslog(pamh, LOG_INFO,
 +	       "case-insensitive comparison only works with plaintext passwords");
 	  } else {
 +	    /* libdb is not guaranteed to produce null terminated strings */
 +	    char *pwhash = strndup(data.dptr, data.dsize);
 +
 +	    if (pwhash == NULL) {
 +	      pam_syslog(pamh, LOG_CRIT, "strndup failed: data.dptr");
 +	    } else {
 #ifdef HAVE_CRYPT_R
 -	    struct crypt_data *cdata = NULL;
 -	    cdata = malloc(sizeof(*cdata));
 -	    if (cdata != NULL) {
 -		cdata->initialized = 0;
 -		cryptpw = crypt_r(pass, data.dptr, cdata);
 -	    }
 +	      struct crypt_data *cdata = NULL;
 +	      cdata = malloc(sizeof(*cdata));
 +	      if (cdata == NULL) {
 +	        pam_syslog(pamh, LOG_CRIT, "malloc failed: struct crypt_data");
 +	      } else {
 +	        cdata->initialized = 0;
 +	        cryptpw = crypt_r(pass, pwhash, cdata);
 +	      }
 #else
 -	    cryptpw = crypt (pass, data.dptr);
 +	      cryptpw = crypt (pass, pwhash);
 #endif
 -	    if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
 -	      compare = memcmp(data.dptr, cryptpw, data.dsize);
 -	    } else {
 -	      compare = -2;
 -	      if (ctrl & PAM_DEBUG_ARG) {
 -		if (cryptpw)
 -		  pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
 -		else
 -		  pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
 +	      if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
 +	        compare = memcmp(data.dptr, cryptpw, data.dsize);
 +	      } else {
 +	        if (ctrl & PAM_DEBUG_ARG) {
 +	          if (cryptpw) {
 +	            pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
 +	            pam_syslog(pamh, LOG_INFO, "computed hash: %s", cryptpw);
 +	          } else {
 +	            pam_syslog(pamh, LOG_ERR, "crypt() returned NULL");
 +	          }
 +	        }
 	      }
 -	    }
 #ifdef HAVE_CRYPT_R
 -	    free(cdata);
 +	      free(cdata);
 #endif
 +	    }
 +	    free(pwhash);
 	  }
 -
 	} else {
 	  /* Unknown password encryption method -
 -- 
 2.30.2
--- a/SPECS/pam.spec
+++ b/SPECS/pam.spec
@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.3.1
-Release: 14%{?dist}
+Release: 15%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -65,6 +65,8 @@ Patch47: pam-1.3.1-pam-modutil-close-write.patch
 Patch48: pam-1.3.1-wheel-pam_ruser-fallback.patch
 # https://github.com/linux-pam/linux-pam/commit/491e5500b6b3913f531574208274358a2df88659
 Patch49: pam-1.3.1-namespace-gdm-doc.patch
 # https://github.com/linux-pam/linux-pam/commit/a7453aeeb398d6cbb7a709c4e2a1d75905220fff
 Patch50: pam-1.3.1-pam-userdb-prevent-garbage-characters-from-db.patch
 %define _pamlibdir %{_libdir}
 %define _moduledir %{_libdir}/security
@ -162,6 +164,7 @@ cp %{SOURCE18} .
 %patch47 -p1 -b .pam-modutil-close-write
 %patch48 -p1 -b .wheel-pam_ruser-fallback
 %patch49 -p1 -b .namespace-gdm-doc
 %patch50 -p1 -b .pam-userdb-prevent-garbage-characters-from-db
 autoreconf -i
 %build
@ -407,6 +410,9 @@ done
 %doc doc/specs/rfc86.0.txt
 %changelog
 * Mon May  3 2021 Iker Pedrosa <ipedrosa@redhat.com> 1.3.1-15
 - pam_userdb: Prevent garbage characters from db (#1791965)
 * Thu Nov  5 2020 Iker Pedrosa <ipedrosa@redhat.com> 1.3.1-14
 - Revert 1.3.1-12