From b38262e712a6034a63cf85daa957e19455dbac03 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Tue, 19 Mar 2013 16:29:42 +0100
Subject: [PATCH] check NULL return from crypt() calls (#915316)

---
 pam-1.1.6-crypt-null-check.patch | 55 ++++++++++++++++++++++++++++++++
 pam.spec                         |  8 ++++-
 2 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 pam-1.1.6-crypt-null-check.patch

diff --git a/pam-1.1.6-crypt-null-check.patch b/pam-1.1.6-crypt-null-check.patch
new file mode 100644
index 0000000..78d7b91
--- /dev/null
+++ b/pam-1.1.6-crypt-null-check.patch
@@ -0,0 +1,55 @@
+From 8dc056c1c8bc7acb66c4decc49add2c3a24e6310 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Fri, 8 Feb 2013 15:04:26 +0100
+Subject: [PATCH] Add checks for crypt() returning NULL.
+
+modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return.
+modules/pam_unix/bigcrypt.c (bigcrypt): Likewise.
+---
+ modules/pam_pwhistory/opasswd.c |    2 +-
+ modules/pam_unix/bigcrypt.c     |    9 +++++++++
+ 2 files changed, 10 insertions(+), 1 deletions(-)
+
+diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
+index 274fdb9..836d713 100644
+--- a/modules/pam_pwhistory/opasswd.c
++++ b/modules/pam_pwhistory/opasswd.c
+@@ -108,7 +108,7 @@ compare_password(const char *newpass, const char *oldpass)
+   outval = crypt (newpass, oldpass);
+ #endif
+ 
+-  return strcmp(outval, oldpass) == 0;
++  return outval != NULL && strcmp(outval, oldpass) == 0;
+ }
+ 
+ /* Check, if the new password is already in the opasswd file.  */
+diff --git a/modules/pam_unix/bigcrypt.c b/modules/pam_unix/bigcrypt.c
+index e10d1c5..e1d57a0 100644
+--- a/modules/pam_unix/bigcrypt.c
++++ b/modules/pam_unix/bigcrypt.c
+@@ -109,6 +109,10 @@ char *bigcrypt(const char *key, const char *salt)
+ #else
+ 	tmp_ptr = crypt(plaintext_ptr, salt);	/* libc crypt() */
+ #endif
++	if (tmp_ptr == NULL) {
++		free(dec_c2_cryptbuf);
++		return NULL;
++	}
+ 	/* and place in the static area */
+ 	strncpy(cipher_ptr, tmp_ptr, 13);
+ 	cipher_ptr += ESEGMENT_SIZE + SALT_SIZE;
+@@ -130,6 +134,11 @@ char *bigcrypt(const char *key, const char *salt)
+ #else
+ 			tmp_ptr = crypt(plaintext_ptr, salt_ptr);
+ #endif
++			if (tmp_ptr == NULL) {
++				_pam_overwrite(dec_c2_cryptbuf);
++				free(dec_c2_cryptbuf);
++				return NULL;
++			}
+ 
+ 			/* skip the salt for seg!=0 */
+ 			strncpy(cipher_ptr, (tmp_ptr + SALT_SIZE), ESEGMENT_SIZE);
+-- 
+1.7.7.6
+
diff --git a/pam.spec b/pam.spec
index 1246b4b..d322fd2 100644
--- a/pam.spec
+++ b/pam.spec
@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.1.6
-Release: 7%{?dist}
+Release: 8%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -50,6 +50,8 @@ Patch22: pam-1.1.5-unix-build.patch
 Patch23: pam-1.1.6-autoupdate.patch
 # Upstreamed
 Patch24: pam-1.1.6-namespace-mntopts.patch
+# Upstreamed
+Patch25: pam-1.1.6-crypt-null-check.patch
 
 %define _sbindir /sbin
 %define _moduledir /%{_lib}/security
@@ -130,6 +132,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules
 %patch22 -p1 -b .build
 %patch23 -p1 -b .autoupdate
 %patch24 -p1 -b .mntopts
+%patch25 -p1 -b .null-check
 
 %build
 autoreconf -i
@@ -383,6 +386,9 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Tue Mar 19 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-8
+- check NULL return from crypt() calls (#915316)
+
 * Thu Mar 14 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-7
 - add workaround for low nproc limit for confined root user (#432903)