- upgrade to new upstream version resolving CVE-2007-0003

- pam_namespace: unmount poly dir for override users

.cvsignore

@@ -1,5 +1,5 @@
 db-4.5.20.tar.gz
 *.src.rpm
 *.tar.bz2
-Linux-PAM-0.99.7.0.tar.bz2
 pam-redhat-0.99.7-1.tar.bz2
+Linux-PAM-0.99.7.1.tar.bz2

Linux-PAM-0.99.7.1.tar.bz2.sign

@@ -0,0 +1,8 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.6 (GNU/Linux)
+Comment: See http://www.kernel.org/signature.html for info
+
+iD8DBQBFtgDAyGugalF9Dw4RArOyAJ0duc7/WqnlX1+LfjYsUOQsJhICOgCfdWDb
+aMzAtzhCqvu+IxJTFwXx/kk=
+=I+NT
+-----END PGP SIGNATURE-----

pam-0.99.7.0-namespace-unmnt-override.patch

@@ -0,0 +1,125 @@
+--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c.unmnt-override	2007-01-22 14:06:31.000000000 +0100
++++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c	2007-01-23 16:41:57.000000000 +0100
+@@ -417,17 +417,18 @@
+  * uids for the polyinstantiated directory, polyinstantiation is not
+  * performed for that user for that directory.
+  */
+-static int ns_override(struct polydir_s *polyptr, struct instance_data *idata)
++static int ns_override(struct polydir_s *polyptr, struct instance_data *idata,
++		uid_t uid)
+ {
+     unsigned int i;
+ 
+     if (idata->flags & PAMNS_DEBUG)
+     	pam_syslog(idata->pamh, LOG_DEBUG,
+ 		"Checking for ns override in dir %s for uid %d",
+-		polyptr->dir, idata->uid);
++		polyptr->dir, uid);
+ 
+     for (i = 0; i < polyptr->num_uids; i++) {
+-        if (idata->uid == polyptr->uid[i]) {
++        if (uid == polyptr->uid[i]) {
+             return 1;
+         }
+     }
+@@ -1013,21 +1014,46 @@
+     int retval = 0, need_poly = 0, changing_dir = 0;
+     char *cptr, *fptr, poly_parent[PATH_MAX];
+     struct polydir_s *pptr;
++    uid_t req_uid;
++    const void *ruser_name;
++    struct passwd *pwd;
+ 
+     if (idata->flags & PAMNS_DEBUG)
+         pam_syslog(idata->pamh, LOG_DEBUG, "Set up namespace for pid %d",
+ 		getpid());
+ 
++    retval = pam_get_item(idata->pamh, PAM_RUSER, &ruser_name);
++    if (ruser_name == NULL || retval != PAM_SUCCESS) {
++	retval = PAM_SUCCESS;
++	req_uid = getuid();
++    } else {
++        pwd = pam_modutil_getpwnam(idata->pamh, ruser_name);
++        if (pwd != NULL) {
++    	    req_uid = pwd->pw_uid;
++        } else {
++	    req_uid = getuid();
++        }
++    }
++
+     /*
+      * Cycle through all polyinstantiated directory entries to see if
+      * polyinstantiation is needed at all.
+      */
+     for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
+-        if (ns_override(pptr, idata)) {
+-            if (idata->flags & PAMNS_DEBUG)
+-                pam_syslog(idata->pamh, LOG_DEBUG,
++        if (ns_override(pptr, idata, idata->uid)) {
++    	    if (unmnt == NO_UNMNT || ns_override(pptr, idata, req_uid)) {
++        	if (idata->flags & PAMNS_DEBUG)
++        	    pam_syslog(idata->pamh, LOG_DEBUG,
+ 			"Overriding poly for user %d for dir %s",
+ 			idata->uid, pptr->dir);
++	    } else {
++        	if (idata->flags & PAMNS_DEBUG)
++            	    pam_syslog(idata->pamh, LOG_DEBUG,
++			"Need unmount ns for user %d for dir %s",
++			idata->uid, pptr->dir);
++		need_poly = 1;
++		break;
++	    }
+             continue;
+         } else {
+             if (idata->flags & PAMNS_DEBUG)
+@@ -1057,15 +1083,20 @@
+      * call ns_setup to setup polyinstantiation for a particular entry.
+      */
+     for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
+-        if (ns_override(pptr, idata))
+-            continue;
+-        else {
+-            if (idata->flags & PAMNS_DEBUG)
++	enum unmnt_op dir_unmnt = unmnt;
++        if (ns_override(pptr, idata, idata->uid)) {
++    	    if (unmnt == NO_UNMNT || ns_override(pptr, idata, req_uid)) {
++    		continue;
++	    } else {
++		dir_unmnt = UNMNT_ONLY;
++	    }
++	}
++	if (idata->flags & PAMNS_DEBUG)
+                 pam_syslog(idata->pamh, LOG_DEBUG,
+ 			"Setting poly ns for user %d for dir %s",
+                       idata->uid, pptr->dir);
+ 
+-            if ((unmnt == UNMNT_REMNT) || (unmnt == UNMNT_ONLY)) {
++	if ((dir_unmnt == UNMNT_REMNT) || (dir_unmnt == UNMNT_ONLY)) {
+                 /*
+                  * Check to see if process current directory is in the
+                  * bind mounted instance_parent directory that we are trying to
+@@ -1105,13 +1136,12 @@
+                 } else if (idata->flags & PAMNS_DEBUG)
+                     pam_syslog(idata->pamh, LOG_DEBUG, "Umount succeeded %s",
+ 				pptr->dir);
+-            }
++	}
+ 
+-	    if (unmnt != UNMNT_ONLY) {
++	if (dir_unmnt != UNMNT_ONLY) {
+                 retval = ns_setup(pptr, idata);
+                 if (retval != PAM_SUCCESS)
+                      break;
+-	    }
+         }
+     }
+ 
+@@ -1138,7 +1168,7 @@
+      * appropriate polyinstantiated instance directories.
+      */
+     for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
+-        if (ns_override(pptr, idata))
++        if (ns_override(pptr, idata, idata->uid))
+             continue;
+         else {
+             if (idata->flags & PAMNS_DEBUG)

pam.spec

@@ -10,8 +10,8 @@
 
 Summary: A security tool which provides authentication for applications
 Name: pam
-Version: 0.99.7.0
+Version: 0.99.7.1
-Release: 2%{?dist}
+Release: 1%{?dist}
 License: GPL or BSD
 Group: System Environment/Base
 Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@@ -25,9 +25,7 @@ Source8: dlopen.sh
 Source9: system-auth.5
 Source10: config-util.5
 Patch1:  pam-0.99.7.0-redhat-modules.patch
-Patch2:  pam-0.99.7.0-selinux-build.patch
 Patch21: pam-0.78-unix-hpux-aging.patch
-Patch22: pam-0.99.7.0-unix-minsalt.patch
 Patch34: pam-0.99.7.0-dbpam.patch
 Patch70: pam-0.99.2.1-selinux-nofail.patch
 Patch80: pam-0.99.6.2-selinux-drop-multiple.patch
@@ -38,6 +36,7 @@ Patch86: pam-0.99.7.0-namespace-no-unmount.patch
 Patch87: pam-0.99.6.2-namespace-preserve-uid.patch
 Patch92: pam-0.99.6.2-selinux-select-context.patch
 Patch93: pam-0.99.7.0-namespace-level.patch
+Patch94: pam-0.99.7.0-namespace-unmnt-override.patch
 Patch95: pam-0.99.6.2-selinux-use-current-range.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -92,9 +91,7 @@ cp %{SOURCE6} .
 cp %{SOURCE7} .
 
 %patch1 -p1 -b .redhat-modules
-%patch2 -p1 -b .build
 %patch21 -p1 -b .unix-hpux-aging
-%patch22 -p1 -b .minsalt
 %patch34 -p1 -b .dbpam
 %patch70 -p1 -b .nofail
 %patch80 -p1 -b .drop-multiple
@@ -105,6 +102,7 @@ cp %{SOURCE7} .
 %patch87 -p1 -b .preserve-uid
 %patch92 -p1 -b .select-context
 %patch93 -p1 -b .level
+%patch94 -p1 -b .unmnt-override
 %patch95 -p1 -b .range
 autoreconf
 
@@ -397,9 +395,13 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Wed Jan 24 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-1
+- upgrade to new upstream version resolving CVE-2007-0003
+- pam_namespace: unmount poly dir for override users
+
 * Mon Jan 22 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.0-2
 - add back min salt length requirement which was erroneously removed
-  upstream
+  upstream (CVE-2007-0003)
 
 * Fri Jan 19 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.0-1
 - upgrade to new upstream version

sources

@@ -1,3 +1,3 @@
 b0f1c777708cb8e9d37fb47e7ed3312d  db-4.5.20.tar.gz
-e4c9e503ac6af0efdd6031a46bdf506f  Linux-PAM-0.99.7.0.tar.bz2
 66845048120c71205bd3363264f2bfe7  pam-redhat-0.99.7-1.tar.bz2
+385458dfb4633071594e255a6ebec9da  Linux-PAM-0.99.7.1.tar.bz2