From d335a7441db043d79296e4b0b5dccb75f41e73b5 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa
Date: Fri, 9 Jul 2021 12:12:49 +0200
Subject: [PATCH] Fix issues detected by covscan tool
---
...ter_close_file_after_controlling_tty.patch | 42 +++++++++++++++++++
pam.spec | 8 +++-
2 files changed, 49 insertions(+), 1 deletion(-)
create mode 100644 pam-1.5.1-pam_filter_close_file_after_controlling_tty.patch
diff --git a/pam-1.5.1-pam_filter_close_file_after_controlling_tty.patch b/pam-1.5.1-pam_filter_close_file_after_controlling_tty.patch
new file mode 100644
index 0000000..27af9c4
--- /dev/null
+++ b/pam-1.5.1-pam_filter_close_file_after_controlling_tty.patch
@@ -0,0 +1,42 @@
+From ec0e724fe53188c5c762c34ca9db6681c0de01b8 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa
+Date: Thu, 1 Jul 2021 12:14:29 +0200
+Subject: [PATCH] pam_filter: Close file after controlling tty
+
+Failing to check the descriptor value meant that there was a bug in the
+attempt to close the controlling tty. Moreover, this would lead to a
+file descriptor leak as pointed out by the static analyzer tool:
+
+Error: RESOURCE_LEAK (CWE-772): [#def26]
+Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:356: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
+Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:356: var_assign: Assigning: "t" = handle returned from "open("/dev/tty", 2)".
+Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:357: off_by_one: Testing whether handle "t" is strictly greater than zero is suspicious. "t" leaks when it is zero.
+Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:357: remediation: Did you intend to include equality with zero?
+Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:367: leaked_handle: Handle variable "t" going out of scope leaks the handle.
+ 365| pam_syslog(pamh, LOG_ERR,
+ 366| "child cannot become new session: %m");
+ 367|-> return PAM_ABORT;
+ 368| }
+ 369|
+
+Signed-off-by: Iker Pedrosa
+---
+ modules/pam_filter/pam_filter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/pam_filter/pam_filter.c b/modules/pam_filter/pam_filter.c
+index 2f0af4fb..6e6def37 100644
+--- a/modules/pam_filter/pam_filter.c
++++ b/modules/pam_filter/pam_filter.c
+@@ -354,7 +354,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
+ int t = open("/dev/tty", O_RDWR|O_NOCTTY);
+ #else
+ int t = open("/dev/tty",O_RDWR);
+- if (t > 0) {
++ if (t >= 0) {
+ (void) ioctl(t, TIOCNOTTY, NULL);
+ close(t);
+ }
+--
+2.31.1
+
diff --git a/pam.spec b/pam.spec
index cace185..c6edf8f 100644
--- a/pam.spec
+++ b/pam.spec
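Review bot: In the `#else` branch of set_filter the result of `ioctl(t, TIOCNOTTY, NULL)` is still thrown away by the `(void)` cast, so a filter child that fails to give up its controlling terminal carries on with nothing in the log. Now that descriptor 0 is correctly accepted, the detach attempt is the part that matters, and I would report its failure the way the neighbouring setsid path does: `if (ioctl(t, TIOCNOTTY, NULL) < 0) pam_syslog(pamh, LOG_WARNING, "cannot detach from controlling tty: %m");`. The `t` opened with `O_RDWR|O_NOCTTY` just above the `#else` is tested and closed outside this hunk, so it is worth confirming that branch uses the same `>= 0` comparison. set_filter begins and ends outside the hunk.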
@@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.5.1 -Release: 7%{?dist} +Release: 8%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ # - this option is redundant as the BSD license allows that anyway. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. @@ -29,6 +29,8 @@ Patch2: pam-1.5.0-noflex.patch Patch3: pam-1.3.0-unix-nomsg.patch # https://github.com/linux-pam/linux-pam/pull/368 Patch4: https://github.com/linux-pam/linux-pam/pull/368.patch#/pam-1.5.1-no_crypt_checksalt_for_pw_expiration.patch +# https://github.com/linux-pam/linux-pam/commit/ec0e724fe53188c5c762c34ca9db6681c0de01b8 +Patch5: pam-1.5.1-pam_filter_close_file_after_controlling_tty.patch %global _pamlibdir %{_libdir} @@ -114,6 +116,7 @@ cp %{SOURCE18} . %patch2 -p1 -b .noflex %patch3 -p1 -b .nomsg %patch4 -p1 -b .no_crypt_checksalt_for_pw_expiration +%patch5 -p1 -b .pam_filter_close_file_after_controlling_tty autoreconf -i @@ -381,6 +384,9 @@ test "$FILE" != %{_sysconfdir}/authselect/fingerprint-auth && \ exit 0 %changelog +* Fri Jul 9 2021 Iker Pedrosa - 1.5.1-8 +- Fix issues detected by covscan tool + * Thu Jun 10 2021 Björn Esser - 1.5.1-7 - Change the default password hash method to yescrypt