Fix issues detected by covscan tool
parent
9ba9b6c09d
commit
d335a7441d
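--- /dev/null
+++ b/pam-1.5.1-pam_filter_close_file_after_controlling_tty.patch
@@ -0,0 +1,42 @@
+From ec0e724fe53188c5c762c34ca9db6681c0de01b8 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Thu, 1 Jul 2021 12:14:29 +0200
+Subject: [PATCH] pam_filter: Close file after controlling tty
+
+Failing to check the descriptor value meant that there was a bug in the
+attempt to close the controlling tty. Moreover, this would lead to a
+file descriptor leak as pointed out by the static analyzer tool:
+
+Error: RESOURCE_LEAK (CWE-772): [#def26]
+Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:356: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
+Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:356: var_assign: Assigning: "t" = handle returned from "open("/dev/tty", 2)".
+Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:357: off_by_one: Testing whether handle "t" is strictly greater than zero is suspicious. "t" leaks when it is zero.
+Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:357: remediation: Did you intend to include equality with zero?
+Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:367: leaked_handle: Handle variable "t" going out of scope leaks the handle.
+365| pam_syslog(pamh, LOG_ERR,
+366| "child cannot become new session: %m");
+367|-> return PAM_ABORT;
+368| }
+369|
+
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+---
+modules/pam_filter/pam_filter.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/pam_filter/pam_filter.c b/modules/pam_filter/pam_filter.c
+index 2f0af4fb..6e6def37 100644
+--- a/modules/pam_filter/pam_filter.c
++++ b/modules/pam_filter/pam_filter.c
+@@ -354,7 +354,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
+int t = open("/dev/tty", O_RDWR|O_NOCTTY);
+#else
+int t = open("/dev/tty",O_RDWR);
+- if (t > 0) {
++ if (t >= 0) {
+(void) ioctl(t, TIOCNOTTY, NULL);
+close(t);
+}
+--
+2.31.1
+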
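Review bot: In the pam_filter.c hunk the corrected test `if (t >= 0) {` and the `close(t)` both come after the `#else`, and no `#endif` is visible between the second `open` and the test, so the close may be compiled only for the `#else` variant. If the `#endif` (outside the hunk, as is the opening `#if`) does follow the closing brace, the `O_RDWR|O_NOCTTY` variant still never closes `t`, and the CWE-772 leak the analyzer reported stays in that build. Moving `#endif` to directly after `int t = open("/dev/tty",O_RDWR);` would let both variants share the check and the close. The `(void) ioctl(t, TIOCNOTTY, NULL);` line discards its result on purpose; a short comment such as `/* best effort: a failed detach is ignored */` would record that. set_filter's body starts and ends outside the hunk, so the placement of `#endif` needs confirming against the full file.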
8
pam.spec
8
pam.spec
@ -3,7 +3,7 @@
|
|||||||
Summary: An extensible library which provides authentication for applications
|
Summary: An extensible library which provides authentication for applications
|
||||||
Name: pam
|
Name: pam
|
||||||
Version: 1.5.1
|
Version: 1.5.1
|
||||||
Release: 7%{?dist}
|
Release: 8%{?dist}
|
||||||
# The library is BSD licensed with option to relicense as GPLv2+
|
# The library is BSD licensed with option to relicense as GPLv2+
|
||||||
# - this option is redundant as the BSD license allows that anyway.
|
# - this option is redundant as the BSD license allows that anyway.
|
||||||
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
||||||
@ -29,6 +29,8 @@ Patch2: pam-1.5.0-noflex.patch
|
|||||||
Patch3: pam-1.3.0-unix-nomsg.patch
|
Patch3: pam-1.3.0-unix-nomsg.patch
|
||||||
# https://github.com/linux-pam/linux-pam/pull/368
|
# https://github.com/linux-pam/linux-pam/pull/368
|
||||||
Patch4: https://github.com/linux-pam/linux-pam/pull/368.patch#/pam-1.5.1-no_crypt_checksalt_for_pw_expiration.patch
|
Patch4: https://github.com/linux-pam/linux-pam/pull/368.patch#/pam-1.5.1-no_crypt_checksalt_for_pw_expiration.patch
|
||||||
|
# https://github.com/linux-pam/linux-pam/commit/ec0e724fe53188c5c762c34ca9db6681c0de01b8
|
||||||
|
Patch5: pam-1.5.1-pam_filter_close_file_after_controlling_tty.patch
|
||||||
|
|
||||||
|
|
||||||
%global _pamlibdir %{_libdir}
|
%global _pamlibdir %{_libdir}
|
||||||
@ -114,6 +116,7 @@ cp %{SOURCE18} .
|
|||||||
%patch2 -p1 -b .noflex
|
%patch2 -p1 -b .noflex
|
||||||
%patch3 -p1 -b .nomsg
|
%patch3 -p1 -b .nomsg
|
||||||
%patch4 -p1 -b .no_crypt_checksalt_for_pw_expiration
|
%patch4 -p1 -b .no_crypt_checksalt_for_pw_expiration
|
||||||
|
%patch5 -p1 -b .pam_filter_close_file_after_controlling_tty
|
||||||
|
|
||||||
autoreconf -i
|
autoreconf -i
|
||||||
|
|
||||||
@ -381,6 +384,9 @@ test "$FILE" != %{_sysconfdir}/authselect/fingerprint-auth && \
|
|||||||
exit 0
|
exit 0
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jul 9 2021 Iker Pedrosa <ipedrosa@redhat.com> - 1.5.1-8
|
||||||
|
- Fix issues detected by covscan tool
|
||||||
|
|
||||||
* Thu Jun 10 2021 Björn Esser <besser82@fedoraproject.org> - 1.5.1-7
|
* Thu Jun 10 2021 Björn Esser <besser82@fedoraproject.org> - 1.5.1-7
|
||||||
- Change the default password hash method to yescrypt
|
- Change the default password hash method to yescrypt
|
||||||
|
|
||||||
|