import UBI pam-1.6.1-8.el10

2025-11-11 21:46:13 +00:00 · 2025-11-11 21:46:13 +00:00 · f30edb86b8
commit f30edb86b8
parent 430af8b206
3 changed files with 1760 additions and 1 deletions
--- a/pam-1.6.1-pam-inline-pam-asprintf.patch
+++ b/pam-1.6.1-pam-inline-pam-asprintf.patch
@ -0,0 +1,94 @@
+From 10b80543807e3fc5af5f8bcfd8bb6e219bb3cecc Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@strace.io>
+Date: Tue, 18 Feb 2025 08:00:00 +0000
+Subject: [PATCH] pam_inline: introduce pam_asprintf(), pam_snprintf(), and
+ pam_sprintf()
+
+pam_asprintf() is essentially asprintf() with the following semantic
+difference: it returns the string itself instead of its length.
+
+pam_snprintf() is essentially snprintf() with the following semantic
+difference: it returns -1 in case of truncation.
+
+pam_sprintf() is essentially snprintf() but with a check that the buffer
+is an array, and with an automatically calculated buffer size.
+
+Use of these helpers would make error checking simpler.
+---
+ libpam/include/pam_cc_compat.h |  6 ++++++
+ libpam/include/pam_inline.h    | 35 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 41 insertions(+)
+
+diff --git a/libpam/include/pam_cc_compat.h b/libpam/include/pam_cc_compat.h
+index 0a6e32d5..af054283 100644
+--- a/libpam/include/pam_cc_compat.h
+++ b/libpam/include/pam_cc_compat.h
+@@ -21,6 +21,12 @@
+ # define PAM_ATTRIBUTE_ALIGNED(arg)	/* empty */
+ #endif
+ 
+#if PAM_GNUC_PREREQ(3, 0)
+# define PAM_ATTRIBUTE_MALLOC		__attribute__((__malloc__))
+#else
+# define PAM_ATTRIBUTE_MALLOC		/* empty */
+#endif
+
+ #if PAM_GNUC_PREREQ(4, 6)
+ # define DIAG_PUSH_IGNORE_CAST_QUAL					\
+ 	_Pragma("GCC diagnostic push");					\
+diff --git a/libpam/include/pam_inline.h b/libpam/include/pam_inline.h
+index cc302248..d79d6fdf 100644
+--- a/libpam/include/pam_inline.h
+++ b/libpam/include/pam_inline.h
+@@ -9,6 +9,8 @@
+ #define PAM_INLINE_H
+ 
+ #include "pam_cc_compat.h"
+#include <stdarg.h>
+#include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
+@@ -145,6 +147,39 @@ pam_drop_response(struct pam_response *reply, int replies)
+ 	free(reply);
+ }
+ 
+static inline char * PAM_FORMAT((printf, 1, 2)) PAM_NONNULL((1)) PAM_ATTRIBUTE_MALLOC
+pam_asprintf(const char *fmt, ...)
+{
+	int rc;
+	char *res;
+	va_list ap;
+
+	va_start(ap, fmt);
+	rc = vasprintf(&res, fmt, ap);
+	va_end(ap);
+
+	return rc < 0 ? NULL : res;
+}
+
+static inline int PAM_FORMAT((printf, 3, 4)) PAM_NONNULL((3))
+pam_snprintf(char *str, size_t size, const char *fmt, ...)
+{
+	int rc;
+	va_list ap;
+
+	va_start(ap, fmt);
+	rc = vsnprintf(str, size, fmt, ap);
+	va_end(ap);
+
+	if (rc < 0 || (unsigned int) rc >= size)
+		return -1;
+	return rc;
+}
+
+#define pam_sprintf(str_, fmt_, ...)						\
+	pam_snprintf((str_), sizeof(str_) + PAM_MUST_BE_ARRAY(str_), (fmt_),	\
+		     ##__VA_ARGS__)
+
+ 
+ static inline int
+ pam_read_passwords(int fd, int npass, char **passwords)
+-- 
+2.50.0
+
--- a/pam-1.6.1-pam-namespace-rebase.patch
+++ b/pam-1.6.1-pam-namespace-rebase.patch
--- a/pam.spec
+++ b/pam.spec
@ -4,7 +4,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.6.1
-Release: 7%{?dist}
+Release: 8%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp and pam_loginuid modules are GPLv2+.
@ -33,6 +33,10 @@ Patch5:  pam-1.6.1-pam-env-econf-read-file-fixes.patch
 Patch6:  pam-1.6.1-pam-access-local.patch
 # https://github.com/linux-pam/linux-pam/commit/940747f88c16e029b69a74e80a2e94f65cb3e628
 Patch7:  pam-1.6.1-pam-access-resolve-ip.patch
+# https://github.com/linux-pam/linux-pam/commit/10b80543807e3fc5af5f8bcfd8bb6e219bb3cecc
+Patch8: pam-1.6.1-pam-inline-pam-asprintf.patch
+# https://github.com/linux-pam/linux-pam/commit/976c20079358d133514568fc7fd95c02df8b5773
+Patch9:  pam-1.6.1-pam-namespace-rebase.patch

 %{load:%{SOURCE3}}

@ -130,6 +134,8 @@ cp %{SOURCE18} .
 %patch -P 5 -p1 -b .pam-env-econf-read-file-fixes
 %patch -P 6 -p1 -b .pam-access-local
 %patch -P 7 -p1 -b .pam-access-resolve-ip
+%patch -P 8 -p1 -b .pam-inline-pam-asprintf
+%patch -P 9 -p1 -b .pam-namespace-rebase

 autoreconf -i

@ -368,6 +374,10 @@ done
 %{_pam_libdir}/libpam_misc.so.%{so_ver}*

 %changelog
+* Tue Jul  1 2025 Iker Pedrosa <ipedrosa@redhat.com> - 1.6.1-8
+- pam_namespace: fix potential privilege escalation.
+  Resolves: CVE-2025-6020 and RHEL-101174
+
 * Thu Nov 21 2024 Iker Pedrosa <ipedrosa@redhat.com> - 1.6.1-7
 - pam_access: rework resolving of tokens as hostname.
  Resolves: CVE-2024-10963 and RHEL-66241