diff --git a/SOURCES/pam-1.5.1-pam-access-resolve-ip.patch b/SOURCES/pam-1.5.1-pam-access-resolve-ip.patch
new file mode 100644
index 0000000..27cbdf5
--- /dev/null
+++ b/SOURCES/pam-1.5.1-pam-access-resolve-ip.patch
@@ -0,0 +1,211 @@
+diff -up Linux-PAM-1.5.1/modules/pam_access/access.conf.5.xml.pam-access-resolve-ip Linux-PAM-1.5.1/modules/pam_access/access.conf.5.xml
+--- Linux-PAM-1.5.1/modules/pam_access/access.conf.5.xml.pam-access-resolve-ip 2020-11-25 17:57:02.000000000 +0100
++++ Linux-PAM-1.5.1/modules/pam_access/access.conf.5.xml 2024-11-21 10:04:58.553127026 +0100
+@@ -226,6 +226,14 @@
+ item and the line will be most probably ignored. For this reason, it is not
+ recommended to put spaces around the ':' characters.
+
++
++ An IPv6 link local host address must contain the interface
++ identifier. IPv6 link local network/netmask is not supported.
++
++
++ Hostnames should be written as Fully-Qualified Host Name (FQHN) to avoid
++ confusion with device names or PAM service names.
++
+
+
+
+diff -up Linux-PAM-1.5.1/modules/pam_access/pam_access.8.xml.pam-access-resolve-ip Linux-PAM-1.5.1/modules/pam_access/pam_access.8.xml
+--- Linux-PAM-1.5.1/modules/pam_access/pam_access.8.xml.pam-access-resolve-ip 2020-11-25 17:57:02.000000000 +0100
++++ Linux-PAM-1.5.1/modules/pam_access/pam_access.8.xml 2024-11-21 10:04:58.553127026 +0100
+@@ -25,11 +25,14 @@
+
+ debug
+
++
++ noaudit
++
+
+ nodefgroup
+
+-
+- noaudit
++
++ nodns
+
+
+ accessfile=file
+@@ -114,7 +117,46 @@
+
+
+
+-
++ nodefgroup
++
++
++
++ User tokens which are not enclosed in parentheses will not be
++ matched against the group database. The backwards compatible default is
++ to try the group database match even for tokens not enclosed
++ in parentheses.
++
++
++
++
++
++
++ nodns
++
++
++
++ Do not try to resolve tokens as hostnames, only IPv4 and IPv6
++ addresses will be resolved. Which means to allow login from a
++ remote host, the IP addresses need to be specified in access.conf.
++
++
++
++
++
++
++ quiet_log
++
++
++
++ Do not log denials with
++ syslog3.
++
++
++
++
++
++
++ fieldsep=separators
+
+
+
+@@ -152,20 +194,6 @@
+
+
+
+-
+-
+-
+-
+-
+-
+-
+- User tokens which are not enclosed in parentheses will not be
+- matched against the group database. The backwards compatible default is
+- to try the group database match even for tokens not enclosed
+- in parentheses.
+-
+-
+-
+
+
+
+diff -up Linux-PAM-1.5.1/modules/pam_access/pam_access.c.pam-access-resolve-ip Linux-PAM-1.5.1/modules/pam_access/pam_access.c
+--- Linux-PAM-1.5.1/modules/pam_access/pam_access.c.pam-access-resolve-ip 2024-11-21 10:04:58.547127010 +0100
++++ Linux-PAM-1.5.1/modules/pam_access/pam_access.c 2024-11-21 10:04:58.553127026 +0100
+@@ -92,6 +92,7 @@ struct login_info {
+ int debug; /* Print debugging messages. */
+ int only_new_group_syntax; /* Only allow group entries of the form "(xyz)" */
+ int noaudit; /* Do not audit denials */
++ int nodns; /* Do not try to resolve tokens as hostnames */
+ const char *fs; /* field separator */
+ const char *sep; /* list-element separator */
+ int from_remote_host; /* If PAM_RHOST was used for from */
+@@ -143,6 +144,8 @@ parse_args(pam_handle_t *pamh, struct lo
+ loginfo->only_new_group_syntax = YES;
+ } else if (strcmp (argv[i], "noaudit") == 0) {
+ loginfo->noaudit = YES;
++ } else if (strcmp (argv[i], "nodns") == 0) {
++ loginfo->nodns = YES;
+ } else {
+ pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]);
+ }
+@@ -700,6 +703,39 @@ string_match (pam_handle_t *pamh, const
+ }
+
+
++static int
++is_device (pam_handle_t *pamh, const char *tok)
++{
++ struct stat st;
++ const char *dev = "/dev/";
++ char *devname;
++
++ devname = malloc (strlen(dev) + strlen (tok) + 1);
++ if (devname == NULL) {
++ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory for device name: %m");
++ /*
++ * We should return an error and abort, but pam_access has no good
++ * error handling.
++ */
++ return NO;
++ }
++
++ char *cp = stpcpy (devname, dev);
++ strcpy (cp, tok);
++
++ if (lstat(devname, &st) != 0)
++ {
++ free (devname);
++ return NO;
++ }
++ free (devname);
++
++ if (S_ISCHR(st.st_mode))
++ return YES;
++
++ return NO;
++}
++
+ /* network_netmask_match - match a string against one token
+ * where string is a hostname or ip (v4,v6) address and tok
+ * represents either a hostname, a single ip (v4,v6) address
+@@ -761,10 +797,42 @@ network_netmask_match (pam_handle_t *pam
+ return NO;
+ }
+ }
++ else if (isipaddr(tok, NULL, NULL) == YES)
++ {
++ if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
++ {
++ if (item->debug)
++ pam_syslog(pamh, LOG_DEBUG, "cannot resolve IP address \"%s\"", tok);
++
++ return NO;
++ }
++ netmask_ptr = NULL;
++ }
++ else if (item->nodns)
++ {
++ /* Only hostnames are left, which we would need to resolve via DNS */
++ return NO;
++ }
+ else
+ {
++ /* Bail out on X11 Display entries and ttys. */
++ if (tok[0] == ':')
++ {
++ if (item->debug)
++ pam_syslog (pamh, LOG_DEBUG,
++ "network_netmask_match: tok=%s is X11 display", tok);
++ return NO;
++ }
++ if (is_device (pamh, tok))
++ {
++ if (item->debug)
++ pam_syslog (pamh, LOG_DEBUG,
++ "network_netmask_match: tok=%s is a TTY", tok);
++ return NO;
++ }
++
+ /*
+- * It is either an IP address or a hostname.
++ * It is most likely a hostname.
+ * Let getaddrinfo sort everything out
+ */
+ if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
diff --git a/SOURCES/pam-1.5.1-pam-unix-shadow-password.patch b/SOURCES/pam-1.5.1-pam-unix-shadow-password.patch
new file mode 100644
index 0000000..ffdba93
--- /dev/null
+++ b/SOURCES/pam-1.5.1-pam-unix-shadow-password.patch
@@ -0,0 +1,114 @@
+diff -up Linux-PAM-1.5.1/modules/pam_unix/passverify.c.fail1 Linux-PAM-1.5.1/modules/pam_unix/passverify.c
+--- Linux-PAM-1.5.1/modules/pam_unix/passverify.c.fail1 2024-11-04 11:42:51.962791265 +0100
++++ Linux-PAM-1.5.1/modules/pam_unix/passverify.c 2024-11-04 11:45:18.246218579 +0100
+@@ -239,17 +239,21 @@ PAMH_ARG_DECL(int get_account_info,
+ return PAM_UNIX_RUN_HELPER;
+ #endif
+ } else if (is_pwd_shadowed(*pwd)) {
++#ifdef HELPER_COMPILE
+ /*
+- * ...and shadow password file entry for this user,
++ * shadow password file entry for this user,
+ * if shadowing is enabled
+ */
+-#ifndef HELPER_COMPILE
+- if (geteuid() || SELINUX_ENABLED)
+- return PAM_UNIX_RUN_HELPER;
+-#endif
+- *spwdent = pam_modutil_getspnam(pamh, name);
++ *spwdent = getspnam(name);
+ if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL)
+ return PAM_AUTHINFO_UNAVAIL;
++#else
++ /*
++ * The helper has to be invoked to deal with
++ * the shadow password file entry.
++ */
++ return PAM_UNIX_RUN_HELPER;
++#endif
+ }
+ } else {
+ return PAM_USER_UNKNOWN;
+
+
+From 8d0c575336ad301cd14e16ad2fdec6fe621764b8 Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich
+Date: Thu, 28 Mar 2024 21:58:35 +0000
+Subject: [PATCH] pam_unix: allow empty passwords with non-empty hashes
+
+Before the change pam_unix has different behaviours for a user with
+empty password for these two `/etc/shadow` entries:
+
+ nulloktest:$6$Yy4ty2jJ$bsVQWo8qlXC6UHq1/qTC3UR60ZJKmKApJ3Wj7DreAy8FxlVKtlDnplFQ7jMLVlDqordE7e4t49GvTb.aI59TP0:1::::::
+ nulloktest::1::::::
+
+The entry with a hash was rejected and the entry without was accepted.
+
+The rejection happened because 9e74e90147c "pam_unix: avoid determining
+if user exists" introduced the following rejection check (slightly
+simplified):
+
+ ...
+ } else if (p[0] == '\0' && nullok) {
+ if (hash[0] != '\0') {
+ retval = PAM_AUTH_ERR;
+ }
+
+We should not reject the user with a hash assuming it's non-empty.
+The change does that by pushing empty password check into
+`verify_pwd_hash()`.
+
+`NixOS` generates such hashed entries for empty passwords as if they
+were non-empty using the following perl code:
+
+ sub hashPassword {
+ my ($password) = @_;
+ my $salt = "";
+ my @chars = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
+ $salt .= $chars[rand 64] for (1..8);
+ return crypt($password, '$6$' . $salt . '$');
+ }
+
+Resolves: https://github.com/linux-pam/linux-pam/issues/758
+Fixes: 9e74e90147c "pam_unix: avoid determining if user exists"
+Signed-off-by: Sergei Trofimovich
+---
+ modules/pam_unix/passverify.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index 30045333..1c83f1aa 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -76,9 +76,13 @@ PAMH_ARG_DECL(int verify_pwd_hash,
+
+ strip_hpux_aging(hash);
+ hash_len = strlen(hash);
+- if (!hash_len) {
++
++ if (p && p[0] == '\0' && !nullok) {
++ /* The passed password is empty */
++ retval = PAM_AUTH_ERR;
++ } else if (!hash_len) {
+ /* the stored password is NULL */
+- if (nullok) { /* this means we've succeeded */
++ if (p && p[0] == '\0' && nullok) { /* this means we've succeeded */
+ D(("user has empty password - access granted"));
+ retval = PAM_SUCCESS;
+ } else {
+@@ -1109,12 +1113,6 @@ helper_verify_password(const char *name, const char *p, int nullok)
+ if (pwd == NULL || hash == NULL) {
+ helper_log_err(LOG_NOTICE, "check pass; user unknown");
+ retval = PAM_USER_UNKNOWN;
+- } else if (p[0] == '\0' && nullok) {
+- if (hash[0] == '\0') {
+- retval = PAM_SUCCESS;
+- } else {
+- retval = PAM_AUTH_ERR;
+- }
+ } else {
+ retval = verify_pwd_hash(p, hash, nullok);
+ }
+--
+2.47.0
+
diff --git a/SPECS/pam.spec b/SPECS/pam.spec
index ca7b45f..4e5675d 100644
--- a/SPECS/pam.spec
+++ b/SPECS/pam.spec
@@ -3,7 +3,7 @@
Summary: An extensible library which provides authentication for applications
Name: pam
Version: 1.5.1
-Release: 20%{?dist}
+Release: 22%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+
# - this option is redundant as the BSD license allows that anyway.
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -67,6 +67,11 @@ Patch19: pam-1.5.1-access-handle-hostnames.patch
Patch20: pam-1.5.1-namespace-protect-dir.patch
# https://github.com/linux-pam/linux-pam/commit/ec1fb9ddc6c252d8c61379e9385ca19c036fcb96
Patch21: pam-1.5.1-libpam-support-long-lines.patch
+# https://github.com/linux-pam/linux-pam/commit/b3020da7da384d769f27a8713257fbe1001878be
+# https://github.com/linux-pam/linux-pam/commit/8d0c575336ad301cd14e16ad2fdec6fe621764b8
+Patch22: pam-1.5.1-pam-unix-shadow-password.patch
+# https://github.com/linux-pam/linux-pam/commit/940747f88c16e029b69a74e80a2e94f65cb3e628
+Patch23: pam-1.5.1-pam-access-resolve-ip.patch
%global _pamlibdir %{_libdir}
%global _moduledir %{_libdir}/security
@@ -170,6 +175,8 @@ cp %{SOURCE18} .
%patch19 -p1 -b .access-handle-hostnames
%patch20 -p1 -b .namespace-protect-dir
%patch21 -p1 -b .libpam-support-long-lines
+%patch22 -p1 -b .pam-unix-shadow-password
+%patch23 -p1 -b .pam-access-resolve-ip
autoreconf -i
@@ -425,6 +432,14 @@ done
%doc doc/sag/*.txt doc/sag/html
%changelog
+* Thu Nov 21 2024 Iker Pedrosa - 1.5.1-22
+- pam_access: rework resolving of tokens as hostname.
+ Resolves: CVE-2024-10963 and RHEL-66245
+
+* Wed Nov 6 2024 Diaa Sami - 1.5.1-21
+- pam_unix: always run the helper to obtain shadow password file entries.
+ CVE-2024-10041. Resolves: RHEL-62880
+
* Tue Jun 18 2024 Iker Pedrosa - 1.5.1-20
- libpam: support long lines in service files. Resolves: RHEL-40705