Hello community, here is the log from the commit of package pam for openSUSE:11.3 checked in at Tue Oct 25 16:55:03 CEST 2011.
-------- --- old-versions/11.3/all/pam/pam.changes 2010-05-10 14:23:45.000000000 +0200 +++ 11.3/pam/pam.changes 2011-10-25 14:30:04.000000000 +0200 @@ -1,0 +2,8 @@ +Mon Oct 24 10:51:41 CEST 2011 - [email protected] + +- fix possible overflow and DOS in pam_env (bnc#724480) + CVE-2011-3148, CVE-2011-3149 +- fix pam_xauth not checking return value of setuid (bnc#631802) + CVE-2010-3316 + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.3/all/pam Destination is old-versions/11.3/UPDATES/all/pam calling whatdependson for 11.3-i586 New: ---- bug-631802_pam_xauth-unchecked-ret-of-setuid.dif bug-724480_pam_env-fix-dos.patch bug-724480_pam_env-fix-overflow.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam.spec ++++++ --- /var/tmp/diff_new_pack.UuzP9U/_old 2011-10-25 16:39:22.000000000 +0200 +++ /var/tmp/diff_new_pack.UuzP9U/_new 2011-10-25 16:39:22.000000000 +0200 
@@ -1,7 +1,7 @@ # -# spec file for package pam (Version 1.1.1.90) +# spec file for package pam # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -38,7 +38,7 @@ %endif # Version: 1.1.1.90 -Release: 1 +Release: 2.<RELEASE2> Summary: A Security Tool that Provides Authentication for Applications Source: Linux-PAM-%{version}.tar.bz2 Source1: Linux-PAM-%{version}-docs.tar.bz2 @@ -50,7 +50,10 @@ Source7: common-session.pamd Source8: etc.environment Source9: baselibs.conf -Patch: pam_tally-deprecated.diff +Patch0: pam_tally-deprecated.diff +Patch1: bug-724480_pam_env-fix-overflow.patch +Patch2: bug-724480_pam_env-fix-dos.patch +Patch3: bug-631802_pam_xauth-unchecked-ret-of-setuid.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -99,7 +102,10 @@ %prep %setup -q -n Linux-PAM-%{version} -b 1 -%patch -p0 +%patch0 -p0 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build CFLAGS="$RPM_OPT_FLAGS -DNDEBUG" \ ++++++ bug-631802_pam_xauth-unchecked-ret-of-setuid.dif ++++++ Index: Linux-PAM-1.1.1.90/modules/pam_xauth/pam_xauth.c =================================================================== --- Linux-PAM-1.1.1.90.orig/modules/pam_xauth/pam_xauth.c +++ Linux-PAM-1.1.1.90/modules/pam_xauth/pam_xauth.c @@ -87,7 +87,7 @@ static const char * const xauthpaths[] = /* Run a given command (with a NULL-terminated argument list), feeding it the * given input on stdin, and storing any output it generates. */ static int -run_coprocess(const char *input, char **output, +run_coprocess(pam_handle_t *pamh, const char *input, char **output, uid_t uid, gid_t gid, const char *command, ...) { int ipipe[2], opipe[2], i; 
@@ -126,9 +126,26 @@ run_coprocess(const char *input, char ** const char *tmp; int maxopened; /* Drop privileges. */ - setgid(gid); - setgroups(0, NULL); - setuid(uid); + if (setgid(gid) == -1) + { + int err = errno; + pam_syslog (pamh, LOG_ERR, "setgid(%lu) failed: %m", + (unsigned long) getegid ()); + _exit (err); + } + if (setgroups(0, NULL) == -1) + { + int err = errno; + pam_syslog (pamh, LOG_ERR, "setgroups() failed: %m"); + _exit (err); + } + if (setuid(uid) == -1) + { + int err = errno; + pam_syslog (pamh, LOG_ERR, "setuid(%lu) failed: %m", + (unsigned long) geteuid ()); + _exit (err); + } /* Initialize the argument list. */ memset(args, 0, sizeof(args)); /* Set the pipe descriptors up as stdin and stdout, and close @@ -216,7 +233,7 @@ check_acl(pam_handle_t *pamh, char path[PATH_MAX]; struct passwd *pwd; FILE *fp; - int i; + int i, save_errno; uid_t euid; /* Check this user's <sense> file. */ pwd = pam_modutil_getpwnam(pamh, this_user); @@ -236,6 +253,7 @@ check_acl(pam_handle_t *pamh, euid = geteuid(); setfsuid(pwd->pw_uid); fp = fopen(path, "r"); + save_errno = errno; setfsuid(euid); if (fp != NULL) { char buf[LINE_MAX], *tmp; @@ -268,6 +286,7 @@ check_acl(pam_handle_t *pamh, return PAM_PERM_DENIED; } else { /* Default to okay if the file doesn't exist. */ + errno = save_errno; switch (errno) { case ENOENT: if (noent_code == PAM_SUCCESS) { @@ -463,7 +482,7 @@ pam_sm_open_session (pam_handle_t *pamh, xauth, "-f", cookiefile, "nlist", display, (unsigned long) getuid(), (unsigned long) getgid()); } - if (run_coprocess(NULL, &cookie, + if (run_coprocess(pamh, NULL, &cookie, getuid(), getgid(), xauth, "-f", cookiefile, "nlist", display, NULL) == 0) { @@ -521,7 +540,7 @@ pam_sm_open_session (pam_handle_t *pamh, (unsigned long) getuid(), (unsigned long) getgid()); } - run_coprocess(NULL, &cookie, + run_coprocess(pamh, NULL, &cookie, getuid(), getgid(), xauth, "-f", cookiefile, "nlist", t, NULL); 
@@ -669,7 +688,7 @@ pam_sm_open_session (pam_handle_t *pamh, (unsigned long) tpwd->pw_uid, (unsigned long) tpwd->pw_gid); } - run_coprocess(cookie, &tmp, + run_coprocess(pamh, cookie, &tmp, tpwd->pw_uid, tpwd->pw_gid, xauth, "-f", cookiefile, "nmerge", "-", NULL); ++++++ bug-724480_pam_env-fix-dos.patch ++++++ Description: abort when encountering an overflowed environment variable expansion (CVE-2011-3149). Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565 Author: Kees Cook <[email protected]> Index: pam-debian/modules/pam_env/pam_env.c =================================================================== --- pam-debian.orig/modules/pam_env/pam_env.c 2011-10-14 12:47:23.433861595 -0700 +++ pam-debian/modules/pam_env/pam_env.c 2011-10-14 12:47:23.461861963 -0700 @@ -567,6 +567,7 @@ D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); + return PAM_ABORT; } continue; } @@ -628,6 +629,7 @@ D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); + return PAM_ABORT; } } } /* if ('{' != *orig++) */ @@ -639,6 +641,7 @@ D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); pam_syslog(pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); + return PAM_ABORT; } } } /* for (;*orig;) */ ++++++ bug-724480_pam_env-fix-overflow.patch ++++++ Description: correctly count leading whitespace when parsing environment file (CVE-2011-3148). Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469 Author: Kees Cook <[email protected]> Index: pam-debian/modules/pam_env/pam_env.c =================================================================== --- pam-debian.orig/modules/pam_env/pam_env.c 2011-10-14 10:51:30.973701139 -0700 +++ pam-debian/modules/pam_env/pam_env.c 2011-10-14 12:32:25.578188004 -0700 
@@ -287,6 +287,7 @@ char *p = buffer; char *s, *os; int used = 0; + int whitespace; /* loop broken with a 'break' when a non-'\\n' ended line is read */ @@ -309,8 +310,10 @@ /* skip leading spaces --- line may be blank */ - s = p + strspn(p, " \n\t"); + whitespace = strspn(p, " \n\t"); + s = p + whitespace; if (*s && (*s != '#')) { + used += whitespace; os = s; /* continue with "q"... Remember to have fun...
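
Review bot: In the pam_xauth.c hunk at @@ -126,9 +126,26 @@, the setgid and setuid failure messages print getegid() and geteuid(), which are the IDs the child still holds, while the format strings "setgid(%lu) failed" and "setuid(%lu) failed" read as if the number were the argument of the failed call. Log the requested values instead, for example `(unsigned long) gid` and `(unsigned long) uid`, or reword the messages to say the value shown is the current effective ID.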
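
Review bot: In the pam_sm_open_session hunks at @@ -521,7 +540,7 @@ and @@ -669,7 +688,7 @@, the return value of run_coprocess() is still discarded, unlike the call at @@ -463,7 +482,7 @@, which compares it with 0. Now that the child calls _exit() when setgid, setgroups or setuid fails, these two callers should check the result as well and treat a failure as an error rather than ignore it.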
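
Review bot: In the check_acl hunk at @@ -268,6 +286,7 @@, `errno = save_errno;` followed directly by `switch (errno)` writes the global only to read it back. `switch (save_errno)` expresses the same thing and cannot be disturbed by a call added between the two lines later. A one-line comment at the assignment in @@ -236,6 +253,7 @@ saying that the value is saved because the following setfsuid(euid) may change errno would also help the next reader.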
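
Review bot: In bug-724480_pam_env-fix-dos.patch, the three added `return PAM_ABORT;` lines (hunks @@ -567,6 +567,7 @@, @@ -628,6 +629,7 @@ and @@ -639,6 +641,7 @@) all follow the identical "Variable buffer overflow: <%s> + <%s>" message, so the log cannot show which expansion path aborted. Consider making each message distinct, and add a short comment at each site noting that an overlong expansion now aborts the module instead of being logged and skipped, since that is a behaviour change for administrators reading the logs.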
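
Review bot: In bug-724480_pam_env-fix-overflow.patch at @@ -309,8 +310,10 @@, the size_t result of strspn() is stored in the new `int whitespace` and then added to `int used`, an implicit narrowing in code whose purpose is to get a length count right. Declare `whitespace` as size_t, or cast explicitly at the assignment, and add a one-line comment at `used += whitespace;` stating that the skipped leading whitespace has to be counted against the buffer.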
