Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package pam_u2f for openSUSE:Factory checked in at 2021-05-20 19:25:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pam_u2f (Old) and /work/SRC/openSUSE:Factory/.pam_u2f.new.2988 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam_u2f" Thu May 20 19:25:42 2021 rev:8 rq:894632 version:1.1.1 Changes: -------- --- /work/SRC/openSUSE:Factory/pam_u2f/pam_u2f.changes 2020-10-18 16:35:23.156863737 +0200 +++ /work/SRC/openSUSE:Factory/.pam_u2f.new.2988/pam_u2f.changes 2021-05-20 19:26:14.317652540 +0200 @@ -1,0 +2,10 @@ +Thu May 20 13:04:05 UTC 2021 - Torsten Gruner <t.gru...@katodev.de> + +- Update to version 1.1.1 (released 2021-05-19) + * Fix an issue where PIN authentication could be bypassed (CVE-2021-31924). + * Fix an issue with nodetect and non-resident credentials. + * Fix build issues with musl libc. + * Add support for self-attestation in pamu2fcfg. + * Fix minor bugs found by fuzzing. + +------------------------------------------------------------------- Old: ---- pam_u2f-1.1.0.tar.gz pam_u2f-1.1.0.tar.gz.sig New: ---- pam_u2f-1.1.1.tar.gz pam_u2f-1.1.1.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam_u2f.spec ++++++ --- /var/tmp/diff_new_pack.AMp7N1/_old 2021-05-20 19:26:14.861650308 +0200 +++ /var/tmp/diff_new_pack.AMp7N1/_new 2021-05-20 19:26:14.861650308 +0200 @@ -1,7 +1,7 @@ # # spec file for package pam_u2f # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: pam_u2f -Version: 1.1.0 +Version: 1.1.1 Release: 0 Summary: U2F authentication integration into PAM License: BSD-2-Clause 
@@ -29,7 +29,7 @@ BuildRequires: pam-devel BuildRequires: pkgconfig BuildRequires: pkgconfig(libcrypto) -BuildRequires: pkgconfig(libfido2) +BuildRequires: pkgconfig(libfido2) >= 1.3.0 %description The PAM U2F module provides a way to integrate the Yubikey ++++++ pam_u2f-1.1.0.tar.gz -> pam_u2f-1.1.1.tar.gz ++++++ ++++ 1659 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.1.0/ChangeLog new/pam_u2f-1.1.1/ChangeLog --- old/pam_u2f-1.1.0/ChangeLog 2020-09-17 13:44:44.000000000 +0200 +++ new/pam_u2f-1.1.1/ChangeLog 2021-05-19 12:24:21.000000000 +0200 
@@ -1,3 +1,117 @@ +2021-05-19 Ludvig Michaelsson <ludvig.michaels...@yubico.com> + + * NEWS: Update NEWS file + +2021-05-19 Ludvig Michaelsson <ludvig.michaels...@yubico.com> + + * fuzz/Makefile.am: fuzz: also include helper scripts in tarball + +2021-05-19 Ludvig Michaelsson <ludvig.michaels...@yubico.com> + + * Makefile.am, configure.ac: fuzz: use COMPILER_CLANG conditional to + add subdir Otherwise, the fuzz subdirectory is not included in the tarball + created by `make dist`. If one then tries to build from the tarball + with CC=clang, then `./configure` fails fails with config.status: error: cannot find input file: `fuzz/Makefile.in' + +2021-05-19 pedro martelletto <pe...@yubico.com> + + * util.c: Verify that the UV bit is set If PIN or other forms of user verification are required, check that + the corresponding User Verification (UV) bit is set in the signed + payload obtained from the authenticator. + +2021-05-19 pedro martelletto <pe...@yubico.com> + + * util.c: Handle converse() returning NULL If a PIN is required and converse() returns NULL, abort the + authentication flow instead of reverting to FIDO2 without PIN. + Fixes #175. + +2021-03-16 Ludvig Michaelsson <4864502+l...@users.noreply.github.com> + + * : Merge pull request #174 from Yubico/readme misc: update README, gitignore + +2021-03-11 Ludvig Michaelsson <ludvig.michaels...@yubico.com> + + * README: README: update dependency installation instructions + +2021-01-11 Alessio Di Mauro <a-...@users.noreply.github.com> + + * : Merge pull request #169 from syscll/syscll-patch-1 README: update Authorization Mapping Files link + +2020-12-09 Alessio Di Mauro <ales...@yubico.com> + + * README, configure.ac: Bump minimum required version of libfido2 PR #168 added support for self-attestation in pamu2fcfg which was + introduced in libfido2 v1.3.0. 
+ +2020-12-09 Alessio Di Mauro <ales...@yubico.com> + + * : Merge PR #168 + +2020-12-01 Gabriel Kihlman <g.kihl...@yubico.com> + + * .github/workflows/codeql-analysis.yml: actions: apt update + +2020-10-16 Gabriel Kihlman <g.kihl...@yubico.com> + + * .github/workflows/scan.yml: actions: add xsltproc as dependency + +2020-10-16 Alessio Di Mauro <ales...@yubico.com> + + * : Merge PR #165 + +2020-06-15 Gabriel Kihlman <g.kihl...@yubico.com> + + * .github/workflows/codeql-analysis.yml: actions: CodeQL scanning + +2020-09-29 Alessio Di Mauro <ales...@yubico.com> + + * README, man/pam_u2f.8.txt: Clarify text around SELinux Relates to #152. + +2020-09-28 Alessio Di Mauro <ales...@yubico.com> + + * README, man/pam_u2f.8.txt: Add a note regarding SELinux on man and + README Relates to #152. + +2020-09-22 Gabriel Kihlman <g.kihl...@yubico.com> + + * : Merge pull request #160 from Yubico/fuzz Add fuzzing harness for fuzzing native and ssh formats + +2020-09-22 Alessio Di Mauro <ales...@yubico.com> + + * util.c: Do not error out when nodetect is set and devices are + found + +2020-09-17 Gabriel Kihlman <g.kihl...@yubico.com> + + * .github/workflows/linux_fuzz.yml, .gitignore, + build-aux/ci/fuzz-linux-asan.sh, configure.ac, fuzz/Makefile.am, + fuzz/coverage.sh, fuzz/fuzz_format_parsers.c, fuzz/make_seed.py: + fuzz: add fuzzing harness for the native and ssh formats o builds and fuzzes in a github action flow. 
+ +2020-09-17 Gabriel Kihlman <g.kihl...@yubico.com> + + * : Merge pull request #159 from Yubico/ga Github Actions: build and run tests on linux + +2020-09-17 Alessio Di Mauro <a-...@users.noreply.github.com> + + * : Merge pull request #158 from Yubico/docs docs: cosmetics + +2020-09-17 Gabriel Kihlman <g.kihl...@yubico.com> + + * README: docs: cosmetics + +2020-09-17 Gabriel Kihlman <g.kihl...@yubico.com> + + * util.c: Check that strtok_s succeeded before continuing Avoids a potential segfault found by fuzzing + +2020-09-17 Gabriel Kihlman <g.kihl...@yubico.com> + + * tests/get_devices.c: tests: also free alloced memory before + exiting This makes LeakSanitizer happy + +2020-09-17 Alessio Di Mauro <ales...@yubico.com> + + * NEWS, configure.ac: Bump version + 2020-09-16 Alessio Di Mauro <ales...@yubico.com> * NEWS: Update NEWS file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.1.0/Makefile.am new/pam_u2f-1.1.1/Makefile.am --- old/pam_u2f-1.1.0/Makefile.am 2020-08-14 13:23:27.000000000 +0200 +++ new/pam_u2f-1.1.1/Makefile.am 2021-05-19 11:15:38.000000000 +0200 @@ -2,6 +2,10 @@ SUBDIRS = . pamu2fcfg tests +if COMPILER_CLANG +SUBDIRS += fuzz +endif + ACLOCAL_AMFLAGS = -I m4 AM_CFLAGS = $(CWFLAGS) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.1.0/NEWS new/pam_u2f-1.1.1/NEWS --- old/pam_u2f-1.1.0/NEWS 2020-09-17 13:41:17.000000000 +0200 +++ new/pam_u2f-1.1.1/NEWS 2021-05-19 11:21:11.000000000 +0200 
@@ -1,7 +1,14 @@ -Copyright (c) 2014-2020 Yubico AB - See COPYING +Copyright (c) 2014-2021 Yubico AB - See COPYING pam-u2f NEWS -- History of user-visible changes. -*- outline -*- +* Version 1.1.1 (released 2021-05-19) +** Fix an issue where PIN authentication could be bypassed (CVE-2021-31924). +** Fix an issue with nodetect and non-resident credentials. +** Fix build issues with musl libc. +** Add support for self-attestation in pamu2fcfg. +** Fix minor bugs found by fuzzing. + * Version 1.1.0 (released 2020-09-17) ** Add support to FIDO2 (move from libu2f-host+libu2f-server to libfido2). ** Add support to User Verification diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.1.0/README new/pam_u2f-1.1.1/README --- old/pam_u2f-1.1.0/README 2020-09-16 13:02:13.000000000 +0200 +++ new/pam_u2f-1.1.1/README 2021-05-10 10:34:20.000000000 +0200 @@ -16,10 +16,15 @@ to achieve portability and ease of use. In addition, https://developers.yubico.com/libfido2['libfido2'] (>= -1.2.0) is needed. Versions of this project up to 1.0.8 used -`libu2f-host` and libu2f-server`. +1.3.0) is needed. Versions of this project up to 1.0.8 used +`libu2f-host` and `libu2f-server`. On Ubuntu, the necessary dependencies can be +installed using - Ubuntu: apt install autoconf automake libtool pkg-config libfido2-dev --no-install-recommends +[source] +---- +# apt install --no-install-recommends autoconf automake libtool pkg-config \ + libfido2-dev libpam-dev libssl-dev +---- If you downloaded a tarball, build it as follows. 
@@ -46,10 +51,16 @@ $ cd pam-u2f ---- -`autoconf`, `automake`, `libtool`, and `libpam` must be installed. -`AsciiDoc` and `xsltproc` are used to generate the manpages. - - Ubuntu: apt install autoconf automake libtool libpam-dev libfido2-dev asciidoc xsltproc libxml2-utils docbook-xml --no-install-recommends +`autoconf`, `automake`, `gengetopt`, `libtool`, and `libpam` must be installed. +`AsciiDoc` and `xsltproc` are used to generate the manpages. On Ubuntu, the +necessary dependencies can be installed using + +[source] +---- +# apt install --no-install-recommends autoconf automake libtool gengetopt \ + pkg-config libfido2-dev libpam-dev libssl-dev asciidoc xsltproc \ + libxml2-utils docbook-xml +---- Generate the build system using: @@ -108,7 +119,7 @@ second_keyHandle,second_public_key:...` the default location of the file is $XDG_CONFIG_HOME/Yubico/u2f_keys. If the environment variable is not set, $HOME/.config/Yubico/u2f_keys is used. (more on -<<files,Authorization Mapping Files>>). An individual (per user) file +<<authMappingFiles,Authorization Mapping Files>>). An individual (per user) file may be configured, see <<individualAuth>>. authpending_file=file:: @@ -200,7 +211,7 @@ credentials. Once this option is enabled all credentials will be parsed as SSH. -[[files]] +[[authMappingFiles]] Authorization Mapping Files --------------------------- 
@@ -323,3 +334,29 @@ in the configuration file of the module. If during an authentication attempt a connected device is removed or a new device is plugged in, the authentication restarts from the top of the list. + +SELinux Note +------------ + +Due to an issue with Fedora Linux, and possibly with other +distributions that use SELinux, a system configured with pam-u2f may +end up in a situation where access to the credentials file is denied. +If the `nouserok` option is also set, this will result in a successful +authentication within the module, without using the FIDO +authenticator. + +In order to correctly update the security context the command +`fixfiles onboot` should be used on existing installations + +Moreover, to allow read access to an authfile or directory placed in a +non-standard location, the command + +[source, bash] +---- +# chcon -R -t auth_home_t /path/to/target +---- + +should be used. + +For more information see +https://access.redhat.com/security/cve/CVE-2020-24612[HERE]. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.1.0/b64.c new/pam_u2f-1.1.1/b64.c --- old/pam_u2f-1.1.0/b64.c 2020-08-10 08:50:36.000000000 +0200 +++ new/pam_u2f-1.1.1/b64.c 2021-05-19 08:09:29.000000000 +0200 
@@ -4,6 +4,7 @@ #include <openssl/bio.h> #include <openssl/evp.h> +#include <limits.h> #include <stdint.h> #include <string.h> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.1.0/configure.ac new/pam_u2f-1.1.1/configure.ac --- old/pam_u2f-1.1.0/configure.ac 2020-09-17 13:39:54.000000000 +0200 +++ new/pam_u2f-1.1.1/configure.ac 2021-05-19 11:15:38.000000000 +0200 @@ -1,6 +1,6 @@ # Copyright (C) 2014-2019 Yubico AB AC_PREREQ([2.65]) -AC_INIT([pam_u2f], [1.1.0], [https://github.com/Yubico/pam-u2f/issues], +AC_INIT([pam_u2f], [1.1.1], [https://github.com/Yubico/pam-u2f/issues], [pam_u2f], [https://developers.yubico.com/pam-u2f/]) AC_CONFIG_AUX_DIR([build-aux]) @@ -30,6 +30,20 @@ ) AM_CONDITIONAL([ENABLE_MAN], [test "$enable_man" = "yes"]) +AC_CACHE_CHECK([for clang], + _cv_clang,[ + AC_TRY_COMPILE([], [ + #ifdef __clang__ + #else + #error "NOT CLANG" + #endif + return 0; + ], + [_cv_clang=yes], + [_cv_clang=no], + []) +]) +AM_CONDITIONAL([COMPILER_CLANG], [test "$_cv_clang" = yes]) AC_CHECK_HEADERS([security/pam_appl.h], [], [AC_MSG_ERROR([[PAM header files not found, install libpam-dev.]])]) @@ -57,7 +71,7 @@ PKG_CHECK_MODULES([LIBCRYPTO], [libcrypto], [], []) -PKG_CHECK_MODULES([LIBFIDO2], [libfido2 >= 1.2.0], [], []) +PKG_CHECK_MODULES([LIBFIDO2], [libfido2 >= 1.3.0], [], []) # Check for secure_getenv, readpassphrase, explicit_bzero, and memset_s @@ -92,6 +106,7 @@ Makefile pamu2fcfg/Makefile tests/Makefile + fuzz/Makefile ]) creduser=$(whoami) 
@@ -134,7 +149,6 @@ AC_CONFIG_FILES([tests/credentials/new_-V.cred]) AC_CONFIG_FILES([tests/credentials/old_credential.cred]) AC_CONFIG_FILES([tests/credentials/ssh_credential.cred]) - AC_OUTPUT diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.1.0/fuzz/Makefile.am new/pam_u2f-1.1.1/fuzz/Makefile.am --- old/pam_u2f-1.1.0/fuzz/Makefile.am 1970-01-01 01:00:00.000000000 +0100 +++ new/pam_u2f-1.1.1/fuzz/Makefile.am 2021-05-19 11:15:38.000000000 +0200 @@ -0,0 +1,16 @@ +# Copyright (C) 2020 Yubico AB - See COPYING + +AM_CFLAG = ${(WARN_FLAGS) +AM_CPPFLAGS = $(LIBFIDO2_CFLAGS) $(LIBCRYPTO_CFLAGS) -I$(srcdir)/.. +AM_CPPFLAGS+=-fsanitize=fuzzer,address,signed-integer-overflow +AM_CPPFLAGS+=-fno-sanitize-recover=all + +fuzz_format_parsers_SOURCES = fuzz_format_parsers.c + +fuzz_format_parsers_LDADD = -lpam $(LIBFIDO2_LIBS) $(LIBCRYPTO_LIBS) +fuzz_format_parsers_LDFLAGS = -Wl,--wrap=strdup -Wl,--wrap=calloc +fuzz_format_parsers_LDFLAGS+= -fsanitize=fuzzer,address,signed-integer-overflow + +bin_PROGRAMS = fuzz_format_parsers + +EXTRA_DIST = coverage.sh make_seed.py diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.1.0/fuzz/coverage.sh new/pam_u2f-1.1.1/fuzz/coverage.sh --- old/pam_u2f-1.1.0/fuzz/coverage.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/pam_u2f-1.1.1/fuzz/coverage.sh 2021-05-10 10:34:20.000000000 +0200 
@@ -0,0 +1,15 @@ +#!/bin/sh -eux + +make CFLAGS="-fprofile-instr-generate -fcoverage-mapping" V=1 +if [ ! -e "corpus" ]; then + curl --retry 4 -s -o corpus.tgz https://storage.googleapis.com/kroppkaka/corpus/pam-u2f.corpus.tgz + tar xzf corpus.tgz +fi +./fuzz_format_parsers -runs=1 -dump_coverage=1 corpus +llvm-profdata merge -sparse *.profraw -o default.profdata +llvm-cov report -show-functions -instr-profile=default.profdata fuzz_format_parsers ../*.c + +# other report alternatives for convenience: +#llvm-cov report -use-color=false -instr-profile=default.profdata fuzz_format_parsers +#llvm-cov show -format=html -tab-size=8 -instr-profile=default.profdata -output-dir=report fuzz_format_parsers +#llvm-cov show fuzz_format_parsers -instr-profile=default.profdata -name=format -format=html > report.html diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.1.0/fuzz/fuzz_format_parsers.c new/pam_u2f-1.1.1/fuzz/fuzz_format_parsers.c --- old/pam_u2f-1.1.0/fuzz/fuzz_format_parsers.c 1970-01-01 01:00:00.000000000 +0100 +++ new/pam_u2f-1.1.1/fuzz/fuzz_format_parsers.c 2021-05-19 08:09:29.000000000 +0200 
@@ -0,0 +1,123 @@ +/* + * Copyright (C) 2020 Yubico AB - See COPYING + */ +#include <string.h> +#include <stdlib.h> +#include <stdint.h> +#include <stdio.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <unistd.h> + +#include "util.c" +#include "b64.c" + +/* wrap some functions so we can let them fail some times to trigger error + * paths. compile with -Wl,--wrap=strdup -Wl,--wrap=calloc to activate. + * Note: idea taken from libfido2/fuzz/wrap.c + */ +extern char *__wrap_strdup(const char *); +extern char *__real_strdup(const char *); +char *__wrap_strdup(const char *s) { + if (random() < (RAND_MAX / 100) / 4) { // fail 0.25% of the time + errno = ENOMEM; + return NULL; + } + + return __real_strdup(s); +} + +extern void *__wrap_calloc(size_t, size_t); +extern void *__real_calloc(size_t, size_t); +void *__wrap_calloc(size_t nmemb, size_t size) { + if (random() < (RAND_MAX / 100) / 4) { // fail 0.25% of the time + errno = ENOMEM; + return NULL; + } + + return __real_calloc(nmemb, size); +} + +static void cleanup(device_t *devs, unsigned int n_devs) { + for (int i = 0; i < n_devs; i++) { + free(devs[i].keyHandle); + free(devs[i].publicKey); + free(devs[i].coseType); + free(devs[i].attributes); + devs[i].keyHandle = NULL; + devs[i].publicKey = NULL; + devs[i].coseType = NULL; + devs[i].attributes = NULL; + } +} + +#define DEV_MAX_SIZE 10 + +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + char buf[DEVSIZE * DEV_MAX_SIZE]; /* DEVSIZE * cfg.max_size */ + device_t devs[12] = {0}; + unsigned int n_devs = 12; + FILE *fp = NULL; + size_t fp_len = 0; + size_t offset = 0; + char username[256] = {0}; + size_t username_len = 0; + uint8_t ssh_format = 1; + cfg_t cfg = {0}; + cfg.max_devs = DEV_MAX_SIZE; + + /* first 6 byte decides which parser we should call, if + * we want to run with debug and also sets the initial seed + * for random(). 
+ */ + if (size < 6) { + return -1; + } + /* do not always run with debug, only 8/255 times */ + if (data[offset++] < 9) { + cfg.debug = 1; + } + + /* predictable random for this seed */ + srandom(data[offset] << 24 | data[offset + 1] << 16 | data[offset + 2] << 8 | + data[offset + 3]); + offset += 4; + + /* choose which format parser to run, even == native, odd == ssh */ + if (data[offset++] % 2) { + ssh_format = 0; + /* native format, get a random username first */ + if (size < 7) { + return -1; + } + username_len = data[offset++]; + if (username_len > (size - offset)) { + username_len = (size - offset); + } + memcpy(username, &data[offset], username_len); + offset += username_len; + } + + fp_len = size - offset; + fp = tmpfile(); + if (fp == NULL || (fwrite(&data[offset], 1, fp_len, fp)) != fp_len) { + fprintf(stderr, "failed to create file for parser: %s\n", strerror(errno)); + if (fp != NULL) { + fclose(fp); + } + return -1; + } + (void) fseek(fp, 0L, SEEK_SET); + + if (ssh_format) { + parse_ssh_format(&cfg, buf, sizeof(buf), fp, size, devs, &n_devs); + } else { + parse_native_format(&cfg, username, buf, fp, devs, &n_devs); + } + + cleanup(devs, n_devs); + + fclose(fp); + + return 0; +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.1.0/fuzz/make_seed.py new/pam_u2f-1.1.1/fuzz/make_seed.py --- old/pam_u2f-1.1.0/fuzz/make_seed.py 1970-01-01 01:00:00.000000000 +0100 +++ new/pam_u2f-1.1.1/fuzz/make_seed.py 2021-05-10 10:34:20.000000000 +0200 
@@ -0,0 +1,28 @@ +#!/usr/bin/env python3 + +# append the 1 byte the fuzzer needs to decide which format to choose, +# 1 byte for debug or not and then 4 bytes for the srandom() seed. +# run this script and then merge the generated seeds to the corpus. +# Note: this has already been done with the existing corpus. This +# script is included in case new credentials tests are added +# ./make_seed.py +# ./fuzz_format_parsers corpus seed -merge=1 + +import os + +if not os.path.exists("./seed"): + os.mkdir("./seed") + +with os.scandir("../tests/credentials") as entries: + for entry in entries: + if not entry.is_file(): + continue + print(entry.name) + with open("./seed/{}".format(entry.name), "wb") as w: + w.write(bytes([1,1,1,1,1,1])) + with open("../tests/credentials/{}".format(entry.name), "rb") as r: + w.write(r.read()) + with open("./seed/{}.ssh".format(entry.name), "wb") as w: + w.write(bytes([0,1,1,1,1,1])) + with open("../tests/credentials/{}".format(entry.name), "rb") as r: + w.write(r.read()) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.1.0/man/pam_u2f.8 new/pam_u2f-1.1.1/man/pam_u2f.8 --- old/pam_u2f-1.1.0/man/pam_u2f.8 2020-09-17 13:28:34.000000000 +0200 +++ new/pam_u2f-1.1.1/man/pam_u2f.8 2021-05-19 12:24:22.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: pam_u2f .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: Version 1.1.0 +.\" Date: Version 1.1.1 .\" Manual: PAM U2F Module Manual .\" Source: pam-u2f .\" Language: English .\" -.TH "PAM_U2F" "8" "Version 1\&.1\&.0" "pam\-u2f" "PAM U2F Module Manual" +.TH "PAM_U2F" "8" "Version 1\&.1\&.1" "pam\-u2f" "PAM U2F Module Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
@@ -155,11 +155,35 @@ Using pam\-u2f to secure the login to a computer while storing the mapping file in an encrypted home directory, will result in the impossibility of logging into the system\&. The partition is decrypted after login and the mapping file can not be accessed\&. .SH "NOTES" .sp +\fBNodetect\fR +.sp The "nodetect" option should be used with caution\&. pam_u2f checks that a key configured for the user is inserted before performing the full tactile authentication\&. This detection is done by sending a "check\-only" authentication request to all inserted tokens to so see if at least one of them responds affirmatively to one or more of the keyhandles configured for the user\&. By doing this, pam_u2f can avoid emitting the "cue" prompt (if configured), which can cause some confusing UI issues if the cue is emitted followed by the underlying library immediately failing the tactile authentication\&. This option is also useful to avoid an unintended 1\-second delay prior to the tactile authentication caused by versions of libu2f\-host <= 1\&.1\&.5\&. .sp If pam_u2f is configured to "cue" and "nodetect", an attacker can determine that pam_u2f is part of the authentication stack by inserting any random U2F token and performing an authentication attempt\&. In this scenario, the attacker would see the cue message followed by an immediate failure, whereas with detection enabled, the U2F authentication will fail silently\&. Understand that an attacker could choose a U2F token that alerts him or her in some way to the "check\-only" authentication attempt, so this precaution only pushes the issue back a step\&. .sp In summary, the detection feature was added to avoid confusing UI issues and to prevent leaking information about the authentication stack in very specific scenario when "cue" is configured\&. 
The "nodetect" option was added to avoid buggy sleep behavior in older versions of libu2f\-host and for hypothetical tokens that do not tolerate the double authentication\&. Detection is performed, and likewise "nodetect" honored, regardless of whether "cue" is also specified\&. +.sp +\fBSELinux\fR +.sp +Due to an issue with Fedora Linux, and possibly with other distributions that use SELinux, a system configured with pam\-u2f may end up in a situation where access to the credentials file is denied\&. If the nouserok option is also set, this will result in a successful authentication within the module, without using the FIDO authenticator\&. +.sp +In order to correctly update the security context the command \fBfixfiles onboot\fR should be used on existing installations +.sp +Moreover, to allow read access to an authfile or directory placed in a non\-standard location, the command +.sp +.if n \{\ +.RS 4 +.\} +.nf +# chcon \-R \-t auth_home_t /path/to/authfile +.fi +.if n \{\ +.RE +.\} +.sp +should be used\&. +.sp +For more information see https://access\&.redhat\&.com/security/cve/CVE\-2020\-24612\&. .SH "BUGS" .sp Report pam\-u2f bugs in the issue tracker: https://github\&.com/Yubico/pam\-u2f/issues diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.1.0/man/pam_u2f.8.txt new/pam_u2f-1.1.1/man/pam_u2f.8.txt --- old/pam_u2f-1.1.0/man/pam_u2f.8.txt 2020-09-16 13:02:13.000000000 +0200 +++ new/pam_u2f-1.1.1/man/pam_u2f.8.txt 2021-05-10 10:34:20.000000000 +0200 
@@ -141,6 +141,9 @@ after login and the mapping file can not be accessed. == NOTES + +*Nodetect* + The "nodetect" option should be used with caution. pam_u2f checks that a key configured for the user is inserted before performing the full tactile authentication. This detection is done by sending a @@ -172,6 +175,28 @@ likewise "nodetect" honored, regardless of whether "cue" is also specified. +*SELinux* + +Due to an issue with Fedora Linux, and possibly with other +distributions that use SELinux, a system configured with pam-u2f may +end up in a situation where access to the credentials file is denied. +If the `nouserok` option is also set, this will result in a successful +authentication within the module, without using the FIDO +authenticator. + +In order to correctly update the security context the command +*fixfiles onboot* should be used on existing installations + +Moreover, to allow read access to an authfile or directory placed in a +non-standard location, the command + + # chcon -R -t auth_home_t /path/to/authfile + +should be used. + +For more information see +https://access.redhat.com/security/cve/CVE-2020-24612. + == BUGS Report pam-u2f bugs in the issue tracker: https://github.com/Yubico/pam-u2f/issues diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.1.0/man/pamu2fcfg.1 new/pam_u2f-1.1.1/man/pamu2fcfg.1 --- old/pam_u2f-1.1.0/man/pamu2fcfg.1 2020-09-17 13:29:27.000000000 +0200 +++ new/pam_u2f-1.1.1/man/pamu2fcfg.1 2021-05-19 12:24:22.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: pamu2fcfg .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: Version 1.1.0 +.\" Date: Version 1.1.1 .\" Manual: PAM U2F Configuration Tool .\" Source: pamu2fcfg .\" Language: English .\" -.TH "PAMU2FCFG" "1" "Version 1\&.1\&.0" "pamu2fcfg" "PAM U2F Configuration Tool" +.TH "PAMU2FCFG" "1" "Version 1\&.1\&.1" "pamu2fcfg" "PAM U2F Configuration Tool" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.1.0/pamu2fcfg/pamu2fcfg.c new/pam_u2f-1.1.1/pamu2fcfg/pamu2fcfg.c --- old/pam_u2f-1.1.0/pamu2fcfg/pamu2fcfg.c 2020-08-10 09:19:44.000000000 +0200 +++ new/pam_u2f-1.1.1/pamu2fcfg/pamu2fcfg.c 2021-05-19 08:09:29.000000000 +0200 
@@ -285,10 +285,18 @@ exit(EXIT_FAILURE); } - r = fido_cred_verify(cred); - if (r != FIDO_OK) { - fprintf(stderr, "error: fido_cred_verify (%d) %s\n", r, fido_strerr(r)); - exit(EXIT_FAILURE); + if (fido_cred_x5c_ptr(cred) == NULL) { + r = fido_cred_verify_self(cred); + if (r != FIDO_OK) { + fprintf(stderr, "error: fido_cred_verify_self (%d) %s\n", r, fido_strerr(r)); + exit(EXIT_FAILURE); + } + } else { + r = fido_cred_verify(cred); + if (r != FIDO_OK) { + fprintf(stderr, "error: fido_cred_verify (%d) %s\n", r, fido_strerr(r)); + exit(EXIT_FAILURE); + } } kh = fido_cred_id_ptr(cred); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.1.0/tests/get_devices.c new/pam_u2f-1.1.1/tests/get_devices.c --- old/pam_u2f-1.1.0/tests/get_devices.c 2020-08-17 11:36:26.000000000 +0200 +++ new/pam_u2f-1.1.1/tests/get_devices.c 2021-05-19 08:09:29.000000000 +0200 @@ -1186,5 +1186,10 @@ 0); assert(dev[0].old_format == 1); + free(dev[0].coseType); + free(dev[0].attributes); + free(dev[0].keyHandle); + free(dev[0].publicKey); + return 0; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.1.0/util.c new/pam_u2f-1.1.1/util.c --- old/pam_u2f-1.1.0/util.c 2020-08-10 09:19:44.000000000 +0200 +++ new/pam_u2f-1.1.1/util.c 2021-05-19 09:46:21.000000000 +0200 @@ -9,6 +9,7 @@ #include <openssl/ec.h> #include <openssl/obj_mac.h> +#include <limits.h> #include <stdlib.h> #include <fcntl.h> #include <sys/stat.h> 
@@ -203,6 +204,14 @@ s_token = strtok_r(s_credential, ",", &credsaveptr); + if (!s_token) { + if (cfg->debug) { + D(cfg->debug_file, + "Unable to retrieve keyHandle for device %d", i + 1); + } + return retval; + } + if (cfg->debug) { D(cfg->debug_file, "KeyHandle for device number %d: %s", i + 1, s_token); @@ -1114,7 +1123,7 @@ } } - if (kh == NULL && j != 0) + if (j != 0) return (1); else { if (cfg->debug) @@ -1370,8 +1379,13 @@ goto out; } - if (pin_verification == FIDO_OPT_TRUE) + if (pin_verification == FIDO_OPT_TRUE) { pin = converse(pamh, PAM_PROMPT_ECHO_OFF, "Please enter the PIN: "); + if (pin == NULL) { + D(cfg->debug_file, "converse() returned NULL"); + goto out; + } + } if (user_presence == FIDO_OPT_TRUE || user_verification == FIDO_OPT_TRUE) { if (cfg->manual == 0 && cfg->cue && !cued) { @@ -1387,6 +1401,14 @@ pin = NULL; } if (r == FIDO_OK) { + if (pin_verification == FIDO_OPT_TRUE || + user_verification == FIDO_OPT_TRUE) { + r = fido_assert_set_uv(assert, FIDO_OPT_TRUE); + if (r != FIDO_OK) { + D(cfg->debug_file, "Failed to set UV"); + goto out; + } + } r = fido_assert_verify(assert, 0, cose_type, cose_type == COSE_ES256 ? (const void *) es256_pk
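Review bot: the new `fuzz/Makefile.am` assigns `AM_CFLAG = ${(WARN_FLAGS)`, which is misspelled twice: the Automake variable is `AM_CFLAGS`, and `${(WARN_FLAGS)` is not a valid make expansion. Automake does not complain about an unknown variable, so the fuzz target is simply built without the warning flags. The top-level `Makefile.am` in this same diff uses `AM_CFLAGS = $(CWFLAGS)`; use the same line here (or `$(WARN_FLAGS)` if configure.ac actually defines that name, which this diff does not show).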
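Review bot: the seed prefixes written by `fuzz/make_seed.py` do not match how `fuzz_format_parsers.c` consumes the header. The harness reads byte 0 as the debug switch (`data[offset++] < 9`), bytes 1 to 4 as the `srandom()` seed, and then selects the parser from the parity of byte 5 (`if (data[offset++] % 2) { ssh_format = 0; ... }`, odd selects the native parser). Both prefixes `bytes([1,1,1,1,1,1])` and `bytes([0,1,1,1,1,1])` end in an odd byte, so the `.ssh` seed files also drive the native parser and the ssh parser gets no seed at all; only the debug flag is varied, and both values are below 9 so debug is on for every seed. Suggest `bytes([1,1,1,1,1,0])` for the ssh seeds and a corrected script comment, which currently lists the fields in a different order than the harness reads them.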
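Review bot: in `fuzz/fuzz_format_parsers.c`, `cleanup()` loops with `int i` against an `unsigned int n_devs`, which is a sign-compare warning under the flags this project normally builds with; make `i` unsigned. The sizes also disagree: `devs[12]` and `n_devs = 12` while `cfg.max_devs = DEV_MAX_SIZE` (10) and `buf` is sized `DEVSIZE * DEV_MAX_SIZE`, so the harness advertises a capacity of 12 entries to parsers that are configured for 10; derive the array size and `n_devs` from `DEV_MAX_SIZE` so the two cannot drift. The `parse_ssh_format(&cfg, buf, sizeof(buf), fp, size, devs, &n_devs)` call passes `size`, the whole fuzz input, where `fp_len` (`size - offset`) is the number of bytes actually written to `fp`; if that parameter is the file length it is overstated by the header bytes. Finally, `errno` and `ENOMEM` are used in the `__wrap_*` functions but this file never includes `<errno.h>` itself and relies on the `#include "util.c"` pulling it in; include it explicitly.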
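Review bot: `fuzz/coverage.sh` downloads `pam-u2f.corpus.tgz` from a third-party bucket with `curl --retry 4 -s -o corpus.tgz` and extracts it with no integrity check, so whatever that URL serves is unpacked into the build tree. Pin a SHA-256 of the expected tarball and verify it before `tar xzf`, and add `-f` (`--fail`) to the curl invocation so an HTTP error page is not written to `corpus.tgz` and then handed to `tar`. The script is only a developer convenience, but it runs from a GitHub Actions workflow according to the ChangeLog, which is exactly where an unverified download matters.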
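Review bot: in `configure.ac`, the new clang probe uses `AC_TRY_COMPILE`, which Autoconf has marked obsolete for a long time; the supported spelling is `AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [...])], [_cv_clang=yes], [_cv_clang=no])` and it produces the same `COMPILER_CLANG` conditional. The `_cv_clang` cache variable should also carry the package prefix (for example `pam_u2f_cv_clang`) so it does not collide with other cached checks. Adding `fuzz/Makefile` to `AC_CONFIG_FILES` unconditionally while `SUBDIRS += fuzz` stays under `if COMPILER_CLANG` is correct and is what fixes the `make dist` / `CC=clang` failure described in the ChangeLog entry.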
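Review bot: in `pamu2fcfg/pamu2fcfg.c`, the two branches around `fido_cred_x5c_ptr(cred) == NULL` duplicate the error handling; `r = fido_cred_x5c_ptr(cred) == NULL ? fido_cred_verify_self(cred) : fido_cred_verify(cred);` followed by a single `if (r != FIDO_OK)` block is shorter and keeps one error message. A one-line comment stating that a credential without an x5c chain is self-attested, and is therefore checked against its own public key rather than an attestation certificate, would help readers; that distinction is also why the `pkgconfig(libfido2) >= 1.3.0` bump in the spec and `configure.ac` is required, since `fido_cred_verify_self` first appeared in that release.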
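Review bot: in `util.c`, the new `strtok_r` NULL check returns `retval`, but the hunk does not show what `retval` holds at that point; confirm it is still the failure value and not something set earlier in the loop. The PIN hunk calls `D(cfg->debug_file, "converse() returned NULL")` and the UV hunk calls `D(cfg->debug_file, "Failed to set UV")` without the `if (cfg->debug)` guard that the `strtok_r` hunk in this same diff uses; pick one convention. The `fido_assert_set_uv(assert, FIDO_OPT_TRUE)` call placed before `fido_assert_verify` is the substance of the CVE-2021-31924 fix: it makes libfido2 reject an assertion whose signed flags lack the UV bit whenever a PIN or user verification was required, instead of accepting an assertion the authenticator produced without verifying the user. That deserves a regression test alongside `tests/get_devices.c` that feeds an assertion with UV cleared and expects failure. The final hunk is cut off after `es256_pk`, so the rest of the verify call could not be reviewed here. The `if (kh == NULL && j != 0)` to `if (j != 0)` change matches the "nodetect and non-resident credentials" item in NEWS, but nothing in the hunk explains why the `kh == NULL` condition was wrong; a short comment at that site would save the next reader a trip through the history.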