Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package pam_radius.16474 for openSUSE:Leap:15.2:Update checked in at 2021-06-12 00:07:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2:Update/pam_radius.16474 (Old)
 and      /work/SRC/openSUSE:Leap:15.2:Update/.pam_radius.16474.new.32437 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam_radius.16474" Sat Jun 12 00:07:02 2021 rev:1 rq:898526 version:1.4.0 Changes: -------- New Changes file: --- /dev/null 2021-05-27 11:03:55.685848939 +0200 +++ /work/SRC/openSUSE:Leap:15.2:Update/.pam_radius.16474.new.32437/pam_radius.changes 2021-06-12 00:07:02.712270669 +0200 
@@ -0,0 +1,117 @@ +------------------------------------------------------------------- +Tue May 18 13:39:18 UTC 2021 - Wolfgang Engel <[email protected]> + +- Adding patch pam_radius-bufferoverflow-CVE-2015-9542-fix.patch + to fix buffer overflow in password field (CVE-2015-9542) + (bsc#1163933 - VUL-0: CVE-2015-9542: pam_radius: buffer overflow + in password field) + +------------------------------------------------------------------- +Mon Apr 6 04:00:47 UTC 2015 - [email protected] + +- Some spec cleanups + +------------------------------------------------------------------- +Sun Mar 8 23:21:50 UTC 2015 - [email protected] + +- Update to version 1.4.0 + * The entry of the ChangeLog for this version is empty +- Use %configure macro +- Enable parallel build with %{?_smp_mflags} +- Remove obsolete patches + * pam_radius-1.3.16.diff + * pam_radius-md5-ppc-fix.patch +- Use download Url as source +- Remove obsolete AUTHORS section +- Do not copy INSTALL file into the package + +------------------------------------------------------------------- +Fri May 31 17:17:10 UTC 2013 - [email protected] + +- Fix /etc/raddb attributes to avoid conflict with freeradius-server + +------------------------------------------------------------------- +Mon Feb 1 12:20:29 UTC 2010 - [email protected] + +- package baselibs.conf + +------------------------------------------------------------------- +Wed Jun 24 19:33:44 CEST 2009 - [email protected] + +- Supplement pam-32bit/pam-64bit in baselibs.conf (bnc#354164). + +------------------------------------------------------------------- +Thu Apr 10 12:54:45 CEST 2008 - [email protected] + +- added baselibs.conf file to build xxbit packages + for multilib support + +------------------------------------------------------------------- +Wed Feb 27 08:15:10 CET 2008 - [email protected] + +- Fix MD5 support on PPC (360648). 
+ +------------------------------------------------------------------- +Wed May 17 19:13:16 CEST 2006 - [email protected] + +- Use RPM_OPT_FLAGS. +- Fix linking of shared library. + +------------------------------------------------------------------- +Wed Jan 25 21:39:15 CET 2006 - [email protected] + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Fri Jan 16 13:06:06 CET 2004 - [email protected] + +- Add pam-devel to neededforbuild + +------------------------------------------------------------------- +Sun Jan 11 10:08:08 CET 2004 - [email protected] + +- add %defattr + +------------------------------------------------------------------- +Fri Nov 28 06:54:24 CET 2003 - [email protected] + +- update to 1.3.16 + * Added dummy pam_sm_acct_mgmt() function, which is + needed by pppd 2.4 + * Increase the allowed length of user names + +------------------------------------------------------------------- +Mon Aug 18 08:06:00 CEST 2003 - [email protected] + +- packaged /etc/raddb with mode 755 (#29062) + +------------------------------------------------------------------- +Wed Jun 12 07:05:39 CEST 2002 - [email protected] + +- update to version 1.3.15 + * Bug fix: don't try to free() static storage when using + skip_passwd + * Implement retry option +- use %{_lib} for 32/64bit coexistence + +------------------------------------------------------------------- +Tue Sep 18 07:20:09 CEST 2001 - [email protected] + +- update to version 1.3.14: + - Solaris 8 changed their header files for PAM. - Bug fix to work on HURD: Don't use PATH_MAX. 
+ +------------------------------------------------------------------- +Wed May 23 10:40:13 CEST 2001 - [email protected] + +- update to version 1.3.13 + +------------------------------------------------------------------- +Tue Mar 13 14:45:23 CET 2001 - [email protected] + +- update to version 1.3.12 (security fixes) + +------------------------------------------------------------------- +Thu Jan 4 09:32:44 CET 2001 - [email protected] + +- initial package + New: ---- baselibs.conf pam_radius-1.4.0.tar.gz pam_radius-bufferoverflow-CVE-2015-9542-fix.patch pam_radius.changes pam_radius.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam_radius.spec ++++++ # # spec file for package pam_radius # # Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: pam_radius Version: 1.4.0 Release: 0 Summary: A PAM Module for User Authentication using a Radius Server License: GPL-2.0+ Group: Productivity/Security Url: http://freeradius.org/pam_radius_auth/ Source: ftp://ftp.freeradius.org/pub/radius/%{name}-%{version}.tar.gz Source2: baselibs.conf Patch: pam_radius-bufferoverflow-CVE-2015-9542-fix.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: pam-devel Requires: pam %description This is the PAM to RADIUS authentication module. 
It allows any PAM-capable machine to become a RADIUS client for authentication and accounting requests. You will need a RADIUS server to perform the actual authentication. %prep %setup -q %patch -p1 %build %configure export CFLAGS="%{optflags} -fPIC" make %{?_smp_mflags} %install install -d -m 755 %{buildroot}/%{_lib}/security/ install -m 755 pam_radius_auth.so %{buildroot}/%{_lib}/security/ install -d -m 750 %{buildroot}%{_sysconfdir}/raddb/ install -m 600 pam_radius_auth.conf %{buildroot}%{_sysconfdir}/raddb/server %files %defattr(-,root,root) %doc Changelog LICENSE README.rst TODO USAGE index.html pam_radius_auth.conf %attr(750,root,radiusd) %dir %{_sysconfdir}/raddb/ %config(noreplace) %{_sysconfdir}/raddb/server /%{_lib}/security/pam_radius_auth.so %changelog ++++++ baselibs.conf ++++++ pam_radius supplements "packageand(pam_radius:pam-<targettype>)" ++++++ pam_radius-bufferoverflow-CVE-2015-9542-fix.patch ++++++ Index: pam_radius-1.4.0/src/pam_radius_auth.c =================================================================== --- pam_radius-1.4.0.orig/src/pam_radius_auth.c +++ pam_radius-1.4.0/src/pam_radius_auth.c @@ -528,6 +528,9 @@ static void add_password(AUTH_HDR *reque length = MAXPASS; } + memset(hashed + length, 0, sizeof(hashed) - length); + memcpy(hashed, password, length); + if (length == 0) { length = AUTH_PASS_LEN; /* 0 maps to 16 */ } if ((length & (AUTH_PASS_LEN - 1)) != 0) { @@ -535,9 +538,6 @@ static void add_password(AUTH_HDR *reque length &= ~(AUTH_PASS_LEN - 1); /* chop it off */ } /* 16*N maps to itself */ - memset(hashed, 0, length); - memcpy(hashed, password, strlen(password)); - attr = find_attribute(request, PW_PASSWORD); if (type == PW_PASSWORD) {
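Review bot: in the first hunk of pam_radius_auth.c, the added `memset(hashed + length, 0, sizeof(hashed) - length);` and `memcpy(hashed, password, length);` rest on two invariants the hunk does not show: `hashed` must be a fixed-size array of at least MAXPASS bytes (so `sizeof(hashed)` is the buffer size, not a pointer size), and `length` must have been derived from `strlen(password)` above the visible `length = MAXPASS;` clamp, otherwise the memcpy reads past the password's terminator. Because the rounding that follows (`length &= ~(AUTH_PASS_LEN - 1)` after the add) can only grow `length` to the next multiple of 16, `sizeof(hashed)` also has to cover MAXPASS rounded up to AUTH_PASS_LEN. A one-line comment at the memcpy stating these assumptions, or a compile-time check that MAXPASS is a multiple of AUTH_PASS_LEN, would make the fix self-documenting.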
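Review bot: the second hunk removes the actual defect: `memcpy(hashed, password, strlen(password));` ignored the `length = MAXPASS;` clamp and copied the full caller-supplied password into the fixed buffer, and the paired `memset(hashed, 0, length);` only zeroed `length` bytes, so moving the copy ahead of the rounding and zeroing from `length` to `sizeof(hashed)` is the right shape. The patch file itself carries only an `Index:` line; a short header paragraph describing the overflow, the CVE-2015-9542 and bsc#1163933 references already in pam_radius.changes, and the upstream origin of the change would let the next maintainer verify the backport without re-deriving it.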
