Hello community, here is the log from the commit of package oath-toolkit for openSUSE:Factory checked in at 2018-07-13 10:15:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/oath-toolkit (Old) and /work/SRC/openSUSE:Factory/.oath-toolkit.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "oath-toolkit" Fri Jul 13 10:15:39 2018 rev:5 rq:621209 version:2.6.2 Changes: -------- --- /work/SRC/openSUSE:Factory/oath-toolkit/oath-toolkit.changes 2018-05-25 21:36:38.833417800 +0200 +++ /work/SRC/openSUSE:Factory/.oath-toolkit.new/oath-toolkit.changes 2018-07-13 10:15:45.414056434 +0200 @@ -1,0 +2,6 @@ +Thu Jul 5 17:00:51 UTC 2018 - matthias.gerst...@suse.com + +- Add patch 0003-pam_oath-assign-safe-default-to-alwaysok-config-memb.patch: + - fix potential security issue in low memory situation (bsc#1089114) + +------------------------------------------------------------------- New: ---- 0003-pam_oath-assign-safe-default-to-alwaysok-config-memb.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ oath-toolkit.spec ++++++ --- /var/tmp/diff_new_pack.OqdSm8/_old 2018-07-13 10:15:46.290057468 +0200 +++ /var/tmp/diff_new_pack.OqdSm8/_new 2018-07-13 10:15:46.294057473 +0200 @@ -26,6 +26,7 @@ Source: http://download.savannah.nongnu.org/releases/%{name}/%{name}-%{version}.tar.gz Patch1: 0001-Fix-no-return-in-nonvoid-function-errors-reported-by.patch Patch2: 0002-update_gnulibs_files.patch +Patch3: 0003-pam_oath-assign-safe-default-to-alwaysok-config-memb.patch BuildRequires: bison BuildRequires: gengetopt BuildRequires: libgcrypt-devel @@ -130,6 +131,7 @@ %setup -q %patch1 -p1 %patch2 -p1 +%patch3 -p1 %build autoreconf -fiv ++++++ 0003-pam_oath-assign-safe-default-to-alwaysok-config-memb.patch ++++++ >From 70722be5a76d28df8ebbf8a706c6346c57cebb62 Mon Sep 17 00:00:00 2001 From: Matthias Gerstner <matthias.gerst...@suse.de> Date: Thu, 5 Jul 2018 18:39:48 +0200 Subject: [PATCH] pam_oath: assign safe default to alwaysok config member The way this was before allowed for the PAM authentication to potentially succeed when the first `goto done` line is hit. If the undefined data behind alwaysok is non-zero (which is quite probable) this would happen. In theory a local attacker could try to exhaust memory just enough to hit this spot and get e.g. root access. --- pam_oath/pam_oath.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c index 57fd33c..cfc3331 100644 --- a/pam_oath/pam_oath.c +++ b/pam_oath/pam_oath.c @@ -146,6 +146,8 @@ pam_sm_authenticate (pam_handle_t * pamh, char *query_prompt = NULL; char *onlypasswd = strdup (""); /* empty passwords never match */ + cfg.alwaysok = false; /* make sure this gets a safe default */ + if (!onlypasswd) { retval = PAM_BUF_ERR; -- 2.16.4