Hello community, here is the log from the commit of package pam_kwallet for openSUSE:Factory checked in at 2018-10-08 17:46:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pam_kwallet (Old) and /work/SRC/openSUSE:Factory/.pam_kwallet.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam_kwallet" Mon Oct 8 17:46:16 2018 rev:37 rq:640309 version:5.14.0 Changes: -------- --- /work/SRC/openSUSE:Factory/pam_kwallet/pam_kwallet.changes 2018-09-05 13:49:13.610325214 +0200 +++ /work/SRC/openSUSE:Factory/.pam_kwallet.new/pam_kwallet.changes 2018-10-08 17:49:24.306179482 +0200 @@ -1,0 +2,31 @@ +Fri Oct 5 10:01:11 UTC 2018 - [email protected] + +- Update to 5.14.0 + * New bugfix release + * For more details please see: + * https://www.kde.org/announcements/plasma-5.14.0.php +- No code changes since 5.13.90 + +------------------------------------------------------------------- +Sat Sep 15 16:25:29 UTC 2018 - [email protected] + +- Add tarball signature and keyring containing keys of release managers + Jonathan Riddell and Bhushan Shah + +------------------------------------------------------------------- +Thu Sep 13 17:25:02 UTC 2018 - [email protected] + +- Update to 5.13.90 + * New feature release + * For more details please see: + * https://www.kde.org/announcements/plasma-5.13.90.php +- Changes since 5.13.5: + * Move remaining salt file operations into unprivileged processes + * Drop privileges when reading the salt file + * Revert "do not search for C++ compiler" + * use pid_t for fork() result + * store string literal in const variable + * do not search for C++ compiler + * use explicit_bzero() if it is present + +------------------------------------------------------------------- Old: ---- kwallet-pam-5.13.5.tar.xz New: ---- kwallet-pam-5.14.0.tar.xz kwallet-pam-5.14.0.tar.xz.sig plasma.keyring ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam_kwallet.spec ++++++ --- /var/tmp/diff_new_pack.0anp9O/_old 2018-10-08 17:49:24.962178645 +0200 +++ /var/tmp/diff_new_pack.0anp9O/_new 2018-10-08 17:49:24.962178645 +0200 @@ -16,15 +16,21 @@ # +%bcond_without lang + Name: pam_kwallet -Version: 5.13.5 +Version: 5.14.0 Release: 0 Summary: A PAM Module for KWallet signing License: LGPL-2.1-only AND GPL-2.0-or-later AND GPL-3.0-only Group: System/GUI/KDE Url: http://www.kde.org/ -Source: http://download.kde.org/stable/plasma/%{version}/kwallet-pam-%{version}.tar.xz -Source1: baselibs.conf +Source: kwallet-pam-%{version}.tar.xz +%if %{with lang} +Source1: kwallet-pam-%{version}.tar.xz.sig +Source2: plasma.keyring +%endif +Source3: baselibs.conf BuildRequires: extra-cmake-modules >= 1.2.0 BuildRequires: kf5-filesystem BuildRequires: libgcrypt-devel >= 1.5.0 ++++++ kwallet-pam-5.13.5.tar.xz -> kwallet-pam-5.14.0.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kwallet-pam-5.13.5/CMakeLists.txt new/kwallet-pam-5.14.0/CMakeLists.txt --- old/kwallet-pam-5.13.5/CMakeLists.txt 2018-09-04 12:12:51.000000000 +0200 +++ new/kwallet-pam-5.14.0/CMakeLists.txt 2018-10-05 19:07:19.000000000 +0200 @@ -1,12 +1,13 @@ project(pam_kwallet) cmake_minimum_required(VERSION 2.8.12) -set(PROJECT_VERSION "5.13.5") +set(PROJECT_VERSION "5.14.0") set(PROJECT_VERSION_MAJOR 5) find_package (ECM 1.2.0 REQUIRED NO_MODULE) set (CMAKE_MODULE_PATH ${ECM_MODULE_PATH} "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules" ) +include(CheckFunctionExists) include(KDEInstallDirs) find_package(PAM REQUIRED) @@ -58,6 +59,14 @@ add_definitions(-DHAVE_PAM_APPL) endif() +set(CMAKE_REQUIRED_INCLUDES "string.h") +check_function_exists(explicit_bzero HAVE_EXPLICIT_BZERO) +set(CMAKE_REQUIRED_INCLUDES) + +if (HAVE_EXPLICIT_BZERO) + add_definitions(-DHAVE_EXPLICIT_BZERO) +endif() + add_library (${library_name} SHARED ${pam_kwallet_SRCS}) set_target_properties (${library_name} PROPERTIES PREFIX "") target_link_libraries (${library_name} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kwallet-pam-5.13.5/pam_kwallet.c new/kwallet-pam-5.14.0/pam_kwallet.c --- old/kwallet-pam-5.13.5/pam_kwallet.c 2018-09-04 12:12:51.000000000 +0200 +++ new/kwallet-pam-5.14.0/pam_kwallet.c 2018-10-05 19:07:19.000000000 +0200 @@ -21,6 +21,7 @@ #include <signal.h> #include <unistd.h> #include <stdlib.h> +#include <string.h> #include <errno.h> #include <grp.h> @@ -177,11 +178,13 @@ return; } - size_t len; + const size_t len = strlen (str); +#if HAVE_EXPLICIT_BZERO + explicit_bzero(str, len); +#else volatile char *vp; /* Defeats some optimizations */ - len = strlen (str); memset (str, 0xAA, len); memset (str, 0xBB, len); @@ -190,6 +193,7 @@ while (*vp) { *(vp++) = 0xAA; } +#endif free (str); } @@ -473,7 +477,7 @@ writtenBytes += result; } - return 0; + return writtenBytes; } static void start_kwallet(pam_handle_t *pamh, struct passwd *userInfo, const char *kwalletKey) @@ -662,7 +666,7 @@ static void createNewSalt(pam_handle_t *pamh, const char *path, struct passwd *userInfo) { - const int pid = fork(); + const pid_t pid = fork(); if (pid == -1) { pam_syslog(pamh, LOG_ERR, "%s: Couldn't fork to create salt file", logPrefix); } else if (pid == 0) { @@ -672,6 +676,14 @@ exit(-1); } + // Don't re-create it if it already exists + struct stat info; + if (stat(path, &info) == 0 && + info.st_size != 0 && + S_ISREG(info.st_mode)) { + exit(0); + } + unlink(path);//in case the file already exists char *dir = strdup(path); @@ -702,6 +714,87 @@ } } +static int readSaltFile(pam_handle_t *pamh, char *path, struct passwd *userInfo, char *saltOut) +{ + int readSaltPipe[2]; + if (pipe(readSaltPipe) < 0) { + pam_syslog(pamh, LOG_ERR, "%s: Couldn't create read salt pipes", logPrefix); + return 0; + } + + const pid_t pid = fork(); + if (pid == -1) { + syslog(LOG_ERR, "%s: Couldn't fork to read salt file", logPrefix); + close(readSaltPipe[0]); + close(readSaltPipe[1]); + return 0; + } else if (pid == 0) { + // Child process + close(readSaltPipe[0]); // we won't be reading from the pipe + if (drop_privileges(userInfo) < 0) { + syslog(LOG_ERR, "%s: could not set gid/uid/euid/egit for salt file reading", logPrefix); + free(path); + close(readSaltPipe[1]); + exit(-1); + } + + struct stat info; + if (stat(path, &info) != 0 || info.st_size == 0 || !S_ISREG(info.st_mode)) { + syslog(LOG_ERR, "%s: Failed to ensure %s looks like a salt file", logPrefix, path); + free(path); + close(readSaltPipe[1]); + exit(-1); + } + + FILE *fd = fopen(path, "r"); + if (fd == NULL) { + syslog(LOG_ERR, "%s: Couldn't open file: %s because: %d-%s", logPrefix, path, errno, strerror(errno)); + free(path); + close(readSaltPipe[1]); + exit(-1); + } + free(path); + char salt[KWALLET_PAM_SALTSIZE] = {}; + const int bytesRead = fread(salt, 1, KWALLET_PAM_SALTSIZE, fd); + fclose(fd); + if (bytesRead != KWALLET_PAM_SALTSIZE) { + syslog(LOG_ERR, "%s: Couldn't read the full salt file contents from file. %d:%d", logPrefix, bytesRead, KWALLET_PAM_SALTSIZE); + exit(-1); + } + + const ssize_t written = better_write(readSaltPipe[1], salt, KWALLET_PAM_SALTSIZE); + + close(readSaltPipe[1]); + if (written != KWALLET_PAM_SALTSIZE) { + syslog(LOG_ERR, "%s: Couldn't write the full salt file contents to pipe", logPrefix); + exit(-1); + } + + exit(0); + } + + close(readSaltPipe[1]); // we won't be writting from the pipe + + // pam process, just wait for child to finish + int status; + waitpid(pid, &status, 0); + int success = 1; + if (status == 0) { + const ssize_t readBytes = read(readSaltPipe[0], saltOut, KWALLET_PAM_SALTSIZE); + if (readBytes != KWALLET_PAM_SALTSIZE) { + pam_syslog(pamh, LOG_ERR, "%s: Couldn't read the full salt file contents from pipe", logPrefix); + success = 0; + } + } else { + pam_syslog(pamh, LOG_ERR, "%s: Couldn't read salt file", logPrefix); + success = 0; + } + + close(readSaltPipe[0]); + + return success; +} + int kwallet_hash(pam_handle_t *pamh, const char *passphrase, struct passwd *userInfo, char *key) { if (!gcry_check_version("1.5.0")) { @@ -716,38 +809,20 @@ } #ifdef KWALLET5 - char *fixpath = "kwalletd/kdewallet.salt"; + const char *fixpath = "kwalletd/kdewallet.salt"; #else - char *fixpath = "share/apps/kwallet/kdewallet.salt"; + const char *fixpath = "share/apps/kwallet/kdewallet.salt"; #endif size_t pathSize = strlen(userInfo->pw_dir) + strlen(kdehome) + strlen(fixpath) + 3;//3 == /, / and \0 char *path = (char*) malloc(pathSize); sprintf(path, "%s/%s/%s", userInfo->pw_dir, kdehome, fixpath); - char *salt = NULL; - if (stat(path, &info) != 0 || info.st_size == 0 || !S_ISREG(info.st_mode)) { - createNewSalt(pamh, path, userInfo); - } + createNewSalt(pamh, path, userInfo); - if (stat(path, &info) != 0 || info.st_size == 0 || !S_ISREG(info.st_mode)) { - syslog(LOG_ERR, "%s: Failed to ensure %s looks like a salt file", logPrefix, path); - free(path); - return 1; - } - - FILE *fd = fopen(path, "r"); - if (fd == NULL) { - syslog(LOG_ERR, "%s: Couldn't open file: %s because: %d-%s", logPrefix, path, errno, strerror(errno)); - free(path); - return 1; - } - salt = (char*) malloc(KWALLET_PAM_SALTSIZE); - memset(salt, '\0', KWALLET_PAM_SALTSIZE); - fread(salt, KWALLET_PAM_SALTSIZE, 1, fd); - fclose(fd); + char salt[KWALLET_PAM_SALTSIZE] = {}; + const int readSaltSuccess = readSaltFile(pamh, path, userInfo, salt); free(path); - - if (salt == NULL) { + if (!readSaltSuccess) { syslog(LOG_ERR, "%s-kwalletd: Couldn't create or read the salt file", logPrefix); return 1; } @@ -774,6 +849,5 @@ salt, KWALLET_PAM_SALTSIZE, KWALLET_PAM_ITERATIONS,KWALLET_PAM_KEYSIZE, key); - free(salt); return (int) error; // gcry_kdf_derive returns 0 on success }
