This is an automated email from the git hooks/post-receive script.

apo pushed a commit to branch master
in repository libpam4j.

commit 038e3a06fe88fddc9c7709a1cfe2d6d8eb4dfdbd
Author: Markus Koschany <a...@debian.org>
Date:   Tue Nov 7 13:37:40 2017 +0100

    Fix CVE-2017-12197
    
    Closes: #879001
---
 debian/patches/CVE-2017-12197.patch | 27 +++++++++++++++++++++++++++
 debian/patches/series               |  1 +
 2 files changed, 28 insertions(+)

diff --git a/debian/patches/CVE-2017-12197.patch 
b/debian/patches/CVE-2017-12197.patch
new file mode 100644
index 0000000..8462cbe
--- /dev/null
+++ b/debian/patches/CVE-2017-12197.patch
@@ -0,0 +1,27 @@
+From: Markus Koschany <a...@debian.org>
+Date: Tue, 7 Nov 2017 13:25:46 +0100
+Subject: CVE-2017-12197
+
+Reenable the check for pam_acct_mgmt module. It was possible to authenticate
+with an invalid account.
+
+Bug-Debian: https://bugs.debian.org/879001
+Bug-Upstream: https://github.com/kohsuke/libpam4j/issues/18
+Origin: 
https://github.com/letonez/libpam4j/commit/84f32f4001fc6bdcc125ccc959081de022d18b6d
+---
+ src/main/java/org/jvnet/libpam/PAM.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/main/java/org/jvnet/libpam/PAM.java 
b/src/main/java/org/jvnet/libpam/PAM.java
+index dc86f4e..566ca80 100644
+--- a/src/main/java/org/jvnet/libpam/PAM.java
++++ b/src/main/java/org/jvnet/libpam/PAM.java
+@@ -123,7 +123,7 @@ public class PAM {
+             check(libpam.pam_set_item(pht,PAM_USER,username),"pam_set_item 
failed");
+             check(libpam.pam_authenticate(pht,0),"pam_authenticate failed");
+             // several different error code seem to be used to represent 
authentication failures
+-//            check(libpam.pam_acct_mgmt(pht,0),"pam_acct_mgmt failed");
++            check(libpam.pam_acct_mgmt(pht,0),"pam_acct_mgmt failed");
+ 
+             PointerByReference r = new PointerByReference();
+             check(libpam.pam_get_item(pht,PAM_USER,r),"pam_get_item failed");
diff --git a/debian/patches/series b/debian/patches/series
index 9659ca5..4ccfdc5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 01-versioned-lib.patch
+CVE-2017-12197.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-java/libpam4j.git

_______________________________________________
pkg-java-commits mailing list
pkg-java-comm...@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits

Reply via email to