Date: Tuesday, November 24, 2020 @ 19:04:33 Author: anthraxx Revision: 401836
upgpkg: pam 1.5.0-2: backport security fix fox CVE-2020-27780 - adding soname provides - adding a transitive dependency Modified: pam/trunk/PKGBUILD Deleted: pam/trunk/0e9b286afe1224b91ff00936058b084ad4b776e4.patch pam/trunk/395915dae1571e10e2766c999974de864655ea3a.patch pam/trunk/af0faf666c5008e54dfe43684f210e3581ff1bca.patch pam/trunk/other ------------------------------------------------+ 0e9b286afe1224b91ff00936058b084ad4b776e4.patch | 31 -------- 395915dae1571e10e2766c999974de864655ea3a.patch | 47 ------------ PKGBUILD | 21 ++--- af0faf666c5008e54dfe43684f210e3581ff1bca.patch | 85 ----------------------- other | 5 - 5 files changed, 11 insertions(+), 178 deletions(-) Deleted: 0e9b286afe1224b91ff00936058b084ad4b776e4.patch =================================================================== --- 0e9b286afe1224b91ff00936058b084ad4b776e4.patch 2020-11-24 18:02:37 UTC (rev 401835) +++ 0e9b286afe1224b91ff00936058b084ad4b776e4.patch 2020-11-24 19:04:33 UTC (rev 401836) @@ -1,31 +0,0 @@ -From 0e9b286afe1224b91ff00936058b084ad4b776e4 Mon Sep 17 00:00:00 2001 -From: ikerexxe <ipedr...@redhat.com> -Date: Tue, 16 Jun 2020 14:44:04 +0200 -Subject: [PATCH] pam_usertype: avoid determining if user exists - -Taking a look at the time for the password prompt to appear it was -possible to determine if a user existed in a system. Solved it by -matching the runtime until the password prompt was shown by always -checking the password hash for an existing and a non-existing user. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598 ---- - modules/pam_usertype/pam_usertype.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/modules/pam_usertype/pam_usertype.c b/modules/pam_usertype/pam_usertype.c -index 2807c306..d03b73b5 100644 ---- a/modules/pam_usertype/pam_usertype.c -+++ b/modules/pam_usertype/pam_usertype.c -@@ -139,8 +139,11 @@ pam_usertype_get_uid(struct pam_usertype_opts *opts, - "error retrieving information about user %s", username); - } - -+ pam_modutil_getpwnam(pamh, "root"); -+ - return PAM_USER_UNKNOWN; - } -+ pam_modutil_getpwnam(pamh, "pam_usertype_non_existent:"); - - *_uid = pwd->pw_uid; - Deleted: 395915dae1571e10e2766c999974de864655ea3a.patch =================================================================== --- 395915dae1571e10e2766c999974de864655ea3a.patch 2020-11-24 18:02:37 UTC (rev 401835) +++ 395915dae1571e10e2766c999974de864655ea3a.patch 2020-11-24 19:04:33 UTC (rev 401836) @@ -1,47 +0,0 @@ -From 395915dae1571e10e2766c999974de864655ea3a Mon Sep 17 00:00:00 2001 -From: ikerexxe <ipedr...@redhat.com> -Date: Mon, 15 Jun 2020 09:52:11 +0200 -Subject: [PATCH] pam_faillock: change /run/faillock/$USER permissions to 0660 - -Nowadays, /run/faillock/$USER files have user:root ownership and 0600 -permissions. This forces the process that writes to these files to have -CAP_DAC_OVERRIDE capabilites. Just by changing the permissions to 0660 -the capability can be removed, which leads to a more secure system. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1661822 ---- - modules/pam_faillock/faillock.c | 14 +++++++++++++- - 1 file changed, 13 insertions(+), 1 deletion(-) - -diff --git a/modules/pam_faillock/faillock.c b/modules/pam_faillock/faillock.c -index e492f5f9..4ea94cbe 100644 ---- a/modules/pam_faillock/faillock.c -+++ b/modules/pam_faillock/faillock.c -@@ -76,7 +76,7 @@ open_tally (const char *dir, const char *user, uid_t uid, int create) - flags |= O_CREAT; - } - -- fd = open(path, flags, 0600); -+ fd = open(path, flags, 0660); - - free(path); - -@@ -88,6 +88,18 @@ open_tally (const char *dir, const char *user, uid_t uid, int create) - if (st.st_uid != uid) { - ignore_return(fchown(fd, uid, -1)); - } -+ -+ /* -+ * If umask is set to 022, as will probably in most systems, then the -+ * group will not be able to write to the file. So, change the file -+ * permissions just in case. -+ * Note: owners of this file are user:root, so if the permissions are -+ * not changed the root process writing to this file will require -+ * CAP_DAC_OVERRIDE. -+ */ -+ if (!(st.st_mode & S_IWGRP)) { -+ ignore_return(fchmod(fd, 0660)); -+ } - } - } - Modified: PKGBUILD =================================================================== --- PKGBUILD 2020-11-24 18:02:37 UTC (rev 401835) +++ PKGBUILD 2020-11-24 19:04:33 UTC (rev 401836) @@ -3,19 +3,17 @@ pkgname=pam pkgver=1.5.0 -pkgrel=1 +pkgrel=2 pkgdesc="PAM (Pluggable Authentication Modules) library" arch=('x86_64') license=('GPL2') url="http://linux-pam.org"; -depends=('glibc' 'libtirpc' 'pambase' 'audit') +depends=('glibc' 'libtirpc' 'pambase' 'audit' 'libaudit.so' 'libxcrypt' 'libcrypt.so') makedepends=('flex' 'w3m' 'docbook-xml>=4.4' 'docbook-xsl') +provides=('libpam.so' 'libpamc.so' 'libpam_misc.so') backup=(etc/security/{access.conf,faillock.conf,group.conf,limits.conf,namespace.conf,namespace.init,pam_env.conf,time.conf} etc/environment) -source=(https://github.com/linux-pam/linux-pam/releases/download/v$pkgver/Linux-PAM-$pkgver.tar.xz - https://github.com/linux-pam/linux-pam/releases/download/v$pkgver/Linux-PAM-$pkgver.tar.xz.asc - 395915dae1571e10e2766c999974de864655ea3a.patch - af0faf666c5008e54dfe43684f210e3581ff1bca.patch - 0e9b286afe1224b91ff00936058b084ad4b776e4.patch +source=(https://github.com/linux-pam/linux-pam/releases/download/v$pkgver/Linux-PAM-$pkgver.tar.xz{,.asc} + CVE-2020-27780.patch::https://github.com/linux-pam/linux-pam/commit/30fdfb90d9864bcc254a62760aaa149d373fd4eb.patch $pkgname.tmpfiles) validpgpkeys=( '8C6BFD92EE0F42EDF91A6A736D1A7F052E5924BB' # Thorsten Kukuk @@ -24,13 +22,16 @@ sha256sums=('02d39854b508fae9dc713f7733bbcdadbe17b50de965aedddd65bcb6cc7852c8' 'SKIP' - 'cd2440d7bec55fa91e499060c0bf248f4fd20e7a0ef613eb7a06ee083f7ce21b' - 'ac3e1d307756f5975587a7846500414c02d2b60acb271017b9c7aa6f47c89875' - '68f81b67dde5ee6003524b6b14e2d6f27edcfc0a2bde4c55a1cacbc6e299c207' + 'b785b637e4bf4c0a1601c296b562ee2eed09916cc589dc4021fa1abc6c5394c8' '5631f224e90c4f0459361c2a5b250112e3a91ba849754bb6f67d69d683a2e5ac') options=('!emptydirs') +prepare() { + cd Linux-PAM-$pkgver + patch -Np1 < ../CVE-2020-27780.patch +} + build() { cd Linux-PAM-$pkgver ./configure --libdir=/usr/lib --sbindir=/usr/bin --disable-db Deleted: af0faf666c5008e54dfe43684f210e3581ff1bca.patch =================================================================== --- af0faf666c5008e54dfe43684f210e3581ff1bca.patch 2020-11-24 18:02:37 UTC (rev 401835) +++ af0faf666c5008e54dfe43684f210e3581ff1bca.patch 2020-11-24 19:04:33 UTC (rev 401836) @@ -1,85 +0,0 @@ -From af0faf666c5008e54dfe43684f210e3581ff1bca Mon Sep 17 00:00:00 2001 -From: ikerexxe <ipedr...@redhat.com> -Date: Tue, 16 Jun 2020 14:32:36 +0200 -Subject: [PATCH] pam_unix: avoid determining if user exists - -Taking a look at the time for the password prompt to appear it was -possible to determine if a user existed in a system. Solved it by -matching the runtime until the password prompt was shown by always -checking the password hash for an existing and a non-existing user. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598 ---- - modules/pam_unix/passverify.c | 6 ++++++ - modules/pam_unix/support.c | 33 ++++++++++++++++++++++++++------- - 2 files changed, 32 insertions(+), 7 deletions(-) - -diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c -index a571b4f7..7455eae6 100644 ---- a/modules/pam_unix/passverify.c -+++ b/modules/pam_unix/passverify.c -@@ -1096,6 +1096,12 @@ helper_verify_password(const char *name, const char *p, int nullok) - if (pwd == NULL || hash == NULL) { - helper_log_err(LOG_NOTICE, "check pass; user unknown"); - retval = PAM_USER_UNKNOWN; -+ } else if (p[0] == '\0' && nullok) { -+ if (hash[0] == '\0') { -+ retval = PAM_SUCCESS; -+ } else { -+ retval = PAM_AUTH_ERR; -+ } - } else { - retval = verify_pwd_hash(p, hash, nullok); - } -diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c -index 41db1f04..dc67238c 100644 ---- a/modules/pam_unix/support.c -+++ b/modules/pam_unix/support.c -@@ -601,6 +601,8 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name - char *salt = NULL; - int daysleft; - int retval; -+ int execloop = 1; -+ int nonexistent = 1; - - D(("called")); - -@@ -624,14 +626,31 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name - - /* UNIX passwords area */ - -- retval = get_pwd_hash(pamh, name, &pwd, &salt); -+ /* -+ * Execute this loop twice: one checking the password hash of an existing -+ * user and another one for a non-existing user. This way the runtimes -+ * are equal, making it more difficult to differentiate existing from -+ * non-existing users. -+ */ -+ while (execloop) { -+ retval = get_pwd_hash(pamh, name, &pwd, &salt); - -- if (retval == PAM_UNIX_RUN_HELPER) { -- /* salt will not be set here so we can return immediately */ -- if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS) -- return 1; -- else -- return 0; -+ if (retval == PAM_UNIX_RUN_HELPER) { -+ execloop = 0; -+ if(nonexistent) { -+ get_pwd_hash(pamh, "pam_unix_non_existent:", &pwd, &salt); -+ } -+ /* salt will not be set here so we can return immediately */ -+ if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS) -+ return 1; -+ else -+ return 0; -+ } else if (retval == PAM_USER_UNKNOWN) { -+ name = "root"; -+ nonexistent = 0; -+ } else { -+ execloop = 0; -+ } - } - - /* Does this user have a password? */ Deleted: other =================================================================== --- other 2020-11-24 18:02:37 UTC (rev 401835) +++ other 2020-11-24 19:04:33 UTC (rev 401836) @@ -1,5 +0,0 @@ -#%PAM-1.0 -auth required pam_unix.so -account required pam_unix.so -password required pam_unix.so -session required pam_unix.so
