From d95bce4b1469594e3cc26ce8890593aca167c4a8 Mon Sep 17 00:00:00 2001
From: Zhao Hang
Date: Mon, 5 Aug 2024 15:50:25 +0800
Subject: [PATCH] update to pam-1.3.1-34.src.rpm

Signed-off-by: Zhao Hang
---
 dist | 2 +-
 pam-1.3.1-audit-messages-formatting.patch | 33 +++++++++++++++++++++++
 pam.spec | 30 +++++++++++++++------
 3 files changed, 56 insertions(+), 9 deletions(-)
 create mode 100644 pam-1.3.1-audit-messages-formatting.patch

diff --git a/dist b/dist
index 9c0e36e..1fe92cf 100644
--- a/dist
+++ b/dist
@@ -1 +1 @@
-an8
+an8_10
diff --git a/pam-1.3.1-audit-messages-formatting.patch b/pam-1.3.1-audit-messages-formatting.patch
new file mode 100644
index 0000000..e152aa5
--- /dev/null
+++ b/pam-1.3.1-audit-messages-formatting.patch
@@ -0,0 +1,33 @@
+diff -up Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c.audit-messages-formatting Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c
+--- Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c.audit-messages-formatting 2024-03-11 16:21:51.928946604 +0100
++++ Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c 2024-03-11 16:21:51.934946609 +0100
+@@ -334,7 +334,7 @@ check_tally(pam_handle_t *pamh, struct o
+
+ (void)pam_get_item(pamh, PAM_TTY, &tty);
+ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
+- snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
++ snprintf(buf, sizeof(buf), "op=pam_faillock suid=%u ", opts->uid);
+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
+ rhost, NULL, tty, 1);
+ }
+@@ -450,7 +450,7 @@ write_tally(pam_handle_t *pamh, struct o
+ errno == EAFNOSUPPORT))
+ return PAM_SYSTEM_ERR;
+
+- snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
++ snprintf(buf, sizeof(buf), "op=pam_faillock suid=%u ", opts->uid);
+ audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
+ NULL, NULL, NULL, 1);
+
+diff -up Linux-PAM-1.3.1/modules/pam_selinux/pam_selinux.c.audit-messages-formatting Linux-PAM-1.3.1/modules/pam_selinux/pam_selinux.c
+--- Linux-PAM-1.3.1/modules/pam_selinux/pam_selinux.c.audit-messages-formatting 2024-03-11 16:21:51.934946609 +0100
++++ Linux-PAM-1.3.1/modules/pam_selinux/pam_selinux.c 2024-03-11 16:23:24.521025061 +0100
+@@ -106,7 +106,7 @@ int send_audit_message(pam_handle_t *pam
+ pam_syslog(pamh, LOG_ERR, "Error translating selected context.");
+ selected_raw = NULL;
+ }
+- if (asprintf(&msg, "pam: default-context=%s selected-context=%s",
++ if (asprintf(&msg, "op=pam_selinux default-context=%s selected-context=%s",
+ default_raw ? default_raw : (default_context ? default_context : "?"),
+ selected_raw ? selected_raw : (selected_context ? selected_context : "?")) < 0) {
+ pam_syslog(pamh, LOG_ERR, "Error allocating memory.");
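Review bot: Nothing in this patch or in pam.spec warns that audit consumers keyed on the old record text will stop matching: the rewritten strings change `pam_faillock uid=` to `op=pam_faillock suid=` on the AUDIT_RESP_ACCT_UNLOCK_TIMED and AUDIT_ANOM_LOGIN_FAILURES records, and `pam: default-context=` to `op=pam_selinux default-context=` on the pam_selinux user message. That is a detection-visibility regression for lockout and SELinux-context events (ausearch/aureport filters, SIEM parsers), so I would add a comment above each rewritten snprintf/asprintf: `/* Audit key names follow the op=/suid= convention; consumers matching the old "pam_faillock uid=" text must be updated. */`. The two pam_faillock strings also keep the trailing space of the old format; if libaudit inserts its own separator before the fields it appends, that presumably yields a doubled space, which is worth checking against the upstream commits cited in pam.spec. check_tally, write_tally and send_audit_message all start and end outside these hunks.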
diff --git a/pam.spec b/pam.spec
index de5c36b..35f5bcd 100644
--- a/pam.spec
+++ b/pam.spec
@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.3.1
-Release: 28%{?dist}
+Release: 34%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -108,9 +108,11 @@ Patch67: pam-1.3.1-unix-default-rounds.patch
 Patch68: pam-1.3.1-faillock-create-tallydir.patch
 # https://github.com/linux-pam/linux-pam/commit/23393bef92c1e768eda329813d7af55481c6ca9f
 Patch69: pam-1.3.1-access-handle-hostnames.patch
-# Upstream fix for CVE-2024-22365: https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb
+# https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb
 Patch70: pam-1.3.1-namespace-protect-dir.patch
-
+# https://github.com/linux-pam/linux-pam/commit/c85513220c1bd3150e39c6277422d29cfa44acc7
+# https://github.com/linux-pam/linux-pam/commit/1648734a69c31e9ce834da70144ac9a453296807
+Patch71: pam-1.3.1-audit-messages-formatting.patch
 
 %define _pamlibdir %{_libdir}
 %define _moduledir %{_libdir}/security
@@ -229,6 +231,8 @@ cp %{SOURCE18} .
 %patch68 -p1 -b .faillock-create-tallydir
 %patch69 -p1 -b .access-handle-hostnames
 %patch70 -p1 -b .namespace-protect-dir
+%patch71 -p1 -b .audit-messages-formatting
+
 autoreconf -i
 
 %build
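Review bot: The `-`/`+` pair above Patch70 replaces `# Upstream fix for CVE-2024-22365: https://...031bb5a5...` with the bare URL, so the spec's patch list no longer records which patch carries that CVE fix; only the changelog entry added later in this same commit still names it. Patch comments are what auditors and tooling grep when confirming a CVE backport, so I would keep the annotation: `# Upstream fix for CVE-2024-22365: https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb`. The two URLs above Patch71 follow the bare-URL style already used for Patch69, so those are fine as written.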
@@ -481,11 +485,21 @@ done %doc doc/specs/rfc86.0.txt %changelog -* Fri Jun 07 2024 Kai Song - 1.3.1-28 -- Fix CVE-2024-22365 -- pam_access: handle hostnames in access.conf -- pam_faillock: create tallydir before creating tallyfile. -- pam_unix: enable bcrypt. +* Thu Apr 4 2024 Iker Pedrosa - 1.3.1-34 +- fix formatting of audit messages. Resolves: RHEL-28620 + +* Mon Feb 12 2024 Iker Pedrosa - 1.3.1-33 +- pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS + situations. CVE-2024-22365. Resolves: RHEL-21242 + +* Fri Jan 26 2024 Iker Pedrosa - 1.3.1-32 +- pam_access: handle hostnames in access.conf. Resolves: RHEL-3374 + +* Mon Jan 8 2024 Iker Pedrosa - 1.3.1-31 +- pam_faillock: create tallydir before creating tallyfile. Resolves: RHEL-19810 + +* Thu Nov 2 2023 Iker Pedrosa - 1.3.1-30 +- pam_unix: enable bcrypt. Resolves: RHEL-5057 * Mon Jun 26 2023 Iker Pedrosa - 1.3.1-27 - pam_misc: make length of misc_conv() configurable and set to 4096. Resolves: #2209785