diff --git a/Linux-PAM-1.5.3.tar.xz b/Linux-PAM-1.5.3.tar.xz deleted file mode 100644 index 30c2aff12635721146cdb96e319b70266b6e10ad..0000000000000000000000000000000000000000 Binary files a/Linux-PAM-1.5.3.tar.xz and /dev/null differ diff --git a/Linux-PAM-1.5.3.tar.xz.asc b/Linux-PAM-1.5.3.tar.xz.asc deleted file mode 100644 index 3b243543f8670bb3d06ee1905b356ab12dbd278e..0000000000000000000000000000000000000000 --- a/Linux-PAM-1.5.3.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIcBAABCgAGBQJkWBFQAAoJEKgEH6g54W42OoMP/R1O9dvpncrR4DfD3yJViTPw -To3isPszsdHhw/uZUzCBEUMxhJgUgefzHGAng1EbTyX2eTLk/cnLY8pZLXr3pzC0 -5CfacxAqgjK8B/7CbchsZQCDal84E5jR8qyzVCM3IPxZQfpiR3HJzXVjhg/gnBcY -L6v7FbLpcdM2keHHT1C/hyQfTnzyIdmwyzRdE1DF3ERbe3/1VlNmANNOacZ1H2T9 -Hs5dVIFiXwOO11Xku42oOo99LCqXyIsRnEogBFCORHNjD7B88lCdJAHssBdvWq5t -/CJnoGtJrVCXs11JVPSNyW0rm24rZH9YCC6yVRIuMq6jjMBawFUlMAqamLoSA3hK -4BPuPqQjHYk/D5H+m0HF2qRDpz76Bj1zdmYofqspeJf4QJOyOpMSXFY3pgsohuKW -P8YQ44cAkmMswFqMSKGi9EVnf6SVXWQFoHJhtlbUgi7ef/4IICrbtgSSE96OGdlg -Sdoplu3n+1HClaYqlHbjkd/m0Hc8QvOjovctb0Zoclnlup+u2JH4rDNqjxFUvkWB -8CeILjebgBrNRqAFDx7fKBEQyHs5FLOtUU1SwBLXXSyMCHuMhr/tKBHcbDgMhpVP -IiIyYGyEGUoIR/er5AgIX9e6/zcQbc8OvY+gTu9t+tw+HIt8hGvUUkuYX8LB1k6r -zf06e/iTT4GL6AhJtbh3 -=2hyW ------END PGP SIGNATURE----- diff --git a/Linux-PAM-1.6.1.tar.xz b/Linux-PAM-1.6.1.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..1c0c11ca8b54c9f7e8834ec98193036284b38e3e Binary files /dev/null and b/Linux-PAM-1.6.1.tar.xz differ diff --git a/Linux-PAM-1.6.1.tar.xz.asc b/Linux-PAM-1.6.1.tar.xz.asc new file mode 100644 index 0000000000000000000000000000000000000000..3e67bc40f1e2167e27427e1e39ee330a0f59aec0 --- /dev/null +++ b/Linux-PAM-1.6.1.tar.xz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJmFWt/AAoJEKgEH6g54W42NCwP/iWl8igdScTreVF6zV79Dqu1 +sl+ZjBr/dL+DOTcotsRnoAZUOy4ug3iktMZr1t0BMpWUorNmUofH4SZuhsX0CgRq +47t5mVqCakwn4JLq8J9cLOciMno6ips5ZT4RbMgzRYd1WcBurCAxQSNLP3aQGgub +RFObkqw5814ksz9Ge6QVhJ4l9P0wUoKfcpkzHj2Vq+cy0EzlBtnBGCHrMDgrz5aT +mXqGVvWTPO+lR2S+7wOLUtPoRv0uvN6h97ZszaoGoJ6wa6yYwOYz12/AiIsVQhet +cnr29ymuwPDqlrYGD1Hb0+ZUQExjVDQY90hdJ/ZntUlK7CY/2SotpDGB9kR8dTYJ +fpIVmR6GEZ+xSjBqa7RaiL8ieZCgT3TIvsMqteiFkqI+2lhlSGHX3g3oNSd3sbqd +PLok6W4L+xWDp89aMyYDDs/ISjBt5sSNK4NOOTZIMK4oeScGJJvrDL3S5DOSk1ku +o3l9N62WStD7fk0LYnyUGZORg/ccK6Yy2fV22zBMm/76PoyA1yHfFxCW+HwwmcqR +0riaFjA8cesZ3Dj79q24U3FRVdW5fTF9gS/5mK/Yj51KMMzTkUmbjksEC/AEBKzB +9laXxPdIeKUwNlGs7Heo/NE87u4OZfyihwpzLaTcOzbpN3zDyH6aH5poDs1FSaQ2 +UoUkHsbCWJU/ksn/9BIQ +=Dbz2 +-----END PGP SIGNATURE----- diff --git a/pam-1.5.3-unix-nomsg.patch b/pam-1.5.3-unix-nomsg.patch new file mode 100644 index 0000000000000000000000000000000000000000..3a8abbb1a77b9b56926d81ba9705d1d20e7d37b3 --- /dev/null +++ b/pam-1.5.3-unix-nomsg.patch @@ -0,0 +1,17 @@ +Index: Linux-PAM-1.5.3/modules/pam_unix/pam_unix_passwd.c +=================================================================== +--- Linux-PAM-1.5.3.orig/modules/pam_unix/pam_unix_passwd.c ++++ Linux-PAM-1.5.3/modules/pam_unix/pam_unix_passwd.c +@@ -678,12 +678,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int + return PAM_SUCCESS; + } else if (off(UNIX__IAMROOT, ctrl) || + (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1))) { +- /* instruct user what is happening */ +- if (off(UNIX__QUIET, ctrl)) { +- retval = pam_info(pamh, _("Changing password for %s."), user); +- if (retval != PAM_SUCCESS) +- return retval; +- } + retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass_old, NULL); + + if (retval != PAM_SUCCESS) { diff --git a/pam-1.6.0-redhat-modules.patch b/pam-1.6.0-redhat-modules.patch new file mode 100644 index 0000000000000000000000000000000000000000..66aa8ff487a3bf4cd676ed021cb56c6a03f61517 
--- /dev/null
+++ b/pam-1.6.0-redhat-modules.patch
@@ -0,0 +1,24 @@
+diff -up Linux-PAM-1.6.0/configure.ac.redhat-modules Linux-PAM-1.6.0/configure.ac
+--- Linux-PAM-1.6.0/configure.ac.redhat-modules 2024-01-23 13:16:34.854753145 +0100
++++ Linux-PAM-1.6.0/configure.ac 2024-01-23 13:17:52.855859922 +0100
+@@ -774,6 +774,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
+ po/Makefile.in \
+ Make.xml.rules \
+ modules/Makefile \
++ modules/pam_chroot/Makefile \
++ modules/pam_postgresok/Makefile \
+ modules/pam_access/Makefile \
+ modules/pam_canonicalize_user/Makefile \
+ modules/pam_debug/Makefile modules/pam_deny/Makefile \
+diff -up Linux-PAM-1.6.0/modules/Makefile.am.redhat-modules Linux-PAM-1.6.0/modules/Makefile.am
+--- Linux-PAM-1.6.0/modules/Makefile.am.redhat-modules 2024-01-17 11:29:36.000000000 +0100
++++ Linux-PAM-1.6.0/modules/Makefile.am 2024-01-23 13:16:34.855753147 +0100
+@@ -48,6 +48,8 @@ SUBDIRS := \
+ pam_debug \
+ pam_deny \
+ pam_echo \
++ pam_chroot \
++ pam_postgresok \
+ pam_env \
+ pam_exec \
+ pam_faildelay \
diff --git a/pam-1.6.1-noflex.patch b/pam-1.6.1-noflex.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fa35dc7108e5050a892b751fda6717436a7f548b
--- /dev/null
+++ b/pam-1.6.1-noflex.patch
@@ -0,0 +1,24 @@
+diff -up Linux-PAM-1.6.1/doc/Makefile.am.noflex Linux-PAM-1.6.1/doc/Makefile.am
+--- Linux-PAM-1.6.1/doc/Makefile.am.noflex 2024-04-09 18:22:59.000000000 +0200
++++ Linux-PAM-1.6.1/doc/Makefile.am 2024-04-10 11:09:39.304086982 +0200
+@@ -2,7 +2,7 @@
+ # Copyright (c) 2005, 2006 Thorsten Kukuk
+ #
+
+-SUBDIRS = man specs sag adg mwg
++SUBDIRS = man sag adg mwg
+
+ CLEANFILES = *~
+ DISTCLEANFILES = custom-html.xsl custom-man.xsl
+diff -up Linux-PAM-1.6.1/Makefile.am.noflex Linux-PAM-1.6.1/Makefile.am
+--- Linux-PAM-1.6.1/Makefile.am.noflex 2024-04-10 11:09:39.304086982 +0200
++++ Linux-PAM-1.6.1/Makefile.am 2024-04-10 11:13:15.057352362 +0200
+@@ -4,7 +4,7 @@
+
+ AUTOMAKE_OPTIONS = 1.9 gnu dist-xz no-dist-gzip check-news
+
+-SUBDIRS = libpam_internal libpam tests libpamc libpam_misc modules po conf \
++SUBDIRS = libpam_internal libpam tests libpamc libpam_misc modules po doc \
+ xtests
+
+ if HAVE_DOC
diff --git a/pam-1.6.1-pam-access-local.patch b/pam-1.6.1-pam-access-local.patch
new file mode 100644
index 0000000000000000000000000000000000000000..89a0d3904ad03e92def1d01593f7833cf6c55073
--- /dev/null
+++ b/pam-1.6.1-pam-access-local.patch
@@ -0,0 +1,119 @@ +From ecaaf4456e5aeacae1acdb1775bb5aadd3b19e13 Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Wed, 16 Oct 2024 12:41:09 +0200 +Subject: [PATCH 1/2] pam_access: always match local address + +* modules/pam_access/pam_access.c: match the local address regardless of + the IP version in use. + +In some circumstances the `localhost` may be translated to IPv4 or IPv6, +but the configuration file only indicated the address for one of the two +versions. Since the originating value is set in `PAM_RHOST` and PAM has +no control over it, let's match the local addresses regardless of the IP +version in use. + +Resolves: https://issues.redhat.com/browse/RHEL-23018 +Signed-off-by: Iker Pedrosa +--- + modules/pam_access/pam_access.c | 30 ++++++++++++++++++++++++++++-- + 1 file changed, 28 insertions(+), 2 deletions(-) + +diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c +index bfbc6d57..48e7c7e9 100644 +--- a/modules/pam_access/pam_access.c ++++ b/modules/pam_access/pam_access.c +@@ -306,6 +306,23 @@ isipaddr (const char *string, int *addr_type, + return is_ip; + } + ++/* is_local_addr - checks if the IP address is local */ ++static int ++is_local_addr (const char *string, int addr_type) ++{ ++ if (addr_type == AF_INET) { ++ if (strcmp(string, "127.0.0.1") == 0) { ++ return YES; ++ } ++ } else if (addr_type == AF_INET6) { ++ if (strcmp(string, "::1") == 0) { ++ return YES; ++ } ++ } ++ ++ return NO; ++} ++ + + /* are_addresses_equal - translate IP address strings to real IP + * addresses and compare them to find out if they are equal. 
+@@ -327,9 +344,18 @@ are_addresses_equal (const char *ipaddr0, const char *ipaddr1, + if (isipaddr (ipaddr1, &addr_type1, &addr1) == NO) + return NO; + +- if (addr_type0 != addr_type1) +- /* different address types */ ++ if (addr_type0 != addr_type1) { ++ /* different address types, but there is still a possibility that they are ++ * both local addresses ++ */ ++ int local1 = is_local_addr(ipaddr0, addr_type0); ++ int local2 = is_local_addr(ipaddr1, addr_type1); ++ ++ if (local1 == YES && local2 == YES) ++ return YES; ++ + return NO; ++ } + + if (netmask != NULL) { + /* Got a netmask, so normalize addresses? */ +-- +2.47.0 + + +From 641dfd1084508c63f3590e93a35b80ffc50774e5 Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Fri, 18 Oct 2024 10:27:07 +0200 +Subject: [PATCH 2/2] pam_access: clarify `LOCAL` keyword behaviour + +* modules/pam_access/access.conf.5.xml: `LOCAL` keyword behaviour + explanation was focused on the development internals. Let's clarify it + by rephrasing it to something a sysadmin can understand. + +Resolves: https://issues.redhat.com/browse/RHEL-39943 +Signed-off-by: Iker Pedrosa +--- + modules/pam_access/access.conf.5.xml | 17 ++++++----------- + 1 file changed, 6 insertions(+), 11 deletions(-) + +diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml +index 35a1a8fe..0b93db00 100644 +--- a/modules/pam_access/access.conf.5.xml ++++ b/modules/pam_access/access.conf.5.xml +@@ -79,17 +79,12 @@ + with network mask (where network mask can be a decimal number or an + internet address also), ALL (which always matches) + or LOCAL. The LOCAL +- keyword matches if and only if +- pam_get_item3, +- when called with an item_type of +- PAM_RHOST, returns NULL or an +- empty string (and therefore the +- origins field is compared against the +- return value of +- pam_get_item3 +- called with an item_type of +- PAM_TTY or, absent that, +- PAM_SERVICE). 
++ keyword matches when the user connects without a network ++ connection (e.g., su, ++ login). A connection through the loopback ++ device (e.g., ssh user@localhost) is ++ considered a network connection, and thus, the ++ LOCAL keyword does not match. + + + +-- +2.47.0 + diff --git a/pam-1.6.1-pam-env-econf-read-file-fixes.patch b/pam-1.6.1-pam-env-econf-read-file-fixes.patch new file mode 100644 index 0000000000000000000000000000000000000000..066358827a4a0b41770c36834fe683679571046d --- /dev/null +++ b/pam-1.6.1-pam-env-econf-read-file-fixes.patch 
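Review bot: `is_local_addr()` in PATCH 1/2 decides loopback by `strcmp` against the literals `"127.0.0.1"` and `"::1"`, so the new cross-family shortcut in `are_addresses_equal()` fires only for those two exact spellings; any other textual form of a loopback address (a long-form `0:0:0:0:0:0:0:1`, or another address in 127.0.0.0/8) falls through to `return NO`. That fails closed, but `isipaddr()` has already parsed both strings into `addr0`/`addr1`, and testing the parsed values would be sturdier than comparing text that, per the commit message, originates from `PAM_RHOST`. The shortcut also returns `YES` before the `netmask` branch is reached, so an access.conf origin of `127.0.0.1` now matches a remote host of `::1` and the reverse, for allow and deny rules alike. I would record the limits in the function comment, e.g. `/* is_local_addr - YES only for the exact strings "127.0.0.1" (AF_INET) or "::1" (AF_INET6) */`. The body of `are_addresses_equal()` continues outside the hunk.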
@@ -0,0 +1,86 @@ +From aabd5314a6d76968c377969b49118a2df3f97003 Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Sun, 19 May 2024 15:00:00 +0000 +Subject: [PATCH 1/2] pam_env: fix NULL dereference on error path in + econf_read_file + +* modules/pam_env/pam_env.c [USE_ECONF] (econf_read_file): Handle NULL +value returned by econf_getStringValue(). + +Resolves: https://github.com/linux-pam/linux-pam/issues/796 +--- + modules/pam_env/pam_env.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c +index 2cc58228..6d39bb24 100644 +--- a/modules/pam_env/pam_env.c ++++ b/modules/pam_env/pam_env.c +@@ -287,7 +287,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli + char *val; + + error = econf_getStringValue (key_file, NULL, keys[i], &val); +- if (error != ECONF_SUCCESS) { ++ if (error != ECONF_SUCCESS || val == NULL) { + pam_syslog(pamh, LOG_ERR, "Unable to get string from key %s: %s", + keys[i], + econf_errString(error)); +-- +2.45.1 + + +From 75292685a625153c6e28bdd820e97421c258c04a Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Sun, 19 May 2024 15:00:00 +0000 +Subject: [PATCH 2/2] pam_env: fix error handling in econf_read_file + +* modules/pam_env/pam_env.c [USE_ECONF] (econf_read_file): Make sure +the returned array of strings is properly initialized +when econf_getStringValue() fails to return a value. 
+--- + modules/pam_env/pam_env.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c +index 6d39bb24..7c146439 100644 +--- a/modules/pam_env/pam_env.c ++++ b/modules/pam_env/pam_env.c +@@ -273,7 +273,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli + return PAM_ABORT; + } + +- *lines = malloc((key_number +1)* sizeof(char**)); ++ *lines = calloc((key_number + 1), sizeof(char**)); + if (*lines == NULL) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory."); + econf_free(keys); +@@ -281,8 +281,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli + return PAM_BUF_ERR; + } + +- (*lines)[key_number] = 0; +- ++ size_t n = 0; + for (size_t i = 0; i < key_number; i++) { + char *val; + +@@ -293,7 +292,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli + econf_errString(error)); + } else { + econf_unescnl(val); +- if (asprintf(&(*lines)[i],"%s%c%s", keys[i], delim[0], val) < 0) { ++ if (asprintf(&(*lines)[n],"%s%c%s", keys[i], delim[0], val) < 0) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory."); + econf_free(keys); + econf_freeFile(key_file); +@@ -303,6 +302,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli + return PAM_BUF_ERR; + } + free (val); ++ n++; + } + } + +-- +2.45.1 + diff --git a/pam-1.6.1-sast-fixes.patch b/pam-1.6.1-sast-fixes.patch new file mode 100644 index 0000000000000000000000000000000000000000..d2557c4796fc334c3f3dc07eecb91a2e3f716b50 --- /dev/null +++ b/pam-1.6.1-sast-fixes.patch 
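Review bot: In PATCH 1/2 the widened condition `if (error != ECONF_SUCCESS || val == NULL)` still logs `econf_errString(error)`, so when `econf_getStringValue()` reports success but leaves `val` NULL the syslog line carries the text for a successful call and hides the real cause; a separate message for the NULL case would keep the log usable for diagnosis. In PATCH 2/2, `calloc((key_number + 1), sizeof(char**))` sizes each element as `char **` although every slot holds a `char *`; the sizes coincide on common ABIs, but `calloc(key_number + 1, sizeof(**lines))` states the intent. The `asprintf` failure path is only partly visible in the hunk, so whether `val` is freed there cannot be checked from here.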
@@ -0,0 +1,212 @@ +From 5eccaf9b3488d3f6da800281363697e4e4834e77 Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Wed, 22 May 2024 11:16:28 +0200 +Subject: [PATCH 1/5] pam_faillock: close the audit socket after use + +* modules/pam_faillock/pam_faillock.c (check_tally): Close the audit +socket when it will no longer be used. + +``` +Error: RESOURCE_LEAK (CWE-772): +Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:247: open_fn: Returning handle opened by "audit_open". +Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:247: var_assign: Assigning: "audit_fd" = handle returned from "audit_open()". +Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:256: noescape: Resource "audit_fd" is not freed or pointed-to in "audit_log_user_message". +Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:258: leaked_handle: Handle variable "audit_fd" going out of scope leaks the handle. +256| audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, +257| rhost, NULL, tty, 1); +258|-> } +259| #endif +260| opts->flags |= FAILLOCK_FLAG_UNLOCKED; +``` + +Resolves: https://issues.redhat.com/browse/RHEL-36475 +Signed-off-by: Iker Pedrosa +--- + modules/pam_faillock/pam_faillock.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c +index e636a24e..f39a9d95 100644 +--- a/modules/pam_faillock/pam_faillock.c ++++ b/modules/pam_faillock/pam_faillock.c +@@ -255,6 +255,7 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies + snprintf(buf, sizeof(buf), "op=pam_faillock suid=%u ", opts->uid); + audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, + rhost, NULL, tty, 1); ++ audit_close(audit_fd); + } + #endif + opts->flags |= FAILLOCK_FLAG_UNLOCKED; +-- +2.45.2 + + +From d00f6cb366b492de455f9b72fcbd2e49abf323e0 Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Wed, 22 May 2024 11:20:02 +0200 +Subject: [PATCH 2/5] pam_rootok: close the audit socket on error 
path + +* modules/pam_rootok/pam_rootok.c (log_callback): Close the audit socket +if vasprintf returned an error. + +``` +Error: RESOURCE_LEAK (CWE-772): +Linux-PAM-1.6.0/modules/pam_rootok/pam_rootok.c:59: open_fn: Returning handle opened by "audit_open". +Linux-PAM-1.6.0/modules/pam_rootok/pam_rootok.c:59: var_assign: Assigning: "audit_fd" = handle returned from "audit_open()". +Linux-PAM-1.6.0/modules/pam_rootok/pam_rootok.c:69: leaked_handle: Handle variable "audit_fd" going out of scope leaks the handle. +67| va_end(ap); +68| if (ret < 0) { +69|-> return 0; +70| } +71| audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, +``` + +Resolves: https://issues.redhat.com/browse/RHEL-36475 +Signed-off-by: Iker Pedrosa +--- + modules/pam_rootok/pam_rootok.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c +index 6d2dfa07..1b88fb19 100644 +--- a/modules/pam_rootok/pam_rootok.c ++++ b/modules/pam_rootok/pam_rootok.c +@@ -66,6 +66,7 @@ log_callback (int type UNUSED, const char *fmt, ...) + ret = vasprintf (&buf, fmt, ap); + va_end(ap); + if (ret < 0) { ++ audit_close(audit_fd); + return 0; + } + audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, +-- +2.45.2 + + +From 1ca5bfed50bd9f6c2f1e3e36c2df3253923dadf6 Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Wed, 22 May 2024 12:27:00 +0200 +Subject: [PATCH 3/5] pam_timestamp: close the timestamp file on error path + +* modules/pam_timestamp/pam_timestamp.c (pam_sm_authenticate) +[WITH_OPENSSL]: Close the timestamp file if hmac_size returned +an error. + +``` +Error: RESOURCE_LEAK (CWE-772): +Linux-PAM-1.6.0/modules/pam_timestamp/pam_timestamp.c:450: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.] +Linux-PAM-1.6.0/modules/pam_timestamp/pam_timestamp.c:450: var_assign: Assigning: "fd" = handle returned from "open(path, 131072)". 
+Linux-PAM-1.6.0/modules/pam_timestamp/pam_timestamp.c:460: noescape: Resource "fd" is not freed or pointed-to in "fstat". +Linux-PAM-1.6.0/modules/pam_timestamp/pam_timestamp.c:484: leaked_handle: Handle variable "fd" going out of scope leaks the handle. +482| #ifdef WITH_OPENSSL +483| if (hmac_size(pamh, debug, &maclen)) { +484|-> return PAM_AUTH_ERR; +485| } +486| #else +``` + +Resolves: https://issues.redhat.com/browse/RHEL-36475 +Signed-off-by: Iker Pedrosa +--- + modules/pam_timestamp/pam_timestamp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c +index 7c5457c4..edecc052 100644 +--- a/modules/pam_timestamp/pam_timestamp.c ++++ b/modules/pam_timestamp/pam_timestamp.c +@@ -481,6 +481,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) + + #ifdef WITH_OPENSSL + if (hmac_size(pamh, debug, &maclen)) { ++ close(fd); + return PAM_AUTH_ERR; + } + #else +-- +2.45.2 + + +From 667204d7e3e4a0341c529f7566d62dd64dd80866 Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Wed, 22 May 2024 12:25:34 +0200 +Subject: [PATCH 4/5] pam_namespace: free SELinux context + +* modules/pam_namespace/pam_namespace.c [WITH_SELINUX] (form_context): +Free SELinux context before returning. + +``` +Error: RESOURCE_LEAK (CWE-772): +Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:928: alloc_arg: "getexeccon" allocates memory that is stored into "scon". +Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:1004: leaked_storage: Variable "scon" going out of scope leaks the storage it points to. 
+1002| } +1003| /* Should never get here */ +1004|-> return PAM_SUCCESS; +1005| } +1006| #endif +``` + +Resolves: https://issues.redhat.com/browse/RHEL-36475 +Signed-off-by: Iker Pedrosa +--- + modules/pam_namespace/pam_namespace.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c +index e499d95a..781dac20 100644 +--- a/modules/pam_namespace/pam_namespace.c ++++ b/modules/pam_namespace/pam_namespace.c +@@ -1003,6 +1003,7 @@ static int form_context(const struct polydir_s *polyptr, + return rc; + } + /* Should never get here */ ++ freecon(scon); + return PAM_SUCCESS; + } + #endif +-- +2.45.2 + + +From bd2f695b3d89efe0c52bba975f9540634125178a Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Wed, 22 May 2024 12:29:07 +0200 +Subject: [PATCH 5/5] pam_namespace: free SELinux context on error path + +* modules/pam_namespace/pam_namespace.c (create_polydir) [WITH_SELINUX]: +Free SELinux context in case of an error. + +``` +Error: RESOURCE_LEAK (CWE-772): +Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:1433: alloc_arg: "getfscreatecon_raw" allocates memory that is stored into "oldcon_raw". +Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:1462: leaked_storage: Variable "oldcon_raw" going out of scope leaks the storage it points to. 
+1460| pam_syslog(idata->pamh, LOG_ERR, +1461| "Error creating directory %s: %m", dir); +1462|-> return PAM_SESSION_ERR; +1463| } +1464| +``` + +Resolves: https://issues.redhat.com/browse/RHEL-36475 +Signed-off-by: Iker Pedrosa +--- + modules/pam_namespace/pam_namespace.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c +index 781dac20..2dab49ef 100644 +--- a/modules/pam_namespace/pam_namespace.c ++++ b/modules/pam_namespace/pam_namespace.c +@@ -1462,6 +1462,9 @@ static int create_polydir(struct polydir_s *polyptr, + if (rc == -1) { + pam_syslog(idata->pamh, LOG_ERR, + "Error creating directory %s: %m", dir); ++#ifdef WITH_SELINUX ++ freecon(oldcon_raw); ++#endif + return PAM_SESSION_ERR; + } + +-- +2.45.2 + diff --git a/pam-redhat-1.2.0.tar.xz b/pam-redhat-1.2.0.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..d390e70325dfc63bc9de51a5283428f34e45315c Binary files /dev/null and b/pam-redhat-1.2.0.tar.xz differ diff --git a/pam.spec b/pam.spec index 855f735de9e1e7391f9e04b5e0aafee6e7da0132..f5b630e3e8ecd78e7aa013f12302dc5a94c5f584 100644 --- a/pam.spec +++ b/pam.spec @@ -1,8 +1,8 @@ -%define anolis_release 2 +%define anolis_release 1 %global soname_version 0 Name: pam -Version: 1.5.3 +Version: 1.6.1.3 Release: %{anolis_release}%{?dist} Summary: A Security Interface for Applications in Authentication activities @@ -31,6 +31,12 @@ Patch2: 0001-change-ndbm-to-gdbm.patch Patch3: 0001-add-sm3-crypt-support.patch # https://github.com/linux-pam/linux-pam/pull/686/commits/b3020da7da384d769f27a8713257fbe1001878be Patch4: 0002-Fix-CVE-2024-10041.patch +Patch5: pam-1.5.3-unix-nomsg.patch +Patch6: pam-1.6.1-pam-env-econf-read-file-fixes.patch +Patch7: pam-1.6.0-redhat-modules.patch +Patch8: pam-1.6.1-noflex.patch +Patch9: pam-1.6.1-sast-fixes.patch +Patch10: pam-1.6.1-pam-access-local.patch BuildRequires: audit-libs-devel BuildRequires: autoconf 
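Review bot: In PATCH 4/5 the added `freecon(scon);` sits directly under the existing comment `/* Should never get here */`, so the release covers only the fall-through return that the comment calls unreachable, and the comment now reads as if it described the `freecon` call. The `return rc;` two lines above belongs to a block whose start is outside the hunk, so whether `scon` is released on that path cannot be confirmed from here and is worth checking. PATCH 5/5 has the same shape: `freecon(oldcon_raw);` is added to one error return of `create_polydir()`, whereas a single cleanup label would also cover any other early return. In PATCH 1/5, `audit_close(audit_fd);` is placed inside a block whose opening condition is not shown; if that block is not already guarded by `audit_fd >= 0`, the close should be.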
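Review bot: `Version: 1.6.1.3` does not match anything else in this change: the tarball added is `Linux-PAM-1.6.1.tar.xz`, and the new changelog entries are labelled `1.6.1-1` and `1.6.1-2` while `anolis_release` is set to 1. If the Source line (not visible here) is built from `%{version}`, the build will look for a tarball that was not committed, and the detached signature `Linux-PAM-1.6.1.tar.xz.asc` can no longer be checked against the file actually used. I would set `Version: 1.6.1` and make the release and changelog agree. The changelog hunk further down also carries a `fix xxxxxxx` placeholder, a stray code fence and a paragraph of explanatory text that should not ship in `%changelog`.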
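Review bot: `Patch4: 0002-Fix-CVE-2024-10041.patch` is carried over unchanged across the rebase from 1.5.3, and the new `Patch5: pam-1.5.3-unix-nomsg.patch` is still written against `Linux-PAM-1.5.3` paths. Please confirm that the CVE fix is either still needed on 1.6.1 or already present in the new sources (in which case the patch should be dropped rather than fail or apply with fuzz), and that each of Patch5 to Patch10 is actually applied in `%prep`, which this hunk does not show. The `pam-redhat-1.2.0.tar.xz` archive, which presumably supplies the `pam_chroot` and `pam_postgresok` sources that Patch7 wires into the build, is added without a signature file or a visible Source entry, so its origin and checksum are worth recording in the spec.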
@@ -345,6 +351,17 @@ done %{abidir}/libpam*.dump %changelog +* Thu Jun 19 2025 wenyuzifang - 1.6.1-1 +- Updated to version 1.6.1 to fix xxxxxxx + + +* Thu Jun 19 2025 wenyuzifang - 1.6.1-2 +- Apply patch to fix potential NULL dereference and improve error handling in pam_env module. +- Apply patch to fix resource leaks, improving system stability and preventing potential resource exhaustion. +- Apply patch to fix inconsistent localhost matching and clarify LOCAL keyword behavior for better usability. +``` + +This entry reflects the introduction of the three new patches into the existing spec file, summarizing their purpose and impact on the project. It adheres to the typical format used in the `%changelog` section of RPM spec files. * Tue May 20 2025 wenxin - 1.5.3-2 - Fix CVE-2024-10041 @@ -367,4 +384,4 @@ done - Remove pam_unix.so dependency to avoid build failed; * Wed Mar 9 2022 James Wang - 1.5.2-1 -- Inital version +- Inital version \ No newline at end of file