diff --git a/Linux-PAM-1.5.3.tar.xz b/Linux-PAM-1.5.3.tar.xz deleted file mode 100644 index 30c2aff12635721146cdb96e319b70266b6e10ad..0000000000000000000000000000000000000000 Binary files a/Linux-PAM-1.5.3.tar.xz and /dev/null differ diff --git a/Linux-PAM-1.5.3.tar.xz.asc b/Linux-PAM-1.5.3.tar.xz.asc deleted file mode 100644 index 3b243543f8670bb3d06ee1905b356ab12dbd278e..0000000000000000000000000000000000000000 --- a/Linux-PAM-1.5.3.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIcBAABCgAGBQJkWBFQAAoJEKgEH6g54W42OoMP/R1O9dvpncrR4DfD3yJViTPw -To3isPszsdHhw/uZUzCBEUMxhJgUgefzHGAng1EbTyX2eTLk/cnLY8pZLXr3pzC0 -5CfacxAqgjK8B/7CbchsZQCDal84E5jR8qyzVCM3IPxZQfpiR3HJzXVjhg/gnBcY -L6v7FbLpcdM2keHHT1C/hyQfTnzyIdmwyzRdE1DF3ERbe3/1VlNmANNOacZ1H2T9 -Hs5dVIFiXwOO11Xku42oOo99LCqXyIsRnEogBFCORHNjD7B88lCdJAHssBdvWq5t -/CJnoGtJrVCXs11JVPSNyW0rm24rZH9YCC6yVRIuMq6jjMBawFUlMAqamLoSA3hK -4BPuPqQjHYk/D5H+m0HF2qRDpz76Bj1zdmYofqspeJf4QJOyOpMSXFY3pgsohuKW -P8YQ44cAkmMswFqMSKGi9EVnf6SVXWQFoHJhtlbUgi7ef/4IICrbtgSSE96OGdlg -Sdoplu3n+1HClaYqlHbjkd/m0Hc8QvOjovctb0Zoclnlup+u2JH4rDNqjxFUvkWB -8CeILjebgBrNRqAFDx7fKBEQyHs5FLOtUU1SwBLXXSyMCHuMhr/tKBHcbDgMhpVP -IiIyYGyEGUoIR/er5AgIX9e6/zcQbc8OvY+gTu9t+tw+HIt8hGvUUkuYX8LB1k6r -zf06e/iTT4GL6AhJtbh3 -=2hyW ------END PGP SIGNATURE----- diff --git a/Linux-PAM-1.6.1.tar.xz b/Linux-PAM-1.6.1.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..1c0c11ca8b54c9f7e8834ec98193036284b38e3e Binary files /dev/null and b/Linux-PAM-1.6.1.tar.xz differ diff --git a/Linux-PAM-1.6.1.tar.xz.asc b/Linux-PAM-1.6.1.tar.xz.asc new file mode 100644 index 0000000000000000000000000000000000000000..3e67bc40f1e2167e27427e1e39ee330a0f59aec0 --- /dev/null +++ b/Linux-PAM-1.6.1.tar.xz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJmFWt/AAoJEKgEH6g54W42NCwP/iWl8igdScTreVF6zV79Dqu1 +sl+ZjBr/dL+DOTcotsRnoAZUOy4ug3iktMZr1t0BMpWUorNmUofH4SZuhsX0CgRq +47t5mVqCakwn4JLq8J9cLOciMno6ips5ZT4RbMgzRYd1WcBurCAxQSNLP3aQGgub +RFObkqw5814ksz9Ge6QVhJ4l9P0wUoKfcpkzHj2Vq+cy0EzlBtnBGCHrMDgrz5aT +mXqGVvWTPO+lR2S+7wOLUtPoRv0uvN6h97ZszaoGoJ6wa6yYwOYz12/AiIsVQhet +cnr29ymuwPDqlrYGD1Hb0+ZUQExjVDQY90hdJ/ZntUlK7CY/2SotpDGB9kR8dTYJ +fpIVmR6GEZ+xSjBqa7RaiL8ieZCgT3TIvsMqteiFkqI+2lhlSGHX3g3oNSd3sbqd +PLok6W4L+xWDp89aMyYDDs/ISjBt5sSNK4NOOTZIMK4oeScGJJvrDL3S5DOSk1ku +o3l9N62WStD7fk0LYnyUGZORg/ccK6Yy2fV22zBMm/76PoyA1yHfFxCW+HwwmcqR +0riaFjA8cesZ3Dj79q24U3FRVdW5fTF9gS/5mK/Yj51KMMzTkUmbjksEC/AEBKzB +9laXxPdIeKUwNlGs7Heo/NE87u4OZfyihwpzLaTcOzbpN3zDyH6aH5poDs1FSaQ2 +UoUkHsbCWJU/ksn/9BIQ +=Dbz2 +-----END PGP SIGNATURE-----
diff --git a/pam-1.5.3-unix-nomsg.patch b/pam-1.5.3-unix-nomsg.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3a8abbb1a77b9b56926d81ba9705d1d20e7d37b3
--- /dev/null
+++ b/pam-1.5.3-unix-nomsg.patch
@@ -0,0 +1,17 @@
+Index: Linux-PAM-1.5.3/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- Linux-PAM-1.5.3.orig/modules/pam_unix/pam_unix_passwd.c
++++ Linux-PAM-1.5.3/modules/pam_unix/pam_unix_passwd.c
+@@ -678,12 +678,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
+ return PAM_SUCCESS;
+ } else if (off(UNIX__IAMROOT, ctrl) ||
+ (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1))) {
+- /* instruct user what is happening */
+- if (off(UNIX__QUIET, ctrl)) {
+- retval = pam_info(pamh, _("Changing password for %s."), user);
+- if (retval != PAM_SUCCESS)
+- return retval;
+- }
+ retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass_old, NULL);
+
+ if (retval != PAM_SUCCESS) {
diff --git a/pam-1.6.0-redhat-modules.patch b/pam-1.6.0-redhat-modules.patch
new file mode 100644
index 0000000000000000000000000000000000000000..66aa8ff487a3bf4cd676ed021cb56c6a03f61517
--- /dev/null
+++ b/pam-1.6.0-redhat-modules.patch
@@ -0,0 +1,24 @@
+diff -up Linux-PAM-1.6.0/configure.ac.redhat-modules Linux-PAM-1.6.0/configure.ac
+--- Linux-PAM-1.6.0/configure.ac.redhat-modules 2024-01-23 13:16:34.854753145 +0100
++++ Linux-PAM-1.6.0/configure.ac 2024-01-23 13:17:52.855859922 +0100
+@@ -774,6 +774,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
+ po/Makefile.in \
+ Make.xml.rules \
+ modules/Makefile \
++ modules/pam_chroot/Makefile \
++ modules/pam_postgresok/Makefile \
+ modules/pam_access/Makefile \
+ modules/pam_canonicalize_user/Makefile \
+ modules/pam_debug/Makefile modules/pam_deny/Makefile \
+diff -up Linux-PAM-1.6.0/modules/Makefile.am.redhat-modules Linux-PAM-1.6.0/modules/Makefile.am
+--- Linux-PAM-1.6.0/modules/Makefile.am.redhat-modules 2024-01-17 11:29:36.000000000 +0100
++++ Linux-PAM-1.6.0/modules/Makefile.am 2024-01-23 13:16:34.855753147 +0100
+@@ -48,6 +48,8 @@ SUBDIRS := \
+ pam_debug \
+ pam_deny \
+ pam_echo \
++ pam_chroot \
++ pam_postgresok \
+ pam_env \
+ pam_exec \
+ pam_faildelay \
diff --git a/pam-1.6.1-noflex.patch b/pam-1.6.1-noflex.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fa35dc7108e5050a892b751fda6717436a7f548b
--- /dev/null
+++ b/pam-1.6.1-noflex.patch
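Review bot: The entries added to `AC_CONFIG_FILES` and `SUBDIRS` make configure and make require `modules/pam_chroot` and `modules/pam_postgresok`, and nothing visible in this commit places those directories in the source tree. They presumably come from `pam-redhat-1.2.0.tar.xz`, which is added further down without a detached signature and without a visible `Source:` or unpack change in the pam.spec hunks, so the build fails unless that step already exists outside the hunks. Both are PAM modules that, as far as I know, upstream Linux-PAM does not ship, so the patch header should state where they come from and why they are enabled, for example `# pam_chroot and pam_postgresok come from the pam-redhat tarball (Source<N>, placeholder)`.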
@@ -0,0 +1,24 @@
+diff -up Linux-PAM-1.6.1/doc/Makefile.am.noflex Linux-PAM-1.6.1/doc/Makefile.am
+--- Linux-PAM-1.6.1/doc/Makefile.am.noflex 2024-04-09 18:22:59.000000000 +0200
++++ Linux-PAM-1.6.1/doc/Makefile.am 2024-04-10 11:09:39.304086982 +0200
+@@ -2,7 +2,7 @@
+ # Copyright (c) 2005, 2006 Thorsten Kukuk
+ #
+
+-SUBDIRS = man specs sag adg mwg
++SUBDIRS = man sag adg mwg
+
+ CLEANFILES = *~
+ DISTCLEANFILES = custom-html.xsl custom-man.xsl
+diff -up Linux-PAM-1.6.1/Makefile.am.noflex Linux-PAM-1.6.1/Makefile.am
+--- Linux-PAM-1.6.1/Makefile.am.noflex 2024-04-10 11:09:39.304086982 +0200
++++ Linux-PAM-1.6.1/Makefile.am 2024-04-10 11:13:15.057352362 +0200
+@@ -4,7 +4,7 @@
+
+ AUTOMAKE_OPTIONS = 1.9 gnu dist-xz no-dist-gzip check-news
+
+-SUBDIRS = libpam_internal libpam tests libpamc libpam_misc modules po conf \
++SUBDIRS = libpam_internal libpam tests libpamc libpam_misc modules po doc \
+ xtests
+
+ if HAVE_DOC
diff --git a/pam-1.6.1-pam-access-local.patch b/pam-1.6.1-pam-access-local.patch
new file mode 100644
index 0000000000000000000000000000000000000000..89a0d3904ad03e92def1d01593f7833cf6c55073
--- /dev/null
+++ b/pam-1.6.1-pam-access-local.patch
@@ -0,0 +1,119 @@
+From ecaaf4456e5aeacae1acdb1775bb5aadd3b19e13 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa
+Date: Wed, 16 Oct 2024 12:41:09 +0200
+Subject: [PATCH 1/2] pam_access: always match local address
+
+* modules/pam_access/pam_access.c: match the local address regardless of
+ the IP version in use.
+
+In some circumstances the `localhost` may be translated to IPv4 or IPv6,
+but the configuration file only indicated the address for one of the two
+versions. Since the originating value is set in `PAM_RHOST` and PAM has
+no control over it, let's match the local addresses regardless of the IP
+version in use.
+
+Resolves: https://issues.redhat.com/browse/RHEL-23018
+Signed-off-by: Iker Pedrosa
+---
+ modules/pam_access/pam_access.c | 30 ++++++++++++++++++++++++++++--
+ 1 file changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
+index bfbc6d57..48e7c7e9 100644
+--- a/modules/pam_access/pam_access.c
++++ b/modules/pam_access/pam_access.c
+@@ -306,6 +306,23 @@ isipaddr (const char *string, int *addr_type,
+ return is_ip;
+ }
+
++/* is_local_addr - checks if the IP address is local */
++static int
++is_local_addr (const char *string, int addr_type)
++{
++ if (addr_type == AF_INET) {
++ if (strcmp(string, "127.0.0.1") == 0) {
++ return YES;
++ }
++ } else if (addr_type == AF_INET6) {
++ if (strcmp(string, "::1") == 0) {
++ return YES;
++ }
++ }
++
++ return NO;
++}
++
+
+ /* are_addresses_equal - translate IP address strings to real IP
+ * addresses and compare them to find out if they are equal.
+@@ -327,9 +344,18 @@ are_addresses_equal (const char *ipaddr0, const char *ipaddr1,
+ if (isipaddr (ipaddr1, &addr_type1, &addr1) == NO)
+ return NO;
+
+- if (addr_type0 != addr_type1)
+- /* different address types */
++ if (addr_type0 != addr_type1) {
++ /* different address types, but there is still a possibility that they are
++ * both local addresses
++ */
++ int local1 = is_local_addr(ipaddr0, addr_type0);
++ int local2 = is_local_addr(ipaddr1, addr_type1);
++
++ if (local1 == YES && local2 == YES)
++ return YES;
++
+ return NO;
++ }
+
+ if (netmask != NULL) {
+ /* Got a netmask, so normalize addresses? */
+--
+2.47.0
+
+
+From 641dfd1084508c63f3590e93a35b80ffc50774e5 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa
+Date: Fri, 18 Oct 2024 10:27:07 +0200
+Subject: [PATCH 2/2] pam_access: clarify `LOCAL` keyword behaviour
+
+* modules/pam_access/access.conf.5.xml: `LOCAL` keyword behaviour
+ explanation was focused on the development internals. Let's clarify it
+ by rephrasing it to something a sysadmin can understand.
+
+Resolves: https://issues.redhat.com/browse/RHEL-39943
+Signed-off-by: Iker Pedrosa
+---
+ modules/pam_access/access.conf.5.xml | 17 ++++++-----------
+ 1 file changed, 6 insertions(+), 11 deletions(-)
+
+diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
+index 35a1a8fe..0b93db00 100644
+--- a/modules/pam_access/access.conf.5.xml
++++ b/modules/pam_access/access.conf.5.xml
+@@ -79,17 +79,12 @@
+ with network mask (where network mask can be a decimal number or an
+ internet address also), ALL (which always matches)
+ or LOCAL. The LOCAL
+- keyword matches if and only if
+- pam_get_item3,
+- when called with an item_type of
+- PAM_RHOST, returns NULL or an
+- empty string (and therefore the
+- origins field is compared against the
+- return value of
+- pam_get_item3
+- called with an item_type of
+- PAM_TTY or, absent that,
+- PAM_SERVICE).
++ keyword matches when the user connects without a network
++ connection (e.g., su,
++ login). A connection through the loopback
++ device (e.g., ssh user@localhost) is
++ considered a network connection, and thus, the
++ LOCAL keyword does not match.
+
+
+
+--
+2.47.0
+
diff --git a/pam-1.6.1-pam-env-econf-read-file-fixes.patch b/pam-1.6.1-pam-env-econf-read-file-fixes.patch
new file mode 100644
index 0000000000000000000000000000000000000000..066358827a4a0b41770c36834fe683679571046d
--- /dev/null
+++ b/pam-1.6.1-pam-env-econf-read-file-fixes.patch
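Review bot: `is_local_addr()` in the first patch recognises loopback only by exact text, `strcmp(string, "127.0.0.1")` and `strcmp(string, "::1")`, so the new cross-family branch in `are_addresses_equal()` misses other spellings of the same hosts such as `0:0:0:0:0:0:0:1`, `::ffff:127.0.0.1` or any other 127.0.0.0/8 address. `isipaddr()` has already parsed both strings at that point (`&addr1` is visible in the hunk), so testing the parsed address, for example with `IN6_IS_ADDR_LOOPBACK` for the IPv6 side, would be more robust than comparing strings. The branch also returns `YES` before the `netmask != NULL` handling, which means an access.conf rule written for one loopback family now matches the other as well; the man-page change in the second patch does not mention this, and administrators auditing their rules need to know it. `local1`/`local2` hold the results for `ipaddr0`/`ipaddr1`, so `local0`/`local1` would avoid the off-by-one reading. The body of `are_addresses_equal()` continues outside the hunk.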
@@ -0,0 +1,86 @@
+From aabd5314a6d76968c377969b49118a2df3f97003 Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin"
+Date: Sun, 19 May 2024 15:00:00 +0000
+Subject: [PATCH 1/2] pam_env: fix NULL dereference on error path in
+ econf_read_file
+
+* modules/pam_env/pam_env.c [USE_ECONF] (econf_read_file): Handle NULL
+value returned by econf_getStringValue().
+
+Resolves: https://github.com/linux-pam/linux-pam/issues/796
+---
+ modules/pam_env/pam_env.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
+index 2cc58228..6d39bb24 100644
+--- a/modules/pam_env/pam_env.c
++++ b/modules/pam_env/pam_env.c
+@@ -287,7 +287,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli
+ char *val;
+
+ error = econf_getStringValue (key_file, NULL, keys[i], &val);
+- if (error != ECONF_SUCCESS) {
++ if (error != ECONF_SUCCESS || val == NULL) {
+ pam_syslog(pamh, LOG_ERR, "Unable to get string from key %s: %s",
+ keys[i],
+ econf_errString(error));
+--
+2.45.1
+
+
+From 75292685a625153c6e28bdd820e97421c258c04a Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin"
+Date: Sun, 19 May 2024 15:00:00 +0000
+Subject: [PATCH 2/2] pam_env: fix error handling in econf_read_file
+
+* modules/pam_env/pam_env.c [USE_ECONF] (econf_read_file): Make sure
+the returned array of strings is properly initialized
+when econf_getStringValue() fails to return a value.
+---
+ modules/pam_env/pam_env.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
+index 6d39bb24..7c146439 100644
+--- a/modules/pam_env/pam_env.c
++++ b/modules/pam_env/pam_env.c
+@@ -273,7 +273,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli
+ return PAM_ABORT;
+ }
+
+- *lines = malloc((key_number +1)* sizeof(char**));
++ *lines = calloc((key_number + 1), sizeof(char**));
+ if (*lines == NULL) {
+ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
+ econf_free(keys);
+@@ -281,8 +281,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli
+ return PAM_BUF_ERR;
+ }
+
+- (*lines)[key_number] = 0;
+-
++ size_t n = 0;
+ for (size_t i = 0; i < key_number; i++) {
+ char *val;
+
+@@ -293,7 +292,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli
+ econf_errString(error));
+ } else {
+ econf_unescnl(val);
+- if (asprintf(&(*lines)[i],"%s%c%s", keys[i], delim[0], val) < 0) {
++ if (asprintf(&(*lines)[n],"%s%c%s", keys[i], delim[0], val) < 0) {
+ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
+ econf_free(keys);
+ econf_freeFile(key_file);
+@@ -303,6 +302,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli
+ return PAM_BUF_ERR;
+ }
+ free (val);
++ n++;
+ }
+ }
+
+--
+2.45.1
+
diff --git a/pam-1.6.1-sast-fixes.patch b/pam-1.6.1-sast-fixes.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d2557c4796fc334c3f3dc07eecb91a2e3f716b50
--- /dev/null
+++ b/pam-1.6.1-sast-fixes.patch
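Review bot: With the new condition `error != ECONF_SUCCESS || val == NULL` in `econf_read_file()`, a NULL value returned together with `ECONF_SUCCESS` is logged through `econf_errString(error)`, so the syslog line reports a success string as the cause of the failure. A separate message for that case, e.g. `pam_syslog(pamh, LOG_ERR, "Key %s has no value", keys[i]);`, keeps the log usable when triaging a broken environment file. In the second patch `calloc((key_number + 1), sizeof(char**))` sizes the elements as `char **` although `asprintf(&(*lines)[n], ...)` shows they are `char *`; `sizeof(**lines)` states the intent without relying on the two pointer types having the same size. The cleanup between the `asprintf` failure and `return PAM_BUF_ERR` lies outside the hunks, so whether `val` is freed on that path cannot be checked here.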
@@ -0,0 +1,212 @@
+From 5eccaf9b3488d3f6da800281363697e4e4834e77 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa
+Date: Wed, 22 May 2024 11:16:28 +0200
+Subject: [PATCH 1/5] pam_faillock: close the audit socket after use
+
+* modules/pam_faillock/pam_faillock.c (check_tally): Close the audit
+socket when it will no longer be used.
+
+```
+Error: RESOURCE_LEAK (CWE-772):
+Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:247: open_fn: Returning handle opened by "audit_open".
+Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:247: var_assign: Assigning: "audit_fd" = handle returned from "audit_open()".
+Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:256: noescape: Resource "audit_fd" is not freed or pointed-to in "audit_log_user_message".
+Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:258: leaked_handle: Handle variable "audit_fd" going out of scope leaks the handle.
+256| audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
+257| rhost, NULL, tty, 1);
+258|-> }
+259| #endif
+260| opts->flags |= FAILLOCK_FLAG_UNLOCKED;
+```
+
+Resolves: https://issues.redhat.com/browse/RHEL-36475
+Signed-off-by: Iker Pedrosa
+---
+ modules/pam_faillock/pam_faillock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c
+index e636a24e..f39a9d95 100644
+--- a/modules/pam_faillock/pam_faillock.c
++++ b/modules/pam_faillock/pam_faillock.c
+@@ -255,6 +255,7 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies
+ snprintf(buf, sizeof(buf), "op=pam_faillock suid=%u ", opts->uid);
+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
+ rhost, NULL, tty, 1);
++ audit_close(audit_fd);
+ }
+ #endif
+ opts->flags |= FAILLOCK_FLAG_UNLOCKED;
+--
+2.45.2
+
+
+From d00f6cb366b492de455f9b72fcbd2e49abf323e0 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa
+Date: Wed, 22 May 2024 11:20:02 +0200
+Subject: [PATCH 2/5] pam_rootok: close the audit socket on error path
+
+* modules/pam_rootok/pam_rootok.c (log_callback): Close the audit socket
+if vasprintf returned an error.
+
+```
+Error: RESOURCE_LEAK (CWE-772):
+Linux-PAM-1.6.0/modules/pam_rootok/pam_rootok.c:59: open_fn: Returning handle opened by "audit_open".
+Linux-PAM-1.6.0/modules/pam_rootok/pam_rootok.c:59: var_assign: Assigning: "audit_fd" = handle returned from "audit_open()".
+Linux-PAM-1.6.0/modules/pam_rootok/pam_rootok.c:69: leaked_handle: Handle variable "audit_fd" going out of scope leaks the handle.
+67| va_end(ap);
+68| if (ret < 0) {
+69|-> return 0;
+70| }
+71| audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
+```
+
+Resolves: https://issues.redhat.com/browse/RHEL-36475
+Signed-off-by: Iker Pedrosa
+---
+ modules/pam_rootok/pam_rootok.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c
+index 6d2dfa07..1b88fb19 100644
+--- a/modules/pam_rootok/pam_rootok.c
++++ b/modules/pam_rootok/pam_rootok.c
+@@ -66,6 +66,7 @@ log_callback (int type UNUSED, const char *fmt, ...)
+ ret = vasprintf (&buf, fmt, ap);
+ va_end(ap);
+ if (ret < 0) {
++ audit_close(audit_fd);
+ return 0;
+ }
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
+--
+2.45.2
+
+
+From 1ca5bfed50bd9f6c2f1e3e36c2df3253923dadf6 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa
+Date: Wed, 22 May 2024 12:27:00 +0200
+Subject: [PATCH 3/5] pam_timestamp: close the timestamp file on error path
+
+* modules/pam_timestamp/pam_timestamp.c (pam_sm_authenticate)
+[WITH_OPENSSL]: Close the timestamp file if hmac_size returned
+an error.
+
+```
+Error: RESOURCE_LEAK (CWE-772):
+Linux-PAM-1.6.0/modules/pam_timestamp/pam_timestamp.c:450: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
+Linux-PAM-1.6.0/modules/pam_timestamp/pam_timestamp.c:450: var_assign: Assigning: "fd" = handle returned from "open(path, 131072)".
+Linux-PAM-1.6.0/modules/pam_timestamp/pam_timestamp.c:460: noescape: Resource "fd" is not freed or pointed-to in "fstat".
+Linux-PAM-1.6.0/modules/pam_timestamp/pam_timestamp.c:484: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
+482| #ifdef WITH_OPENSSL
+483| if (hmac_size(pamh, debug, &maclen)) {
+484|-> return PAM_AUTH_ERR;
+485| }
+486| #else
+```
+
+Resolves: https://issues.redhat.com/browse/RHEL-36475
+Signed-off-by: Iker Pedrosa
+---
+ modules/pam_timestamp/pam_timestamp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
+index 7c5457c4..edecc052 100644
+--- a/modules/pam_timestamp/pam_timestamp.c
++++ b/modules/pam_timestamp/pam_timestamp.c
+@@ -481,6 +481,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
+
+ #ifdef WITH_OPENSSL
+ if (hmac_size(pamh, debug, &maclen)) {
++ close(fd);
+ return PAM_AUTH_ERR;
+ }
+ #else
+--
+2.45.2
+
+
+From 667204d7e3e4a0341c529f7566d62dd64dd80866 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa
+Date: Wed, 22 May 2024 12:25:34 +0200
+Subject: [PATCH 4/5] pam_namespace: free SELinux context
+
+* modules/pam_namespace/pam_namespace.c [WITH_SELINUX] (form_context):
+Free SELinux context before returning.
+
+```
+Error: RESOURCE_LEAK (CWE-772):
+Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:928: alloc_arg: "getexeccon" allocates memory that is stored into "scon".
+Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:1004: leaked_storage: Variable "scon" going out of scope leaks the storage it points to.
+1002| }
+1003| /* Should never get here */
+1004|-> return PAM_SUCCESS;
+1005| }
+1006| #endif
+```
+
+Resolves: https://issues.redhat.com/browse/RHEL-36475
+Signed-off-by: Iker Pedrosa
+---
+ modules/pam_namespace/pam_namespace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
+index e499d95a..781dac20 100644
+--- a/modules/pam_namespace/pam_namespace.c
++++ b/modules/pam_namespace/pam_namespace.c
+@@ -1003,6 +1003,7 @@ static int form_context(const struct polydir_s *polyptr,
+ return rc;
+ }
+ /* Should never get here */
++ freecon(scon);
+ return PAM_SUCCESS;
+ }
+ #endif
+--
+2.45.2
+
+
+From bd2f695b3d89efe0c52bba975f9540634125178a Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa
+Date: Wed, 22 May 2024 12:29:07 +0200
+Subject: [PATCH 5/5] pam_namespace: free SELinux context on error path
+
+* modules/pam_namespace/pam_namespace.c (create_polydir) [WITH_SELINUX]:
+Free SELinux context in case of an error.
+
+```
+Error: RESOURCE_LEAK (CWE-772):
+Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:1433: alloc_arg: "getfscreatecon_raw" allocates memory that is stored into "oldcon_raw".
+Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:1462: leaked_storage: Variable "oldcon_raw" going out of scope leaks the storage it points to.
+1460| pam_syslog(idata->pamh, LOG_ERR,
+1461| "Error creating directory %s: %m", dir);
+1462|-> return PAM_SESSION_ERR;
+1463| }
+1464|
+```
+
+Resolves: https://issues.redhat.com/browse/RHEL-36475
+Signed-off-by: Iker Pedrosa
+---
+ modules/pam_namespace/pam_namespace.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
+index 781dac20..2dab49ef 100644
+--- a/modules/pam_namespace/pam_namespace.c
++++ b/modules/pam_namespace/pam_namespace.c
+@@ -1462,6 +1462,9 @@ static int create_polydir(struct polydir_s *polyptr,
+ if (rc == -1) {
+ pam_syslog(idata->pamh, LOG_ERR,
+ "Error creating directory %s: %m", dir);
++#ifdef WITH_SELINUX
++ freecon(oldcon_raw);
++#endif
+ return PAM_SESSION_ERR;
+ }
+
+--
+2.45.2
+
diff --git a/pam-redhat-1.2.0.tar.xz b/pam-redhat-1.2.0.tar.xz
new file mode 100644
index 0000000000000000000000000000000000000000..d390e70325dfc63bc9de51a5283428f34e45315c
Binary files /dev/null and b/pam-redhat-1.2.0.tar.xz differ
diff --git a/pam.spec b/pam.spec
index 855f735de9e1e7391f9e04b5e0aafee6e7da0132..fc193703602974eb1317ff2f273ed15a0f32cbf7 100644
--- a/pam.spec
+++ b/pam.spec
@@ -1,8 +1,8 @@ -%define anolis_release 2 +%define anolis_release 1 %global soname_version 0 Name: pam -Version: 1.5.3 +Version: 1.6.1.3 Release: %{anolis_release}%{?dist} Summary: A Security Interface for Applications in Authentication activities
@@ -31,6 +31,12 @@ Patch2: 0001-change-ndbm-to-gdbm.patch Patch3: 0001-add-sm3-crypt-support.patch # https://github.com/linux-pam/linux-pam/pull/686/commits/b3020da7da384d769f27a8713257fbe1001878be Patch4: 0002-Fix-CVE-2024-10041.patch +Patch5: pam-1.6.1-noflex.patch +Patch6: pam-1.6.1-pam-access-local.patch +Patch7: pam-1.6.0-redhat-modules.patch +Patch8: pam-1.5.3-unix-nomsg.patch +Patch9: pam-1.6.1-pam-env-econf-read-file-fixes.patch +Patch10: pam-1.6.1-sast-fixes.patch BuildRequires: audit-libs-devel BuildRequires: autoconf
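Review bot: In patch 4/5 the added `freecon(scon);` sits directly under `/* Should never get here */` in `form_context()`, so the comment now reads as if it described the free; put the call above the comment or reword it to `/* Should never get here; release scon if we do */`. Only this exit is visible, so whether the `return rc;` just above it and any earlier exits also release `scon` cannot be confirmed from the hunk. The same pattern runs through patches 1/5, 2/5, 3/5 and 5/5, where each adds a release to a single return in `check_tally()`, `log_callback()`, `pam_sm_authenticate()` and `create_polydir()`. A shared cleanup label per function would keep the next early return from reintroducing the leak.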
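Review bot: `Version: 1.6.1.3` in the first pam.spec hunk matches neither the tarball added by this commit (`Linux-PAM-1.6.1.tar.xz`) nor the new changelog entry `1.6.1-1`; if the `Source0` line outside the hunks is derived from `%{version}`, the build will look for an archive that does not exist. The changelog line `Updated to version 1.6.1 to fix xxxxxxx` still carries a placeholder and should name what the update fixes. `Patch4: 0002-Fix-CVE-2024-10041.patch` is carried over unchanged in the second hunk; please confirm that it still applies to the 1.6.1 sources or is already contained in them, so the CVE fix is neither dropped nor applied twice. The new `Patch5` to `Patch10` lines would also benefit from a one-line comment each giving the upstream commit or issue, as `Patch4` already has.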
@@ -345,6 +351,12 @@ done %{abidir}/libpam*.dump %changelog +* Thu Jun 19 2025 wenyuzifang - 1.6.1-1 +- Updated to version 1.6.1 to fix xxxxxxx +- Apply patch to fix potential NULL dereference and improve error handling in pam_env module. +- Apply patch to fix resource leaks, improving system stability and preventing potential resource exhaustion. +- Apply patch to fix inconsistent localhost matching and clarify LOCAL keyword behavior for better usability. + * Tue May 20 2025 wenxin - 1.5.3-2 - Fix CVE-2024-10041 @@ -367,4 +379,4 @@ done - Remove pam_unix.so dependency to avoid build failed; * Wed Mar 9 2022 James Wang - 1.5.2-1 -- Inital version +- Inital version \ No newline at end of file