From patchwork Tue Jan 23 11:26:45 2024
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 7485
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] pam: Update to version 1.6.0
Date: Tue, 23 Jan 2024 12:26:45 +0100
Message-ID: <20240123112647.8800-7-adolf.belka@ipfire.org>
In-Reply-To: <20240123112647.8800-1-adolf.belka@ipfire.org>
References: <20240123112647.8800-1-adolf.belka@ipfire.org>
List-Id: IPFire development talk

- Update from version 1.5.3 to 1.6.0
- Update of rootfile
- A build bug was found with 1.6.0 if --enable-read-both-confs was set in the configure. A commit fixing this has been released and converted into a patch for IPFire. This will end up in the next pam release version and the IPFire patch can then be removed.
- Changelog 1.6.0
 * Added support of configuration files with arbitrarily long lines.
 * build: fixed build outside of the source tree.
 * libpam: added use of getrandom(2) as a source of randomness if available.
 * libpam: fixed calculation of fail delay with very long delays.
 * libpam: fixed potential infinite recursion with includes.
 * libpam: implemented string to number conversions validation when parsing controls in configuration.
 * pam_access: added quiet_log option.
 * pam_access: fixed truncation of very long group names.
 * pam_canonicalize_user: new module to canonicalize user name.
 * pam_echo: fixed file handling to prevent overflows and short reads.
 * pam_env: added support of '\' character in environment variable values.
 * pam_exec: allowed expose_authtok for password PAM_TYPE.
 * pam_exec: fixed stack overflow with binary output of programs.
 * pam_faildelay: implemented parameter ranges validation.
 * pam_listfile: changed to treat \r and \n exactly the same in configuration.
 * pam_mkhomedir: hardened directory creation against timing attacks. Please note that using *at functions leads to more open file handles during creation.
 * pam_namespace: fixed potential local DoS (CVE-2024-22365).
 * pam_nologin: fixed file handling to prevent short reads.
 * pam_pwhistory: helper binary is now built only if SELinux support is enabled.
 * pam_pwhistory: implemented reliable usernames handling when remembering passwords.
 * pam_shells: changed to allow shell entries with absolute paths only.
 * pam_succeed_if: fixed treating empty strings as numerical value 0.
 * pam_unix: added support of disabled password aging.
 * pam_unix: synchronized password aging with shadow.
 * pam_unix: implemented string to number conversions validation.
 * pam_unix: fixed truncation of very long user names.
 * pam_unix: corrected rounds retrieval for configured encryption method.
 * pam_unix: implemented reliable usernames handling when remembering passwords.
 * pam_unix: changed to always run the helper to obtain shadow password entries.
 * pam_unix: unix_update helper binary is now built only if SELinux support is enabled.
 * pam_unix: added audit support to unix_update helper.
 * pam_userdb: added gdbm support.
 * Multiple minor bug fixes, portability fixes, documentation improvements, and translation updates.

Signed-off-by: Adolf Belka
---
 config/rootfiles/common/pam                           |  3 +++
 lfs/pam                                               |  7 ++++---
 ...pam:_fix_build_with_--enable-read-both-confs.patch | 11 +++++++++++
 3 files changed, 18 insertions(+), 3 deletions(-)
 create mode 100644 src/patches/Linux-PAM-1.6.0-libpam:_fix_build_with_--enable-read-both-confs.patch

diff --git a/config/rootfiles/common/pam b/config/rootfiles/common/pam
index e25fc9c26..de5c5b466 100644
--- a/config/rootfiles/common/pam +++ b/config/rootfiles/common/pam @@ -17,6 +17,8 @@ etc/security #lib/security/mkhomedir_helper #lib/security/pam_access.la lib/security/pam_access.so +#lib/security/pam_canonicalize_user.la +#lib/security/pam_canonicalize_user.so #lib/security/pam_debug.la #lib/security/pam_debug.so #lib/security/pam_deny.la @@ -193,6 +195,7 @@ usr/lib/libpamc.so.0.82.1 #usr/share/man/man8/mkhomedir_helper.8 #usr/share/man/man8/pam.8 #usr/share/man/man8/pam_access.8 +#usr/share/man/man8/pam_canonicalize_user.8 #usr/share/man/man8/pam_debug.8 #usr/share/man/man8/pam_deny.8 #usr/share/man/man8/pam_echo.8 diff --git a/lfs/pam b/lfs/pam index 020de981c..5e315a027 100644 --- a/lfs/pam +++ b/lfs/pam @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2023 IPFire Team # +# Copyright (C) 2007-2024 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 1.5.3 +VER = 1.6.0 THISAPP = Linux-PAM-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 362c939f3afc343e6f4e78e7f6ba6f7a9c6ee0a9948bb5a4fc34cecfd29e9fa974082534d4ceedd04d8d3e34c7b3ef43d2a07ba5f41d26da04ec8330fc3790fb +$(DL_FILE)_BLAKE2 = 8ad3ed2d58b48cf43d065f15669788c113eee2aa3fc86cf38565a0e4835b142564ff1af5bcd3377db08af77141d25b4e93752a387ff7eabc00b4a826aa9ea39d install : $(TARGET) 
@@ -70,6 +70,7 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/Linux-PAM-1.6.0-libpam:_fix_build_with_--enable-read-both-confs.patch $(UPDATE_AUTOMAKE) cd $(DIR_APP) && ./configure --libdir=/usr/lib \ --sbindir=/lib/security \ diff --git a/src/patches/Linux-PAM-1.6.0-libpam:_fix_build_with_--enable-read-both-confs.patch b/src/patches/Linux-PAM-1.6.0-libpam:_fix_build_with_--enable-read-both-confs.patch new file mode 100644 index 000000000..1736c5f35 --- /dev/null +++ b/src/patches/Linux-PAM-1.6.0-libpam:_fix_build_with_--enable-read-both-confs.patch @@ -0,0 +1,11 @@ +--- Linux-PAM-1.6.0/libpam/pam_handlers.c.orig 2024-01-17 11:29:36.000000000 +0100 ++++ Linux-PAM-1.6.0/libpam/pam_handlers.c 2024-01-22 16:02:45.546376172 +0100 +@@ -500,7 +500,7 @@ + + if (pamh->confdir == NULL + && (f = fopen(PAM_CONFIG,"r")) != NULL) { +- retval = _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY, 0, 1); ++ retval = _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY, 0, 0, 1); + fclose(f); + } else + #endif /* PAM_READ_BOTH_CONFS */
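Review bot: in the config/rootfiles/common/pam hunks, both new pam_canonicalize_user entries (the .la and the .so, plus the man page) are added commented out, so the module is built but not shipped; that mirrors how pam_debug and pam_deny are handled in the same file and is fine as long as no IPFire PAM configuration references the module, but if it is meant to be usable the `#lib/security/pam_canonicalize_user.so` line should be uncommented like `lib/security/pam_access.so` is.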
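Review bot: the replaced `$(DL_FILE)_BLAKE2` value in the lfs/pam hunk cannot be checked from the diff alone; before merging, confirm that the new checksum was computed from a Linux-PAM-1.6.0.tar.xz obtained from the upstream release (and checked against the upstream release signature where one is published), since this checksum is the only integrity check the build applies to the downloaded source.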
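Review bot: the lfs/pam hunk that adds `cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/Linux-PAM-1.6.0-libpam:_fix_build_with_--enable-read-both-confs.patch` introduces a patch file name containing a colon. It works here because the path only appears inside a shell recipe, but a colon in a file name is awkward for make rules, for some filesystems and for scp-style tooling that treats `host:path`; consider replacing the colon with a dash or underscore before the file lands in src/patches. Since the commit message says the fix is already upstream, a short comment next to this line naming the upstream commit would make it clear when the patch step can be removed.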
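Review bot: the new patch file hunk carries no reference to the upstream commit it was derived from, even though the commit message says the fix was released upstream and converted into an IPFire patch; add a header line in the patch naming the upstream commit or pull request so a later maintainer can confirm when this 1.6.0-only workaround can be dropped. The change itself is narrow and self-consistent: within the `#ifdef PAM_READ_BOTH_CONFS` block the `_pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY, 0, 1)` call gains one extra argument (`0, 1`), which is the kind of signature mismatch that only surfaces when this conditional block is compiled, matching the description of a build failure seen only with --enable-read-both-confs.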