From patchwork Wed Nov 20 21:49:07 2024
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 8269
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] oath-toolkit: Update to version 2.6.12
Date: Wed, 20 Nov 2024 22:49:07 +0100
Message-ID: <20241120214909.2717383-5-adolf.belka@ipfire.org>
In-Reply-To: <20241120214909.2717383-1-adolf.belka@ipfire.org>
References: <20241120214909.2717383-1-adolf.belka@ipfire.org>
List-Id: IPFire development talk

- Update from version 2.6.11 to 2.6.12
- Update of rootfile not required
- Changelog
    2.6.12
    ** pam_oath: Drop privs when ${HOME} is used in the usersfile= setting.
    Reported by Fabian Vogt (SUSE), and associated with CVE-2024-47191. See .
    Security bug triggered by new feature in pam_oath v2.6.7 released on 2021-05-01 with the USER/HOME placeholder strings, see .
    Quoting a writeup in an alternate patch by Matthias Gerstner (SUSE):
    With the addition of the possibility to place a usersfile also into a user's home directory via variable expansion of ${HOME} and ${USER} in the `usersfile=` path specification, security issues sneaked in. The PAM process usually runs with root privileges. The file operations in an unprivileged user's home directory follow symlinks both when reading and creating files, allowing for a potential local root exploit, because of the `fchown()` performed on the newly created usersfile. We drop privileges to the user that is being logged into, assuming it has the necessary permissions for the usersfile belonging in their home directory.
    This restricts the ability for non-root users to affect files beyond their control via liboath.

    ** liboath: Don't follow symbolic links for usersfile updates.
    Reported by Fabian Vogt (SUSE), and associated with CVE-2024-47191. See .
    Security bug triggered by new feature in pam_oath v2.6.7 released on 2021-05-01 with the USER/HOME placeholder strings, see .
    The fix is to open files for writing in exclusive mode (i.e., fail if the file exists including if it is a symbolic link).
    We offer a brief self-test to reproduce the problem in liboath/tests/tst_fopen-wx.c which you may use as follows:

        cc -o tst_fopen-wx tst_fopen-wx.c $(pkg-config --libs --cflags liboath)
        rm -f cve.oath cve.oath.new cve.sshd-config cve.oath.lock
        printf 'HOTP/E/8\tsilver\t4711\t3132333435363738393031323334353637383930313233343536373839303132\n' > cve.oath
        echo my-magic-cookie > cve.sshd-config
        ln -s cve.sshd-config cve.oath.new
        ./tst_fopen-wx cve.oath silver 670691 4711

    If this is linked with a vulnerable liboath it will print:

        FAIL: Liboath VULNERABLE to fopen(wx) bug.

    If you link it to a fixed liboath it will print:

        PASS: Your liboath is NOT VULNERABLE to fopen(wx) bug.

    For convenience, the liboath/tests/tst_fopen-wx.sh script can be used to set up and invoke tst_fopen-wx.

    ** We publish a minimal source-only tarball generated by 'git archive'. This tarball only contains the files stored in version controlled sources, and no auxiliary files. The source-only tarball may be reproduced on a Trisquel 11 platform using Git at (or near) version 2.46 from Guix. If something results in the 'git archive' format changing again, the tarball can only be reproduced using an earlier system. The git version in AlmaLinux 8, AlmaLinux 9, RockyLinux 8 and RockyLinux 9 should all produce the same identical 'git archive' tarball. The git version used on Debian 11, PureOS 10, Trisquel 11 and Ubuntu 22.04 should all produce an identical tarball. These two 'git archive' outputs are not the same, due to how Git works.
** oathtool: Fix test suite on 32-bit big-endian platforms. Fixes: #44. Patch by Helge Deller and thanks to Jan Zerebecki. See and . ** libpskc: Don't call deprecated xmlMemoryDump. ** libpskc: fix implicit declaration with musl. See . ** libpskc: Fix linker warning when linked with mold. Thanks to Jan Palus, see and for regression testing. ** Various build fixes including updated gnulib files. Fixes Windows tzset build errors, among other things. Signed-off-by: Adolf Belka --- lfs/oath-toolkit | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/oath-toolkit b/lfs/oath-toolkit index c71399985..c031f97d1 100644 --- a/lfs/oath-toolkit +++ b/lfs/oath-toolkit @@ -24,7 +24,7 @@ include Config -VER = 2.6.11 +VER = 2.6.12 THISAPP = oath-toolkit-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = f3fa3ab1818f4f9bbf7c8c88432cd3432fbfb30dfcc660ab85f07e2d3d7e1616fc24579900bc55bbf72fb81b2eac4a6591553968872f07d8b3955ce4e6495afd +$(DL_FILE)_BLAKE2 = 8bd184fa7166bc35af3bd632d0dd24ae00480f78a850e2ed4f058ec22711852757f01623ede16c8990daa366752578430be7c93a27d87c8ae92faf9a3aade1a1 install : $(TARGET)
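Review bot: the first hunk (VER = 2.6.11 -> 2.6.12) is the only functional change, so nothing in lfs/oath-toolkit itself demonstrates that the built liboath and pam_oath carry the CVE-2024-47191 fixes the changelog describes; before merging, it is worth running the upstream self-test the changelog points at (liboath/tests/tst_fopen-wx.sh, or tst_fopen-wx linked against the freshly built library) and confirming it prints "PASS: Your liboath is NOT VULNERABLE to fopen(wx) bug.", since the pam_oath privilege-drop half cannot be checked from the version bump alone.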
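Review bot: the second hunk replaces $(DL_FILE)_BLAKE2 for $(THISAPP).tar.gz, and the changelog states that upstream now also publishes a minimal 'git archive' source-only tarball next to the release; please confirm the new hash was computed over the full release tarball that the existing build expects (the one shipping the generated build files), not over the source-only archive, and that the tarball it was taken from was itself checked against upstream's published release (signature or checksum) rather than only a locally downloaded copy.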
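An added example, not code from oath-toolkit or from this patch, showing the exclusive-create pattern the changelog describes for usersfile updates: the .new file is opened with O_CREAT|O_EXCL (the open(2) form of fopen "wx") and then renamed over the usersfile, so a symlink planted at the .new path is refused rather than followed. The directory, victim file and usersfile line are constructed for the demonstration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hardened "write usersfile.new, then rename it over usersfile" flow. Returns 1
 * on success, 0 if anything already sat at the .new path (a planted symlink, a
 * stale file, a concurrent updater), -1 on any other error. */
int update_usersfile_exclusive(const char *usersfile, const char *line) {
    char newpath[256];
    snprintf(newpath, sizeof newpath, "%s.new", usersfile);
    /* O_CREAT|O_EXCL is what fopen(path, "wx") maps to: it fails with EEXIST if
     * the path exists in any form, symlink included, and never follows a link. */
    int fd = open(newpath, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return errno == EEXIST ? 0 : -1;
    size_t len = strlen(line);
    if (write(fd, line, len) != (ssize_t)len || close(fd) != 0 ||
        rename(newpath, usersfile) != 0) {
        unlink(newpath);
        return -1;
    }
    return 1;
}

/* Scenario from the changelog: a symlink users.oath.new -> victim file planted
 * before the update runs, inside a throwaway directory under /tmp. Returns 1 if
 * the exclusive create refused it and the victim is untouched, 0 otherwise, -1 on setup failure. */
int symlink_is_refused(void) {
    char dir[] = "/tmp/oath-demo-XXXXXX", users[256], newp[256], victim[256];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(users, sizeof users, "%s/users.oath", dir);
    snprintf(newp, sizeof newp, "%s/users.oath.new", dir);
    snprintf(victim, sizeof victim, "%s/victim.cfg", dir);
    const char *cookie = "my-magic-cookie\n";     /* constructed victim content */
    int fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, cookie, 16) != 16 || close(fd) != 0) return -1;
    if (symlink(victim, newp) != 0) return -1;
    /* constructed usersfile line; the key field is a placeholder, not a real secret */
    int rc = update_usersfile_exclusive(users, "HOTP/E/8\tsilver\t4712\t00\n");
    char buf[32] = {0};
    fd = open(victim, O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof buf - 1);
    if (fd >= 0) close(fd);
    unlink(newp); unlink(victim); unlink(users); rmdir(dir);
    return rc == 0 && n == 16 && strcmp(buf, cookie) == 0;
}
```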