authorSteve Langasek <vorlon@debian.org>2019-01-08 01:43:00 +0000
committerSteve Langasek <vorlon@debian.org>2019-01-08 22:12:52 -0800
commit8b35e983dc8b4fa7d5a27b928999950c3b6ffc3e (patch)
tree42f064dd708977f425c3f42728e73797a04dc5a9 /debian/patches-applied/cve-2015-3238.patch
parent4b9ee4f1ec73d87668ce40f0a362ecbc58159d9f (diff)
Consistently include documentation changes in patches, for clean source package
Diffstat (limited to 'debian/patches-applied/cve-2015-3238.patch')
-rw-r--r--debian/patches-applied/cve-2015-3238.patch105
1 files changed, 69 insertions, 36 deletions
diff --git a/debian/patches-applied/cve-2015-3238.patch b/debian/patches-applied/cve-2015-3238.patch
index cb5e8c06..50dd746e 100644
--- a/debian/patches-applied/cve-2015-3238.patch
+++ b/debian/patches-applied/cve-2015-3238.patch
@@ -15,10 +15,10 @@ pipe that has a limited capacity.
With this fix, the verifiable password length will be limited to
PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
-diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml
-index 2379366..d1b00a2 100644
---- a/modules/pam_exec/pam_exec.8.xml
-+++ b/modules/pam_exec/pam_exec.8.xml
+Index: pam/modules/pam_exec/pam_exec.8.xml
+===================================================================
+--- pam.orig/modules/pam_exec/pam_exec.8.xml
++++ pam/modules/pam_exec/pam_exec.8.xml
@@ -106,7 +106,8 @@
During authentication the calling command can read
the password from <citerefentry>
@@ -29,11 +29,11 @@ index 2379366..d1b00a2 100644
</para>
</listitem>
</varlistentry>
-diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c
-index 5ab9630..17ba6ca 100644
---- a/modules/pam_exec/pam_exec.c
-+++ b/modules/pam_exec/pam_exec.c
-@@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
+Index: pam/modules/pam_exec/pam_exec.c
+===================================================================
+--- pam.orig/modules/pam_exec/pam_exec.c
++++ pam/modules/pam_exec/pam_exec.c
+@@ -178,11 +178,11 @@
}
pam_set_item (pamh, PAM_AUTHTOK, resp);
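Review bot: The refreshed header `@@ -178,11 +178,11 @@` for modules/pam_exec/pam_exec.c no longer names the enclosing function (the old header ended in `call_exec (const char *pam_type, pam_handle_t *pamh,`). The later hunks for pam_unix_passwd.c, passverify.c and support.c lose their function context the same way, and their offsets also move (240 to 245, 1115 to 1086, 609 to 632). For a CVE fix carried across a changed upstream base, that context is what lets a reviewer confirm from the patch text alone that each change still lands in the intended function. This looks like the output of a quilt refresh; if so, refreshing with `QUILT_DIFF_OPTS="--show-c-function"` set would keep the function names while still dropping the git `index` lines.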
@@ -47,10 +47,10 @@ index 5ab9630..17ba6ca 100644
if (pipe(fds) != 0)
{
-diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
-index 4008402..a8b64bb 100644
---- a/modules/pam_unix/pam_unix.8.xml
-+++ b/modules/pam_unix/pam_unix.8.xml
+Index: pam/modules/pam_unix/pam_unix.8.xml
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix.8.xml
++++ pam/modules/pam_unix/pam_unix.8.xml
@@ -80,6 +80,13 @@
</para>
@@ -65,11 +65,11 @@ index 4008402..a8b64bb 100644
The password component of this module performs the task of updating
the user's password. The default encryption hash is taken from the
<emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from
-diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
-index 2d330e5..c2e5de5 100644
---- a/modules/pam_unix/pam_unix_passwd.c
-+++ b/modules/pam_unix/pam_unix_passwd.c
-@@ -240,15 +240,22 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const
+Index: pam/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix_passwd.c
++++ pam/modules/pam_unix/pam_unix_passwd.c
+@@ -245,15 +245,22 @@
/* wait for child */
/* if the stored password is NULL */
int rc=0;
@@ -100,11 +100,11 @@ index 2d330e5..c2e5de5 100644
close(fds[0]); /* close here to avoid possible SIGPIPE above */
close(fds[1]);
-diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
-index b325602..e79b55e 100644
---- a/modules/pam_unix/passverify.c
-+++ b/modules/pam_unix/passverify.c
-@@ -1115,12 +1115,15 @@ getuidname(uid_t uid)
+Index: pam/modules/pam_unix/passverify.c
+===================================================================
+--- pam.orig/modules/pam_unix/passverify.c
++++ pam/modules/pam_unix/passverify.c
+@@ -1086,12 +1086,15 @@
int
read_passwords(int fd, int npass, char **passwords)
{
@@ -121,10 +121,10 @@ index b325602..e79b55e 100644
if (rbytes < 0) {
if (errno == EINTR) continue;
-diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h
-index 3de6759..caf7ae8 100644
---- a/modules/pam_unix/passverify.h
-+++ b/modules/pam_unix/passverify.h
+Index: pam/modules/pam_unix/passverify.h
+===================================================================
+--- pam.orig/modules/pam_unix/passverify.h
++++ pam/modules/pam_unix/passverify.h
@@ -8,7 +8,7 @@
#define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT
@@ -134,11 +134,11 @@ index 3de6759..caf7ae8 100644
#define OLD_PASSWORDS_FILE "/etc/security/opasswd"
-diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
-index fdb45c2..abccd82 100644
---- a/modules/pam_unix/support.c
-+++ b/modules/pam_unix/support.c
-@@ -609,7 +609,12 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+Index: pam/modules/pam_unix/support.c
+===================================================================
+--- pam.orig/modules/pam_unix/support.c
++++ pam/modules/pam_unix/support.c
+@@ -632,7 +632,12 @@
/* if the stored password is NULL */
int rc=0;
if (passwd != NULL) { /* send the password to the child */
@@ -152,8 +152,10 @@ index fdb45c2..abccd82 100644
pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m");
retval = PAM_AUTH_ERR;
}
---- a/modules/pam_unix/pam_unix.8 2017-05-27 15:38:27.000000000 +0000
-+++ b/modules/pam_unix/pam_unix.8 2017-05-27 15:34:49.000000000 +0000
+Index: pam/modules/pam_unix/pam_unix.8
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix.8
++++ pam/modules/pam_unix/pam_unix.8
@@ -56,6 +56,10 @@
\fBnoreap\fR
module argument can be used to suppress this temporary shielding and may be needed for use with certain applications\&.
@@ -165,8 +167,10 @@ index fdb45c2..abccd82 100644
The password component of this module performs the task of updating the user\*(Aqs password\&. The default encryption hash is taken from the
\fBENCRYPT_METHOD\fR
variable from
---- a/modules/pam_exec/pam_exec.8 2017-05-27 15:38:27.000000000 +0000
-+++ b/modules/pam_exec/pam_exec.8 2017-05-27 15:56:25.000000000 +0000
+Index: pam/modules/pam_exec/pam_exec.8
+===================================================================
+--- pam.orig/modules/pam_exec/pam_exec.8
++++ pam/modules/pam_exec/pam_exec.8
@@ -65,7 +65,9 @@
\fBexpose_authtok\fR
.RS 4
@@ -178,3 +182,32 @@ index fdb45c2..abccd82 100644
.RE
.PP
\fBlog=\fR\fB\fIfile\fR\fR
+Index: pam/modules/pam_exec/README
+===================================================================
+--- pam.orig/modules/pam_exec/README
++++ pam/modules/pam_exec/README
+@@ -24,7 +24,8 @@
+ expose_authtok
+
+ During authentication the calling command can read the password from stdin
+- (3).
++ (3). Only first PAM_MAX_RESP_SIZE bytes of a password are provided to the
++ command.
+
+ log=file
+
+Index: pam/modules/pam_unix/README
+===================================================================
+--- pam.orig/modules/pam_unix/README
++++ pam/modules/pam_unix/README
+@@ -34,6 +34,10 @@
+ suppress this temporary shielding and may be needed for use with certain
+ applications.
+
++The maximum length of a password supported by the pam_unix module via the
++helper binary is PAM_MAX_RESP_SIZE - currently 512 bytes. The rest of the
++password provided by the conversation function to the module will be ignored.
++
+ The password component of this module performs the task of updating the user's
+ password. The default encryption hash is taken from the ENCRYPT_METHOD variable
+ from /etc/login.defs