-rw-r--r--debian/changelog7
-rw-r--r--debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch8
2 files changed, 11 insertions, 4 deletions
diff --git a/debian/changelog b/debian/changelog
index f386143e..1edb6d0b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+pam (1.1.3-5) UNRELEASED; urgency=low
+
+ * debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch: use
+ setresgid() to wipe out saved-gid just in case.
+
+ -- Kees Cook <kees@debian.org> Thu, 13 Oct 2011 12:31:03 -0700
+
pam (1.1.3-4) unstable; urgency=low
* Make sure shared library links are also installed to the multiarch
diff --git a/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
index 80334841..87336651 100644
--- a/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
+++ b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
@@ -7,10 +7,10 @@ Authors: Steve Langasek <vorlon@debian.org>,
Upstream status: to be submitted
-Index: pam.deb/modules/pam_unix/unix_chkpwd.c
+Index: pam-debian/modules/pam_unix/unix_chkpwd.c
===================================================================
---- pam.deb.orig/modules/pam_unix/unix_chkpwd.c
-+++ pam.deb/modules/pam_unix/unix_chkpwd.c
+--- pam-debian.orig/modules/pam_unix/unix_chkpwd.c 2011-10-10 16:22:06.270705822 -0700
++++ pam-debian/modules/pam_unix/unix_chkpwd.c 2011-10-10 16:24:06.080224301 -0700
@@ -137,9 +137,10 @@
/* if the caller specifies the username, verify that user
matches it */
@@ -19,7 +19,7 @@ Index: pam.deb/modules/pam_unix/unix_chkpwd.c
user = argv[1];
/* no match -> permanently change to the real user and proceed */
- if (setuid(getuid()) != 0)
-+ if (setregid(gid, gid) != 0 || setuid(getuid()) != 0)
++ if (setresgid(gid, gid, gid) != 0 || setuid(getuid()) != 0)
return PAM_AUTH_ERR;
}
}
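Review bot: The `++` line now clears the saved gid explicitly with `setresgid(gid, gid, gid)`, but the uid half of the same condition still relies on `setuid(getuid())`, which resets the saved uid only when the effective uid is 0. If the helper is ever installed setuid to a non-root account, the saved uid would survive this "permanent" drop. Making the uid side symmetric closes that gap: `if (setresgid(gid, gid, gid) != 0 || setresuid(getuid(), getuid(), getuid()) != 0)`. `setresgid()` is not POSIX and glibc declares it only under `_GNU_SOURCE`, so confirm that unix_chkpwd.c defines that macro before including `<unistd.h>`; the hunk does not show the includes. `gid` is assigned outside the hunk and the enclosing function starts above it, so confirm that `gid` holds the real gid from `getgid()`.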