-rw-r--r--debian/changelog11
-rw-r--r--debian/patches-applied/cve-2015-3238.patch26
2 files changed, 37 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 977612a8..e0a780a9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+pam (1.1.8-3.6) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * cve-2015-3238.patch: Add the changes in the generated pam_exec.8
+ and pam_unix.8 in addition to (and after) the changes to the
+ source .xml files. This avoids unwanted rebuilds that can cause
+ problems due to differing files on different architectures of
+ the Multi-Arch: same libpam-modules. (Closes: #851545)
+
+ -- Adrian Bunk <bunk@debian.org> Sat, 27 May 2017 18:44:02 +0300
+
pam (1.1.8-3.5) unstable; urgency=medium
* Non-maintainer upload.
diff --git a/debian/patches-applied/cve-2015-3238.patch b/debian/patches-applied/cve-2015-3238.patch
index 7c75ee5c..cb5e8c06 100644
--- a/debian/patches-applied/cve-2015-3238.patch
+++ b/debian/patches-applied/cve-2015-3238.patch
@@ -152,3 +152,29 @@ index fdb45c2..abccd82 100644
pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m");
retval = PAM_AUTH_ERR;
}
+--- a/modules/pam_unix/pam_unix.8 2017-05-27 15:38:27.000000000 +0000
++++ b/modules/pam_unix/pam_unix.8 2017-05-27 15:34:49.000000000 +0000
+@@ -56,6 +56,10 @@
+ \fBnoreap\fR
+ module argument can be used to suppress this temporary shielding and may be needed for use with certain applications\&.
+ .PP
++The maximum length of a password supported by the pam_unix module via the helper binary is
++\fIPAM_MAX_RESP_SIZE\fR
++\- currently 512 bytes\&. The rest of the password provided by the conversation function to the module will be ignored\&.
++.PP
+ The password component of this module performs the task of updating the user\*(Aqs password\&. The default encryption hash is taken from the
+ \fBENCRYPT_METHOD\fR
+ variable from
+--- a/modules/pam_exec/pam_exec.8 2017-05-27 15:38:27.000000000 +0000
++++ b/modules/pam_exec/pam_exec.8 2017-05-27 15:56:25.000000000 +0000
+@@ -65,7 +65,9 @@
+ \fBexpose_authtok\fR
+ .RS 4
+ During authentication the calling command can read the password from
+-\fBstdin\fR(3)\&.
++\fBstdin\fR(3)\&. Only first
++\fIPAM_MAX_RESP_SIZE\fR
++bytes of a password are provided to the command\&.
+ .RE
+ .PP
+ \fBlog=\fR\fB\fIfile\fR\fR