Diffstat (limited to 'debian/patches-applied')
-rw-r--r-- | debian/patches-applied/cve-2010-4708.patch (renamed from debian/patches-applied/cve-2011-4708.patch) | 2 | ||||
-rw-r--r-- | debian/patches-applied/cve-2013-7041.patch | 44 | ||||
-rw-r--r-- | debian/patches-applied/cve-2014-2583.patch | 47 | ||||
-rw-r--r-- | debian/patches-applied/cve-2015-3238.patch | 154 | ||||
-rw-r--r-- | debian/patches-applied/make_documentation_reproducible.patch | 28 | ||||
-rw-r--r-- | debian/patches-applied/pam-loginuid-in-containers | 52 | ||||
-rw-r--r-- | debian/patches-applied/pam_namespace_fix_bashism.patch | 61 | ||||
-rw-r--r-- | debian/patches-applied/series | 7 | ||||
-rw-r--r-- | debian/patches-applied/update-motd | 12 |
9 files changed, 378 insertions, 29 deletions
diff --git a/debian/patches-applied/cve-2011-4708.patch b/debian/patches-applied/cve-2010-4708.patch
index c0fbb1ee..cf23e318 100644
--- a/debian/patches-applied/cve-2011-4708.patch
+++ b/debian/patches-applied/cve-2010-4708.patch
@@ -1,4 +1,4 @@
-Description: fix cve-2011-4708: .pam_environment privilege issue
+Description: fix cve-2010-4708: .pam_environment privilege issue
Index: pam.debian/modules/pam_env/pam_env.c
===================================================================
--- pam.debian.orig/modules/pam_env/pam_env.c
diff --git a/debian/patches-applied/cve-2013-7041.patch b/debian/patches-applied/cve-2013-7041.patch
new file mode 100644
index 00000000..dac35b25
--- /dev/null
+++ b/debian/patches-applied/cve-2013-7041.patch
@@ -0,0 +1,44 @@
+From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Fri, 24 Jan 2014 22:18:32 +0000
+Subject: pam_userdb: fix password hash comparison
+
+Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
+passwords support in pam_userdb, hashes are compared case-insensitively.
+This bug leads to accepting hashes for completely different passwords in
+addition to those that should be accepted.
+
+Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
+modern password hashes with different lengths and settings, did not
+update the hash comparison accordingly, which leads to accepting
+computed hashes longer than stored hashes when the latter is a prefix
+of the former.
+
+* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
+hash whose length differs from the stored hash length.
+Compare computed and stored hashes case-sensitively.
+Fixes CVE-2013-7041.
+
+Bug-Debian: http://bugs.debian.org/731368
+
+--- a/modules/pam_userdb/pam_userdb.c
++++ b/modules/pam_userdb/pam_userdb.c
+@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
+ } else {
+ cryptpw = crypt (pass, data.dptr);
+
+- if (cryptpw) {
+- compare = strncasecmp (data.dptr, cryptpw, data.dsize);
++ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
++ compare = memcmp(data.dptr, cryptpw, data.dsize);
+ } else {
+ compare = -2;
+ if (ctrl & PAM_DEBUG_ARG) {
+- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
++ if (cryptpw)
++ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
++ else
++ pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
+ }
+ };
+
diff --git a/debian/patches-applied/cve-2014-2583.patch b/debian/patches-applied/cve-2014-2583.patch
new file mode 100644
index 00000000..3eb91702
--- /dev/null
+++ b/debian/patches-applied/cve-2014-2583.patch
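Review bot: The new `compare = memcmp(data.dptr, cryptpw, data.dsize);` in user_lookup returns at the first differing byte, so the time the check takes depends on how long a prefix of the computed hash matches the stored one; the strncasecmp it replaces had the same property, so the commit fixes the two correctness bugs but keeps that timing side channel. A fixed-time comparison over data.dsize bytes closes it at no real cost, and the new `strlen(cryptpw) == (size_t)data.dsize` guard already leaves only the non-secret length to be decided early. This assumes the callers only test compare for zero, which the hunk does not show; if they need a sign the memcmp has to stay. user_lookup's body begins and ends outside the hunk, and since the file is a verbatim upstream commit the change belongs upstream rather than in the Debian delta.
```c
if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
    /* fixed-time equality: visit every byte, decide only after the loop */
    unsigned char diff = 0;
    for (size_t i = 0; i < (size_t)data.dsize; i++)
        diff |= (unsigned char)data.dptr[i] ^ (unsigned char)cryptpw[i];
    compare = diff ? 1 : 0;
} else {
    /* … unchanged: compare = -2 and the debug logging … */
```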
@@ -0,0 +1,47 @@
+From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Wed, 26 Mar 2014 22:17:23 +0000
+Subject: pam_timestamp: fix potential directory traversal issue (ticket #27)
+
+pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
+the timestamp pathname it creates, so extra care should be taken to
+avoid potential directory traversal issues.
+
+* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
+"." and ".." tty values as invalid.
+(get_ruser): Treat "." and ".." ruser values, as well as any ruser
+value containing '/', as invalid.
+
+Fixes CVE-2014-2583.
+
+Reported-by: Sebastian Krahmer <krahmer@suse.de>
+
+--- a/modules/pam_timestamp/pam_timestamp.c
++++ b/modules/pam_timestamp/pam_timestamp.c
+@@ -158,7 +158,7 @@ check_tty(const char *tty)
+ tty = strrchr(tty, '/') + 1;
+ }
+ /* Make sure the tty wasn't actually a directory (no basename). */
+- if (strlen(tty) == 0) {
++ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
+ return NULL;
+ }
+ return tty;
+@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
+ if (pwd != NULL) {
+ ruser = pwd->pw_name;
+ }
++ } else {
++ /*
++ * This ruser is used by format_timestamp_name as a component
++ * of constructed timestamp pathname, so ".", "..", and '/'
++ * are disallowed to avoid potential path traversal issues.
++ */
++ if (!strcmp(ruser, ".") ||
++ !strcmp(ruser, "..") ||
++ strchr(ruser, '/')) {
++ ruser = NULL;
++ }
+ }
+ if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
+ *ruserbuf = '\0';
diff --git a/debian/patches-applied/cve-2015-3238.patch b/debian/patches-applied/cve-2015-3238.patch
new file mode 100644
index 00000000..7c75ee5c
--- /dev/null
+++ b/debian/patches-applied/cve-2015-3238.patch
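Review bot: The new `else` branch in get_ruser nulls ruser on ".", ".." or a '/' but logs nothing, so a PAM_RUSER value that fails the check is indistinguishable in the audit trail from one that was never set; a `pam_syslog(pamh, LOG_NOTICE, "ignoring PAM_RUSER containing path components");` before `ruser = NULL;` (deliberately without the value, to keep the untrusted string out of the log) makes such attempts visible to detection. pam_syslog is presumably already in scope here, as the rest of the module logs through it, but that is not visible in the hunk. The check covers only the PAM_RUSER-supplied value; the pwd->pw_name taken in the other branch is trusted as-is, which is reasonable for an administrator-controlled name but worth one sentence in the new comment. Both check_tty and get_ruser begin and end outside their hunks.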
@@ -0,0 +1,154 @@
+From e89d4c97385ff8180e6e81e84c5aa745daf28a79 Mon Sep 17 00:00:00 2001
+From: Thorsten Kukuk <kukuk@thkukuk.de>
+Date: Mon, 22 Jun 2015 14:53:01 +0200
+Subject: Release version 1.2.1
+
+Security fix: CVE-2015-3238
+
+If the process executing pam_sm_authenticate or pam_sm_chauthtok method
+of pam_unix is not privileged enough to check the password, e.g.
+if selinux is enabled, the _unix_run_helper_binary function is called.
+When a long enough password is supplied (16 pages or more, i.e. 65536+
+bytes on a system with 4K pages), this helper function hangs
+indefinitely, blocked in the write(2) call while writing to a blocking
+pipe that has a limited capacity.
+With this fix, the verifiable password length will be limited to
+PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
+
+diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml
+index 2379366..d1b00a2 100644
+--- a/modules/pam_exec/pam_exec.8.xml
++++ b/modules/pam_exec/pam_exec.8.xml
+@@ -106,7 +106,8 @@
+ During authentication the calling command can read
+ the password from <citerefentry>
+ <refentrytitle>stdin</refentrytitle><manvolnum>3</manvolnum>
+- </citerefentry>.
++ </citerefentry>. Only first <emphasis>PAM_MAX_RESP_SIZE</emphasis>
++ bytes of a password are provided to the command.
+ </para> + </listitem> + </varlistentry> +diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c +index 5ab9630..17ba6ca 100644 +--- a/modules/pam_exec/pam_exec.c ++++ b/modules/pam_exec/pam_exec.c +@@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh, + } + + pam_set_item (pamh, PAM_AUTHTOK, resp); +- authtok = strdupa (resp); ++ authtok = strndupa (resp, PAM_MAX_RESP_SIZE); + _pam_drop (resp); + } + else +- authtok = void_pass; ++ authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE); + + if (pipe(fds) != 0) + { +diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml +index 4008402..a8b64bb 100644 +--- a/modules/pam_unix/pam_unix.8.xml ++++ b/modules/pam_unix/pam_unix.8.xml +@@ -80,6 +80,13 @@ + </para> + + <para> ++ The maximum length of a password supported by the pam_unix module ++ via the helper binary is <emphasis>PAM_MAX_RESP_SIZE</emphasis> ++ - currently 512 bytes. The rest of the password provided by the ++ conversation function to the module will be ignored. ++ </para> ++ ++ <para> + The password component of this module performs the task of updating + the user's password. 
The default encryption hash is taken from the + <emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from +diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c +index 2d330e5..c2e5de5 100644 +--- a/modules/pam_unix/pam_unix_passwd.c ++++ b/modules/pam_unix/pam_unix_passwd.c +@@ -240,15 +240,22 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const + /* wait for child */ + /* if the stored password is NULL */ + int rc=0; +- if (fromwhat) +- pam_modutil_write(fds[1], fromwhat, strlen(fromwhat)+1); +- else +- pam_modutil_write(fds[1], "", 1); +- if (towhat) { +- pam_modutil_write(fds[1], towhat, strlen(towhat)+1); ++ if (fromwhat) { ++ int len = strlen(fromwhat); ++ ++ if (len > PAM_MAX_RESP_SIZE) ++ len = PAM_MAX_RESP_SIZE; ++ pam_modutil_write(fds[1], fromwhat, len); + } +- else +- pam_modutil_write(fds[1], "", 1); ++ pam_modutil_write(fds[1], "", 1); ++ if (towhat) { ++ int len = strlen(towhat); ++ ++ if (len > PAM_MAX_RESP_SIZE) ++ len = PAM_MAX_RESP_SIZE; ++ pam_modutil_write(fds[1], towhat, len); ++ } ++ pam_modutil_write(fds[1], "", 1); + + close(fds[0]); /* close here to avoid possible SIGPIPE above */ + close(fds[1]); +diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c +index b325602..e79b55e 100644 +--- a/modules/pam_unix/passverify.c ++++ b/modules/pam_unix/passverify.c +@@ -1115,12 +1115,15 @@ getuidname(uid_t uid) + int + read_passwords(int fd, int npass, char **passwords) + { ++ /* The passwords array must contain npass preallocated ++ * buffers of length MAXPASS + 1 ++ */ + int rbytes = 0; + int offset = 0; + int i = 0; + char *pptr; + while (npass > 0) { +- rbytes = read(fd, passwords[i]+offset, MAXPASS-offset); ++ rbytes = read(fd, passwords[i]+offset, MAXPASS+1-offset); + + if (rbytes < 0) { + if (errno == EINTR) continue; +diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h +index 3de6759..caf7ae8 100644 +--- a/modules/pam_unix/passverify.h 
++++ b/modules/pam_unix/passverify.h
+@@ -8,7 +8,7 @@
+
+ #define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT
+
+-#define MAXPASS 200 /* the maximum length of a password */
++#define MAXPASS PAM_MAX_RESP_SIZE /* the maximum length of a password */
+
+ #define OLD_PASSWORDS_FILE "/etc/security/opasswd"
+
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index fdb45c2..abccd82 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -609,7 +609,12 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ /* if the stored password is NULL */
+ int rc=0;
+ if (passwd != NULL) { /* send the password to the child */
+- if (write(fds[1], passwd, strlen(passwd)+1) == -1) {
++ int len = strlen(passwd);
++
++ if (len > PAM_MAX_RESP_SIZE)
++ len = PAM_MAX_RESP_SIZE;
++ if (write(fds[1], passwd, len) == -1 ||
++ write(fds[1], "", 1) == -1) {
+ pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m");
+ retval = PAM_AUTH_ERR;
+ }
diff --git a/debian/patches-applied/make_documentation_reproducible.patch b/debian/patches-applied/make_documentation_reproducible.patch
new file mode 100644
index 00000000..26f16503
--- /dev/null
+++ b/debian/patches-applied/make_documentation_reproducible.patch
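Review bot: In _unix_run_helper_binary the new `write(fds[1], passwd, len) == -1 || write(fds[1], "", 1) == -1` still treats only -1 as failure, whereas the pam_unix_passwd.c hunk goes through pam_modutil_write, which retries short writes; the raw write() is safe here only because len is clamped to PAM_MAX_RESP_SIZE (512 bytes per the description), so each write is within PIPE_BUF and a blocking pipe write of that size is all-or-nothing, and that reasoning deserves a comment: `/* len <= PAM_MAX_RESP_SIZE <= PIPE_BUF: a blocking pipe write of this size completes or fails, never short */`. The `int len = strlen(passwd);` narrows size_t to int before the clamp; `size_t len = strlen(passwd);` avoids the conversion and matches write()'s size argument, and the same narrowing appears twice in the pam_unix_passwd.c hunk. _unix_run_helper_binary begins and ends outside the hunk, and the file is a verbatim upstream release commit, so these are points for upstream rather than the Debian delta.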
@@ -0,0 +1,28 @@ +Description: Make documentation reproducible + Add LC_ALL=C to w3m to avoid changes in the output when build the + documentation with different locales. +Author: Juan Picca <jumapico@gmail.com> +Last-Update: 2015-07-11 + +--- pam.orig/configure ++++ pam/configure +@@ -15162,7 +15162,7 @@ fi + + + if test ! -z "$BROWSER"; then +- BROWSER="$BROWSER -T text/html -dump" ++ BROWSER="LC_ALL=C $BROWSER -T text/html -dump" + else + enable_docu=no + fi +--- pam.orig/configure.in ++++ pam/configure.in +@@ -554,7 +554,7 @@ JH_CHECK_XML_CATALOG([http://docbook.sou + + AC_PATH_PROG([BROWSER], [w3m]) + if test ! -z "$BROWSER"; then +- BROWSER="$BROWSER -T text/html -dump" ++ BROWSER="LC_ALL=C $BROWSER -T text/html -dump" + else + enable_docu=no + fi diff --git a/debian/patches-applied/pam-loginuid-in-containers b/debian/patches-applied/pam-loginuid-in-containers index bea1e32f..1e965b2d 100644 --- a/debian/patches-applied/pam-loginuid-in-containers +++ b/debian/patches-applied/pam-loginuid-in-containers @@ -29,11 +29,11 @@ Description: pam_loginuid: Ignore failure in user namespaces Signed-off-by: Steve Langasek <vorlon@debian.org> Signed-off-by: Dmitry V. Levin <ldv@altlinux.org> -Index: pam.deb/modules/pam_loginuid/pam_loginuid.c +Index: ubuntu/modules/pam_loginuid/pam_loginuid.c =================================================================== ---- pam.deb.orig/modules/pam_loginuid/pam_loginuid.c -+++ pam.deb/modules/pam_loginuid/pam_loginuid.c -@@ -46,25 +46,49 @@ +--- ubuntu.orig/modules/pam_loginuid/pam_loginuid.c 2014-01-31 21:07:08.665185675 +0000 ++++ ubuntu/modules/pam_loginuid/pam_loginuid.c 2014-01-31 21:05:05.000000000 +0000 +@@ -47,25 +47,56 @@ /* * This function writes the loginuid to the /proc system. It returns 
@@ -50,48 +50,58 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c + char loginuid[24], buf[24]; + static const char host_uid_map[] = " 0 0 4294967295\n"; + char uid_map[sizeof(host_uid_map)]; ++ ++ /* loginuid in user namespaces currently isn't writable and in some ++ case, not even readable, so consider any failure as ignorable (but try ++ anyway, in case we hit a kernel which supports it). */ ++ fd = open("/proc/self/uid_map", O_RDONLY); ++ if (fd >= 0) { ++ count = pam_modutil_read(fd, uid_map, sizeof(uid_map)); ++ if (strncmp(uid_map, host_uid_map, count) != 0) ++ rc = PAM_IGNORE; ++ close(fd); ++ } - count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid); +- count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid); - fd = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC); + fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR); if (fd < 0) { - if (errno != ENOENT) { - rc = 1; +- pam_syslog(pamh, LOG_ERR, +- "Cannot open /proc/self/loginuid: %m"); + if (errno == ENOENT) { + rc = PAM_IGNORE; -+ } else if (errno == EACCES) { -+ fd = open("/proc/self/uid_map", O_RDONLY); -+ if (fd >= 0) { -+ count = pam_modutil_read(fd, uid_map, sizeof(uid_map)); -+ if (strncmp(uid_map, host_uid_map, count) != 0) -+ rc = PAM_IGNORE; -+ close(fd); -+ } -+ if (rc != PAM_IGNORE) -+ errno = EACCES; + } + if (rc != PAM_IGNORE) { - pam_syslog(pamh, LOG_ERR, - "Cannot open /proc/self/loginuid: %m"); ++ pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m", ++ "/proc/self/loginuid"); } return rc; } - if (pam_modutil_write(fd, loginuid, count) != count) - rc = 1; + ++ count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid); + if (pam_modutil_read(fd, buf, sizeof(buf)) == count && + memcmp(buf, loginuid, count) == 0) { + rc = PAM_SUCCESS; + goto done; /* already correct */ + } + if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 && -+ pam_modutil_write(fd, loginuid, count) == count) ++ pam_modutil_write(fd, loginuid, count) == count) 
{ + rc = PAM_SUCCESS; ++ } else { ++ if (rc != PAM_IGNORE) { ++ pam_syslog(pamh, LOG_ERR, "Error writing %s: %m", ++ "/proc/self/loginuid"); ++ } ++ } + done: close(fd); return rc; } -@@ -164,6 +188,7 @@ +@@ -165,6 +196,7 @@ { const char *user = NULL; struct passwd *pwd; @@ -99,7 +109,7 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c #ifdef HAVE_LIBAUDIT int require_auditd = 0; #endif -@@ -182,9 +207,14 @@ +@@ -183,9 +215,14 @@ return PAM_SESSION_ERR; } @@ -117,7 +127,7 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c } #ifdef HAVE_LIBAUDIT -@@ -194,11 +224,12 @@ +@@ -195,11 +232,12 @@ argv++; } diff --git a/debian/patches-applied/pam_namespace_fix_bashism.patch b/debian/patches-applied/pam_namespace_fix_bashism.patch new file mode 100644 index 00000000..6c6f1861 --- /dev/null +++ b/debian/patches-applied/pam_namespace_fix_bashism.patch 
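Review bot: `count = pam_modutil_read(fd, uid_map, sizeof(uid_map));` followed by `strncmp(uid_map, host_uid_map, count)` hands a negative count to strncmp when the read fails, where it becomes a huge size_t and the comparison reads uninitialized bytes of uid_map and yields an arbitrary answer; a zero-byte read compares equal and is taken as the host namespace. Since the comment above says any failure is to be treated as ignorable, `if (count <= 0 || strncmp(uid_map, host_uid_map, (size_t)count) != 0)` covers both cases with the same outcome. Separately, the `host_uid_map` literal as shown here has single spaces between fields, while the kernel pads each uid_map field to width 10; the page rendering may have collapsed the whitespace, so the literal should be checked against real /proc/self/uid_map output before relying on the comparison. The enclosing function starts before the hunk.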
@@ -0,0 +1,61 @@
+From fbc65c39d6853af268c9a093923afc876d0b138e Mon Sep 17 00:00:00 2001
+From: Steve Langasek <vorlon@debian.org>
+Date: Tue, 14 Jan 2014 19:48:51 -0800
+Subject: pam_namespace: don't use bashisms in default namespace.init script
+
+* modules/pam_namespace/pam_namespace.c: call setuid() before execing the
+namespace init script, so that scripts run with maximum privilege regardless
+of the shell implementation.
+* modules/pam_namespace/namespace.init: drop the '-p' bashism from the
+shebang line
+
+This is not a POSIX standard option, it's a bashism. The bash manpage says
+that it's used to prevent the effective user id from being reset to the real
+user id on startup, and to ignore certain unsafe variables from the
+environment.
+
+In the case of pam_namespace, the -p is not necessary for environment
+sanitizing because the PAM module (properly) sanitizes the environment
+before execing the script.
+
+The stated reason given in CVS history for passing -p is to "preserve euid
+when called from setuid apps (su, newrole)." This should be done more
+portably, by calling setuid() before spawning the shell.
+
+Signed-off-by: Steve Langasek <vorlon@debian.org>
+Bug-Debian: http://bugs.debian.org/624842
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1081323
+---
+ modules/pam_namespace/namespace.init | 2 +-
+ modules/pam_namespace/pam_namespace.c | 5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/modules/pam_namespace/namespace.init b/modules/pam_namespace/namespace.init
+index 9ab5806..67d4aa2 100755
+--- a/modules/pam_namespace/namespace.init
++++ b/modules/pam_namespace/namespace.init
+@@ -1,4 +1,4 @@
+-#!/bin/sh -p
++#!/bin/sh
+ # It receives polydir path as $1, the instance path as $2,
+ # a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3,
+ # and user name in $4.
+diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
+index e0d5e30..92883f5 100644
+--- a/modules/pam_namespace/pam_namespace.c
++++ b/modules/pam_namespace/pam_namespace.c
+@@ -1205,6 +1205,11 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath,
+ _exit(1);
+ }
+ #endif
++ /* Pass maximum privs when we exec() */
++ if (setuid(geteuid()) < 0) {
++ /* ignore failures, they don't matter */
++ }
++
+ if (execle(init_script, init_script,
+ polyptr->dir, ipath, newdir?"1":"0", idata->user, NULL, envp) < 0)
+ _exit(1);
+--
+cgit v0.12
+
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index 346e6106..51598ca8 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -15,10 +15,15 @@ hurd_no_setfsuid
045_pam_dispatch_jump_is_ignore
054_pam_security_abstract_securetty_handling
055_pam_unix_nullok_secure
-cve-2011-4708.patch
+cve-2010-4708.patch
PAM-manpage-section
update-motd
no_PATH_MAX_on_hurd
lib_security_multiarch_compat
pam-loginuid-in-containers
+cve-2013-7041.patch
+cve-2014-2583.patch
+cve-2015-3238.patch
pam-limits-nofile-fd-setsize-cap
+pam_namespace_fix_bashism.patch
+make_documentation_reproducible.patch
diff --git a/debian/patches-applied/update-motd b/debian/patches-applied/update-motd
index a89655df..6c2af5bb 100644
--- a/debian/patches-applied/update-motd
+++ b/debian/patches-applied/update-motd
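Review bot: `if (setuid(geteuid()) < 0) { /* ignore failures, they don't matter */ }` in inst_init is an empty block around the one call the commit message says the init script's privilege now depends on, and the comment asserts rather than explains why failure is harmless. If it truly cannot matter, `(void)setuid(geteuid()); /* euid==ruid already, or we are root: cannot fail in practice */` says so without the empty body; if it can, the child should fail closed like the surrounding error paths with `_exit(1);` rather than exec the script with a real uid that a shell lacking `-p` may fall back to. With the `-p` gone from namespace.init, this setuid() is the only thing fixing the script's privilege level, which is worth a sentence in the comment. inst_init begins and ends outside the hunk.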
@@ -86,16 +86,16 @@ Index: pam.debian/modules/pam_motd/pam_motd.c - - pam_info (pamh, "%s", mtmp); - break; -+ /* Run the update-motd dynamic motd scripts, outputting to /var/run/motd. -+ If /etc/motd -> /var/run/motd, the displayed MOTD will be dynamic. -+ Otherwise, the admin can force a static MOTD by breaking that symlink -+ and publishing into an /etc/motd text file. */ ++ /* Run the update-motd dynamic motd scripts, outputting to /run/motd.dynamic. ++ This will be displayed only when calling pam_motd with ++ motd=/run/motd.dynamic; current /etc/pam.d/login and /etc/pam.d/sshd ++ display both this file and /etc/motd. */ + if (do_update && (stat("/etc/update-motd.d", &st) == 0) + && S_ISDIR(st.st_mode)) + { + mode_t old_mask = umask(0022); -+ if (!system("/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /var/run/motd.new")) -+ rename("/var/run/motd.new", "/var/run/motd"); ++ if (!system("/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new")) ++ rename("/run/motd.dynamic.new", "/run/motd.dynamic"); + umask(old_mask); } |