Date: Monday, July 16, 2018 @ 07:40:09 Author: alucryd Revision: 359633
archrelease: copy trunk to multilib-x86_64 Added: lib32-pam/repos/multilib-x86_64/PKGBUILD (from rev 359632, lib32-pam/trunk/PKGBUILD) Deleted: lib32-pam/repos/multilib-x86_64/PKGBUILD lib32-pam/repos/multilib-x86_64/pam-1.1.8-cve-2013-7041.patch lib32-pam/repos/multilib-x86_64/pam-1.1.8-cve-2014-2583.patch lib32-pam/repos/multilib-x86_64/pam_unix2-glibc216.patch -------------------------------+ PKGBUILD | 89 ++++++++++++++++++++-------------------- pam-1.1.8-cve-2013-7041.patch | 52 ----------------------- pam-1.1.8-cve-2014-2583.patch | 56 ------------------------- pam_unix2-glibc216.patch | 20 -------- 4 files changed, 45 insertions(+), 172 deletions(-) Deleted: PKGBUILD =================================================================== --- PKGBUILD 2018-07-16 07:39:58 UTC (rev 359632) +++ PKGBUILD 2018-07-16 07:40:09 UTC (rev 359633) @@ -1,44 +0,0 @@ -# $Id$ -# Maintainer: Maxime Gauduin <aluc...@archlinux.org> -# Contributor: jtts <juss...@mbnet.fi> -# Contributor: josephgbr <rafael.f...@gmail.com> -# Contributor: Janax <jana...@yahoo.com> -# Contributor: Tobias Powalowski <tp...@archlinux.org> -# Contributor: judd <jvi...@zeroflux.org> - -pkgname=lib32-pam -pkgver=1.3.0 -pkgrel=2 -pkgdesc='Pluggable Authentication Modules' -arch=('x86_64') -url='http://linux-pam.org' -license=('GPL2') -depends=('lib32-cracklib' 'lib32-libnsl' 'lib32-libtirpc' 'pam') -makedepends=('gcc-multilib' 'lib32-flex') -source=("http://linux-pam.org/library/Linux-PAM-${pkgver}.tar.bz2") -sha256sums=('241aed1ef522f66ed672719ecf2205ec513fd0075ed80cda8e086a5b1a01d1bb') -options=('!emptydirs') - -build() { - cd Linux-PAM-${pkgver} - - export CC='gcc -m32' - export CXX='g++ -m32' - export PKG_CONFIG_PATH='/usr/lib32/pkgconfig' - - ./configure \ - --prefix='/usr' \ - --libdir='/usr/lib32' \ - --sbindir='/usr/bin' \ - --disable-db - make -} - -package() { - cd Linux-PAM-${pkgver} - - make DESTDIR="${pkgdir}" SCONFIGDIR='/etc/security' install - rm -rf "${pkgdir}"/{etc,usr/{include,share,bin}} -} - -# vim: ts=2 sw=2 et: Copied: lib32-pam/repos/multilib-x86_64/PKGBUILD (from rev 359632, lib32-pam/trunk/PKGBUILD) =================================================================== --- PKGBUILD (rev 0) +++ PKGBUILD 2018-07-16 07:40:09 UTC (rev 359633) @@ -0,0 +1,45 @@ +# $Id$ +# Maintainer: Maxime Gauduin <aluc...@archlinux.org> +# Contributor: jtts <juss...@mbnet.fi> +# Contributor: josephgbr <rafael.f...@gmail.com> +# Contributor: Janax <jana...@yahoo.com> +# Contributor: Tobias Powalowski <tp...@archlinux.org> +# Contributor: judd <jvi...@zeroflux.org> + +pkgname=lib32-pam +pkgver=1.3.1 +pkgrel=1 +pkgdesc='Pluggable Authentication Modules' +arch=('x86_64') +url='http://linux-pam.org' +license=('GPL2') +depends=('lib32-cracklib' 'lib32-libnsl' 'lib32-libtirpc' 'pam') +makedepends=('docbook-xml' 'docbook-xsl' 'git' 'lib32-flex' 'w3m') +source=("git+https://github.com/linux-pam/linux-pam.git#tag=v${pkgver}") +sha256sums=('SKIP') +options=('!emptydirs') + +build() { + cd linux-pam + + export CC='gcc -m32' + export CXX='g++ -m32' + export PKG_CONFIG_PATH='/usr/lib32/pkgconfig' + + ./autogen.sh + ./configure \ + --prefix='/usr' \ + --libdir='/usr/lib32' \ + --sbindir='/usr/bin' \ + --disable-db + make +} + +package() { + cd linux-pam + + make DESTDIR="${pkgdir}" SCONFIGDIR='/etc/security' install + rm -rf "${pkgdir}"/{etc,usr/{include,share,bin}} +} + +# vim: ts=2 sw=2 et: Deleted: pam-1.1.8-cve-2013-7041.patch =================================================================== --- pam-1.1.8-cve-2013-7041.patch 2018-07-16 07:39:58 UTC (rev 359632) +++ pam-1.1.8-cve-2013-7041.patch 2018-07-16 07:40:09 UTC (rev 359633) @@ -1,52 +0,0 @@ -From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001 -From: "Dmitry V. Levin" <l...@altlinux.org> -Date: Fri, 24 Jan 2014 22:18:32 +0000 -Subject: [PATCH] pam_userdb: fix password hash comparison - -Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed -passwords support in pam_userdb, hashes are compared case-insensitively. -This bug leads to accepting hashes for completely different passwords in -addition to those that should be accepted. - -Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for -modern password hashes with different lengths and settings, did not -update the hash comparison accordingly, which leads to accepting -computed hashes longer than stored hashes when the latter is a prefix -of the former. - -* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed -hash whose length differs from the stored hash length. -Compare computed and stored hashes case-sensitively. -Fixes CVE-2013-7041. - -Bug-Debian: http://bugs.debian.org/731368 ---- - modules/pam_userdb/pam_userdb.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c -index de8b5b1..ff040e6 100644 ---- a/modules/pam_userdb/pam_userdb.c -+++ b/modules/pam_userdb/pam_userdb.c -@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, - } else { - cryptpw = crypt (pass, data.dptr); - -- if (cryptpw) { -- compare = strncasecmp (data.dptr, cryptpw, data.dsize); -+ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) { -+ compare = memcmp(data.dptr, cryptpw, data.dsize); - } else { - compare = -2; - if (ctrl & PAM_DEBUG_ARG) { -- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL"); -+ if (cryptpw) -+ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ"); -+ else -+ pam_syslog(pamh, LOG_INFO, "crypt() returned NULL"); - } - }; - --- -1.8.3.1 - Deleted: pam-1.1.8-cve-2014-2583.patch =================================================================== --- pam-1.1.8-cve-2014-2583.patch 2018-07-16 07:39:58 UTC (rev 359632) +++ pam-1.1.8-cve-2014-2583.patch 2018-07-16 07:40:09 UTC (rev 359633) @@ -1,56 +0,0 @@ -From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001 -From: "Dmitry V. Levin" <l...@altlinux.org> -Date: Wed, 26 Mar 2014 22:17:23 +0000 -Subject: [PATCH] pam_timestamp: fix potential directory traversal issue - (ticket #27) - -pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of -the timestamp pathname it creates, so extra care should be taken to -avoid potential directory traversal issues. - -* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat -"." and ".." tty values as invalid. -(get_ruser): Treat "." and ".." ruser values, as well as any ruser -value containing '/', as invalid. - -Fixes CVE-2014-2583. - -Reported-by: Sebastian Krahmer <krah...@suse.de> ---- - modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c -index 5193733..b3f08b1 100644 ---- a/modules/pam_timestamp/pam_timestamp.c -+++ b/modules/pam_timestamp/pam_timestamp.c -@@ -158,7 +158,7 @@ check_tty(const char *tty) - tty = strrchr(tty, '/') + 1; - } - /* Make sure the tty wasn't actually a directory (no basename). */ -- if (strlen(tty) == 0) { -+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) { - return NULL; - } - return tty; -@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen) - if (pwd != NULL) { - ruser = pwd->pw_name; - } -+ } else { -+ /* -+ * This ruser is used by format_timestamp_name as a component -+ * of constructed timestamp pathname, so ".", "..", and '/' -+ * are disallowed to avoid potential path traversal issues. -+ */ -+ if (!strcmp(ruser, ".") || -+ !strcmp(ruser, "..") || -+ strchr(ruser, '/')) { -+ ruser = NULL; -+ } - } - if (ruser == NULL || strlen(ruser) >= ruserbuflen) { - *ruserbuf = '\0'; --- -1.8.3.1 - Deleted: pam_unix2-glibc216.patch =================================================================== --- pam_unix2-glibc216.patch 2018-07-16 07:39:58 UTC (rev 359632) +++ pam_unix2-glibc216.patch 2018-07-16 07:40:09 UTC (rev 359633) @@ -1,20 +0,0 @@ -Index: pam_unix2-2.9.1/src/read-files.c -=================================================================== ---- pam_unix2-2.9.1.orig/src/read-files.c -+++ pam_unix2-2.9.1/src/read-files.c -@@ -30,8 +30,14 @@ - #include <errno.h> - #include <fcntl.h> - #include <nss.h> --#include <bits/libc-lock.h> -+#include <pthread.h> - #define __libc_lock_t pthread_mutex_t -+#define __libc_lock_define_initialized(CLASS,NAME) \ -+ CLASS __libc_lock_t NAME = PTHREAD_MUTEX_INITIALIZER; -+#define __libc_lock_lock(NAME) \ -+ pthread_mutex_lock, (&(NAME)) -+#define __libc_lock_unlock(NAME) \ -+ pthread_mutex_unlock, (&(NAME)) - - #include "read-files.h" -