Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package pam_u2f for openSUSE:Factory checked
in at 2025-01-21 21:11:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pam_u2f (Old)
and /work/SRC/openSUSE:Factory/.pam_u2f.new.5589 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam_u2f"
Tue Jan 21 21:11:24 2025 rev:14 rq:1239306 version:1.3.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/pam_u2f/pam_u2f.changes 2025-01-15
17:45:30.310407462 +0100
+++ /work/SRC/openSUSE:Factory/.pam_u2f.new.5589/pam_u2f.changes
2025-01-21 21:12:02.818852214 +0100
@@ -1,0 +2,7 @@
+Tue Jan 21 13:52:59 UTC 2025 - Paolo Perego <paolo.per...@suse.com>
+
+- update to 1.3.2:
+ * Relax authfile permission check to a warning instead of an error to prevent
+ a breaking change locking existing users out of their systems.
+
+-------------------------------------------------------------------
Old:
----
pam_u2f-1.3.1.tar.gz
pam_u2f-1.3.1.tar.gz.sig
New:
----
pam_u2f-1.3.2.tar.gz
pam_u2f-1.3.2.tar.gz.sig
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pam_u2f.spec ++++++
--- /var/tmp/diff_new_pack.VPjTqS/_old 2025-01-21 21:12:03.266870576 +0100
+++ /var/tmp/diff_new_pack.VPjTqS/_new 2025-01-21 21:12:03.270870739 +0100
@@ -19,7 +19,7 @@
%{!?_pam_moduledir: %define _pam_moduledir /%{_lib}/security}
Name: pam_u2f
-Version: 1.3.1
+Version: 1.3.2
Release: 0
Summary: U2F authentication integration into PAM
License: BSD-2-Clause
++++++ pam_u2f-1.3.1.tar.gz -> pam_u2f-1.3.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pam_u2f-1.3.1/ChangeLog new/pam_u2f-1.3.2/ChangeLog
--- old/pam_u2f-1.3.1/ChangeLog 2025-01-14 16:00:55.000000000 +0100
+++ new/pam_u2f-1.3.2/ChangeLog 2025-01-16 13:22:44.000000000 +0100
@@ -1,3 +1,22 @@
+2025-01-16 Ludvig Michaelsson <ludvig.michaels...@yubico.com>
+
+ * NEWS: release 1.3.2
+
+2025-01-15 Ludvig Michaelsson <ludvig.michaels...@yubico.com>
+
+ * NEWS: NEWS: prepare for 1.3.2
+
+2025-01-15 Ludvig Michaelsson <ludvig.michaels...@yubico.com>
+
+ * util.c: util: soften authfile permission check to a warning We'd like
to make this a hard error but it has proven to break
+ existing installations. To avoid breaking changes, revert to trying
+ our hardest to inform the administrator that this user is
+ authenticating with a potentially unsafe authfile.
+
+2025-01-14 Ludvig Michaelsson <ludvig.michaels...@yubico.com>
+
+ * NEWS, configure.ac: Bump version
+
2025-01-14 Ludvig Michaelsson <ludvig.michaels...@yubico.com>
* NEWS: release 1.3.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pam_u2f-1.3.1/NEWS new/pam_u2f-1.3.2/NEWS
--- old/pam_u2f-1.3.1/NEWS 2025-01-14 15:47:44.000000000 +0100
+++ new/pam_u2f-1.3.2/NEWS 2025-01-16 13:13:56.000000000 +0100
@@ -2,6 +2,10 @@
pam-u2f NEWS -- History of user-visible changes. -*- outline -*-
+* Version 1.3.2 (released 2025-01-16)
+** Relax authfile permission check to a warning instead of an error to
+prevent a breaking change locking existing users out of their systems.
+
* Version 1.3.1 (released 2025-01-14)
** Fix incorrect usage of PAM_IGNORE (YSA-2025-01, CVE-2025-23013).
** Changed return value when nouserok is enabled and the user has no
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pam_u2f-1.3.1/configure new/pam_u2f-1.3.2/configure
--- old/pam_u2f-1.3.1/configure 2025-01-14 15:48:22.000000000 +0100
+++ new/pam_u2f-1.3.2/configure 2025-01-16 13:20:57.000000000 +0100
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.72 for pam_u2f 1.3.1.
+# Generated by GNU Autoconf 2.72 for pam_u2f 1.3.2.
#
# Report bugs to <https://github.com/Yubico/pam-u2f/issues>.
#
@@ -674,8 +674,8 @@
# Identity of this package.
PACKAGE_NAME='pam_u2f'
PACKAGE_TARNAME='pam_u2f'
-PACKAGE_VERSION='1.3.1'
-PACKAGE_STRING='pam_u2f 1.3.1'
+PACKAGE_VERSION='1.3.2'
+PACKAGE_STRING='pam_u2f 1.3.2'
PACKAGE_BUGREPORT='https://github.com/Yubico/pam-u2f/issues'
PACKAGE_URL='https://developers.yubico.com/pam-u2f/'
@@ -1439,7 +1439,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-'configure' configures pam_u2f 1.3.1 to adapt to many kinds of systems.
+'configure' configures pam_u2f 1.3.2 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1510,7 +1510,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of pam_u2f 1.3.1:";;
+ short | recursive ) echo "Configuration of pam_u2f 1.3.2:";;
esac
cat <<\_ACEOF
@@ -1643,7 +1643,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-pam_u2f configure 1.3.1
+pam_u2f configure 1.3.2
generated by GNU Autoconf 2.72
Copyright (C) 2023 Free Software Foundation, Inc.
@@ -1867,7 +1867,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by pam_u2f $as_me 1.3.1, which was
+It was created by pam_u2f $as_me 1.3.2, which was
generated by GNU Autoconf 2.72. Invocation command line was
$ $0$ac_configure_args_raw
@@ -3423,7 +3423,7 @@
# Define the identity of the package.
PACKAGE='pam_u2f'
- VERSION='1.3.1'
+ VERSION='1.3.2'
printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -16750,7 +16750,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by pam_u2f $as_me 1.3.1, which was
+This file was extended by pam_u2f $as_me 1.3.2, which was
generated by GNU Autoconf 2.72. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -16810,7 +16810,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config='$ac_cs_config_escaped'
ac_cs_version="\\
-pam_u2f config.status 1.3.1
+pam_u2f config.status 1.3.2
configured by $0, generated by GNU Autoconf 2.72,
with options \\"\$ac_cs_config\\"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pam_u2f-1.3.1/configure.ac
new/pam_u2f-1.3.2/configure.ac
--- old/pam_u2f-1.3.1/configure.ac 2025-01-13 13:36:35.000000000 +0100
+++ new/pam_u2f-1.3.2/configure.ac 2025-01-16 13:12:29.000000000 +0100
@@ -1,6 +1,6 @@
# Copyright (C) 2014-2022 Yubico AB
AC_PREREQ([2.65])
-AC_INIT([pam_u2f], [1.3.1], [https://github.com/Yubico/pam-u2f/issues],
+AC_INIT([pam_u2f], [1.3.2], [https://github.com/Yubico/pam-u2f/issues],
[pam_u2f], [https://developers.yubico.com/pam-u2f/])
AC_CONFIG_AUX_DIR([build-aux])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pam_u2f-1.3.1/man/pam_u2f.8
new/pam_u2f-1.3.2/man/pam_u2f.8
--- old/pam_u2f-1.3.1/man/pam_u2f.8 2025-01-14 16:00:55.000000000 +0100
+++ new/pam_u2f-1.3.2/man/pam_u2f.8 2025-01-16 13:22:45.000000000 +0100
@@ -2,12 +2,12 @@
.\" Title: pam_u2f
.\" Author: [FIXME: author] [see http://www.docbook.org/tdg5/en/html/author]
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\" Date: Version 1.3.1
+.\" Date: Version 1.3.2
.\" Manual: PAM U2F Module Manual
.\" Source: pam-u2f
.\" Language: English
.\"
-.TH "PAM_U2F" "8" "Version 1\&.3\&.1" "pam\-u2f" "PAM U2F Module Manual"
+.TH "PAM_U2F" "8" "Version 1\&.3\&.2" "pam\-u2f" "PAM U2F Module Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pam_u2f-1.3.1/man/pamu2fcfg.1
new/pam_u2f-1.3.2/man/pamu2fcfg.1
--- old/pam_u2f-1.3.1/man/pamu2fcfg.1 2025-01-14 16:00:55.000000000 +0100
+++ new/pam_u2f-1.3.2/man/pamu2fcfg.1 2025-01-16 13:22:44.000000000 +0100
@@ -2,12 +2,12 @@
.\" Title: pamu2fcfg
.\" Author: [FIXME: author] [see http://www.docbook.org/tdg5/en/html/author]
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\" Date: Version 1.3.1
+.\" Date: Version 1.3.2
.\" Manual: PAM U2F Configuration Tool
.\" Source: pamu2fcfg
.\" Language: English
.\"
-.TH "PAMU2FCFG" "1" "Version 1\&.3\&.1" "pamu2fcfg" "PAM U2F Configuration
Tool"
+.TH "PAMU2FCFG" "1" "Version 1\&.3\&.2" "pamu2fcfg" "PAM U2F Configuration
Tool"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pam_u2f-1.3.1/util.c new/pam_u2f-1.3.2/util.c
--- old/pam_u2f-1.3.1/util.c 2025-01-13 13:36:35.000000000 +0100
+++ new/pam_u2f-1.3.2/util.c 2025-01-16 13:13:02.000000000 +0100
@@ -6,6 +6,7 @@
#include <fido/es256.h>
#include <fido/rs256.h>
#include <fido/eddsa.h>
+#include <syslog.h>
#include <openssl/ec.h>
#include <openssl/obj_mac.h>
@@ -711,8 +712,22 @@
}
if ((st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
- debug_dbg(cfg, "Authentication file has insecure permissions");
- goto err;
+ /* XXX: attempt to prevent two messages to syslog */
+ if (cfg->debug_file) {
+ debug_dbg(cfg,
+ "Permissions %04o for '%s' are too open. Please change the "
+ "file mode bits to 0644 or more restrictive. This may become "
+ "an error in the future!",
+ (unsigned int) st.st_mode & 0777, cfg->auth_file);
+ }
+#ifndef WITH_FUZZING
+ /* XXX: force a message to syslog, regardless of the debug level */
+ syslog(LOG_AUTHPRIV | LOG_WARNING,
+ "warning(pam_u2f): Permissions %04o for '%s' are too open. Please "
+ "change the file mode bits to 0644 or more restrictive. This may "
+ "become an error in the future!",
+ (unsigned int) st.st_mode & 0777, cfg->auth_file);
+#endif
}
opwfile_size = st.st_size;
