Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package pam_u2f for openSUSE:Factory checked in at 2025-01-21 21:11:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pam_u2f (Old) and /work/SRC/openSUSE:Factory/.pam_u2f.new.5589 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam_u2f" Tue Jan 21 21:11:24 2025 rev:14 rq:1239306 version:1.3.2 Changes: -------- --- /work/SRC/openSUSE:Factory/pam_u2f/pam_u2f.changes 2025-01-15 17:45:30.310407462 +0100 +++ /work/SRC/openSUSE:Factory/.pam_u2f.new.5589/pam_u2f.changes 2025-01-21 21:12:02.818852214 +0100 @@ -1,0 +2,7 @@ +Tue Jan 21 13:52:59 UTC 2025 - Paolo Perego <paolo.per...@suse.com> + +- update to 1.3.2: + * Relax authfile permission check to a warning instead of an error to prevent + a breaking change locking existing users out of their systems. + +------------------------------------------------------------------- Old: ---- pam_u2f-1.3.1.tar.gz pam_u2f-1.3.1.tar.gz.sig New: ---- pam_u2f-1.3.2.tar.gz pam_u2f-1.3.2.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam_u2f.spec ++++++ --- /var/tmp/diff_new_pack.VPjTqS/_old 2025-01-21 21:12:03.266870576 +0100 +++ /var/tmp/diff_new_pack.VPjTqS/_new 2025-01-21 21:12:03.270870739 +0100 @@ -19,7 +19,7 @@ %{!?_pam_moduledir: %define _pam_moduledir /%{_lib}/security} Name: pam_u2f -Version: 1.3.1 +Version: 1.3.2 Release: 0 Summary: U2F authentication integration into PAM License: BSD-2-Clause ++++++ pam_u2f-1.3.1.tar.gz -> pam_u2f-1.3.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_u2f-1.3.1/ChangeLog new/pam_u2f-1.3.2/ChangeLog --- old/pam_u2f-1.3.1/ChangeLog 2025-01-14 16:00:55.000000000 +0100 +++ new/pam_u2f-1.3.2/ChangeLog 2025-01-16 13:22:44.000000000 +0100 
@@ -1,3 +1,22 @@ +2025-01-16 Ludvig Michaelsson <ludvig.michaels...@yubico.com> + + * NEWS: release 1.3.2 + +2025-01-15 Ludvig Michaelsson <ludvig.michaels...@yubico.com> + + * NEWS: NEWS: prepare for 1.3.2 + +2025-01-15 Ludvig Michaelsson <ludvig.michaels...@yubico.com> + + * util.c: util: soften authfile permission check to a warning We'd like to make this a hard error but it has proven to break + existing installations. To avoid breaking changes, revert to trying + our hardest to inform the administrator that this user is + authenticating with a potentially unsafe authfile. + +2025-01-14 Ludvig Michaelsson <ludvig.michaels...@yubico.com> + + * NEWS, configure.ac: Bump version + 2025-01-14 Ludvig Michaelsson <ludvig.michaels...@yubico.com> * NEWS: release 1.3.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_u2f-1.3.1/NEWS new/pam_u2f-1.3.2/NEWS --- old/pam_u2f-1.3.1/NEWS 2025-01-14 15:47:44.000000000 +0100 +++ new/pam_u2f-1.3.2/NEWS 2025-01-16 13:13:56.000000000 +0100 @@ -2,6 +2,10 @@ pam-u2f NEWS -- History of user-visible changes. -*- outline -*- +* Version 1.3.2 (released 2025-01-16) +** Relax authfile permission check to a warning instead of an error to +prevent a breaking change locking existing users out of their systems. + * Version 1.3.1 (released 2025-01-14) ** Fix incorrect usage of PAM_IGNORE (YSA-2025-01, CVE-2025-23013). ** Changed return value when nouserok is enabled and the user has no diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_u2f-1.3.1/configure new/pam_u2f-1.3.2/configure --- old/pam_u2f-1.3.1/configure 2025-01-14 15:48:22.000000000 +0100 +++ new/pam_u2f-1.3.2/configure 2025-01-16 13:20:57.000000000 +0100 
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.72 for pam_u2f 1.3.1. +# Generated by GNU Autoconf 2.72 for pam_u2f 1.3.2. # # Report bugs to <https://github.com/Yubico/pam-u2f/issues>. # @@ -674,8 +674,8 @@ # Identity of this package. PACKAGE_NAME='pam_u2f' PACKAGE_TARNAME='pam_u2f' -PACKAGE_VERSION='1.3.1' -PACKAGE_STRING='pam_u2f 1.3.1' +PACKAGE_VERSION='1.3.2' +PACKAGE_STRING='pam_u2f 1.3.2' PACKAGE_BUGREPORT='https://github.com/Yubico/pam-u2f/issues' PACKAGE_URL='https://developers.yubico.com/pam-u2f/' @@ -1439,7 +1439,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -'configure' configures pam_u2f 1.3.1 to adapt to many kinds of systems. +'configure' configures pam_u2f 1.3.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1510,7 +1510,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of pam_u2f 1.3.1:";; + short | recursive ) echo "Configuration of pam_u2f 1.3.2:";; esac cat <<\_ACEOF @@ -1643,7 +1643,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -pam_u2f configure 1.3.1 +pam_u2f configure 1.3.2 generated by GNU Autoconf 2.72 Copyright (C) 2023 Free Software Foundation, Inc. @@ -1867,7 +1867,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by pam_u2f $as_me 1.3.1, which was +It was created by pam_u2f $as_me 1.3.2, which was generated by GNU Autoconf 2.72. Invocation command line was $ $0$ac_configure_args_raw @@ -3423,7 +3423,7 @@ # Define the identity of the package. PACKAGE='pam_u2f' - VERSION='1.3.1' + VERSION='1.3.2' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h 
@@ -16750,7 +16750,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by pam_u2f $as_me 1.3.1, which was +This file was extended by pam_u2f $as_me 1.3.2, which was generated by GNU Autoconf 2.72. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -16810,7 +16810,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -pam_u2f config.status 1.3.1 +pam_u2f config.status 1.3.2 configured by $0, generated by GNU Autoconf 2.72, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_u2f-1.3.1/configure.ac new/pam_u2f-1.3.2/configure.ac --- old/pam_u2f-1.3.1/configure.ac 2025-01-13 13:36:35.000000000 +0100 +++ new/pam_u2f-1.3.2/configure.ac 2025-01-16 13:12:29.000000000 +0100 @@ -1,6 +1,6 @@ # Copyright (C) 2014-2022 Yubico AB AC_PREREQ([2.65]) -AC_INIT([pam_u2f], [1.3.1], [https://github.com/Yubico/pam-u2f/issues], +AC_INIT([pam_u2f], [1.3.2], [https://github.com/Yubico/pam-u2f/issues], [pam_u2f], [https://developers.yubico.com/pam-u2f/]) AC_CONFIG_AUX_DIR([build-aux]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_u2f-1.3.1/man/pam_u2f.8 new/pam_u2f-1.3.2/man/pam_u2f.8 --- old/pam_u2f-1.3.1/man/pam_u2f.8 2025-01-14 16:00:55.000000000 +0100 +++ new/pam_u2f-1.3.2/man/pam_u2f.8 2025-01-16 13:22:45.000000000 +0100 
@@ -2,12 +2,12 @@ .\" Title: pam_u2f .\" Author: [FIXME: author] [see http://www.docbook.org/tdg5/en/html/author] .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> -.\" Date: Version 1.3.1 +.\" Date: Version 1.3.2 .\" Manual: PAM U2F Module Manual .\" Source: pam-u2f .\" Language: English .\" -.TH "PAM_U2F" "8" "Version 1\&.3\&.1" "pam\-u2f" "PAM U2F Module Manual" +.TH "PAM_U2F" "8" "Version 1\&.3\&.2" "pam\-u2f" "PAM U2F Module Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_u2f-1.3.1/man/pamu2fcfg.1 new/pam_u2f-1.3.2/man/pamu2fcfg.1 --- old/pam_u2f-1.3.1/man/pamu2fcfg.1 2025-01-14 16:00:55.000000000 +0100 +++ new/pam_u2f-1.3.2/man/pamu2fcfg.1 2025-01-16 13:22:44.000000000 +0100 @@ -2,12 +2,12 @@ .\" Title: pamu2fcfg .\" Author: [FIXME: author] [see http://www.docbook.org/tdg5/en/html/author] .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> -.\" Date: Version 1.3.1 +.\" Date: Version 1.3.2 .\" Manual: PAM U2F Configuration Tool .\" Source: pamu2fcfg .\" Language: English .\" -.TH "PAMU2FCFG" "1" "Version 1\&.3\&.1" "pamu2fcfg" "PAM U2F Configuration Tool" +.TH "PAMU2FCFG" "1" "Version 1\&.3\&.2" "pamu2fcfg" "PAM U2F Configuration Tool" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_u2f-1.3.1/util.c new/pam_u2f-1.3.2/util.c --- old/pam_u2f-1.3.1/util.c 2025-01-13 13:36:35.000000000 +0100 +++ new/pam_u2f-1.3.2/util.c 2025-01-16 13:13:02.000000000 +0100 
@@ -6,6 +6,7 @@ #include <fido/es256.h> #include <fido/rs256.h> #include <fido/eddsa.h> +#include <syslog.h> #include <openssl/ec.h> #include <openssl/obj_mac.h> @@ -711,8 +712,22 @@ } if ((st.st_mode & (S_IWGRP | S_IWOTH)) != 0) { - debug_dbg(cfg, "Authentication file has insecure permissions"); - goto err; + /* XXX: attempt to prevent two messages to syslog */ + if (cfg->debug_file) { + debug_dbg(cfg, + "Permissions %04o for '%s' are too open. Please change the " + "file mode bits to 0644 or more restrictive. This may become " + "an error in the future!", + (unsigned int) st.st_mode & 0777, cfg->auth_file); + } +#ifndef WITH_FUZZING + /* XXX: force a message to syslog, regardless of the debug level */ + syslog(LOG_AUTHPRIV | LOG_WARNING, + "warning(pam_u2f): Permissions %04o for '%s' are too open. Please " + "change the file mode bits to 0644 or more restrictive. This may " + "become an error in the future!", + (unsigned int) st.st_mode & 0777, cfg->auth_file); +#endif } opwfile_size = st.st_size;
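Review bot: With `goto err` removed, the branch guarded by `(st.st_mode & (S_IWGRP | S_IWOTH)) != 0` falls through to `opwfile_size = st.st_size;`, so an authfile that group or other can write is still parsed and its credential entries are trusted; the code should say so at that point. I would add, above the `if (cfg->debug_file)` line, a comment such as `/* Fail-open on purpose: a group/other-writable authfile is still used; the syslog warning below is the only signal. */`. The message goes out at `LOG_AUTHPRIV | LOG_WARNING` with the fixed prefix `warning(pam_u2f): Permissions`, which is worth documenting as the string to alert on, because each occurrence means a login was checked against a file another account may have edited. In a `WITH_FUZZING` build with `cfg->debug_file` unset nothing is logged at all, which looks intentional but is not stated. The enclosing function begins and ends outside the hunk, so any ownership check on the file is not visible here.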