Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package pam_u2f for openSUSE:Factory checked 
in at 2025-01-21 21:11:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pam_u2f (Old)
 and      /work/SRC/openSUSE:Factory/.pam_u2f.new.5589 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pam_u2f"

Tue Jan 21 21:11:24 2025 rev:14 rq:1239306 version:1.3.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/pam_u2f/pam_u2f.changes  2025-01-15 
17:45:30.310407462 +0100
+++ /work/SRC/openSUSE:Factory/.pam_u2f.new.5589/pam_u2f.changes        
2025-01-21 21:12:02.818852214 +0100
@@ -1,0 +2,7 @@
+Tue Jan 21 13:52:59 UTC 2025 - Paolo Perego <paolo.per...@suse.com>
+
+- update to 1.3.2:
+  * Relax authfile permission check to a warning instead of an error to prevent
+    a breaking change locking existing users out of their systems. 
+
+-------------------------------------------------------------------

Old:
----
  pam_u2f-1.3.1.tar.gz
  pam_u2f-1.3.1.tar.gz.sig

New:
----
  pam_u2f-1.3.2.tar.gz
  pam_u2f-1.3.2.tar.gz.sig

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pam_u2f.spec ++++++
--- /var/tmp/diff_new_pack.VPjTqS/_old  2025-01-21 21:12:03.266870576 +0100
+++ /var/tmp/diff_new_pack.VPjTqS/_new  2025-01-21 21:12:03.270870739 +0100
@@ -19,7 +19,7 @@
 %{!?_pam_moduledir: %define _pam_moduledir /%{_lib}/security}
 
 Name:           pam_u2f
-Version:        1.3.1
+Version:        1.3.2
 Release:        0
 Summary:        U2F authentication integration into PAM
 License:        BSD-2-Clause

++++++ pam_u2f-1.3.1.tar.gz -> pam_u2f-1.3.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pam_u2f-1.3.1/ChangeLog new/pam_u2f-1.3.2/ChangeLog
--- old/pam_u2f-1.3.1/ChangeLog 2025-01-14 16:00:55.000000000 +0100
+++ new/pam_u2f-1.3.2/ChangeLog 2025-01-16 13:22:44.000000000 +0100
@@ -1,3 +1,22 @@
+2025-01-16  Ludvig Michaelsson <ludvig.michaels...@yubico.com>
+
+       * NEWS: release 1.3.2
+
+2025-01-15  Ludvig Michaelsson <ludvig.michaels...@yubico.com>
+
+       * NEWS: NEWS: prepare for 1.3.2
+
+2025-01-15  Ludvig Michaelsson <ludvig.michaels...@yubico.com>
+
+       * util.c: util: soften authfile permission check to a warning We'd like 
to make this a hard error but it has proven to break
+       existing installations. To avoid breaking changes, revert to trying
+       our hardest to inform the administrator that this user is
+       authenticating with a potentially unsafe authfile.
+
+2025-01-14  Ludvig Michaelsson <ludvig.michaels...@yubico.com>
+
+       * NEWS, configure.ac: Bump version
+
 2025-01-14  Ludvig Michaelsson <ludvig.michaels...@yubico.com>
 
        * NEWS: release 1.3.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pam_u2f-1.3.1/NEWS new/pam_u2f-1.3.2/NEWS
--- old/pam_u2f-1.3.1/NEWS      2025-01-14 15:47:44.000000000 +0100
+++ new/pam_u2f-1.3.2/NEWS      2025-01-16 13:13:56.000000000 +0100
@@ -2,6 +2,10 @@
 
 pam-u2f NEWS -- History of user-visible changes.          -*- outline -*-
 
+* Version 1.3.2 (released 2025-01-16)
+** Relax authfile permission check to a warning instead of an error to
+prevent a breaking change locking existing users out of their systems.
+
 * Version 1.3.1 (released 2025-01-14)
 ** Fix incorrect usage of PAM_IGNORE (YSA-2025-01, CVE-2025-23013).
 ** Changed return value when nouserok is enabled and the user has no
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pam_u2f-1.3.1/configure new/pam_u2f-1.3.2/configure
--- old/pam_u2f-1.3.1/configure 2025-01-14 15:48:22.000000000 +0100
+++ new/pam_u2f-1.3.2/configure 2025-01-16 13:20:57.000000000 +0100
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.72 for pam_u2f 1.3.1.
+# Generated by GNU Autoconf 2.72 for pam_u2f 1.3.2.
 #
 # Report bugs to <https://github.com/Yubico/pam-u2f/issues>.
 #
@@ -674,8 +674,8 @@
 # Identity of this package.
 PACKAGE_NAME='pam_u2f'
 PACKAGE_TARNAME='pam_u2f'
-PACKAGE_VERSION='1.3.1'
-PACKAGE_STRING='pam_u2f 1.3.1'
+PACKAGE_VERSION='1.3.2'
+PACKAGE_STRING='pam_u2f 1.3.2'
 PACKAGE_BUGREPORT='https://github.com/Yubico/pam-u2f/issues'
 PACKAGE_URL='https://developers.yubico.com/pam-u2f/'
 
@@ -1439,7 +1439,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-'configure' configures pam_u2f 1.3.1 to adapt to many kinds of systems.
+'configure' configures pam_u2f 1.3.2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1510,7 +1510,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of pam_u2f 1.3.1:";;
+     short | recursive ) echo "Configuration of pam_u2f 1.3.2:";;
    esac
   cat <<\_ACEOF
 
@@ -1643,7 +1643,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-pam_u2f configure 1.3.1
+pam_u2f configure 1.3.2
 generated by GNU Autoconf 2.72
 
 Copyright (C) 2023 Free Software Foundation, Inc.
@@ -1867,7 +1867,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by pam_u2f $as_me 1.3.1, which was
+It was created by pam_u2f $as_me 1.3.2, which was
 generated by GNU Autoconf 2.72.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -3423,7 +3423,7 @@
 
 # Define the identity of the package.
  PACKAGE='pam_u2f'
- VERSION='1.3.1'
+ VERSION='1.3.2'
 
 
 printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -16750,7 +16750,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by pam_u2f $as_me 1.3.1, which was
+This file was extended by pam_u2f $as_me 1.3.2, which was
 generated by GNU Autoconf 2.72.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -16810,7 +16810,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-pam_u2f config.status 1.3.1
+pam_u2f config.status 1.3.2
 configured by $0, generated by GNU Autoconf 2.72,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pam_u2f-1.3.1/configure.ac 
new/pam_u2f-1.3.2/configure.ac
--- old/pam_u2f-1.3.1/configure.ac      2025-01-13 13:36:35.000000000 +0100
+++ new/pam_u2f-1.3.2/configure.ac      2025-01-16 13:12:29.000000000 +0100
@@ -1,6 +1,6 @@
 #  Copyright (C) 2014-2022 Yubico AB
 AC_PREREQ([2.65])
-AC_INIT([pam_u2f], [1.3.1], [https://github.com/Yubico/pam-u2f/issues],
+AC_INIT([pam_u2f], [1.3.2], [https://github.com/Yubico/pam-u2f/issues],
   [pam_u2f], [https://developers.yubico.com/pam-u2f/])
 
 AC_CONFIG_AUX_DIR([build-aux])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pam_u2f-1.3.1/man/pam_u2f.8 
new/pam_u2f-1.3.2/man/pam_u2f.8
--- old/pam_u2f-1.3.1/man/pam_u2f.8     2025-01-14 16:00:55.000000000 +0100
+++ new/pam_u2f-1.3.2/man/pam_u2f.8     2025-01-16 13:22:45.000000000 +0100
@@ -2,12 +2,12 @@
 .\"     Title: pam_u2f
 .\"    Author: [FIXME: author] [see http://www.docbook.org/tdg5/en/html/author]
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: Version 1.3.1
+.\"      Date: Version 1.3.2
 .\"    Manual: PAM U2F Module Manual
 .\"    Source: pam-u2f
 .\"  Language: English
 .\"
-.TH "PAM_U2F" "8" "Version 1\&.3\&.1" "pam\-u2f" "PAM U2F Module Manual"
+.TH "PAM_U2F" "8" "Version 1\&.3\&.2" "pam\-u2f" "PAM U2F Module Manual"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pam_u2f-1.3.1/man/pamu2fcfg.1 
new/pam_u2f-1.3.2/man/pamu2fcfg.1
--- old/pam_u2f-1.3.1/man/pamu2fcfg.1   2025-01-14 16:00:55.000000000 +0100
+++ new/pam_u2f-1.3.2/man/pamu2fcfg.1   2025-01-16 13:22:44.000000000 +0100
@@ -2,12 +2,12 @@
 .\"     Title: pamu2fcfg
 .\"    Author: [FIXME: author] [see http://www.docbook.org/tdg5/en/html/author]
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: Version 1.3.1
+.\"      Date: Version 1.3.2
 .\"    Manual: PAM U2F Configuration Tool
 .\"    Source: pamu2fcfg
 .\"  Language: English
 .\"
-.TH "PAMU2FCFG" "1" "Version 1\&.3\&.1" "pamu2fcfg" "PAM U2F Configuration 
Tool"
+.TH "PAMU2FCFG" "1" "Version 1\&.3\&.2" "pamu2fcfg" "PAM U2F Configuration 
Tool"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pam_u2f-1.3.1/util.c new/pam_u2f-1.3.2/util.c
--- old/pam_u2f-1.3.1/util.c    2025-01-13 13:36:35.000000000 +0100
+++ new/pam_u2f-1.3.2/util.c    2025-01-16 13:13:02.000000000 +0100
@@ -6,6 +6,7 @@
 #include <fido/es256.h>
 #include <fido/rs256.h>
 #include <fido/eddsa.h>
+#include <syslog.h>
 
 #include <openssl/ec.h>
 #include <openssl/obj_mac.h>
@@ -711,8 +712,22 @@
   }
 
   if ((st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
-    debug_dbg(cfg, "Authentication file has insecure permissions");
-    goto err;
+    /* XXX: attempt to prevent two messages to syslog */
+    if (cfg->debug_file) {
+      debug_dbg(cfg,
+                "Permissions %04o for '%s' are too open. Please change the "
+                "file mode bits to 0644 or more restrictive. This may become "
+                "an error in the future!",
+                (unsigned int) st.st_mode & 0777, cfg->auth_file);
+    }
+#ifndef WITH_FUZZING
+    /* XXX: force a message to syslog, regardless of the debug level */
+    syslog(LOG_AUTHPRIV | LOG_WARNING,
+           "warning(pam_u2f): Permissions %04o for '%s' are too open. Please "
+           "change the file mode bits to 0644 or more restrictive. This may "
+           "become an error in the future!",
+           (unsigned int) st.st_mode & 0777, cfg->auth_file);
+#endif
   }
 
   opwfile_size = st.st_size;
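Review bot: With `goto err;` removed, an authfile that is group- or world-writable now falls through to `opwfile_size = st.st_size;` and is still used for authentication, so any account able to write that file can presumably influence which credentials are accepted. The two `XXX` comments explain only the logging, not this fail-open choice; I would add inside the `if`, before the logging, something like `/* Deliberately non-fatal: a writable authfile is still parsed; warn only, to avoid locking out existing users */`. Because the logged warning is the only signal left, deployments should alert on this `LOG_AUTHPRIV | LOG_WARNING` message and tighten the mode bits. The same message text is written out twice and could be held in one macro shared by both calls, so the two copies cannot drift. The enclosing function starts and ends outside this hunk.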
