Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package pam_kwallet for openSUSE:Factory checked in at 2023-04-05 21:26:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pam_kwallet (Old) and /work/SRC/openSUSE:Factory/.pam_kwallet.new.19717 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam_kwallet" Wed Apr 5 21:26:36 2023 rev:123 rq:1077286 version:5.27.4 Changes: -------- --- /work/SRC/openSUSE:Factory/pam_kwallet/pam_kwallet.changes 2023-03-17 17:01:56.408950361 +0100 +++ /work/SRC/openSUSE:Factory/.pam_kwallet.new.19717/pam_kwallet.changes 2023-04-05 21:34:25.834149129 +0200 @@ -1,0 +2,16 @@ +Tue Apr 4 15:05:39 UTC 2023 - Fabian Vogt <fab...@ritter-vogt.de> + +- Update to 5.27.4 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/plasma/5/5.27.4 +- Changes since 5.27.3: + * Exit early if the target user is root + * Don't do anything if the password is empty + * Verify that XDG_RUNTIME_DIR is usable +- Drop patches, now upstream: + * 0001-Verify-that-XDG_RUNTIME_DIR-is-usable.patch + * 0002-Don-t-do-anything-if-the-password-is-empty.patch + * 0003-Exit-early-if-the-target-user-is-root.patch + +------------------------------------------------------------------- Old: ---- 0001-Verify-that-XDG_RUNTIME_DIR-is-usable.patch 0002-Don-t-do-anything-if-the-password-is-empty.patch 0003-Exit-early-if-the-target-user-is-root.patch kwallet-pam-5.27.3.tar.xz kwallet-pam-5.27.3.tar.xz.sig New: ---- kwallet-pam-5.27.4.tar.xz kwallet-pam-5.27.4.tar.xz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam_kwallet.spec ++++++ --- /var/tmp/diff_new_pack.9y76BM/_old 2023-04-05 21:34:26.358152120 +0200 +++ /var/tmp/diff_new_pack.9y76BM/_new 2023-04-05 21:34:26.366152166 +0200 @@ -18,7 +18,7 @@ %bcond_without released Name: pam_kwallet -Version: 5.27.3 +Version: 5.27.4 Release: 0 Summary: A PAM Module for KWallet signing License: GPL-2.0-or-later AND LGPL-2.1-only AND GPL-3.0-only 
@@ -31,9 +31,6 @@ %endif Source3: baselibs.conf # PATCH-FIX-UPSTREAM https://invent.kde.org/plasma/kwallet-pam/-/merge_requests/12 -Patch1: 0001-Verify-that-XDG_RUNTIME_DIR-is-usable.patch -Patch2: 0002-Don-t-do-anything-if-the-password-is-empty.patch -Patch3: 0003-Exit-early-if-the-target-user-is-root.patch Patch4: 0004-Don-t-call-pam_sm_open_session-within-pam_sm_authent.patch BuildRequires: extra-cmake-modules >= 1.2.0 BuildRequires: kf5-filesystem ++++++ kwallet-pam-5.27.3.tar.xz -> kwallet-pam-5.27.4.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kwallet-pam-5.27.3/CMakeLists.txt new/kwallet-pam-5.27.4/CMakeLists.txt --- old/kwallet-pam-5.27.3/CMakeLists.txt 2023-03-14 13:24:23.000000000 +0100 +++ new/kwallet-pam-5.27.4/CMakeLists.txt 2023-04-04 12:38:24.000000000 +0200 @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.16) set(KF5_MIN_VERSION "5.102.0") set(KDE_COMPILERSETTINGS_LEVEL "5.82") -set(PROJECT_VERSION "5.27.3") +set(PROJECT_VERSION "5.27.4") set(PROJECT_VERSION_MAJOR 5) find_package (ECM ${KF5_MIN_VERSION} REQUIRED NO_MODULE) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kwallet-pam-5.27.3/pam_kwallet.c new/kwallet-pam-5.27.4/pam_kwallet.c --- old/kwallet-pam-5.27.3/pam_kwallet.c 2023-03-14 13:24:23.000000000 +0100 +++ new/kwallet-pam-5.27.4/pam_kwallet.c 2023-04-04 12:38:24.000000000 +0200 @@ -265,6 +265,11 @@ return PAM_IGNORE; } + if (userInfo->pw_uid == 0) { + pam_syslog(pamh, LOG_DEBUG, "%s: Refusing to do anything for the root user", logPrefix); + return PAM_IGNORE; + } + const char *password; result = pam_get_item(pamh, PAM_AUTHTOK, (const void**)&password); @@ -294,6 +299,11 @@ return PAM_IGNORE; } + if (password[0] == '\0') { + pam_syslog(pamh, LOG_NOTICE, "%s: Empty or missing password, doing nothing", logPrefix); + return PAM_IGNORE; + } + char *key = strdup(password); result = pam_set_data(pamh, kwalletPamDataKey, key, cleanup_free); 
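Review bot: The root check in the `@@ -265,6 +265,11 @@` hunk of pam_kwallet.c is added again, line for line, in the `@@ -551,6 +574,11 @@` hunk, so the two PAM entry points can drift apart when one copy is edited. A small static helper called from both places would keep the policy in one spot, for example `static int is_root_user(const struct passwd *pw) { return pw->pw_uid == 0; }` (assuming `userInfo` is a `struct passwd *`, which the `pw_uid`/`pw_name` accesses suggest). Neither copy says why UID 0 is skipped; a one-line comment above the check giving the reason would save the next reader a trip to the upstream merge request. Both enclosing functions start and end outside their hunks.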
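Review bot: In the `@@ -294,6 +299,11 @@` hunk of pam_kwallet.c, `password[0]` is read with no NULL test visible inside the hunk; the guard that closes just above it begins outside the hunk, so it cannot be confirmed from here that every path leaves `password` non-NULL (`pam_get_item` can succeed and still hand back a NULL item). Writing the condition as `if (!password || password[0] == '\0') {` makes the check self-contained and matches the log text, which says "Empty or missing password". The context line `char *key = strdup(password);` is handed to `pam_set_data` with no visible check of the `strdup` result; that is worth confirming in the lines after the hunk.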
@@ -455,6 +465,19 @@ snprintf(fullSocket, needed, "%s/%s_%s%s", socketPath, socketPrefix, userInfo->pw_name, ".socket"); } else { socketPath = get_env(pamh, "XDG_RUNTIME_DIR"); + // Check whether XDG_RUNTIME_DIR is usable + if (socketPath) { + struct stat rundir_stat; + if (stat(socketPath, &rundir_stat) != 0) { + pam_syslog(pamh, LOG_ERR, "%s: Failed to stat %s", logPrefix, socketPath); + socketPath = NULL; + } else if(!S_ISDIR(rundir_stat.st_mode) || (rundir_stat.st_mode & ~S_IFMT) != 0700 + || rundir_stat.st_uid != userInfo->pw_uid) { + pam_syslog(pamh, LOG_ERR, "%s: %s has wrong type, perms or ownership", logPrefix, socketPath); + socketPath = NULL; + } + } + if (socketPath) { size_t needed = snprintf(NULL, 0, "%s/%s%s", socketPath, socketPrefix, ".socket"); needed += 1; @@ -551,6 +574,11 @@ return PAM_IGNORE; } + if (userInfo->pw_uid == 0) { + pam_syslog(pamh, LOG_DEBUG, "%s: Refusing to do anything for the root user", logPrefix); + return PAM_IGNORE; + } + char *password; result = pam_get_data(pamh, kwalletPamDataKey, (const void **)&password);
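Review bot: In the `@@ -455,6 +465,19 @@` hunk, the XDG_RUNTIME_DIR validation calls `stat()`, which follows symbolic links, so a symlink that resolves to a 0700 directory owned by the user is accepted; if a symlinked runtime directory is not meant to pass, use `if (lstat(socketPath, &rundir_stat) != 0) {`. The check is made on the path name and the socket path is then built from the same string, so this is a check-then-use on a name; how and under which credentials the socket is later created is outside the hunk, and a comment stating that assumption next to the check would help. The failure branch also drops the cause: `pam_syslog(pamh, LOG_ERR, "%s: Failed to stat %s: %s", logPrefix, socketPath, strerror(errno));` would record it, provided `errno.h` and `string.h` are already included in the file.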