Hello community, here is the log from the commit of package pam-python for openSUSE:Factory checked in at 2019-09-30 15:58:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pam-python (Old) and /work/SRC/openSUSE:Factory/.pam-python.new.2352 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam-python" Mon Sep 30 15:58:05 2019 rev:4 rq:733647 version:1.0.7 Changes: -------- --- /work/SRC/openSUSE:Factory/pam-python/pam-python.changes 2018-07-28 12:45:32.369004902 +0200 +++ /work/SRC/openSUSE:Factory/.pam-python.new.2352/pam-python.changes 2019-09-30 15:58:06.585422479 +0200 @@ -1,0 +2,16 @@ +Fri Sep 27 08:47:08 UTC 2019 - Malte Kraus <malte.kr...@suse.com> + +- python scripts are now searched for in /lib64/security just like + regular PAM modules on 64bit platforms + +------------------------------------------------------------------- +Tue Sep 24 09:37:44 UTC 2019 - alexander_nau...@opensuse.org + +- Update to version 1.0.7: + * Bugfix: local root exploit (CVE-2019-16729) + +- Adding 'python2.7' as a dependency +- Adding 'gcc' as a build dependency +- Remove not_null_argument_for_strcmp.patch + +------------------------------------------------------------------- Old: ---- not_null_argument_for_strcmp.patch pam-python-1.0.6.tar.gz New: ---- pam-python-1.0.7.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam-python.spec ++++++ --- /var/tmp/diff_new_pack.HZjjbv/_old 2019-09-30 15:58:07.021421318 +0200 +++ /var/tmp/diff_new_pack.HZjjbv/_new 2019-09-30 15:58:07.025421307 +0200 @@ -1,7 +1,7 @@ # # spec file for package pam-python # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -12,23 +12,24 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Name: pam-python -Version: 1.0.6 +Version: 1.0.7 Release: 0 Summary: PAM module that allows PAM modules to be written in Python -License: AGPL-3.0 +License: AGPL-3.0-only Group: Productivity/Security Url: http://pam-python.sourceforge.net/ Source: pam-python-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-build +BuildRequires: gcc BuildRequires: pam-devel BuildRequires: python-devel BuildRequires: python-sphinx -Patch0: not_null_argument_for_strcmp.patch +Requires: python = 2.7 Patch1: werror.patch %description @@ -37,15 +38,16 @@ %prep %setup -%patch0 -p1 %patch1 -p1 %build +# XX: the build system overrides CFLAGS, but flags for the preprocessor are passed to the C compiler +export CPPFLAGS='-DDEFAULT_SECURITY_DIR=\"/%{_lib}/security\" %{optflags}' make %install -mkdir -p $RPM_BUILD_ROOT/%{_lib}/security -install --mode=755 --strip src/pam_python.so $RPM_BUILD_ROOT/%{_lib}/security +export LIBDIR=$RPM_BUILD_ROOT/%{_lib}/security +make install-lib %files %defattr(-,root,root) ++++++ pam-python-1.0.6.tar.gz -> pam-python-1.0.7.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam-python-1.0.6/ChangeLog.txt new/pam-python-1.0.7/ChangeLog.txt --- old/pam-python-1.0.6/ChangeLog.txt 2016-08-27 13:36:51.000000000 +0200 +++ new/pam-python-1.0.7/ChangeLog.txt 2019-09-18 12:24:55.000000000 +0200 
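Review bot: The `DEFAULT_SECURITY_DIR` value exported in the `%build` hunk has no trailing slash, and the C code that consumes the macro is not part of this diff. If pam_python.c joins the macro and the script name by plain concatenation, a relative script name would resolve next to the directory rather than inside it, so please confirm against the source and use `\"/%{_lib}/security/\"` if needed. Since a privileged PAM stack loads code from this directory, a comment stating that it must stay root-owned and not group- or world-writable would also help. The `# XX:` comment would read better as a sentence saying that `%{optflags}` are passed via CPPFLAGS because the upstream Makefile overrides CFLAGS.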
@@ -1,3 +1,7 @@ +pam-python-1.0.7 Wed, 18 Sep 2019 20:23:54 +1000 + + Bug: Local root exploit. + pam-python-1.0.6 Sat, 27 Aug 2016 21:35:36 +1000 New: Update Makefile.release diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam-python-1.0.6/Makefile.release new/pam-python-1.0.7/Makefile.release --- old/pam-python-1.0.6/Makefile.release 2016-08-27 14:27:10.000000000 +0200 +++ new/pam-python-1.0.7/Makefile.release 2019-09-21 15:30:38.000000000 +0200 @@ -1,5 +1,11 @@ # -# Do a release. Does the following: +# Do a release. +# +# This is file is identical for _all_ sourceforge projects I host. It is +# designed to one thing: automate my sourceforce work flow. Be warned that +# I will selfishly reject any patches that don't do that. +# +# It does the following: # # 1. Verifies the changelogs have been updated to a consistent version. # @@ -18,7 +24,7 @@ # 7. Sends the HTML file, and other files references by it, to the web # site. # -# Copyright (c) 2013,2014,2015,2016 Russell Stuart. +# Copyright (c) 2013,2014,2015,2016,2017,2018,2019 Russell Stuart. # Licensed (at your choice) under GPLv2, or any later version, # or AGPL-3.0+, or any later version. # @@ -97,7 +103,7 @@ # # Insert the debian packates into the release. # - DEBIAN_KERNEL_USE_CCACHE="yes" debuild --preserve-env --preserve-envvar="PATH" -k0xE7843A8C -sa --lintian-opts --info --display-info --display-experimental + DEBIAN_KERNEL_USE_CCACHE="yes" debuild --preserve-env --preserve-envvar="PATH" -k0xF5231C62E7843A8C -sa --lintian-opts --info --display-info --display-experimental mkdir -p "$(RELEASE_FILES)" rm ../$(RELEASE_PACKAGE_NAME)_$(RELEASE_DEBIAN_VERSION)_*.build set -xve; mv $$(sed -n '1,/^Files:/d;/^$$/q;s:.* :../:p' ../$(RELEASE_PACKAGE_NAME)_$(RELEASE_DEBIAN_VERSION)_*.changes) ../$(RELEASE_PACKAGE_NAME)_$(RELEASE_DEBIAN_VERSION)_*.changes $(RELEASE_FILES) 
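Review bot: The `debuild` line still selects the signing key by an abbreviated ID (`-k0xF5231C62E7843A8C`). The 64-bit form is much harder to collide than the previous 32-bit one, but only the full fingerprint identifies a key unambiguously. Consider `-k<FULL_KEY_FINGERPRINT>` (placeholder; the fingerprint is not shown on this page) so that a release cannot be signed with a different key in the local keyring that shares the same ID.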
@@ -141,11 +147,11 @@ .PHONY: release-customise release-customise:: -.PHONY: upload -upload: upload-htdocs upload-files +.PHONY: release-upload +release-upload: release-upload-htdocs release-upload-files -.PHONY: upload-htdocs -upload-htdocs: $(RELEASE_DIR)/release.stamp +.PHONY: release-upload-htdocs +release-upload-htdocs: $(RELEASE_DIR)/release.stamp # # Send the files that a symlink'ed first, otherwise it fails on the # 1st send. @@ -153,8 +159,8 @@ cd $(RELEASE_DIR); rsync -avPR $$(for f in $$(find htdocs -name index.html -type l); do ff=$$(readlink "$${f}"); echo $${f%/*}/$${ff}; done) rstuart,$(RELEASE_PACKAGE_NAME)@web.sourceforge.net:. rsync -avP --delete $(RELEASE_HTDOCS)/. rstuart,$(RELEASE_PACKAGE_NAME)@web.sourceforge.net:htdocs/. -.PHONY: upload-files -upload-files: $(RELEASE_DIR)/release.stamp +.PHONY: release-upload-files +release-upload-files: $(RELEASE_DIR)/release.stamp rsync -avP --delete $(RELEASE_FILES) rstuart,$(RELEASE_PACKAGE_NAME)@frs.sourceforge.net:/home/frs/project/$(RELEASE_PACKAGE_NAME)/. .PHONY: release-clean diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam-python-1.0.6/README.txt new/pam-python-1.0.7/README.txt --- old/pam-python-1.0.6/README.txt 2016-08-27 14:27:10.000000000 +0200 +++ new/pam-python-1.0.7/README.txt 2019-09-21 15:30:38.000000000 +0200 @@ -9,7 +9,7 @@ HTML documentation style. All documentation is readable online at the home page: - http://pam-pathon.sourceforge.net/ + http://pam-python.sourceforge.net/ Dependencies @@ -17,6 +17,8 @@ Python >= 2.6, http://www.python.org pam >= 0.76, http://pam.sourceforge.net/ + PyPAM (Debian package python-pam, needed for testing only) + Building and Installing @@ -31,6 +33,7 @@ In addition the unit test requires: - sudo, http://www.sudo.ws/ - An account with root privileges. + - PyPAM (for testing only) To build the re-distributable, in the directory containing this file run: 
@@ -46,7 +49,7 @@ License ------- - Copyright (c) 2007-2014,2016 Russell Stuart. + Copyright (c) 2007-2014,2016,2019 Russell Stuart. This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam-python-1.0.6/doc/conf.py new/pam-python-1.0.7/doc/conf.py --- old/pam-python-1.0.6/doc/conf.py 2016-08-27 14:27:10.000000000 +0200 +++ new/pam-python-1.0.7/doc/conf.py 2019-09-21 15:30:38.000000000 +0200 @@ -1,7 +1,7 @@ master_doc = 'pam_python' project = u'pam_python' -copyright = u'2010,2014,2016, Russell Stuart' -version = '1.0.6' -release = '1.0.6' +copyright = u'2010,2014,2016,2019, Russell Stuart' +version = '1.0.7' +release = '1.0.7' extensions = ['sphinx.ext.intersphinx'] intersphinx_mapping = {'python': ('http://docs.python.org/2.7', None)} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam-python-1.0.6/pam-python.html new/pam-python-1.0.7/pam-python.html --- old/pam-python-1.0.6/pam-python.html 2016-08-27 14:27:10.000000000 +0200 +++ new/pam-python-1.0.7/pam-python.html 2019-09-21 15:30:38.000000000 +0200 @@ -44,7 +44,7 @@ <h2>Copyright and License</h2> <p> - Pam-python is copyright © 2007-2012,2014,2016 Russell Stuart. + Pam-python is copyright © 2007-2012,2014,2016,2019 Russell Stuart. It is licensed under the <a href="agpl-3.0.txt">GNU Affero General Public License</a>. </p> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam-python-1.0.6/src/Makefile new/pam-python-1.0.7/src/Makefile --- old/pam-python-1.0.6/src/Makefile 2016-08-27 14:27:10.000000000 +0200 +++ new/pam-python-1.0.7/src/Makefile 2019-09-21 15:30:38.000000000 +0200 
@@ -23,6 +23,7 @@ clean: rm -rf build ctest pam_python.so test-pam_python.pam test.pyc core [ ! -e /etc/pam.d/test-pam_python.pam ] || { s=$$([ $$(id -u) = 0 ] || echo sudo); $$s rm -f /etc/pam.d/test-pam_python.pam; } + [ ! -e /etc/pam.d/test-pam_python-installed.pam ] || { s=$$([ $$(id -u) = 0 ] || echo sudo); $$s rm -f /etc/pam.d/test-pam_python-installed.pam; } .PHONY: ctest ctest: ctest.c Makefile @@ -39,3 +40,15 @@ test: pam_python.so ctest /etc/pam.d/test-pam_python.pam python test.py ./ctest + +test-pam_python-installed.pam: test-pam_python.pam.in Makefile + sed "s,\\\$$PWD/pam-python.so,pam-python.so,;s,\\\$$PWD,$$(pwd),g" "$@.in" >"$@.tmp" + mv $@.tmp $@ + +/etc/pam.d/test-pam_python-installed.pam: test-pam_python-installed.pam + s=$$([ $$(id -u) = 0 ] || echo sudo); $$s ln -sf $$(pwd)/test-pam_python-installed.pam /etc/pam.d + +.PHONY: installed-test +installed-test: ctest /etc/pam.d/test-pam_python-installed.pam + python test.py + ./ctest diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam-python-1.0.6/src/pam_python.c new/pam-python-1.0.7/src/pam_python.c --- old/pam-python-1.0.6/src/pam_python.c 2016-08-27 14:27:10.000000000 +0200 +++ new/pam-python-1.0.7/src/pam_python.c 2019-09-21 15:30:38.000000000 +0200 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007-2012,2014,2016 Russell Stuart + * Copyright (c) 2007-2012,2014,2016,2019 Russell Stuart * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License as published @@ -67,6 +67,8 @@ const char libpam_python_version[] = "1.0.3"; const char libpam_python_date[] = "2014-05-05"; +#define PyCFunctionKwds_cast (PyCFunction)(Py_ssize_t) + /* * Add typedef for Py_ssize_t if it you have an older python. */ 
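Review bot: The new `/etc/pam.d/test-pam_python-installed.pam` rule links a system PAM service name to a file in the build tree (`ln -sf $$(pwd)/test-pam_python-installed.pam /etc/pam.d`), so anyone who can write that directory controls a PAM stack on the host until `make clean` removes the link. Copying the file instead, e.g. `$$s install -m 644 test-pam_python-installed.pam /etc/pam.d/`, or at least a comment saying the target is meant for throwaway test machines only, would avoid that. Separately, the sed expression matches `pam-python.so` with a hyphen while the `clean` rule in this Makefile names the module `pam_python.so`. The `.in` template is not shown, so please confirm that the first substitution actually fires; otherwise the "installed" test would still load the build-tree module.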
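Review bot: `PyCFunctionKwds_cast` is introduced without a comment, and routing a function pointer through `Py_ssize_t` is an implementation-defined conversion whose only purpose appears to be silencing the compiler's function-type cast warning. A one-line comment such as `/* Cast for METH_KEYWORDS handlers; the intermediate cast suppresses -Wcast-function-type. */` would make that explicit. `(PyCFunction)(void (*)(void))` is the intermediate type GCC documents for this purpose and avoids the pointer-to-integer round trip.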
@@ -85,6 +87,11 @@
 static void initialise_python(void)
 {
 #if PY_MAJOR_VERSION*100 + PY_MINOR_VERSION >= 204
+ Py_DontWriteBytecodeFlag = 1;
+ Py_IgnoreEnvironmentFlag = 1;
+ /* Py_IsolatedFlag = 1; Python3 only */
+ Py_NoSiteFlag = 1;
+ Py_NoUserSiteDirectory = 1;
 Py_InitializeEx(0);
 #else
 size_t signum;
@@ -317,7 +324,7 @@
 {
 {
 "write",
- (PyCFunction)SyslogFile_write,
+ PyCFunctionKwds_cast SyslogFile_write,
 METH_VARARGS|METH_KEYWORDS,
 0
 },
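Review bot: The four interpreter flags added before `Py_InitializeEx(0)` carry no comment tying them to the local root issue named in the changelog (CVE-2019-16729), so a later cleanup could remove them without realising they are the hardening. Suggest a comment such as `/* Security: this runs inside privileged callers; ignore PYTHON* environment variables and site/user-site directories, and never write .pyc files. */`. The flags are set only in the `>= 204` branch, so the `#else` path that follows gets none of them. They are also process-wide globals that take effect only if set before the interpreter is initialised, so if the host application may already embed Python, that case deserves a note as well. The body of `initialise_python` continues outside the hunk, so neither point can be fully checked from here.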
@@ -1349,16 +1356,16 @@ static PyMethodDef PamEnv_Methods[] = { - {"__contains__", (PyCFunction)PamEnv_has_key,METH_VARARGS|METH_KEYWORDS, 0}, - {"__getitem__", (PyCFunction)PamEnv_getitem,METH_VARARGS|METH_KEYWORDS, 0}, - {"get", (PyCFunction)PamEnv_get, METH_VARARGS|METH_KEYWORDS, 0}, - {"has_key", (PyCFunction)PamEnv_has_key,METH_VARARGS|METH_KEYWORDS, 0}, - {"items", (PyCFunction)PamEnv_items, METH_VARARGS|METH_KEYWORDS, 0}, - {"iteritems", (PyCFunction)PamEnv_iteritems,METH_VARARGS|METH_KEYWORDS, 0}, - {"iterkeys", (PyCFunction)PamEnv_iterkeys,METH_VARARGS|METH_KEYWORDS, 0}, - {"itervalues", (PyCFunction)PamEnv_itervalues,METH_VARARGS|METH_KEYWORDS, 0}, - {"keys", (PyCFunction)PamEnv_keys, METH_VARARGS|METH_KEYWORDS, 0}, - {"values", (PyCFunction)PamEnv_values, METH_VARARGS|METH_KEYWORDS, 0}, + {"__contains__", PyCFunctionKwds_cast PamEnv_has_key,METH_VARARGS|METH_KEYWORDS, 0}, + {"__getitem__", PyCFunctionKwds_cast PamEnv_getitem,METH_VARARGS|METH_KEYWORDS, 0}, + {"get", PyCFunctionKwds_cast PamEnv_get, METH_VARARGS|METH_KEYWORDS, 0}, + {"has_key", PyCFunctionKwds_cast PamEnv_has_key,METH_VARARGS|METH_KEYWORDS, 0}, + {"items", PyCFunctionKwds_cast PamEnv_items, METH_VARARGS|METH_KEYWORDS, 0}, + {"iteritems", PyCFunctionKwds_cast PamEnv_iteritems,METH_VARARGS|METH_KEYWORDS, 0}, + {"iterkeys", PyCFunctionKwds_cast PamEnv_iterkeys,METH_VARARGS|METH_KEYWORDS, 0}, + {"itervalues", PyCFunctionKwds_cast PamEnv_itervalues,METH_VARARGS|METH_KEYWORDS, 0}, + {"keys", PyCFunctionKwds_cast PamEnv_keys, METH_VARARGS|METH_KEYWORDS, 0}, + {"values", PyCFunctionKwds_cast PamEnv_values, METH_VARARGS|METH_KEYWORDS, 0}, {0,0,0,0} /* Sentinel */ }; @@ -2029,7 +2036,7 @@ { { "conversation", - (PyCFunction)PamHandle_conversation, + PyCFunctionKwds_cast PamHandle_conversation, METH_VARARGS|METH_KEYWORDS, MODULE_NAME "." PAMHANDLE_NAME "." "conversation(prompts)\n" " Ask the application to issue the prompts to the user and return the\n" 
@@ -2039,7 +2046,7 @@ }, { "fail_delay", - (PyCFunction)PamHandle_fail_delay, + PyCFunctionKwds_cast PamHandle_fail_delay, METH_VARARGS|METH_KEYWORDS, MODULE_NAME "." PAMHANDLE_NAME "." "fail_delay(micro_sec)\n" " Sets the amount of time a failed authenticate attempt should delay for\n" @@ -2048,7 +2055,7 @@ }, { "get_user", - (PyCFunction)PamHandle_get_user, + PyCFunctionKwds_cast PamHandle_get_user, METH_VARARGS|METH_KEYWORDS, MODULE_NAME "." PAMHANDLE_NAME "." "getuser([prompt])\n" " If " PAMHANDLE_NAME ".user isn't None return it, otherwise ask the\n" @@ -2057,7 +2064,7 @@ }, { "strerror", - (PyCFunction)PamHandle_strerror, + PyCFunctionKwds_cast PamHandle_strerror, METH_VARARGS|METH_KEYWORDS, MODULE_NAME "." PAMHANDLE_NAME "." "strerror(errnum)\n" " Return a string describing the pam error errnum." @@ -2226,7 +2233,7 @@ goto error_exit; } dot = strrchr(user_module_name, '.'); - if (dot != 0 || strcmp(dot, ".py") == 0) + if (dot != 0 && strcmp(dot, ".py") == 0) *dot = '\0'; *user_module = PyModule_New(user_module_name); if (*user_module == 0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam-python-1.0.6/src/setup.py new/pam-python-1.0.7/src/setup.py --- old/pam-python-1.0.6/src/setup.py 2016-08-27 14:27:10.000000000 +0200 +++ new/pam-python-1.0.7/src/setup.py 2019-09-21 15:30:38.000000000 +0200 @@ -43,7 +43,7 @@ setup( name="pam_python", - version="1.0.6", + version="1.0.7", description="Enabled PAM Modules to be written in Python", keywords="pam,embed,authentication,security", platforms="Unix",