diff --git a/pam-1.0.4-unix-safeguards.patch b/pam-1.0.4-unix-safeguards.patch index 94a2878..d3377dd 100644 --- a/pam-1.0.4-unix-safeguards.patch +++ b/pam-1.0.4-unix-safeguards.patch @@ -1,6 +1,6 @@ diff -up Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c.safeguards Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c --- Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c.safeguards 2009-03-17 11:25:11.000000000 +0100 -+++ Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c 2009-03-17 11:25:11.000000000 +0100 ++++ Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c 2009-03-26 10:29:32.000000000 +0100 @@ -139,7 +139,7 @@ static int _unix_run_update_binary(pam_h const char *fromwhat, const char *towhat, int remember) { @@ -28,7 +28,7 @@ diff -up Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c.safeguards Linux-PAM struct rlimit rlim; static char *envp[] = { NULL }; char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL }; -@@ -171,15 +173,14 @@ static int _unix_run_update_binary(pam_h +@@ -171,15 +173,18 @@ static int _unix_run_update_binary(pam_h /* XXX - should really tidy up PAM here too */ @@ -36,6 +36,10 @@ diff -up Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c.safeguards Linux-PAM /* reopen stdin as pipe */ - close(fds[1]); dup2(fds[0], STDIN_FILENO); ++ /* and replace also the stdout/err as the helper will ++ not write anything there */ ++ dup2(fds[1], STDOUT_FILENO); ++ dup2(fds[1], STDERR_FILENO); if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { - for (i=2; i < rlim.rlim_max; i++) { @@ -48,7 +52,7 @@ diff -up Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c.safeguards Linux-PAM } } -@@ -239,8 +240,8 @@ static int _unix_run_update_binary(pam_h +@@ -239,8 +244,8 @@ static int _unix_run_update_binary(pam_h retval = PAM_AUTH_ERR; } @@ -61,7 +65,7 @@ diff -up Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c.safeguards Linux-PAM return retval; diff -up Linux-PAM-1.0.4/modules/pam_unix/support.c.safeguards Linux-PAM-1.0.4/modules/pam_unix/support.c --- Linux-PAM-1.0.4/modules/pam_unix/support.c.safeguards 2009-03-17 11:25:11.000000000 +0100 -+++ Linux-PAM-1.0.4/modules/pam_unix/support.c 2009-03-17 11:25:11.000000000 +0100 ++++ Linux-PAM-1.0.4/modules/pam_unix/support.c 2009-03-26 10:29:54.000000000 +0100 @@ -396,7 +396,7 @@ static int _unix_run_helper_binary(pam_h unsigned int ctrl, const char *user) { @@ -82,7 +86,7 @@ diff -up Linux-PAM-1.0.4/modules/pam_unix/support.c.safeguards Linux-PAM-1.0.4/m } /* fork */ -@@ -427,15 +429,14 @@ static int _unix_run_helper_binary(pam_h +@@ -427,15 +429,18 @@ static int _unix_run_helper_binary(pam_h /* XXX - should really tidy up PAM here too */ @@ -90,6 +94,10 @@ diff -up Linux-PAM-1.0.4/modules/pam_unix/support.c.safeguards Linux-PAM-1.0.4/m /* reopen stdin as pipe */ - close(fds[1]); dup2(fds[0], STDIN_FILENO); ++ /* and replace also the stdout/err as the helper will ++ not write anything there */ ++ dup2(fds[1], STDOUT_FILENO); ++ dup2(fds[1], STDERR_FILENO); if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { - for (i=2; i < (int)rlim.rlim_max; i++) { @@ -102,7 +110,7 @@ diff -up Linux-PAM-1.0.4/modules/pam_unix/support.c.safeguards Linux-PAM-1.0.4/m } } -@@ -488,8 +489,8 @@ static int _unix_run_helper_binary(pam_h +@@ -488,8 +493,8 @@ static int _unix_run_helper_binary(pam_h retval = PAM_AUTH_ERR; } @@ -115,7 +123,7 @@ diff -up Linux-PAM-1.0.4/modules/pam_unix/support.c.safeguards Linux-PAM-1.0.4/m D(("returning %d", retval)); diff -up Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c.safeguards Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c --- Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c.safeguards 2009-03-03 10:00:31.000000000 +0100 -+++ Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c 2009-03-17 15:14:09.000000000 +0100 ++++ Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c 2009-03-26 10:29:17.000000000 +0100 @@ -65,7 +65,7 @@ int _unix_run_verify_binary(pam_handle_t const char *user, int *daysleft) { @@ -125,7 +133,7 @@ diff -up Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c.safeguards Linux-PAM-1 D(("running verify_binary")); /* create a pipe for the messages */ -@@ -85,29 +85,32 @@ int _unix_run_verify_binary(pam_handle_t +@@ -85,29 +85,33 @@ int _unix_run_verify_binary(pam_handle_t * The "noreap" module argument is provided so that the admin can * override this behavior. */ @@ -149,9 +157,10 @@ diff -up Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c.safeguards Linux-PAM-1 - close(fds[0]); + /* reopen stdout as pipe */ dup2(fds[1], STDOUT_FILENO); -+ /* and replace also the stdin so we do not exec the helper with ++ /* and replace also the stdin, stderr so we do not exec the helper with + tty as stdin, it will not read anything from there anyway */ + dup2(fds[0], STDIN_FILENO); ++ dup2(fds[1], STDERR_FILENO); /* XXX - should really tidy up PAM here too */ @@ -167,7 +176,7 @@ diff -up Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c.safeguards Linux-PAM-1 } } -@@ -126,7 +129,6 @@ int _unix_run_verify_binary(pam_handle_t +@@ -126,7 +130,6 @@ int _unix_run_verify_binary(pam_handle_t pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m"); /* should not get here: exit with error */ @@ -175,7 +184,7 @@ diff -up Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c.safeguards Linux-PAM-1 D(("helper binary is not available")); printf("-1\n"); exit(PAM_AUTHINFO_UNAVAIL); -@@ -162,9 +164,11 @@ int _unix_run_verify_binary(pam_handle_t +@@ -162,9 +165,11 @@ int _unix_run_verify_binary(pam_handle_t } close(fds[0]); } diff --git a/pam.spec b/pam.spec index 8d36e0b..b0cb73b 100644 --- a/pam.spec +++ b/pam.spec @@ -3,7 +3,7 @@ Summary: A security tool which provides authentication for applications Name: pam Version: 1.0.4 -Release: 2%{?dist} +Release: 3%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, # pam_rhosts_auth module is BSD with advertising @@ -336,6 +336,9 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Thu Mar 26 2009 Tomas Mraz 1.0.4-3 +- replace all std descriptors when calling helpers (#491471) + * Tue Mar 17 2009 Tomas Mraz 1.0.4-2 - update to new upstream minor release (bugfixes and minor security fixes)