July 2011 - openSUSE Commits - openSUSE Mailing Lists

commit libsoup for openSUSE:11.4
by root＠hilbert.suse.de 29 Jul '11

29 Jul '11

Hello community, here is the log from the commit of package libsoup for openSUSE:11.4 checked in at Fri Jul 29 18:12:28 CEST 2011. Patchinfo file has no description Patchinfo file has no description Patchinfo file has no description -------- --- old-versions/11.4/all/libsoup/libsoup.changes 2010-11-30 10:36:16.000000000 +0100 +++ 11.4/libsoup/libsoup.changes 2011-07-29 10:21:22.000000000 +0200 @@ -1,0 +2,9 @@ +Fri Jul 29 10:18:00 CEST 2011 - vuntz(a)opensuse.org + +- Add libsoup-CVE-2011-2524.patch: Fixed a security hole that + caused some SoupServer users to unintentionally allow accessing + the entire local filesystem when they thought they were only + providing access to a single directory. Fix bnc#706630, + CVE-2011-2524. + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/libsoup Destination is old-versions/11.4/UPDATES/all/libsoup calling whatdependson for 11.4-i586 New: ---- libsoup-CVE-2011-2524.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libsoup.spec ++++++ --- /var/tmp/diff_new_pack.qpY9I8/_old 2011-07-29 18:12:05.000000000 +0200 +++ /var/tmp/diff_new_pack.qpY9I8/_new 2011-07-29 18:12:05.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package libsoup (Version 2.32.2) +# spec file for package libsoup # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -21,7 +21,7 @@ Name: libsoup Summary: HTTP client/server library for GNOME Version: 2.32.2 -Release: 1 +Release: 3.<RELEASE4> License: LGPLv2.1+ Group: Development/Libraries/GNOME Url: http://www.gnome.org @@ -29,6 +29,8 @@ Source99: baselibs.conf # PATCH-FIX-OPENSUSE libsoup-gnutls-allow-tls.patch bnc#634040 vuntz(a)opensuse.org -- Allow TLS usage instead of being SSL 3.0-only. Upstream does not want this, and rewriting a lot of code is needed to fix this correctly. However, the openSUSE security team wants TLS to be used if possible. This might lead to some websites being not accessible with libsoup. Patch0: libsoup-gnutls-allow-tls.patch +# PATCH-FIX-UPSTREAM libsoup-CVE-2011-2524.patch bnc#706630 CVE-2011-2524 vuntz(a)opensuse.org -- filesystem exposure flaw due to bad parsing of ".." +Patch1: libsoup-CVE-2011-2524.patch BuildRequires: gconf2-devel BuildRequires: glib2-devel BuildRequires: gnutls-devel @@ -115,6 +117,7 @@ %prep %setup -q %patch0 -p1 +%patch1 -p1 %build %configure\ ++++++ libsoup-CVE-2011-2524.patch ++++++ >From cbeeb7a0f7f0e8b16f2d382157496f9100218dea Mon Sep 17 00:00:00 2001 From: Dan Winship <danw(a)gnome.org> Date: Wed, 29 Jun 2011 14:04:06 +0000 Subject: SoupServer: fix to not allow smuggling ".." into path When SoupServer:raw-paths was set (the default), it was possible to sneak ".." segments into the path passed to the SoupServerHandler, which could then end up tricking some handlers into retrieving arbitrary files from the filesystem. Fix that. https://bugzilla.gnome.org/show_bug.cgi?id=653258 --- diff --git a/libsoup/soup-server.c b/libsoup/soup-server.c index d56efd1..7225337 100644 --- a/libsoup/soup-server.c +++ b/libsoup/soup-server.c @@ -779,6 +779,15 @@ got_headers (SoupMessage *req, SoupClientContext *client) uri = soup_message_get_uri (req); decoded_path = soup_uri_decode (uri->path); + + if (strstr (decoded_path, "/../") || + g_str_has_suffix (decoded_path, "/..")) { + /* Introducing new ".." segments is not allowed */ + g_free (decoded_path); + soup_message_set_status (req, SOUP_STATUS_BAD_REQUEST); + return; + } + soup_uri_set_path (uri, decoded_path); g_free (decoded_path); } -- cgit v0.9 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit clamav for openSUSE:11.4
by root＠hilbert.suse.de 29 Jul '11

29 Jul '11

Hello community, here is the log from the commit of package clamav for openSUSE:11.4 checked in at Fri Jul 29 18:12:03 CEST 2011. Patchinfo file has no description Patchinfo file has no description Patchinfo file has no description -------- --- old-versions/11.4/UPDATES/all/clamav/clamav.changes 2011-06-10 16:49:23.000000000 +0200 +++ 11.4/clamav/clamav.changes 2011-07-28 15:15:16.000000000 +0200 @@ -1,0 +2,15 @@ +Tue Jul 26 08:55:27 UTC 2011 - max(a)novell.com + +- New version 0.97.2 (bnc#708263): + * libclamav/matcher-hash.c: off by one read in cli_hm_scan + (bb#2818, CVE-2011-2721). + * libclamav/pdf.c: fix encrypted pdf detection (bb #2988) + * clamav-milter/clamfi.c: fix typo in error message (bb#3040) + * libclamav/lzma_iface.c: shut up huge alloc warns for 7z/lzma + (bb#2913) + * libclamav/c++/bytecode2llvm.cpp: fix use of unaddressable data + in bytecode_watchdog. + * libclamav/phishcheck.c: fix safebrowsing detection on certain + URLs + +------------------------------------------------------------------- calling whatdependson for 11.4-i586 Old: ---- clamav-0.97.1.tar.bz2 New: ---- clamav-0.97.2.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ clamav.spec ++++++ --- /var/tmp/diff_new_pack.GrfPQQ/_old 2011-07-29 18:11:48.000000000 +0200 +++ /var/tmp/diff_new_pack.GrfPQQ/_new 2011-07-29 18:11:48.000000000 +0200 @@ -36,7 +36,7 @@ %define clamav_check --disable-check %endif Summary: Antivirus Toolkit -Version: 0.97.1 +Version: 0.97.2 Release: 1.<RELEASE2> License: GPLv2 Group: Productivity/Security ++++++ clamav-0.97.1.tar.bz2 -> clamav-0.97.2.tar.bz2 ++++++ old-versions/11.4/UPDATES/all/clamav/clamav-0.97.1.tar.bz2 11.4/clamav/clamav-0.97.2.tar.bz2 differ: char 11, line 1 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit pam-modules for openSUSE:11.4
by root＠hilbert.suse.de 29 Jul '11

29 Jul '11

Hello community, here is the log from the commit of package pam-modules for openSUSE:11.4 checked in at Fri Jul 29 18:11:55 CEST 2011. Patchinfo file has no description Patchinfo file has no description Patchinfo file has no description -------- --- old-versions/11.4/all/pam-modules/pam-modules.changes 2010-08-11 12:48:07.000000000 +0200 +++ 11.4/pam-modules/pam-modules.changes 2011-07-20 10:29:41.000000000 +0200 @@ -1,0 +2,6 @@ +Wed Jul 20 08:29:05 UTC 2011 - lnussel(a)suse.de + +- add compat mode options to deal with crypt_blowfish signedness bug + (bnc#700876, CVE-2011-2483) + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/pam-modules Destination is old-versions/11.4/UPDATES/all/pam-modules calling whatdependson for 11.4-i586 New: ---- pam_unix2-2.7.4-CVE-2011-2483.diff pam_unix2-2.7.4-retvalmagic.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam-modules.spec ++++++ --- /var/tmp/diff_new_pack.jx2X0A/_old 2011-07-29 18:11:44.000000000 +0200 +++ /var/tmp/diff_new_pack.jx2X0A/_new 2011-07-29 18:11:44.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package pam-modules (Version 11.4) +# spec file for package pam-modules # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -26,7 +26,7 @@ Name: pam-modules Summary: Additional PAM Modules Version: 11.4 -Release: 1 +Release: 3.<RELEASE4> License: BSD3c ; GPLv2+ Group: System/Libraries AutoReqProv: on @@ -41,9 +41,12 @@ Source50: dlopen.sh # Patch: pam-modules-10.3-pam_make-fix-open.dif +Patch1: pam_unix2-2.7.4-CVE-2011-2483.diff +Patch2: pam_unix2-2.7.4-retvalmagic.diff # BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: permissions +Requires: libxcrypt-crypt_blowfish >= 1.2 BuildRequires: libxcrypt-devel pam-devel BuildRequires: cracklib-devel %if %{enable_selinux} @@ -67,11 +70,17 @@ %prep %setup -q -c %{name} -b1 -b2 -b5 %patch +%patch1 -p0 +%patch2 -p0 %build +pushd pam_unix2-* +autoreconf -f +popd for i in * ; do cd $i; CFLAGS="$RPM_OPT_FLAGS" ./configure --enable-selinux \ + --enable-blowfish-bug-compatmode \ --libdir=/%{_lib} --mandir=%{_mandir} make %{?_smp_mflags} cd .. ++++++ pam_unix2-2.7.4-CVE-2011-2483.diff ++++++ >From 7a3e5fd2d79657674e72212ad13ea350d72e8306 Mon Sep 17 00:00:00 2001 From: Ludwig Nussel <ludwig.nussel(a)suse.de> Date: Wed, 13 Jul 2011 08:50:58 +0200 Subject: [PATCH 4/4] add workarounds for blowfish signedness bug The option BLOWFISH_2a2x allows to enable compat modes. --- configure.in | 18 +++++++++++++++++- etc/passwd | 16 ++++++++++++++++ src/get_options.c | 11 +++++++++++ src/public.h | 4 ++++ src/support.c | 30 ++++++++++++++++++++++++++++++ src/unix_auth.c | 8 +------- src/unix_passwd.c | 10 +++++++--- 7 files changed, 86 insertions(+), 11 deletions(-) Index: pam_unix2-2.7.4/configure.in =================================================================== --- pam_unix2-2.7.4/configure.in.orig +++ pam_unix2-2.7.4/configure.in @@ -4,6 +4,7 @@ AM_INIT_AUTOMAKE AC_CONFIG_SRCDIR([src/support.c]) AM_CONFIG_HEADER(config.h) AC_PREFIX_DEFAULT(/usr) +AM_GNU_GETTEXT_VERSION(0.12) dnl Set of available languages. @@ -48,13 +49,29 @@ dnl Should we compile with SELinux suppo AC_ARG_ENABLE([selinux], AC_HELP_STRING([--disable-selinux],[Enable SELinux support (default=yes)]), WITH_SELINUX=$enableval, WITH_SELINUX=yes) -if test "$WITH_SELINUX" == "yes" ; then +if test "$WITH_SELINUX" = "yes" ; then AC_CHECK_LIB(selinux,is_selinux_enabled, [AC_DEFINE(WITH_SELINUX,1, [Define if you want to compile in SELinux support]) LIBS="$LIBS -lselinux"]) fi +AC_ARG_ENABLE([blowfish-bug-workaround], + AC_HELP_STRING([--disable-blowfish-bug-workaround],[Enable workarounds for blowfish signedness bug]), + CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS=$enableval, CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS=yes) +if test "$CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS" = "yes" ; then + AC_DEFINE(CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS,1, + [Define if you want to enable workarounds for blowfish signedness bug]) +fi + +AC_ARG_ENABLE([blowfish-bug-compatmode], + AC_HELP_STRING([--enable-blowfish-bug-compatmode],[Enable blowfish compat mode by default]), + CRYPT_BLOWFISH_COMPATMODE=$enableval, CRYPT_BLOWFISH_COMPATMODE=no) +if test "$CRYPT_BLOWFISH_COMPATMODE" = "yes" ; then + AC_DEFINE(CRYPT_BLOWFISH_COMPATMODE,1, + [Define if you want to enable blowfish compat mode by default]) +fi + dnl Check standard headers AC_HEADER_STDC AC_CHECK_HEADERS(xcrypt.h crypt.h) Index: pam_unix2-2.7.4/etc/passwd =================================================================== --- pam_unix2-2.7.4/etc/passwd.orig +++ pam_unix2-2.7.4/etc/passwd @@ -25,3 +25,19 @@ BLOWFISH_CRYPT_FILES=5 # For NIS, we should always use DES: CRYPT_YP=des +# In June 2011 it was discovered that the Linux crypt_blowfish +# implementation contained a bug that made passwords with non-ASCII +# characters easier to crack (CVE-2011-2483). Affected passwords are +# also incompatible with the original, correct OpenBSD +# implementation. Therefore the $2a hash identifier previously used +# for blowfish now is ambiguous as it could mean the hash was +# generated with the correct implementation on OpenBSD or the buggy +# one on Linux. To avoid the ambiguity two new identifier were +# introduced. $2x now explicitly identifies hashes that were +# generated with the buggy algorithm while $2y is used for hashes +# generated with the correct algorithm. New passwords are now +# generated with the $2y identifier. +# +# Setting the following option to "yes" tells the sytem that $2a +# hashes are to be treated as generated with the buggy algorithm. +BLOWFISH_2a2x= Index: pam_unix2-2.7.4/src/get_options.c =================================================================== --- pam_unix2-2.7.4/src/get_options.c.orig +++ pam_unix2-2.7.4/src/get_options.c @@ -138,6 +138,17 @@ get_options (pam_handle_t *pamh, options /* Set some default values, which could be overwritten later. */ options->use_crypt = NONE; +#ifdef CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS + options->blowfish_2a2x = getlogindefs_bool("BLOWFISH_2a2x", +#ifdef CRYPT_BLOWFISH_COMPATMODE + 1 +#else + 0 +#endif + ); + free_getlogindefs_data(); +#endif + /* Parse parameters for module */ for ( ; argc-- > 0; argv++) parse_option (pamh, *argv, type, options); Index: pam_unix2-2.7.4/src/public.h =================================================================== --- pam_unix2-2.7.4/src/public.h.orig +++ pam_unix2-2.7.4/src/public.h @@ -68,6 +68,7 @@ struct options_t { int nullok; int use_authtok; int use_first_pass; + int blowfish_2a2x; char **use_other_modules; char *nisdir; crypt_t use_crypt; @@ -86,6 +87,9 @@ extern int __call_other_module(pam_handl const char *mod_name, const char *func_name, options_t *options); +extern int __check_password_match (const char *hash, const char *pass, + options_t *options); + extern int get_options (pam_handle_t *pamh, options_t *options, const char *type, int argc, const char **argv); Index: pam_unix2-2.7.4/src/support.c =================================================================== --- pam_unix2-2.7.4/src/support.c.orig +++ pam_unix2-2.7.4/src/support.c @@ -48,6 +48,12 @@ #include <security/pam_ext.h> #endif +#if defined(HAVE_XCRYPT_H) +#include <xcrypt.h> +#elif defined(HAVE_CRYPT_H) +#include <crypt.h> +#endif + #include "public.h" int @@ -312,3 +318,28 @@ struct pam_module _pam_unix2_modstruct = pam_sm_chauthtok }; #endif + +int +__check_password_match (const char *hash, const char *pass, options_t *options) +{ + struct crypt_data output; + char *h = NULL; + int r; + + memset (&output, 0, sizeof (output)); + +#ifdef CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS + if ((options->blowfish_2a2x) + && !strncmp(hash, "$2a$", 4)) + { + h = strdupa(hash); + h[2] = 'x'; + hash = h; + } +#endif + + r = (strcmp (hash, crypt_r (pass, hash, &output)) == 0); + if (h) + _pam_overwrite(h); + return r; +} Index: pam_unix2-2.7.4/src/unix_passwd.c =================================================================== --- pam_unix2-2.7.4/src/unix_passwd.c.orig +++ pam_unix2-2.7.4/src/unix_passwd.c @@ -253,8 +253,7 @@ pam_sm_chauthtok (pam_handle_t *pamh, in /* Check if the old password was correct. */ if ((getuid () || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) && - strcmp (data->oldpassword, - crypt_r (oldpass, data->oldpassword, &output)) != 0) + !__check_password_match(data->oldpassword, oldpass, &options)) { if (options.debug) pam_syslog (pamh, LOG_DEBUG, @@ -713,7 +712,12 @@ __do_setpass (pam_handle_t *pamh, int fl #if defined(HAVE_XCRYPT_GENSALT_R) salt = make_crypt_salt ("$2a$", options->crypt_rounds, pamh, flags); if (salt != NULL) - newpassword = crypt_r (data->newpassword, salt, output); + { +#ifdef CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS + salt[2] = 'y'; +#endif + newpassword = crypt_r (data->newpassword, salt, output); + } else { __write_message (pamh, flags, PAM_ERROR_MSG, Index: pam_unix2-2.7.4/src/unix_auth.c =================================================================== --- pam_unix2-2.7.4/src/unix_auth.c.orig +++ pam_unix2-2.7.4/src/unix_auth.c @@ -126,7 +126,6 @@ int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, const char **argv) { - struct crypt_data output; int retval; int sp_buflen = 256; char *sp_buffer = alloca (sp_buflen); @@ -143,7 +142,6 @@ pam_sm_authenticate (pam_handle_t *pamh, options_t options; int ask_user, ask_password; - memset (&output, 0, sizeof (output)); memset (&options, 0, sizeof (options)); if (get_options (pamh, &options, "auth", argc, argv) < 0) @@ -327,7 +325,7 @@ pam_sm_authenticate (pam_handle_t *pamh, *cp = '\0'; } - if (strcmp (crypt_r (password, salt, &output), salt) != 0) + if (!__check_password_match(salt, password, &options)) { if (options.debug) pam_syslog (pamh, LOG_DEBUG, "wrong password, return PAM_AUTH_ERR"); ++++++ pam_unix2-2.7.4-retvalmagic.diff ++++++ >From f0e1dcc08789da62c26236e3bc0e3b68ba6d0fd0 Mon Sep 17 00:00:00 2001 From: Ludwig Nussel <ludwig.nussel(a)suse.de> Date: Wed, 20 Jul 2011 11:16:56 +0200 Subject: [PATCH] catch retval magic by ow-crypt/libxcrypt Instead of returning NULL ow-crypt's retval magic returns "*0" or "*1". --- src/unix_passwd.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) Index: pam_unix2-2.7.4/src/unix_passwd.c =================================================================== --- pam_unix2-2.7.4/src/unix_passwd.c.orig +++ pam_unix2-2.7.4/src/unix_passwd.c @@ -773,7 +773,9 @@ __do_setpass (pam_handle_t *pamh, int fl options->use_crypt); return PAM_AUTHTOK_ERR; } - if (newpassword == NULL) + if (newpassword == NULL + /* catch retval magic by ow-crypt/libxcrypt */ + || !strcmp(newpassword, "*0") || !strcmp(newpassword, "*1")) { __write_message (pamh, flags, PAM_ERROR_MSG, _("crypt_r() returns NULL pointer")); ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit libxcrypt for openSUSE:11.4
by root＠hilbert.suse.de 29 Jul '11

29 Jul '11

Hello community, here is the log from the commit of package libxcrypt for openSUSE:11.4 checked in at Fri Jul 29 18:11:32 CEST 2011. Patchinfo file has no description Patchinfo file has no description Patchinfo file has no description -------- --- old-versions/11.4/all/libxcrypt/libxcrypt.changes 2010-06-28 08:50:28.000000000 +0200 +++ 11.4/libxcrypt/libxcrypt.changes 2011-07-20 12:00:55.000000000 +0200 @@ -1,0 +2,7 @@ +Tue Jul 19 15:45:39 UTC 2011 - lnussel(a)suse.de + +- update crypt_blowfish to version 1.2 (bnc#700876, CVE-2011-2483) + * due to the signedness bug fix 2a hashes are incompatible with + previous versions if the password contains 8bit chracters! + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/libxcrypt Destination is old-versions/11.4/UPDATES/all/libxcrypt calling whatdependson for 11.4-i586 New: ---- crypt_blowfish-1.2.tar.gz crypt_blowfish-1.2.tar.gz.sign libxcrypt-3.0.4-blowfish-Makefile.in.diff libxcrypt-3.0.4-blowfish-noasm.diff libxcrypt-3.0.4-blowfish-xcrypt.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxcrypt.spec ++++++ --- /var/tmp/diff_new_pack.0Fvkub/_old 2011-07-29 18:11:19.000000000 +0200 +++ /var/tmp/diff_new_pack.0Fvkub/_new 2011-07-29 18:11:19.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package libxcrypt (Version 3.0.3) +# spec file for package libxcrypt # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,6 +17,7 @@ # norootforbuild +%define crypt_bf_version 1.2 Name: libxcrypt License: LGPLv2.1+ ; Public Domain, Freeware @@ -27,11 +28,19 @@ Obsoletes: libxcrypt-64bit %endif Version: 3.0.3 -Release: 3 +Release: 9.<RELEASE10> Summary: Crypt Library for DES, MD5, Blowfish and others +Url: http://www.openwall.com/crypt/ Source: libxcrypt-%{version}.tar.bz2 -Source2: baselibs.conf +Source1: %{url}crypt_blowfish-%{crypt_bf_version}.tar.gz +Source2: %{url}crypt_blowfish-%{crypt_bf_version}.tar.gz.sign +Source3: baselibs.conf +Patch1: libxcrypt-3.0.4-blowfish-noasm.diff +Patch2: libxcrypt-3.0.4-blowfish-xcrypt.diff +# just patching Makefile.in to avoid autoreconf +Patch3: libxcrypt-3.0.4-blowfish-Makefile.in.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build +Provides: libxcrypt-crypt_blowfish = 1.2 %description Libxcrypt is a replacement for libcrypt, which comes with the GNU C @@ -62,7 +71,12 @@ %prep -%setup -q +%setup -q -a1 +%patch1 -p0 +%patch2 -p0 +%patch3 -p0 +cp crypt_blowfish-*/*.{c,h} plugins/blowfish +mv plugins/blowfish/wrapper.c plugins/blowfish/blowfish-test.c %build ./configure CFLAGS="$RPM_OPT_FLAGS -Wno-cast-align" \ @@ -83,6 +97,9 @@ rm $RPM_BUILD_ROOT/%{_lib}/xcrypt/lib*.{so,la} ln -sf ../../%{_lib}/libxcrypt.so.2 $RPM_BUILD_ROOT%{_libdir}/libxcrypt.so /sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib}/ +# +ln -s libxcrypt_2a.so.1 $RPM_BUILD_ROOT/%{_lib}/xcrypt/libxcrypt_2y.so.1 +ln -s libxcrypt_2a.so.1 $RPM_BUILD_ROOT/%{_lib}/xcrypt/libxcrypt_2x.so.1 %clean rm -rf $RPM_BUILD_ROOT ++++++ libxcrypt-3.0.4-blowfish-Makefile.in.diff ++++++ Index: plugins/blowfish/Makefile.in =================================================================== --- plugins/blowfish/Makefile.in.orig +++ plugins/blowfish/Makefile.in @@ -234,8 +234,8 @@ libxcrypt_2a_la_LDFLAGS = -version-info plugin_LTLIBRARIES = libxcrypt_2a.la libxcrypt_2a_la_SOURCES = crypt_blowfish.c -blowfish_test_CFLAGS = $(AM_CFLAGS) -DTEST_THREADS=10 -blowfish_test_LDADD = libxcrypt_2a.la -lpthread +blowfish_test_CFLAGS = $(AM_CFLAGS) -DTEST -DTEST_THREADS=4 -DXCRYPT +blowfish_test_LDADD = libxcrypt_2a.la -ldl -lpthread all: all-am .SUFFIXES: ++++++ libxcrypt-3.0.4-blowfish-noasm.diff ++++++ Index: crypt_blowfish-1.2/crypt_blowfish.c =================================================================== --- crypt_blowfish-1.2/crypt_blowfish.c.orig +++ crypt_blowfish-1.2/crypt_blowfish.c @@ -54,7 +54,7 @@ #include "crypt_blowfish.h" #ifdef __i386__ -#define BF_ASM 1 +#define BF_ASM 0 #define BF_SCALE 1 #elif defined(__x86_64__) || defined(__alpha__) || defined(__hppa__) #define BF_ASM 0 ++++++ libxcrypt-3.0.4-blowfish-xcrypt.diff ++++++ Index: crypt_blowfish-1.2/crypt_blowfish.c =================================================================== --- crypt_blowfish-1.2/crypt_blowfish.c.orig +++ crypt_blowfish-1.2/crypt_blowfish.c @@ -44,6 +44,7 @@ */ #include <string.h> +#include <stdio.h> #include <errno.h> #ifndef __set_errno @@ -64,6 +65,10 @@ #define BF_SCALE 0 #endif +#include "xcrypt-plugin.h" +#define _crypt_blowfish_rn __crypt_r +#include <dlfcn.h> + typedef unsigned int BF_word; typedef signed int BF_word_signed; @@ -900,3 +905,23 @@ char *_crypt_gensalt_blowfish_rn(const c return output; } + +/* dirty hack */ +static const char* _find_prefix(const char* prefix) +{ + Dl_info info; + if (dladdr(_find_prefix, &info) && strlen(info.dli_fname) > 8) + { + const char* sfx = info.dli_fname+strlen(info.dli_fname)-8; + if (!strncmp(sfx, "_2y.", 4)) + prefix = "$2y$"; + else if (!strncmp(sfx, "_2x.", 4)) + prefix = "$2x$"; + } + return prefix; +} + +char *__crypt_gensalt_r (unsigned long count, __const char *input, int size, char *output, int output_size) +{ + return _crypt_gensalt_blowfish_rn(_find_prefix("$2a$"), count, input, size, output, output_size); +} Index: crypt_blowfish-1.2/wrapper.c =================================================================== --- crypt_blowfish-1.2/wrapper.c.orig +++ crypt_blowfish-1.2/wrapper.c @@ -37,13 +37,19 @@ #define CRYPT_OUTPUT_SIZE (7 + 22 + 31 + 1) #define CRYPT_GENSALT_OUTPUT_SIZE (7 + 22 + 1) -#if defined(__GLIBC__) && defined(_LIBC) #define __SKIP_GNU -#endif +#include "xcrypt.h" +#include "xcrypt-plugin.h" #include "ow-crypt.h" #include "crypt_blowfish.h" +#ifndef XCRYPT #include "crypt_gensalt.h" +#else +#define _crypt_blowfish_rn __crypt_r +#undef crypt_r +char *crypt_r(const char *key, const char *setting, void *data); +#endif #if defined(__GLIBC__) && defined(_LIBC) /* crypt.h from glibc-crypt-2.1 will define struct crypt_data for us */ @@ -197,6 +203,7 @@ char *crypt(const char *key, const char #define __crypt_gensalt crypt_gensalt #endif +#ifndef XCRYPT char *__crypt_gensalt_rn(const char *prefix, unsigned long count, const char *input, int size, char *output, int output_size) { @@ -231,6 +238,13 @@ char *__crypt_gensalt_rn(const char *pre return use(prefix, count, input, size, output, output_size); } +#else +char *__crypt_gensalt_rn(const char *prefix __attribute__((unused)), unsigned long count, + const char *input, int size, char *output, int output_size) +{ + return __crypt_gensalt_r(count, input, size, output, output_size); +} +#endif char *__crypt_gensalt_ra(const char *prefix, unsigned long count, const char *input, int size) @@ -542,4 +556,21 @@ int main(void) return 0; } +#endif + +#ifdef XCRYPT +int _crypt_output_magic(const char *setting, char *output, int size) +{ + if (size < 3) + return -1; + + output[0] = '*'; + output[1] = '0'; + output[2] = '\0'; + + if (setting[0] == '*' && setting[1] == '0') + output[1] = '1'; + + return 0; +} #endif Index: plugins/blowfish/Makefile.am =================================================================== --- plugins/blowfish/Makefile.am.orig +++ plugins/blowfish/Makefile.am @@ -25,5 +25,5 @@ libxcrypt_2a_la_SOURCES = crypt_blowfish noinst_PROGRAMS = blowfish-test -blowfish_test_CFLAGS = $(AM_CFLAGS) -DTEST_THREADS=10 -blowfish_test_LDADD = libxcrypt_2a.la -lpthread +blowfish_test_CFLAGS = $(AM_CFLAGS) -DTEST -DTEST_THREADS=4 -DXCRYPT +blowfish_test_LDADD = libxcrypt_2a.la -ldl -lpthread ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit pwdutils for openSUSE:11.4
by root＠hilbert.suse.de 29 Jul '11

29 Jul '11

Hello community, here is the log from the commit of package pwdutils for openSUSE:11.4 checked in at Fri Jul 29 18:11:30 CEST 2011. Patchinfo file has no description Patchinfo file has no description Patchinfo file has no description -------- --- old-versions/11.4/all/pwdutils/pwdutils.changes 2011-02-02 13:05:56.000000000 +0100 +++ 11.4/pwdutils/pwdutils.changes 2011-07-20 17:21:36.000000000 +0200 @@ -1,0 +2,5 @@ +Wed Jul 20 15:18:37 UTC 2011 - lnussel(a)suse.de + +- change blowfish id from 2a to 2y (bnc#700876, CVE-2011-2483) + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/pwdutils Destination is old-versions/11.4/UPDATES/all/pwdutils calling whatdependson for 11.4-i586 New: ---- pwdutils-3.2.14-CVE-2011-2483.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pwdutils.spec ++++++ --- /var/tmp/diff_new_pack.yWtTws/_old 2011-07-29 18:11:18.000000000 +0200 +++ /var/tmp/diff_new_pack.yWtTws/_new 2011-07-29 18:11:18.000000000 +0200 @@ -29,14 +29,16 @@ Group: System/Base AutoReqProv: on Version: 3.2.14 -Release: 1 +Release: 4.<RELEASE5> Summary: Utilities to Manage User and Group Accounts Requires: pam-modules +Requires: libxcrypt-crypt_blowfish >= 1.2 Source: pwdutils-%{version}.tar.bz2 Source2: ldap.conf Source3: useradd.default Source4: baselibs.conf Patch0: %{name}-selinux-useradd.patch +Patch1: pwdutils-3.2.14-CVE-2011-2483.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -77,6 +79,7 @@ %prep %setup -q %patch0 +%patch1 -p1 %build %configure --with-ldap-conf-file=/etc/ldap.conf \ ++++++ pwdutils-3.2.14-CVE-2011-2483.diff ++++++ Index: pwdutils-3.2.14/src/chpasswd.c =================================================================== --- pwdutils-3.2.14.orig/src/chpasswd.c +++ pwdutils-3.2.14/src/chpasswd.c @@ -342,7 +342,7 @@ main (int argc, char *argv[]) /* blowfish has a limit of 72 characters */ if (use_crypt == BLOWFISH && strlen (cp) > 72) cp[72] = '\0'; - salt = make_crypt_salt ("$2a$", 0 /* XXX crypt_rounds */); + salt = make_crypt_salt ("$2y$", 0 /* XXX crypt_rounds */); if (salt != NULL) pw_data->newpassword = strdup (crypt_r (cp, salt, &output)); else Index: pwdutils-3.2.14/src/gpasswd.c =================================================================== --- pwdutils-3.2.14.orig/src/gpasswd.c +++ pwdutils-3.2.14/src/gpasswd.c @@ -432,7 +432,7 @@ main (int argc, char **argv) /* blowfish has a limit of 72 characters */ if (use_crypt == BLOWFISH && strlen (p1) > 72) p1[72] = '\0'; - salt = make_crypt_salt ("$2a$", 0 /* XXX crypt_rounds */); + salt = make_crypt_salt ("$2y$", 0 /* XXX crypt_rounds */); if (salt != NULL) gr_data->newpassword = strdup (crypt_r (p1, salt, &output)); else Index: pwdutils-3.2.14/etc/default/passwd =================================================================== --- pwdutils-3.2.14.orig/etc/default/passwd +++ pwdutils-3.2.14/etc/default/passwd @@ -26,3 +26,20 @@ BLOWFISH_CRYPT_FILES=10 # For NIS, we should always use DES: CRYPT_YP=des + +# In June 2011 it was discovered that the Linux crypt_blowfish +# implementation contained a bug that made passwords with non-ASCII +# characters easier to crack (CVE-2011-2483). Affected passwords are +# also incompatible with the original, correct OpenBSD +# implementation. Therefore the $2a hash identifier previously used +# for blowfish now is ambiguous as it could mean the hash was +# generated with the correct implementation on OpenBSD or the buggy +# one on Linux. To avoid the ambiguity two new identifier were +# introduced. $2x now explicitly identifies hashes that were +# generated with the buggy algorithm while $2y is used for hashes +# generated with the correct algorithm. New passwords are now +# generated with the $2y identifier. +# +# Setting the following option to "yes" tells the sytem that $2a +# hashes are to be treated as generated with the buggy algorithm. +BLOWFISH_2a2x=yes ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit glibc for openSUSE:11.4
by root＠hilbert.suse.de 29 Jul '11

29 Jul '11

Hello community, here is the log from the commit of package glibc for openSUSE:11.4 checked in at Fri Jul 29 18:08:13 CEST 2011. Patchinfo file has no description Patchinfo file has no description Patchinfo file has no description -------- --- old-versions/11.4/all/glibc/glibc.changes 2011-02-22 13:33:00.000000000 +0100 +++ 11.4/glibc/glibc.changes 2011-07-27 10:18:08.000000000 +0200 @@ -1,0 +2,7 @@ +Tue Jul 19 11:55:41 UTC 2011 - lnussel(a)suse.de + +- update crypt_blowfish to version 1.2 (bnc#700876, CVE-2011-2483) + * due to the signedness bug fix 2a hashes are incompatible with + previous versions if the password contains 8bit chracters! + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/glibc Destination is old-versions/11.4/UPDATES/all/glibc calling whatdependson for 11.4-i586 Old: ---- minmem New: ---- crypt_blowfish-1.2.tar.gz crypt_blowfish-1.2.tar.gz.sign crypt_blowfish-noasm.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ glibc.spec ++++++ --- /var/tmp/diff_new_pack.Ro7xfn/_old 2011-07-29 18:07:34.000000000 +0200 +++ /var/tmp/diff_new_pack.Ro7xfn/_new 2011-07-29 18:07:34.000000000 +0200 @@ -17,6 +17,7 @@ # norootforbuild +%define crypt_bf_version 1.2 Name: glibc BuildRequires: gcc-c++ libstdc++-devel @@ -64,7 +65,7 @@ Provides: rtld(GNU_HASH) AutoReqProv: on Version: 2.11.3 -Release: 12.<RELEASE2> +Release: 12.<RELEASE17> Url: http://www.gnu.org/software/libc/libc.html PreReq: filesystem BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -80,6 +81,8 @@ Source12: glibc_post_upgrade.c Source15: glibc.rpmlintrc Source16: baselibs.conf +Source50: http://www.openwall.com/crypt/crypt_blowfish-%{crypt_bf_version}.tar.gz +Source51: http://www.openwall.com/crypt/crypt_blowfish-%{crypt_bf_version}.tar.gz.sign %if %_target_cpu == "i686" # We need to avoid to have only the src rpm from i686 on the media, # since it does not work on other architectures. @@ -92,6 +95,7 @@ Patch3: glibc-resolv-reload.diff Patch4: glibc-2.3.locales.diff.bz2 Patch5: crypt_blowfish-1.0-suse.diff +Patch6: crypt_blowfish-noasm.diff Patch7: glibc-version.diff Patch8: glibc-2.4.90-revert-only-euro.diff Patch9: glibc-2.3-regcomp.diff @@ -292,11 +296,12 @@ # add glibc-ports for arm # this is CURRENTLY BROKEN; ARM-interested contributors need to provide # new tested glibc-ports source -%setup -n glibc-%{version} -q -a 2 -a 3 -a 4 +%setup -n glibc-%{version} -q -a 2 -a 3 -a 4 -a 50 %else # any other leave out ports -%setup -n glibc-%{version} -q -a 3 -a 4 +%setup -n glibc-%{version} -q -a 3 -a 4 -a 50 %endif +mv crypt_blowfish-%crypt_bf_version/crypt_blowfish.[ch] crypt/ %patch0 # libNoVersion part is only active on ix86 %patch1 @@ -304,6 +309,7 @@ %patch3 %patch4 %patch5 +%patch6 %patch7 %patch8 %patch9 ++++++ crypt_blowfish-1.0-suse.diff ++++++ ++++ 773 lines (skipped) ++++ between old-versions/11.4/all/glibc/crypt_blowfish-1.0-suse.diff ++++ and 11.4/glibc/crypt_blowfish-1.0-suse.diff ++++++ crypt_blowfish-noasm.diff ++++++ Index: crypt/crypt_blowfish.c =================================================================== --- crypt/crypt_blowfish.c.orig +++ crypt/crypt_blowfish.c @@ -54,7 +54,7 @@ #include "crypt_blowfish.h" #ifdef __i386__ -#define BF_ASM 1 +#define BF_ASM 0 #define BF_SCALE 1 #elif defined(__x86_64__) || defined(__alpha__) || defined(__hppa__) #define BF_ASM 0 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit libsoup for openSUSE:11.3
by root＠hilbert.suse.de 29 Jul '11

29 Jul '11

Hello community, here is the log from the commit of package libsoup for openSUSE:11.3 checked in at Fri Jul 29 18:08:01 CEST 2011. Patchinfo file has no description Patchinfo file has no description Patchinfo file has no description -------- --- old-versions/11.3/all/libsoup/libsoup.changes 2010-05-03 11:13:46.000000000 +0200 +++ 11.3/libsoup/libsoup.changes 2011-07-29 10:20:41.000000000 +0200 @@ -1,0 +2,9 @@ +Fri Jul 29 10:18:00 CEST 2011 - vuntz(a)opensuse.org + +- Add libsoup-CVE-2011-2524.patch: Fixed a security hole that + caused some SoupServer users to unintentionally allow accessing + the entire local filesystem when they thought they were only + providing access to a single directory. Fix bnc#706630, + CVE-2011-2524. + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.3/all/libsoup Destination is old-versions/11.3/UPDATES/all/libsoup calling whatdependson for 11.3-i586 New: ---- libsoup-CVE-2011-2524.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libsoup.spec ++++++ --- /var/tmp/diff_new_pack.jTMmki/_old 2011-07-29 18:07:21.000000000 +0200 +++ /var/tmp/diff_new_pack.jTMmki/_new 2011-07-29 18:07:21.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package libsoup (Version 2.30.1) +# spec file for package libsoup # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -38,9 +38,11 @@ # Summary: HTTP client/server library for GNOME Version: 2.30.1 -Release: 1 +Release: 2.<RELEASE2> Source: ftp://ftp.gnome.org/pub/GNOME/stable/sources/libsoup/2.2/%{name}-%{version}… Source99: baselibs.conf +# PATCH-FIX-UPSTREAM libsoup-CVE-2011-2524.patch bnc#706630 CVE-2011-2524 vuntz(a)opensuse.org -- filesystem exposure flaw due to bad parsing of ".." +Patch0: libsoup-CVE-2011-2524.patch Url: http://www.gnome.org BuildRoot: %{_tmppath}/%{name}-%{version}-build Requires: %{name}-2_4-1 = %{version} @@ -111,6 +113,7 @@ %prep %setup -q +%patch0 -p1 %build %configure\ ++++++ libsoup-CVE-2011-2524.patch ++++++ >From cbeeb7a0f7f0e8b16f2d382157496f9100218dea Mon Sep 17 00:00:00 2001 From: Dan Winship <danw(a)gnome.org> Date: Wed, 29 Jun 2011 14:04:06 +0000 Subject: SoupServer: fix to not allow smuggling ".." into path When SoupServer:raw-paths was set (the default), it was possible to sneak ".." segments into the path passed to the SoupServerHandler, which could then end up tricking some handlers into retrieving arbitrary files from the filesystem. Fix that. https://bugzilla.gnome.org/show_bug.cgi?id=653258 --- diff --git a/libsoup/soup-server.c b/libsoup/soup-server.c index d56efd1..7225337 100644 --- a/libsoup/soup-server.c +++ b/libsoup/soup-server.c @@ -779,6 +779,15 @@ got_headers (SoupMessage *req, SoupClientContext *client) uri = soup_message_get_uri (req); decoded_path = soup_uri_decode (uri->path); + + if (strstr (decoded_path, "/../") || + g_str_has_suffix (decoded_path, "/..")) { + /* Introducing new ".." segments is not allowed */ + g_free (decoded_path); + soup_message_set_status (req, SOUP_STATUS_BAD_REQUEST); + return; + } + soup_uri_set_path (uri, decoded_path); g_free (decoded_path); } -- cgit v0.9 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit clamav for openSUSE:11.3
by root＠hilbert.suse.de 29 Jul '11

29 Jul '11

Hello community, here is the log from the commit of package clamav for openSUSE:11.3 checked in at Fri Jul 29 18:07:20 CEST 2011. Patchinfo file has no description Patchinfo file has no description Patchinfo file has no description -------- --- old-versions/11.3/UPDATES/all/clamav/clamav.changes 2011-06-10 16:49:23.000000000 +0200 +++ 11.3/clamav/clamav.changes 2011-07-28 15:15:16.000000000 +0200 @@ -1,0 +2,15 @@ +Tue Jul 26 08:55:27 UTC 2011 - max(a)novell.com + +- New version 0.97.2 (bnc#708263): + * libclamav/matcher-hash.c: off by one read in cli_hm_scan + (bb#2818, CVE-2011-2721). + * libclamav/pdf.c: fix encrypted pdf detection (bb #2988) + * clamav-milter/clamfi.c: fix typo in error message (bb#3040) + * libclamav/lzma_iface.c: shut up huge alloc warns for 7z/lzma + (bb#2913) + * libclamav/c++/bytecode2llvm.cpp: fix use of unaddressable data + in bytecode_watchdog. + * libclamav/phishcheck.c: fix safebrowsing detection on certain + URLs + +------------------------------------------------------------------- calling whatdependson for 11.3-i586 Old: ---- clamav-0.97.1.tar.bz2 New: ---- clamav-0.97.2.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ clamav.spec ++++++ --- /var/tmp/diff_new_pack.FZm43q/_old 2011-07-29 18:07:02.000000000 +0200 +++ /var/tmp/diff_new_pack.FZm43q/_new 2011-07-29 18:07:02.000000000 +0200 @@ -36,7 +36,7 @@ %define clamav_check --disable-check %endif Summary: Antivirus Toolkit -Version: 0.97.1 +Version: 0.97.2 Release: 1.<RELEASE2> License: GPLv2 Group: Productivity/Security ++++++ clamav-0.97.1.tar.bz2 -> clamav-0.97.2.tar.bz2 ++++++ old-versions/11.3/UPDATES/all/clamav/clamav-0.97.1.tar.bz2 11.3/clamav/clamav-0.97.2.tar.bz2 differ: char 11, line 1 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit pam-modules for openSUSE:11.3
by root＠hilbert.suse.de 29 Jul '11

29 Jul '11

Hello community, here is the log from the commit of package pam-modules for openSUSE:11.3 checked in at Fri Jul 29 18:07:01 CEST 2011. Patchinfo file has no description Patchinfo file has no description Patchinfo file has no description -------- --- old-versions/11.3/all/pam-modules/pam-modules.changes 2009-12-12 20:22:24.000000000 +0100 +++ 11.3/pam-modules/pam-modules.changes 2011-07-20 17:12:26.000000000 +0200 @@ -1,0 +2,6 @@ +Wed Jul 20 15:11:44 UTC 2011 - lnussel(a)suse.de + +- add compat mode options to deal with crypt_blowfish signedness bug + (bnc#700876, CVE-2011-2483) + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.3/all/pam-modules Destination is old-versions/11.3/UPDATES/all/pam-modules calling whatdependson for 11.3-i586 New: ---- pam_unix2-2.7.3-CVE-2011-2483.diff pam_unix2-2.7.3-retvalmagic.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam-modules.spec ++++++ --- /var/tmp/diff_new_pack.VEjgNq/_old 2011-07-29 18:06:38.000000000 +0200 +++ /var/tmp/diff_new_pack.VEjgNq/_new 2011-07-29 18:06:38.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package pam-modules (Version 11.2) +# spec file for package pam-modules # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -25,8 +25,8 @@ Name: pam-modules Summary: Additional PAM Modules -Version: 11.2 -Release: 4 +Version: 11.3 +Release: 0.<RELEASE2> License: BSD3c ; GPLv2+ Group: System/Libraries AutoReqProv: on @@ -41,9 +41,12 @@ Source50: dlopen.sh # Patch: pam-modules-10.3-pam_make-fix-open.dif +Patch1: pam_unix2-2.7.3-CVE-2011-2483.diff +Patch2: pam_unix2-2.7.3-retvalmagic.diff # BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: permissions +Requires: libxcrypt-crypt_blowfish >= 1.2 BuildRequires: libxcrypt-devel pam-devel BuildRequires: cracklib-devel %if %{enable_selinux} @@ -67,11 +70,17 @@ %prep %setup -q -c %{name} -b1 -b2 -b5 %patch +%patch1 -p0 +%patch2 -p0 %build +pushd pam_unix2-* +autoreconf -f +popd for i in * ; do cd $i; CFLAGS="$RPM_OPT_FLAGS" ./configure --enable-selinux \ + --enable-blowfish-bug-compatmode \ --libdir=/%{_lib} --mandir=%{_mandir} make %{?_smp_mflags} cd .. ++++++ pam_unix2-2.7.3-CVE-2011-2483.diff ++++++ >From 7a3e5fd2d79657674e72212ad13ea350d72e8306 Mon Sep 17 00:00:00 2001 From: Ludwig Nussel <ludwig.nussel(a)suse.de> Date: Wed, 13 Jul 2011 08:50:58 +0200 Subject: [PATCH 4/4] add workarounds for blowfish signedness bug The option BLOWFISH_2a2x allows to enable compat modes. --- configure.in | 18 +++++++++++++++++- etc/passwd | 16 ++++++++++++++++ src/get_options.c | 11 +++++++++++ src/public.h | 4 ++++ src/support.c | 30 ++++++++++++++++++++++++++++++ src/unix_auth.c | 8 +------- src/unix_passwd.c | 10 +++++++--- 7 files changed, 86 insertions(+), 11 deletions(-) Index: pam_unix2-2.7.3/configure.in =================================================================== --- pam_unix2-2.7.3/configure.in.orig +++ pam_unix2-2.7.3/configure.in @@ -4,6 +4,7 @@ AM_INIT_AUTOMAKE AC_CONFIG_SRCDIR([src/support.c]) AM_CONFIG_HEADER(config.h) AC_PREFIX_DEFAULT(/usr) +AM_GNU_GETTEXT_VERSION(0.12) dnl Set of available languages. @@ -48,13 +49,29 @@ dnl Should we compile with SELinux suppo AC_ARG_ENABLE([selinux], AC_HELP_STRING([--disable-selinux],[Enable SELinux support (default=yes)]), WITH_SELINUX=$enableval, WITH_SELINUX=yes) -if test "$WITH_SELINUX" == "yes" ; then +if test "$WITH_SELINUX" = "yes" ; then AC_CHECK_LIB(selinux,is_selinux_enabled, [AC_DEFINE(WITH_SELINUX,1, [Define if you want to compile in SELinux support]) LIBS="$LIBS -lselinux"]) fi +AC_ARG_ENABLE([blowfish-bug-workaround], + AC_HELP_STRING([--disable-blowfish-bug-workaround],[Enable workarounds for blowfish signedness bug]), + CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS=$enableval, CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS=yes) +if test "$CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS" = "yes" ; then + AC_DEFINE(CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS,1, + [Define if you want to enable workarounds for blowfish signedness bug]) +fi + +AC_ARG_ENABLE([blowfish-bug-compatmode], + AC_HELP_STRING([--enable-blowfish-bug-compatmode],[Enable blowfish compat mode by default]), + CRYPT_BLOWFISH_COMPATMODE=$enableval, CRYPT_BLOWFISH_COMPATMODE=no) +if test "$CRYPT_BLOWFISH_COMPATMODE" = "yes" ; then + AC_DEFINE(CRYPT_BLOWFISH_COMPATMODE,1, + [Define if you want to enable blowfish compat mode by default]) +fi + dnl Check standard headers AC_HEADER_STDC AC_CHECK_HEADERS(xcrypt.h crypt.h) Index: pam_unix2-2.7.3/etc/passwd =================================================================== --- pam_unix2-2.7.3/etc/passwd.orig +++ pam_unix2-2.7.3/etc/passwd @@ -25,3 +25,19 @@ BLOWFISH_CRYPT_FILES=5 # For NIS, we should always use DES: CRYPT_YP=des +# In June 2011 it was discovered that the Linux crypt_blowfish +# implementation contained a bug that made passwords with non-ASCII +# characters easier to crack (CVE-2011-2483). Affected passwords are +# also incompatible with the original, correct OpenBSD +# implementation. Therefore the $2a hash identifier previously used +# for blowfish now is ambiguous as it could mean the hash was +# generated with the correct implementation on OpenBSD or the buggy +# one on Linux. To avoid the ambiguity two new identifier were +# introduced. $2x now explicitly identifies hashes that were +# generated with the buggy algorithm while $2y is used for hashes +# generated with the correct algorithm. New passwords are now +# generated with the $2y identifier. +# +# Setting the following option to "yes" tells the sytem that $2a +# hashes are to be treated as generated with the buggy algorithm. +BLOWFISH_2a2x= Index: pam_unix2-2.7.3/src/get_options.c =================================================================== --- pam_unix2-2.7.3/src/get_options.c.orig +++ pam_unix2-2.7.3/src/get_options.c @@ -138,6 +138,17 @@ get_options (pam_handle_t *pamh, options /* Set some default values, which could be overwritten later. */ options->use_crypt = NONE; +#ifdef CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS + options->blowfish_2a2x = getlogindefs_bool("BLOWFISH_2a2x", +#ifdef CRYPT_BLOWFISH_COMPATMODE + 1 +#else + 0 +#endif + ); + free_getlogindefs_data(); +#endif + /* Parse parameters for module */ for ( ; argc-- > 0; argv++) parse_option (pamh, *argv, type, options); Index: pam_unix2-2.7.3/src/public.h =================================================================== --- pam_unix2-2.7.3/src/public.h.orig +++ pam_unix2-2.7.3/src/public.h @@ -68,6 +68,7 @@ struct options_t { int nullok; int use_authtok; int use_first_pass; + int blowfish_2a2x; char **use_other_modules; char *nisdir; crypt_t use_crypt; @@ -86,6 +87,9 @@ extern int __call_other_module(pam_handl const char *mod_name, const char *func_name, options_t *options); +extern int __check_password_match (const char *hash, const char *pass, + options_t *options); + extern int get_options (pam_handle_t *pamh, options_t *options, const char *type, int argc, const char **argv); Index: pam_unix2-2.7.3/src/support.c =================================================================== --- pam_unix2-2.7.3/src/support.c.orig +++ pam_unix2-2.7.3/src/support.c @@ -48,6 +48,12 @@ #include <security/pam_ext.h> #endif +#if defined(HAVE_XCRYPT_H) +#include <xcrypt.h> +#elif defined(HAVE_CRYPT_H) +#include <crypt.h> +#endif + #include "public.h" int @@ -312,3 +318,28 @@ struct pam_module _pam_unix2_modstruct = pam_sm_chauthtok }; #endif + +int +__check_password_match (const char *hash, const char *pass, options_t *options) +{ + struct crypt_data output; + char *h = NULL; + int r; + + memset (&output, 0, sizeof (output)); + +#ifdef CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS + if ((options->blowfish_2a2x) + && !strncmp(hash, "$2a$", 4)) + { + h = strdupa(hash); + h[2] = 'x'; + hash = h; + } +#endif + + r = (strcmp (hash, crypt_r (pass, hash, &output)) == 0); + if (h) + _pam_overwrite(h); + return r; +} Index: pam_unix2-2.7.3/src/unix_passwd.c =================================================================== --- pam_unix2-2.7.3/src/unix_passwd.c.orig +++ pam_unix2-2.7.3/src/unix_passwd.c @@ -253,8 +253,7 @@ pam_sm_chauthtok (pam_handle_t *pamh, in /* Check if the old password was correct. */ if ((getuid () || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) && - strcmp (data->oldpassword, - crypt_r (oldpass, data->oldpassword, &output)) != 0) + !__check_password_match(data->oldpassword, oldpass, &options)) { if (options.debug) pam_syslog (pamh, LOG_DEBUG, @@ -713,7 +712,12 @@ __do_setpass (pam_handle_t *pamh, int fl #if defined(HAVE_XCRYPT_GENSALT_R) salt = make_crypt_salt ("$2a$", options->crypt_rounds, pamh, flags); if (salt != NULL) - newpassword = crypt_r (data->newpassword, salt, output); + { +#ifdef CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS + salt[2] = 'y'; +#endif + newpassword = crypt_r (data->newpassword, salt, output); + } else { __write_message (pamh, flags, PAM_ERROR_MSG, Index: pam_unix2-2.7.3/src/unix_auth.c =================================================================== --- pam_unix2-2.7.3/src/unix_auth.c.orig +++ pam_unix2-2.7.3/src/unix_auth.c @@ -126,7 +126,6 @@ int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, const char **argv) { - struct crypt_data output; int retval; int sp_buflen = 256; char *sp_buffer = alloca (sp_buflen); @@ -143,7 +142,6 @@ pam_sm_authenticate (pam_handle_t *pamh, options_t options; int ask_user, ask_password; - memset (&output, 0, sizeof (output)); memset (&options, 0, sizeof (options)); if (get_options (pamh, &options, "auth", argc, argv) < 0) @@ -327,7 +325,7 @@ pam_sm_authenticate (pam_handle_t *pamh, *cp = '\0'; } - if (strcmp (crypt_r (password, salt, &output), salt) != 0) + if (!__check_password_match(salt, password, &options)) { if (options.debug) pam_syslog (pamh, LOG_DEBUG, "wrong password, return PAM_AUTH_ERR"); ++++++ pam_unix2-2.7.3-retvalmagic.diff ++++++ >From f0e1dcc08789da62c26236e3bc0e3b68ba6d0fd0 Mon Sep 17 00:00:00 2001 From: Ludwig Nussel <ludwig.nussel(a)suse.de> Date: Wed, 20 Jul 2011 11:16:56 +0200 Subject: [PATCH] catch retval magic by ow-crypt/libxcrypt Instead of returning NULL ow-crypt's retval magic returns "*0" or "*1". --- src/unix_passwd.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) Index: pam_unix2-2.7.3/src/unix_passwd.c =================================================================== --- pam_unix2-2.7.3/src/unix_passwd.c.orig +++ pam_unix2-2.7.3/src/unix_passwd.c @@ -773,7 +773,9 @@ __do_setpass (pam_handle_t *pamh, int fl options->use_crypt); return PAM_AUTHTOK_ERR; } - if (newpassword == NULL) + if (newpassword == NULL + /* catch retval magic by ow-crypt/libxcrypt */ + || !strcmp(newpassword, "*0") || !strcmp(newpassword, "*1")) { __write_message (pamh, flags, PAM_ERROR_MSG, _("crypt_r() returns NULL pointer")); ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit libxcrypt for openSUSE:11.3
by root＠hilbert.suse.de 29 Jul '11

29 Jul '11

Hello community, here is the log from the commit of package libxcrypt for openSUSE:11.3 checked in at Fri Jul 29 18:06:49 CEST 2011. Patchinfo file has no description Patchinfo file has no description Patchinfo file has no description -------- --- old-versions/11.3/all/libxcrypt/libxcrypt.changes 2009-12-12 18:27:55.000000000 +0100 +++ 11.3/libxcrypt/libxcrypt.changes 2011-07-20 12:00:55.000000000 +0200 @@ -1,0 +2,12 @@ +Tue Jul 19 15:45:39 UTC 2011 - lnussel(a)suse.de + +- update crypt_blowfish to version 1.2 (bnc#700876, CVE-2011-2483) + * due to the signedness bug fix 2a hashes are incompatible with + previous versions if the password contains 8bit chracters! + +------------------------------------------------------------------- +Mon Jun 28 06:38:35 UTC 2010 - jengelh(a)medozas.de + +- use %_smp_mflags + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.3/all/libxcrypt Destination is old-versions/11.3/UPDATES/all/libxcrypt calling whatdependson for 11.3-i586 New: ---- crypt_blowfish-1.2.tar.gz crypt_blowfish-1.2.tar.gz.sign libxcrypt-3.0.4-blowfish-Makefile.in.diff libxcrypt-3.0.4-blowfish-noasm.diff libxcrypt-3.0.4-blowfish-xcrypt.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxcrypt.spec ++++++ --- /var/tmp/diff_new_pack.k0kktU/_old 2011-07-29 18:06:26.000000000 +0200 +++ /var/tmp/diff_new_pack.k0kktU/_new 2011-07-29 18:06:26.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package libxcrypt (Version 3.0.3) +# spec file for package libxcrypt # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,6 +17,7 @@ # norootforbuild +%define crypt_bf_version 1.2 Name: libxcrypt License: LGPLv2.1+ ; Public Domain, Freeware @@ -27,11 +28,19 @@ Obsoletes: libxcrypt-64bit %endif Version: 3.0.3 -Release: 2 +Release: 5.<RELEASE2> Summary: Crypt Library for DES, MD5, Blowfish and others +Url: http://www.openwall.com/crypt/ Source: libxcrypt-%{version}.tar.bz2 -Source2: baselibs.conf +Source1: %{url}crypt_blowfish-%{crypt_bf_version}.tar.gz +Source2: %{url}crypt_blowfish-%{crypt_bf_version}.tar.gz.sign +Source3: baselibs.conf +Patch1: libxcrypt-3.0.4-blowfish-noasm.diff +Patch2: libxcrypt-3.0.4-blowfish-xcrypt.diff +# just patching Makefile.in to avoid autoreconf +Patch3: libxcrypt-3.0.4-blowfish-Makefile.in.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build +Provides: libxcrypt-crypt_blowfish = 1.2 %description Libxcrypt is a replacement for libcrypt, which comes with the GNU C @@ -62,13 +71,18 @@ %prep -%setup -q +%setup -q -a1 +%patch1 -p0 +%patch2 -p0 +%patch3 -p0 +cp crypt_blowfish-*/*.{c,h} plugins/blowfish +mv plugins/blowfish/wrapper.c plugins/blowfish/blowfish-test.c %build ./configure CFLAGS="$RPM_OPT_FLAGS -Wno-cast-align" \ --prefix=%{_prefix} \ --libdir=/%{_lib} --disable-static -make %{?jobs:-j%jobs} +make %{?_smp_mflags} %check %ifnarch %arm @@ -83,6 +97,9 @@ rm $RPM_BUILD_ROOT/%{_lib}/xcrypt/lib*.{so,la} ln -sf ../../%{_lib}/libxcrypt.so.2 $RPM_BUILD_ROOT%{_libdir}/libxcrypt.so /sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib}/ +# +ln -s libxcrypt_2a.so.1 $RPM_BUILD_ROOT/%{_lib}/xcrypt/libxcrypt_2y.so.1 +ln -s libxcrypt_2a.so.1 $RPM_BUILD_ROOT/%{_lib}/xcrypt/libxcrypt_2x.so.1 %clean rm -rf $RPM_BUILD_ROOT ++++++ libxcrypt-3.0.4-blowfish-Makefile.in.diff ++++++ Index: plugins/blowfish/Makefile.in =================================================================== --- plugins/blowfish/Makefile.in.orig +++ plugins/blowfish/Makefile.in @@ -234,8 +234,8 @@ libxcrypt_2a_la_LDFLAGS = -version-info plugin_LTLIBRARIES = libxcrypt_2a.la libxcrypt_2a_la_SOURCES = crypt_blowfish.c -blowfish_test_CFLAGS = $(AM_CFLAGS) -DTEST_THREADS=10 -blowfish_test_LDADD = libxcrypt_2a.la -lpthread +blowfish_test_CFLAGS = $(AM_CFLAGS) -DTEST -DTEST_THREADS=4 -DXCRYPT +blowfish_test_LDADD = libxcrypt_2a.la -ldl -lpthread all: all-am .SUFFIXES: ++++++ libxcrypt-3.0.4-blowfish-noasm.diff ++++++ Index: crypt_blowfish-1.2/crypt_blowfish.c =================================================================== --- crypt_blowfish-1.2/crypt_blowfish.c.orig +++ crypt_blowfish-1.2/crypt_blowfish.c @@ -54,7 +54,7 @@ #include "crypt_blowfish.h" #ifdef __i386__ -#define BF_ASM 1 +#define BF_ASM 0 #define BF_SCALE 1 #elif defined(__x86_64__) || defined(__alpha__) || defined(__hppa__) #define BF_ASM 0 ++++++ libxcrypt-3.0.4-blowfish-xcrypt.diff ++++++ Index: crypt_blowfish-1.2/crypt_blowfish.c =================================================================== --- crypt_blowfish-1.2/crypt_blowfish.c.orig +++ crypt_blowfish-1.2/crypt_blowfish.c @@ -44,6 +44,7 @@ */ #include <string.h> +#include <stdio.h> #include <errno.h> #ifndef __set_errno @@ -64,6 +65,10 @@ #define BF_SCALE 0 #endif +#include "xcrypt-plugin.h" +#define _crypt_blowfish_rn __crypt_r +#include <dlfcn.h> + typedef unsigned int BF_word; typedef signed int BF_word_signed; @@ -900,3 +905,23 @@ char *_crypt_gensalt_blowfish_rn(const c return output; } + +/* dirty hack */ +static const char* _find_prefix(const char* prefix) +{ + Dl_info info; + if (dladdr(_find_prefix, &info) && strlen(info.dli_fname) > 8) + { + const char* sfx = info.dli_fname+strlen(info.dli_fname)-8; + if (!strncmp(sfx, "_2y.", 4)) + prefix = "$2y$"; + else if (!strncmp(sfx, "_2x.", 4)) + prefix = "$2x$"; + } + return prefix; +} + +char *__crypt_gensalt_r (unsigned long count, __const char *input, int size, char *output, int output_size) +{ + return _crypt_gensalt_blowfish_rn(_find_prefix("$2a$"), count, input, size, output, output_size); +} Index: crypt_blowfish-1.2/wrapper.c =================================================================== --- crypt_blowfish-1.2/wrapper.c.orig +++ crypt_blowfish-1.2/wrapper.c @@ -37,13 +37,19 @@ #define CRYPT_OUTPUT_SIZE (7 + 22 + 31 + 1) #define CRYPT_GENSALT_OUTPUT_SIZE (7 + 22 + 1) -#if defined(__GLIBC__) && defined(_LIBC) #define __SKIP_GNU -#endif +#include "xcrypt.h" +#include "xcrypt-plugin.h" #include "ow-crypt.h" #include "crypt_blowfish.h" +#ifndef XCRYPT #include "crypt_gensalt.h" +#else +#define _crypt_blowfish_rn __crypt_r +#undef crypt_r +char *crypt_r(const char *key, const char *setting, void *data); +#endif #if defined(__GLIBC__) && defined(_LIBC) /* crypt.h from glibc-crypt-2.1 will define struct crypt_data for us */ @@ -197,6 +203,7 @@ char *crypt(const char *key, const char #define __crypt_gensalt crypt_gensalt #endif +#ifndef XCRYPT char *__crypt_gensalt_rn(const char *prefix, unsigned long count, const char *input, int size, char *output, int output_size) { @@ -231,6 +238,13 @@ char *__crypt_gensalt_rn(const char *pre return use(prefix, count, input, size, output, output_size); } +#else +char *__crypt_gensalt_rn(const char *prefix __attribute__((unused)), unsigned long count, + const char *input, int size, char *output, int output_size) +{ + return __crypt_gensalt_r(count, input, size, output, output_size); +} +#endif char *__crypt_gensalt_ra(const char *prefix, unsigned long count, const char *input, int size) @@ -542,4 +556,21 @@ int main(void) return 0; } +#endif + +#ifdef XCRYPT +int _crypt_output_magic(const char *setting, char *output, int size) +{ + if (size < 3) + return -1; + + output[0] = '*'; + output[1] = '0'; + output[2] = '\0'; + + if (setting[0] == '*' && setting[1] == '0') + output[1] = '1'; + + return 0; +} #endif Index: plugins/blowfish/Makefile.am =================================================================== --- plugins/blowfish/Makefile.am.orig +++ plugins/blowfish/Makefile.am @@ -25,5 +25,5 @@ libxcrypt_2a_la_SOURCES = crypt_blowfish noinst_PROGRAMS = blowfish-test -blowfish_test_CFLAGS = $(AM_CFLAGS) -DTEST_THREADS=10 -blowfish_test_LDADD = libxcrypt_2a.la -lpthread +blowfish_test_CFLAGS = $(AM_CFLAGS) -DTEST -DTEST_THREADS=4 -DXCRYPT +blowfish_test_LDADD = libxcrypt_2a.la -ldl -lpthread ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0