Hello community, here is the log from the commit of package pam-modules for openSUSE:11.4 checked in at Fri Jul 29 18:11:55 CEST 2011. Patchinfo file has no description Patchinfo file has no description Patchinfo file has no description -------- --- old-versions/11.4/all/pam-modules/pam-modules.changes 2010-08-11 12:48:07.000000000 +0200 +++ 11.4/pam-modules/pam-modules.changes 2011-07-20 10:29:41.000000000 +0200 @@ -1,0 +2,6 @@ +Wed Jul 20 08:29:05 UTC 2011 - lnussel@suse.de + +- add compat mode options to deal with crypt_blowfish signedness bug + (bnc#700876, CVE-2011-2483) + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/pam-modules Destination is old-versions/11.4/UPDATES/all/pam-modules calling whatdependson for 11.4-i586 New: ---- pam_unix2-2.7.4-CVE-2011-2483.diff pam_unix2-2.7.4-retvalmagic.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam-modules.spec ++++++ --- /var/tmp/diff_new_pack.jx2X0A/_old 2011-07-29 18:11:44.000000000 +0200 +++ /var/tmp/diff_new_pack.jx2X0A/_new 2011-07-29 18:11:44.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package pam-modules (Version 11.4) +# spec file for package pam-modules # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -26,7 +26,7 @@ Name: pam-modules Summary: Additional PAM Modules Version: 11.4 -Release: 1 +Release: 3.<RELEASE4> License: BSD3c ; GPLv2+ Group: System/Libraries AutoReqProv: on @@ -41,9 +41,12 @@ Source50: dlopen.sh # Patch: pam-modules-10.3-pam_make-fix-open.dif +Patch1: pam_unix2-2.7.4-CVE-2011-2483.diff +Patch2: pam_unix2-2.7.4-retvalmagic.diff # BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: permissions +Requires: libxcrypt-crypt_blowfish >= 1.2 BuildRequires: libxcrypt-devel pam-devel BuildRequires: cracklib-devel %if %{enable_selinux} @@ -67,11 +70,17 @@ %prep %setup -q -c %{name} -b1 -b2 -b5 %patch +%patch1 -p0 +%patch2 -p0 %build +pushd pam_unix2-* +autoreconf -f +popd for i in * ; do cd $i; CFLAGS="$RPM_OPT_FLAGS" ./configure --enable-selinux \ + --enable-blowfish-bug-compatmode \ --libdir=/%{_lib} --mandir=%{_mandir} make %{?_smp_mflags} cd .. ++++++ pam_unix2-2.7.4-CVE-2011-2483.diff ++++++
From 7a3e5fd2d79657674e72212ad13ea350d72e8306 Mon Sep 17 00:00:00 2001 From: Ludwig Nussel
Date: Wed, 13 Jul 2011 08:50:58 +0200 Subject: [PATCH 4/4] add workarounds for blowfish signedness bug
The option BLOWFISH_2a2x allows to enable compat modes.
---
configure.in | 18 +++++++++++++++++-
etc/passwd | 16 ++++++++++++++++
src/get_options.c | 11 +++++++++++
src/public.h | 4 ++++
src/support.c | 30 ++++++++++++++++++++++++++++++
src/unix_auth.c | 8 +-------
src/unix_passwd.c | 10 +++++++---
7 files changed, 86 insertions(+), 11 deletions(-)
Index: pam_unix2-2.7.4/configure.in
===================================================================
--- pam_unix2-2.7.4/configure.in.orig
+++ pam_unix2-2.7.4/configure.in
@@ -4,6 +4,7 @@ AM_INIT_AUTOMAKE
AC_CONFIG_SRCDIR([src/support.c])
AM_CONFIG_HEADER(config.h)
AC_PREFIX_DEFAULT(/usr)
+AM_GNU_GETTEXT_VERSION(0.12)
dnl Set of available languages.
@@ -48,13 +49,29 @@ dnl Should we compile with SELinux suppo
AC_ARG_ENABLE([selinux],
AC_HELP_STRING([--disable-selinux],[Enable SELinux support (default=yes)]),
WITH_SELINUX=$enableval, WITH_SELINUX=yes)
-if test "$WITH_SELINUX" == "yes" ; then
+if test "$WITH_SELINUX" = "yes" ; then
AC_CHECK_LIB(selinux,is_selinux_enabled,
[AC_DEFINE(WITH_SELINUX,1,
[Define if you want to compile in SELinux support])
LIBS="$LIBS -lselinux"])
fi
+AC_ARG_ENABLE([blowfish-bug-workaround],
+ AC_HELP_STRING([--disable-blowfish-bug-workaround],[Enable workarounds for blowfish signedness bug]),
+ CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS=$enableval, CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS=yes)
+if test "$CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS" = "yes" ; then
+ AC_DEFINE(CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS,1,
+ [Define if you want to enable workarounds for blowfish signedness bug])
+fi
+
+AC_ARG_ENABLE([blowfish-bug-compatmode],
+ AC_HELP_STRING([--enable-blowfish-bug-compatmode],[Enable blowfish compat mode by default]),
+ CRYPT_BLOWFISH_COMPATMODE=$enableval, CRYPT_BLOWFISH_COMPATMODE=no)
+if test "$CRYPT_BLOWFISH_COMPATMODE" = "yes" ; then
+ AC_DEFINE(CRYPT_BLOWFISH_COMPATMODE,1,
+ [Define if you want to enable blowfish compat mode by default])
+fi
+
dnl Check standard headers
AC_HEADER_STDC
AC_CHECK_HEADERS(xcrypt.h crypt.h)
Index: pam_unix2-2.7.4/etc/passwd
===================================================================
--- pam_unix2-2.7.4/etc/passwd.orig
+++ pam_unix2-2.7.4/etc/passwd
@@ -25,3 +25,19 @@ BLOWFISH_CRYPT_FILES=5
# For NIS, we should always use DES:
CRYPT_YP=des
+# In June 2011 it was discovered that the Linux crypt_blowfish
+# implementation contained a bug that made passwords with non-ASCII
+# characters easier to crack (CVE-2011-2483). Affected passwords are
+# also incompatible with the original, correct OpenBSD
+# implementation. Therefore the $2a hash identifier previously used
+# for blowfish now is ambiguous as it could mean the hash was
+# generated with the correct implementation on OpenBSD or the buggy
+# one on Linux. To avoid the ambiguity two new identifier were
+# introduced. $2x now explicitly identifies hashes that were
+# generated with the buggy algorithm while $2y is used for hashes
+# generated with the correct algorithm. New passwords are now
+# generated with the $2y identifier.
+#
+# Setting the following option to "yes" tells the sytem that $2a
+# hashes are to be treated as generated with the buggy algorithm.
+BLOWFISH_2a2x=
Index: pam_unix2-2.7.4/src/get_options.c
===================================================================
--- pam_unix2-2.7.4/src/get_options.c.orig
+++ pam_unix2-2.7.4/src/get_options.c
@@ -138,6 +138,17 @@ get_options (pam_handle_t *pamh, options
/* Set some default values, which could be overwritten later. */
options->use_crypt = NONE;
+#ifdef CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS
+ options->blowfish_2a2x = getlogindefs_bool("BLOWFISH_2a2x",
+#ifdef CRYPT_BLOWFISH_COMPATMODE
+ 1
+#else
+ 0
+#endif
+ );
+ free_getlogindefs_data();
+#endif
+
/* Parse parameters for module */
for ( ; argc-- > 0; argv++)
parse_option (pamh, *argv, type, options);
Index: pam_unix2-2.7.4/src/public.h
===================================================================
--- pam_unix2-2.7.4/src/public.h.orig
+++ pam_unix2-2.7.4/src/public.h
@@ -68,6 +68,7 @@ struct options_t {
int nullok;
int use_authtok;
int use_first_pass;
+ int blowfish_2a2x;
char **use_other_modules;
char *nisdir;
crypt_t use_crypt;
@@ -86,6 +87,9 @@ extern int __call_other_module(pam_handl
const char *mod_name, const char *func_name,
options_t *options);
+extern int __check_password_match (const char *hash, const char *pass,
+ options_t *options);
+
extern int get_options (pam_handle_t *pamh, options_t *options,
const char *type, int argc, const char **argv);
Index: pam_unix2-2.7.4/src/support.c
===================================================================
--- pam_unix2-2.7.4/src/support.c.orig
+++ pam_unix2-2.7.4/src/support.c
@@ -48,6 +48,12 @@
#include
From f0e1dcc08789da62c26236e3bc0e3b68ba6d0fd0 Mon Sep 17 00:00:00 2001 From: Ludwig Nussel
Date: Wed, 20 Jul 2011 11:16:56 +0200 Subject: [PATCH] catch retval magic by ow-crypt/libxcrypt
Instead of returning NULL ow-crypt's retval magic returns "*0" or "*1". --- src/unix_passwd.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) Index: pam_unix2-2.7.4/src/unix_passwd.c =================================================================== --- pam_unix2-2.7.4/src/unix_passwd.c.orig +++ pam_unix2-2.7.4/src/unix_passwd.c @@ -773,7 +773,9 @@ __do_setpass (pam_handle_t *pamh, int fl options->use_crypt); return PAM_AUTHTOK_ERR; } - if (newpassword == NULL) + if (newpassword == NULL + /* catch retval magic by ow-crypt/libxcrypt */ + || !strcmp(newpassword, "*0") || !strcmp(newpassword, "*1")) { __write_message (pamh, flags, PAM_ERROR_MSG, _("crypt_r() returns NULL pointer")); ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org