commit pam for openSUSE:Factory
Hello community, here is the log from the commit of package pam for openSUSE:Factory checked in at 2018-12-03 10:02:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pam (Old) and /work/SRC/openSUSE:Factory/.pam.new.19453 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam" Mon Dec 3 10:02:42 2018 rev:94 rq:651302 version:1.3.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/pam/pam.changes 2018-11-05 22:47:03.592688065 +0100
+++ /work/SRC/openSUSE:Factory/.pam.new.19453/pam.changes 2018-12-03 10:02:42.544131686 +0100
@@ -1,0 +2,10 @@
+Thu Nov 15 15:41:08 UTC 2018 - josef.moellers@suse.com
+
+- When comparing an incoming IP address with an entry in
+ access.conf that only specified a single host (ie no netmask),
+ the incoming IP address was used rather than the IP address from
+ access.conf, effectively comparing the incoming address with
+ itself. (Also fixed a small typo while I was at it)
+ {bsc#1115640, use-correct-IP-address.patch, CVE-2018-17953]
+
+-------------------------------------------------------------------
New:
----
use-correct-IP-address.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pam.spec ++++++
--- /var/tmp/diff_new_pack.w53hbT/_old 2018-12-03 10:02:43.468130845 +0100
+++ /var/tmp/diff_new_pack.w53hbT/_new 2018-12-03 10:02:43.468130845 +0100
@@ -66,6 +66,7 @@
 Patch2: pam-limit-nproc.patch
 Patch3: encryption_method_nis.diff
 Patch4: pam-hostnames-in-access_conf.patch
+Patch5: use-correct-IP-address.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: libdb-4_8-devel
 # Remove with next version update:
@@ -118,6 +119,7 @@ %patch2 -p1 %patch3 -p0 %patch4 -p0 +%patch5 -p1 %build autoreconf -fiv ++++++ use-correct-IP-address.patch ++++++ Index: Linux-PAM-1.3.1/modules/pam_access/pam_access.c =================================================================== --- Linux-PAM-1.3.1.orig/modules/pam_access/pam_access.c +++ Linux-PAM-1.3.1/modules/pam_access/pam_access.c @@ -716,7 +716,7 @@ network_netmask_match (pam_handle_t *pam if (item->debug) pam_syslog (pamh, LOG_DEBUG, - "network_netmask_match: tok=%s, item=%s", tok, string); + "network_netmask_match: tok=%s, string=%s", tok, string); /* OK, check if tok is of type addr/mask */ if ((netmask_ptr = strchr(tok, '/')) != NULL) @@ -734,7 +734,7 @@ network_netmask_match (pam_handle_t *pam /* check netmask */ if (isipaddr(netmask_ptr, NULL, NULL) == NO) - { /* netmask as integre value */ + { /* netmask as integer value */ char *endptr = NULL; netmask = strtol(netmask_ptr, &endptr, 0); if ((endptr == netmask_ptr) || (*endptr != '\0')) @@ -778,9 +778,9 @@ network_netmask_match (pam_handle_t *pam ai = NULL; /* just to be on the safe side */ - if (getaddrinfo (string, NULL, &hint, &ai) != 0) + if (getaddrinfo (tok, NULL, &hint, &ai) != 0) { - pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", string); + pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok); return NO; }
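Review bot: The failure branch after the corrected `getaddrinfo (tok, NULL, &hint, &ai)` call in the last hunk returns `NO`, which reads as "entry does not match", so an access.conf entry whose host cannot be resolved is skipped rather than treated as an error. If the caller applies that result to a `-` (deny) entry, as it appears to, a resolver outage would let the connection past that rule. A comment on the branch would make this explicit, for example `/* unresolvable tok => no match; a deny entry naming a host therefore fails open */`, and the LOG_ERR line is worth covering with alerting. The contents of `hint` are set outside this hunk; if `tok` can only be a literal address on this path, setting `AI_NUMERICHOST` in `hint.ai_flags` would keep configuration data from triggering DNS lookups during authentication. `network_netmask_match` starts and ends outside the hunk, so how `ai` is compared and freed cannot be checked from here.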