commit pam-modules for openSUSE:11.3

29 Jul 2011

Hello community,

here is the log from the commit of package pam-modules for openSUSE:11.3
checked in at Fri Jul 29 18:07:01 CEST 2011.

Patchinfo file has no description
Patchinfo file has no description
Patchinfo file has no description


--------

--- old-versions/11.3/all/pam-modules/pam-modules.changes	2009-12-12 20:22:24.000000000 +0100
+++ 11.3/pam-modules/pam-modules.changes	2011-07-20 17:12:26.000000000 +0200
@@ -1,0 +2,6 @@
+Wed Jul 20 15:11:44 UTC 2011 - lnussel@suse.de
+
+- add compat mode options to deal with crypt_blowfish signedness bug
+  (bnc#700876, CVE-2011-2483)
+
+-------------------------------------------------------------------

Package does not exist at destination yet. Using Fallback old-versions/11.3/all/pam-modules
Destination is old-versions/11.3/UPDATES/all/pam-modules
calling whatdependson for 11.3-i586


New:
----
  pam_unix2-2.7.3-CVE-2011-2483.diff
  pam_unix2-2.7.3-retvalmagic.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pam-modules.spec ++++++
--- /var/tmp/diff_new_pack.VEjgNq/_old	2011-07-29 18:06:38.000000000 +0200
+++ /var/tmp/diff_new_pack.VEjgNq/_new	2011-07-29 18:06:38.000000000 +0200
@@ -1,7 +1,7 @@
 #
-# spec file for package pam-modules (Version 11.2)
+# spec file for package pam-modules
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,8 +25,8 @@
 
 Name:           pam-modules
 Summary:        Additional PAM Modules
-Version:        11.2
-Release:        4
+Version:        11.3
+Release:        0.<RELEASE2>
 License:        BSD3c ; GPLv2+
 Group:          System/Libraries
 AutoReqProv:    on
@@ -41,9 +41,12 @@
 Source50:       dlopen.sh
 #
 Patch:          pam-modules-10.3-pam_make-fix-open.dif
+Patch1:         pam_unix2-2.7.3-CVE-2011-2483.diff
+Patch2:         pam_unix2-2.7.3-retvalmagic.diff
 #
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         permissions
+Requires:       libxcrypt-crypt_blowfish >= 1.2
 BuildRequires:  libxcrypt-devel pam-devel
 BuildRequires:  cracklib-devel
 %if %{enable_selinux}
@@ -67,11 +70,17 @@
 %prep
 %setup -q -c %{name} -b1 -b2 -b5 
 %patch
+%patch1 -p0
+%patch2 -p0
 
 %build
+pushd pam_unix2-*
+autoreconf -f
+popd
 for i in * ; do
   cd $i;
   CFLAGS="$RPM_OPT_FLAGS" ./configure --enable-selinux \
+		--enable-blowfish-bug-compatmode \
 		--libdir=/%{_lib} --mandir=%{_mandir}
   make %{?_smp_mflags}
   cd ..

++++++ pam_unix2-2.7.3-CVE-2011-2483.diff ++++++
...
From 7a3e5fd2d79657674e72212ad13ea350d72e8306 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <ludwig.nussel@suse.de>
Date: Wed, 13 Jul 2011 08:50:58 +0200
Subject: [PATCH 4/4] add workarounds for blowfish signedness bug
The option BLOWFISH_2a2x allows to enable compat modes.
---
 configure.in      |   18 +++++++++++++++++-
 etc/passwd        |   16 ++++++++++++++++
 src/get_options.c |   11 +++++++++++
 src/public.h      |    4 ++++
 src/support.c     |   30 ++++++++++++++++++++++++++++++
 src/unix_auth.c   |    8 +-------
 src/unix_passwd.c |   10 +++++++---
 7 files changed, 86 insertions(+), 11 deletions(-)

Index: pam_unix2-2.7.3/configure.in
===================================================================
--- pam_unix2-2.7.3/configure.in.orig
+++ pam_unix2-2.7.3/configure.in
@@ -4,6 +4,7 @@ AM_INIT_AUTOMAKE
 AC_CONFIG_SRCDIR([src/support.c])
 AM_CONFIG_HEADER(config.h)
 AC_PREFIX_DEFAULT(/usr)
+AM_GNU_GETTEXT_VERSION(0.12)
 
 dnl Set of available languages.
 
@@ -48,13 +49,29 @@ dnl Should we compile with SELinux suppo
 AC_ARG_ENABLE([selinux],
    AC_HELP_STRING([--disable-selinux],[Enable SELinux support (default=yes)]),
    WITH_SELINUX=$enableval, WITH_SELINUX=yes)
-if test "$WITH_SELINUX" == "yes" ; then
+if test "$WITH_SELINUX" = "yes" ; then
    AC_CHECK_LIB(selinux,is_selinux_enabled,
         [AC_DEFINE(WITH_SELINUX,1,
                 [Define if you want to compile in SELinux support])
          LIBS="$LIBS -lselinux"])
 fi
 
+AC_ARG_ENABLE([blowfish-bug-workaround],
+   AC_HELP_STRING([--disable-blowfish-bug-workaround],[Enable workarounds for blowfish signedness bug]),
+   CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS=$enableval, CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS=yes)
+if test "$CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS" = "yes" ; then
+        AC_DEFINE(CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS,1,
+                [Define if you want to enable workarounds for blowfish signedness bug])
+fi
+
+AC_ARG_ENABLE([blowfish-bug-compatmode],
+   AC_HELP_STRING([--enable-blowfish-bug-compatmode],[Enable blowfish compat mode by default]),
+   CRYPT_BLOWFISH_COMPATMODE=$enableval, CRYPT_BLOWFISH_COMPATMODE=no)
+if test "$CRYPT_BLOWFISH_COMPATMODE" = "yes" ; then
+	AC_DEFINE(CRYPT_BLOWFISH_COMPATMODE,1,
+		[Define if you want to enable blowfish compat mode by default])
+fi
+
 dnl Check standard headers
 AC_HEADER_STDC
 AC_CHECK_HEADERS(xcrypt.h crypt.h)
Index: pam_unix2-2.7.3/etc/passwd
===================================================================
--- pam_unix2-2.7.3/etc/passwd.orig
+++ pam_unix2-2.7.3/etc/passwd
@@ -25,3 +25,19 @@ BLOWFISH_CRYPT_FILES=5
 # For NIS, we should always use DES:
 CRYPT_YP=des
 
+# In June 2011 it was discovered that the Linux crypt_blowfish
+# implementation contained a bug that made passwords with non-ASCII
+# characters easier to crack (CVE-2011-2483). Affected passwords are
+# also incompatible with the original, correct OpenBSD
+# implementation. Therefore the $2a hash identifier previously used
+# for blowfish now is ambiguous as it could mean the hash was
+# generated with the correct implementation on OpenBSD or the buggy
+# one on Linux. To avoid the ambiguity two new identifier were
+# introduced. $2x now explicitly identifies hashes that were
+# generated with the buggy algorithm while $2y is used for hashes
+# generated with the correct algorithm. New passwords are now
+# generated with the $2y identifier.
+#
+# Setting the following option to "yes" tells the sytem that $2a
+# hashes are to be treated as generated with the buggy algorithm.
+BLOWFISH_2a2x=
Index: pam_unix2-2.7.3/src/get_options.c
===================================================================
--- pam_unix2-2.7.3/src/get_options.c.orig
+++ pam_unix2-2.7.3/src/get_options.c
@@ -138,6 +138,17 @@ get_options (pam_handle_t *pamh, options
   /* Set some default values, which could be overwritten later.  */
   options->use_crypt = NONE;
 
+#ifdef CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS
+  options->blowfish_2a2x = getlogindefs_bool("BLOWFISH_2a2x",
+#ifdef CRYPT_BLOWFISH_COMPATMODE
+    1
+#else
+    0
+#endif
+    );
+  free_getlogindefs_data();
+#endif
+
   /* Parse parameters for module */
   for ( ; argc-- > 0; argv++)
     parse_option (pamh, *argv, type, options);
Index: pam_unix2-2.7.3/src/public.h
===================================================================
--- pam_unix2-2.7.3/src/public.h.orig
+++ pam_unix2-2.7.3/src/public.h
@@ -68,6 +68,7 @@ struct options_t {
   int nullok;
   int use_authtok;
   int use_first_pass;
+  int blowfish_2a2x;
   char **use_other_modules;
   char *nisdir;
   crypt_t use_crypt;
@@ -86,6 +87,9 @@ extern int __call_other_module(pam_handl
 			const char *mod_name, const char *func_name,
 			options_t *options);
 
+extern int __check_password_match (const char *hash, const char *pass,
+			options_t *options);
+
 extern int get_options (pam_handle_t *pamh, options_t *options,
 			const char *type, int argc, const char **argv);
 
Index: pam_unix2-2.7.3/src/support.c
===================================================================
--- pam_unix2-2.7.3/src/support.c.orig
+++ pam_unix2-2.7.3/src/support.c
@@ -48,6 +48,12 @@
 #include <security/pam_ext.h>
 #endif
 
+#if defined(HAVE_XCRYPT_H)
+#include <xcrypt.h>
+#elif defined(HAVE_CRYPT_H)
+#include <crypt.h>
+#endif
+
 #include "public.h"
 
 int
@@ -312,3 +318,28 @@ struct pam_module _pam_unix2_modstruct =
   pam_sm_chauthtok
 };
 #endif
+
+int
+__check_password_match (const char *hash, const char *pass, options_t *options)
+{
+  struct crypt_data output;
+  char *h = NULL;
+  int r;
+
+  memset (&output, 0, sizeof (output));
+
+#ifdef CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS
+  if ((options->blowfish_2a2x)
+    && !strncmp(hash, "$2a$", 4))
+    {
+      h = strdupa(hash);
+      h[2] = 'x';
+      hash = h;
+    }
+#endif
+
+  r = (strcmp (hash, crypt_r (pass, hash, &output)) == 0);
+  if (h)
+    _pam_overwrite(h);
+  return r;
+}
Index: pam_unix2-2.7.3/src/unix_passwd.c
===================================================================
--- pam_unix2-2.7.3/src/unix_passwd.c.orig
+++ pam_unix2-2.7.3/src/unix_passwd.c
@@ -253,8 +253,7 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
 
   /* Check if the old password was correct.  */
   if ((getuid () || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) &&
-      strcmp (data->oldpassword,
-	      crypt_r (oldpass, data->oldpassword, &output)) != 0)
+      !__check_password_match(data->oldpassword, oldpass, &options))
     {
       if (options.debug)
 	pam_syslog (pamh, LOG_DEBUG,
@@ -713,7 +712,12 @@ __do_setpass (pam_handle_t *pamh, int fl
 #if defined(HAVE_XCRYPT_GENSALT_R)
       salt = make_crypt_salt ("$2a$", options->crypt_rounds, pamh, flags);
       if (salt != NULL)
-	newpassword = crypt_r (data->newpassword, salt, output);
+	{
+#ifdef CRYPT_BLOWFISH_SIGNEDNESS_BUG_WORKAROUNDS
+	  salt[2] = 'y';
+#endif
+	  newpassword = crypt_r (data->newpassword, salt, output);
+	}
       else
 	{
 	  __write_message (pamh, flags, PAM_ERROR_MSG,
Index: pam_unix2-2.7.3/src/unix_auth.c
===================================================================
--- pam_unix2-2.7.3/src/unix_auth.c.orig
+++ pam_unix2-2.7.3/src/unix_auth.c
@@ -126,7 +126,6 @@ int
 pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc,
 		     const char **argv)
 {
-  struct crypt_data output;
   int retval;
   int sp_buflen = 256;
   char *sp_buffer = alloca (sp_buflen);
@@ -143,7 +142,6 @@ pam_sm_authenticate (pam_handle_t *pamh,
   options_t options;
   int ask_user, ask_password;
 
-  memset (&output, 0, sizeof (output));
   memset (&options, 0, sizeof (options));
 
   if (get_options (pamh, &options, "auth", argc, argv) < 0)
@@ -327,7 +325,7 @@ pam_sm_authenticate (pam_handle_t *pamh,
       *cp = '\0';
     }
 
-  if (strcmp (crypt_r (password, salt, &output), salt) != 0)
+  if (!__check_password_match(salt, password, &options))
     {
       if (options.debug)
 	pam_syslog (pamh, LOG_DEBUG, "wrong password, return PAM_AUTH_ERR");
++++++ pam_unix2-2.7.3-retvalmagic.diff ++++++
...
From f0e1dcc08789da62c26236e3bc0e3b68ba6d0fd0 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <ludwig.nussel@suse.de>
Date: Wed, 20 Jul 2011 11:16:56 +0200
Subject: [PATCH] catch retval magic by ow-crypt/libxcrypt
Instead of returning NULL ow-crypt's retval magic returns "*0" or
"*1".
---
 src/unix_passwd.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

Index: pam_unix2-2.7.3/src/unix_passwd.c
===================================================================
--- pam_unix2-2.7.3/src/unix_passwd.c.orig
+++ pam_unix2-2.7.3/src/unix_passwd.c
@@ -773,7 +773,9 @@ __do_setpass (pam_handle_t *pamh, int fl
 		       options->use_crypt);
       return PAM_AUTHTOK_ERR;
     }
-  if (newpassword == NULL)
+  if (newpassword == NULL
+  /* catch retval magic by ow-crypt/libxcrypt */
+  || !strcmp(newpassword, "*0") || !strcmp(newpassword, "*1"))
     {
       __write_message (pamh, flags, PAM_ERROR_MSG,
 		       _("crypt_r() returns NULL pointer"));

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...

-- 
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org

    

root＠hilbert.suse.de

tags

participants (1)