Respect USE=pie #459784 by Agostino Sarubbo. Change ISA dir to "." #464016 by Michał Górny. Fix from upstream for password case checks #493432 by Agostino Sarubbo. Fix from upstream for timestamp handling #505604 by Agostino Sarubbo. Install docs to the right path #533332 by Chris Mayo.

(Portage version: 2.2.19/cvs/Linux x86_64, signed Manifest commit with key D2E96200)

4 files changed, 315 insertions, 2 deletions

diff --git a/sys-libs/pam/ChangeLog b/sys-libs/pam/ChangeLog
index 6b82df44a97f..6f42f0571035 100644
--- a/sys-libs/pam/ChangeLog
+++ b/sys-libs/pam/ChangeLog
@@ -1,6 +1,16 @@
 # ChangeLog for sys-libs/pam
-# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-libs/pam/ChangeLog,v 1.348 2014/10/27 01:43:30 vapier Exp $
+# Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/pam/ChangeLog,v 1.349 2015/05/17 03:17:27 vapier Exp $
+
+*pam-1.1.8-r3 (17 May 2015)
+
+  17 May 2015; Mike Frysinger <vapier@gentoo.org>
+  +files/pam-1.1.8-CVE-2013-7041.patch, +files/pam-1.1.8-CVE-2014-2583.patch,
+  +pam-1.1.8-r3.ebuild:
+  Respect USE=pie #459784 by Agostino Sarubbo.  Change ISA dir to "." #464016 by
+  Michał Górny.  Fix from upstream for password case checks #493432 by Agostino
+  Sarubbo.  Fix from upstream for timestamp handling #505604 by Agostino
+  Sarubbo.  Install docs to the right path #533332 by Chris Mayo.
 
   27 Oct 2014; Mike Frysinger <vapier@gentoo.org> pam-1.1.8-r2.ebuild:
   Mark arm64/m68k/s390/sh stable.
diff --git a/sys-libs/pam/files/pam-1.1.8-CVE-2013-7041.patch b/sys-libs/pam/files/pam-1.1.8-CVE-2013-7041.patch
new file mode 100644
index 000000000000..f540c6ff445d
--- /dev/null
+++ b/sys-libs/pam/files/pam-1.1.8-CVE-2013-7041.patch
@@ -0,0 +1,52 @@
+From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Fri, 24 Jan 2014 22:18:32 +0000
+Subject: [PATCH] pam_userdb: fix password hash comparison
+
+Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
+passwords support in pam_userdb, hashes are compared case-insensitively.
+This bug leads to accepting hashes for completely different passwords in
+addition to those that should be accepted.
+
+Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
+modern password hashes with different lengths and settings, did not
+update the hash comparison accordingly, which leads to accepting
+computed hashes longer than stored hashes when the latter is a prefix
+of the former.
+
+* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
+hash whose length differs from the stored hash length.
+Compare computed and stored hashes case-sensitively.
+Fixes CVE-2013-7041.
+
+Bug-Debian: http://bugs.debian.org/731368
+---
+ modules/pam_userdb/pam_userdb.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
+index de8b5b1..ff040e6 100644
+--- a/modules/pam_userdb/pam_userdb.c
++++ b/modules/pam_userdb/pam_userdb.c
+@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
+ 	  } else {
+ 	    cryptpw = crypt (pass, data.dptr);
+ 
+-	    if (cryptpw) {
+-	      compare = strncasecmp (data.dptr, cryptpw, data.dsize);
++	    if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
++	      compare = memcmp(data.dptr, cryptpw, data.dsize);
+ 	    } else {
+ 	      compare = -2;
+ 	      if (ctrl & PAM_DEBUG_ARG) {
+-		pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
++		if (cryptpw)
++		  pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
++		else
++		  pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
+ 	      }
+ 	    };
+ 
+-- 
+2.4.0
+
diff --git a/sys-libs/pam/files/pam-1.1.8-CVE-2014-2583.patch b/sys-libs/pam/files/pam-1.1.8-CVE-2014-2583.patch
new file mode 100644
index 000000000000..7a8971dbe652
--- /dev/null
+++ b/sys-libs/pam/files/pam-1.1.8-CVE-2014-2583.patch
@@ -0,0 +1,56 @@
+From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Wed, 26 Mar 2014 22:17:23 +0000
+Subject: [PATCH] pam_timestamp: fix potential directory traversal issue
+ (ticket #27)
+
+pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
+the timestamp pathname it creates, so extra care should be taken to
+avoid potential directory traversal issues.
+
+* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
+"." and ".." tty values as invalid.
+(get_ruser): Treat "." and ".." ruser values, as well as any ruser
+value containing '/', as invalid.
+
+Fixes CVE-2014-2583.
+
+Reported-by: Sebastian Krahmer <krahmer@suse.de>
+---
+ modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
+index 5193733..b3f08b1 100644
+--- a/modules/pam_timestamp/pam_timestamp.c
++++ b/modules/pam_timestamp/pam_timestamp.c
+@@ -158,7 +158,7 @@ check_tty(const char *tty)
+ 		tty = strrchr(tty, '/') + 1;
+ 	}
+ 	/* Make sure the tty wasn't actually a directory (no basename). */
+-	if (strlen(tty) == 0) {
++	if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
+ 		return NULL;
+ 	}
+ 	return tty;
+@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
+ 		if (pwd != NULL) {
+ 			ruser = pwd->pw_name;
+ 		}
++	} else {
++		/*
++		 * This ruser is used by format_timestamp_name as a component
++		 * of constructed timestamp pathname, so ".", "..", and '/'
++		 * are disallowed to avoid potential path traversal issues.
++		 */
++		if (!strcmp(ruser, ".") ||
++		    !strcmp(ruser, "..") ||
++		    strchr(ruser, '/')) {
++			ruser = NULL;
++		}
+ 	}
+ 	if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
+ 		*ruserbuf = '\0';
+-- 
+2.4.0
+
diff --git a/sys-libs/pam/pam-1.1.8-r3.ebuild b/sys-libs/pam/pam-1.1.8-r3.ebuild
new file mode 100644
index 000000000000..c471ad92ea03
--- /dev/null
+++ b/sys-libs/pam/pam-1.1.8-r3.ebuild
@@ -0,0 +1,195 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/pam/pam-1.1.8-r3.ebuild,v 1.1 2015/05/17 03:17:27 vapier Exp $
+
+EAPI=5
+
+inherit libtool multilib multilib-minimal eutils pam toolchain-funcs flag-o-matic db-use
+
+MY_PN="Linux-PAM"
+MY_P="${MY_PN}-${PV}"
+
+HOMEPAGE="https://fedorahosted.org/linux-pam/"
+DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)"
+SRC_URI="http://www.linux-pam.org/library/${MY_P}.tar.bz2
+	http://www.linux-pam.org/documentation/${MY_P}-docs.tar.bz2"
+
+LICENSE="|| ( BSD GPL-2 )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~ia64-linux ~x86-linux"
+IUSE="audit berkdb cracklib debug nis nls +pie selinux test vim-syntax"
+
+RDEPEND="nls? ( >=virtual/libintl-0-r1[${MULTILIB_USEDEP}] )
+	cracklib? ( >=sys-libs/cracklib-2.9.1-r1[${MULTILIB_USEDEP}] )
+	audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] )
+	selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] )
+	berkdb? ( >=sys-libs/db-4.8.30-r1[${MULTILIB_USEDEP}] )
+	nis? ( >=net-libs/libtirpc-0.2.4-r2[${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+	>=sys-devel/libtool-2
+	>=sys-devel/flex-2.5.39-r1[${MULTILIB_USEDEP}]
+	nls? ( sys-devel/gettext )
+	>=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]"
+PDEPEND="sys-auth/pambase
+	vim-syntax? ( app-vim/pam-syntax )"
+RDEPEND="${RDEPEND}
+	!<sys-apps/openrc-0.11.8
+	!sys-auth/openpam
+	!sys-auth/pam_userdb
+	abi_x86_32? (
+		!<=app-emulation/emul-linux-x86-baselibs-20140508-r7
+		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+	)"
+
+S="${WORKDIR}/${MY_P}"
+
+check_old_modules() {
+	local retval="0"
+
+	if sed -e 's:#.*::' "${EROOT}"/etc/pam.d/* 2>/dev/null | fgrep -q pam_stack.so; then
+		eerror ""
+		eerror "Your current setup is using the pam_stack module."
+		eerror "This module is deprecated and no longer supported, and since version"
+		eerror "0.99 is no longer installed, nor provided by any other package."
+		eerror "The package will be built (to allow binary package builds), but will"
+		eerror "not be installed."
+		eerror "Please replace pam_stack usage with proper include directive usage,"
+		eerror "following the PAM Upgrade guide at the following URL"
+		eerror "  http://www.gentoo.org/proj/en/base/pam/upgrade-0.99.xml"
+		eerror ""
+
+		retval=1
+	fi
+
+	if sed -e 's:#.*::' "${EROOT}"/etc/pam.d/* 2>/dev/null | egrep -q 'pam_(pwdb|console)'; then
+		eerror ""
+		eerror "Your current setup is using one or more of the following modules,"
+		eerror "that are not built or supported anymore:"
+		eerror "pam_pwdb, pam_console"
+		eerror "If you are in real need for these modules, please contact the maintainers"
+		eerror "of PAM through http://bugs.gentoo.org/ providing information about its"
+		eerror "use cases."
+		eerror "Please also make sure to read the PAM Upgrade guide at the following URL:"
+		eerror "  http://www.gentoo.org/proj/en/base/pam/upgrade-0.99.xml"
+		eerror ""
+
+		retval=1
+	fi
+
+	return ${retval}
+}
+
+pkg_pretend() {
+	# do not error out, this is just a warning, one could build a binpkg
+	# with old modules enabled.
+	check_old_modules
+}
+
+src_prepare() {
+	epatch "${FILESDIR}"/${PN}-1.1.8-doc-install.patch #473650
+	epatch "${FILESDIR}"/${PN}-1.1.8-CVE-2013-7041.patch #493432
+	epatch "${FILESDIR}"/${PN}-1.1.8-CVE-2014-2583.patch #505604
+
+	elibtoolize
+}
+
+multilib_src_configure() {
+	# Disable automatic detection of libxcrypt; we _don't_ want the
+	# user to link libxcrypt in by default, since we won't track the
+	# dependency and allow to break PAM this way.
+	export ac_cv_header_xcrypt_h=no
+
+	local myconf=(
+		--docdir='$(datarootdir)'/doc/${PF}
+		--htmldir='$(docdir)/html'
+		--libdir='$(prefix)'/$(get_libdir)
+		--enable-securedir="${EPREFIX}"/$(get_libdir)/security
+		--enable-isadir='.' #464016
+		$(use_enable nls)
+		$(use_enable selinux)
+		$(use_enable cracklib)
+		$(use_enable audit)
+		$(use_enable debug)
+		$(use_enable berkdb db)
+		$(use_enable nis)
+		$(use_enable pie)
+		--with-db-uniquename=-$(db_findver sys-libs/db)
+		--disable-prelude
+	)
+
+	ECONF_SOURCE=${S} \
+	econf "${myconf[@]}"
+}
+
+multilib_src_compile() {
+	emake sepermitlockdir="${EPREFIX}/run/sepermit"
+}
+
+multilib_src_install() {
+	emake DESTDIR="${D}" install \
+		sepermitlockdir="${EPREFIX}/run/sepermit"
+
+	local prefix
+	if multilib_is_native_abi; then
+		prefix=
+		gen_usr_ldscript -a pam pamc pam_misc
+	else
+		prefix=/usr
+	fi
+
+	# create extra symlinks just in case something depends on them...
+	local lib
+	for lib in pam pamc pam_misc; do
+		if ! [[ -f "${ED}"${prefix}/$(get_libdir)/lib${lib}$(get_libname) ]]; then
+			dosym lib${lib}$(get_libname 0) ${prefix}/$(get_libdir)/lib${lib}$(get_libname)
+		fi
+	done
+}
+
+DOCS=( CHANGELOG ChangeLog README AUTHORS Copyright NEWS )
+
+multilib_src_install_all() {
+	einstalldocs
+	prune_libtool_files --all
+
+	# Need to be suid
+	fperms 4711 /sbin/unix_chkpwd
+
+	docinto modules
+	local dir
+	for dir in modules/pam_*; do
+		newdoc "${dir}"/README README."$(basename "${dir}")"
+	done
+
+	if use selinux; then
+		dodir /usr/lib/tmpfiles.d
+		cat - > "${D}"/usr/lib/tmpfiles.d/${CATEGORY}:${PN}:${SLOT}.conf <<EOF
+d /run/sepermit 0755 root root
+EOF
+	fi
+}
+
+pkg_preinst() {
+	check_old_modules || die "deprecated PAM modules still used"
+}
+
+pkg_postinst() {
+	ewarn "Some software with pre-loaded PAM libraries might experience"
+	ewarn "warnings or failures related to missing symbols and/or versions"
+	ewarn "after any update. While unfortunate this is a limit of the"
+	ewarn "implementation of PAM and the software, and it requires you to"
+	ewarn "restart the software manually after the update."
+	ewarn ""
+	ewarn "You can get a list of such software running a command like"
+	ewarn "  lsof / | egrep -i 'del.*libpam\\.so'"
+	ewarn ""
+	ewarn "Alternatively, simply reboot your system."
+	if [[ -x "${EROOT}"/var/log/tallylog ]] ; then
+		elog ""
+		elog "Because of a bug present up to version 1.1.1-r2, you have"
+		elog "an executable /var/log/tallylog file. You can safely"
+		elog "correct it by running the command"
+		elog "  chmod -x /var/log/tallylog"
+		elog ""
+	fi
+}