From 9c6260ee768c1c7f298dbf480e75b856eaa8ecbd Mon Sep 17 00:00:00 2001 From: hugel <2712504175@qq.com> Date: Fri, 29 Nov 2024 09:47:37 +0800 Subject: [PATCH] fix CVE-2024-10963 --- backport-CVE-2024-10963.patch | 228 ++++++++++++++++++ ...non-resolveable-hostname-a-debug-out.patch | 33 +++ pam.spec | 8 +- 3 files changed, 267 insertions(+), 2 deletions(-) create mode 100644 backport-CVE-2024-10963.patch create mode 100644 backport-pam_access-make-non-resolveable-hostname-a-debug-out.patch diff --git a/backport-CVE-2024-10963.patch b/backport-CVE-2024-10963.patch new file mode 100644 index 0000000..131847f --- /dev/null +++ b/backport-CVE-2024-10963.patch @@ -0,0 +1,228 @@ +From 940747f88c16e029b69a74e80a2e94f65cb3e628 Mon Sep 17 00:00:00 2001 +From: Thorsten Kukuk +Date: Thu, 14 Nov 2024 10:27:28 +0100 +Subject: [PATCH] pam_access: rework resolving of tokens as hostname + +Conflict:Context adaptation +Reference:https://github.com/linux-pam/linux-pam/commit/940747f88c16e029b69a74e80a2e94f65cb3e628 + +* modules/pam_access/pam_access.c: separate resolving of IP addresses + from hostnames. Don't resolve TTYs or display variables as hostname + (#834). + Add "nodns" option to disallow resolving of tokens as hostname. +* modules/pam_access/pam_access.8.xml: document nodns option +* modules/pam_access/access.conf.5.xml: document that hostnames should + be written as FQHN. +--- + modules/pam_access/access.conf.5.xml | 4 ++ + modules/pam_access/pam_access.8.xml | 46 ++++++++++++------ + modules/pam_access/pam_access.c | 72 +++++++++++++++++++++++++++- + 3 files changed, 105 insertions(+), 17 deletions(-) + +diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml +index 0b93db00..10b8ba92 100644 +--- a/modules/pam_access/access.conf.5.xml ++++ b/modules/pam_access/access.conf.5.xml +@@ -226,6 +226,10 @@ + item and the line will be most probably ignored. For this reason, it is not + recommended to put spaces around the ':' characters. + ++ ++ Hostnames should be written as Fully-Qualified Host Name (FQHN) to avoid ++ confusion with device names or PAM service names. ++ + + + +diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml +index c991d7a0..71a4f7ee 100644 +--- a/modules/pam_access/pam_access.8.xml ++++ b/modules/pam_access/pam_access.8.xml +@@ -25,11 +25,14 @@ + + debug + ++ ++ noaudit ++ + + nodefgroup + + +- noaudit ++ nodns + + + accessfile=file +@@ -112,6 +115,33 @@ + + + ++ ++ ++ nodefgroup ++ ++ ++ ++ User tokens which are not enclosed in parentheses will not be ++ matched against the group database. The backwards compatible default is ++ to try the group database match even for tokens not enclosed ++ in parentheses. ++ ++ ++ ++ ++ ++ ++ nodns ++ ++ ++ ++ Do not try to resolve tokens as hostnames, only IPv4 and IPv6 ++ addresses will be resolved. Which means to allow login from a ++ remote host, the IP addresses need to be specified in access.conf. ++ ++ ++ ++ + + + fieldsep=separators +@@ -153,20 +183,6 @@ + + + +- +- +- nodefgroup +- +- +- +- User tokens which are not enclosed in parentheses will not be +- matched against the group database. The backwards compatible default is +- to try the group database match even for tokens not enclosed +- in parentheses. +- +- +- +- + + + +diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c +index 48e7c7e9..109115e9 100644 +--- a/modules/pam_access/pam_access.c ++++ b/modules/pam_access/pam_access.c +@@ -92,6 +92,7 @@ struct login_info { + int debug; /* Print debugging messages. */ + int only_new_group_syntax; /* Only allow group entries of the form "(xyz)" */ + int noaudit; /* Do not audit denials */ ++ int nodns; /* Do not try to resolve tokens as hostnames */ + const char *fs; /* field separator */ + const char *sep; /* list-element separator */ + int from_remote_host; /* If PAM_RHOST was used for from */ +@@ -143,6 +144,8 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo, + loginfo->only_new_group_syntax = YES; + } else if (strcmp (argv[i], "noaudit") == 0) { + loginfo->noaudit = YES; ++ } else if (strcmp (argv[i], "nodns") == 0) { ++ loginfo->nodns = YES; + } else { + pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]); + } +@@ -637,7 +640,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item) + if ((str_len = strlen(string)) > tok_len + && strcasecmp(tok, string + str_len - tok_len) == 0) + return YES; +- } else if (tok[tok_len - 1] == '.') { /* internet network numbers (end with ".") */ ++ } else if (tok[tok_len - 1] == '.') { /* internet network numbers/subnet (end with ".") */ + struct addrinfo hint; + + memset (&hint, '\0', sizeof (hint)); +@@ -712,6 +715,39 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string, + } + + ++static int ++is_device (pam_handle_t *pamh, const char *tok) ++{ ++ struct stat st; ++ const char *dev = "/dev/"; ++ char *devname; ++ ++ devname = malloc (strlen(dev) + strlen (tok) + 1); ++ if (devname == NULL) { ++ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory for device name: %m"); ++ /* ++ * We should return an error and abort, but pam_access has no good ++ * error handling. ++ */ ++ return NO; ++ } ++ ++ char *cp = stpcpy (devname, dev); ++ strcpy (cp, tok); ++ ++ if (lstat(devname, &st) != 0) ++ { ++ free (devname); ++ return NO; ++ } ++ free (devname); ++ ++ if (S_ISCHR(st.st_mode)) ++ return YES; ++ ++ return NO; ++} ++ + /* network_netmask_match - match a string against one token + * where string is a hostname or ip (v4,v6) address and tok + * represents either a hostname, a single ip (v4,v6) address +@@ -773,10 +809,42 @@ network_netmask_match (pam_handle_t *pamh, + return NO; + } + } ++ else if (isipaddr(tok, NULL, NULL) == YES) ++ { ++ if (getaddrinfo (tok, NULL, NULL, &ai) != 0) ++ { ++ if (item->debug) ++ pam_syslog(pamh, LOG_DEBUG, "cannot resolve IP address \"%s\"", tok); ++ ++ return NO; ++ } ++ netmask_ptr = NULL; ++ } ++ else if (item->nodns) ++ { ++ /* Only hostnames are left, which we would need to resolve via DNS */ ++ return NO; ++ } + else + { ++ /* Bail out on X11 Display entries and ttys. */ ++ if (tok[0] == ':') ++ { ++ if (item->debug) ++ pam_syslog (pamh, LOG_DEBUG, ++ "network_netmask_match: tok=%s is X11 display", tok); ++ return NO; ++ } ++ if (is_device (pamh, tok)) ++ { ++ if (item->debug) ++ pam_syslog (pamh, LOG_DEBUG, ++ "network_netmask_match: tok=%s is a TTY", tok); ++ return NO; ++ } ++ + /* +- * It is either an IP address or a hostname. ++ * It is most likely a hostname. + * Let getaddrinfo sort everything out + */ + if (getaddrinfo (tok, NULL, NULL, &ai) != 0) +-- +2.33.0 + diff --git a/backport-pam_access-make-non-resolveable-hostname-a-debug-out.patch b/backport-pam_access-make-non-resolveable-hostname-a-debug-out.patch new file mode 100644 index 0000000..e3e2e8b --- /dev/null +++ b/backport-pam_access-make-non-resolveable-hostname-a-debug-out.patch @@ -0,0 +1,33 @@ +From 741acf4ff707d53b94947736a01eeeda5e2c7e98 Mon Sep 17 00:00:00 2001 +From: Thorsten Kukuk +Date: Fri, 4 Aug 2023 15:46:16 +0200 +Subject: [PATCH] pam_access: make non-resolveable hostname a debug output + (#590) + +Conflict:NA +Reference:https://github.com/linux-pam/linux-pam/commit/741acf4ff707d53b94947736a01eeeda5e2c7e98 + +* modules/pam_access/pam_access.c (network_netmask_match): Don't print +an error if a string is not resolveable, only a debug message in debug +mode. We even don't know if that entry is for remote logins or not. +--- + modules/pam_access/pam_access.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c +index f70b7e49..985dc7de 100644 +--- a/modules/pam_access/pam_access.c ++++ b/modules/pam_access/pam_access.c +@@ -876,7 +876,8 @@ network_netmask_match (pam_handle_t *pamh, + */ + if (getaddrinfo (tok, NULL, NULL, &ai) != 0) + { +- pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok); ++ if (item->debug) ++ pam_syslog(pamh, LOG_DEBUG, "cannot resolve hostname \"%s\"", tok); + + return NO; + } +-- +2.33.0 + diff --git a/pam.spec b/pam.spec index 9105b7a..0931d65 100644 --- a/pam.spec +++ b/pam.spec @@ -4,7 +4,7 @@ %define _pamconfdir %{_sysconfdir}/pam.d Name: pam Version: 1.5.3 -Release: 6 +Release: 7 Summary: Pluggable Authentication Modules for Linux License: BSD-3-Clause AND GPL-2.0-or-later URL: http://www.linux-pam.org/ @@ -24,7 +24,8 @@ Patch2: backport-CVE-2024-22365-pam_namespace-protect_dir-use-O_DIRECTORY-to-pre Patch3: backport-pam_pwhistory-fix-passing-NULL-filename-argument-to-pwhistory-helper.patch Patch4: backport-pam_shells-Plug-econf-memory-leak.patch Patch5: backport-pam_selinux-fix-formatting-of-audit-messages.patch - +Patch6: backport-pam_access-make-non-resolveable-hostname-a-debug-out.patch +Patch7: backport-CVE-2024-10963.patch Patch9000:change-ndbm-to-gdbm.patch Patch9001:add-sm3-crypt-support.patch @@ -164,6 +165,9 @@ rm -fr $RPM_BUILD_ROOT/usr/share/doc/pam %changelog +* Fri Nov 29 2024 hugel - 1.5.3-7 +- fix CVE-2024-10963 + * Sat Aug 10 2024 Funda Wang - 1.5.3-6 - cleanup spec -- Gitee