From e9460e6d11135b1ba14521bbb73c4d4d0c58a02c Mon Sep 17 00:00:00 2001 From: bizhiyuan Date: Thu, 19 Oct 2023 18:00:22 +0800 Subject: [PATCH] Fix CVE-2022-1049 --- Fix-CVE-2022-1049.patch | 56 +++++++++++++++++++++++++++++++++++++++++ pcs.spec | 6 ++++- 2 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 Fix-CVE-2022-1049.patch diff --git a/Fix-CVE-2022-1049.patch b/Fix-CVE-2022-1049.patch new file mode 100644 index 0000000..f17e146 --- /dev/null +++ b/Fix-CVE-2022-1049.patch @@ -0,0 +1,56 @@ +From 32d90eab80ee957350c4c218ecf7ed5ac7efc7d0 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Thu, 19 Oct 2023 16:54:43 +0800 +Subject: [PATCH] FIX CVE-2022-1049 + +--- + CHANGELOG.md | 4 +++- + pcs/daemon/auth.py | 3 +++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/CHANGELOG.md b/CHANGELOG.md +index 7949064..c6007ac 100644 +--- a/CHANGELOG.md ++++ b/CHANGELOG.md +@@ -17,7 +17,8 @@ + cluster cib-upgrade` manually is not needed ([rhbz#2022463]) + - Fix displaying differences between configuration checkpoints in + `pcs config checkpoint diff` command ([rhbz#2175881]) +- ++- Pcs daemon was allowing expired accounts, and accounts with expired ++ passwords to login when using PAM auth. ([huntr#220307]) + + [ghissue#441]: https://github.com/ClusterLabs/pcs/issues/441 + [ghpull#431]: https://github.com/ClusterLabs/pcs/pull/431 +@@ -28,6 +29,7 @@ + [rhbz#2033248]: https://bugzilla.redhat.com/show_bug.cgi?id=2033248 + [rhbz#2036633]: https://bugzilla.redhat.com/show_bug.cgi?id=2036633 + [rhbz#2175881]: https://bugzilla.redhat.com/show_bug.cgi?id=2175881 ++[huntr#220307]: https://huntr.dev/bounties/7aa921fc-a568-4fd8-96f4-7cd826246aa5/ + + ## [0.11.1] - 2021-11-30 + +diff --git a/pcs/daemon/auth.py b/pcs/daemon/auth.py +index 592aa63..1ae2ed2 100644 +--- a/pcs/daemon/auth.py ++++ b/pcs/daemon/auth.py +@@ -52,6 +52,7 @@ libpam = CDLL(find_library("pam")) + strdup = prep_fn(libc.strdup, POINTER(c_char), [c_char_p]) + calloc = prep_fn(libc.calloc, c_void_p, [c_uint, c_uint]) + pam_authenticate = prep_fn(libpam.pam_authenticate, c_int, [pam_handle, c_int]) ++pam_acct_mgmt = prep_fn(libpam.pam_acct_mgmt, c_int, [pam_handle, c_int]) + pam_end = prep_fn(libpam.pam_end, c_int, [pam_handle, c_int]) + pam_start = prep_fn( + libpam.pam_start, +@@ -90,6 +91,8 @@ def authenticate_by_pam(username, password): + ) + if returncode == PAM_SUCCESS: + returncode = pam_authenticate(pamh, 0) ++ if returncode == PAM_SUCCESS: ++ returncode = pam_acct_mgmt(pamh, 0) + pam_end(pamh, returncode) + return returncode == PAM_SUCCESS + +-- +2.27.0 + diff --git a/pcs.spec b/pcs.spec index 50ce3bb..f9cbd55 100644 --- a/pcs.spec +++ b/pcs.spec @@ -1,6 +1,6 @@ Name: pcs Version: 0.11.2 -Release: 6 +Release: 7 License: GPLv2 and BSD-2-Clause and ASL 2.0 and MIT URL: https://github.com/ClusterLabs/pcs Summary: Pacemaker Configuration System @@ -46,6 +46,7 @@ Patch6: fix-pcs-config-checkpoint-diff-command.patch #https://github.com/ClusterLabs/pcs/pull/522 Patch7: fix-pcs-quorum-device-remove.patch Patch8: tests-fix-datetime-race-condition.patch +Patch9: Fix-CVE-2022-1049.patch # git for patches BuildRequires: git-core @@ -409,6 +410,9 @@ run_all_tests %license pyagentx_LICENSE.txt %changelog +* Thu Oct 19 2023 bizhiyuan - 0.11.2-7 +- Fix CVE-2022-1049 + * Wed Sep 06 2023 bizhiyuan - 0.11.2-6 - fix datetime race condition -- Gitee