diff --git a/SOURCES/nss-pam-ldapd-0.8.13-Fix-use-after-free-in-read_hostent-and-read_netent.patch b/SOURCES/nss-pam-ldapd-0.8.13-Fix-use-after-free-in-read_hostent-and-read_netent.patch
new file mode 100644
index 0000000..c775131
--- /dev/null
+++ b/SOURCES/nss-pam-ldapd-0.8.13-Fix-use-after-free-in-read_hostent-and-read_netent.patch
@@ -0,0 +1,46 @@
+From e34fccc883e1fb6e7c0e1663e11ff9f96191971f Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik
+Date: Mon, 27 Jan 2014 17:04:32 +0100
+Subject: [PATCH 1/2] Fix use after free in read_hostent and read_netent.
+
+if NSS_STATUS_TRYAGAIN is returned from read_one_hostent or
+read_one_netent function tio_skipall will be called with NULL pointer
+It could happend in functions:
+ _nss_ldap_getnetbyname_r
+ _nss_ldap_getnetbyaddr_r
+ _nss_ldap_gethostbyname2_r
+ _nss_ldap_gethostbyaddr_r
+---
+ nss/hosts.c | 2 --
+ nss/networks.c | 2 --
+ 2 files changed, 4 deletions(-)
+
+diff --git a/nss/hosts.c b/nss/hosts.c
+index 86b6a77..0e7027e 100644
+--- a/nss/hosts.c
++++ b/nss/hosts.c
+@@ -51,8 +51,6 @@
+
+ #undef ERROR_OUT_BUFERROR
+ #define ERROR_OUT_BUFERROR(fp) \
+- (void)tio_close(fp); \
+- fp=NULL; \
+ *errnop=ERANGE; \
+ *h_errnop=TRY_AGAIN; \
+ return NSS_STATUS_TRYAGAIN;
+diff --git a/nss/networks.c b/nss/networks.c
+index 859ef0e..1403b45 100644
+--- a/nss/networks.c
++++ b/nss/networks.c
+@@ -51,8 +51,6 @@
+
+ #undef ERROR_OUT_BUFERROR
+ #define ERROR_OUT_BUFERROR(fp) \
+- (void)tio_close(fp); \
+- fp=NULL; \
+ *errnop=ERANGE; \
+ *h_errnop=TRY_AGAIN; \
+ return NSS_STATUS_TRYAGAIN;
+--
+1.8.5.3
+
diff --git a/SOURCES/nss-pam-ldapd-0.8.13-Use-right-h_errnop-for-retrying-with-larger-buffer.patch b/SOURCES/nss-pam-ldapd-0.8.13-Use-right-h_errnop-for-retrying-with-larger-buffer.patch
new file mode 100644
index 0000000..82b7c47
--- /dev/null
+++ b/SOURCES/nss-pam-ldapd-0.8.13-Use-right-h_errnop-for-retrying-with-larger-buffer.patch
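Review bot: After this patch ERROR_OUT_BUFERROR(fp) in nss/hosts.c and nss/networks.c no longer touches its `fp` argument, so the stream stays open on the NSS_STATUS_TRYAGAIN path and nothing beside the macro records who is now expected to close it. The removed `fp=NULL;` presumably cleared only a local copy (the callers are outside the hunk), which would leave the caller holding a closed stream rather than a NULL one as the description words it. I would add a comment above both definitions, for example `/* fp is left open here: the caller still uses it (tio_skipall) after NSS_STATUS_TRYAGAIN */`, so the close is not reintroduced later. The macro also remains a bare statement sequence ending in `return`, so it is only safe where it expands inside braces; its use sites are not visible here.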
@@ -0,0 +1,41 @@
+From ec86b3d715ae9583288b12686a0552586caa6270 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik
+Date: Mon, 27 Jan 2014 17:17:33 +0100
+Subject: [PATCH 2/2] Use right h_errnop for retrying with larger buffer.
+
+The libc nsswitch code expects h_errno to be set to NETDB_INTERNAL when
+it needs to try again with a larger buffer.
+---
+ nss/hosts.c | 2 +-
+ nss/networks.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/nss/hosts.c b/nss/hosts.c
+index 0e7027e..2bf4c86 100644
+--- a/nss/hosts.c
++++ b/nss/hosts.c
+@@ -52,7 +52,7 @@
+ #undef ERROR_OUT_BUFERROR
+ #define ERROR_OUT_BUFERROR(fp) \
+ *errnop=ERANGE; \
+- *h_errnop=TRY_AGAIN; \
++ *h_errnop=NETDB_INTERNAL; \
+ return NSS_STATUS_TRYAGAIN;
+
+ #undef ERROR_OUT_WRITEERROR
+diff --git a/nss/networks.c b/nss/networks.c
+index 1403b45..f3cb269 100644
+--- a/nss/networks.c
++++ b/nss/networks.c
+@@ -52,7 +52,7 @@
+ #undef ERROR_OUT_BUFERROR
+ #define ERROR_OUT_BUFERROR(fp) \
+ *errnop=ERANGE; \
+- *h_errnop=TRY_AGAIN; \
++ *h_errnop=NETDB_INTERNAL; \
+ return NSS_STATUS_TRYAGAIN;
+
+ #undef ERROR_OUT_WRITEERROR
+--
+1.8.5.3
+
diff --git a/SOURCES/nss-pam-ldapd-rh-msgs-in-tests.patch b/SOURCES/nss-pam-ldapd-rh-msgs-in-tests.patch
new file mode 100644
index 0000000..7a014f3
--- /dev/null
+++ b/SOURCES/nss-pam-ldapd-rh-msgs-in-tests.patch
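Review bot: Nothing next to ERROR_OUT_BUFERROR in nss/hosts.c or nss/networks.c says why `*h_errnop` has to be NETDB_INTERNAL rather than TRY_AGAIN, and the reason lives only in the commit message, so a later cleanup could easily revert it. A one-line comment above each definition would keep it with the code: `/* libc retries with a larger buffer on ERANGE only when h_errno is NETDB_INTERNAL */`. The macro is now identical in both files, so a single shared definition would stop the two copies drifting apart; whether a common header is available is not visible in these hunks.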
@@ -0,0 +1,30 @@ +diff -up nss-pam-ldapd-0.8.13/tests/test_pamcmds.expect.rh_test_msgs nss-pam-ldapd-0.8.13/tests/test_pamcmds.expect +--- nss-pam-ldapd-0.8.13/tests/test_pamcmds.expect.rh_test_msgs 2014-01-20 15:32:33.253018468 +0100 ++++ nss-pam-ldapd-0.8.13/tests/test_pamcmds.expect 2014-01-20 15:38:00.452957296 +0100 +@@ -40,7 +40,7 @@ proc reset_password {} { + expect { + "LDAP administrator password" { send "test\r"; exp_continue } + -regexp "(New|Retype new) password:" { send "test\r"; exp_continue } +- "password updated successfully" {} ++ "passwd: all authentication tokens updated successfully" {} + "Invalid credentials" abort + "Authentication token manipulation error" abort + default abort +@@ -114,7 +114,7 @@ proc test_login_unknown {uid passwd} { + expect { + "Password:" { send "$passwd\r"; exp_continue } + "Unknown id" {} +- "No passwd entry for user" {} ++ "su: user $uid does not exist" {} + "\$ " abort + default abort + } +@@ -156,7 +156,7 @@ expect { + } + expect { + -regexp "(New|Retype new) password:" { send "newpassword\r"; exp_continue } +- "password updated successfully" {} ++ "passwd: all authentication tokens updated successfully" {} + "Invalid credentials" abort + "Authentication token manipulation error" abort + "\$ " abort diff --git a/SPECS/nss-pam-ldapd.spec b/SPECS/nss-pam-ldapd.spec index 485b826..72aa77f 100644 --- a/SPECS/nss-pam-ldapd.spec +++ b/SPECS/nss-pam-ldapd.spec @@ -39,7 +39,7 @@ Name: nss-pam-ldapd Version: 0.8.13 -Release: 4%{?dist} +Release: 8%{?dist} Summary: An nsswitch module which uses directory servers Group: System Environment/Base License: LGPLv2+ 
@@ -54,6 +54,10 @@ Patch2: nss-pam-ldapd-0.8.12-In-nslcd-log-EPIPE-only-on-debug-level.patc Patch3: nss-pam-ldapd-0.8.12-uid-overflow.patch Patch4: nss-pam-ldapd-0.8.12-Use-a-timeout-when-skipping-remaining-result-data.patch Patch5: nss-pam-ldapd-0.8.12-fix-buffer-overflow-on-interrupted-read-thanks-John-.patch +Patch6: nss-pam-ldapd-rh-msgs-in-tests.patch +Patch7: nss-pam-ldapd-0.8.13-Fix-use-after-free-in-read_hostent-and-read_netent.patch +Patch8: nss-pam-ldapd-0.8.13-Use-right-h_errnop-for-retrying-with-larger-buffer.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: openldap-devel, krb5-devel BuildRequires: autoconf, automake @@ -105,6 +109,9 @@ nsswitch module. %patch3 -p1 -b .overflow %patch4 -p1 -b .skiptimeout %patch5 -p1 -b .readall +%patch6 -p1 -b .test_msgs +%patch7 -p1 -b .use_after_free +%patch8 -p1 -b .errnop_val autoreconf -f -i %build @@ -341,6 +348,21 @@ exit 0 %endif %changelog +* Wed Jan 29 2014 Jakub Hrozek 0.8.13-8 +- Fix a potential use-after-free in nsswitch module +- Resolves: rhbz#1036030 - New defect found in nss-pam-ldapd-0.8.13-4.el7 + +* Fri Jan 24 2014 Daniel Mach - 0.8.13-7 +- Mass rebuild 2014-01-24 + +* Mon Jan 20 2014 Jakub Hrozek 0.8.13-6 +- Change the error messages the tests expect to those printed on RH based + systems +- Resolves: rhbz#1044482 + +* Fri Dec 27 2013 Daniel Mach - 0.8.13-5 +- Mass rebuild 2013-12-27 + * Fri Oct 18 2013 Nalin Dahyabhai 0.8.13-4 - compile nslcd/log.c with -fPIC instead of the current hardened-build default of -fPIE, which doesn't seem to avoid relocations for its thread-local