From e48fc16f8518dfd888db337f2842bd8e59311b60 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Aug 18 2015 13:39:28 +0000
Subject: import pam-1.1.8-12.el7_1.1


---

diff --git a/SOURCES/pam-1.1.8-cve-2015-3238.patch b/SOURCES/pam-1.1.8-cve-2015-3238.patch
new file mode 100644
index 0000000..24179d6
--- /dev/null
+++ b/SOURCES/pam-1.1.8-cve-2015-3238.patch
@@ -0,0 +1,130 @@
+diff -up linux-pam/modules/pam_exec/pam_exec.c.password-limit linux-pam/modules/pam_exec/pam_exec.c
+--- linux-pam/modules/pam_exec/pam_exec.c.password-limit	2014-08-26 14:02:19.000000000 +0200
++++ linux-pam/modules/pam_exec/pam_exec.c	2015-06-11 16:10:13.938035623 +0200
+@@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_han
+ 		}
+ 
+ 	      pam_set_item (pamh, PAM_AUTHTOK, resp);
+-	      authtok = strdupa (resp);
++	      authtok = strndupa (resp, PAM_MAX_RESP_SIZE);
+ 	      _pam_drop (resp);
+ 	    }
+ 	  else
+-	    authtok = void_pass;
++	    authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE);
+ 
+ 	  if (pipe(fds) != 0)
+ 	    {
+diff -up linux-pam/modules/pam_exec/pam_exec.8.xml.password-limit linux-pam/modules/pam_exec/pam_exec.8.xml
+--- linux-pam/modules/pam_exec/pam_exec.8.xml.password-limit	2013-09-11 13:59:00.072175034 +0200
++++ linux-pam/modules/pam_exec/pam_exec.8.xml	2015-06-11 16:09:06.446512718 +0200
+@@ -106,7 +106,8 @@
+               During authentication the calling command can read
+               the password from <citerefentry>
+               <refentrytitle>stdin</refentrytitle><manvolnum>3</manvolnum>
+-              </citerefentry>.
++              </citerefentry>. Only first <emphasis>PAM_MAX_RESP_SIZE</emphasis>
++              bytes of a password are provided to the command.
+             </para>
+           </listitem>
+         </varlistentry>
+diff -up linux-pam/modules/pam_unix/pam_unix_passwd.c.password-limit linux-pam/modules/pam_unix/pam_unix_passwd.c
+--- linux-pam/modules/pam_unix/pam_unix_passwd.c.password-limit	2014-06-19 13:50:08.000000000 +0200
++++ linux-pam/modules/pam_unix/pam_unix_passwd.c	2015-06-11 16:34:02.226260435 +0200
+@@ -240,15 +240,22 @@ static int _unix_run_update_binary(pam_h
+ 	/* wait for child */
+ 	/* if the stored password is NULL */
+         int rc=0;
+-	if (fromwhat)
+-	  pam_modutil_write(fds[1], fromwhat, strlen(fromwhat)+1);
+-	else
+-	  pam_modutil_write(fds[1], "", 1);
+-	if (towhat) {
+-	  pam_modutil_write(fds[1], towhat, strlen(towhat)+1);
++	if (fromwhat) {
++	    int len = strlen(fromwhat);
++
++	    if (len > PAM_MAX_RESP_SIZE)
++	      len = PAM_MAX_RESP_SIZE;
++	    pam_modutil_write(fds[1], fromwhat, len);
+ 	}
+-	else
+-	  pam_modutil_write(fds[1], "", 1);
++        pam_modutil_write(fds[1], "", 1);
++	if (towhat) {
++	    int len = strlen(towhat);
++
++	    if (len > PAM_MAX_RESP_SIZE)
++	      len = PAM_MAX_RESP_SIZE;
++	    pam_modutil_write(fds[1], towhat, len);
++        }
++        pam_modutil_write(fds[1], "", 1);
+ 
+ 	close(fds[0]);       /* close here to avoid possible SIGPIPE above */
+ 	close(fds[1]);
+diff -up linux-pam/modules/pam_unix/pam_unix.8.xml.password-limit linux-pam/modules/pam_unix/pam_unix.8.xml
+--- linux-pam/modules/pam_unix/pam_unix.8.xml.password-limit	2015-06-11 15:46:55.000000000 +0200
++++ linux-pam/modules/pam_unix/pam_unix.8.xml	2015-06-11 16:38:42.628587102 +0200
+@@ -80,6 +80,13 @@
+     </para>
+ 
+     <para>
++      The maximum length of a password supported by the pam_unix module
++      via the helper binary is <emphasis>PAM_MAX_RESP_SIZE</emphasis>
++      - currently 512 bytes. The rest of the password provided by the
++      conversation function to the module will be ignored.
++    </para>
++
++    <para>
+       The password component of this module performs the task of updating
+       the user's password. The default encryption hash is taken from the
+       <emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from
+diff -up linux-pam/modules/pam_unix/passverify.c.password-limit linux-pam/modules/pam_unix/passverify.c
+--- linux-pam/modules/pam_unix/passverify.c.password-limit	2015-04-07 10:23:50.000000000 +0200
++++ linux-pam/modules/pam_unix/passverify.c	2015-06-15 10:53:32.903900010 +0200
+@@ -1115,12 +1115,15 @@ getuidname(uid_t uid)
+ int
+ read_passwords(int fd, int npass, char **passwords)
+ {
++        /* The passwords array must contain npass preallocated
++         * buffers of length MAXPASS + 1
++         */
+         int rbytes = 0;
+         int offset = 0;
+         int i = 0;
+         char *pptr;
+         while (npass > 0) {
+-                rbytes = read(fd, passwords[i]+offset, MAXPASS-offset);
++                rbytes = read(fd, passwords[i]+offset, MAXPASS+1-offset);
+ 
+                 if (rbytes < 0) {
+                         if (errno == EINTR) continue;
+diff -up linux-pam/modules/pam_unix/passverify.h.password-limit linux-pam/modules/pam_unix/passverify.h
+--- linux-pam/modules/pam_unix/passverify.h.password-limit	2011-03-21 21:59:22.000000000 +0100
++++ linux-pam/modules/pam_unix/passverify.h	2015-06-11 16:26:27.184994387 +0200
+@@ -8,7 +8,7 @@
+ 
+ #define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT
+ 
+-#define MAXPASS		200	/* the maximum length of a password */
++#define MAXPASS PAM_MAX_RESP_SIZE  /* the maximum length of a password */
+ 
+ #define OLD_PASSWORDS_FILE      "/etc/security/opasswd"
+ 
+diff -up linux-pam/modules/pam_unix/support.c.password-limit linux-pam/modules/pam_unix/support.c
+--- linux-pam/modules/pam_unix/support.c.password-limit	2014-01-27 18:08:28.000000000 +0100
++++ linux-pam/modules/pam_unix/support.c	2015-06-11 16:30:35.452595477 +0200
+@@ -609,7 +609,12 @@ static int _unix_run_helper_binary(pam_h
+ 	/* if the stored password is NULL */
+         int rc=0;
+ 	if (passwd != NULL) {            /* send the password to the child */
+-	    if (write(fds[1], passwd, strlen(passwd)+1) == -1) {
++	    int len = strlen(passwd);
++
++	    if (len > PAM_MAX_RESP_SIZE)
++	      len = PAM_MAX_RESP_SIZE;
++	    if (write(fds[1], passwd, len) == -1 ||
++	        write(fds[1], "", 1) == -1) {
+ 	      pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m");
+ 	      retval = PAM_AUTH_ERR;
+ 	    }
diff --git a/SPECS/pam.spec b/SPECS/pam.spec
index 58f87b8..f6f1c57 100644
--- a/SPECS/pam.spec
+++ b/SPECS/pam.spec
@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.1.8
-Release: 12%{?dist}
+Release: 12%{?dist}.1
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -55,6 +55,7 @@ Patch40: pam-1.1.8-man-dbsuffix.patch
 Patch41: pam-1.1.8-limits-check-process.patch
 Patch42: pam-1.1.8-limits-docfix.patch
 Patch43: pam-1.1.8-audit-user-mgmt.patch
+Patch44: pam-1.1.8-cve-2015-3238.patch
 
 %define _pamlibdir %{_libdir}
 %define _moduledir %{_libdir}/security
@@ -143,6 +144,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules
 %patch41 -p1 -b .check-process
 %patch42 -p1 -b .docfix
 %patch43 -p1 -b .audit-user-mgmt
+%patch44 -p1 -b .password-limit
 
 %build
 autoreconf -i
@@ -391,6 +393,9 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Tue Aug  4 2015 Tomáš Mráz <tmraz@redhat.com> 1.1.8-12.1
+- fix CVE-2015-3238 - DoS due to blocking pipe with very long password
+
 * Fri Oct 17 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-12
 - use USER_MGMT type for auditing in the pam_tally2 and faillock
   apps (#1151576)