diff -Nru pam-1.4.0/debian/changelog pam-1.4.0/debian/changelog
--- pam-1.4.0/debian/changelog 2023-01-24 11:37:01.000000000 +0000
+++ pam-1.4.0/debian/changelog 2023-02-02 09:21:46.000000000 +0000
@@ -1,3 +1,12 @@
+pam (1.4.0-11ubuntu2.3) jammy-security; urgency=medium
+
+ * SECURITY REGRESSION: fix CVE-2022-28321 patch location
+ - debian/patches-applied/CVE-2022-28321.patch: pam_access: handle
+ hostnames in access.conf
+ - CVE-2022-28321
+
+ -- Nishit Majithia Thu, 02 Feb 2023 14:51:46 +0530
+
 pam (1.4.0-11ubuntu2.1) jammy-security; urgency=medium
 * SECURITY UPDATE: authentication bypass vulnerability
diff -Nru pam-1.4.0/debian/patches/CVE-2022-28321.patch pam-1.4.0/debian/patches/CVE-2022-28321.patch
--- pam-1.4.0/debian/patches/CVE-2022-28321.patch 2023-01-24 11:28:49.000000000 +0000
+++ pam-1.4.0/debian/patches/CVE-2022-28321.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,163 +0,0 @@
-Backport of d275f22cf28da287e93b5e5a1fdb8a68b2815982
- - function remote_match() doesn not exist, since the changes in
- function remote_match() is trivial, it is fine to ignore those
- changes
- - function string_match() does not exist, since the changes in function
- string_match() is trivial, it is fine to ignore those changes
- - Backport second hunk for function network_netmask_match()
-From d275f22cf28da287e93b5e5a1fdb8a68b2815982 Mon Sep 17 00:00:00 2001
-From: Thorsten Kukuk
-Date: Thu, 24 Feb 2022 10:37:32 +0100
-Subject: [PATCH] pam_access: handle hostnames in access.conf
-
-According to the manual page, the following entry is valid but does not
-work:
--:root:ALL EXCEPT localhost
-
-See https://bugzilla.suse.com/show_bug.cgi?id=1019866
-
-Patched is based on PR#226 from Josef Moellers
----
- modules/pam_access/pam_access.c | 95 ++++++++++++++++++++++++++-------
- 1 file changed, 76 insertions(+), 19 deletions(-)
-
---- pam-1.4.0.orig/modules/pam_access/pam_access.c
-+++ pam-1.4.0/modules/pam_access/pam_access.c
-@@ -711,10 +711,12 @@ network_netmask_match (pam_handle_t *pam
- char *netmask_ptr;
- char netmask_string[MAXHOSTNAMELEN + 1];
- int addr_type;
-+ struct addrinfo *ai = NULL;
-
- if (item->debug)
-- pam_syslog (pamh, LOG_DEBUG,
-+ pam_syslog (pamh, LOG_DEBUG,
- "network_netmask_match: tok=%s, item=%s", tok, string);
-+
- /* OK, check if tok is of type addr/mask */
- if ((netmask_ptr = strchr(tok, '/')) != NULL)
- {
-@@ -748,54 +750,108 @@ network_netmask_match (pam_handle_t *pam
- netmask_ptr = number_to_netmask(netmask, addr_type,
- netmask_string, MAXHOSTNAMELEN);
- }
-- }
-+
-+ /*
-+ * Construct an addrinfo list from the IP address.
-+ * This should not fail as the input is a correct IP address...
-+ */
-+ if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
-+ {
-+ return NO;
-+ }
-+ }
- else
-- /* NO, then check if it is only an addr */
-- if (isipaddr(tok, NULL, NULL) != YES)
-+ {
-+ /*
-+ * It is either an IP address or a hostname.
-+ * Let getaddrinfo sort everything out
-+ */
-+ if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
- {
-+ pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok);
-+
- return NO;
- }
-+ netmask_ptr = NULL;
-+ }
-
- if (isipaddr(string, NULL, NULL) != YES)
- {
-- /* Assume network/netmask with a name of a host. */
- struct addrinfo hint;
-
-+ /* Assume network/netmask with a name of a host. */
- memset (&hint, '\0', sizeof (hint));
- hint.ai_flags = AI_CANONNAME;
- hint.ai_family = AF_UNSPEC;
-
- if (item->gai_rv != 0)
-+ {
-+ freeaddrinfo(ai);
- return NO;
-+ }
- else if (!item->res &&
- (item->gai_rv = getaddrinfo (string, NULL, &hint, &item->res)) != 0)
-+ {
-+ freeaddrinfo(ai);
- return NO;
-+ }
- else
- {
- struct addrinfo *runp = item->res;
-+ struct addrinfo *runp1;
-
- while (runp != NULL)
- {
- char buf[INET6_ADDRSTRLEN];
-
-- DIAG_PUSH_IGNORE_CAST_ALIGN;
-- inet_ntop (runp->ai_family,
-- runp->ai_family == AF_INET
-- ? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr
-- : (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr,
-- buf, sizeof (buf));
-- DIAG_POP_IGNORE_CAST_ALIGN;
--
-- if (are_addresses_equal(buf, tok, netmask_ptr))
-+ if (getnameinfo (runp->ai_addr, runp->ai_addrlen, buf, sizeof (buf), NULL, 0, NI_NUMERICHOST) != 0)
- {
-- return YES;
-+ freeaddrinfo(ai);
-+ return NO;
-+ }
-+ for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
-+ {
-+ char buf1[INET6_ADDRSTRLEN];
-+
-+ if (runp->ai_family != runp1->ai_family)
-+ continue;
-+
-+ if (getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST) != 0)
-+ {
-+ freeaddrinfo(ai);
-+ return NO;
-+ }
-+
-+ if (are_addresses_equal (buf, buf1, netmask_ptr))
-+ {
-+ freeaddrinfo(ai);
-+ return YES;
-+ }
-+
- }
- runp = runp->ai_next;
- }
- }
- }
- else
-- return (are_addresses_equal(string, tok, netmask_ptr));
-+ {
-+ struct addrinfo *runp1;
-+
-+ for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
-+ {
-+ char buf1[INET6_ADDRSTRLEN];
-+
-+ (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST);
-+
-+ if (are_addresses_equal(string, buf1, netmask_ptr))
-+ {
-+ freeaddrinfo(ai);
-+ return YES;
-+ }
-+ }
-+ }
-+
-+ freeaddrinfo(ai);
-
- return NO;
- }
diff -Nru pam-1.4.0/debian/patches/series pam-1.4.0/debian/patches/series
--- pam-1.4.0/debian/patches/series 2023-01-24 11:07:37.000000000 +0000
+++ pam-1.4.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
@@ -1 +0,0 @@
-CVE-2022-28321.patch
diff -Nru pam-1.4.0/debian/patches-applied/CVE-2022-28321.patch pam-1.4.0/debian/patches-applied/CVE-2022-28321.patch
--- pam-1.4.0/debian/patches-applied/CVE-2022-28321.patch 1970-01-01 00:00:00.000000000 +0000
+++ pam-1.4.0/debian/patches-applied/CVE-2022-28321.patch 2023-01-24 11:28:49.000000000 +0000
@@ -0,0 +1,163 @@
+Backport of d275f22cf28da287e93b5e5a1fdb8a68b2815982
+ - function remote_match() doesn not exist, since the changes in
+ function remote_match() is trivial, it is fine to ignore those
+ changes
+ - function string_match() does not exist, since the changes in function
+ string_match() is trivial, it is fine to ignore those changes
+ - Backport second hunk for function network_netmask_match()
+From d275f22cf28da287e93b5e5a1fdb8a68b2815982 Mon Sep 17 00:00:00 2001
+From: Thorsten Kukuk
+Date: Thu, 24 Feb 2022 10:37:32 +0100
+Subject: [PATCH] pam_access: handle hostnames in access.conf
+
+According to the manual page, the following entry is valid but does not
+work:
+-:root:ALL EXCEPT localhost
+
+See https://bugzilla.suse.com/show_bug.cgi?id=1019866
+
+Patched is based on PR#226 from Josef Moellers
+---
+ modules/pam_access/pam_access.c | 95 ++++++++++++++++++++++++++-------
+ 1 file changed, 76 insertions(+), 19 deletions(-)
+
+--- pam-1.4.0.orig/modules/pam_access/pam_access.c
++++ pam-1.4.0/modules/pam_access/pam_access.c
+@@ -711,10 +711,12 @@ network_netmask_match (pam_handle_t *pam
+ char *netmask_ptr;
+ char netmask_string[MAXHOSTNAMELEN + 1];
+ int addr_type;
++ struct addrinfo *ai = NULL;
+
+ if (item->debug)
+- pam_syslog (pamh, LOG_DEBUG,
++ pam_syslog (pamh, LOG_DEBUG,
+ "network_netmask_match: tok=%s, item=%s", tok, string);
++
+ /* OK, check if tok is of type addr/mask */
+ if ((netmask_ptr = strchr(tok, '/')) != NULL)
+ {
+@@ -748,54 +750,108 @@ network_netmask_match (pam_handle_t *pam
+ netmask_ptr = number_to_netmask(netmask, addr_type,
+ netmask_string, MAXHOSTNAMELEN);
+ }
+- }
++
++ /*
++ * Construct an addrinfo list from the IP address.
++ * This should not fail as the input is a correct IP address...
++ */
++ if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
++ {
++ return NO;
++ }
++ }
+ else
+- /* NO, then check if it is only an addr */
+- if (isipaddr(tok, NULL, NULL) != YES)
++ {
++ /*
++ * It is either an IP address or a hostname.
++ * Let getaddrinfo sort everything out
++ */
++ if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
+ {
++ pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok);
++
+ return NO;
+ }
++ netmask_ptr = NULL;
++ }
+
+ if (isipaddr(string, NULL, NULL) != YES)
+ {
+- /* Assume network/netmask with a name of a host. */
+ struct addrinfo hint;
+
++ /* Assume network/netmask with a name of a host. */
+ memset (&hint, '\0', sizeof (hint));
+ hint.ai_flags = AI_CANONNAME;
+ hint.ai_family = AF_UNSPEC;
+
+ if (item->gai_rv != 0)
++ {
++ freeaddrinfo(ai);
+ return NO;
++ }
+ else if (!item->res &&
+ (item->gai_rv = getaddrinfo (string, NULL, &hint, &item->res)) != 0)
++ {
++ freeaddrinfo(ai);
+ return NO;
++ }
+ else
+ {
+ struct addrinfo *runp = item->res;
++ struct addrinfo *runp1;
+
+ while (runp != NULL)
+ {
+ char buf[INET6_ADDRSTRLEN];
+
+- DIAG_PUSH_IGNORE_CAST_ALIGN;
+- inet_ntop (runp->ai_family,
+- runp->ai_family == AF_INET
+- ? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr
+- : (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr,
+- buf, sizeof (buf));
+- DIAG_POP_IGNORE_CAST_ALIGN;
+-
+- if (are_addresses_equal(buf, tok, netmask_ptr))
++ if (getnameinfo (runp->ai_addr, runp->ai_addrlen, buf, sizeof (buf), NULL, 0, NI_NUMERICHOST) != 0)
+ {
+- return YES;
++ freeaddrinfo(ai);
++ return NO;
++ }
++ for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
++ {
++ char buf1[INET6_ADDRSTRLEN];
++
++ if (runp->ai_family != runp1->ai_family)
++ continue;
++
++ if (getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST) != 0)
++ {
++ freeaddrinfo(ai);
++ return NO;
++ }
++
++ if (are_addresses_equal (buf, buf1, netmask_ptr))
++ {
++ freeaddrinfo(ai);
++ return YES;
++ }
++
+ }
+ runp = runp->ai_next;
+ }
+ }
+ }
+ else
+- return (are_addresses_equal(string, tok, netmask_ptr));
++ {
++ struct addrinfo *runp1;
++
++ for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
++ {
++ char buf1[INET6_ADDRSTRLEN];
++
++ (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST);
++
++ if (are_addresses_equal(string, buf1, netmask_ptr))
++ {
++ freeaddrinfo(ai);
++ return YES;
++ }
++ }
++ }
++
++ freeaddrinfo(ai);
+
+ return NO;
+ }
diff -Nru pam-1.4.0/debian/patches-applied/series pam-1.4.0/debian/patches-applied/series
--- pam-1.4.0/debian/patches-applied/series 2022-02-07 16:46:51.000000000 +0000
+++ pam-1.4.0/debian/patches-applied/series 2023-02-02 09:21:46.000000000 +0000
@@ -33,3 +33,4 @@
 pam_unix_avoid_checksalt
 pam_env-allow-environment-files-without-EOL-at-EOF.patch
+CVE-2022-28321.patch
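Review bot: In the last `else` branch that debian/patches-applied/CVE-2022-28321.patch adds to `network_netmask_match` (the case where `string` is already an IP address), the result of `getnameinfo` is cast to `(void)` and `buf1` is handed to `are_addresses_equal` even when the conversion failed, so an access decision can be made on an uninitialised stack buffer. The hostname branch just above checks the same call before comparing; this loop should skip or reject the entry in the same way, for example `if (getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST) != 0) continue;`. It would also help to add a comment at the second `getaddrinfo (tok, ...)` call saying that hostname entries in access.conf are now resolved at match time, so the result depends on the resolver and a lookup failure logs `LOG_ERR` and returns `NO`. The function starts before and continues between the two inner hunks, so how `tok` is terminated at the `/` before the first `getaddrinfo` call cannot be confirmed from here.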