PAM

~roguescholar/pam/+git/upstream:master

Last commit made on 2024-05-24
Get this branch:
git clone -b master https://git.launchpad.net/~roguescholar/pam/+git/upstream

Branch information

Name: master
Repository: lp:~roguescholar/pam/+git/upstream

Recent commits

8562cb1... by Christian Göttsche <email address hidden>

pam_xauth: improve error logging on selabel lookup

Log in case the database could not be initialized.

Include the errno on lookup failure.

5d548fe... by Christian Göttsche <email address hidden>

pam_namespace: log getfscreatecon(3) failure

Log in case the current fscreate context could not be retrieved.

bd2f695... by Iker Pedrosa <email address hidden>

pam_namespace: free SELinux context on error path

* modules/pam_namespace/pam_namespace.c (create_polydir) [WITH_SELINUX]:
Free SELinux context in case of an error.

```
Error: RESOURCE_LEAK (CWE-772):
Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:1433: alloc_arg: "getfscreatecon_raw" allocates memory that is stored into "oldcon_raw".
Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:1462: leaked_storage: Variable "oldcon_raw" going out of scope leaks the storage it points to.
1460| pam_syslog(idata->pamh, LOG_ERR,
1461| "Error creating directory %s: %m", dir);
1462|-> return PAM_SESSION_ERR;
1463| }
1464|
```

Resolves: https://issues.redhat.com/browse/RHEL-36475
Signed-off-by: Iker Pedrosa <email address hidden>

667204d... by Iker Pedrosa <email address hidden>

pam_namespace: free SELinux context

* modules/pam_namespace/pam_namespace.c [WITH_SELINUX] (form_context):
Free SELinux context before returning.

```
Error: RESOURCE_LEAK (CWE-772):
Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:928: alloc_arg: "getexeccon" allocates memory that is stored into "scon".
Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:1004: leaked_storage: Variable "scon" going out of scope leaks the storage it points to.
1002| }
1003| /* Should never get here */
1004|-> return PAM_SUCCESS;
1005| }
1006| #endif
```

Resolves: https://issues.redhat.com/browse/RHEL-36475
Signed-off-by: Iker Pedrosa <email address hidden>

1ca5bfe... by Iker Pedrosa <email address hidden>

pam_timestamp: close the timestamp file on error path

* modules/pam_timestamp/pam_timestamp.c (pam_sm_authenticate)
[WITH_OPENSSL]: Close the timestamp file if hmac_size returned
an error.

```
Error: RESOURCE_LEAK (CWE-772):
Linux-PAM-1.6.0/modules/pam_timestamp/pam_timestamp.c:450: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
Linux-PAM-1.6.0/modules/pam_timestamp/pam_timestamp.c:450: var_assign: Assigning: "fd" = handle returned from "open(path, 131072)".
Linux-PAM-1.6.0/modules/pam_timestamp/pam_timestamp.c:460: noescape: Resource "fd" is not freed or pointed-to in "fstat".
Linux-PAM-1.6.0/modules/pam_timestamp/pam_timestamp.c:484: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
482| #ifdef WITH_OPENSSL
483| if (hmac_size(pamh, debug, &maclen)) {
484|-> return PAM_AUTH_ERR;
485| }
486| #else
```

Resolves: https://issues.redhat.com/browse/RHEL-36475
Signed-off-by: Iker Pedrosa <email address hidden>

d00f6cb... by Iker Pedrosa <email address hidden>

pam_rootok: close the audit socket on error path

* modules/pam_rootok/pam_rootok.c (log_callback): Close the audit socket
if vasprintf returned an error.

```
Error: RESOURCE_LEAK (CWE-772):
Linux-PAM-1.6.0/modules/pam_rootok/pam_rootok.c:59: open_fn: Returning handle opened by "audit_open".
Linux-PAM-1.6.0/modules/pam_rootok/pam_rootok.c:59: var_assign: Assigning: "audit_fd" = handle returned from "audit_open()".
Linux-PAM-1.6.0/modules/pam_rootok/pam_rootok.c:69: leaked_handle: Handle variable "audit_fd" going out of scope leaks the handle.
67| va_end(ap);
68| if (ret < 0) {
69|-> return 0;
70| }
71| audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
```

Resolves: https://issues.redhat.com/browse/RHEL-36475
Signed-off-by: Iker Pedrosa <email address hidden>

5eccaf9... by Iker Pedrosa <email address hidden>

pam_faillock: close the audit socket after use

* modules/pam_faillock/pam_faillock.c (check_tally): Close the audit
socket when it will no longer be used.

```
Error: RESOURCE_LEAK (CWE-772):
Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:247: open_fn: Returning handle opened by "audit_open".
Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:247: var_assign: Assigning: "audit_fd" = handle returned from "audit_open()".
Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:256: noescape: Resource "audit_fd" is not freed or pointed-to in "audit_log_user_message".
Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:258: leaked_handle: Handle variable "audit_fd" going out of scope leaks the handle.
256| audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
257| rhost, NULL, tty, 1);
258|-> }
259| #endif
260| opts->flags |= FAILLOCK_FLAG_UNLOCKED;
```

Resolves: https://issues.redhat.com/browse/RHEL-36475
Signed-off-by: Iker Pedrosa <email address hidden>
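
The three descriptor findings above (pam_timestamp, pam_rootok, pam_faillock) share one shape: a handle is opened and a later return path leaves without closing it. The C below is an added example, not code from Linux-PAM or from these commits; it reproduces that shape and measures the leak by counting open descriptors. The function names are hypothetical, and the `fail` flag is a constructed stand-in for a step such as `hmac_size` failing.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Before: early return skips close(); `fail` stands in for a failing step. */
int check_leaky(const char *path, int fail)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    if (fail)
        return -1;          /* leaked_handle: fd is still open */
    close(fd);
    return 0;
}

/* After: the handle is released before returning on either outcome. */
int check_fixed(const char *path, int fail)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    int rc = fail ? -1 : 0; /* result of the step that may fail */
    close(fd);              /* reached on success and failure alike */
    return rc;
}

/* Count descriptors open in this process by probing each slot. */
int open_fd_count(void)
{
    int n = 0;
    for (int fd = 0; fd < 1024; fd++)
        n += fcntl(fd, F_GETFD) != -1;
    return n;
}

/* Descriptors left open after `calls` runs of fn on its failing path. */
int leaked_after(int (*fn)(const char *, int), int calls)
{
    int before = open_fd_count();
    while (calls-- > 0)
        fn("/", 1);         /* "/" is a constructed input that always opens */
    return open_fd_count() - before;
}

int main(void)
{
    int a = leaked_after(check_leaky, 8), b = leaked_after(check_fixed, 8);
    return printf("leaky: %d, fixed: %d\n", a, b) < 0;
}
```

In a long-lived process that loads PAM modules, each leaked descriptor persists until the process exits, so repeated failures move it toward its open-file limit.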

7529268... by "Dmitry V. Levin" <email address hidden>

pam_env: fix error handling in econf_read_file

* modules/pam_env/pam_env.c [USE_ECONF] (econf_read_file): Make sure
the returned array of strings is properly initialized
when econf_getStringValue() fails to return a value.

aabd531... by "Dmitry V. Levin" <email address hidden>

pam_env: fix NULL dereference on error path in econf_read_file

* modules/pam_env/pam_env.c [USE_ECONF] (econf_read_file): Handle NULL
value returned by econf_getStringValue().

Resolves: https://github.com/linux-pam/linux-pam/issues/796

0f6796e... by "Dmitry V. Levin" <email address hidden>

Move all historic changelog files to a top-level ChangeLog.old directory

Move all historic changelog files away to avoid confusion.