From f9a55d7324767934cadb2cd92db8fe991821bd77 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?=
Date: Fri, 7 Nov 2014 11:03:27 +0100
Subject: [PATCH] Added check for strdup failure (by strdup-null-check patch)

Resolves: rhbz#1161360
---
 oath-toolkit-2.4.1-strdup-null-check.patch | 29 ++++++++++++++++++++++
 oath-toolkit.spec | 9 ++++++-
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 oath-toolkit-2.4.1-strdup-null-check.patch

diff --git a/oath-toolkit-2.4.1-strdup-null-check.patch b/oath-toolkit-2.4.1-strdup-null-check.patch
new file mode 100644
index 0000000..37a0576
--- /dev/null
+++ b/oath-toolkit-2.4.1-strdup-null-check.patch
@@ -0,0 +1,29 @@
+diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c
+index 8379358..e2d3363 100644
+--- a/pam_oath/pam_oath.c
++++ b/pam_oath/pam_oath.c
+@@ -146,6 +146,12 @@ pam_sm_authenticate (pam_handle_t * pamh,
+ char *query_prompt = NULL;
+ char *onlypasswd = strdup (""); /* empty passwords never match */
+
++ if (!onlypasswd)
++ {
++ retval = PAM_BUF_ERR;
++ goto done;
++ }
++
+ parse_cfg (flags, argc, argv, &cfg);
+
+ retval = pam_get_user (pamh, &user, NULL);
+@@ -265,6 +271,11 @@ pam_sm_authenticate (pam_handle_t * pamh,
+ {
+ free (onlypasswd);
+ onlypasswd = strdup (password);
++ if (!onlypasswd)
++ {
++ retval = PAM_BUF_ERR;
++ goto done;
++ }
+
+ /* user entered their system password followed by generated OTP? */
+
diff --git a/oath-toolkit.spec b/oath-toolkit.spec
index 6112656..44cfc47 100644
--- a/oath-toolkit.spec
+++ b/oath-toolkit.spec
@@ -1,6 +1,6 @@
 Name: oath-toolkit
 Version: 2.4.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv3+
 Group: System Environment/Libraries
 Summary: One-time password components
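Review bot: In the first hunk of the embedded pam_oath.c patch, the new `if (!onlypasswd)` branch does `goto done` before `parse_cfg (flags, argc, argv, &cfg);` has run, so whatever sits at that label executes with `cfg` still unparsed. The `done:` label and the declaration of `cfg` are outside the hunk; if `cfg` is an uninitialised local and the cleanup path reads it (for a debug flag or any option that can override `retval`), this path reads indeterminate data, which in an authentication module could change the result returned to PAM. Moving the new check to just below the `parse_cfg` call keeps the existing exit path but with a parsed configuration; alternatively, as far as the hunk shows nothing else has been allocated at that point, so `return PAM_BUF_ERR;` would also do. The check added in the second hunk sits after configuration parsing and does not have this problem.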
@@ -13,6 +13,8 @@ URL: http://www.nongnu.org/oath-toolkit/
 # Escape leading single quotes in man pages which are misinterpreted as macros,
 # patch sent upstream, upstream ticket #108312
 Patch0: oath-toolkit-2.0.2-man-fix.patch
+# Add null check to strdup calls, upstream ticket #108456
+Patch1: oath-toolkit-2.4.1-strdup-null-check.patch
 %description
 The OATH Toolkit provide components for building one-time password
@@ -124,6 +126,7 @@ A PAM module for pluggable login authentication for OATH.
 %prep
 %setup -q
 %patch0 -p1 -b .man-fix
+%patch1 -p1 -b .strdup-null-check
 %build
 %configure --with-pam-dir=%{_libdir}/security
@@ -204,6 +207,10 @@ mkdir -p -m 0600 %{buildroot}%{_sysconfdir}/liboath
 %{_libdir}/security/pam_oath.so
 %changelog
+* Fri Nov 7 2014 Jaroslav Škarvada - 2.4.1-7
+- Added check for strdup failure (by strdup-null-check patch)
+ Resolves: rhbz#1161360
+
 * Sun Aug 17 2014 Fedora Release Engineering - 2.4.1-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild