Added check for strdup failure (by strdup-null-check patch)

Resolves: rhbz#1161360
10 years ago · f9a55d7324
parent 2965eda54f
commit f9a55d7324
2 changed files with 37 additions and 1 deletions
--- a/oath-toolkit-2.4.1-strdup-null-check.patch
+++ b/oath-toolkit-2.4.1-strdup-null-check.patch
@ -0,0 +1,29 @@
+diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c
+index 8379358..e2d3363 100644
+--- a/pam_oath/pam_oath.c
+++ b/pam_oath/pam_oath.c
+@@ -146,6 +146,12 @@ pam_sm_authenticate (pam_handle_t * pamh,
+   char *query_prompt = NULL;
+   char *onlypasswd = strdup ("");	/* empty passwords never match */
+ 
+  if (!onlypasswd)
+    {
+      retval = PAM_BUF_ERR;
+      goto done;
+    }
+
+   parse_cfg (flags, argc, argv, &cfg);
+ 
+   retval = pam_get_user (pamh, &user, NULL);
+@@ -265,6 +271,11 @@ pam_sm_authenticate (pam_handle_t * pamh,
+     {
+       free (onlypasswd);
+       onlypasswd = strdup (password);
+      if (!onlypasswd)
+        {
+          retval = PAM_BUF_ERR;
+          goto done;
+        }
+ 
+       /* user entered their system password followed by generated OTP? */
+ 
--- a/oath-toolkit.spec
+++ b/oath-toolkit.spec
@ -1,6 +1,6 @@
 Name:          oath-toolkit
 Version:       2.4.1
-Release:       6%{?dist}
+Release:       7%{?dist}
 License:       GPLv3+
 Group:         System Environment/Libraries
 Summary:       One-time password components
@ -13,6 +13,8 @@ URL:           http://www.nongnu.org/oath-toolkit/
 # Escape leading single quotes in man pages which are misinterpreted as macros,
 # patch sent upstream, upstream ticket #108312
 Patch0:        oath-toolkit-2.0.2-man-fix.patch
+# Add null check to strdup calls, upstream ticket #108456
+Patch1:        oath-toolkit-2.4.1-strdup-null-check.patch

 %description
 The OATH Toolkit provide components for building one-time password
@ -124,6 +126,7 @@ A PAM module for pluggable login authentication for OATH.
 %prep
 %setup -q
 %patch0 -p1 -b .man-fix
+%patch1 -p1 -b .strdup-null-check

 %build
 %configure --with-pam-dir=%{_libdir}/security
@ -204,6 +207,10 @@ mkdir -p -m 0600 %{buildroot}%{_sysconfdir}/liboath
 %{_libdir}/security/pam_oath.so

 %changelog
+* Fri Nov  7 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.4.1-7
+- Added check for strdup failure (by strdup-null-check patch)
+  Resolves: rhbz#1161360
+
 * Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.1-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild