New version

Resolves: rhbz#2316447 Dropped privileges when operating on user files Resolves: CVE-2024-47191
4 months ago · fe9dcd1c7a
parent 5689902e58
commit fe9dcd1c7a
3 changed files with 23 additions and 17 deletions
--- a/oath-toolkit-2.6.12-lockfile.patch
+++ b/oath-toolkit-2.6.12-lockfile.patch
@ -1,5 +1,5 @@
 diff --git a/liboath/global.c b/liboath/global.c
-index 8c60c20..acaa3eb 100644
+index d1a0e4d..4c6e5ca 100644
 --- a/liboath/global.c
 +++ b/liboath/global.c
@@ -25,9 +25,12 @@
@ -61,7 +61,7 @@ index 8c60c20..acaa3eb 100644
 +  return OATH_OK;
 +}
 diff --git a/liboath/liboath.map b/liboath/liboath.map
-index 5493358..a1be2fb 100644
+index d980107..a001f6d 100644
 --- a/liboath/liboath.map
 +++ b/liboath/liboath.map
@@ -75,6 +75,7 @@ LIBOATH_2.2.0
@ -73,7 +73,7 @@ index 5493358..a1be2fb 100644
 
 LIBOATH_2.6.0
 diff --git a/liboath/oath.h b/liboath/oath.h
-index 3a4077f..bd592c8 100644
+index 01b7a3c..a5d7787 100644
 --- a/liboath/oath.h
 +++ b/liboath/oath.h
@@ -159,11 +159,15 @@ extern "C"
@ -93,7 +93,7 @@ index 3a4077f..bd592c8 100644
 
   extern OATHAPI const char *oath_strerror (int err);
 diff --git a/liboath/oath.h.in b/liboath/oath.h.in
-index b14df98..2bc89de 100644
+index b8b4fbd..99e5fd0 100644
 --- a/liboath/oath.h.in
 +++ b/liboath/oath.h.in
@@ -159,11 +159,15 @@ extern "C"
@ -113,7 +113,7 @@ index b14df98..2bc89de 100644
 
   extern OATHAPI const char *oath_strerror (int err);
 diff --git a/liboath/usersfile.c b/liboath/usersfile.c
-index 582c657..f8f6446 100644
+index 68268a2..eb78fe0 100644
 --- a/liboath/usersfile.c
 +++ b/liboath/usersfile.c
@@ -325,9 +325,18 @@ update_usersfile (const char *usersfile,
@ -136,13 +136,13 @@ index 582c657..f8f6446 100644
 +        return OATH_PRINTF_ERROR;
 +    }
 
-     lockfh = fopen (lockfile, "w");
+     lockfh = fopen (lockfile, "wx");
     if (!lockfh)
 diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c
-index 0a88a1c..28afd9b 100644
+index 2a85030..6a83195 100644
 --- a/pam_oath/pam_oath.c
 +++ b/pam_oath/pam_oath.c
-@@ -73,6 +73,7 @@ struct cfg
+@@ -75,6 +75,7 @@ struct cfg
   int try_first_pass;
   int use_first_pass;
   char *usersfile;
@ -150,7 +150,7 @@ index 0a88a1c..28afd9b 100644
   unsigned digits;
   unsigned window;
 };
-@@ -87,6 +88,7 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
+@@ -89,6 +90,7 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
   cfg->try_first_pass = 0;
   cfg->use_first_pass = 0;
   cfg->usersfile = NULL;
@ -158,7 +158,7 @@ index 0a88a1c..28afd9b 100644
   cfg->digits = -1;
   cfg->window = 5;
 
-@@ -102,6 +104,8 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
+@@ -104,6 +106,8 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
 	cfg->use_first_pass = 1;
       if (strncmp (argv[i], "usersfile=", 10) == 0)
 	cfg->usersfile = (char *) argv[i] + 10;
@ -167,7 +167,7 @@ index 0a88a1c..28afd9b 100644
       if (strncmp (argv[i], "digits=", 7) == 0)
 	cfg->digits = atoi (argv[i] + 7);
       if (strncmp (argv[i], "window=", 7) == 0)
-@@ -127,6 +131,7 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
+@@ -129,6 +133,7 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
       D (("try_first_pass=%d", cfg->try_first_pass));
       D (("use_first_pass=%d", cfg->use_first_pass));
       D (("usersfile=%s", cfg->usersfile ? cfg->usersfile : "(null)"));
@ -175,7 +175,7 @@ index 0a88a1c..28afd9b 100644
       D (("digits=%d", cfg->digits));
       D (("window=%d", cfg->window));
     }
-@@ -337,6 +342,17 @@ pam_sm_authenticate (pam_handle_t * pamh,
+@@ -369,6 +374,17 @@ pam_sm_authenticate (pam_handle_t *pamh,
       goto done;
     }
 
--- a/oath-toolkit.spec
+++ b/oath-toolkit.spec
@ -1,6 +1,6 @@
 Name:          oath-toolkit
-Version:       2.6.11
-Release:       6%{?dist}
+Version:       2.6.12
+Release:       1%{?dist}
 # Automatically converted from old format: GPLv3+ - review is highly recommended.
 License:       GPL-3.0-or-later
 Summary:       One-time password components
@ -20,7 +20,7 @@ Source1:       https://download.savannah.nongnu.org/releases/%{name}/%{name}-%{v
 # gpg2 --armor --export D73CF638C53C06BE > keyring.asc
 Source2:       keyring.asc
 URL:           https://www.nongnu.org/oath-toolkit/
-Patch0:        oath-toolkit-2.6.9-lockfile.patch
+Patch0:        oath-toolkit-2.6.12-lockfile.patch

 %description
 The OATH Toolkit provide components for building one-time password
@ -189,6 +189,12 @@ mkdir -p -m 0600 %{buildroot}%{_sysconfdir}/liboath
 %{_libdir}/security/pam_oath.so

 %changelog
+* Thu Oct 10 2024 Jaroslav Škarvada <jskarvad@redhat.com> - 2.6.12-1
+- New version
+  Resolves: rhbz#2316447
+- Dropped privileges when operating on user files
+  Resolves: CVE-2024-47191
+
 * Thu Jul  25 2024 Miroslav Suchý <msuchy@redhat.com> - 2.6.11-6
 - convert license to SPDX

--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (oath-toolkit-2.6.11.tar.gz) = 42df879bebccdde3d38558ba735e09db14d0c916b9f0d3a1842e0ecc80614b7d1ee44db39d3097970a2a7108446da6eefd09bdd32dd2fb81d6aed06dc19552fd
-SHA512 (oath-toolkit-2.6.11.tar.gz.sig) = 07126e759ea6688b6964d51769d7414e2568228c6b0c271117e95db1a29b5b6faccff1b2aee8cfe34e8c27309bdbf067b522fc1cd089e864692b92302277bcf5
+SHA512 (oath-toolkit-2.6.12.tar.gz) = f82967e4b86bac57bec4b048fedd351ca7ae6f368f4b3a61135057c28c531a2c9845b51660dee2a6f5db66d5065619d22921b94229c672d1889077a710a0f0ce
+SHA512 (oath-toolkit-2.6.12.tar.gz.sig) = 1596132d6e88f3c0f4af8b8ac57815d448d05af51f3f276b9dd3ba4d41d1a95f2d6ba726f1963e63d4d2aa967cfc0d08983b61ff62454f1355e5e67206a09f82