wok-current rev 25651
Patch PAM CVE-2024-22365
author | Stanislas Leduc <shann@slitaz.org> |
---|---|
date | Fri Feb 02 18:24:50 2024 +0000 (10 months ago) |
parents | fcd938260f25 |
children | b44c7dd8bb4b |
files | pam/receipt pam/stuff/CVE-2024-22365.patch |
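--- a/pam/receipt
+++ b/pam/receipt
@@ -25,8 +25,13 @@
 # Rules to configure and make the package.
 compile_rules()
 {
+ # Patch CVE-2024-22365
+ # see https://seclists.org/oss-sec/2024/q1/31
+ patch -p1 < $stuff/CVE-2024-22365.patch
+
 sed -i 's|(uname -m)|(echo i686)|;s|`uname -m`|`echo i686`|' \
 configure build-aux/config.guess
+
 ./configure --sysconfdir=/etc \
 $CONFIGURE_ARGS &&
 make && make install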
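Review bot: The added `patch -p1 < $stuff/CVE-2024-22365.patch` in compile_rules() is not tied into the `&&` chain that guards `./configure … && make && make install`, so if the patch stops applying (for example after a PAM version bump) the build can apparently continue and ship an unpatched pam_namespace while the receipt still claims the fix. Unless the cook tooling already aborts on a failing command, which is not visible here, the line should fail the build explicitly and quote the path: `patch -p1 < "$stuff/CVE-2024-22365.patch" || return 1`. The body of compile_rules() continues outside the hunk.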
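--- /dev/null
+++ b/pam/stuff/CVE-2024-22365.patch
@@ -0,0 +1,36 @@
+diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
+index 2528cff86..f72d67189 100644
+--- a/modules/pam_namespace/pam_namespace.c
++++ b/modules/pam_namespace/pam_namespace.c
+@@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
+ int dfd = AT_FDCWD;
+ int dfd_next;
+ int save_errno;
+- int flags = O_RDONLY;
++ int flags = O_RDONLY | O_DIRECTORY;
+ int rv = -1;
+ struct stat st;
+
+@@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
+ rv = openat(dfd, dir, flags);
+ }
+
+- if (rv != -1) {
+- if (fstat(rv, &st) != 0) {
+- save_errno = errno;
+- close(rv);
+- rv = -1;
+- errno = save_errno;
+- goto error;
+- }
+- if (!S_ISDIR(st.st_mode)) {
+- close(rv);
+- errno = ENOTDIR;
+- rv = -1;
+- goto error;
+- }
+- }
+-
+ if (flags & O_NOFOLLOW) {
+ /* we are inside user-owned dir - protect */
+ if (protect_mount(rv, p, idata) == -1) {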