[oath-toolkit/el6] Fixed CVE-2013-7322
Jaroslav Škarvada
jskarvad at fedoraproject.org
Mon Feb 17 10:26:15 UTC 2014
commit 4ec53dbe6e74d1de475b6c44d92cafb05182dbf5
Author: Jaroslav Škarvada <jskarvad at redhat.com>
Date: Mon Feb 17 11:26:56 2014 +0100
Fixed CVE-2013-7322
Resolves: CVE-2013-7322
oath-toolkit-2.0.2-CVE-2013-7322.patch | 51 ++++++++++++++++++++++++++++++++
oath-toolkit.spec | 15 +++++++++-
2 files changed, 65 insertions(+), 1 deletions(-)
---
diff --git a/oath-toolkit-2.0.2-CVE-2013-7322.patch b/oath-toolkit-2.0.2-CVE-2013-7322.patch
new file mode 100644
index 0000000..5129da7
--- /dev/null
+++ b/oath-toolkit-2.0.2-CVE-2013-7322.patch
@@ -0,0 +1,51 @@
+diff --git a/liboath/usersfile.c b/liboath/usersfile.c
+index 462926d..6410f70 100644
+--- a/liboath/usersfile.c
++++ b/liboath/usersfile.c
+@@ -232,24 +232,23 @@ update_usersfile2 (const char *username,
+ char *origline;
+ const char *user, *type, *passwd, *secret;
+ int r;
++ unsigned digits, totpstepsize;
+
+ origline = strdup (*lineptr);
+
+ type = strtok_r (*lineptr, whitespace, &saveptr);
+ if (type == NULL)
+- continue;
++ goto skip_line;
++
++ /* Read token type */
++ if (parse_type (type, &digits, &totpstepsize) != 0)
++ goto skip_line;
+
+ /* Read username */
+ user = strtok_r (NULL, whitespace, &saveptr);
+ if (user == NULL || strcmp (user, username) != 0
+ || got_users++ != skipped_users)
+- {
+- r = fprintf (outfh, "%s", origline);
+- free (origline);
+- if (r <= 0)
+- return OATH_PRINTF_ERROR;
+- continue;
+- }
++ goto skip_line;
+
+ passwd = strtok_r (NULL, whitespace, &saveptr);
+ if (passwd == NULL)
+@@ -265,6 +264,14 @@ update_usersfile2 (const char *username,
+ free (origline);
+ if (r <= 0)
+ return OATH_PRINTF_ERROR;
++ continue;
++
++ skip_line:
++ r = fprintf (outfh, "%s", origline);
++ free (origline);
++ if (r <= 0)
++ return OATH_PRINTF_ERROR;
++ continue;
+ }
+
+ return OATH_OK;
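Review bot: `origline = strdup (*lineptr);` is still unchecked, so when the copy fails every path that now reaches `skip_line` (and the existing write-through path) hands a NULL pointer to `fprintf (outfh, "%s", origline)`, which is undefined behavior rather than the error return the caller expects. A guard right after the copy, `if (origline == NULL) return OATH_MALLOC_ERROR;`, would keep the new control flow safe without changing its shape. `digits` and `totpstepsize` are filled in by `parse_type` but not used anywhere in the hunk; if they exist only so that a malformed type field is rejected, a comment such as `/* parsed only to validate the type field; values unused here */` would make that intent explicit, otherwise they should be wired into the later formatting. The body of `update_usersfile2` begins before the first hunk and the code between the two hunks (the passwd/secret handling) is not visible here.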
diff --git a/oath-toolkit.spec b/oath-toolkit.spec
index d51a18b..d455b1b 100644
--- a/oath-toolkit.spec
+++ b/oath-toolkit.spec
@@ -1,15 +1,17 @@
Name: oath-toolkit
Version: 2.0.2
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv3+
Group: System Environment/Libraries
Summary: One-time password components
BuildRequires: xmlsec1-devel, pam-devel, gtk-doc, libtool, libtool-ltdl-devel
+BuildRequires: xmlsec1-openssl-devel
Source: http://download.savannah.gnu.org/releases/%{name}/%{name}-%{version}.tar.gz
URL: http://www.nongnu.org/oath-toolkit/
# Escape leading single quotes in man pages which are misinterpreted as macros,
# patch sent upstream, upstream ticket #108312
Patch0: oath-toolkit-2.0.2-man-fix.patch
+Patch1: oath-toolkit-2.0.2-CVE-2013-7322.patch
%description
The OATH Toolkit provide components for building one-time password
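Review bot: The new `BuildRequires: xmlsec1-openssl-devel` line is not explained anywhere: the changelog entry for 2.0.2-4 only mentions the CVE, and the surrounding spec has no comment for it. Presumably the package failed to build in the el6 chroot without it, but a reader cannot tell whether it is now a hard requirement or a workaround; a one-line comment above it stating the reason and a matching changelog bullet would settle that. The same applies to the unexplained manual-page step added in the `%prep` hunk below.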
@@ -116,6 +118,13 @@ A PAM module for pluggable login authentication for OATH.
%prep
%setup -q
%patch0 -p1 -b .man-fix
+%patch1 -p1 -b .CVE-2013-7322
+
+# build fix
+# we do not need to re-build manual pages and deal with bootstraping, etc.
+pushd liboath/man
+touch *.3
+popd
%build
%configure --with-pam-dir=%{_libdir}/security
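Review bot: The `# build fix` comment above `pushd liboath/man` says only that something is being fixed, not what, and the following line hints that make would otherwise try to regenerate the shipped man pages. Suggest replacing the two comment lines with one that states the mechanism: `# Refresh mtime of the shipped man pages so make does not try to regenerate them (presumably newer than their sources after patching)`, hedged because the trigger is not visible from the spec. Note also that `touch *.3` relies on the glob matching; if the directory layout changes, the shell passes the literal `*.3` and touch creates a file of that name instead of failing.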
@@ -190,6 +199,10 @@ mkdir -p -m 0600 %{buildroot}%{_sysconfdir}/liboath
%{_libdir}/security/pam_oath.so
%changelog
+* Mon Feb 17 2014 Jaroslav Škarvada <jskarvad at redhat.com> - 2.0.2-4
+- Fixed CVE-2013-7322
+ Resolves: CVE-2013-7322
+
* Wed Jun 5 2013 Jaroslav Škarvada <jskarvad at redhat.com> - 2.0.2-3
- Fixed requirements according to reviewer comments
- Linked with --as-needed