[oath-toolkit] Added check for strdup failure (by strdup-null-check patch)
Jaroslav Škarvada
jskarvad at fedoraproject.org
Fri Nov 7 10:03:38 UTC 2014
commit f9a55d7324767934cadb2cd92db8fe991821bd77
Author: Jaroslav Škarvada <jskarvad at redhat.com>
Date: Fri Nov 7 11:03:27 2014 +0100
Added check for strdup failure (by strdup-null-check patch)
Resolves: rhbz#1161360
oath-toolkit-2.4.1-strdup-null-check.patch | 29 ++++++++++++++++++++++++++++
oath-toolkit.spec | 9 +++++++-
2 files changed, 37 insertions(+), 1 deletions(-)
---
diff --git a/oath-toolkit-2.4.1-strdup-null-check.patch b/oath-toolkit-2.4.1-strdup-null-check.patch
new file mode 100644
index 0000000..37a0576
--- /dev/null
+++ b/oath-toolkit-2.4.1-strdup-null-check.patch
@@ -0,0 +1,29 @@
+diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c
+index 8379358..e2d3363 100644
+--- a/pam_oath/pam_oath.c
++++ b/pam_oath/pam_oath.c
+@@ -146,6 +146,12 @@ pam_sm_authenticate (pam_handle_t * pamh,
+ char *query_prompt = NULL;
+ char *onlypasswd = strdup (""); /* empty passwords never match */
+
++ if (!onlypasswd)
++ {
++ retval = PAM_BUF_ERR;
++ goto done;
++ }
++
+ parse_cfg (flags, argc, argv, &cfg);
+
+ retval = pam_get_user (pamh, &user, NULL);
+@@ -265,6 +271,11 @@ pam_sm_authenticate (pam_handle_t * pamh,
+ {
+ free (onlypasswd);
+ onlypasswd = strdup (password);
++ if (!onlypasswd)
++ {
++ retval = PAM_BUF_ERR;
++ goto done;
++ }
+
+ /* user entered their system password followed by generated OTP? */
+
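Review bot: In the first inserted check in pam_sm_authenticate, `goto done` is taken before `parse_cfg (flags, argc, argv, &cfg);` has run, so `cfg` is still unpopulated when control reaches the `done` label. The body of `done` is outside the visible context; if it reads any field of `cfg`, this out-of-memory path would act on uninitialized data inside an authentication module. Consider calling `parse_cfg` before allocating `onlypasswd`, or returning `PAM_BUF_ERR` directly on this path, since the visible locals (`query_prompt` is NULL) hold nothing to free at that point. The second check, after `onlypasswd = strdup (password);`, runs after `parse_cfg` and only needs `done` to tolerate a NULL `onlypasswd`, which `free` does.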
diff --git a/oath-toolkit.spec b/oath-toolkit.spec
index 6112656..44cfc47 100644
--- a/oath-toolkit.spec
+++ b/oath-toolkit.spec
@@ -1,6 +1,6 @@
Name: oath-toolkit
Version: 2.4.1
-Release: 6%{?dist}
+Release: 7%{?dist}
License: GPLv3+
Group: System Environment/Libraries
Summary: One-time password components
@@ -13,6 +13,8 @@ URL: http://www.nongnu.org/oath-toolkit/
# Escape leading single quotes in man pages which are misinterpreted as macros,
# patch sent upstream, upstream ticket #108312
Patch0: oath-toolkit-2.0.2-man-fix.patch
+# Add null check to strdup calls, upstream ticket #108456
+Patch1: oath-toolkit-2.4.1-strdup-null-check.patch
%description
The OATH Toolkit provide components for building one-time password
@@ -124,6 +126,7 @@ A PAM module for pluggable login authentication for OATH.
%prep
%setup -q
%patch0 -p1 -b .man-fix
+%patch1 -p1 -b .strdup-null-check
%build
%configure --with-pam-dir=%{_libdir}/security
@@ -204,6 +207,10 @@ mkdir -p -m 0600 %{buildroot}%{_sysconfdir}/liboath
%{_libdir}/security/pam_oath.so
%changelog
+* Fri Nov 7 2014 Jaroslav Škarvada <jskarvad at redhat.com> - 2.4.1-7
+- Added check for strdup failure (by strdup-null-check patch)
+ Resolves: rhbz#1161360
+
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.4.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild