Date: Thu, 13 Feb 2003 15:05:45 +0300 From: Sergey Matveychuk <sem@ciam.ru> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/48239: [UPDATE] security/pam-mysql update to 0.5 and OpenPAM support Message-ID: <E18jI7d-00059e-00@sem-home.ciam.ru>
>Number: 48239 >Category: ports >Synopsis: [UPDATE] security/pam-mysql update to 0.5 and OpenPAM support >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Thu Feb 13 04:10:11 PST 2003 >Closed-Date: >Last-Modified: >Originator: Sergey Matveychuk >Release: FreeBSD 5.0-RELEASE i386 >Organization: >Environment: System: FreeBSD sem-home.ciam.ru 5.0-RELEASE FreeBSD 5.0-RELEASE #2: Mon Jan 20 12:56:36 MSK 2003 root@sem-home.ciam.ru:/usr/obj/usr/src/sys/SEM-HOME i386 >Description: 1) Update port to 0.5: Added md5 support by default -ksmith added a makefile that works fon FreeBSD -ksmith More buffer overflow related fixes -jo2y added -lz flag to link against the libz library -jo2y backport of sql logging into main branch -jo2y fixed a memoryleak with mysql_free_result() -jo2y Fixes buffer overflow in parseArgs() -jo2y Add askForPassword() for new passwords in pam_sm_chauthtok() -ksmith all instances of syslog() now have a format string -ksmith Many fixes from B J Black 2) Add OpenPAM support New file: files/patch-ab >How-To-Repeat: >Fix: diff -ruN /usr/ports/security/pam-mysql/Makefile pam-mysql/Makefile --- /usr/ports/security/pam-mysql/Makefile Thu Apr 11 02:28:01 2002 +++ pam-mysql/Makefile Thu Feb 13 13:48:08 2003 @@ -6,7 +6,7 @@ # PORTNAME= pam_mysql -PORTVERSION= 0.4.7 +PORTVERSION= 0.5 CATEGORIES= security databases MASTER_SITES= http://download.sourceforge.net/pam-mysql/ \ http://atreides.freenix.no/~anders/ 
@@ -20,10 +20,6 @@ WRKSRC= ${WRKDIR}/${PORTNAME} .include <bsd.port.pre.mk> - -.if !exists(/usr/include/security/_pam_types.h) && ${OSVERSION} >= 500031 -BROKEN= "Does not work with OpenPAM (yet)" -.endif post-patch: @cd ${WRKSRC} && ${GMAKE} clean diff -ruN /usr/ports/security/pam-mysql/distinfo pam-mysql/distinfo --- /usr/ports/security/pam-mysql/distinfo Sat Oct 14 00:18:29 2000 +++ pam-mysql/distinfo Mon Feb 10 06:00:00 2003 @@ -1 +1 @@ -MD5 (pam_mysql-0.4.7.tar.gz) = 8442ec07c3de929720bbb8783750a1ff +MD5 (pam_mysql-0.5.tar.gz) = 8cf002392292ae2a5774545324739a94 diff -ruN /usr/ports/security/pam-mysql/files/patch-aa pam-mysql/files/patch-aa --- /usr/ports/security/pam-mysql/files/patch-aa Sat Oct 14 00:18:33 2000 +++ pam-mysql/files/patch-aa Thu Feb 13 13:46:55 2003 
@@ -1,63 +1,18 @@
---- pam_mysql.c.old Sun Sep 24 02:26:17 2000
-+++ pam_mysql.c Sun Sep 24 02:42:23 2000
-@@ -14,7 +14,6 @@
- #include <unistd.h>
- #include <syslog.h>
- #include <stdarg.h>
--#include <alloca.h>
- #include <string.h>
+--- Makefile.orig Thu Nov 21 05:13:01 2002
++++ Makefile Thu Feb 13 13:39:07 2003
+@@ -3,13 +3,9 @@
+ ifndef FULL_LINUX_PAM_SOURCE_TREE
+ export DYNAMIC=-DPAM_DYNAMIC
+ export CC=gcc
+-export CFLAGS=-O2 -Dlinux -DLINUX_PAM \
+- -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \
+- -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \
+- -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \
+- -Wshadow -pedantic -fPIC
++export CFLAGS=-O2 -I/usr/local/include -fPIC
+ export MKDIR=mkdir -p
+-export LD_D=gcc -shared -Xlinker -x -L/usr/lib/mysql -lz
++export LD_D=gcc -shared -Xlinker -x -L/usr/local/lib/mysql -lz
+ endif
- #include <mysql/mysql.h>
-@@ -332,40 +331,40 @@
- }
- strcpy (junk, argv[i]);
- if ((strchr (junk, (int) '=') != NULL)) {
-- strncpy (mybuf, strtok (junk, "="), 255);
-- strncpy (myval, strtok (NULL, "="), 255);
-+ strlcpy (mybuf, strtok (junk, "="), 255);
-+ strlcpy (myval, strtok (NULL, "="), 255);
- free (junk);
- if (!strcasecmp ("host", mybuf)) {
-- strncpy (options.host, myval, 255);
-+ strlcpy (options.host, myval, 255);
- D (("host changed."));
- } else if (!strcasecmp ("where", mybuf)) {
- while ( (mj = strtok(NULL,"=")) != NULL )
- {
-- strcat(myval, "=");
-- strcat(myval, mj);
-+ strlcat(myval, "=", 255);
-+ strlcat(myval, mj, 255);
- }
-- strncpy (options.where, myval, 256);
-+ strlcpy (options.where, myval, 256);
- D (("where changed."));
- #ifdef DEBUG
- syslog(LOG_ERR, "pam_mysql: where now is %s", options.where);
- #endif
- } else if (!strcasecmp ("db", mybuf)) {
-- strncpy (options.database, myval, 16);
-+ strlcpy (options.database, myval, 16);
- D (("database changed."));
- } else if (!strcasecmp ("user", mybuf)) {
-- strncpy (options.dbuser, myval, 16);
-+ strlcpy (options.dbuser, myval, 16);
- D (("dbuser changed."));
- } else if (!strcasecmp ("passwd", mybuf)) {
-- strncpy (options.dbpasswd, myval, 16);
-+ strlcpy (options.dbpasswd, myval, 16);
- D (("dbpasswd changed."));
- } else if (!strcasecmp ("table", mybuf)) {
-- strncpy (options.table, myval, 16);
-+ strlcpy (options.table, myval, 16);
- D (("table changed."));
- } else if (!strcasecmp ("usercolumn", mybuf)) {
-- strncpy (options.usercolumn, myval, 16);
-+ strlcpy (options.usercolumn, myval, 16);
- D (("usercolumn changed."));
- } else if (!strcasecmp ("passwdcolumn", mybuf)) {
-- strncpy (options.passwdcolumn, myval, 16);
-+ strlcpy (options.passwdcolumn, myval, 16);
- D (("passwdcolumn changed."));
- } else if (!strcasecmp ("crypt", mybuf)) {
- if ((!strcmp (myval, "1")) ||
+ #
diff -ruN /usr/ports/security/pam-mysql/files/patch-ab pam-mysql/files/patch-ab
--- /usr/ports/security/pam-mysql/files/patch-ab Thu Jan 1 03:00:00 1970
+++ pam-mysql/files/patch-ab Thu Feb 13 14:58:41 2003
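Review bot: The replacement `export CFLAGS=` line in the new patch-aa drops every warning flag together with the Linux-only defines, so a module that handles PAM arguments and passwords is built without the diagnostics upstream had enabled; the non-portable flags have to go, but `-Wall` can stay: `export CFLAGS=-O2 -Wall -I/usr/local/include -fPIC`. That line and the `LD_D` line also hard-code `/usr/local`, which will miss the MySQL headers and libraries on a system with a different LOCALBASE, so the path is better substituted from the port Makefile. The same hunk retires the earlier strncpy-to-strlcpy patch for the option-parsing code; the description attributes the equivalent fix to upstream 0.5, but pam_mysql.c from 0.5 is not shown here, so it is worth confirming that every bounded copy there still NUL-terminates its buffer before the old hardening is dropped.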
@@ -0,0 +1,90 @@
+--- pam_mysql.c.orig Sun Sep 15 10:28:58 2002
++++ pam_mysql.c Thu Feb 13 14:58:21 2003
+@@ -23,6 +23,7 @@
+ #include <sys/socket.h>
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
++#include <time.h>
+
+
+ /* AFAIK, only FreeBSD has MD5Data() defined in md5.h
+@@ -54,7 +55,53 @@
+ #define DEBUG
+
+ #include <security/pam_modules.h>
++#ifdef _OPENPAM
++#include <security/pam_appl.h>
++#else
+ #include <security/pam_misc.h>
++#endif
++
++#ifdef _OPENPAM
++/* some macros not defined in OpenPAM */
++
++/* Good policy to strike out passwords with some characters not just
++ free the memory */
++
++#define _pam_overwrite(x) \
++do { \
++ register char *__xx__; \
++ if ((__xx__=(x))) \
++ while (*__xx__) \
++ *__xx__++ = '\0'; \
++} while (0)
++
++/*
++ * Don't just free it, forget it too.
++ */
++
++#define _pam_drop(X) \
++do { \
++ if (X) { \
++ free(X); \
++ X=NULL; \
++ } \
++} while (0)
++
++#define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
++do { \
++ int reply_i; \
++ \
++ for (reply_i=0; reply_i<replies; ++reply_i) { \
++ if (reply[reply_i].resp) { \
++ _pam_overwrite(reply[reply_i].resp); \
++ free(reply[reply_i].resp); \
++ } \
++ } \
++ if (reply) \
++ free(reply); \
++} while (0)
++
++#endif
+
+ struct optionstruct {
+ char host[257];
+@@ -620,7 +667,11 @@
+ retval = conv->conv(nargs,
+ (const struct pam_message **) message,
+ response, conv->appdata_ptr);
+- if ((retval != PAM_SUCCESS) && (retval != PAM_CONV_AGAIN))
++ if ((retval != PAM_SUCCESS)
++#ifndef _OPENPAM
++ && (retval != PAM_CONV_AGAIN)
++#endif
++ )
+ syslog(LOG_DEBUG, "pam_mysql: conversation failure [%s]",
+ pam_strerror(pamh, retval));
+ } else {
+@@ -827,8 +878,12 @@
+ if (retval != PAM_SUCCESS) {
+ if (resp != NULL)
+ _pam_drop_reply(resp,i);
++#ifndef _OPENPAM
+ return ((retval == PAM_CONV_AGAIN)
+ ? PAM_INCOMPLETE : PAM_AUTHINFO_UNAVAIL);
++#else
++ return PAM_AUTHINFO_UNAVAIL;
++#endif
+ }
+
+ /* we have a password so set AUTHTOK
>Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports-bugs" in the body of the message
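Review bot: The `_pam_overwrite` macro added for OpenPAM clears the password with ordinary stores through `register char *__xx__`, and in `_pam_drop_reply` those stores are followed directly by `free(reply[reply_i].resp)`, so an optimising compiler is allowed to discard them as dead stores and leave the password in freed memory. Declaring the cursor as `register volatile char *__xx__;` keeps the writes. In `_pam_drop_reply` the `if (reply)` test comes only after the loop has indexed `reply[reply_i]`, so it protects nothing when `replies` is positive; the call site in the last inner hunk does test `resp != NULL` first (its enclosing function lies outside the hunk), but moving the test in front of the loop would make the macro safe on its own. The macro arguments are used unparenthesised and `_pam_drop(X)` evaluates `X` more than once, which deserves a comment such as `/* X must be a side-effect-free lvalue */`.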