packages/kiran-session-guard
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!17 修复问题:已经过期的账户持有凭证仍然能登录

Browse Source 
From: @liubuguiii 
Reviewed-by: @tangjie02 
Signed-off-by: @tangjie02
This commit is contained in:
openeuler-ci-bot 2022-11-14 12:59:38 +00:00 committed by Gitee
commit 0e4f0e875d
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 45 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
0001-fix-CVE-PAM-authorization-bypass-due-to-incorrect-us.patch Normal file
View File

@ -0,0 +1,40 @@
From 308c40306db937dda0ed99c7a426c7730c3d326c Mon Sep 17 00:00:00 2001
From: liuxinhao <liuxinhao@kylinsec.com.cn>
Date: Mon, 14 Nov 2022 16:50:36 +0800
Subject: [PATCH] fix(CVE): PAM authorization bypass due to incorrect usage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 修复问题: 已经过期的账户持有凭证仍然能登录
---
libexec/session-guard-checkpass/main.cpp | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libexec/session-guard-checkpass/main.cpp b/libexec/session-guard-checkpass/main.cpp
index e667bde..4606411 100644
--- a/libexec/session-guard-checkpass/main.cpp
+++ b/libexec/session-guard-checkpass/main.cpp
@@ -203,7 +203,6 @@ int main(int argc, char *argv[])
int authRes = PAM_SUCCESS;
authRes = pam_authenticate(pamh, 0);
-
const char *newUserName;
if (pam_get_item(pamh, PAM_USER, (const void **)&newUserName) != PAM_SUCCESS)
{
@@ -211,6 +210,11 @@ int main(int argc, char *argv[])
return EXIT_FAILURE;
}
+ if( authRes == PAM_SUCCESS )
+ {
+ authRes = pam_acct_mgmt(pamh, 0);
+ }
+
const char *authResultString = pam_strerror(pamh, authRes);
CompleteEvent event(true, authRes == PAM_SUCCESS, QString(authResultString));
kiran_pam_message_send_event(CHANNEL_WRITE, &event);
--
2.33.0

7
kiran-session-guard.spec
View File

@ -1,12 +1,12 @@
Name: kiran-session-guard Name: kiran-session-guard
Version: 2.4.0 Version: 2.4.0
Release: 1 Release: 2
Summary: Kiran desktop environment login and lock screen dialog Summary: Kiran desktop environment login and lock screen dialog
Summary(zh_CN): Kiran桌面环境登录和解锁框 Summary(zh_CN): Kiran桌面环境登录和解锁框
License: MulanPSL-2.0 License: MulanPSL-2.0
Source0: %{name}-%{version}.tar.gz Source0: %{name}-%{version}.tar.gz
Patch01: 0001-fix-CVE-PAM-authorization-bypass-due-to-incorrect-us.patch
%define SHOW_VIRTUAL_KEYBOARD 0 %define SHOW_VIRTUAL_KEYBOARD 0
@ -134,6 +134,9 @@ gtk-update-icon-cache -f /usr/share/icons/hicolor/
rm -rf %{buildroot} rm -rf %{buildroot}
%changelog %changelog
* Mon Nov 14 2022 liuxinhao <liuxinhao@kylinsec.com.cn> - 2.4.0-2
- KYOS-F: fix PAM authorization bypass due to incorrect usage
* Fri Nov 04 2022 liuxinhao <liuxinhao@kylinsec.com.cn> - 2.4.0-1 * Fri Nov 04 2022 liuxinhao <liuxinhao@kylinsec.com.cn> - 2.4.0-1
- KYOS-F: release 2.4, kiran-control-panel greeter plugin support color block - KYOS-F: release 2.4, kiran-control-panel greeter plugin support color block