From f4b22a2f215f6f80558d9e4075c9de306c8b9953 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 7 Apr 2024 16:22:53 +0200
Subject: Adding debian version 1.5.2-6+deb12u1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 .../pam_unix_dont_trust_chkpwd_caller.patch        | 25 ++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch

(limited to 'debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch')

diff --git a/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
new file mode 100644
index 0000000..6a9e525
--- /dev/null
+++ b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
@@ -0,0 +1,25 @@
+Dropping suid bits is not enough to let us trust the caller; the unix_chkpwd
+helper could be sgid shadow instead of suid root, as it is in Debian and
+Ubuntu by default.  Drop any sgid bits as well.
+
+Authors: Steve Langasek <vorlon@debian.org>,
+         Michael Spang <mspang@csclub.uwaterloo.ca>
+
+Upstream status: to be submitted
+
+Index: pam/modules/pam_unix/unix_chkpwd.c
+===================================================================
+--- pam.orig/modules/pam_unix/unix_chkpwd.c
++++ pam/modules/pam_unix/unix_chkpwd.c
+@@ -138,9 +138,10 @@
+ 	  /* if the caller specifies the username, verify that user
+ 	     matches it */
+ 	  if (user == NULL || strcmp(user, argv[1])) {
++	    gid_t gid = getgid();
+ 	    user = argv[1];
+ 	    /* no match -> permanently change to the real user and proceed */
+-	    if (setuid(getuid()) != 0)
++	    if (setresgid(gid, gid, gid) != 0 || setuid(getuid()) != 0)
+ 		return PAM_AUTH_ERR;
+ 	  }
+ 	}
-- 
cgit v1.2.3