Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:Update
salt.25404
fix-for-cve-2022-22967-bsc-1200566.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File fix-for-cve-2022-22967-bsc-1200566.patch of Package salt.25404
From a9c292fdf9ae53b86109337165214d8aadb155e7 Mon Sep 17 00:00:00 2001 From: Wayne Werner <wwerner@vmware.com> Date: Fri, 1 Apr 2022 14:21:57 -0500 Subject: [PATCH] Fix for CVE-2022-22967 (bsc#1200566) --- changelog/pam_auth.security | 1 + salt/auth/pam.py | 2 +- tests/pytests/unit/auth/test_pam.py | 32 +++++++++++++++++++++++++++++ 3 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 changelog/pam_auth.security create mode 100644 tests/pytests/unit/auth/test_pam.py diff --git a/changelog/pam_auth.security b/changelog/pam_auth.security new file mode 100644 index 0000000000..52943680f4 --- /dev/null +++ b/changelog/pam_auth.security @@ -0,0 +1 @@ +Fixed PAM auth to reject auth attempt if user account is locked. diff --git a/salt/auth/pam.py b/salt/auth/pam.py index a9dde95149..d91883b743 100644 --- a/salt/auth/pam.py +++ b/salt/auth/pam.py @@ -209,7 +209,7 @@ def authenticate(username, password): retval = PAM_AUTHENTICATE(handle, 0) if retval == 0: - PAM_ACCT_MGMT(handle, 0) + retval = PAM_ACCT_MGMT(handle, 0) PAM_END(handle, 0) return retval == 0 diff --git a/tests/pytests/unit/auth/test_pam.py b/tests/pytests/unit/auth/test_pam.py new file mode 100644 index 0000000000..f5f49e65d8 --- /dev/null +++ b/tests/pytests/unit/auth/test_pam.py @@ -0,0 +1,32 @@ +import pytest +import salt.auth.pam +from tests.support.mock import patch + + +@pytest.fixture +def configure_loader_modules(): + return {salt.auth.pam: {}} + + +@pytest.fixture +def mock_pam(): + with patch("salt.auth.pam.CALLOC", autospec=True), patch( + "salt.auth.pam.pointer", autospec=True + ), patch("salt.auth.pam.PamHandle", autospec=True), patch( + "salt.auth.pam.PAM_START", autospec=True, return_value=0 + ), patch( + "salt.auth.pam.PAM_AUTHENTICATE", autospec=True, return_value=0 + ), patch( + "salt.auth.pam.PAM_END", autospec=True + ): + yield + + +def test_cve_if_pam_acct_mgmt_returns_nonzero_authenticate_should_be_false(mock_pam): + with patch("salt.auth.pam.PAM_ACCT_MGMT", autospec=True, return_value=42): + assert salt.auth.pam.authenticate(username="fnord", password="fnord") is False + + +def test_if_pam_acct_mgmt_returns_zero_authenticate_should_be_true(mock_pam): + with patch("salt.auth.pam.PAM_ACCT_MGMT", autospec=True, return_value=0): + assert salt.auth.pam.authenticate(username="fnord", password="fnord") is True -- 2.36.1
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor