main/linux-pam: security upgrade to 1.2.1 (CVE-2015-3238)

ref #4387
fixes #4391

2 files changed, 41 insertions, 6 deletions

diff --git a/main/linux-pam/APKBUILD b/main/linux-pam/APKBUILD
index 5b71afcd5f..64d88c3318 100644
--- a/main/linux-pam/APKBUILD
+++ b/main/linux-pam/APKBUILD
@@ -1,8 +1,8 @@
 # Contributor: William Pitcock <nenolod@dereferenced.org>
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=linux-pam
-pkgver=1.1.8
-pkgrel=2
+pkgver=1.2.1
+pkgrel=0
 pkgdesc="pluggable authentication modules for linux"
 url="http://www.kernel.org/pub/linux/libs/pam"
 arch="all"
@@ -13,10 +13,11 @@ makedepends="$depends_dev bison flex-dev autoconf automake libtool"
 install=""
 options="suid"
 subpackages="$pkgname-dev $pkgname-doc"
-source="https://fedorahosted.org/releases/l/i/linux-pam/Linux-PAM-$pkgver.tar.bz2
+source="http://linux-pam.org/library/Linux-PAM-$pkgver.tar.bz2
         linux-pam-innetgr.patch
         fix-compat.patch
         libpam-fix-build-with-eglibc-2.16.patch
+        musl-fix-pam_exec.patch
 
         base-auth.pamd
         base-account.pamd
@@ -84,30 +85,33 @@ package() {
                 && chmod g+s "$pkgdir"/sbin/unix_chkpwd || return 1
 }
 
-md5sums="35b6091af95981b1b2cd60d813b5e4ee  Linux-PAM-1.1.8.tar.bz2
+md5sums="9dc53067556d2dd567808fd509519dd6  Linux-PAM-1.2.1.tar.bz2
 c309401e103cc86e8b25557ff3eb0b53  linux-pam-innetgr.patch
 283a399db933a7598fc63ada5d3eb38c  fix-compat.patch
 23320dadf8e36846b6bbd7903f95ece5  libpam-fix-build-with-eglibc-2.16.patch
+9ade1e4582b34e138368664ff145fd94  musl-fix-pam_exec.patch
 aa5bb7c9d8e4687aea1ae69b7447254a  base-auth.pamd
 fafcf29cb9bab788cb4933106be31883  base-account.pamd
 117535e4938f478efced1398b408cf96  base-password.pamd
 baec6808544bf6cebc59e07467f8c213  base-session.pamd
 afbdd8eb4db5c31dfd8e8da35c698b90  base-session-noninteractive.pamd
 b8e839ece64df173f16d28520eb8d66c  other.pamd"
-sha256sums="c4b1f23a236d169e2496fea20721578d864ba00f7242d2b41d81050ac87a1e55  Linux-PAM-1.1.8.tar.bz2
+sha256sums="342b1211c0d3b203a7df2540a5b03a428a087bd8a48c17e49ae268f992b334d9  Linux-PAM-1.2.1.tar.bz2
 fb609212837c67da7da033a0daa01d1c2e34166867530e6924102b655e00ebde  linux-pam-innetgr.patch
 4e1f855779a73960f48e570ce507884325a3aef374721e3973e1e22a60b9bec0  fix-compat.patch
 01c9216a2a833d10c2b42e1182b161b125d869e8620e60989636feb721d466c5  libpam-fix-build-with-eglibc-2.16.patch
+c0e51d82de9271d38217209d8a55b444b743a226ac9d7a3220b433d49236bd11  musl-fix-pam_exec.patch
 daedb66d2b6c324f62100657383f3da6af196ad516837f36a3142da5318b8874  base-auth.pamd
 51dba5c32d8cfa0c1795b2ed72af7aa5871f7943a20f89d2e4ad00b9053bc9c8  base-account.pamd
 16c2d6f750f8bb320d64537554c48e3474f13623e7f6e231135d2cd2362745a3  base-password.pamd
 5bf97347375ffc626fd3ed2e8d39abde566c2eca3f5e06a737ccffd48aede5de  base-session.pamd
 a65802b72a44b0c2083bce7e7d0cd1b04782272a6281a65c5b0075b8f9bccd5f  base-session-noninteractive.pamd
 2e4850ba8db3aee3fe97eaf76286ada585d821cd8affc97c845eb58b2bf68bb6  other.pamd"
-sha512sums="245785ab4e187ceaab6393967352c8d2a2319c64e1e83285d0251cc02995dc2edab8e3001301b6d9f6774c441b7557d9caf4dfdf94c7cd5d44aa53ae759d9e5d  Linux-PAM-1.1.8.tar.bz2
+sha512sums="4572aa1eaf5a1312410c74b5ed055b2592c5efe2bb82f59981da4e9e93555ad40aee3a89f446d9dc6c6af79efc04c33f739f66db9edc07e02479475a14e426da  Linux-PAM-1.2.1.tar.bz2
 ca32ecdacfc5b8f1482031203b616932b646a008b02080315ea2589af5962180d4ff4339c27fe9f6a878a89f47fb69429f4ac75d67b0e70ad7765a4db1dc74d9  linux-pam-innetgr.patch
 52b97e23084f7b835ce1fa441663f91a50ea797cb38ba2c6662bcdaf0d25ba487118442674ac347fb17353af126dd6b3b696612faa56cac428dd842d14e1c90d  fix-compat.patch
 f49edf3876cc6bcb87bbea4e7beaeb0a382d596898c755f5fbaf6c2ed4e0c8f082b2cd16dde8a74af82bb09a1334f463e07a4bb5b8a48f023ff90a67ad2fdd44  libpam-fix-build-with-eglibc-2.16.patch
+bc443d2a9b1d90b81959ce6fa154042365d5e7840f8696f847a145bbaaeffcbe1e9cd2b8ba76131a7b48737929e281f4fe864582fa4fc40315f2d10c650e0cd9  musl-fix-pam_exec.patch
 0672ab21adb969af2a0082e2559f1196d8a4f8b1cff2836f97e5f24edb03b6aed156c61cf335a4df978e423dcd9934ffee8cb5784ed5dde704d7e5ddec4ba9f6  base-auth.pamd
 85462201a4044c7e170e617d39b0eceb4790abc6c0504999117548030a16d80a9d2078d1ad97690d7d346e6374201f0c52e792ccb08ce2b1c4bbf0cc2be96f5b  base-account.pamd
 8223b815148c3b9b874d2c283840f6428c266e56c7cf49ce8fc508c4945ae31c837bef96dab17f64a60812d1c9cd0055cf0a50d7951d23070b69bd2e5bb9666d  base-password.pamd
diff --git a/main/linux-pam/musl-fix-pam_exec.patch b/main/linux-pam/musl-fix-pam_exec.patch
new file mode 100644
index 0000000000..b6b999faed
--- /dev/null
+++ b/main/linux-pam/musl-fix-pam_exec.patch
@@ -0,0 +1,31 @@
+--- ./modules/pam_exec/pam_exec.c.orig
++++ ./modules/pam_exec/pam_exec.c
+@@ -103,11 +103,14 @@
+   int optargc;
+   const char *logfile = NULL;
+   const char *authtok = NULL;
++  char authtok_buf[PAM_MAX_RESP_SIZE+1];
++
+   pid_t pid;
+   int fds[2];
+   int stdout_fds[2];
+   FILE *stdout_file = NULL;
+ 
++  memset(authtok_buf, 0, sizeof(authtok_buf));
+   if (argc < 1) {
+     pam_syslog (pamh, LOG_ERR,
+                "This module needs at least one argument");
+@@ -178,11 +181,11 @@
+                }
+ 
+              pam_set_item (pamh, PAM_AUTHTOK, resp);
+-             authtok = strndupa (resp, PAM_MAX_RESP_SIZE);
++             authtok = strncpy(authtok_buf, resp, sizeof(authtok_buf));
+              _pam_drop (resp);
+            }
+          else
+-           authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE);
++           authtok = strncpy(authtok_buf, void_pass, sizeof(authtok_buf));
+ 
+          if (pipe(fds) != 0)
+            {