commit 73de95d36e857327b631d3567a9c37648e38c6fc
Author: overweight <5324761+overweight@user.noreply.gitee.com>
Date: Mon Sep 30 10:57:44 2019 -0400
Package init
diff --git a/0001-Fix-harmless-one-byte-buffer-underflow-on-read.patch b/0001-Fix-harmless-one-byte-buffer-underflow-on-read.patch
new file mode 100644
index 0000000..2521bfe
--- /dev/null
+++ b/0001-Fix-harmless-one-byte-buffer-underflow-on-read.patch
@@ -0,0 +1,46 @@
+From 9d6140b4c37f39cdd0c1947adf07dc5ca1762055 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Tue, 26 Mar 2019 10:12:09 +0100
+Subject: [PATCH 1/2] Fix harmless one byte buffer underflow on read
+
+When settings file has comments spanning a whole line there
+is harmless one byte read before the line buffer.
+
+Thanks Emiel Bruijntjes for finding the issue.
+---
+ src/settings.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/settings.c b/src/settings.c
+index 4f11537..922a55d 100644
+--- a/src/settings.c
++++ b/src/settings.c
+@@ -134,7 +134,8 @@ read_config_file(pwquality_settings_t *pwq, const char *cfgfile, void **auxerror
+ int eq;
+
+ len = strlen(linebuf);
+- if (linebuf[len - 1] != '\n' && !feof(f)) {
++ /* len cannot be 0 unless there is a bug in fgets */
++ if (len && linebuf[len - 1] != '\n' && !feof(f)) {
+ (void) fclose(f);
+ return PWQ_ERROR_CFGFILE_MALFORMED;
+ }
+@@ -146,13 +147,13 @@ read_config_file(pwquality_settings_t *pwq, const char *cfgfile, void **auxerror
+ }
+
+ /* drop terminating whitespace including the \n */
+- do {
++ while (ptr > linebuf) {
+ if (!isspace(*(ptr-1))) {
+ *ptr = '\0';
+ break;
+ }
+ --ptr;
+- } while (ptr > linebuf);
++ }
+
+ /* skip initial whitespace */
+ for (ptr = linebuf; isspace(*ptr); ptr++);
+--
+1.8.3.1
+
diff --git a/0006-pam_pwquality-Abort-the-retry-loop-when-user-cancels.patch b/0006-pam_pwquality-Abort-the-retry-loop-when-user-cancels.patch
new file mode 100644
index 0000000..9493509
--- /dev/null
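Review bot: `isspace(*(ptr-1))` in the rewritten trailing-whitespace loop, and `isspace(*ptr)` in the context line below it, pass a byte read from `linebuf` straight to `isspace()`. If `linebuf` is a plain `char` array (its declaration is outside the hunk), a byte above 0x7f in the settings file becomes a negative argument on platforms where `char` is signed, which is undefined behaviour for the `<ctype.h>` functions. Since the patch already touches this loop to remove an out-of-bounds read, it is the natural place to write `if (!isspace((unsigned char)*(ptr-1))) {` and `isspace((unsigned char)*ptr)`. The body of read_config_file starts and ends outside both hunks.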
+++ b/0006-pam_pwquality-Abort-the-retry-loop-when-user-cancels.patch 
@@ -0,0 +1,69 @@
+From bddd1dfe5a13e39e04ed1593cba4263dfd528fad Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Thu, 17 May 2018 15:32:16 +0200
+Subject: [PATCH 06/11] pam_pwquality: Abort the retry loop when user cancels
+ prompt
+
+The retry loop must be aborted for any pam_get_authtok() error
+except for PAM_TRY_AGAIN.
+
+Fixes: #7
+---
+ src/pam_pwquality.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/src/pam_pwquality.c b/src/pam_pwquality.c
+index dd72380..9c9849d 100644
+--- a/src/pam_pwquality.c
++++ b/src/pam_pwquality.c
+@@ -209,11 +209,12 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
+ */
+
+ retval = pam_get_authtok_noverify(pamh, &newtoken, NULL);
+- if (retval != PAM_SUCCESS) {
+- pam_syslog(pamh, LOG_ERR, "pam_get_authtok_noverify returned error: %s",
+- pam_strerror(pamh, retval));
+- continue;
+- } else if (newtoken == NULL) { /* user aborted password change, quit */
++ if (retval != PAM_SUCCESS || newtoken == NULL) {
++ if (retval == PAM_AUTHTOK_ERR || newtoken == NULL)
++ pam_syslog(pamh, LOG_INFO, "user aborted password change");
++ else
++ pam_syslog(pamh, LOG_ERR, "pam_get_authtok_noverify returned error: %s",
++ pam_strerror(pamh, retval));
+ pwquality_free_settings(options.pwq);
+ return PAM_AUTHTOK_ERR;
+ }
+@@ -248,12 +249,15 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
+ }
+
+ retval = pam_get_authtok_verify(pamh, &newtoken, NULL);
+- if (retval != PAM_SUCCESS) {
+- pam_syslog(pamh, LOG_ERR, "pam_get_authtok_verify returned error: %s",
+- pam_strerror(pamh, retval));
++ if (retval != PAM_SUCCESS || newtoken == NULL) {
+ pam_set_item(pamh, PAM_AUTHTOK, NULL);
+- continue;
+- } else if (newtoken == NULL) { /* user aborted password change, quit */
++ if (retval == PAM_TRY_AGAIN)
++ continue;
++ if (retval == PAM_AUTHTOK_ERR || newtoken == NULL)
++ pam_syslog(pamh, LOG_INFO, "user aborted password change");
++ else
++ pam_syslog(pamh, LOG_ERR, "pam_get_authtok_verify returned
error: %s",
++ pam_strerror(pamh, retval));
+ pwquality_free_settings(options.pwq);
+ return PAM_AUTHTOK_ERR;
+ }
+@@ -270,7 +274,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
+ if (options.retry_times > 1)
+ return PAM_MAXTRIES;
+ else
+- return retval;
++ return PAM_AUTHTOK_ERR;
+ } else {
+ pwquality_free_settings(options.pwq);
+ if (ctrl & PAM_DEBUG_ARG)
+--
+1.8.3.1
+
diff --git a/fix-password-similarity.patch b/fix-password-similarity.patch
new file mode 100644
index 0000000..56592b6
--- /dev/null
+++ b/fix-password-similarity.patch
@@ -0,0 +1,24 @@
+From d0a20b9fa44fa39e8401eb1de57bce063bea007e Mon Sep 17 00:00:00 2001
+From: cangyi
+Date: Tue, 9 Apr 2019 04:58:14 -0400
+
+---
+ src/pwqprivate.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pwqprivate.h b/src/pwqprivate.h
+index 4ac96a7..68cd087 100644
+--- a/src/pwqprivate.h
++++ b/src/pwqprivate.h
+@@ -37,7 +37,7 @@ struct setting_mapping {
+ int type;
+ };
+
+-#define PWQ_DEFAULT_DIFF_OK 1
++#define PWQ_DEFAULT_DIFF_OK 5
+ #define PWQ_DEFAULT_MIN_LENGTH 8
+ #define PWQ_DEFAULT_DIG_CREDIT 0
+ #define PWQ_DEFAULT_UP_CREDIT 0
+--
+1.8.3.1
+
diff --git a/libpwquality-1.4.0.tar.bz2 b/libpwquality-1.4.0.tar.bz2
new file mode 100644
index 0000000..78c19a8
Binary files /dev/null and b/libpwquality-1.4.0.tar.bz2 differ
diff --git a/libpwquality.spec b/libpwquality.spec
new file mode 100644
index 0000000..d0f6936
--- /dev/null
+++ b/libpwquality.spec
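Review bot: The new `LOG_INFO` branch in both the `pam_get_authtok_noverify` and the `pam_get_authtok_verify` hunks records every `PAM_AUTHTOK_ERR` and every NULL token as "user aborted password change" and drops the return code. If `PAM_AUTHTOK_ERR` can also come back for a failure that is not a user cancel (worth confirming against the PAM library in use), the log no longer lets an operator tell the two apart. Keeping the code in the message costs nothing: `pam_syslog(pamh, LOG_INFO, "user aborted password change: %s", pam_strerror(pamh, retval));`. The nested `if`/`else` bodies are also unbraced, which is easy to break on the next edit of a security-relevant path. The retry loop of pam_sm_chauthtok that the `continue` targets lies outside the hunks.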
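Review bot: The patch header for `PWQ_DEFAULT_DIFF_OK` has no subject or description, and the hunk changes the compiled-in default from 1 to 5 without touching anything that documents it. If the man pages or the `difok` comment in pwquality.conf still state the old value (neither is visible in this hunk), administrators reading them will misjudge the effective policy. I would give the patch a subject such as `Subject: [PATCH] Raise default difok from 1 to 5` and mark the define with `/* distribution default; the unpatched source uses 1 */`.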
@@ -0,0 +1,131 @@
+%define _moduledir %{_libdir}/security
+%define _secconfdir %{_sysconfdir}/security
+
+Name: libpwquality
+Version: 1.4.0
+Release: 11
+Summary: Library for password quality checking and generating random passwords.
+License: BSD or GPLv2+
+URL: https://github.com/libpwquality/libpwquality/
+Source0: https://github.com/libpwquality/libpwquality/releases/download/libpwquality-%{version}/libpwquality-%{version}.tar.bz2
+
+#patch from Fedora
+Patch6000: 0006-pam_pwquality-Abort-the-retry-loop-when-user-cancels.patch
+#patch from Fedora
+Patch6001: 0001-Fix-harmless-one-byte-buffer-underflow-on-read.patch
+
+Patch9000: modify-pwquality_conf.patch
+Patch9001: fix-password-similarity.patch
+
+BuildRequires: gcc cracklib-devel gettext pam-devel
+BuildRequires: python2-devel python3-devel
+
+Recommends: cracklib >= 2.8
+Requires: pam
+
+%description
+The libpwquality library purpose is to provide common functions for password quality checking and also scoring them based on their apparent randomness.
+The library also provides a function for generating random passwords with good pronounceability.
+The library supports reading and parsing of a configuration file.
+
+%package devel
+Summary: Support for development of applications using the libpwquality library
+Requires: libpwquality = %{version}-%{release}
+Requires: pkgconfig
+
+%description devel
+Files needed for development of applications using the libpwquality library.
+See the pwquality.h header file for the API.
+
+%package -n python2-pwquality
+Summary: Python2 bindings for the libpwquality library
+Requires: libpwquality = %{version}-%{release}
+
+%description -n python2-pwquality
+This package provides Python2 bindings for the libpwquality library.
+
+%package -n python3-pwquality
+Summary: Python3 bindings for the libpwquality library
+Requires: libpwquality = %{version}-%{release}
+
+%description -n python3-pwquality
+This package provides Python3 bindings for the libpwquality library.
+
+%package_help
+
+%prep
+%autosetup -n %{name}-%{version} -p1
+
+rm -rf %{py3dir}
+cp -a . %{py3dir}
+
+%build
+#python2
+%configure --with-securedir=%{_moduledir} \
+ --with-pythonsitedir=%{python2_sitearch} \
+ --with-python-binary=%{__python2} \
+ --disable-static
+
+%make_build
+
+#python3
+cd %{py3dir}
+%configure --with-securedir=%{_moduledir} \
+ --with-pythonsitedir=%{python3_sitearch} \
+ --with-python-binary=%{__python3} \
+ --disable-static
+
+%make_build
+cd -
+
+%install
+%make_install
+
+cd %{py3dir}
+%make_install -C python
+cd -
+
+rm -f %{buildroot}%{_libdir}/*.la
+rm -f %{buildroot}%{_moduledir}/*.la
+
+mkdir %{buildroot}%{_secconfdir}/pwquality.conf.d
+
+%find_lang libpwquality
+
+%check
+
+%ldconfig_scriptlets
+
+
+
+%files -f libpwquality.lang
+%license COPYING
+%doc README NEWS AUTHORS
+%{_bindir}/pwmake
+%{_bindir}/pwscore
+%{_moduledir}/pam_pwquality.so
+%{_libdir}/libpwquality.so.*
+%config(noreplace) %{_secconfdir}/pwquality.conf
+%{_secconfdir}/pwquality.conf.d
+
+%files devel
+%{_includedir}/pwquality.h
+%{_libdir}/libpwquality.so
+%{_libdir}/pkgconfig/*.pc
+
+%files -n python2-pwquality
+%{python2_sitearch}/pwquality.so
+%{python2_sitearch}/*.egg-info
+
+%files -n python3-pwquality
+%{python3_sitearch}/*.so
+%{python3_sitearch}/*.egg-info
+
+%files help
+%{_mandir}/man1/*
+%{_mandir}/man5/*
+%{_mandir}/man3/*
+%{_mandir}/man8/*
+%changelog
+* Wed Sep 4 2019 openEuler Buildteam - 1.4.0-11
+- Package init
diff --git a/modify-pwquality_conf.patch b/modify-pwquality_conf.patch
new file mode 100644
index 0000000..856650b
--- /dev/null
+++ b/modify-pwquality_conf.patch
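Review bot: `Patch9000` and `Patch9001` carry no comment on their origin or purpose, unlike the two `#patch from Fedora` entries above them, yet they are the two patches that change password policy (the shipped pwquality.conf and the compiled-in `PWQ_DEFAULT_DIFF_OK`). A line such as `#local policy: explicit pwquality.conf values, minclass = 3` above Patch9000 and `#local policy: raise default difok from 1 to 5` above Patch9001 would let an auditor separate the unpatched behaviour from distribution policy. The `%check` section is also empty, so the build never exercises the patched library or PAM module. If the source tree has a test target (not visible here), it should be called there.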
@@ -0,0 +1,40 @@
+diff -Nupr libpwquality-1.2.3.orig/src/pwquality.conf libpwquality-1.2.3/src/pwquality.conf
+--- libpwquality-1.2.3.orig/src/pwquality.conf 2015-08-18 10:29:38.000000000 +0800
++++ libpwquality-1.2.3/src/pwquality.conf 2015-08-18 10:30:57.000000000 +0800
+@@ -8,30 +8,30 @@
+ # Minimum acceptable size for the new password (plus one if
+ # credits are not disabled which is the default). (See pam_cracklib manual.)
+ # Cannot be set to lower value than 6.
+-# minlen = 8
++minlen = 8
+ #
+ # The maximum credit for having digits in the new password. If less than 0
+ # it is the minimum number of digits in the new password.
+-# dcredit = 0
++dcredit = 0
+ #
+ # The maximum credit for having uppercase characters in the new password.
+ # If less than 0 it is the minimum number of uppercase characters in the new
+ # password.
+-# ucredit = 0
++ucredit = 0
+ #
+ # The maximum credit for having lowercase characters in the new password.
+ # If less than 0 it is the minimum number of lowercase characters in the new
+ # password.
+-# lcredit = 0
++lcredit = 0
+ #
+ # The maximum credit for having other characters in the new password.
+ # If less than 0 it is the minimum number of other characters in the new
+ # password.
+-# ocredit = 0
++ocredit = 0
+ #
+ # The minimum number of required classes of characters for the new
+ # password (digits, uppercase, lowercase, others).
+-# minclass = 0
++minclass = 3
+ #
+ # The maximum number of allowed consecutive same characters in the new password.
+ # The check is disabled if the value is 0.
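Review bot: The patch header names `libpwquality-1.2.3` with 2015 timestamps, while the spec in this commit builds 1.4.0, so the hunk at `@@ -8,30 +8,30 @@` is applied to a newer file than it was generated from. It should be regenerated against 1.4.0, or at least confirmed to apply without fuzz, so that a shifted context cannot silently enable the wrong setting. `minclass = 3` is the one line here that tightens policy rather than spelling out a commented default, and nothing in the file marks it as a distribution choice. A comment above it such as `# Distribution policy: require at least 3 character classes.` would make that visible to administrators. The hunk does not touch any `difok` entry, so if the file documents that setting elsewhere it will not reflect the new compiled-in default of 5 from fix-password-similarity.patch.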