From 00a097bdd4cddadd6758a1c33b86902500f952b5 Mon Sep 17 00:00:00 2001
From: duyiwei <duyiwei@kylinos.cn>
Date: Fri, 17 Jun 2022 09:34:17 +0800
Subject: [PATCH] FIX-CVE-2022-1049

---
 0002-FIX-CVE-2022-1049.patch | 57 ++++++++++++++++++++++++++++++++++++
 pcs.spec                     |  6 +++-
 2 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 0002-FIX-CVE-2022-1049.patch

diff --git a/0002-FIX-CVE-2022-1049.patch b/0002-FIX-CVE-2022-1049.patch
new file mode 100644
index 0000000..315ace9
--- /dev/null
+++ b/0002-FIX-CVE-2022-1049.patch
@@ -0,0 +1,57 @@
+From 4aaee013a2ad016399bc86d13c50c008214ddea4 Mon Sep 17 00:00:00 2001
+From: duyiwei <duyiwei@kylinos.cn>
+Date: Fri, 17 Jun 2022 10:00:03 +0800
+Subject: [PATCH] CVE-2022-1049
+
+Signed-off-by: duyiwei <duyiwei@kylinos.cn>
+---
+ CHANGELOG.md       | 4 +++-
+ pcs/daemon/auth.py | 3 +++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG.md b/CHANGELOG.md
+index feefd72..9e44da5 100644
+--- a/CHANGELOG.md
++++ b/CHANGELOG.md
+@@ -17,6 +17,8 @@
+ - Removed unwanted logging to system log (/var/log/messages) ([rhbz#1917286])
+ - Fixed rare race condition in `pcs cluster start --wait` ([rhbz#1794062])
+ - Better error message when unable to connect to pcsd ([rhbz#1619818])
++- Pcs daemon was allowing expired accounts, and accounts with expired
++  passwords to login when using PAM auth. ([huntr#220307])
+ 
+ ### Deprecated
+ - Commands `pcs config import-cman` and `pcs config export
+@@ -38,7 +40,7 @@
+ [rhbz#1869399]: https://bugzilla.redhat.com/show_bug.cgi?id=1869399
+ [rhbz#1885841]: https://bugzilla.redhat.com/show_bug.cgi?id=1885841
+ [rhbz#1917286]: https://bugzilla.redhat.com/show_bug.cgi?id=1917286
+-
++[huntr#220307]: https://huntr.dev/bounties/7aa921fc-a568-4fd8-96f4-7cd826246aa5/
+ 
+ ## [0.10.7] - 2020-09-30
+ 
+diff --git a/pcs/daemon/auth.py b/pcs/daemon/auth.py
+index 2c86b17..d99ae2d 100644
+--- a/pcs/daemon/auth.py
++++ b/pcs/daemon/auth.py
+@@ -52,6 +52,7 @@ libpam = CDLL(find_library("pam"))
+ strdup = prep_fn(libc.strdup, POINTER(c_char), [c_char_p])
+ calloc = prep_fn(libc.calloc, c_void_p, [c_uint, c_uint])
+ pam_authenticate = prep_fn(libpam.pam_authenticate, c_int, [pam_handle, c_int])
++pam_acct_mgmt = prep_fn(libpam.pam_acct_mgmt, c_int, [pam_handle, c_int])
+ pam_end = prep_fn(libpam.pam_end, c_int, [pam_handle, c_int])
+ pam_start = prep_fn(
+     libpam.pam_start,
+@@ -90,6 +91,8 @@ def authenticate_by_pam(username, password):
+     )
+     if returncode == PAM_SUCCESS:
+         returncode = pam_authenticate(pamh, 0)
++    if returncode == PAM_SUCCESS:
++        returncode = pam_acct_mgmt(pamh, 0)
+     pam_end(pamh, returncode)
+     return returncode == PAM_SUCCESS
+ 
+-- 
+2.33.0
+
diff --git a/pcs.spec b/pcs.spec
index 81aa9eb..8a45725 100644
--- a/pcs.spec
+++ b/pcs.spec
@@ -1,6 +1,6 @@
 Name:    pcs
 Version: 0.10.8
-Release: 1
+Release: 2
 License: GPLv2 and BSD-2-Clause and ASL 2.0 and MIT
 URL:     https://github.com/ClusterLabs/pcs
 Summary: Pacemaker Configuration System
@@ -42,6 +42,7 @@ Source3: https://github.com/idevat/pcs-web-ui/archive/%{ui_commit}/%{ui_src_name
 Source4: https://github.com/idevat/pcs-web-ui/releases/download/%{ui_commit}/pcs-web-ui-node-modules-%{ui_commit}.tar.xz
 
 Patch0:  0001-Resolve-the-failure-of-field-matching-in-test-cases.patch
+Patch1:  0002-FIX-CVE-2022-1049.patch
 # git for patches
 BuildRequires: make
 BuildRequires: git-core
@@ -386,6 +387,9 @@ remove_all_tests
 %license pyagentx_LICENSE.txt
 
 %changelog
+* Fri Jun 17 2022 duyiwei <duyiwei@kylinos.cn> - 0.10.8-2
+- FIX-CVE-2022-1049
+
 * Thu Mar 10 2022 jiangxinyu <jiangxinyu@kylinos.cn> - 0.10.8-1
 - update to 0.10.8