Overview

File fix-for-cve-2022-22967-bsc-1200566.patch of Package salt.26883

From a9c292fdf9ae53b86109337165214d8aadb155e7 Mon Sep 17 00:00:00 2001
From: Wayne Werner <wwerner@vmware.com>
Date: Fri, 1 Apr 2022 14:21:57 -0500
Subject: [PATCH] Fix for CVE-2022-22967 (bsc#1200566)

---
 changelog/pam_auth.security         |  1 +
 salt/auth/pam.py                    |  2 +-
 tests/pytests/unit/auth/test_pam.py | 32 +++++++++++++++++++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 changelog/pam_auth.security
 create mode 100644 tests/pytests/unit/auth/test_pam.py

diff --git a/changelog/pam_auth.security b/changelog/pam_auth.security
new file mode 100644
index 0000000000..52943680f4
--- /dev/null
+++ b/changelog/pam_auth.security
@@ -0,0 +1 @@
+Fixed PAM auth to reject auth attempt if user account is locked.
diff --git a/salt/auth/pam.py b/salt/auth/pam.py
index a9dde95149..d91883b743 100644
--- a/salt/auth/pam.py
+++ b/salt/auth/pam.py
@@ -209,7 +209,7 @@ def authenticate(username, password):
 
     retval = PAM_AUTHENTICATE(handle, 0)
     if retval == 0:
-        PAM_ACCT_MGMT(handle, 0)
+        retval = PAM_ACCT_MGMT(handle, 0)
     PAM_END(handle, 0)
     return retval == 0
 
diff --git a/tests/pytests/unit/auth/test_pam.py b/tests/pytests/unit/auth/test_pam.py
new file mode 100644
index 0000000000..f5f49e65d8
--- /dev/null
+++ b/tests/pytests/unit/auth/test_pam.py
@@ -0,0 +1,32 @@
+import pytest
+import salt.auth.pam
+from tests.support.mock import patch
+
+
+@pytest.fixture
+def configure_loader_modules():
+    return {salt.auth.pam: {}}
+
+
+@pytest.fixture
+def mock_pam():
+    with patch("salt.auth.pam.CALLOC", autospec=True), patch(
+        "salt.auth.pam.pointer", autospec=True
+    ), patch("salt.auth.pam.PamHandle", autospec=True), patch(
+        "salt.auth.pam.PAM_START", autospec=True, return_value=0
+    ), patch(
+        "salt.auth.pam.PAM_AUTHENTICATE", autospec=True, return_value=0
+    ), patch(
+        "salt.auth.pam.PAM_END", autospec=True
+    ):
+        yield
+
+
+def test_cve_if_pam_acct_mgmt_returns_nonzero_authenticate_should_be_false(mock_pam):
+    with patch("salt.auth.pam.PAM_ACCT_MGMT", autospec=True, return_value=42):
+        assert salt.auth.pam.authenticate(username="fnord", password="fnord") is False
+
+
+def test_if_pam_acct_mgmt_returns_zero_authenticate_should_be_true(mock_pam):
+    with patch("salt.auth.pam.PAM_ACCT_MGMT", autospec=True, return_value=0):
+        assert salt.auth.pam.authenticate(username="fnord", password="fnord") is True
-- 
2.36.1
openSUSE Build Service is sponsored by
Places