Bug Fix Advisory pam bug fix and enhancement update

Advisory: RHBA-2009:1358-1
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2009-09-02
Last updated on: 2009-09-02
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
OVAL: N/A

Details

Updated pam packages that fix several bugs and add various enhancements are
now available for Red Hat Enterprise Linux 5.

Pluggable Authentication Modules (PAM) provide a system whereby
administrators can set up authentication policies without having to
recompile programs that handle authentication.

These updated pam packages provide fixes for the following bugs:

* when called from a screensaver running under a non-zero UserID, the
pam_tally2 module could repeatedly prompt for the user's password and then
log the following error to syslog: "Error opening /var/log/tallylog for
update: Permission denied". With this update, pam_tally2 correctly ignores
failures to open the tallylog in this situation. (BZ#429169)

* the pam_access module unnecessarily attempted to resolve entries listed
in the access.conf file through DNS lookups, even if the service was not
called from a network. The pam_access module has been changed so that it
does not attempt to resolve the origins of entries in access.conf which do
not contain an IP address, or an IP address and a netmask value. (BZ#459057)

* the pam_keyinit module did not save the UserID (UID) of the process
during session close, which made it unable to switch back to that original
UID. An error message was output to the system log in that case. The UID is
now correctly saved with these updated packages, which makes the spurious
log message disappear. (BZ#466411)

* the pam_filter module was not able to open a new pseudoterminal, which
prevented the module from functioning properly. With this update,
pam_filter is able to open new pseudoterminals. (BZ#473970)

* when the "open_tty" module was used in combination with the
"pam_tty_audit" module in the system-auth PAM configuration file,
pam_tty_audit could crash with a segmentation fault if the "open_only"
option was set and the open_tty module was invoked by the "su" command or
another utility. (BZ#476833)

* the "smbpasswd" utility allows a user to change their encrypted SMB
password, which is stored in the smbpasswd file. However, it was not
possible for non-root users to change their password with "smbpasswd" due
to overly strict checking in the helper of the pam_unix module. This has
been corrected so that users can once again change their SMB passwords
using "smbpasswd". (BZ#476904)

* the coreutils package was listed incorrectly as a prerequisite
requirement for the pam packages instead of a post-install requirement.
This dependency statement has been corrected in these updated packages.
(BZ#497570)

In addition, these updated packages provide the following enhancements:

* Gnome Display Manager's (GDM's) accessibility features did not function
correctly when an audio device was not properly configured. The
configuration file for console device modes now sets audio devices as owned
by the "audio" group if there is no console user. This provides support for
accessible login with GDM. (BZ#244688)

* the pam_tally2 module now supports a new option that serializes access
to the /var/log/tallylog file. Enabling this option prevents spurious
authentication failures that could occur when two separate processes
attempted to authenticate nearly simultaneously while the lock_time option
("always deny for n seconds after a failed attempt") was set to a value of
one or greater. (BZ#455217)

* these updated pam packages provide a new PAM module, pam_faildelay, which
can read the "FAIL_DELAY" value from the /etc/login.defs configuration file
and set the amount of delay between login prompts following a failed login
attempt to that value. (BZ#476217)

* these updated pam packages provide a new PAM module, pam_pwhistory, which
saves the most recent passwords for each user in order to enforce a
password history and keep the user from reusing a recent password too
soon. (BZ#451085)
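As an added illustration, not part of this advisory, the following system-auth fragment shows how the modules described above fit into a PAM stack. The option names delay=, remember=, use_authtok and serialize are taken from the modules' man pages (the advisory does not name the serialization option), and all numeric values are examples, not recommendations.

```conf
# Constructed /etc/pam.d/system-auth fragment; values are illustrative only.
#
# auth stack: pam_faildelay sets the delay applied after a failed attempt.
# With no delay= option it reads FAIL_DELAY (seconds) from /etc/login.defs;
# delay=<microseconds> would override that value.
auth        required      pam_env.so
auth        optional      pam_faildelay.so
# pam_tally2 counts failures; "serialize" takes a lock on /var/log/tallylog so
# two near-simultaneous attempts cannot race while lock_time is in effect.
auth        required      pam_tally2.so deny=5 unlock_time=900 lock_time=2 serialize
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

# account stack: pam_tally2 must also be here so a locked-out user is refused.
account     required      pam_tally2.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

# password stack: pam_pwhistory runs before pam_unix so the candidate password
# is compared against the last remember=N entries before it is committed;
# use_authtok makes it reuse the token already collected by pam_cracklib.
password    requisite     pam_cracklib.so try_first_pass retry=3
password    required      pam_pwhistory.so remember=5 use_authtok
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
```

Note that pam_faildelay sets the delay for the whole stack, so it takes effect on failure wherever it is placed, but listing it before any requisite module guarantees it is always reached.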

Users are advised to upgrade to these updated pam packages, which resolve
these issues and add these enhancements.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
pam-0.99.6.2-6.el5.src.rpm     ea522e94b65a2d942a6c2470d7ad9c55
 
IA-32:
pam-devel-0.99.6.2-6.el5.i386.rpm     5eeeeed6ef03d51a8f0431f71ce97978
 
x86_64:
pam-devel-0.99.6.2-6.el5.i386.rpm     5eeeeed6ef03d51a8f0431f71ce97978
pam-devel-0.99.6.2-6.el5.x86_64.rpm     fe88e559130abbb8f0eed1fec70d4332
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
pam-0.99.6.2-6.el5.src.rpm     ea522e94b65a2d942a6c2470d7ad9c55
 
IA-32:
pam-0.99.6.2-6.el5.i386.rpm     ee8f976040945ccec59a0247f4776db7
pam-devel-0.99.6.2-6.el5.i386.rpm     5eeeeed6ef03d51a8f0431f71ce97978
 
IA-64:
pam-0.99.6.2-6.el5.i386.rpm     ee8f976040945ccec59a0247f4776db7
pam-0.99.6.2-6.el5.ia64.rpm     5a7dd80c977b3d61554baad4e9e17a90
pam-devel-0.99.6.2-6.el5.ia64.rpm     79f15c3ea458886cca51e0b91ef140de
 
PPC:
pam-0.99.6.2-6.el5.ppc.rpm     316b973b568e77309131d3457c0db0b2
pam-0.99.6.2-6.el5.ppc64.rpm     96915a73089eca93e13d9d587e33b829
pam-devel-0.99.6.2-6.el5.ppc.rpm     182f939117adaa9cbfffef61a29edcfc
pam-devel-0.99.6.2-6.el5.ppc64.rpm     b3d442b0c5810735b31404ebe45f2ca1
 
s390x:
pam-0.99.6.2-6.el5.s390.rpm     f81160b5a4d7532f77b7d0604287e48a
pam-0.99.6.2-6.el5.s390x.rpm     ac4de4b22a454af66ad1df4f48a83837
pam-devel-0.99.6.2-6.el5.s390.rpm     0ce663f685162ac22e365c6879ef270a
pam-devel-0.99.6.2-6.el5.s390x.rpm     4d16b0355a3e70528b281517cc630f8e
 
x86_64:
pam-0.99.6.2-6.el5.i386.rpm     ee8f976040945ccec59a0247f4776db7
pam-0.99.6.2-6.el5.x86_64.rpm     75206ee538173542d0a3d35f6aecc26b
pam-devel-0.99.6.2-6.el5.i386.rpm     5eeeeed6ef03d51a8f0431f71ce97978
pam-devel-0.99.6.2-6.el5.x86_64.rpm     fe88e559130abbb8f0eed1fec70d4332
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
pam-0.99.6.2-6.el5.src.rpm     ea522e94b65a2d942a6c2470d7ad9c55
 
IA-32:
pam-0.99.6.2-6.el5.i386.rpm     ee8f976040945ccec59a0247f4776db7
 
x86_64:
pam-0.99.6.2-6.el5.i386.rpm     ee8f976040945ccec59a0247f4776db7
pam-0.99.6.2-6.el5.x86_64.rpm     75206ee538173542d0a3d35f6aecc26b
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

429169 - pam_tally2 in system-auth prevents gnome-screensaver from unlocking
455217 - pam_tally2 race when authenticating more than once at the same time.
459057 - Use of pam_access in WBEM causes DNS-related slowdowns
462647 - Fix dereferencing type-punned pointer will break strict-aliasing rules in pam build
473970 - pam_filter does not work in Red Hat EL5
476217 - pam's login fail delay needs to be adjustable
476833 - "su" segfaults when "open_only" is used with "pam_tty_audit" in system-auth
476904 - selinux prevents smbpasswd from changing non-root's password when unix passwd sync is on
497570 - %post dependencies sometimes not resolved correctly


Keywords

access, aliasing, delay, DNS, filter, lock, pty, screensaver, segfault, tally, uid


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/