Bug 1217183 - AUDIT-WHITELIST: pam_kwallet6: new revision of PAM module pam_kwallet6
Summary: AUDIT-WHITELIST: pam_kwallet6: new revision of PAM module pam_kwallet6
Status: RESOLVED FIXED
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Audits (show other bugs)
Version: unspecified
Hardware: Other Other
Priority: P5 - None Severity: Normal
Target Milestone: ---
Assignee: Matthias Gerstner
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 1217076
 
Reported: 2023-11-15 13:02 UTC by Matthias Gerstner
Modified: 2024-02-21 14:46 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Matthias Gerstner 2023-11-15 13:02:47 UTC
+++ This bug was initially created as a clone of Bug #1217076

In KDE6 the kwallet PAM module has been renamed. Package is found in

KDE:Unstable:Frameworks/pam_kwallet6

pam_kwallet6.x86_64: E: pam-file-unauthorized (Badness: 10) /usr/lib64/security/pam_kwallet5.so
Comment 1 Matthias Gerstner 2023-11-24 09:04:16 UTC
I will look into it.
Comment 2 Matthias Gerstner 2023-11-28 09:05:13 UTC
I am through with the review. The codebase for this PAM module can surely use
a lot of love to make it clean and proper. Security-wise no show-stoppers are
found in there, although there is a TOCTOU issue regarding the use of the
XDG_RUNTIME_DIR directory. It seems like this cannot be usefully exploited
though.

To improve readability and handling I share my review findings in a GitHub PR
here:

    https://github.com/mgerstner/reviews/pull/1/commits/2aff49872fbb42b4187560cd034bd225bda45636

Maybe someone upstream can be found to address at least the more problematic
issues like the missing free() or the missing rename from kwallet5 to kwallet6.
Otherwise there's quite a lot of inconsistency, redundancy and incompleteness
found in this small piece of code.

It would be a good candidate for a major refactoring or a rewrite in C++ (why
wasn't C++ used here anyway since all the rest of KDE uses it?).

The upstream commit I reviewed here is c0b0ce0. Once the KDE6 release is
drawing near I will do a short follow-up review of any additional changes and
whitelist the package.
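Added example, not code from kwallet-pam or from the review linked above: the general check-then-use (TOCTOU) pattern on a per-user runtime directory such as XDG_RUNTIME_DIR, next to the fd-based variant that removes the race. The directory path and the "owned by the user, mode 0700" rule are assumptions for illustration.

```c
/* Added example, not kwallet-pam code: check-then-use (TOCTOU) on a per-user
 * runtime directory vs. the fd-based variant. Path and mode rule are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy: checked by name, then opened by name; the path may be swapped
 * (e.g. for a symlink) between the two calls. Shown only for contrast. */
static int runtime_dir_racy(const char *dir, uid_t owner)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != owner)
        return -1;
    return open(dir, O_RDONLY | O_DIRECTORY); /* second lookup of the name */
}

/* Safe: open once (no symlink at the final component), then verify the object
 * actually held via fstat(); later operations use the fd, not the path. */
static int runtime_dir_safe(const char *dir, uid_t owner)
{
    int fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != owner
        || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) { /* group/other must be 0 */
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Create a fresh file relative to the verified directory; O_EXCL|O_NOFOLLOW
 * refuse a pre-planted file or link of the same name. */
static int create_in_runtime_dir(int dirfd, const char *name)
{
    int flags = O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC;
    return openat(dirfd, name, flags, 0600);
}
```

Once the directory fd is in hand, the module should never re-resolve the path string; anything it creates or checks inside goes through openat()/fstatat() on that fd.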
Comment 3 Christophe Marin 2023-12-05 15:27:54 UTC
https://invent.kde.org/plasma/kwallet-pam/-/issues/2
Comment 4 Matthias Gerstner 2024-02-13 14:30:56 UTC
The package to be submitted is now found in KDE:Frameworks/pam_kwallet6. It is
version 5.93.0. It contains no relevant changes since I performed the review.
I will start the whitelisting process.
Comment 6 Matthias Gerstner 2024-02-21 14:46:39 UTC
The whitelisting is in Factory now. Closing as fixed.