oath-toolkit: Update to version 2.6.12

- Update from version 2.6.11 to 2.6.12
- Update of rootfile not required
- Changelog
    2.6.12
	** pam_oath: Drop privs when ${HOME} is used in the usersfile= setting.
	   Reported by Fabian Vogt (SUSE), and associated with CVE-2024-47191.
	   See <https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/43>.
	   Security bug triggered by new feature in pam_oath v2.6.7 released on
	   2021-05-01 with the USER/HOME placeholder strings, see
	   <https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/12>.
	   Quoting a writeup in an alternate patch by Matthias Gerstner (SUSE):
	   With the addition of the possibility to place a usersfile also into a
	   user's home directory via variable expansion of ${HOME} and ${USER} in
	   the `usersfile=` path specification, security issues sneaked in.  The
	   PAM process usually runs with root privileges.  The file operations in
	   an unprivileged user's home directory follow symlinks both when
	   reading and creating files, allowing for a potential local root
	   exploit, because of the `fchown()` performed on the newly created
	   usersfile.
	   We drop privileges to the user that is being logged into, assuming it
	   has the necessary permissions for the usersfile belonging in their
	   home directory.  This restricts the ability for non-root users to
	   affect files beyond their control via liboath.
	** liboath: Don't follow symbolic links for usersfile updates.
	   Reported by Fabian Vogt (SUSE), and associated with CVE-2024-47191.
	   See <https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/43>.
	   Security bug triggered by new feature in pam_oath v2.6.7 released on
	   2021-05-01 with the USER/HOME placeholder strings, see
	   <https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/12>.
	   The fix is to open files for writing in exclusive mode (i.e., fail if
	   the file exists including if it is a symbolic link).
	   We offer a brief self-test to reproduce the problem in
	   liboath/tests/tst_fopen-wx.c which you may use as follows:
		   cc -o tst_fopen-wx tst_fopen-wx.c $(pkg-config --libs --cflags liboath)
		   rm -f cve.oath cve.oath.new cve.sshd-config cve.oath.lock
		   printf 'HOTP/E/8\tsilver\t4711\t3132333435363738393031323334353637383930313233343536373839303132\n' > cve.oath
		   echo my-magic-cookie > cve.sshd-config
		   ln -s cve.sshd-config cve.oath.new
		   ./tst_fopen-wx cve.oath silver 670691 4711
	   If this is linked with a vulnerable liboath it will print:
		   FAIL: Liboath VULNERABLE to fopen(wx) bug.
	   If you link it to a fixed liboath it will print:
		   PASS: Your liboath is NOT VULNERABLE to fopen(wx) bug.
	   For convenience, the liboath/tests/tst_fopen-wx.sh script can be used
	   to setup and invoke tst_fopen-wx.
	** We publish a minimal source-only tarball generated by 'git archive'.
	   This tarball only contains the files stored in version controlled
	   sources, and no auxilliary files.  The source-only tarball may be
	   reproduced on a Trisquel 11 platform using Git at (or near) version
	   2.46 from Guix.  If something results in the 'git archive' format
	   changing again, the tarball can only be reproduced using an earlier
	   system.  The git version in AlmaLinux 8, AlmaLinux 9, RockyLinux 8 and
	   RockyLinux 9 should all produce the same identical 'git archive'
	   tarball.  The git version used on Debian 11, PureOS 10, Trisquel 11
	   and Ubuntu 22.04 should all produce an identical tarball.  These two
	   'git archive' outputs are not the same, due to how Git works.
	** oathtool: Fix test suite on 32-bit big-endian platforms.  Fixes: #44.
	   Patch by Helge Deller and thanks to Jan Zerebecki.  See
	   <https://lists.nongnu.org/archive/html/oath-toolkit-help/2024-04/msg00000.html>
	   and <https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/44>.
	** libpskc: Don't call deprecated xmlMemoryDump.
	** libpskc: fix implicit declaration with musl.
	   See <https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/39>.
	** libpskc: Fix linker warning when linked with mold.
	   Thanks to Jan Palus, see
	   <https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/30> and
	   <https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/36> for
	   regression testing.
	** Various build fixes including updated gnulib files.
	   Fixes Windows tzset build errors, among other things.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

diff --git a/lfs/oath-toolkit b/lfs/oath-toolkit
index c71399985b438040b759f38fd9d3980e959d5e7d..c031f97d1d04af010887f5409b1dbc8c4563a421 100644 (file)
--- a/lfs/oath-toolkit
+++ b/lfs/oath-toolkit
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 2.6.11
+VER        = 2.6.12
 
 THISAPP    = oath-toolkit-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = f3fa3ab1818f4f9bbf7c8c88432cd3432fbfb30dfcc660ab85f07e2d3d7e1616fc24579900bc55bbf72fb81b2eac4a6591553968872f07d8b3955ce4e6495afd
+$(DL_FILE)_BLAKE2 = 8bd184fa7166bc35af3bd632d0dd24ae00480f78a850e2ed4f058ec22711852757f01623ede16c8990daa366752578430be7c93a27d87c8ae92faf9a3aade1a1
 
 install : $(TARGET)