/[packages]/cauldron/pam/current/SOURCES/pam-1.1.8-cve-2014-2583.patch
ViewVC logotype

Annotation of /cauldron/pam/current/SOURCES/pam-1.1.8-cve-2014-2583.patch

Parent Directory Parent Directory | Revision Log Revision Log

Revision 650771 - (hide annotations) (download)
Tue Jul 8 19:34:02 2014 UTC (9 years, 5 months ago) by luigiwalser
File size: 1847 byte(s) 
- add patches from fedora to fix CVE-2013-7041 and CVE-2014-2583
- update pam-redhat tarball to 0.99.11 (from fedora)
- rename 90-nproc.conf to 20-nproc.conf (from fedora)
- remove patches 7 and 11 (from fedora)
1 luigiwalser 650771 From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
2     From: "Dmitry V. Levin" <ldv@altlinux.org>
3     Date: Wed, 26 Mar 2014 22:17:23 +0000
4     Subject: [PATCH] pam_timestamp: fix potential directory traversal issue
5     (ticket #27)
6    
7     pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
8     the timestamp pathname it creates, so extra care should be taken to
9     avoid potential directory traversal issues.
10    
11     * modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
12     "." and ".." tty values as invalid.
13     (get_ruser): Treat "." and ".." ruser values, as well as any ruser
14     value containing '/', as invalid.
15    
16     Fixes CVE-2014-2583.
17    
18     Reported-by: Sebastian Krahmer <krahmer@suse.de>
19     ---
20     modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++-
21     1 file changed, 12 insertions(+), 1 deletion(-)
22    
23     diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
24     index 5193733..b3f08b1 100644
25     --- a/modules/pam_timestamp/pam_timestamp.c
26     +++ b/modules/pam_timestamp/pam_timestamp.c
27     @@ -158,7 +158,7 @@ check_tty(const char *tty)
28     tty = strrchr(tty, '/') + 1;
29     }
30     /* Make sure the tty wasn't actually a directory (no basename). */
31     - if (strlen(tty) == 0) {
32     + if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
33     return NULL;
34     }
35     return tty;
36     @@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
37     if (pwd != NULL) {
38     ruser = pwd->pw_name;
39     }
40     + } else {
41     + /*
42     + * This ruser is used by format_timestamp_name as a component
43     + * of constructed timestamp pathname, so ".", "..", and '/'
44     + * are disallowed to avoid potential path traversal issues.
45     + */
46     + if (!strcmp(ruser, ".") ||
47     + !strcmp(ruser, "..") ||
48     + strchr(ruser, '/')) {
49     + ruser = NULL;
50     + }
51     }
52     if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
53     *ruserbuf = '\0';
54     --
55     1.8.3.1
56    
  ViewVC Help
Powered by ViewVC 1.1.28