/[packages]/cauldron/pam/current/SOURCES/pam-1.1.8-cve-2014-2583.patch
ViewVC logotype

Contents of /cauldron/pam/current/SOURCES/pam-1.1.8-cve-2014-2583.patch

Parent Directory Parent Directory | Revision Log Revision Log


Revision 650771 - (show annotations) (download)
Tue Jul 8 19:34:02 2014 UTC (9 years, 8 months ago) by luigiwalser
File size: 1847 byte(s)
- add patches from fedora to fix CVE-2013-7041 and CVE-2014-2583
- update pam-redhat tarball to 0.99.11 (from fedora)
- rename 90-nproc.conf to 20-nproc.conf (from fedora)
- remove patches 7 and 11 (from fedora)

1 From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
2 From: "Dmitry V. Levin" <ldv@altlinux.org>
3 Date: Wed, 26 Mar 2014 22:17:23 +0000
4 Subject: [PATCH] pam_timestamp: fix potential directory traversal issue
5 (ticket #27)
6
7 pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
8 the timestamp pathname it creates, so extra care should be taken to
9 avoid potential directory traversal issues.
10
11 * modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
12 "." and ".." tty values as invalid.
13 (get_ruser): Treat "." and ".." ruser values, as well as any ruser
14 value containing '/', as invalid.
15
16 Fixes CVE-2014-2583.
17
18 Reported-by: Sebastian Krahmer <krahmer@suse.de>
19 ---
20 modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++-
21 1 file changed, 12 insertions(+), 1 deletion(-)
22
23 diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
24 index 5193733..b3f08b1 100644
25 --- a/modules/pam_timestamp/pam_timestamp.c
26 +++ b/modules/pam_timestamp/pam_timestamp.c
27 @@ -158,7 +158,7 @@ check_tty(const char *tty)
28 tty = strrchr(tty, '/') + 1;
29 }
30 /* Make sure the tty wasn't actually a directory (no basename). */
31 - if (strlen(tty) == 0) {
32 + if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
33 return NULL;
34 }
35 return tty;
36 @@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
37 if (pwd != NULL) {
38 ruser = pwd->pw_name;
39 }
40 + } else {
41 + /*
42 + * This ruser is used by format_timestamp_name as a component
43 + * of constructed timestamp pathname, so ".", "..", and '/'
44 + * are disallowed to avoid potential path traversal issues.
45 + */
46 + if (!strcmp(ruser, ".") ||
47 + !strcmp(ruser, "..") ||
48 + strchr(ruser, '/')) {
49 + ruser = NULL;
50 + }
51 }
52 if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
53 *ruserbuf = '\0';
54 --
55 1.8.3.1
56

  ViewVC Help
Powered by ViewVC 1.1.30