libpam: Applied fix for CVE-2014-2583
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This commit is contained in:
Nikos Mavrogiannopoulos
parent
85c31a6ca5
commit
0a232ca6c6
|
|
@ -9,10 +9,10 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=libpam
|
||||
PKG_VERSION:=1.1.8
|
||||
PKG_RELEASE:=3
|
||||
PKG_RELEASE:=4
|
||||
|
||||
PKG_SOURCE:=Linux-PAM-$(PKG_VERSION).tar.bz2
|
||||
PKG_SOURCE_URL:=http://www.linux-pam.org/library/
|
||||
PKG_SOURCE_URL:=http://www.linux-pam.org/
|
||||
PKG_MD5SUM:=35b6091af95981b1b2cd60d813b5e4ee
|
||||
PKG_INSTALL:=1
|
||||
PKG_FIXUP:=autoreconf
|
||||
|
|
|
|||
|
|
@ -0,0 +1,52 @@
|
|||
From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
|
||||
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
||||
Date: Wed, 26 Mar 2014 22:17:23 +0000
|
||||
Subject: pam_timestamp: fix potential directory traversal issue (ticket #27)
|
||||
|
||||
pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
|
||||
the timestamp pathname it creates, so extra care should be taken to
|
||||
avoid potential directory traversal issues.
|
||||
|
||||
* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
|
||||
"." and ".." tty values as invalid.
|
||||
(get_ruser): Treat "." and ".." ruser values, as well as any ruser
|
||||
value containing '/', as invalid.
|
||||
|
||||
Fixes CVE-2014-2583.
|
||||
|
||||
Reported-by: Sebastian Krahmer <krahmer@suse.de>
|
||||
|
||||
diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
|
||||
index 5193733..b3f08b1 100644
|
||||
--- a/modules/pam_timestamp/pam_timestamp.c
|
||||
+++ b/modules/pam_timestamp/pam_timestamp.c
|
||||
@@ -158,7 +158,7 @@ check_tty(const char *tty)
|
||||
tty = strrchr(tty, '/') + 1;
|
||||
}
|
||||
/* Make sure the tty wasn't actually a directory (no basename). */
|
||||
- if (strlen(tty) == 0) {
|
||||
+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
|
||||
return NULL;
|
||||
}
|
||||
return tty;
|
||||
@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
|
||||
if (pwd != NULL) {
|
||||
ruser = pwd->pw_name;
|
||||
}
|
||||
+ } else {
|
||||
+ /*
|
||||
+ * This ruser is used by format_timestamp_name as a component
|
||||
+ * of constructed timestamp pathname, so ".", "..", and '/'
|
||||
+ * are disallowed to avoid potential path traversal issues.
|
||||
+ */
|
||||
+ if (!strcmp(ruser, ".") ||
|
||||
+ !strcmp(ruser, "..") ||
|
||||
+ strchr(ruser, '/')) {
|
||||
+ ruser = NULL;
|
||||
+ }
|
||||
}
|
||||
if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
|
||||
*ruserbuf = '\0';
|
||||
--
|
||||
cgit v0.10.2
|
||||
|
||||
Loading…
Reference in New Issue