027754f831
- Add patch 0003-pam_oath-assign-safe-default-to-alwaysok-config-memb.patch: - fix potential security issue in low memory situation (bsc#1089114) OBS-URL: https://build.opensuse.org/request/show/621183 OBS-URL: https://build.opensuse.org/package/show/security/oath-toolkit?expand=0&rev=21
33 lines
1.0 KiB
Diff
33 lines
1.0 KiB
Diff
From 70722be5a76d28df8ebbf8a706c6346c57cebb62 Mon Sep 17 00:00:00 2001
|
|
From: Matthias Gerstner <matthias.gerstner@suse.de>
|
|
Date: Thu, 5 Jul 2018 18:39:48 +0200
|
|
Subject: [PATCH] pam_oath: assign safe default to alwaysok config member
|
|
|
|
The way this was before allowed for the PAM authentication to
|
|
potentially succeed when the first `goto done` line is hit. If the
|
|
undefined data behind alwaysok is non-zero (which is quite probable)
|
|
this would happen.
|
|
|
|
In theory a local attacker could try to exhaust memory just enough to
|
|
hit this spot and get e.g. root access.
|
|
---
|
|
pam_oath/pam_oath.c | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c
|
|
index 57fd33c..cfc3331 100644
|
|
--- a/pam_oath/pam_oath.c
|
|
+++ b/pam_oath/pam_oath.c
|
|
@@ -146,6 +146,8 @@ pam_sm_authenticate (pam_handle_t * pamh,
|
|
char *query_prompt = NULL;
|
|
char *onlypasswd = strdup (""); /* empty passwords never match */
|
|
|
|
+ cfg.alwaysok = false; /* make sure this gets a safe default */
|
|
+
|
|
if (!onlypasswd)
|
|
{
|
|
retval = PAM_BUF_ERR;
|
|
--
|
|
2.16.4
|
|
|