SHA256
1
0
forked from pool/pam

- pam_tally2: remove invalid options from manpage (bnc#726071)

- fix possible overflow and DOS in pam_env (bnc#724480)
  CVE-2011-3148, CVE-2011-3149

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=83
This commit is contained in:
Michael Calmer 2011-10-25 12:29:41 +00:00 committed by Git OBS Bridge
parent a9c0827316
commit 28de8ae255
5 changed files with 131 additions and 1 deletions

View File

@ -0,0 +1,33 @@
Description: abort when encountering an overflowed environment variable
expansion (CVE-2011-3149).
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565
Author: Kees Cook <kees@debian.org>
Index: Linux-PAM-1.1.4/modules/pam_env/pam_env.c
===================================================================
--- Linux-PAM-1.1.4.orig/modules/pam_env/pam_env.c
+++ Linux-PAM-1.1.4/modules/pam_env/pam_env.c
@@ -570,6 +570,7 @@ static int _expand_arg(pam_handle_t *pam
D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>",
tmp, tmpptr);
+ return PAM_ABORT;
}
continue;
}
@@ -631,6 +632,7 @@ static int _expand_arg(pam_handle_t *pam
D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
pam_syslog (pamh, LOG_ERR,
"Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
+ return PAM_ABORT;
}
}
} /* if ('{' != *orig++) */
@@ -642,6 +644,7 @@ static int _expand_arg(pam_handle_t *pam
D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
pam_syslog(pamh, LOG_ERR,
"Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
+ return PAM_ABORT;
}
}
} /* for (;*orig;) */

View File

@ -0,0 +1,29 @@
Description: correctly count leading whitespace when parsing environment
file (CVE-2011-3148).
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469
Author: Kees Cook <kees@debian.org>
Index: Linux-PAM-1.1.4/modules/pam_env/pam_env.c
===================================================================
--- Linux-PAM-1.1.4.orig/modules/pam_env/pam_env.c
+++ Linux-PAM-1.1.4/modules/pam_env/pam_env.c
@@ -290,6 +290,7 @@ static int _assemble_line(FILE *f, char
char *p = buffer;
char *s, *os;
int used = 0;
+ int whitespace;
/* loop broken with a 'break' when a non-'\\n' ended line is read */
@@ -312,8 +313,10 @@ static int _assemble_line(FILE *f, char
/* skip leading spaces --- line may be blank */
- s = p + strspn(p, " \n\t");
+ whitespace = strspn(p, " \n\t");
+ s = p + whitespace;
if (*s && (*s != '#')) {
+ used += whitespace;
os = s;
/*

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Tue Oct 25 14:24:27 CEST 2011 - mc@suse.de
- pam_tally2: remove invalid options from manpage (bnc#726071)
- fix possible overflow and DOS in pam_env (bnc#724480)
CVE-2011-3148, CVE-2011-3149
-------------------------------------------------------------------
Mon Jun 27 15:29:11 CEST 2011 - kukuk@suse.de

View File

@ -39,7 +39,7 @@ Obsoletes: pam-64bit
%endif
#
Version: 1.1.4
Release: 7
Release: 1
Summary: A Security Tool that Provides Authentication for Applications
Source: Linux-PAM-%{version}.tar.bz2
Source1: Linux-PAM-%{version}-docs.tar.bz2
@ -52,6 +52,9 @@ Source7: common-session.pamd
Source8: etc.environment
Source9: baselibs.conf
Patch0: pam_tally-deprecated.diff
Patch1: bug-724480_pam_env-fix-overflow.patch
Patch2: bug-724480_pam_env-fix-dos.patch
Patch3: pam_tally2-man.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@ -101,6 +104,9 @@ building both PAM-aware applications and modules for use with PAM.
%prep
%setup -q -n Linux-PAM-%{version} -b 1
%patch0 -p0
%patch1 -p1
%patch2 -p1
%patch3 -p1
%build
CFLAGS="$RPM_OPT_FLAGS -DNDEBUG" \

55
pam_tally2-man.dif Normal file
View File

@ -0,0 +1,55 @@
Index: Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8
===================================================================
--- Linux-PAM-1.1.4.orig/modules/pam_tally2/pam_tally2.8
+++ Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8
@@ -269,13 +269,6 @@ If the module is invoked by a user with
\fBsu\fR, otherwise this argument should be omitted\&.
.RE
.PP
-\fBno_lock_time\fR
-.RS 4
-Do not use the \&.fail_locktime field in
-\FC/var/log/faillog\F[]
-for this user\&.
-.RE
-.PP
\fBeven_deny_root\fR
.RS 4
Root account can become unavailable\&.
Index: Linux-PAM-1.1.4/modules/pam_tally2/README
===================================================================
--- Linux-PAM-1.1.4.orig/modules/pam_tally2/README
+++ Linux-PAM-1.1.4/modules/pam_tally2/README
@@ -76,10 +76,6 @@ AUTH OPTIONS
incremented. The sysadmin should use this for user launched services,
like su, otherwise this argument should be omitted.
- no_lock_time
-
- Do not use the .fail_locktime field in /var/log/faillog for this user.
-
even_deny_root
Root account can become unavailable.
Index: Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8.xml
===================================================================
--- Linux-PAM-1.1.4.orig/modules/pam_tally2/pam_tally2.8.xml
+++ Linux-PAM-1.1.4/modules/pam_tally2/pam_tally2.8.xml
@@ -238,17 +238,6 @@
</varlistentry>
<varlistentry>
<term>
- <option>no_lock_time</option>
- </term>
- <listitem>
- <para>
- Do not use the .fail_locktime field in
- <filename>/var/log/faillog</filename> for this user.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
<option>even_deny_root</option>
</term>
<listitem>