pam/bug-724480_pam_env-fix-dos.patch

Description: abort when encountering an overflowed environment variable
 expansion (CVE-2011-3149).
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565
Author: Kees Cook <kees@debian.org>

Index: Linux-PAM-1.1.4/modules/pam_env/pam_env.c
===================================================================
--- Linux-PAM-1.1.4.orig/modules/pam_env/pam_env.c
+++ Linux-PAM-1.1.4/modules/pam_env/pam_env.c
@@ -570,6 +570,7 @@ static int _expand_arg(pam_handle_t *pam
 	D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
 	pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>",
 		 tmp, tmpptr);
+	return PAM_ABORT;
       }
       continue;
     }
@@ -631,6 +632,7 @@ static int _expand_arg(pam_handle_t *pam
 	    D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
 	    pam_syslog (pamh, LOG_ERR,
 			"Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
+	    return PAM_ABORT;
 	  }
 	}
       }           /* if ('{' != *orig++) */
@@ -642,6 +644,7 @@ static int _expand_arg(pam_handle_t *pam
 	D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
 	pam_syslog(pamh, LOG_ERR,
 		   "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
+	return PAM_ABORT;
       }
     }
   }              /* for (;*orig;) */
- pam_tally2: remove invalid options from manpage (bnc#726071) - fix possible overflow and DOS in pam_env (bnc#724480) CVE-2011-3148, CVE-2011-3149 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=83 2011-10-25 14:29:41 +02:00			`Description: abort when encountering an overflowed environment variable`
			`expansion (CVE-2011-3149).`
			`Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565`
			`Author: Kees Cook <kees@debian.org>`

			`Index: Linux-PAM-1.1.4/modules/pam_env/pam_env.c`
			`===================================================================`
			`--- Linux-PAM-1.1.4.orig/modules/pam_env/pam_env.c`
			`+++ Linux-PAM-1.1.4/modules/pam_env/pam_env.c`
			`@@ -570,6 +570,7 @@ static int _expand_arg(pam_handle_t *pam`
			`D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));`
			`pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>",`
			`tmp, tmpptr);`
			`+ return PAM_ABORT;`
			`}`
			`continue;`
			`}`
			`@@ -631,6 +632,7 @@ static int _expand_arg(pam_handle_t *pam`
			`D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));`
			`pam_syslog (pamh, LOG_ERR,`
			`"Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);`
			`+ return PAM_ABORT;`
			`}`
			`}`
			`} /* if ('{' != orig++) /`
			`@@ -642,6 +644,7 @@ static int _expand_arg(pam_handle_t *pam`
			`D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));`
			`pam_syslog(pamh, LOG_ERR,`
			`"Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);`
			`+ return PAM_ABORT;`
			`}`
			`}`
			`} /* for (;orig;) /`