rpms / pam

Clone
Source Code
GIT

Blame SOURCES/pam-1.1.8-cve-2014-2583.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   c22a38cf307ce0a39feadc88f74590c68fbcdfac
  2.   SOURCES
  3.   pam-1.1.8-cve-2014-2583.patch
Blob History Raw
c22a38 
From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
c22a38 
From: "Dmitry V. Levin" <ldv@altlinux.org>
c22a38 
Date: Wed, 26 Mar 2014 22:17:23 +0000
c22a38 
Subject: [PATCH] pam_timestamp: fix potential directory traversal issue
c22a38 
 (ticket #27)
c22a38
c22a38 
pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
c22a38 
the timestamp pathname it creates, so extra care should be taken to
c22a38 
avoid potential directory traversal issues.
c22a38
c22a38 
* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
c22a38 
"." and ".." tty values as invalid.
c22a38 
(get_ruser): Treat "." and ".." ruser values, as well as any ruser
c22a38 
value containing '/', as invalid.
c22a38
c22a38 
Fixes CVE-2014-2583.
c22a38
c22a38 
Reported-by: Sebastian Krahmer <krahmer@suse.de>
c22a38 
---
c22a38 
 modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++-
c22a38 
 1 file changed, 12 insertions(+), 1 deletion(-)
c22a38
c22a38 
diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
c22a38 
index 5193733..b3f08b1 100644
c22a38 
--- a/modules/pam_timestamp/pam_timestamp.c
c22a38 
+++ b/modules/pam_timestamp/pam_timestamp.c
c22a38 
@@ -158,7 +158,7 @@ check_tty(const char *tty)
c22a38 
 		tty = strrchr(tty, '/') + 1;
c22a38 
 	}
c22a38 
 	/* Make sure the tty wasn't actually a directory (no basename). */
c22a38 
-	if (strlen(tty) == 0) {
c22a38 
+	if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
c22a38 
 		return NULL;
c22a38 
 	}
c22a38 
 	return tty;
c22a38 
@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
c22a38 
 		if (pwd != NULL) {
c22a38 
 			ruser = pwd->pw_name;
c22a38 
 		}
c22a38 
+	} else {
c22a38 
+		/*
c22a38 
+		 * This ruser is used by format_timestamp_name as a component
c22a38 
+		 * of constructed timestamp pathname, so ".", "..", and '/'
c22a38 
+		 * are disallowed to avoid potential path traversal issues.
c22a38 
+		 */
c22a38 
+		if (!strcmp(ruser, ".") ||
c22a38 
+		    !strcmp(ruser, "..") ||
c22a38 
+		    strchr(ruser, '/')) {
c22a38 
+			ruser = NULL;
c22a38 
+		}
c22a38 
 	}
c22a38 
 	if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
c22a38 
 		*ruserbuf = '\0';
c22a38 
--
c22a38 
1.8.3.1
c22a38

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation