diff --git a/SOURCES/pam-1.1.8-cve-2015-3238.patch b/SOURCES/pam-1.1.8-cve-2015-3238.patch
new file mode 100644
index 0000000..24179d6
--- /dev/null
+++ b/SOURCES/pam-1.1.8-cve-2015-3238.patch
@@ -0,0 +1,130 @@
+diff -up linux-pam/modules/pam_exec/pam_exec.c.password-limit linux-pam/modules/pam_exec/pam_exec.c
+--- linux-pam/modules/pam_exec/pam_exec.c.password-limit 2014-08-26 14:02:19.000000000 +0200
++++ linux-pam/modules/pam_exec/pam_exec.c 2015-06-11 16:10:13.938035623 +0200
+@@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_han
+ }
+
+ pam_set_item (pamh, PAM_AUTHTOK, resp);
+- authtok = strdupa (resp);
++ authtok = strndupa (resp, PAM_MAX_RESP_SIZE);
+ _pam_drop (resp);
+ }
+ else
+- authtok = void_pass;
++ authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE);
+
+ if (pipe(fds) != 0)
+ {
+diff -up linux-pam/modules/pam_exec/pam_exec.8.xml.password-limit linux-pam/modules/pam_exec/pam_exec.8.xml
+--- linux-pam/modules/pam_exec/pam_exec.8.xml.password-limit 2013-09-11 13:59:00.072175034 +0200
++++ linux-pam/modules/pam_exec/pam_exec.8.xml 2015-06-11 16:09:06.446512718 +0200
+@@ -106,7 +106,8 @@
+ During authentication the calling command can read
+ the password from
+ stdin3
+- .
++ . Only first PAM_MAX_RESP_SIZE
++ bytes of a password are provided to the command.
+
+
+
+diff -up linux-pam/modules/pam_unix/pam_unix_passwd.c.password-limit linux-pam/modules/pam_unix/pam_unix_passwd.c
+--- linux-pam/modules/pam_unix/pam_unix_passwd.c.password-limit 2014-06-19 13:50:08.000000000 +0200
++++ linux-pam/modules/pam_unix/pam_unix_passwd.c 2015-06-11 16:34:02.226260435 +0200
+@@ -240,15 +240,22 @@ static int _unix_run_update_binary(pam_h
+ /* wait for child */
+ /* if the stored password is NULL */
+ int rc=0;
+- if (fromwhat)
+- pam_modutil_write(fds[1], fromwhat, strlen(fromwhat)+1);
+- else
+- pam_modutil_write(fds[1], "", 1);
+- if (towhat) {
+- pam_modutil_write(fds[1], towhat, strlen(towhat)+1);
++ if (fromwhat) {
++ int len = strlen(fromwhat);
++
++ if (len > PAM_MAX_RESP_SIZE)
++ len = PAM_MAX_RESP_SIZE;
++ pam_modutil_write(fds[1], fromwhat, len);
+ }
+- else
+- pam_modutil_write(fds[1], "", 1);
++ pam_modutil_write(fds[1], "", 1);
++ if (towhat) {
++ int len = strlen(towhat);
++
++ if (len > PAM_MAX_RESP_SIZE)
++ len = PAM_MAX_RESP_SIZE;
++ pam_modutil_write(fds[1], towhat, len);
++ }
++ pam_modutil_write(fds[1], "", 1);
+
+ close(fds[0]); /* close here to avoid possible SIGPIPE above */
+ close(fds[1]);
+diff -up linux-pam/modules/pam_unix/pam_unix.8.xml.password-limit linux-pam/modules/pam_unix/pam_unix.8.xml
+--- linux-pam/modules/pam_unix/pam_unix.8.xml.password-limit 2015-06-11 15:46:55.000000000 +0200
++++ linux-pam/modules/pam_unix/pam_unix.8.xml 2015-06-11 16:38:42.628587102 +0200
+@@ -80,6 +80,13 @@
+
+
+
++ The maximum length of a password supported by the pam_unix module
++ via the helper binary is PAM_MAX_RESP_SIZE
++ - currently 512 bytes. The rest of the password provided by the
++ conversation function to the module will be ignored.
++
++
++
+ The password component of this module performs the task of updating
+ the user's password. The default encryption hash is taken from the
+ ENCRYPT_METHOD variable from
+diff -up linux-pam/modules/pam_unix/passverify.c.password-limit linux-pam/modules/pam_unix/passverify.c
+--- linux-pam/modules/pam_unix/passverify.c.password-limit 2015-04-07 10:23:50.000000000 +0200
++++ linux-pam/modules/pam_unix/passverify.c 2015-06-15 10:53:32.903900010 +0200
+@@ -1115,12 +1115,15 @@ getuidname(uid_t uid)
+ int
+ read_passwords(int fd, int npass, char **passwords)
+ {
++ /* The passwords array must contain npass preallocated
++ * buffers of length MAXPASS + 1
++ */
+ int rbytes = 0;
+ int offset = 0;
+ int i = 0;
+ char *pptr;
+ while (npass > 0) {
+- rbytes = read(fd, passwords[i]+offset, MAXPASS-offset);
++ rbytes = read(fd, passwords[i]+offset, MAXPASS+1-offset);
+
+ if (rbytes < 0) {
+ if (errno == EINTR) continue;
+diff -up linux-pam/modules/pam_unix/passverify.h.password-limit linux-pam/modules/pam_unix/passverify.h
+--- linux-pam/modules/pam_unix/passverify.h.password-limit 2011-03-21 21:59:22.000000000 +0100
++++ linux-pam/modules/pam_unix/passverify.h 2015-06-11 16:26:27.184994387 +0200
+@@ -8,7 +8,7 @@
+
+ #define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT
+
+-#define MAXPASS 200 /* the maximum length of a password */
++#define MAXPASS PAM_MAX_RESP_SIZE /* the maximum length of a password */
+
+ #define OLD_PASSWORDS_FILE "/etc/security/opasswd"
+
+diff -up linux-pam/modules/pam_unix/support.c.password-limit linux-pam/modules/pam_unix/support.c
+--- linux-pam/modules/pam_unix/support.c.password-limit 2014-01-27 18:08:28.000000000 +0100
++++ linux-pam/modules/pam_unix/support.c 2015-06-11 16:30:35.452595477 +0200
+@@ -609,7 +609,12 @@ static int _unix_run_helper_binary(pam_h
+ /* if the stored password is NULL */
+ int rc=0;
+ if (passwd != NULL) { /* send the password to the child */
+- if (write(fds[1], passwd, strlen(passwd)+1) == -1) {
++ int len = strlen(passwd);
++
++ if (len > PAM_MAX_RESP_SIZE)
++ len = PAM_MAX_RESP_SIZE;
++ if (write(fds[1], passwd, 
len) == -1 || ++ write(fds[1], "", 1) == -1) { + pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m"); + retval = PAM_AUTH_ERR; + } diff --git a/SPECS/pam.spec b/SPECS/pam.spec index 58f87b8..f6f1c57 100644 --- a/SPECS/pam.spec +++ b/SPECS/pam.spec @@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.1.8 -Release: 12%{?dist} +Release: 12%{?dist}.1 # The library is BSD licensed with option to relicense as GPLv2+ # - this option is redundant as the BSD license allows that anyway. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. @@ -55,6 +55,7 @@ Patch40: pam-1.1.8-man-dbsuffix.patch Patch41: pam-1.1.8-limits-check-process.patch Patch42: pam-1.1.8-limits-docfix.patch Patch43: pam-1.1.8-audit-user-mgmt.patch +Patch44: pam-1.1.8-cve-2015-3238.patch %define _pamlibdir %{_libdir} %define _moduledir %{_libdir}/security @@ -143,6 +144,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules %patch41 -p1 -b .check-process %patch42 -p1 -b .docfix %patch43 -p1 -b .audit-user-mgmt +%patch44 -p1 -b .password-limit %build autoreconf -i @@ -391,6 +393,9 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Tue Aug 4 2015 Tomáš Mráz 1.1.8-12.1 +- fix CVE-2015-3238 - DoS due to blocking pipe with very long password + * Fri Oct 17 2014 Tomáš Mráz 1.1.8-12 - use USER_MGMT type for auditing in the pam_tally2 and faillock apps (#1151576)
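Review bot: In the pam_unix_passwd.c and support.c hunks of the added patch the length is declared as `int len = strlen(...)`, which narrows a size_t; for input longer than INT_MAX the value could turn negative, pass the `len > PAM_MAX_RESP_SIZE` test and reach the write call unclamped, so `size_t len = strlen(passwd);` (likewise for `fromwhat` and `towhat`) is the safer declaration. The pam_unix_passwd.c hunk also still discards every `pam_modutil_write` result, while the support.c hunk checks both `write` calls and sets `retval = PAM_AUTH_ERR`; checking the results in `_unix_run_update_binary` as well would keep the two helper paths consistent. In passverify.c the read size becomes `MAXPASS+1-offset`, which is only safe if every caller's buffers really are MAXPASS + 1 bytes as the new comment requires; the callers are not shown in this patch, so that needs confirming. `_unix_run_update_binary`, `read_passwords` and `_unix_run_helper_binary` all begin or end outside their hunks.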