pam: 1.1.8 -> 1.2.0
This commit is contained in:
William A. Kennington III
parent
df3d2010ae
commit
5a117814b8
|
|
@ -1,49 +0,0 @@
|
|||
From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
|
||||
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
||||
Date: Wed, 26 Mar 2014 22:17:23 +0000
|
||||
Subject: pam_timestamp: fix potential directory traversal issue (ticket #27)
|
||||
|
||||
pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
|
||||
the timestamp pathname it creates, so extra care should be taken to
|
||||
avoid potential directory traversal issues.
|
||||
|
||||
* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
|
||||
"." and ".." tty values as invalid.
|
||||
(get_ruser): Treat "." and ".." ruser values, as well as any ruser
|
||||
value containing '/', as invalid.
|
||||
|
||||
Fixes CVE-2014-2583.
|
||||
|
||||
Reported-by: Sebastian Krahmer <krahmer@suse.de>
|
||||
|
||||
diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
|
||||
index 5193733..b3f08b1 100644
|
||||
--- a/modules/pam_timestamp/pam_timestamp.c
|
||||
+++ b/modules/pam_timestamp/pam_timestamp.c
|
||||
@@ -158,7 +158,7 @@ check_tty(const char *tty)
|
||||
tty = strrchr(tty, '/') + 1;
|
||||
}
|
||||
/* Make sure the tty wasn't actually a directory (no basename). */
|
||||
- if (strlen(tty) == 0) {
|
||||
+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
|
||||
return NULL;
|
||||
}
|
||||
return tty;
|
||||
@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
|
||||
if (pwd != NULL) {
|
||||
ruser = pwd->pw_name;
|
||||
}
|
||||
+ } else {
|
||||
+ /*
|
||||
+ * This ruser is used by format_timestamp_name as a component
|
||||
+ * of constructed timestamp pathname, so ".", "..", and '/'
|
||||
+ * are disallowed to avoid potential path traversal issues.
|
||||
+ */
|
||||
+ if (!strcmp(ruser, ".") ||
|
||||
+ !strcmp(ruser, "..") ||
|
||||
+ strchr(ruser, '/')) {
|
||||
+ ruser = NULL;
|
||||
+ }
|
||||
}
|
||||
if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
|
||||
*ruserbuf = '\0';
|
||||
|
|
@ -1,15 +1,14 @@
|
|||
{ stdenv, fetchurl, flex, cracklib }:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
name = "linux-pam-1.1.8";
|
||||
name = "linux-pam-${version}";
|
||||
version = "1.2.0";
|
||||
|
||||
src = fetchurl {
|
||||
url = http://www.linux-pam.org/library/Linux-PAM-1.1.8.tar.bz2;
|
||||
sha256 = "0m8ygb40l1c13nsd4hkj1yh4p1ldawhhg8pyjqj9w5kd4cxg5cf4";
|
||||
url = "http://www.linux-pam.org/library/Linux-PAM-${version}.tar.bz2";
|
||||
sha256 = "192y2fgf24a5qsg7rl1mzgw5axs5lg8kqamkfff2x50yjv2ym2yd";
|
||||
};
|
||||
|
||||
patches = [ ./CVE-2014-2583.patch ];
|
||||
|
||||
nativeBuildInputs = [ flex ];
|
||||
|
||||
buildInputs = [ cracklib ];
|
||||
|
|
|
|||
Loading…
Reference in a new issue