Compare commits
3 Commits
Author | SHA1 | Date |
---|---|---|
Tomas Mraz | 58164a7568 | |
Tomas Mraz | 15be917e6c | |
Tomas Mraz | 4f5c509ee6 |
|
@ -0,0 +1,36 @@
|
|||
diff -up Linux-PAM-1.1.6/modules/pam_userdb/pam_userdb.c.case Linux-PAM-1.1.6/modules/pam_userdb/pam_userdb.c
|
||||
--- Linux-PAM-1.1.6/modules/pam_userdb/pam_userdb.c.case 2014-12-04 11:46:33.225540015 +0100
|
||||
+++ Linux-PAM-1.1.6/modules/pam_userdb/pam_userdb.c 2014-12-04 11:48:54.492734888 +0100
|
||||
@@ -214,24 +214,23 @@ user_lookup (pam_handle_t *pamh, const c
|
||||
/* crypt(3) password storage */
|
||||
|
||||
char *cryptpw;
|
||||
- char salt[2];
|
||||
|
||||
- if (data.dsize != 13) {
|
||||
+ if (data.dsize < 13) {
|
||||
compare = -2;
|
||||
} else if (ctrl & PAM_ICASE_ARG) {
|
||||
compare = -2;
|
||||
} else {
|
||||
- salt[0] = *data.dptr;
|
||||
- salt[1] = *(data.dptr + 1);
|
||||
+ cryptpw = crypt (pass, data.dptr);
|
||||
|
||||
- cryptpw = crypt (pass, salt);
|
||||
-
|
||||
- if (cryptpw) {
|
||||
- compare = strncasecmp (data.dptr, cryptpw, data.dsize);
|
||||
+ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
|
||||
+ compare = memcmp(data.dptr, cryptpw, data.dsize);
|
||||
} else {
|
||||
compare = -2;
|
||||
if (ctrl & PAM_DEBUG_ARG) {
|
||||
- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
|
||||
+ if (cryptpw)
|
||||
+ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
|
||||
+ else
|
||||
+ pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
|
||||
}
|
||||
};
|
||||
|
|
@ -0,0 +1,56 @@
|
|||
From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
|
||||
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
||||
Date: Wed, 26 Mar 2014 22:17:23 +0000
|
||||
Subject: [PATCH] pam_timestamp: fix potential directory traversal issue
|
||||
(ticket #27)
|
||||
|
||||
pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
|
||||
the timestamp pathname it creates, so extra care should be taken to
|
||||
avoid potential directory traversal issues.
|
||||
|
||||
* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
|
||||
"." and ".." tty values as invalid.
|
||||
(get_ruser): Treat "." and ".." ruser values, as well as any ruser
|
||||
value containing '/', as invalid.
|
||||
|
||||
Fixes CVE-2014-2583.
|
||||
|
||||
Reported-by: Sebastian Krahmer <krahmer@suse.de>
|
||||
---
|
||||
modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++-
|
||||
1 file changed, 12 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
|
||||
index 5193733..b3f08b1 100644
|
||||
--- a/modules/pam_timestamp/pam_timestamp.c
|
||||
+++ b/modules/pam_timestamp/pam_timestamp.c
|
||||
@@ -158,7 +158,7 @@ check_tty(const char *tty)
|
||||
tty = strrchr(tty, '/') + 1;
|
||||
}
|
||||
/* Make sure the tty wasn't actually a directory (no basename). */
|
||||
- if (strlen(tty) == 0) {
|
||||
+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
|
||||
return NULL;
|
||||
}
|
||||
return tty;
|
||||
@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
|
||||
if (pwd != NULL) {
|
||||
ruser = pwd->pw_name;
|
||||
}
|
||||
+ } else {
|
||||
+ /*
|
||||
+ * This ruser is used by format_timestamp_name as a component
|
||||
+ * of constructed timestamp pathname, so ".", "..", and '/'
|
||||
+ * are disallowed to avoid potential path traversal issues.
|
||||
+ */
|
||||
+ if (!strcmp(ruser, ".") ||
|
||||
+ !strcmp(ruser, "..") ||
|
||||
+ strchr(ruser, '/')) {
|
||||
+ ruser = NULL;
|
||||
+ }
|
||||
}
|
||||
if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
|
||||
*ruserbuf = '\0';
|
||||
--
|
||||
1.8.3.1
|
||||
|
|
@ -0,0 +1,50 @@
|
|||
diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
|
||||
index 836d713..c36628e 100644
|
||||
--- a/modules/pam_pwhistory/opasswd.c
|
||||
+++ b/modules/pam_pwhistory/opasswd.c
|
||||
@@ -82,10 +82,15 @@ parse_entry (char *line, opwd *data)
|
||||
{
|
||||
const char delimiters[] = ":";
|
||||
char *endptr;
|
||||
+ char *count;
|
||||
|
||||
data->user = strsep (&line, delimiters);
|
||||
data->uid = strsep (&line, delimiters);
|
||||
- data->count = strtol (strsep (&line, delimiters), &endptr, 10);
|
||||
+ count = strsep (&line, delimiters);
|
||||
+ if (data->user == NULL || data->uid == NULL || count == NULL)
|
||||
+ return 1;
|
||||
+
|
||||
+ data->count = strtol (count, &endptr, 10);
|
||||
if (endptr != NULL && *endptr != '\0')
|
||||
return 1;
|
||||
|
||||
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
|
||||
index 4840bb2..7f7bc49 100644
|
||||
--- a/modules/pam_unix/passverify.c
|
||||
+++ b/modules/pam_unix/passverify.c
|
||||
@@ -639,11 +639,23 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass,
|
||||
continue;
|
||||
buf[strlen(buf) - 1] = '\0';
|
||||
s_luser = strtok_r(buf, ":", &sptr);
|
||||
+ if (s_luser == NULL) {
|
||||
+ found = 0;
|
||||
+ continue;
|
||||
+ }
|
||||
s_uid = strtok_r(NULL, ":", &sptr);
|
||||
+ if (s_uid == NULL) {
|
||||
+ found = 0;
|
||||
+ continue;
|
||||
+ }
|
||||
s_npas = strtok_r(NULL, ":", &sptr);
|
||||
+ if (s_npas == NULL) {
|
||||
+ found = 0;
|
||||
+ continue;
|
||||
+ }
|
||||
s_pas = strtok_r(NULL, ":", &sptr);
|
||||
npas = strtol(s_npas, NULL, 10) + 1;
|
||||
- while (npas > howmany) {
|
||||
+ while (npas > howmany && s_pas != NULL) {
|
||||
s_pas = strpbrk(s_pas, ",");
|
||||
if (s_pas != NULL)
|
||||
s_pas++;
|
17
pam.spec
17
pam.spec
|
@ -3,7 +3,7 @@
|
|||
Summary: An extensible library which provides authentication for applications
|
||||
Name: pam
|
||||
Version: 1.1.6
|
||||
Release: 12%{?dist}
|
||||
Release: 13%{?dist}
|
||||
# The library is BSD licensed with option to relicense as GPLv2+
|
||||
# - this option is redundant as the BSD license allows that anyway.
|
||||
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
||||
|
@ -60,6 +60,9 @@ Patch27: pam-1.1.6-strict-aliasing.patch
|
|||
Patch28: pam-1.1.6-selinux-manualctx.patch
|
||||
Patch29: pam-1.1.6-pwhistory-helper.patch
|
||||
Patch30: pam-1.1.6-rootok-audit.patch
|
||||
Patch35: pam-1.1.6-cve-2013-7041.patch
|
||||
Patch36: pam-1.1.8-cve-2014-2583.patch
|
||||
Patch38: pam-1.1.8-opasswd-tolerant.patch
|
||||
|
||||
%define _pamlibdir %{_libdir}
|
||||
%define _moduledir %{_libdir}/security
|
||||
|
@ -145,7 +148,9 @@ mv pam-redhat-%{pam_redhat_version}/* modules
|
|||
%patch28 -p1 -b .manualctx
|
||||
%patch29 -p1 -b .pwhhelper
|
||||
%patch30 -p1 -b .audit
|
||||
|
||||
%patch35 -p1 -b .case
|
||||
%patch36 -p1 -b .timestamp-ruser
|
||||
%patch38 -p1 -b .opasswd-tolerant
|
||||
|
||||
%build
|
||||
autoreconf -i
|
||||
|
@ -393,10 +398,18 @@ fi
|
|||
%doc doc/adg/*.txt doc/adg/html
|
||||
|
||||
%changelog
|
||||
* Thu Dec 4 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.6-13
|
||||
- fix CVE-2014-2583: potential path traversal issue in pam_timestamp
|
||||
- fix CVE-2013-7041: use case sensitive comparison in pam_userdb
|
||||
- be tolerant to corrupted opasswd file
|
||||
|
||||
* Thu Jul 11 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-12
|
||||
- add auditing of SELinux policy violation in pam_rootok (#965723)
|
||||
- add SELinux helper to pam_pwhistory
|
||||
|
||||
* Wed Jun 12 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-11.1
|
||||
- disable lastlog messages for gdm
|
||||
|
||||
* Tue May 7 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-11
|
||||
- the default isadir is more correct
|
||||
|
||||
|
|
|
@ -2,6 +2,6 @@
|
|||
# This file is auto-generated.
|
||||
# User changes will be destroyed the next time authconfig is run.
|
||||
|
||||
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* quiet
|
||||
session [default=1] pam_lastlog.so nowtmp showfailed
|
||||
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
|
||||
session [default=1] pam_lastlog.so silent nowtmp
|
||||
session optional pam_lastlog.so silent noupdate showfailed
|
||||
|
|
Loading…
Reference in New Issue