Hello community,

here is the log from the commit of package pam for openSUSE:Factory checked in 
at 2014-04-22 07:49:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pam (Old)
 and      /work/SRC/openSUSE:Factory/.pam.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pam"

Changes:
--------
--- /work/SRC/openSUSE:Factory/pam/pam.changes  2014-04-09 13:15:15.000000000 
+0200
+++ /work/SRC/openSUSE:Factory/.pam.new/pam.changes     2014-04-22 
07:49:16.000000000 +0200
@@ -1,0 +2,6 @@
+Wed Apr  9 16:02:17 UTC 2014 - [email protected]
+
+- Fix CVE-2014-2583: pam_timestamp path injection (bnc#870433)
+  bug-870433_pam_timestamp-fix-directory-traversal.patch
+
+-------------------------------------------------------------------

New:
----
  bug-870433_pam_timestamp-fix-directory-traversal.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pam.spec ++++++
--- /var/tmp/diff_new_pack.hhrxbV/_old  2014-04-22 07:49:16.000000000 +0200
+++ /var/tmp/diff_new_pack.hhrxbV/_new  2014-04-22 07:49:16.000000000 +0200
@@ -55,6 +55,7 @@
 Patch1:         Linux-PAM-git-20140127.diff
 Patch2:         pam_loginuid-log_write_errors.diff
 Patch3:         pam_xauth-sigpipe.diff
+Patch4:         bug-870433_pam_timestamp-fix-directory-traversal.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -102,6 +103,7 @@
 %patch1 -p2
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 
 %build
 export CFLAGS="%optflags -DNDEBUG"

++++++ bug-870433_pam_timestamp-fix-directory-traversal.patch ++++++
>From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" <[email protected]>
Date: Wed, 26 Mar 2014 22:17:23 +0000
Subject: [PATCH] pam_timestamp: fix potential directory traversal issue
 (ticket #27)

pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
the timestamp pathname it creates, so extra care should be taken to
avoid potential directory traversal issues.

* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
"." and ".." tty values as invalid.
(get_ruser): Treat "." and ".." ruser values, as well as any ruser
value containing '/', as invalid.

Fixes CVE-2014-2583.

Reported-by: Sebastian Krahmer <[email protected]>
---
 modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/modules/pam_timestamp/pam_timestamp.c 
b/modules/pam_timestamp/pam_timestamp.c
index 5193733..b3f08b1 100644
--- a/modules/pam_timestamp/pam_timestamp.c
+++ b/modules/pam_timestamp/pam_timestamp.c
@@ -158,7 +158,7 @@ check_tty(const char *tty)
                tty = strrchr(tty, '/') + 1;
        }
        /* Make sure the tty wasn't actually a directory (no basename). */
-       if (strlen(tty) == 0) {
+       if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
                return NULL;
        }
        return tty;
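Review bot: the comment above the changed condition in check_tty still reads "Make sure the tty wasn't actually a directory (no basename)", which covers only the empty-string case and not the new "." and ".." rejections. Suggest extending it to say that the basename is used as a pathname component and that dot entries are refused for that reason, matching the comment added in get_ruser. As a minor style point, !strlen(tty) scans the whole string only to test for emptiness; tty[0] == '\0' expresses the same check directly.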
@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t 
ruserbuflen)
                if (pwd != NULL) {
                        ruser = pwd->pw_name;
                }
+       } else {
+               /*
+                * This ruser is used by format_timestamp_name as a component
+                * of constructed timestamp pathname, so ".", "..", and '/'
+                * are disallowed to avoid potential path traversal issues.
+                */
+               if (!strcmp(ruser, ".") ||
+                   !strcmp(ruser, "..") ||
+                   strchr(ruser, '/')) {
+                       ruser = NULL;
+               }
        }
        if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
                *ruserbuf = '\0';
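Review bot: in get_ruser the new check sits in the else branch, so a name assigned from pwd->pw_name in the branch just above it is never tested for ".", ".." or '/'. If that value reaches format_timestamp_name as well, consider moving the test below the if/else so both sources are filtered, or add a comment stating why pw_name is trusted here. The rejection path itself looks right: setting ruser to NULL falls into the existing "ruser == NULL" test that follows, which empties ruserbuf.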
-- 
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
