Hello community, here is the log from the commit of package pam for openSUSE:11.4 checked in at Tue Oct 25 17:04:04 CEST 2011.
-------- --- old-versions/11.4/all/pam/pam.changes 2011-02-23 13:46:27.000000000 +0100 +++ 11.4/pam/pam.changes 2011-10-25 14:30:23.000000000 +0200 @@ -1,0 +2,6 @@ +Mon Oct 24 10:55:45 CEST 2011 - [email protected] + +- fix possible overflow and DOS in pam_env (bnc#724480) + CVE-2011-3148, CVE-2011-3149 + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/pam Destination is old-versions/11.4/UPDATES/all/pam calling whatdependson for 11.4-i586 New: ---- bug-724480_pam_env-fix-dos.patch bug-724480_pam_env-fix-overflow.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam.spec ++++++ --- /var/tmp/diff_new_pack.sNcW1d/_old 2011-10-25 17:00:38.000000000 +0200 +++ /var/tmp/diff_new_pack.sNcW1d/_new 2011-10-25 17:00:38.000000000 +0200 @@ -38,7 +38,7 @@ %endif # Version: 1.1.3 -Release: 4.<RELEASE2> +Release: 4.<RELEASE9> Summary: A Security Tool that Provides Authentication for Applications Source: Linux-PAM-%{version}.tar.bz2 Source1: Linux-PAM-%{version}-docs.tar.bz2 @@ -53,6 +53,8 @@ Patch0: pam_tally-deprecated.diff # fix for bnc#673826 (pam_listfile logging) Patch1: pam_listfile-quiet.patch +Patch2: bug-724480_pam_env-fix-overflow.patch +Patch3: bug-724480_pam_env-fix-dos.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description 
@@ -103,6 +105,8 @@ %setup -q -n Linux-PAM-%{version} -b 1 %patch0 -p0 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build CFLAGS="$RPM_OPT_FLAGS -DNDEBUG" \ ++++++ bug-724480_pam_env-fix-dos.patch ++++++ Description: abort when encountering an overflowed environment variable expansion (CVE-2011-3149). Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565 Author: Kees Cook <[email protected]> Index: pam-debian/modules/pam_env/pam_env.c =================================================================== --- pam-debian.orig/modules/pam_env/pam_env.c 2011-10-14 12:47:23.433861595 -0700 +++ pam-debian/modules/pam_env/pam_env.c 2011-10-14 12:47:23.461861963 -0700 @@ -567,6 +567,7 @@ D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); + return PAM_ABORT; } continue; } @@ -628,6 +629,7 @@ D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); + return PAM_ABORT; } } } /* if ('{' != *orig++) */ @@ -639,6 +641,7 @@ D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); pam_syslog(pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); + return PAM_ABORT; } } } /* for (;*orig;) */ ++++++ bug-724480_pam_env-fix-overflow.patch ++++++ Description: correctly count leading whitespace when parsing environment file (CVE-2011-3148). Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469 Author: Kees Cook <[email protected]> Index: pam-debian/modules/pam_env/pam_env.c =================================================================== --- pam-debian.orig/modules/pam_env/pam_env.c 2011-10-14 10:51:30.973701139 -0700 +++ pam-debian/modules/pam_env/pam_env.c 2011-10-14 12:32:25.578188004 -0700 @@ -287,6 +287,7 @@ char *p = buffer; char *s, *os; int used = 0; + int whitespace; /* loop broken with a 'break' when a non-'\\n' ended line is read */ 
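Review bot: The three `return PAM_ABORT;` lines added by bug-724480_pam_env-fix-dos.patch (hunks at -567, -628 and -639 of modules/pam_env/pam_env.c) leave the function from inside its expansion loop, so any cleanup it performs after `/* for (;*orig;) */` is skipped on this path. The function starts and ends outside the hunks, so check the full source for whether `tmp` is cleared or anything is released at the normal exit. The new return value also only closes the issue if every caller tests it and stops processing, which the hunks do not show. I would add a short comment above the first return, e.g. `/* CVE-2011-3149: abort instead of continuing to expand into a full buffer */`, so the three identical exits are not later folded back into log-and-continue.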
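Review bot: `int whitespace;` (hunk at -287 of bug-724480_pam_env-fix-overflow.patch) receives the result of `strspn()` in the following hunk, and `strspn()` returns `size_t`, so the assignment narrows implicitly. The value is presumably bounded by the length of the line buffer, which would make the narrowing harmless, but that bound is outside the visible lines. Since `used` is an `int` in the same declaration group, the least intrusive change is to keep the type and make the conversion explicit: `whitespace = (int)strspn(p, " \n\t");`.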
@@ -309,8 +310,10 @@ /* skip leading spaces --- line may be blank */ - s = p + strspn(p, " \n\t"); + whitespace = strspn(p, " \n\t"); + s = p + whitespace; if (*s && (*s != '#')) { + used += whitespace; os = s; /* continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
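Review bot: `used += whitespace;` carries no comment explaining why the skipped whitespace has to be counted, although that one line is the fix for CVE-2011-3148. As far as the hunk shows, `s` is advanced past the whitespace while `p` is not, so the whitespace presumably stays in the buffer and consumes room that `used` must reflect. A line such as `/* leading whitespace stays in the buffer ahead of s, so it counts against the space left */` above the addition would record that. The check that consumes `used` and the rest of the loop body are outside the hunk, so confirm there that no other path advances past bytes without adding them to `used`. A regression test that feeds continuation lines with leading whitespace up to the buffer limit would keep the accounting from drifting again.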
