Module Name: src
Committed By: bouyer
Date: Sat Nov 19 13:59:22 UTC 2011
Modified Files:
src/dist/openpam/lib [netbsd-5]: openpam_configure.c
Log Message:
Pull up following revision(s) (requested by drochner in ticket #1696):
dist/openpam/lib/openpam_configure.c: revision 1.6
Don't allow '/' characters in the "service" argument to pam_start()
The "service" is blindly appended to config directories ("/etc/pam.d/"),
and if a user can control the "service" it can get PAM to read config
files from any location.
This is not a problem with most software because the "service" is
usually a constant string. The check protects 3rd party software
from being abused.
(CVE-2011-4122)
To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.5.10.1 src/dist/openpam/lib/openpam_configure.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/dist/openpam/lib/openpam_configure.c
diff -u src/dist/openpam/lib/openpam_configure.c:1.5 src/dist/openpam/lib/openpam_configure.c:1.5.10.1
--- src/dist/openpam/lib/openpam_configure.c:1.5 Sun Jan 27 01:22:59 2008
+++ src/dist/openpam/lib/openpam_configure.c Sat Nov 19 13:59:21 2011
@@ -32,7 +32,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $Id: openpam_configure.c,v 1.5 2008/01/27 01:22:59 christos Exp $
+ * $Id: openpam_configure.c,v 1.5.10.1 2011/11/19 13:59:21 bouyer Exp $
*/
#include <ctype.h>
@@ -289,6 +289,12 @@ openpam_load_chain(pam_handle_t *pamh,
size_t len;
int r;
+ /* don't allow to escape from policy_path */
+ if (strchr(service, '/')) {
+ openpam_log(PAM_LOG_ERROR, "illegal service \"%s\"", service);
+ return (-PAM_SYSTEM_ERR);
+ }
+
for (path = openpam_policy_path; *path != NULL; ++path) {
len = strlen(*path);
if ((*path)[len - 1] == '/') {
