CVS commit: src/external/bsd/openpam/dist/lib

Tue, 03 Jun 2014 13:23:39 -0700 

Module Name:    src
Committed By:   christos
Date:           Tue Jun  3 20:21:32 UTC 2014

Modified Files:
        src/external/bsd/openpam/dist/lib: openpam_configure.c

Log Message:
CVE-2014-3879: Incorrect error handling in PAM policy parser:
Missing module files were treated as soft failures leading to
unexpected behavior if policy files were copied between hosts with
differently installed modules or in the short period during upgrades
when module files were being replaced.


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 \
    src/external/bsd/openpam/dist/lib/openpam_configure.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/external/bsd/openpam/dist/lib/openpam_configure.c
diff -u src/external/bsd/openpam/dist/lib/openpam_configure.c:1.7 src/external/bsd/openpam/dist/lib/openpam_configure.c:1.8
--- src/external/bsd/openpam/dist/lib/openpam_configure.c:1.7	Fri Jan  3 17:49:21 2014
+++ src/external/bsd/openpam/dist/lib/openpam_configure.c	Tue Jun  3 16:21:32 2014
@@ -1,8 +1,8 @@
-/*	$NetBSD: openpam_configure.c,v 1.7 2014/01/03 22:49:21 joerg Exp $	*/
+/*	$NetBSD: openpam_configure.c,v 1.8 2014/06/03 20:21:32 christos Exp $	*/
 
 /*-
  * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2004-2012 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2014 Dag-Erling Smørgrav
  * All rights reserved.
  *
  * This software was developed for the FreeBSD Project by ThinkSec AS and
@@ -195,6 +195,7 @@ openpam_parse_chain(pam_handle_t *pamh,
 			openpam_log(PAM_LOG_ERROR,
 			    "%s(%d): missing or invalid facility",
 			    filename, lineno);
+			errno = EINVAL;
 			goto fail;
 		}
 		if (facility != fclt && facility != PAM_FACILITY_ANY) {
@@ -210,18 +211,28 @@ openpam_parse_chain(pam_handle_t *pamh,
 				openpam_log(PAM_LOG_ERROR,
 				    "%s(%d): missing or invalid service name",
 				    filename, lineno);
+				errno = EINVAL;
 				goto fail;
 			}
 			if (wordv[i] != NULL) {
 				openpam_log(PAM_LOG_ERROR,
 				    "%s(%d): garbage at end of line",
 				    filename, lineno);
+				errno = EINVAL;
 				goto fail;
 			}
 			ret = openpam_load_chain(pamh, servicename, fclt);
 			FREEV(wordc, wordv);
-			if (ret < 0)
+			if (ret < 0) {
+				/*
+				 * Bogus errno, but this ensures that the
+				 * outer loop does not just ignore the
+				 * error and keep searching.
+				 */
+				if (errno == ENOENT)
+					errno = EINVAL;
 				goto fail;
+			}
 			continue;
 		}
 
@@ -231,6 +242,7 @@ openpam_parse_chain(pam_handle_t *pamh,
 			openpam_log(PAM_LOG_ERROR,
 			    "%s(%d): missing or invalid control flag",
 			    filename, lineno);
+			errno = EINVAL;
 			goto fail;
 		}
 
@@ -240,6 +252,7 @@ openpam_parse_chain(pam_handle_t *pamh,
 			openpam_log(PAM_LOG_ERROR,
 			    "%s(%d): missing or invalid module name",
 			    filename, lineno);
+			errno = EINVAL;
 			goto fail;
 		}
 
@@ -249,8 +262,11 @@ openpam_parse_chain(pam_handle_t *pamh,
 		this->flag = ctlf;
 
 		/* load module */
-		if ((this->module = openpam_load_module(modulename)) == NULL)
+		if ((this->module = openpam_load_module(modulename)) == NULL) {
+			if (errno == ENOENT)
+				errno = ENOEXEC;
 			goto fail;
+		}
 
 		/*
 		 * The remaining items in wordv are the module's
@@ -283,7 +299,11 @@ openpam_parse_chain(pam_handle_t *pamh,
 	 * The loop ended because openpam_readword() returned NULL, which
 	 * can happen for four different reasons: an I/O error (ferror(f)
 	 * is true), a memory allocation failure (ferror(f) is false,
-	 * errno is non-zero)
+	 * feof(f) is false, errno is non-zero), the file ended with an
+	 * unterminated quote or backslash escape (ferror(f) is false,
+	 * feof(f) is true, errno is non-zero), or the end of the file was
+	 * reached without error (ferror(f) is false, feof(f) is true,
+	 * errno is zero).
 	 */
 	if (ferror(f) || errno != 0)
 		goto syserr;
@@ -404,6 +424,9 @@ openpam_load_chain(pam_handle_t *pamh,
 		}
 		ret = openpam_load_file(pamh, service, facility,
 		    filename, style);
+		/* success */
+		if (ret > 0)
+			RETURNN(ret);
 		/* the file exists, but an error occurred */
 		if (ret == -1 && errno != ENOENT)
 			RETURNN(ret);
@@ -413,7 +436,8 @@ openpam_load_chain(pam_handle_t *pamh,
 	}
 
 	/* no hit */
-	RETURNN(0);
+	errno = ENOENT;
+	RETURNN(-1);
 }
 
 /*
@@ -434,8 +458,10 @@ openpam_configure(pam_handle_t *pamh,
 		openpam_log(PAM_LOG_ERROR, "invalid service name");
 		RETURNC(PAM_SYSTEM_ERR);
 	}
-	if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) < 0)
-		goto load_err;
+	if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) < 0) {
+		if (errno != ENOENT)
+			goto load_err;
+	}
 	for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) {
 		if (pamh->chains[fclt] != NULL)
 			continue;

Reply via email to