Public bug reported:

Binary package hint: login

I have tried to use pam_script, which generally works, but the su program
tries to use a strange value for the user's home directory. pam_script
runs a script with root privileges and su tries to use values like "t",
"oot". If pam_script is disabled then su works without any problem.

After some code analysis I think that su uses getpwent in an insecure
way, since the result of the function may be a static buffer that
subsequent PAM code / PAM modules can overwrite, and su doesn't copy it
for itself. Other programs in the shadow package may also use it in the
same bad way, but they may call getpwent after the other PAM code, which
may mitigate the effect, although I'm not sure these calls are intended
to fix the problem.

Since the PAM configuration is writable only by root, usually no user
programs are run from PAM, and getpwent provides data from root-owned
databases, there is only a little risk that this problem is exploitable,
although it can cause strange behavior in shadow programs.

I'm using login 4.0.16-2ubuntu4 on Ubuntu 6.10 Edgy, and the problem is
in src/su.c:

lines 487-498: getpwent is called and no memory copy is made of the result data structure
lines 761-790: the PAM session code is called, where pam_script runs and calls getpwent with another user as an argument, overwriting the result buffer
lines 806-808: the HOME variable is set according to the original data structure, which may have been modified by the PAM code since it was requested

** Affects: shadow (Ubuntu)
     Importance: Undecided
         Status: Unconfirmed

-- 
pwent data can be overwritten by a PAM module in su source
https://launchpad.net/bugs/80610

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

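The aliasing the report describes, as an added example that is not part of the bug report or of shadow's own source. The passwd database, fake_getpwnam() and fake_pam_session() below are constructed stand-ins: fake_getpwnam() reproduces the behaviour of the non-reentrant libc getpwnam()/getpwent() (one static struct, one static string buffer, pointers into both), and the "shallow struct assignment" in home_vulnerable() is an assumption about how su keeps the entry. pw_dup()/pw_free() are the fix and work on the real struct passwd from <pwd.h> on glibc.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the passwd database (not real accounts). */
struct fake_entry { const char *name; uid_t uid; gid_t gid;
                    const char *gecos; const char *dir; const char *shell; };
static const struct fake_entry fake_db[] = {
    { "root",     0,    0,    "root",      "/root",          "/bin/bash" },
    { "testuser", 1000, 1000, "Test User", "/home/testuser", "/bin/sh"   },
};

/* Copy s into the packed string area and return where it landed. */
static char *pack(char **cursor, const char *s) {
    char *start = *cursor;
    size_t n = strlen(s) + 1;
    memcpy(start, s, n);
    *cursor += n;
    return start;
}

/* Mimics the non-reentrant libc getpwnam(): every call rewrites ONE static
 * struct and ONE static string buffer and hands back pointers into them. */
static struct passwd *fake_getpwnam(const char *name) {
    static struct passwd pw;
    static char strbuf[256];
    for (size_t i = 0; i < sizeof fake_db / sizeof fake_db[0]; i++) {
        const struct fake_entry *e = &fake_db[i];
        if (strcmp(e->name, name) != 0)
            continue;
        char *p = strbuf;
        memset(strbuf, 0, sizeof strbuf);
        pw.pw_name   = pack(&p, e->name);
        pw.pw_passwd = pack(&p, "x");
        pw.pw_uid    = e->uid;
        pw.pw_gid    = e->gid;
        pw.pw_gecos  = pack(&p, e->gecos);
        pw.pw_dir    = pack(&p, e->dir);
        pw.pw_shell  = pack(&p, e->shell);
        return &pw;
    }
    return NULL;
}

/* Stand-in for the PAM session phase: a module (pam_script here) looks up
 * some other account, which silently overwrites the static buffer above. */
static void fake_pam_session(const char *other_user) {
    (void)fake_getpwnam(other_user);
}

/* Vulnerable pattern: struct assignment copies the POINTERS, not the strings,
 * so pw_dir still points into the static buffer when HOME is finally set. */
static const char *home_vulnerable(const char *target, const char *pam_user) {
    struct passwd *raw = fake_getpwnam(target);
    if (raw == NULL)
        return NULL;
    struct passwd saved = *raw;          /* shallow copy */
    fake_pam_session(pam_user);          /* clobbers the strings */
    return saved.pw_dir;                 /* garbage from the new entry */
}

static void pw_free(struct passwd *pw) {
    if (pw == NULL) return;
    free(pw->pw_name); free(pw->pw_passwd); free(pw->pw_gecos);
    free(pw->pw_dir);  free(pw->pw_shell); free(pw);
}

/* Fix: deep-copy every string before anything else may call getpw*(). */
static struct passwd *pw_dup(const struct passwd *src) {
    struct passwd *dst = calloc(1, sizeof *dst);
    if (dst == NULL) return NULL;
    dst->pw_uid    = src->pw_uid;
    dst->pw_gid    = src->pw_gid;
    dst->pw_name   = strdup(src->pw_name);
    dst->pw_passwd = strdup(src->pw_passwd);
    dst->pw_gecos  = strdup(src->pw_gecos);
    dst->pw_dir    = strdup(src->pw_dir);
    dst->pw_shell  = strdup(src->pw_shell);
    if (!dst->pw_name || !dst->pw_passwd || !dst->pw_gecos ||
        !dst->pw_dir || !dst->pw_shell) { pw_free(dst); return NULL; }
    return dst;
}

/* Safe pattern: the caller owns its copy. Returns a malloc'd string or NULL. */
static char *home_safe(const char *target, const char *pam_user) {
    struct passwd *raw = fake_getpwnam(target);
    struct passwd *own = raw ? pw_dup(raw) : NULL;
    if (own == NULL)
        return NULL;
    fake_pam_session(pam_user);          /* static buffer changes, our copy does not */
    char *home = strdup(own->pw_dir);
    pw_free(own);
    return home;
}

int main(void) {
    printf("vulnerable HOME: %s\n", home_vulnerable("root", "testuser"));
    char *h = home_safe("root", "testuser");
    printf("safe HOME:       %s\n", h ? h : "(null)");
    free(h);
    return 0;
}
```

With the constructed entries above, the stale pw_dir of the shallow copy lands in the middle of the second entry's gecos field, which is the same kind of truncated fragment ("t", "oot") the report saw. With the real C library the equivalent of pw_dup() is to call getpwnam_r()/getpwuid_r() with a caller-supplied buffer, or to deep-copy the result of getpwnam()/getpwent() before PAM runs.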