fix CVE-2014-2583: potential path traversal issue in pam_timestamp
This commit is contained in:
Tomas Mraz
parent
0cfc638648
commit
9b30e30268
56
pam-1.1.8-cve-2014-2583.patch
Normal file
56
pam-1.1.8-cve-2014-2583.patch
Normal file
@ -0,0 +1,56 @@
|
||||
From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
|
||||
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
||||
Date: Wed, 26 Mar 2014 22:17:23 +0000
|
||||
Subject: [PATCH] pam_timestamp: fix potential directory traversal issue
|
||||
(ticket #27)
|
||||
|
||||
pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
|
||||
the timestamp pathname it creates, so extra care should be taken to
|
||||
avoid potential directory traversal issues.
|
||||
|
||||
* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
|
||||
"." and ".." tty values as invalid.
|
||||
(get_ruser): Treat "." and ".." ruser values, as well as any ruser
|
||||
value containing '/', as invalid.
|
||||
|
||||
Fixes CVE-2014-2583.
|
||||
|
||||
Reported-by: Sebastian Krahmer <krahmer@suse.de>
|
||||
---
|
||||
modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++-
|
||||
1 file changed, 12 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
|
||||
index 5193733..b3f08b1 100644
|
||||
--- a/modules/pam_timestamp/pam_timestamp.c
|
||||
+++ b/modules/pam_timestamp/pam_timestamp.c
|
||||
@@ -158,7 +158,7 @@ check_tty(const char *tty)
|
||||
tty = strrchr(tty, '/') + 1;
|
||||
}
|
||||
/* Make sure the tty wasn't actually a directory (no basename). */
|
||||
- if (strlen(tty) == 0) {
|
||||
+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
|
||||
return NULL;
|
||||
}
|
||||
return tty;
|
||||
@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
|
||||
if (pwd != NULL) {
|
||||
ruser = pwd->pw_name;
|
||||
}
|
||||
+ } else {
|
||||
+ /*
|
||||
+ * This ruser is used by format_timestamp_name as a component
|
||||
+ * of constructed timestamp pathname, so ".", "..", and '/'
|
||||
+ * are disallowed to avoid potential path traversal issues.
|
||||
+ */
|
||||
+ if (!strcmp(ruser, ".") ||
|
||||
+ !strcmp(ruser, "..") ||
|
||||
+ strchr(ruser, '/')) {
|
||||
+ ruser = NULL;
|
||||
+ }
|
||||
}
|
||||
if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
|
||||
*ruserbuf = '\0';
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
7
pam.spec
7
pam.spec
@ -3,7 +3,7 @@
|
||||
Summary: An extensible library which provides authentication for applications
|
||||
Name: pam
|
||||
Version: 1.1.8
|
||||
Release: 9%{?dist}
|
||||
Release: 10%{?dist}
|
||||
# The library is BSD licensed with option to relicense as GPLv2+
|
||||
# - this option is redundant as the BSD license allows that anyway.
|
||||
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
||||
@ -46,6 +46,7 @@ Patch32: pam-1.1.7-tty-audit-init.patch
|
||||
Patch33: pam-1.1.8-translation-updates.patch
|
||||
Patch34: pam-1.1.8-canonicalize-username.patch
|
||||
Patch35: pam-1.1.8-cve-2013-7041.patch
|
||||
Patch36: pam-1.1.8-cve-2014-2583.patch
|
||||
|
||||
%define _pamlibdir %{_libdir}
|
||||
%define _moduledir %{_libdir}/security
|
||||
@ -125,6 +126,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules
|
||||
%patch33 -p2 -b .translations
|
||||
%patch34 -p1 -b .canonicalize
|
||||
%patch35 -p1 -b .case
|
||||
%patch36 -p1 -b .timestamp-ruser
|
||||
|
||||
%build
|
||||
autoreconf -i
|
||||
@ -373,6 +375,9 @@ fi
|
||||
%doc doc/adg/*.txt doc/adg/html
|
||||
|
||||
%changelog
|
||||
* Mon Mar 31 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-10
|
||||
- fix CVE-2014-2583: potential path traversal issue in pam_timestamp
|
||||
|
||||
* Wed Mar 26 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-9
|
||||
- pam_pwhistory: call the helper if SELinux enabled
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user