summaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended/pam/libpam
diff options
context:
space:
mode:
authorYue Tao <Yue.Tao@windriver.com>2014-06-17 04:23:59 -0400
committerRichard Purdie <richard.purdie@linuxfoundation.org>2014-06-17 10:23:53 +0100
commit9d40ce5dd1ea563f64869e27cda6db9254478145 (patch)
tree0d9f645d47c2b30e35ceecc9d2e5e3fe62f60ca6 /meta/recipes-extended/pam/libpam
parent6aa8d74ab22b55aa56ac9a0b32e1f099b5bf5e46 (diff)
downloadpoky-9d40ce5dd1ea563f64869e27cda6db9254478145.tar.gz
libpam: Security Advisory - CVE-2014-2583
v2 changes: * update format for commit log * add Upstream-Status for patch Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create aribitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty funtion, which is used by the format_timestamp_name function. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2583 (From OE-Core rev: 69255c84ebd99629da8174e1e73fd8c715e49b52) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/pam/libpam')
-rw-r--r--meta/recipes-extended/pam/libpam/pam_timestamp-fix-potential-directory-traversal-issu.patch63
1 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-extended/pam/libpam/pam_timestamp-fix-potential-directory-traversal-issu.patch b/meta/recipes-extended/pam/libpam/pam_timestamp-fix-potential-directory-traversal-issu.patch
new file mode 100644
index 0000000000..06cca13abe
--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/pam_timestamp-fix-potential-directory-traversal-issu.patch
@@ -0,0 +1,63 @@
1From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
2From: "Dmitry V. Levin" <ldv@altlinux.org>
3Date: Wed, 26 Mar 2014 22:17:23 +0000
4Subject: [PATCH] pam_timestamp: fix potential directory traversal issue
5 (ticket #27)
6
7commit 9dcead87e6d7f66d34e7a56d11a30daca367dffb upstream
8
9pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
10the timestamp pathname it creates, so extra care should be taken to
11avoid potential directory traversal issues.
12
13* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
14"." and ".." tty values as invalid.
15(get_ruser): Treat "." and ".." ruser values, as well as any ruser
16value containing '/', as invalid.
17
18Fixes CVE-2014-2583.
19
20Reported-by: Sebastian Krahmer <krahmer@suse.de>
21
22Upstream-Status: Backport
23
24Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
25Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
26---
27 modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++-
28 1 files changed, 12 insertions(+), 1 deletions(-)
29
30diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
31index 5193733..b3f08b1 100644
32--- a/modules/pam_timestamp/pam_timestamp.c
33+++ b/modules/pam_timestamp/pam_timestamp.c
34@@ -158,7 +158,7 @@ check_tty(const char *tty)
35 tty = strrchr(tty, '/') + 1;
36 }
37 /* Make sure the tty wasn't actually a directory (no basename). */
38- if (strlen(tty) == 0) {
39+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
40 return NULL;
41 }
42 return tty;
43@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
44 if (pwd != NULL) {
45 ruser = pwd->pw_name;
46 }
47+ } else {
48+ /*
49+ * This ruser is used by format_timestamp_name as a component
50+ * of constructed timestamp pathname, so ".", "..", and '/'
51+ * are disallowed to avoid potential path traversal issues.
52+ */
53+ if (!strcmp(ruser, ".") ||
54+ !strcmp(ruser, "..") ||
55+ strchr(ruser, '/')) {
56+ ruser = NULL;
57+ }
58 }
59 if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
60 *ruserbuf = '\0';
61--
621.7.5.4
63