summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKees Cook <kees@debian.org>2011-10-14 19:47:23 +0000
committerDmitry V. Levin <ldv@altlinux.org>2011-10-14 19:47:23 +0000
commit109823cb621c900c07c4b6cdc99070d354d19444 (patch)
treef75f2de0f16559f9dbbd60d8aa5312d22b5a7b56
parentcaf5e7f61c8d9288daa49b4f61962e6b1239121d (diff)
pam_env: abort when encountering an overflowed environment variable expansion
* modules/pam_env/pam_env.c (_expand_arg): Abort when encountering an overflowed environment variable expansion. Fixes CVE-2011-3149. Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565
-rw-r--r--ChangeLog5
-rw-r--r--modules/pam_env/pam_env.c3
2 files changed, 8 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index f823d23e..107f7651 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
2011-10-14 Kees Cook <kees@debian.org>
+ * modules/pam_env/pam_env.c (_expand_arg): Abort when encountering an
+ overflowed environment variable expansion.
+ Fixes CVE-2011-3149.
+ Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565
+
* modules/pam_env/pam_env.c (_assemble_line): Correctly count leading
whitespace.
Fixes CVE-2011-3148.
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index b7cd387f..e04f5b53 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -570,6 +570,7 @@ static int _expand_arg(pam_handle_t *pamh, char **value)
D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>",
tmp, tmpptr);
+ return PAM_BUF_ERR;
}
continue;
}
@@ -631,6 +632,7 @@ static int _expand_arg(pam_handle_t *pamh, char **value)
D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
pam_syslog (pamh, LOG_ERR,
"Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
+ return PAM_BUF_ERR;
}
}
} /* if ('{' != *orig++) */
@@ -642,6 +644,7 @@ static int _expand_arg(pam_handle_t *pamh, char **value)
D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
pam_syslog(pamh, LOG_ERR,
"Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
+ return PAM_BUF_ERR;
}
}
} /* for (;*orig;) */