authorKees Cook <kees@debian.org>2011-10-14 19:32:25 +0000
committerDmitry V. Levin <ldv@altlinux.org>2011-10-14 19:32:25 +0000
commitcaf5e7f61c8d9288daa49b4f61962e6b1239121d (patch)
tree4eb2a6ea8e8de07a13ccabec4be6691a5da1245e
parentc5cbe7a04f82ac89372dd2765979aac66188dca1 (diff)
pam_env: correctly count leading whitespace when parsing environment file
* modules/pam_env/pam_env.c (_assemble_line): Correctly count leading whitespace. Fixes CVE-2011-3148. Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469
-rw-r--r--ChangeLog7
-rw-r--r--modules/pam_env/pam_env.c5
2 files changed, 11 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index bb859b9d..f823d23e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2011-10-14 Kees Cook <kees@debian.org>
+
+ * modules/pam_env/pam_env.c (_assemble_line): Correctly count leading
+ whitespace.
+ Fixes CVE-2011-3148.
+ Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469
+
2011-10-10 Tomas Mraz <tm@t8m.info>
* modules/pam_access/pam_access.c: Add hostname resolution
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index 1ec01ca5..b7cd387f 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -290,6 +290,7 @@ static int _assemble_line(FILE *f, char *buffer, int buf_len)
char *p = buffer;
char *s, *os;
int used = 0;
+ int whitespace;
/* loop broken with a 'break' when a non-'\\n' ended line is read */
@@ -312,8 +313,10 @@ static int _assemble_line(FILE *f, char *buffer, int buf_len)
/* skip leading spaces --- line may be blank */
- s = p + strspn(p, " \n\t");
+ whitespace = strspn(p, " \n\t");
+ s = p + whitespace;
if (*s && (*s != '#')) {
+ used += whitespace;
os = s;
/*
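Review bot: The added `used += whitespace;` carries no comment saying why skipped whitespace must be counted: those bytes stay in `buffer` ahead of `s`, so `used` can only bound later writes if it includes them. I would put `/* leading whitespace stays in buffer, so it counts against buf_len */` directly above that line so the invariant survives future edits. Separately, `strspn()` returns `size_t` while the declaration added in the first hunk is `int whitespace;`. The value is presumably bounded by `buf_len` through the read earlier in the loop, which is outside this hunk, but declaring `size_t whitespace;` and writing `used += (int)whitespace;` would make the narrowing explicit. `_assemble_line` starts before and continues past both hunks, so the remaining updates of `used` cannot be checked from here.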