summaryrefslogtreecommitdiff
path: root/modules/pam_unix/support.c
diff options
context:
space:
mode:
authorThorsten Kukuk <kukuk@thkukuk.de>2015-06-22 14:53:01 +0200
committerThorsten Kukuk <kukuk@thkukuk.de>2015-06-22 14:53:01 +0200
commite89d4c97385ff8180e6e81e84c5aa745daf28a79 (patch)
tree17ef8bacb38a0f60a7476420ab62627cc8af440c /modules/pam_unix/support.c
parentf4fbbbcc52696d67ebe57ee8214fbbdf4c479dbc (diff)
Release version 1.2.1
Security fix: CVE-2015-3238 If the process executing pam_sm_authenticate or pam_sm_chauthtok method of pam_unix is not privileged enough to check the password, e.g. if selinux is enabled, the _unix_run_helper_binary function is called. When a long enough password is supplied (16 pages or more, i.e. 65536+ bytes on a system with 4K pages), this helper function hangs indefinitely, blocked in the write(2) call while writing to a blocking pipe that has a limited capacity. With this fix, the verifiable password length will be limited to PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix. * NEWS: Update * configure.ac: Bump version * modules/pam_exec/pam_exec.8.xml: document limitation of password length * modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE * modules/pam_unix/pam_unix.8.xml: document limitation of password length * modules/pam_unix/pam_unix_passwd.c: limit password length * modules/pam_unix/passverify.c: Likewise * modules/pam_unix/passverify.h: Likewise * modules/pam_unix/support.c: Likewise
Diffstat (limited to 'modules/pam_unix/support.c')
-rw-r--r--modules/pam_unix/support.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index fdb45c20..abccd828 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -609,7 +609,12 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
/* if the stored password is NULL */
int rc=0;
if (passwd != NULL) { /* send the password to the child */
- if (write(fds[1], passwd, strlen(passwd)+1) == -1) {
+ int len = strlen(passwd);
+
+ if (len > PAM_MAX_RESP_SIZE)
+ len = PAM_MAX_RESP_SIZE;
+ if (write(fds[1], passwd, len) == -1 ||
+ write(fds[1], "", 1) == -1) {
pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m");
retval = PAM_AUTH_ERR;
}