-rw-r--r--debian/changelog4
-rw-r--r--debian/patches-applied/pam_env-fix-dos.patch33
-rw-r--r--debian/patches-applied/pam_env-fix-overflow.patch29
-rw-r--r--debian/patches-applied/series2
4 files changed, 68 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 47a4ff4c..2ce66045 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,6 +14,10 @@ pam (1.1.3-5) UNRELEASED; urgency=low
* debian/patches-applied/hurd_no_setfsuid: check all set*id() calls.
* debian/patches-applied/update-motd: correctly clear environment when
building motd.
+ * debian/patches-applied/pam_env-fix-overflow.patch: fix stack overflow
+ in environment file parsing (CVE-2011-3148).
+ * debian/patches-applied/pam_env-fix-dos.patch: fix DoS in environment
+ file parsing (CVE-2011-3149).
-- Kees Cook <kees@debian.org> Thu, 13 Oct 2011 12:31:03 -0700
diff --git a/debian/patches-applied/pam_env-fix-dos.patch b/debian/patches-applied/pam_env-fix-dos.patch
new file mode 100644
index 00000000..523e1390
--- /dev/null
+++ b/debian/patches-applied/pam_env-fix-dos.patch
@@ -0,0 +1,33 @@
+Description: abort when encountering an overflowed environment variable
+ expansion (CVE-2011-3149).
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565
+Author: Kees Cook <kees@debian.org>
+
+Index: pam-debian/modules/pam_env/pam_env.c
+===================================================================
+--- pam-debian.orig/modules/pam_env/pam_env.c 2011-10-14 12:47:23.433861595 -0700
++++ pam-debian/modules/pam_env/pam_env.c 2011-10-14 12:47:23.461861963 -0700
+@@ -567,6 +567,7 @@
+ D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
+ pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>",
+ tmp, tmpptr);
++ return PAM_ABORT;
+ }
+ continue;
+ }
+@@ -628,6 +629,7 @@
+ D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
+ pam_syslog (pamh, LOG_ERR,
+ "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
++ return PAM_ABORT;
+ }
+ }
+ } /* if ('{' != *orig++) */
+@@ -639,6 +641,7 @@
+ D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
+ pam_syslog(pamh, LOG_ERR,
+ "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
++ return PAM_ABORT;
+ }
+ }
+ } /* for (;*orig;) */
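Review bot: The three added `return PAM_ABORT;` lines (inner hunks at 567, 628 and 639) carry no comment saying why an overflowed expansion is now fatal instead of logged and skipped, so a later cleanup could easily revert them to the old fall-through. I would put `/* expansion does not fit in tmp: fail instead of continuing with a truncated value (CVE-2011-3149) */` above the first one and refer to it from the other two. The enclosing function starts and ends outside these hunks, so it is not visible whether every caller propagates the new return code rather than carrying on with the unexpanded value; that is worth confirming. Since the error is now terminal, the existing "Variable buffer overflow" LOG_ERR line becomes the only trace an administrator has of the failure, and it is worth documenting as something to alert on.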
diff --git a/debian/patches-applied/pam_env-fix-overflow.patch b/debian/patches-applied/pam_env-fix-overflow.patch
new file mode 100644
index 00000000..7797359a
--- /dev/null
+++ b/debian/patches-applied/pam_env-fix-overflow.patch
@@ -0,0 +1,29 @@
+Description: correctly count leading whitespace when parsing environment
+ file (CVE-2011-3148).
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469
+Author: Kees Cook <kees@debian.org>
+
+Index: pam-debian/modules/pam_env/pam_env.c
+===================================================================
+--- pam-debian.orig/modules/pam_env/pam_env.c 2011-10-14 10:51:30.973701139 -0700
++++ pam-debian/modules/pam_env/pam_env.c 2011-10-14 12:32:25.578188004 -0700
+@@ -287,6 +287,7 @@
+ char *p = buffer;
+ char *s, *os;
+ int used = 0;
++ int whitespace;
+
+ /* loop broken with a 'break' when a non-'\\n' ended line is read */
+
+@@ -309,8 +310,10 @@
+
+ /* skip leading spaces --- line may be blank */
+
+- s = p + strspn(p, " \n\t");
++ whitespace = strspn(p, " \n\t");
++ s = p + whitespace;
+ if (*s && (*s != '#')) {
++ used += whitespace;
+ os = s;
+
+ /*
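Review bot: The fix keeps `used` in step with `p` by adding the skipped whitespace in the non-blank branch, but the invariant it restores is stated nowhere, and it still relies on two variables being advanced in parallel. A comment at the declaration such as `/* used must always equal p - buffer; it bounds the next read */` would make the intent explicit. The read that consumes `used` lies outside this hunk, so that wording is inferred from the patch description. If the surrounding loop allows it, computing the remaining space from `p - buffer` would remove this class of miscount altogether. Separately, `strspn()` returns `size_t` and is stored in `int whitespace`; that is harmless for a bounded line buffer, but `size_t whitespace;` avoids the implicit narrowing.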
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index fc0ee341..9006ae52 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -22,3 +22,5 @@ fix-man-crud
sys-types-include.patch
no_PATH_MAX_on_hurd
lib_security_multiarch_compat
+pam_env-fix-overflow.patch
+pam_env-fix-dos.patch