diff options
Diffstat (limited to 'debian/patches-applied/cve-2015-3238.patch')
| -rw-r--r-- | debian/patches-applied/cve-2015-3238.patch | 213 |
1 files changed, 0 insertions, 213 deletions
diff --git a/debian/patches-applied/cve-2015-3238.patch b/debian/patches-applied/cve-2015-3238.patch deleted file mode 100644 index 50dd746e..00000000 --- a/debian/patches-applied/cve-2015-3238.patch +++ /dev/null @@ -1,213 +0,0 @@ -From e89d4c97385ff8180e6e81e84c5aa745daf28a79 Mon Sep 17 00:00:00 2001 -From: Thorsten Kukuk <kukuk@thkukuk.de> -Date: Mon, 22 Jun 2015 14:53:01 +0200 -Subject: Release version 1.2.1 - -Security fix: CVE-2015-3238 - -If the process executing pam_sm_authenticate or pam_sm_chauthtok method -of pam_unix is not privileged enough to check the password, e.g. -if selinux is enabled, the _unix_run_helper_binary function is called. -When a long enough password is supplied (16 pages or more, i.e. 65536+ -bytes on a system with 4K pages), this helper function hangs -indefinitely, blocked in the write(2) call while writing to a blocking -pipe that has a limited capacity. -With this fix, the verifiable password length will be limited to -PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix. - -Index: pam/modules/pam_exec/pam_exec.8.xml -=================================================================== ---- pam.orig/modules/pam_exec/pam_exec.8.xml -+++ pam/modules/pam_exec/pam_exec.8.xml -@@ -106,7 +106,8 @@ - During authentication the calling command can read - the password from <citerefentry> - <refentrytitle>stdin</refentrytitle><manvolnum>3</manvolnum> -- </citerefentry>. -+ </citerefentry>. Only first <emphasis>PAM_MAX_RESP_SIZE</emphasis> -+ bytes of a password are provided to the command. - </para> - </listitem> - </varlistentry> -Index: pam/modules/pam_exec/pam_exec.c -=================================================================== ---- pam.orig/modules/pam_exec/pam_exec.c -+++ pam/modules/pam_exec/pam_exec.c -@@ -178,11 +178,11 @@ - } - - pam_set_item (pamh, PAM_AUTHTOK, resp); -- authtok = strdupa (resp); -+ authtok = strndupa (resp, PAM_MAX_RESP_SIZE); - _pam_drop (resp); - } - else -- authtok = void_pass; -+ authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE); - - if (pipe(fds) != 0) - { -Index: pam/modules/pam_unix/pam_unix.8.xml -=================================================================== ---- pam.orig/modules/pam_unix/pam_unix.8.xml -+++ pam/modules/pam_unix/pam_unix.8.xml -@@ -80,6 +80,13 @@ - </para> - - <para> -+ The maximum length of a password supported by the pam_unix module -+ via the helper binary is <emphasis>PAM_MAX_RESP_SIZE</emphasis> -+ - currently 512 bytes. The rest of the password provided by the -+ conversation function to the module will be ignored. -+ </para> -+ -+ <para> - The password component of this module performs the task of updating - the user's password. The default encryption hash is taken from the - <emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from -Index: pam/modules/pam_unix/pam_unix_passwd.c -=================================================================== ---- pam.orig/modules/pam_unix/pam_unix_passwd.c -+++ pam/modules/pam_unix/pam_unix_passwd.c -@@ -245,15 +245,22 @@ - /* wait for child */ - /* if the stored password is NULL */ - int rc=0; -- if (fromwhat) -- pam_modutil_write(fds[1], fromwhat, strlen(fromwhat)+1); -- else -- pam_modutil_write(fds[1], "", 1); -- if (towhat) { -- pam_modutil_write(fds[1], towhat, strlen(towhat)+1); -+ if (fromwhat) { -+ int len = strlen(fromwhat); -+ -+ if (len > PAM_MAX_RESP_SIZE) -+ len = PAM_MAX_RESP_SIZE; -+ pam_modutil_write(fds[1], fromwhat, len); - } -- else -- pam_modutil_write(fds[1], "", 1); -+ pam_modutil_write(fds[1], "", 1); -+ if (towhat) { -+ int len = strlen(towhat); -+ -+ if (len > PAM_MAX_RESP_SIZE) -+ len = PAM_MAX_RESP_SIZE; -+ pam_modutil_write(fds[1], towhat, len); -+ } -+ pam_modutil_write(fds[1], "", 1); - - close(fds[0]); /* close here to avoid possible SIGPIPE above */ - close(fds[1]); -Index: pam/modules/pam_unix/passverify.c -=================================================================== ---- pam.orig/modules/pam_unix/passverify.c -+++ pam/modules/pam_unix/passverify.c -@@ -1086,12 +1086,15 @@ - int - read_passwords(int fd, int npass, char **passwords) - { -+ /* The passwords array must contain npass preallocated -+ * buffers of length MAXPASS + 1 -+ */ - int rbytes = 0; - int offset = 0; - int i = 0; - char *pptr; - while (npass > 0) { -- rbytes = read(fd, passwords[i]+offset, MAXPASS-offset); -+ rbytes = read(fd, passwords[i]+offset, MAXPASS+1-offset); - - if (rbytes < 0) { - if (errno == EINTR) continue; -Index: pam/modules/pam_unix/passverify.h -=================================================================== ---- pam.orig/modules/pam_unix/passverify.h -+++ pam/modules/pam_unix/passverify.h -@@ -8,7 +8,7 @@ - - #define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT - --#define MAXPASS 200 /* the maximum length of a password */ -+#define MAXPASS PAM_MAX_RESP_SIZE /* the maximum length of a password */ - - #define OLD_PASSWORDS_FILE "/etc/security/opasswd" - -Index: pam/modules/pam_unix/support.c -=================================================================== ---- pam.orig/modules/pam_unix/support.c -+++ pam/modules/pam_unix/support.c -@@ -632,7 +632,12 @@ - /* if the stored password is NULL */ - int rc=0; - if (passwd != NULL) { /* send the password to the child */ -- if (write(fds[1], passwd, strlen(passwd)+1) == -1) { -+ int len = strlen(passwd); -+ -+ if (len > PAM_MAX_RESP_SIZE) -+ len = PAM_MAX_RESP_SIZE; -+ if (write(fds[1], passwd, len) == -1 || -+ write(fds[1], "", 1) == -1) { - pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m"); - retval = PAM_AUTH_ERR; - } -Index: pam/modules/pam_unix/pam_unix.8 -=================================================================== ---- pam.orig/modules/pam_unix/pam_unix.8 -+++ pam/modules/pam_unix/pam_unix.8 -@@ -56,6 +56,10 @@ - \fBnoreap\fR - module argument can be used to suppress this temporary shielding and may be needed for use with certain applications\&. - .PP -+The maximum length of a password supported by the pam_unix module via the helper binary is -+\fIPAM_MAX_RESP_SIZE\fR -+\- currently 512 bytes\&. The rest of the password provided by the conversation function to the module will be ignored\&. -+.PP - The password component of this module performs the task of updating the user\*(Aqs password\&. The default encryption hash is taken from the - \fBENCRYPT_METHOD\fR - variable from -Index: pam/modules/pam_exec/pam_exec.8 -=================================================================== ---- pam.orig/modules/pam_exec/pam_exec.8 -+++ pam/modules/pam_exec/pam_exec.8 -@@ -65,7 +65,9 @@ - \fBexpose_authtok\fR - .RS 4 - During authentication the calling command can read the password from --\fBstdin\fR(3)\&. -+\fBstdin\fR(3)\&. Only first -+\fIPAM_MAX_RESP_SIZE\fR -+bytes of a password are provided to the command\&. - .RE - .PP - \fBlog=\fR\fB\fIfile\fR\fR -Index: pam/modules/pam_exec/README -=================================================================== ---- pam.orig/modules/pam_exec/README -+++ pam/modules/pam_exec/README -@@ -24,7 +24,8 @@ - expose_authtok - - During authentication the calling command can read the password from stdin -- (3). -+ (3). Only first PAM_MAX_RESP_SIZE bytes of a password are provided to the -+ command. - - log=file - -Index: pam/modules/pam_unix/README -=================================================================== ---- pam.orig/modules/pam_unix/README -+++ pam/modules/pam_unix/README -@@ -34,6 +34,10 @@ - suppress this temporary shielding and may be needed for use with certain - applications. - -+The maximum length of a password supported by the pam_unix module via the -+helper binary is PAM_MAX_RESP_SIZE - currently 512 bytes. The rest of the -+password provided by the conversation function to the module will be ignored. -+ - The password component of this module performs the task of updating the user's - password. The default encryption hash is taken from the ENCRYPT_METHOD variable - from /etc/login.defs |