From 109823cb621c900c07c4b6cdc99070d354d19444 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Fri, 14 Oct 2011 19:47:23 +0000 Subject: pam_env: abort when encountering an overflowed environment variable expansion * modules/pam_env/pam_env.c (_expand_arg): Abort when encountering an overflowed environment variable expansion. Fixes CVE-2011-3149. Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565 --- ChangeLog | 5 +++++ modules/pam_env/pam_env.c | 3 +++ 2 files changed, 8 insertions(+) diff --git a/ChangeLog b/ChangeLog index f823d23e..107f7651 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,10 @@ 2011-10-14 Kees Cook + * modules/pam_env/pam_env.c (_expand_arg): Abort when encountering an + overflowed environment variable expansion. + Fixes CVE-2011-3149. + Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565 + * modules/pam_env/pam_env.c (_assemble_line): Correctly count leading whitespace. Fixes CVE-2011-3148. diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c index b7cd387f..e04f5b53 100644 --- a/modules/pam_env/pam_env.c +++ b/modules/pam_env/pam_env.c @@ -570,6 +570,7 @@ static int _expand_arg(pam_handle_t *pamh, char **value) D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); + return PAM_BUF_ERR; } continue; } @@ -631,6 +632,7 @@ static int _expand_arg(pam_handle_t *pamh, char **value) D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); + return PAM_BUF_ERR; } } } /* if ('{' != *orig++) */ @@ -642,6 +644,7 @@ static int _expand_arg(pam_handle_t *pamh, char **value) D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); pam_syslog(pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); + return PAM_BUF_ERR; } } } /* for (;*orig;) */ -- cgit v1.2.3