From caf5e7f61c8d9288daa49b4f61962e6b1239121d Mon Sep 17 00:00:00 2001
From: Kees Cook <kees@debian.org>
Date: Fri, 14 Oct 2011 19:32:25 +0000
Subject: pam_env: correctly count leading whitespace when parsing environment
 file

* modules/pam_env/pam_env.c (_assemble_line): Correctly count leading
whitespace.
Fixes CVE-2011-3148.
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469
---
 ChangeLog                 | 7 +++++++
 modules/pam_env/pam_env.c | 5 ++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index bb859b9d..f823d23e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2011-10-14  Kees Cook <kees@debian.org>
+
+	* modules/pam_env/pam_env.c (_assemble_line): Correctly count leading
+	whitespace.
+	Fixes CVE-2011-3148.
+	Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469
+
 2011-10-10  Tomas Mraz  <tm@t8m.info>
 
 	* modules/pam_access/pam_access.c: Add hostname resolution
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index 1ec01ca5..b7cd387f 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -290,6 +290,7 @@ static int _assemble_line(FILE *f, char *buffer, int buf_len)
     char *p = buffer;
     char *s, *os;
     int used = 0;
+    int whitespace;
 
     /* loop broken with a 'break' when a non-'\\n' ended line is read */
 
@@ -312,8 +313,10 @@ static int _assemble_line(FILE *f, char *buffer, int buf_len)
 
 	/* skip leading spaces --- line may be blank */
 
-	s = p + strspn(p, " \n\t");
+	whitespace = strspn(p, " \n\t");
+	s = p + whitespace;
 	if (*s && (*s != '#')) {
+	    used += whitespace;
 	    os = s;
 
 	    /*
-- 
cgit v1.2.3