From e5d6334b09673bd2ba996a2a6bf597fda864a879 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Thu, 13 Oct 2011 12:46:01 -0700 Subject: debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch: use setresgid() to wipe out saved-gid just in case. --- debian/changelog | 7 +++++++ debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch | 8 ++++---- 2 files changed, 11 insertions(+), 4 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index f386143e..1edb6d0b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +pam (1.1.3-5) UNRELEASED; urgency=low + + * debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch: use + setresgid() to wipe out saved-gid just in case. + + -- Kees Cook Thu, 13 Oct 2011 12:31:03 -0700 + pam (1.1.3-4) unstable; urgency=low * Make sure shared library links are also installed to the multiarch diff --git a/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch index 80334841..87336651 100644 --- a/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch +++ b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch @@ -7,10 +7,10 @@ Authors: Steve Langasek , Upstream status: to be submitted -Index: pam.deb/modules/pam_unix/unix_chkpwd.c +Index: pam-debian/modules/pam_unix/unix_chkpwd.c =================================================================== ---- pam.deb.orig/modules/pam_unix/unix_chkpwd.c -+++ pam.deb/modules/pam_unix/unix_chkpwd.c +--- pam-debian.orig/modules/pam_unix/unix_chkpwd.c 2011-10-10 16:22:06.270705822 -0700 ++++ pam-debian/modules/pam_unix/unix_chkpwd.c 2011-10-10 16:24:06.080224301 -0700 @@ -137,9 +137,10 @@ /* if the caller specifies the username, verify that user matches it */ @@ -19,7 +19,7 @@ Index: pam.deb/modules/pam_unix/unix_chkpwd.c user = argv[1]; /* no match -> permanently change to the real user and proceed */ - if (setuid(getuid()) != 0) -+ if (setregid(gid, gid) != 0 || setuid(getuid()) != 0) ++ if (setresgid(gid, gid, gid) != 0 || setuid(getuid()) != 0) return PAM_AUTH_ERR; } } -- cgit v1.2.3