debian/patches-applied/pam_env-fix-overflow.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

Description: correctly count leading whitespace when parsing environment
 file (CVE-2011-3148).
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469
Author: Kees Cook <kees@debian.org>

Index: pam-debian/modules/pam_env/pam_env.c
===================================================================
--- pam-debian.orig/modules/pam_env/pam_env.c	2011-10-14 10:51:30.973701139 -0700
+++ pam-debian/modules/pam_env/pam_env.c	2011-10-14 12:32:25.578188004 -0700
@@ -287,6 +287,7 @@
     char *p = buffer;
     char *s, *os;
     int used = 0;
+    int whitespace;
 
     /* loop broken with a 'break' when a non-'\\n' ended line is read */
 
@@ -309,8 +310,10 @@
 
 	/* skip leading spaces --- line may be blank */
 
-	s = p + strspn(p, " \n\t");
+	whitespace = strspn(p, " \n\t");
+	s = p + whitespace;
 	if (*s && (*s != '#')) {
+	    used += whitespace;
 	    os = s;
 
 	    /*