
List:       linux-pam-commits
Subject:    [linux-pam] pam_env: abort when encountering an overflowed environment variable expansion
From:       ldv () fedoraproject ! org (ldv)
Date:       2011-10-24 18:53:15
Message-ID: 20111024185315.EC9D2120289 () lists ! fedorahosted ! org

commit 109823cb621c900c07c4b6cdc99070d354d19444
Author: Kees Cook <kees at debian.org>
Date:   Fri Oct 14 19:47:23 2011 +0000

    pam_env: abort when encountering an overflowed environment variable expansion
    
    * modules/pam_env/pam_env.c (_expand_arg): Abort when encountering an
    overflowed environment variable expansion.
    Fixes CVE-2011-3149.
    Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565

 ChangeLog                 |    5 +++++
 modules/pam_env/pam_env.c |    3 +++
 2 files changed, 8 insertions(+), 0 deletions(-)
---
diff --git a/ChangeLog b/ChangeLog
index f823d23..107f765 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
 2011-10-14  Kees Cook <kees at debian.org>
 
+	* modules/pam_env/pam_env.c (_expand_arg): Abort when encountering an
+	overflowed environment variable expansion.
+	Fixes CVE-2011-3149.
+	Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565
+
 	* modules/pam_env/pam_env.c (_assemble_line): Correctly count leading
 	whitespace.
 	Fixes CVE-2011-3148.
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index b7cd387..e04f5b5 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -570,6 +570,7 @@ static int _expand_arg(pam_handle_t *pamh, char **value)
 	D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
 	pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>",
 		 tmp, tmpptr);
+	return PAM_BUF_ERR;
       }
       continue;
     }
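Review bot: The added `return PAM_BUF_ERR;` in this overflow branch, and the identical returns added in the hunks at `@@ -631` and `@@ -642`, carry no comment explaining why _expand_arg must stop here instead of logging and carrying on, which is the entire security fix. I would put `/* tmp is full: stop expanding instead of logging and continuing (CVE-2011-3149) */` above each return, or fold the three log-and-return copies into one small static helper so the policy lives in one place and a later cleanup cannot drop one of them. _expand_arg begins and ends outside these hunks, so please also confirm that every caller treats a non-PAM_SUCCESS result as fatal for that variable and does not export whatever `*value` holds at that point.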
@@ -631,6 +632,7 @@ static int _expand_arg(pam_handle_t *pamh, char **value)
 	    D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
 	    pam_syslog (pamh, LOG_ERR,
 			"Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
+	    return PAM_BUF_ERR;
 	  }
 	}
       }           /* if ('{' != *orig++) */
@@ -642,6 +644,7 @@ static int _expand_arg(pam_handle_t *pamh, char **value)
 	D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
 	pam_syslog(pamh, LOG_ERR,
 		   "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
+	return PAM_BUF_ERR;
       }
     }
   }              /* for (;*orig;) */
