Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Don't allow '/' characters in the "service" argument to pam_start() 

The "service" is blindly appended to config directories ("/etc/pam.d/"),
and if a user can control the "service" it can get PAM to read config
files from any location.
This is not a problem with most software because the "service" is
usually a constant string. The check protects 3rd party software
from being abused.
(CVE-2011-4122)
This commit is contained in:
drochner 2011-11-09 20:26:41 +00:00
parent 7621b801a7
commit 8e6899dea3
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
dist/openpam/lib/openpam_configure.c vendored
View File

@ -32,7 +32,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: openpam_configure.c,v 1.5 2008/01/27 01:22:59 christos Exp $
* $Id: openpam_configure.c,v 1.6 2011/11/09 20:26:41 drochner Exp $
*/
#include <ctype.h>
@ -289,6 +289,12 @@ openpam_load_chain(pam_handle_t *pamh,
size_t len;
int r;
/* don't allow to escape from policy_path */
if (strchr(service, '/')) {
openpam_log(PAM_LOG_ERROR, "illegal service \"%s\"", service);
return (-PAM_SYSTEM_ERR);
}
for (path = openpam_policy_path; *path != NULL; ++path) {
len = strlen(*path);
if ((*path)[len - 1] == '/') {