Bug 407603 (CVE-2012-1502) - <dev-python/pypam-0.5.0-r3: NULL-byte password triggers Double Free Corruption (CVE-2012-1502)
Status: RESOLVED FIXED
Alias: CVE-2012-1502
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: C2 [glsa]
Reported: 2012-03-10 01:12 UTC by Michael Harrison
Modified: 2015-07-09 18:54 UTC
Attachments
slightly more careful patch (pypam-0.5.0-cve-2012-1502.patch, 1.50 KB, patch), 2012-03-10 01:24 UTC, Marien Zwart (RETIRED)

Description Michael Harrison 2012-03-10 01:12:08 UTC
When a password containing a NULL byte is supplied to the PyPAM module, a
double-free [1] condition is triggered. This leads to undefined behavior and
may allow remote code execution.

Temporary Solution:
Filtering NULL-bytes in strings before passing them to the PyPAM module
will mitigate the exploit. Also current GLIBC protections may prevent
the double-free condition from being exploitable. It is advised to update
to a fixed version of PyPAM.
Comment 1 Michael Harrison 2012-03-10 01:19:15 UTC
Thanks to Marien Zwart for the help in reviewing the code and work for a patch.
Comment 2 Marien Zwart (RETIRED) gentoo-dev 2012-03-10 01:24:41 UTC
Created attachment 304769
slightly more careful patch

A slightly more careful/paranoid patch than nulling out *resp on errors: just leave it untouched completely. This is what pam_conv(3) says we should do.

I suspect this code has other refcounting/memory-management issues (leaks), and its upstream homepage seems to have gone away. Do we need to keep this?
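The pam_conv(3) rule Marien refers to, shown as an added C example (this is not the attached patch and not PyPAM's PAMmodule.c): the conversation callback assigns *resp only on success, and on an error such as a password buffer containing a NUL byte it frees its own allocations and leaves *resp untouched, so libpam never frees the same memory twice. The struct pam_message / struct pam_response definitions and the secret struct are stand-ins constructed here so the file builds without libpam headers.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the libpam types, constructed here so the example builds
 * without pam_appl.h; layout follows pam_conv(3). */
#define PAM_SUCCESS 0
#define PAM_CONV_ERR 19
#define PAM_PROMPT_ECHO_OFF 1
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* The credential with an explicit length, so an embedded NUL is visible. */
struct secret { const char *data; size_t len; };

/* Conversation callback written as pam_conv(3) requires: *resp is assigned
 * only on success. On any failure every response allocated here is freed
 * and *resp is left untouched, so libpam has nothing to free afterwards
 * and the double free described in this bug cannot happen. */
int safe_conv(int num_msg, const struct pam_message **msg,
              struct pam_response **resp, void *appdata)
{
    const struct secret *pw = appdata;
    struct pam_response *reply;
    int i;

    if (num_msg <= 0)
        return PAM_CONV_ERR;
    reply = calloc((size_t)num_msg, sizeof *reply);
    if (reply == NULL)
        return PAM_CONV_ERR;
    for (i = 0; i < num_msg; i++) {
        if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF)
            continue;                 /* other styles get no reply */
        if (memchr(pw->data, '\0', pw->len) != NULL)
            goto fail;                /* a NUL byte cannot be a C string */
        reply[i].resp = malloc(pw->len + 1);
        if (reply[i].resp == NULL)
            goto fail;
        memcpy(reply[i].resp, pw->data, pw->len);
        reply[i].resp[pw->len] = '\0';
    }
    *resp = reply;                    /* ownership passes to the caller now */
    return PAM_SUCCESS;

fail:
    for (i = 0; i < num_msg; i++)
        free(reply[i].resp);          /* free(NULL) is a no-op */
    free(reply);
    return PAM_CONV_ERR;
}
```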
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-06-29 21:01:01 UTC
CVE-2012-1502 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1502):
  Double free vulnerability in the PyPAM_conv in PAMmodule.c in PyPam 0.5.0
  and earlier allows remote attackers to cause a denial of service
  (application crash) or possibly execute arbitrary code via a NULL byte in a
  password string.
Comment 4 Marien Zwart (RETIRED) gentoo-dev 2015-06-13 09:05:15 UTC
mrueg points out http://pkgs.fedoraproject.org/cgit/PyPAM.git/ has additional patches.

Their PyPAM-0.5.0-dealloc.patch is our pypam-0.5.0-python-2.5.patch (PyObject_FREE and PyObject_Del do the same thing) with one extra fix.

Their PyPAM-0.5.0-memory-errors.patch fixes the same problem my patch on this bug fixes, as well as several others (I did not review it in detail but superficially the changes look good).

I don't know exactly what PyPAM-0.5.0-nofree.patch and PyPAM-0.5.0-return-value.patch fix (can probably be found in their revision history).

PyPAM-dlopen.patch looks sensible but not normally necessary for us.

PyPAM-python3-support.patch I didn't look at.

Applying at least "dealloc" and "memory-errors" and probably also "nofree" and "memory-errors" sounds like a good idea.
Comment 5 Manuel Rüger (RETIRED) gentoo-dev 2015-06-13 14:16:03 UTC
*pypam-0.5.0-r3 (13 Jun 2015)

  13 Jun 2015; Manuel Rüger <mrueg@gentoo.org> +files/PyPAM-0.5.0-dealloc.patch,
  +files/PyPAM-0.5.0-memory-errors.patch, +files/PyPAM-0.5.0-nofree.patch,
  +files/PyPAM-0.5.0-return-value.patch, +files/PyPAM-python3-support.patch,
  +pypam-0.5.0-r3.ebuild:
  Apply patches from Fedora fixing security bug #407603 and add support for
  Python3.


files/PyPAM-0.5.0-memory-errors.patch fixes this CVE.

Arch teams: Please get it stable.

Security: Please prepare a GLSA.
Comment 6 Agostino Sarubbo gentoo-dev 2015-06-16 07:19:11 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-06-17 07:32:16 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 8 Justin Lecher (RETIRED) gentoo-dev 2015-06-17 07:49:51 UTC
+  17 Jun 2015; Justin Lecher <jlec@gentoo.org>
+  -files/pypam-0.5.0-python-2.5.patch, -pypam-0.5.0-r2.ebuild:
+  Drop vulnerable version
+

Cleaned.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2015-06-21 03:26:08 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2015-07-09 18:54:23 UTC
This issue was resolved and addressed in
 GLSA 201507-09 at https://security.gentoo.org/glsa/201507-09
by GLSA coordinator Mikle Kolyada (Zlogene).