Gentoo's Bugzilla – Attachment 381762 Details for Bug 505604: <sys-libs/pam-1.1.8-r3: path traversal issue in pam_timestamp's format_timestamp_name()
pam-1.1.8-cve-2014-2583.patch (text/plain), 1.80 KB, created by Andrey Ovcharov on 2014-07-29 06:42:47 UTC
>From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001 >From: "Dmitry V. Levin" <ldv@altlinux.org> >Date: Wed, 26 Mar 2014 22:17:23 +0000 >Subject: [PATCH] pam_timestamp: fix potential directory traversal issue > (ticket #27) > >pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of >the timestamp pathname it creates, so extra care should be taken to >avoid potential directory traversal issues. > >* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat >"." and ".." tty values as invalid. >(get_ruser): Treat "." and ".." ruser values, as well as any ruser >value containing '/', as invalid. > >Fixes CVE-2014-2583. > >Reported-by: Sebastian Krahmer <krahmer@suse.de> >--- > modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++- > 1 file changed, 12 insertions(+), 1 deletion(-) > >diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c >index 5193733..b3f08b1 100644 >--- a/modules/pam_timestamp/pam_timestamp.c >+++ b/modules/pam_timestamp/pam_timestamp.c >@@ -158,7 +158,7 @@ check_tty(const char *tty) > tty = strrchr(tty, '/') + 1; > } > /* Make sure the tty wasn't actually a directory (no basename). */ >- if (strlen(tty) == 0) { >+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) { > return NULL; > } > return tty; >@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen) > if (pwd != NULL) { > ruser = pwd->pw_name; > } >+ } else { >+ /* >+ * This ruser is used by format_timestamp_name as a component >+ * of constructed timestamp pathname, so ".", "..", and '/' >+ * are disallowed to avoid potential path traversal issues. >+ */ >+ if (!strcmp(ruser, ".") || >+ !strcmp(ruser, "..") || >+ strchr(ruser, '/')) { >+ ruser = NULL; >+ } > } > if (ruser == NULL || strlen(ruser) >= ruserbuflen) { > *ruserbuf = '\0'; >-- >1.8.3.1 >
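Review bot: In check_tty (hunk at -158), the comment above the changed condition still reads only "Make sure the tty wasn't actually a directory (no basename)", while the condition now also rejects "." and "..". Suggest extending that comment to say these basenames are refused because the tty value is used as a component of the timestamp pathname, in line with the comment added in get_ruser. Style point: `!strlen(tty)` scans the whole string just to test for empty; `*tty == '\0'` expresses the same check directly.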
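Review bot: In get_ruser (hunk at -243), the new "."/".."/'/' check sits only in the else branch, so a name assigned by `ruser = pwd->pw_name` in the other branch reaches the length check below without being validated. Because the following `if (ruser == NULL || strlen(ruser) >= ruserbuflen)` already handles NULL, running the check once after both branches would cover both sources of the name with no extra control flow. Unlike check_tty, the visible lines also do not reject an empty ruser; it is worth confirming that an empty string is handled before it is used as a pathname component.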