| Field | Value |
|---|---|
| Summary: | <dev-python/pypam-0.5.0-r3: NULL-byte password triggers Double Free Corruption (CVE-2012-1502) |
| Product: | Gentoo Security |
| Reporter: | Michael Harrison <n0idx80> |
| Component: | Vulnerabilities |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | normal |
| CC: | marienz, python |
| Priority: | Normal |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| URL: | http://www.securityfocus.com/archive/1/521930/30/0/threaded |
| Whiteboard: | C2 [glsa] |
| Package list: | |
| Runtime testing required: | --- |
| Attachments: | |
Description
Michael Harrison
2012-03-10 01:12:08 UTC
Thanks to Marien Zwart for the help in reviewing the code and work for a patch.

Created attachment 304769 [details, diff]
slightly more careful patch

A slightly more careful/paranoid patch than nulling out *resp on errors: just leave it untouched completely. This is what pam_conv(3) says we should do.

I suspect this code has other refcounting/memory-management issues (leaks), and its upstream homepage seems to have gone away. Do we need to keep this?

CVE-2012-1502 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1502): Double free vulnerability in the PyPAM_conv in PAMmodule.c in PyPam 0.5.0 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a NULL byte in a password string.

mrueg points out http://pkgs.fedoraproject.org/cgit/PyPAM.git/ has additional patches. Their PyPAM-0.5.0-dealloc.patch is our pypam-0.5.0-python-2.5.patch (PyObject_FREE and PyObject_Del do the same thing) with one extra fix. Their PyPAM-0.5.0-memory-errors.patch fixes the same problem my patch on this bug fixes, as well as several others (I did not review it in detail but superficially the changes look good). I don't know exactly what PyPAM-0.5.0-nofree.patch and PyPAM-0.5.0-return-value.patch fix (can probably be found in their revision history). PyPAM-dlopen.patch looks sensible but not normally necessary for us. PyPAM-python3-support.patch I didn't look at. Applying at least "dealloc" and "memory-errors" and probably also "nofree" and "memory-errors" sounds like a good idea.

*pypam-0.5.0-r3 (13 Jun 2015)

  13 Jun 2015; Manuel Rüger <mrueg@gentoo.org> +files/PyPAM-0.5.0-dealloc.patch,
  +files/PyPAM-0.5.0-memory-errors.patch, +files/PyPAM-0.5.0-nofree.patch,
  +files/PyPAM-0.5.0-return-value.patch, +files/PyPAM-python3-support.patch,
  +pypam-0.5.0-r3.ebuild:
  Apply patches from Fedora fixing security bug #407603 and add support for Python3.

files/PyPAM-0.5.0-memory-errors.patch fixes this CVE.

Arch teams: Please get it stable.
Security: Please prepare a GLSA.

amd64 stable

x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

+ 17 Jun 2015; Justin Lecher <jlec@gentoo.org>
+ -files/pypam-0.5.0-python-2.5.patch, -pypam-0.5.0-r2.ebuild:
+ Drop vulnerable version

Cleaned.

Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.
This issue was resolved and addressed in GLSA 201507-09 at https://security.gentoo.org/glsa/201507-09 by GLSA coordinator Mikle Kolyada (Zlogene).
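The patch discussion above turns on the pam_conv(3) ownership contract: the conversation callback hands libpam one malloc'd array of `struct pam_response` only on success, and on any failure it frees what it allocated itself and leaves `*resp` untouched, so the caller never ends up freeing memory the callback already released. The following C program is an added example written for this page; it is not PyPAM's PAMmodule.c nor any of the Fedora patches. It mirrors the struct and constant definitions from Linux-PAM's `<security/pam_appl.h>` so it builds without libpam, and it uses a hypothetical `answer_source` struct (a buffer with an explicit length) in place of PyPAM's Python callback so that an answer containing an embedded NUL byte, the trigger named in CVE-2012-1502, can be represented and rejected cleanly.

```c
/* Added example: a PAM conversation callback that follows pam_conv(3)
 * ownership rules on both the success and the failure path.
 * The definitions below mirror Linux-PAM's <security/pam_appl.h> so the
 * file compiles stand-alone without libpam (assumption: Linux-PAM values). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAM_SUCCESS          0
#define PAM_BUF_ERR          5
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_PROMPT_ECHO_ON   2

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Hypothetical stand-in for the Python-side answer callback: a buffer with
 * an explicit length, so an embedded NUL is representable and detectable. */
struct answer_source {
    const char *data;
    size_t      len;
};

static int answering_conv(int num_msg, const struct pam_message **msg,
                          struct pam_response **resp, void *appdata_ptr)
{
    struct answer_source *src = appdata_ptr;
    struct pam_response  *replies;
    int i;

    if (num_msg <= 0 || msg == NULL || resp == NULL)
        return PAM_CONV_ERR;

    /* One calloc'd array for all replies: libpam frees the array and each
     * resp string with free(3), so every allocation here must come from malloc. */
    replies = calloc((size_t)num_msg, sizeof *replies);
    if (replies == NULL)
        return PAM_BUF_ERR;

    for (i = 0; i < num_msg; i++) {
        if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF &&
            msg[i]->msg_style != PAM_PROMPT_ECHO_ON)
            continue;                 /* info/error messages carry no answer */

        /* A C string cannot hold a NUL: refuse rather than silently truncate. */
        if (memchr(src->data, '\0', src->len) != NULL)
            goto fail;

        replies[i].resp = malloc(src->len + 1);
        if (replies[i].resp == NULL)
            goto fail;
        memcpy(replies[i].resp, src->data, src->len);
        replies[i].resp[src->len] = '\0';
    }

    *resp = replies;                  /* ownership passes to libpam only now */
    return PAM_SUCCESS;

fail:
    /* Release everything allocated here and leave *resp untouched: the caller
     * never received this memory, so it cannot free it a second time. */
    for (i = 0; i < num_msg; i++)
        free(replies[i].resp);        /* free(NULL) is a no-op */
    free(replies);
    return PAM_CONV_ERR;
}

/* What the caller (libpam) does with a successful reply array. */
static void free_responses(struct pam_response *r, int n)
{
    int i;
    for (i = 0; i < n; i++)
        free(r[i].resp);
    free(r);
}

/* Drive the callback with one password prompt; *out starts as NULL so a
 * caller can observe that a failed conversation leaves it untouched. */
static int run_conv(const char *answer, size_t len, struct pam_response **out)
{
    struct pam_message        m       = { PAM_PROMPT_ECHO_OFF, "Password: " };
    const struct pam_message *msgs[1] = { &m };
    struct answer_source      src     = { answer, len };
    *out = NULL;
    return answering_conv(1, msgs, out, &src);
}

int main(void)
{
    struct pam_response *r = NULL;
    int rc;

    rc = run_conv("hun\0ter", 7, &r);   /* constructed answer with an embedded NUL */
    printf("embedded NUL: rc=%d, *resp %s\n", rc, r == NULL ? "untouched" : "set");

    rc = run_conv("hunter2", 7, &r);    /* constructed ordinary answer */
    printf("plain answer: rc=%d, resp=%s\n", rc, rc == PAM_SUCCESS ? r[0].resp : "(none)");
    if (rc == PAM_SUCCESS)
        free_responses(r, 1);
    return 0;
}
```

The `goto fail` path is the whole point: every early exit frees exactly the memory this function allocated and nothing else, and `*resp` is assigned once, at the end of the success path. Nulling `*resp` on error, the alternative the bug discussion mentions, is harmless for a well-behaved caller but is not what pam_conv(3) specifies; leaving it untouched keeps the contract simple to audit.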