Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 407603 (CVE-2012-1502) - <dev-python/pypam-0.5.0-r3: NULL-byte password triggers Double Free Corruption (CVE-2012-1502)
Summary: <dev-python/pypam-0.5.0-r3: NULL-byte password triggers Double Free Corruptio...
Status: RESOLVED FIXED
Alias: CVE-2012-1502
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: C2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-10 01:12 UTC by Michael Harrison
Modified: 2015-07-09 18:54 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
slightly more careful patch (pypam-0.5.0-cve-2012-1502.patch,1.50 KB, patch)
2012-03-10 01:24 UTC, Marien Zwart (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Harrison 2012-03-10 01:12:08 UTC
Supplying a password containing a NULL-byte to the PyPAM module, a double-free [1]
condition is triggered. This leads to undefined behavior and may allow
remote code execution.

Temporary Solution:
Filtering NULL-bytes in strings before passing them to the PyPAM module
will mitigate the exploit. Also current GLIBC protections may prevent
the double-free condition from being exploitable. It is advised to update
to a fixed version of PyPAM.
Comment 1 Michael Harrison 2012-03-10 01:19:15 UTC
Thanks to Marien Zwart for the help in reviewing the code and work for a patch.
Comment 2 Marien Zwart (RETIRED) gentoo-dev 2012-03-10 01:24:41 UTC
Created attachment 304769 [details, diff]
slightly more careful patch

A slightly more careful/paranoid patch than nulling out *resp on errors: just leave it untouched completely. This is what pam_conv(3) says we should do.

I suspect this code has other refcounting/memory-management issues (leaks), and its upstream homepage seems to have gone away. Do we need to keep this?
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-06-29 21:01:01 UTC
CVE-2012-1502 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1502):
  Double free vulnerability in the PyPAM_conv in PAMmodule.c in PyPam 0.5.0
  and earlier allows remote attackers to cause a denial of service
  (application crash) or possibly execute arbitrary code via a NULL byte in a
  password string.
Comment 4 Marien Zwart (RETIRED) gentoo-dev 2015-06-13 09:05:15 UTC
mrueg points out http://pkgs.fedoraproject.org/cgit/PyPAM.git/ has additional patches.

Their PyPAM-0.5.0-dealloc.patch is our pypam-0.5.0-python-2.5.patch (PyoObject_FREE and PyObject_Del do the same thing) with one extra fix.

Their PyPAM-0.5.0-memory-errors.patch fixes the same problem my patch on this bug fixes, as well as several others (I did not review it in detail but superficially the changes look good).

I don't know exactly what PyPAM-0.5.0-nofree.patch and PyPAM-0.5.0-return-value.patch fix (can probably be found in their revision history).

PyPAM-dlopen.patch looks sensible but not normally necessary for us.

PyPAM-python3-support.patch I didn't look at.

Applying at least "dealloc" and "memory-errors" and probably also "nofree" and "memory-errors" sounds like a good idea.
Comment 5 Manuel Rüger (RETIRED) gentoo-dev 2015-06-13 14:16:03 UTC
*pypam-0.5.0-r3 (13 Jun 2015)

  13 Jun 2015; Manuel Rüger <mrueg@gentoo.org> +files/PyPAM-0.5.0-dealloc.patch,
  +files/PyPAM-0.5.0-memory-errors.patch, +files/PyPAM-0.5.0-nofree.patch,
  +files/PyPAM-0.5.0-return-value.patch, +files/PyPAM-python3-support.patch,
  +pypam-0.5.0-r3.ebuild:
  Apply patches from Fedora fixing security bug #407603 and add support for
  Python3.


files/PyPAM-0.5.0-memory-errors.patch fixes this CVE.

Arch teams: Please get it stable.

Security: Please prepare a GLSA.
Comment 6 Agostino Sarubbo gentoo-dev 2015-06-16 07:19:11 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-06-17 07:32:16 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 8 Justin Lecher gentoo-dev 2015-06-17 07:49:51 UTC
+  17 Jun 2015; Justin Lecher <jlec@gentoo.org>
+  -files/pypam-0.5.0-python-2.5.patch, -pypam-0.5.0-r2.ebuild:
+  Drop vulnerable version
+

Cleaned.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev Security 2015-06-21 03:26:08 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2015-07-09 18:54:23 UTC
This issue was resolved and addressed in
 GLSA 201507-09 at https://security.gentoo.org/glsa/201507-09
by GLSA coordinator Mikle Kolyada (Zlogene).