mirror of
https://gitlab.com/CinnamonSlackBuilds/csb.git
synced 2024-12-26 21:59:28 +01:00
pam: Fix 2 CVEs.
Signed-off-by: Willy Sudiarto Raharjo <willysr@slackware-id.org>
This commit is contained in:
parent
268a2fd2db
commit
dfe444c0ce
3 changed files with 113 additions and 2 deletions
52
pam/pam-1.1.8-cve-2013-7041.patch
Normal file
52
pam/pam-1.1.8-cve-2013-7041.patch
Normal file
|
@ -0,0 +1,52 @@
|
||||||
|
From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
||||||
|
Date: Fri, 24 Jan 2014 22:18:32 +0000
|
||||||
|
Subject: [PATCH] pam_userdb: fix password hash comparison
|
||||||
|
|
||||||
|
Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
|
||||||
|
passwords support in pam_userdb, hashes are compared case-insensitively.
|
||||||
|
This bug leads to accepting hashes for completely different passwords in
|
||||||
|
addition to those that should be accepted.
|
||||||
|
|
||||||
|
Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
|
||||||
|
modern password hashes with different lengths and settings, did not
|
||||||
|
update the hash comparison accordingly, which leads to accepting
|
||||||
|
computed hashes longer than stored hashes when the latter is a prefix
|
||||||
|
of the former.
|
||||||
|
|
||||||
|
* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
|
||||||
|
hash whose length differs from the stored hash length.
|
||||||
|
Compare computed and stored hashes case-sensitively.
|
||||||
|
Fixes CVE-2013-7041.
|
||||||
|
|
||||||
|
Bug-Debian: http://bugs.debian.org/731368
|
||||||
|
---
|
||||||
|
modules/pam_userdb/pam_userdb.c | 9 ++++++---
|
||||||
|
1 file changed, 6 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
|
||||||
|
index de8b5b1..ff040e6 100644
|
||||||
|
--- a/modules/pam_userdb/pam_userdb.c
|
||||||
|
+++ b/modules/pam_userdb/pam_userdb.c
|
||||||
|
@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
|
||||||
|
} else {
|
||||||
|
cryptpw = crypt (pass, data.dptr);
|
||||||
|
|
||||||
|
- if (cryptpw) {
|
||||||
|
- compare = strncasecmp (data.dptr, cryptpw, data.dsize);
|
||||||
|
+ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
|
||||||
|
+ compare = memcmp(data.dptr, cryptpw, data.dsize);
|
||||||
|
} else {
|
||||||
|
compare = -2;
|
||||||
|
if (ctrl & PAM_DEBUG_ARG) {
|
||||||
|
- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
|
||||||
|
+ if (cryptpw)
|
||||||
|
+ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
|
||||||
|
+ else
|
||||||
|
+ pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
--
|
||||||
|
1.8.3.1
|
||||||
|
|
56
pam/pam-1.1.8-cve-2014-2583.patch
Normal file
56
pam/pam-1.1.8-cve-2014-2583.patch
Normal file
|
@ -0,0 +1,56 @@
|
||||||
|
From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
||||||
|
Date: Wed, 26 Mar 2014 22:17:23 +0000
|
||||||
|
Subject: [PATCH] pam_timestamp: fix potential directory traversal issue
|
||||||
|
(ticket #27)
|
||||||
|
|
||||||
|
pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
|
||||||
|
the timestamp pathname it creates, so extra care should be taken to
|
||||||
|
avoid potential directory traversal issues.
|
||||||
|
|
||||||
|
* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
|
||||||
|
"." and ".." tty values as invalid.
|
||||||
|
(get_ruser): Treat "." and ".." ruser values, as well as any ruser
|
||||||
|
value containing '/', as invalid.
|
||||||
|
|
||||||
|
Fixes CVE-2014-2583.
|
||||||
|
|
||||||
|
Reported-by: Sebastian Krahmer <krahmer@suse.de>
|
||||||
|
---
|
||||||
|
modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++-
|
||||||
|
1 file changed, 12 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
|
||||||
|
index 5193733..b3f08b1 100644
|
||||||
|
--- a/modules/pam_timestamp/pam_timestamp.c
|
||||||
|
+++ b/modules/pam_timestamp/pam_timestamp.c
|
||||||
|
@@ -158,7 +158,7 @@ check_tty(const char *tty)
|
||||||
|
tty = strrchr(tty, '/') + 1;
|
||||||
|
}
|
||||||
|
/* Make sure the tty wasn't actually a directory (no basename). */
|
||||||
|
- if (strlen(tty) == 0) {
|
||||||
|
+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
return tty;
|
||||||
|
@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
|
||||||
|
if (pwd != NULL) {
|
||||||
|
ruser = pwd->pw_name;
|
||||||
|
}
|
||||||
|
+ } else {
|
||||||
|
+ /*
|
||||||
|
+ * This ruser is used by format_timestamp_name as a component
|
||||||
|
+ * of constructed timestamp pathname, so ".", "..", and '/'
|
||||||
|
+ * are disallowed to avoid potential path traversal issues.
|
||||||
|
+ */
|
||||||
|
+ if (!strcmp(ruser, ".") ||
|
||||||
|
+ !strcmp(ruser, "..") ||
|
||||||
|
+ strchr(ruser, '/')) {
|
||||||
|
+ ruser = NULL;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
|
||||||
|
*ruserbuf = '\0';
|
||||||
|
--
|
||||||
|
1.8.3.1
|
||||||
|
|
|
@ -27,7 +27,7 @@
|
||||||
SRCNAM=Linux-PAM
|
SRCNAM=Linux-PAM
|
||||||
PRGNAM=pam
|
PRGNAM=pam
|
||||||
VERSION=${VERSION:-1.1.8}
|
VERSION=${VERSION:-1.1.8}
|
||||||
BUILD=${BUILD:-1}
|
BUILD=${BUILD:-2}
|
||||||
TAG=${TAG:-_csb}
|
TAG=${TAG:-_csb}
|
||||||
|
|
||||||
if [ -z "$ARCH" ]; then
|
if [ -z "$ARCH" ]; then
|
||||||
|
@ -73,7 +73,10 @@ find -L . \
|
||||||
\( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
|
\( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
|
||||||
-o -perm 511 \) -exec chmod 755 {} \; -o \
|
-o -perm 511 \) -exec chmod 755 {} \; -o \
|
||||||
\( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
|
\( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
|
||||||
-o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
|
-o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
|
||||||
|
|
||||||
|
patch -p1 < $CWD/pam-1.1.8-cve-2013-7041.patch
|
||||||
|
patch -p1 < $CWD/pam-1.1.8-cve-2014-2583.patch
|
||||||
|
|
||||||
CFLAGS="$SLKCFLAGS" \
|
CFLAGS="$SLKCFLAGS" \
|
||||||
CXXFLAGS="$SLKCFLAGS" \
|
CXXFLAGS="$SLKCFLAGS" \
|
||||||
|
|
Loading…
Reference in a new issue