No Description

007-cve-2014-2583.patch 1.7KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152
  1. From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
  2. From: "Dmitry V. Levin" <ldv@altlinux.org>
  3. Date: Wed, 26 Mar 2014 22:17:23 +0000
  4. Subject: pam_timestamp: fix potential directory traversal issue (ticket #27)
  5. pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
  6. the timestamp pathname it creates, so extra care should be taken to
  7. avoid potential directory traversal issues.
  8. * modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
  9. "." and ".." tty values as invalid.
  10. (get_ruser): Treat "." and ".." ruser values, as well as any ruser
  11. value containing '/', as invalid.
  12. Fixes CVE-2014-2583.
  13. Reported-by: Sebastian Krahmer <krahmer@suse.de>
  14. diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
  15. index 5193733..b3f08b1 100644
  16. --- a/modules/pam_timestamp/pam_timestamp.c
  17. +++ b/modules/pam_timestamp/pam_timestamp.c
  18. @@ -158,7 +158,7 @@ check_tty(const char *tty)
  19. tty = strrchr(tty, '/') + 1;
  20. }
  21. /* Make sure the tty wasn't actually a directory (no basename). */
  22. - if (strlen(tty) == 0) {
  23. + if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
  24. return NULL;
  25. }
  26. return tty;
  27. @@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
  28. if (pwd != NULL) {
  29. ruser = pwd->pw_name;
  30. }
  31. + } else {
  32. + /*
  33. + * This ruser is used by format_timestamp_name as a component
  34. + * of constructed timestamp pathname, so ".", "..", and '/'
  35. + * are disallowed to avoid potential path traversal issues.
  36. + */
  37. + if (!strcmp(ruser, ".") ||
  38. + !strcmp(ruser, "..") ||
  39. + strchr(ruser, '/')) {
  40. + ruser = NULL;
  41. + }
  42. }
  43. if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
  44. *ruserbuf = '\0';
  45. --
  46. cgit v0.10.2