Page:
Errata 2011 11 08
Pages
Errata 2011 11 08
Errata 2013 03 04
Errata 2014 02 26
Errata 2014 06 02
Errata 2014 10 22
Errata 2017 01 18
Errata 2017 02 19
Errata 2019 02 22
Errata 2023 06 27 a
Errata 2023 06 27 b
Errata
History
Home
MigrationToSubversionAndTrac
ObtainingAndInstalling
Releases Calamite
Releases Caliopsis
Releases Cantaloupe
Releases Celandine
Releases Centaury
Releases Checklist
Releases Cinchona
Releases Cineraria
Releases Cinnamon
Releases Cinquefoil
Releases Citronella
Releases Cyclamen
Releases Daffodil
Releases Dianthus
Releases Digitalis
Releases Dogwood
Releases Eelgrass
Releases Feterita
Releases Figwort
Releases Hydrangea
Releases Lycopsida
Releases Micrampelis
Releases Nummularia
Releases Ourouparia
Releases Radula
Releases Resedacea
Releases Tabebuia
Releases Ximenia
Releases
No results
3
Errata 2011 11 08
Dag-Erling Smørgrav edited this page 2023-06-26 18:04:27 +00:00
Table of Contents
Errata: Service name validation
Date:: 2011-11-08
Affects:: All releases prior to Lycopsida
References:: http://c-skills.blogspot.com/2011/11/openpam-trickery.html
Description:: Some setuid programs (e.g. KDE's kcheckpass
) allow the user to specify the service name. Due to insufficient validation in OpenPAM's configuration parser, this can be exploited to load a PAM policy from an arbitrary (user-crafted) file and thus execute arbitrary code with root privileges.
Workaround:: Remove or restrict any program that allows the user to specify the service name.
Fix:: OpenPAM Lycopsida features a completely rewritten configuration parser. If you are unable or unwilling to upgrade, apply the following patch (courtesy of NetBSD's Matthias Drochner):
--- lib/openpam_configure.c (revision 228464)
+++ lib/openpam_configure.c (revision 228465)
@@ -285,6 +285,13 @@
size_t len;
int r;
+ /* don't allow to escape from policy_path */
+ if (strchr(service, '/')) {
+ openpam_log(PAM_LOG_ERROR, "invalid service name: %s",
+ service);
+ return (-PAM_SYSTEM_ERR);
+ }
+
for (path = openpam_policy_path; *path != NULL; ++path) {
len = strlen(*path);
if ((*path)[len - 1] == '/') {