3 Errata 2023 06 27 b
Dag-Erling Smørgrav edited this page 2023-06-27 17:13:16 +00:00

Errata: Buffer overrun in openpam_subst()

Date:: 2023-06-27

Affects:: All releases prior to Ximenia

Description:: If the template ends in a % character, openpam_subst(3) will read past the end.

Workaround:: Ensure that the user prompt (see pam_get_user(3) manual page for details) does not end in a % character.

Fix:: Upgrade to OpenPAM Ximenia. If you are unable or unwilling to upgrade, apply the following patch:

--- lib/libpam/openpam_subst.c.orig
+++ lib/libpam/openpam_subst.c
@@ -104,7 +104,8 @@ openpam_subst(const pam_handle_t *pamh,
                                subst_char('%');
                                subst_char(*template);
                        }
-                       ++template;
+                       if (*template)
+                               ++template;
                } else {
                        subst_char(*template++);
                }