authorvorlon <Unknown>2005-10-26 08:36:24 +0000
committervorlon <Unknown>2005-10-26 08:36:24 +0000
commit2eb8194827b6c8663f9738fc0bd1d54a3c87ad71 (patch)
tree0096bcb43e86e180b5b97d6e648a26f2e2ba23df
parentdddf3b02d3c2fd22442f38fbb9546aaec7d33625 (diff)
downloadpam-2eb8194827b6c8663f9738fc0bd1d54a3c87ad71.tar.gz
pam-2eb8194827b6c8663f9738fc0bd1d54a3c87ad71.tar.bz2
pam-2eb8194827b6c8663f9738fc0bd1d54a3c87ad71.zip
Patch 061: fix a double free in pam_issue, caused by overuse (and misuse)
of strdup (similar to patch 059). Already fixed upstream. Closes: #327272.
-rw-r--r--changelog3
-rw-r--r--patches-applied/061_pam_issue_double_free76
2 files changed, 79 insertions, 0 deletions
diff --git a/changelog b/changelog
index c8d31ef8..1f395611 100644
--- a/changelog
+++ b/changelog
@@ -11,6 +11,9 @@ pam (0.79-4) UNRELEASED; urgency=low
compatibility.
* Patch 060: fix a segfault in pam_tally caused by misuse of
pam_get_data(); already fixed upstream. Closes: #335273.
+ * Patch 061: fix a double free in pam_issue, caused by overuse (and misuse)
+ of strdup (similar to patch 059). Already fixed upstream.
+ Closes: #327272.
-- Steve Langasek <vorlon@debian.org> Sun, 23 Oct 2005 23:17:24 -0700
diff --git a/patches-applied/061_pam_issue_double_free b/patches-applied/061_pam_issue_double_free
new file mode 100644
index 00000000..79a42527
--- /dev/null
+++ b/patches-applied/061_pam_issue_double_free
@@ -0,0 +1,76 @@
+Index: Linux-PAM/modules/pam_issue/pam_issue.c
+===================================================================
+--- Linux-PAM/modules/pam_issue/pam_issue.c (revision 363)
++++ Linux-PAM/modules/pam_issue/pam_issue.c (working copy)
+@@ -64,11 +64,11 @@
+
+ for ( ; argc-- > 0 ; ++argv ) {
+ if (!strncmp(*argv,"issue=",6)) {
+- issue_file = (char *) strdup(6+*argv);
+- if (issue_file != NULL) {
++ issue_file = 6+*argv;
++ if (*issue_file != '\0') {
+ D(("set issue_file to: %s", issue_file));
+ } else {
+- D(("failed to strdup issue_file - ignored"));
++ D(("empty issue= value - ignored"));
+ return PAM_IGNORE;
+ }
+ } else if (!strcmp(*argv,"noesc")) {
+@@ -79,15 +79,13 @@
+ }
+
+ if (issue_file == NULL)
+- issue_file = strdup("/etc/issue");
++ issue_file = "/etc/issue";
+
+ if ((fd = fopen(issue_file, "r")) != NULL) {
+ int tot_size = 0;
+
+ if (fstat(fileno(fd), &st) < 0) {
+ fclose(fd);
+- if (issue_file)
+- free(issue_file);
+ return PAM_IGNORE;
+ }
+
+@@ -95,8 +93,6 @@
+ (const void **) &cur_prompt);
+ if (retval != PAM_SUCCESS) {
+ fclose(fd);
+- if (issue_file)
+- free(issue_file);
+ return PAM_IGNORE;
+ }
+ if (cur_prompt == NULL) {
+@@ -109,8 +105,6 @@
+ prompt_tmp = do_prompt(fd);
+ if (prompt_tmp == NULL) {
+ fclose(fd);
+- if (issue_file)
+- free(issue_file);
+ return PAM_IGNORE;
+ }
+ } else {
+@@ -119,8 +113,6 @@
+ prompt_tmp = malloc(st.st_size + 1);
+ if (prompt_tmp == NULL) {
+ fclose(fd);
+- if (issue_file)
+- free(issue_file);
+ return PAM_IGNORE;
+ }
+ memset (prompt_tmp, '\0', st.st_size + 1);
+@@ -160,12 +152,10 @@
+ (const char *) prompt_tmp);
+
+ cleanup:
+- free(issue_file);
+ free(prompt_tmp);
+
+ } else {
+ D(("could not open issue_file: %s", issue_file));
+- free(issue_file);
+ return PAM_IGNORE;
+ }
+
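Review bot: `issue_file` now borrows its storage (`issue_file = 6+*argv;` and `issue_file = "/etc/issue";`), but its declaration is outside the visible hunks and the patch does not touch it. If it is still a plain `char *`, the first assignment drops the `const` that PAM module entry points put on `argv`, and nothing stops a later edit from freeing or writing through the pointer, which is the class of bug this patch removes. I would change the declaration to `const char *issue_file = NULL;` and add the comment `/* borrowed from argv or a string literal: never free() */` beside it, so the compiler warns on a reintroduced `free(issue_file)`. The enclosing function starts and ends outside the patch, so any use of `issue_file` beyond the lines shown should be checked for a remaining `free()`.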