author | Kees Cook <kees@debian.org> | 2011-10-27 17:49:16 -0700 |
---|---|---|
committer | Steve Langasek <vorlon@debian.org> | 2019-01-08 22:11:47 -0800 |
commit | 984b113a7d1f757d7695b544497cb7ad36400816 (patch) | |
tree | 5769ee10d173dcf5e1326c7d7c5d406aaa0eefb1 /debian/patches-applied/pam_env-fix-dos.patch | |
parent | bb19334f8624b2e67fc3fd641fde3809b94f56df (diff) | |
* debian/patches-applied/pam_env-fix-overflow.patch: fix stack overflow
in environment file parsing (CVE-2011-3148).
* debian/patches-applied/pam_env-fix-dos.patch: fix DoS in environment
file parsing (CVE-2011-3149).
Diffstat (limited to 'debian/patches-applied/pam_env-fix-dos.patch')
-rw-r--r-- | debian/patches-applied/pam_env-fix-dos.patch | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/debian/patches-applied/pam_env-fix-dos.patch b/debian/patches-applied/pam_env-fix-dos.patch
new file mode 100644
index 00000000..523e1390
--- /dev/null
+++ b/debian/patches-applied/pam_env-fix-dos.patch
@@ -0,0 +1,33 @@
+Description: abort when encountering an overflowed environment variable
+ expansion (CVE-2011-3149).
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565
+Author: Kees Cook <kees@debian.org>
+
+Index: pam-debian/modules/pam_env/pam_env.c
+===================================================================
+--- pam-debian.orig/modules/pam_env/pam_env.c 2011-10-14 12:47:23.433861595 -0700
++++ pam-debian/modules/pam_env/pam_env.c 2011-10-14 12:47:23.461861963 -0700
+@@ -567,6 +567,7 @@
+ D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
+ pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>",
+ tmp, tmpptr);
++ return PAM_ABORT;
+ }
+ continue;
+ }
+@@ -628,6 +629,7 @@
+ D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
+ pam_syslog (pamh, LOG_ERR,
+ "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
++ return PAM_ABORT;
+ }
+ }
+ } /* if ('{' != *orig++) */
+@@ -639,6 +641,7 @@
+ D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
+ pam_syslog(pamh, LOG_ERR,
+ "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
++ return PAM_ABORT;
+ }
+ }
+ } /* for (;*orig;) */ |
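Review bot: The three added `return PAM_ABORT;` statements (inner hunks at -567, -628 and -639) leave the expansion loop with no comment saying why an overflow is now fatal, and they bypass whatever follows the `for (;*orig;)` loop. The enclosing function starts and ends outside these hunks, so it is not visible whether `tmp` is cleared or anything is released after the loop; if it is, the early exits should do the same, and the caller has to treat PAM_ABORT as a hard failure rather than skipping the entry. I would put a comment above each return, for example `/* overflow: stop expanding instead of carrying on (CVE-2011-3149) */`. The existing `pam_syslog` calls also write `tmp` and `tmpptr` verbatim at LOG_ERR; those presumably hold text taken from the parsed environment file, so it is worth confirming that such values are acceptable in the system log.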