pam_timestamp: fix potential directory traversal issue (ticket #27) - pam.git - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Dmitry V. Levin <ldv@altlinux.org>	2014-03-26 22:17:23 +0000
committer	Dmitry V. Levin <ldv@altlinux.org>	2014-03-26 22:17:23 +0000
commit	9dcead87e6d7f66d34e7a56d11a30daca367dffb (patch)
tree	27a38640b5de24d1cd42eff5fcdd80bbc2c2b5c1 /modules/pam_unix/md5_crypt.c
parent	d332be7fa933f5424abee6c7e385f0de174603d2 (diff)
download	pam-9dcead87e6d7f66d34e7a56d11a30daca367dffb.tar.gz pam-9dcead87e6d7f66d34e7a56d11a30daca367dffb.tar.bz2 pam-9dcead87e6d7f66d34e7a56d11a30daca367dffb.zip

pam_timestamp: fix potential directory traversal issue (ticket #27)

pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of the timestamp pathname it creates, so extra care should be taken to avoid potential directory traversal issues. * modules/pam_timestamp/pam_timestamp.c (check_tty): Treat "." and ".." tty values as invalid. (get_ruser): Treat "." and ".." ruser values, as well as any ruser value containing '/', as invalid. Fixes CVE-2014-2583. Reported-by: Sebastian Krahmer <krahmer@suse.de>

Diffstat (limited to 'modules/pam_unix/md5_crypt.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: