-rw-r--r-- | changelog | 7 | ||||
-rw-r--r-- | patches-applied/limits_stupid_strncpy | 83 | ||||
-rw-r--r-- | patches-applied/series | 1 |
3 files changed, 91 insertions, 0 deletions
@@ -1,3 +1,10 @@
+pam (0.99.7.1-3) UNRELEASED; urgency=low
+
+ * Fix unnecessary manipulations of string buffers, including an illegal use
+ of strncpy(). Thanks to Paul Hampson for reporting. Closes: #331278.
+
+ -- Steve Langasek <vorlon@debian.org> Sun, 26 Aug 2007 20:51:28 -0700
+
 pam (0.99.7.1-2) unstable; urgency=low
 
 * New upstream release; thanks to Roger Leigh and Jan Christoph Nordholz
diff --git a/patches-applied/limits_stupid_strncpy b/patches-applied/limits_stupid_strncpy
new file mode 100644
index 00000000..293cb098
--- /dev/null
+++ b/patches-applied/limits_stupid_strncpy
@@ -0,0 +1,83 @@
+Index: pam/Linux-PAM/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam.orig/Linux-PAM/modules/pam_limits/pam_limits.c
++++ pam/Linux-PAM/modules/pam_limits/pam_limits.c
+@@ -516,8 +516,6 @@
+ }
+ #undef CONF_FILE
+
+- /* init things */
+- memset(buf, 0, sizeof(buf));
+ /* start the show */
+ while (fgets(buf, LINE_LENGTH, fil) != NULL) {
+ char domain[LINE_LENGTH];
+@@ -526,46 +524,40 @@
+ char value[LINE_LENGTH];
+ int i;
+ size_t j;
+- char *tptr;
++ char *tptr,*line;
+
+- tptr = buf;
++ line = buf;
+ /* skip the leading white space */
+- while (*tptr && isspace(*tptr))
+- tptr++;
+- strncpy(buf, tptr, sizeof(buf)-1);
+- buf[sizeof(buf)-1] = '\0';
++ while (*line && isspace(*line))
++ line++;
+
+ /* Rip off the comments */
+- tptr = strchr(buf,'#');
++ tptr = strchr(line,'#');
+ if (tptr)
+ *tptr = '\0';
+ /* Rip off the newline char */
+- tptr = strchr(buf,'\n');
++ tptr = strchr(line,'\n');
+ if (tptr)
+ *tptr = '\0';
+ /* Anything left ? */
+- if (!strlen(buf)) {
+- memset(buf, 0, sizeof(buf));
++ if (!strlen(line))
+ continue;
+- }
+
+- memset(domain, 0, sizeof(domain));
+- memset(ltype, 0, sizeof(ltype));
+- memset(item, 0, sizeof(item));
+- memset(value, 0, sizeof(value));
++ domain[0] = ltype[0] = item[0] = value[0] = '\0';
+
+- i = sscanf(buf,"%s%s%s%s", domain, ltype, item, value);
++ i = sscanf(line,"%s%s%s%s", domain, ltype, item, value);
+ D(("scanned line[%d]: domain[%s], ltype[%s], item[%s], value[%s]",
+ i, domain, ltype, item, value));
+
+ for(j=0; j < strlen(ltype); j++)
+ ltype[j]=tolower(ltype[j]);
+- for(j=0; j < strlen(item); j++)
+- item[j]=tolower(item[j]);
+- for(j=0; j < strlen(value); j++)
+- value[j]=tolower(value[j]);
+
+ if (i == 4) { /* a complete line */
++ for(j=0; j < strlen(item); j++)
++ item[j]=tolower(item[j]);
++ for(j=0; j < strlen(value); j++)
++ value[j]=tolower(value[j]);
++
+ if (strcmp(uname, domain) == 0) /* this user have a limit */
+ process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
+ else if (domain[0]=='@' && !pl->root) {
+@@ -611,7 +603,7 @@
+ return PAM_IGNORE;
+ }
+ } else {
+- pam_syslog(pamh, LOG_WARNING, "invalid line '%s' - skipped", buf);
++ pam_syslog(pamh, LOG_WARNING, "invalid line '%s' - skipped", line);
+ }
+ }
+ fclose(fil);
diff --git a/patches-applied/series b/patches-applied/series
index df0d86c3..6120aeec 100644
--- a/patches-applied/series
+++ b/patches-applied/series
@@ -29,4 +29,5 @@ hurd_no_setfsuid -p0
 065_pam_unix_cracklib_disable
 PAM-manpage-section
 no_pthread_mutexes
+limits_stupid_strncpy
 autoconf.patch |
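Review bot: In the embedded pam_limits.c patch, the new `while (*line && isspace(*line))` loop and the `tolower(ltype[j])`, `tolower(item[j])` and `tolower(value[j])` calls pass a plain `char` to the <ctype.h> functions, which is undefined for negative values; a limits.conf line containing bytes above 0x7f (a UTF-8 user or group name, for instance) reaches that case wherever `char` is signed. Casting at each call closes it: `while (*line && isspace((unsigned char)*line))` and `item[j] = tolower((unsigned char)item[j]);`. Separately, the unbounded `"%s%s%s%s"` in the `sscanf()` call is safe only because every token comes from a line that `fgets(buf, LINE_LENGTH, fil)` already capped and the targets are `char[LINE_LENGTH]` (visible for `domain` and `value`; `ltype`, `item` and `buf` are declared outside the hunks and are assumed to match), so a comment such as `/* tokens fit: line was read with fgets(buf, LINE_LENGTH, ...) */` next to the call would keep a later buffer-size change from silently turning it into an overflow. The enclosing function starts and ends outside the hunks.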