diff options
Diffstat (limited to 'debian/patches-applied/cve-2015-3238.patch')
| -rw-r--r-- | debian/patches-applied/cve-2015-3238.patch | 213 |
1 files changed, 213 insertions, 0 deletions
diff --git a/debian/patches-applied/cve-2015-3238.patch b/debian/patches-applied/cve-2015-3238.patch new file mode 100644 index 00000000..50dd746e --- /dev/null +++ b/debian/patches-applied/cve-2015-3238.patch @@ -0,0 +1,213 @@ +From e89d4c97385ff8180e6e81e84c5aa745daf28a79 Mon Sep 17 00:00:00 2001 +From: Thorsten Kukuk <kukuk@thkukuk.de> +Date: Mon, 22 Jun 2015 14:53:01 +0200 +Subject: Release version 1.2.1 + +Security fix: CVE-2015-3238 + +If the process executing pam_sm_authenticate or pam_sm_chauthtok method +of pam_unix is not privileged enough to check the password, e.g. +if selinux is enabled, the _unix_run_helper_binary function is called. +When a long enough password is supplied (16 pages or more, i.e. 65536+ +bytes on a system with 4K pages), this helper function hangs +indefinitely, blocked in the write(2) call while writing to a blocking +pipe that has a limited capacity. +With this fix, the verifiable password length will be limited to +PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix. + +Index: pam/modules/pam_exec/pam_exec.8.xml +=================================================================== +--- pam.orig/modules/pam_exec/pam_exec.8.xml ++++ pam/modules/pam_exec/pam_exec.8.xml +@@ -106,7 +106,8 @@ + During authentication the calling command can read + the password from <citerefentry> + <refentrytitle>stdin</refentrytitle><manvolnum>3</manvolnum> +- </citerefentry>. ++ </citerefentry>. Only first <emphasis>PAM_MAX_RESP_SIZE</emphasis> ++ bytes of a password are provided to the command. + </para> + </listitem> + </varlistentry> +Index: pam/modules/pam_exec/pam_exec.c +=================================================================== +--- pam.orig/modules/pam_exec/pam_exec.c ++++ pam/modules/pam_exec/pam_exec.c +@@ -178,11 +178,11 @@ + } + + pam_set_item (pamh, PAM_AUTHTOK, resp); +- authtok = strdupa (resp); ++ authtok = strndupa (resp, PAM_MAX_RESP_SIZE); + _pam_drop (resp); + } + else +- authtok = void_pass; ++ authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE); + + if (pipe(fds) != 0) + { +Index: pam/modules/pam_unix/pam_unix.8.xml +=================================================================== +--- pam.orig/modules/pam_unix/pam_unix.8.xml ++++ pam/modules/pam_unix/pam_unix.8.xml +@@ -80,6 +80,13 @@ + </para> + + <para> ++ The maximum length of a password supported by the pam_unix module ++ via the helper binary is <emphasis>PAM_MAX_RESP_SIZE</emphasis> ++ - currently 512 bytes. The rest of the password provided by the ++ conversation function to the module will be ignored. ++ </para> ++ ++ <para> + The password component of this module performs the task of updating + the user's password. The default encryption hash is taken from the + <emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from +Index: pam/modules/pam_unix/pam_unix_passwd.c +=================================================================== +--- pam.orig/modules/pam_unix/pam_unix_passwd.c ++++ pam/modules/pam_unix/pam_unix_passwd.c +@@ -245,15 +245,22 @@ + /* wait for child */ + /* if the stored password is NULL */ + int rc=0; +- if (fromwhat) +- pam_modutil_write(fds[1], fromwhat, strlen(fromwhat)+1); +- else +- pam_modutil_write(fds[1], "", 1); +- if (towhat) { +- pam_modutil_write(fds[1], towhat, strlen(towhat)+1); ++ if (fromwhat) { ++ int len = strlen(fromwhat); ++ ++ if (len > PAM_MAX_RESP_SIZE) ++ len = PAM_MAX_RESP_SIZE; ++ pam_modutil_write(fds[1], fromwhat, len); + } +- else +- pam_modutil_write(fds[1], "", 1); ++ pam_modutil_write(fds[1], "", 1); ++ if (towhat) { ++ int len = strlen(towhat); ++ ++ if (len > PAM_MAX_RESP_SIZE) ++ len = PAM_MAX_RESP_SIZE; ++ pam_modutil_write(fds[1], towhat, len); ++ } ++ pam_modutil_write(fds[1], "", 1); + + close(fds[0]); /* close here to avoid possible SIGPIPE above */ + close(fds[1]); +Index: pam/modules/pam_unix/passverify.c +=================================================================== +--- pam.orig/modules/pam_unix/passverify.c ++++ pam/modules/pam_unix/passverify.c +@@ -1086,12 +1086,15 @@ + int + read_passwords(int fd, int npass, char **passwords) + { ++ /* The passwords array must contain npass preallocated ++ * buffers of length MAXPASS + 1 ++ */ + int rbytes = 0; + int offset = 0; + int i = 0; + char *pptr; + while (npass > 0) { +- rbytes = read(fd, passwords[i]+offset, MAXPASS-offset); ++ rbytes = read(fd, passwords[i]+offset, MAXPASS+1-offset); + + if (rbytes < 0) { + if (errno == EINTR) continue; +Index: pam/modules/pam_unix/passverify.h +=================================================================== +--- pam.orig/modules/pam_unix/passverify.h ++++ pam/modules/pam_unix/passverify.h +@@ -8,7 +8,7 @@ + + #define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT + +-#define MAXPASS 200 /* the maximum length of a password */ ++#define MAXPASS PAM_MAX_RESP_SIZE /* the maximum length of a password */ + + #define OLD_PASSWORDS_FILE "/etc/security/opasswd" + +Index: pam/modules/pam_unix/support.c +=================================================================== +--- pam.orig/modules/pam_unix/support.c ++++ pam/modules/pam_unix/support.c +@@ -632,7 +632,12 @@ + /* if the stored password is NULL */ + int rc=0; + if (passwd != NULL) { /* send the password to the child */ +- if (write(fds[1], passwd, strlen(passwd)+1) == -1) { ++ int len = strlen(passwd); ++ ++ if (len > PAM_MAX_RESP_SIZE) ++ len = PAM_MAX_RESP_SIZE; ++ if (write(fds[1], passwd, len) == -1 || ++ write(fds[1], "", 1) == -1) { + pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m"); + retval = PAM_AUTH_ERR; + } +Index: pam/modules/pam_unix/pam_unix.8 +=================================================================== +--- pam.orig/modules/pam_unix/pam_unix.8 ++++ pam/modules/pam_unix/pam_unix.8 +@@ -56,6 +56,10 @@ + \fBnoreap\fR + module argument can be used to suppress this temporary shielding and may be needed for use with certain applications\&. + .PP ++The maximum length of a password supported by the pam_unix module via the helper binary is ++\fIPAM_MAX_RESP_SIZE\fR ++\- currently 512 bytes\&. The rest of the password provided by the conversation function to the module will be ignored\&. ++.PP + The password component of this module performs the task of updating the user\*(Aqs password\&. The default encryption hash is taken from the + \fBENCRYPT_METHOD\fR + variable from +Index: pam/modules/pam_exec/pam_exec.8 +=================================================================== +--- pam.orig/modules/pam_exec/pam_exec.8 ++++ pam/modules/pam_exec/pam_exec.8 +@@ -65,7 +65,9 @@ + \fBexpose_authtok\fR + .RS 4 + During authentication the calling command can read the password from +-\fBstdin\fR(3)\&. ++\fBstdin\fR(3)\&. Only first ++\fIPAM_MAX_RESP_SIZE\fR ++bytes of a password are provided to the command\&. + .RE + .PP + \fBlog=\fR\fB\fIfile\fR\fR +Index: pam/modules/pam_exec/README +=================================================================== +--- pam.orig/modules/pam_exec/README ++++ pam/modules/pam_exec/README +@@ -24,7 +24,8 @@ + expose_authtok + + During authentication the calling command can read the password from stdin +- (3). ++ (3). Only first PAM_MAX_RESP_SIZE bytes of a password are provided to the ++ command. + + log=file + +Index: pam/modules/pam_unix/README +=================================================================== +--- pam.orig/modules/pam_unix/README ++++ pam/modules/pam_unix/README +@@ -34,6 +34,10 @@ + suppress this temporary shielding and may be needed for use with certain + applications. + ++The maximum length of a password supported by the pam_unix module via the ++helper binary is PAM_MAX_RESP_SIZE - currently 512 bytes. The rest of the ++password provided by the conversation function to the module will be ignored. ++ + The password component of this module performs the task of updating the user's + password. The default encryption hash is taken from the ENCRYPT_METHOD variable + from /etc/login.defs |