From e89d4c97385ff8180e6e81e84c5aa745daf28a79 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Mon, 22 Jun 2015 14:53:01 +0200 Subject: Release version 1.2.1 Security fix: CVE-2015-3238 If the process executing pam_sm_authenticate or pam_sm_chauthtok method of pam_unix is not privileged enough to check the password, e.g. if selinux is enabled, the _unix_run_helper_binary function is called. When a long enough password is supplied (16 pages or more, i.e. 65536+ bytes on a system with 4K pages), this helper function hangs indefinitely, blocked in the write(2) call while writing to a blocking pipe that has a limited capacity. With this fix, the verifiable password length will be limited to PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix. * NEWS: Update * configure.ac: Bump version * modules/pam_exec/pam_exec.8.xml: document limitation of password length * modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE * modules/pam_unix/pam_unix.8.xml: document limitation of password length * modules/pam_unix/pam_unix_passwd.c: limit password length * modules/pam_unix/passverify.c: Likewise * modules/pam_unix/passverify.h: Likewise * modules/pam_unix/support.c: Likewise --- modules/pam_exec/pam_exec.8.xml | 3 ++- modules/pam_exec/pam_exec.c | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) (limited to 'modules/pam_exec') diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml index 23793668..d1b00a21 100644 --- a/modules/pam_exec/pam_exec.8.xml +++ b/modules/pam_exec/pam_exec.8.xml @@ -106,7 +106,8 @@ During authentication the calling command can read the password from stdin3 - . + . Only first PAM_MAX_RESP_SIZE + bytes of a password are provided to the command. diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c index 5ab96303..17ba6ca2 100644 --- a/modules/pam_exec/pam_exec.c +++ b/modules/pam_exec/pam_exec.c @@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh, } pam_set_item (pamh, PAM_AUTHTOK, resp); - authtok = strdupa (resp); + authtok = strndupa (resp, PAM_MAX_RESP_SIZE); _pam_drop (resp); } else - authtok = void_pass; + authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE); if (pipe(fds) != 0) { -- cgit v1.2.3