
Errata

Policy loading

Date: 2014-06-02
Affects: Nummularia and Micrampelis
References: http://www.freebsd.org/security/advisories/FreeBSD-SA-14:13.pam.asc, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3879
Description: When loading a module or processing an include directive, an ENOENT (file not found) error would incorrectly be propagated up the call stack and be interpreted as a missing policy, which is a soft error, rather than an invalid policy, which is a hard error. Depending on the circumstances, this could result in a fail-open scenario.
Workaround: Verify the spelling of all policies. When updating third-party modules (which will result in a brief window during which the module is missing), shut down affected services.
Fix: Apply r795.
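The soft/hard error distinction this entry draws, as an added illustration that is not OpenPAM's code: a toy policy loader over a constructed in-memory file table (the names `login`, `system`, `broken`, `nomod` and `pam_unix` are made up), where the `fixed` flag selects between the behaviour the entry describes (a missing include or module propagates as "no policy") and the corrected handling (a missing include or module is an invalid policy).

```c
#include <stdio.h>
#include <string.h>

/* Outcomes: MISSING is the soft error, INVALID the hard one. */
enum load_result { POLICY_OK = 0, POLICY_MISSING = 1, POLICY_INVALID = 2 };

/* Constructed stand-in for the policy directory and module path:
 * name -> contents; any name not listed "does not exist" (ENOENT). */
struct fake_file { const char *name; const char *contents; };
static const struct fake_file files[] = {
    { "login",    "auth include system\naccount required pam_unix\n" },
    { "system",   "auth required pam_unix\n" },
    { "broken",   "auth include no_such_policy\n" },  /* include of absent file */
    { "nomod",    "auth required pam_no_such_module\n" },
    { "pam_unix", "" },                                /* module present */
};

static const char *lookup(const char *name) {
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        if (strcmp(files[i].name, name) == 0)
            return files[i].contents;
    return NULL;  /* stands in for open() failing with ENOENT */
}

/* nested: reached via an include directive.  fixed == 0 models the erratum
 * (ENOENT propagates unchanged, so a broken policy reads as "no policy");
 * fixed == 1 makes a missing include or module a hard error. */
static enum load_result load_policy(const char *name, int nested, int fixed) {
    const char *text = lookup(name);
    if (text == NULL)
        return (nested && fixed) ? POLICY_INVALID : POLICY_MISSING;
    while (*text != '\0') {
        char line[128], facility[16], control[16], target[64];
        const char *nl = strchr(text, '\n');
        size_t n = nl != NULL ? (size_t)(nl - text) : strlen(text);
        if (n >= sizeof line) return POLICY_INVALID;
        memcpy(line, text, n); line[n] = '\0';
        text += n + (nl != NULL ? 1 : 0);
        if (sscanf(line, "%15s %15s %63s", facility, control, target) != 3)
            return POLICY_INVALID;
        if (strcmp(control, "include") == 0) {
            enum load_result r = load_policy(target, 1, fixed);
            if (r != POLICY_OK) return r;
        } else if (lookup(target) == NULL) {
            return fixed ? POLICY_INVALID : POLICY_MISSING;  /* missing module */
        }
    }
    return POLICY_OK;
}
```

With `fixed == 0`, loading `broken` or `nomod` yields `POLICY_MISSING`, the same answer as for a policy that was never installed, which is the fail-open path the entry warns about.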

Character classification

Date: 2014-02-26
Affects: Nummularia
References: http://blog.des.no/2013/03/on-testing-part-iii/
Description: The is_upper() character classification predicate only accepts the letter A as an upper-case character instead of the entire A-Z range. As a result, OpenPAM will not accept service names, module names or paths containing upper-case letters other than A.
Workaround: Rename affected services and modules.
Fix: Apply r761, and optionally r760, which adds unit tests for the character classification predicates.

Configuration parsing

Date: 2013-03-04
Affects: Micrampelis
References: http://blog.des.no/2013/03/on-testing-part-ii/
Description: When openpam_readword() encounters a string in which unquoted text precedes quoted text, it will return an empty string. This affects the PAM policy parser as well as any third-party code that relies on openpam_readword() and/or openpam_readlinev().
Workaround: Quote the entire string, e.g. "text=hello world" instead of text="hello world".
Fix: Apply r634 and r636.

Service name validation

Date: 2011-11-08
Affects: All releases prior to Lycopsida
References: http://c-skills.blogspot.com/2011/11/openpam-trickery.html
Description: Some setuid programs (e.g. KDE's kcheckpass) allow the user to specify the service name. Due to insufficient validation in OpenPAM's configuration parser, this can be exploited to load a PAM policy from an arbitrary (user-crafted) file and thus execute arbitrary code with root privileges.
Workaround: Remove or restrict any program that allows the user to specify the service name.
Fix: OpenPAM Lycopsida features a completely rewritten configuration parser. If you are unable or unwilling to upgrade, apply the following patch (courtesy of NetBSD's Matthias Drochner):
--- lib/openpam_configure.c	(revision 228464)
+++ lib/openpam_configure.c	(revision 228465)
@@ -285,6 +285,13 @@
 	size_t len;
 	int r;
 
+	/* don't allow to escape from policy_path */
+	if (strchr(service, '/')) {
+		openpam_log(PAM_LOG_ERROR, "invalid service name: %s",
+		    service);
+		return (-PAM_SYSTEM_ERR);
+	}
+
 	for (path = openpam_policy_path; *path != NULL; ++path) {
 		len = strlen(*path);
 		if ((*path)[len - 1] == '/') {
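Review bot: The new check rejects only '/', which is the one character that lets a service name leave a policy_path directory, so the escape described in the entry is closed; an empty name, "." or ".." still pass the check and then name a directory rather than a policy file, so consider rejecting those up front as well (e.g. `if (*service == '\0' || strchr(service, '/') != NULL)`) so the failure is logged as an invalid service name rather than surfacing later as an open or parse error. The comment would also read better as "don't allow escaping from policy_path".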
Last modified on Jun 4, 2014, 2:24:20 PM