Changes between Initial Version and Version 1 of Errata


Timestamp: Dec 18, 2011, 5:23:38 PM
Author: Dag-Erling Smørgrav
= Errata =

== Service name validation ==

Date:: 2011-11-08

Affects:: All releases prior to [[Releases/Lycopsida|Lycopsida]]

References:: http://c-skills.blogspot.com/2011/11/openpam-trickery.html

Description:: Some setuid programs (e.g. KDE's `kcheckpass`) let the user choose the PAM service name.  OpenPAM's configuration parser appends that name to each policy directory without validating it, so a name containing `/` (for instance one built from `../`) makes OpenPAM read its policy from an arbitrary, user-crafted file.  The modules named in that policy are then loaded and run with root privileges, which amounts to arbitrary code execution as root.

Workaround:: Remove, or restrict to trusted users, any setuid program that lets the user specify the service name.

Fix:: [[Releases/Lycopsida|OpenPAM Lycopsida]] features a completely rewritten configuration parser.  If you are unable or unwilling to upgrade, apply the following patch (courtesy of NetBSD's Matthias Drochner), which rejects any service name containing a `/`:
{{{
--- lib/openpam_configure.c     (revision 228464)
+++ lib/openpam_configure.c     (revision 228465)
@@ -285,6 +285,13 @@
        size_t len;
        int r;
 
+       /* don't allow to escape from policy_path */
+       if (strchr(service, '/')) {
+               openpam_log(PAM_LOG_ERROR, "invalid service name: %s",
+                   service);
+               return (-PAM_SYSTEM_ERR);
+       }
+
        for (path = openpam_policy_path; *path != NULL; ++path) {
                len = strlen(*path);
                if ((*path)[len - 1] == '/') {
}}}
     33 }}}