Changes between Version 7 and Version 8 of Errata


Timestamp:
Oct 23, 2014, 8:48:13 AM (6 years ago)
Author:
Dag-Erling Smørgrav
Comment:

Rework as a table pointing to the individual pages for each issue

  • Errata

    = Errata =

    Removed in v8:

    == Policy loading ==

     Date:: 2014-06-02

     Affects:: [[Releases/Nummularia|Nummularia]] and [[Releases/Micrampelis|Micrampelis]]

     References:: http://www.freebsd.org/security/advisories/FreeBSD-SA-14:13.pam.asc, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3879

     Description:: When loading a module or processing an include directive, an {{{ENOENT}}} (file not found) error would incorrectly be propagated up the call stack and be interpreted as a missing policy, which is a soft error, rather than an invalid policy, which is a hard error.  Depending on the circumstances, this could result in a fail-open scenario.

     Workaround:: Verify the spelling of all policies.  When updating third-party modules (which will result in a brief window during which the module is missing), shut down affected services.

     Fix:: Apply r795.
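The soft-error / hard-error distinction is the whole point of this erratum, so the following added example (not OpenPAM code, and not the r795 change) models it in miniature: an in-memory stand-in for {{{/etc/pam.d}}} and the module directory, a loader that can either propagate {{{ENOENT}}} from an include or a module as "policy missing" (the unfixed behaviour) or treat it as "policy invalid" (the fixed behaviour), and the caller that falls back to the default {{{other}}} policy only on a missing policy. The policy contents, the module list, the {{{POLICY_*}}} codes and all function names are assumptions made for the example; in particular, {{{other}}} is given a permissive line so that the fail-open outcome is visible.

```c
#include <stdio.h>
#include <string.h>

enum { POLICY_OK = 0, POLICY_MISSING = 1, POLICY_INVALID = 2 };

/* Constructed stand-in for /etc/pam.d and the module directory (not real
 * files). "common-auth" is deliberately absent, as if it had been removed or
 * misspelled, and "broken" references a module that does not exist. */
struct policy { const char *name; const char *text; };
static const struct policy policies[] = {
    { "sshd",   "auth required pam_unix\nauth include common-auth\n" },
    { "su",     "auth required pam_unix\n" },
    { "broken", "auth required pam_unix\naccount required pam_typo\n" },
    { "other",  "auth required pam_permit\n" },   /* hypothetical permissive default */
};
static const char *const modules[] = { "pam_unix", "pam_permit", "pam_deny" };

static const char *find_policy(const char *name)
{
    for (size_t i = 0; i < sizeof policies / sizeof policies[0]; ++i)
        if (strcmp(policies[i].name, name) == 0)
            return policies[i].text;
    return NULL;                                  /* ENOENT */
}

static int module_exists(const char *name)
{
    for (size_t i = 0; i < sizeof modules / sizeof modules[0]; ++i)
        if (strcmp(modules[i], name) == 0)
            return 1;
    return 0;                                     /* ENOENT */
}

/* Loads policy `name`. strict == 0 reproduces the erratum: ENOENT for an
 * include or a module is reported as POLICY_MISSING, the same code as "no
 * such policy file". strict == 1 is the fixed behaviour: only the top-level
 * policy file may be missing; ENOENT anywhere below it is POLICY_INVALID. */
static int load_policy(const char *name, int strict, int depth)
{
    const char *text = find_policy(name);
    if (depth > 8)
        return POLICY_INVALID;                    /* include loop */
    if (text == NULL)
        return (depth == 0 || !strict) ? POLICY_MISSING : POLICY_INVALID;

    while (*text != '\0') {
        char line[128], facility[32], control[32], arg[64];
        const char *nl = strchr(text, '\n');
        size_t len = nl != NULL ? (size_t)(nl - text) : strlen(text);
        if (len >= sizeof line)
            return POLICY_INVALID;
        memcpy(line, text, len);
        line[len] = '\0';
        text += len + (nl != NULL ? 1 : 0);
        if (sscanf(line, "%31s %31s %63s", facility, control, arg) != 3)
            return POLICY_INVALID;                /* malformed line: always a hard error */
        if (strcmp(control, "include") == 0) {
            int r = load_policy(arg, strict, depth + 1);
            if (r != POLICY_OK)
                return r;
        } else if (!module_exists(arg)) {
            return strict ? POLICY_INVALID : POLICY_MISSING;
        }
    }
    return POLICY_OK;
}

/* What the caller does with the result: only a *missing* policy falls through
 * to the default "other" policy. *used names the policy that ended up
 * governing the service. */
static int resolve_policy(const char *service, int strict, const char **used)
{
    int r = load_policy(service, strict, 0);
    *used = service;
    if (r == POLICY_MISSING) {
        *used = "other";
        r = load_policy("other", strict, 0);
    }
    return r;
}

int main(void)
{
    const char *used;
    int r = resolve_policy("sshd", 0, &used);
    printf("unfixed: sshd -> %d using policy \"%s\"\n", r, used);
    r = resolve_policy("sshd", 1, &used);
    printf("fixed:   sshd -> %d using policy \"%s\"\n", r, used);
    return 0;
}
```

With {{{strict == 0}}}, {{{sshd}}} silently ends up governed by {{{other}}} the moment {{{common-auth}}} is absent, which is the "brief window during which the module is missing" the workaround warns about; with {{{strict == 1}}} the same condition is a hard error and authentication cannot proceed.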

    == Character classification ==

     Date:: 2014-02-26

     Affects:: [[Releases/Nummularia|Nummularia]]

     References:: http://blog.des.no/2013/03/on-testing-part-iii/

     Description:: The {{{is_upper()}}} character classification predicate only accepts the letter {{{A}}} as an upper-case character instead of the entire {{{A-Z}}} range.  The result is that OpenPAM will not accept service names or module names or paths containing upper-case letters other than {{{A}}}.

     Workaround:: Rename affected services and modules.

     Fix:: Apply r761, and optionally r760 which adds unit tests for the character classification predicates.
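To make the effect of the predicate bug concrete, here is an added example (not OpenPAM's {{{is_upper()}}} or its name validation): the buggy predicate as the erratum describes it next to a corrected one, and a service-name check that takes the upper-case predicate as a parameter so the two can be compared on the same inputs. The allowed character set (letters, digits, {{{-}}}, {{{_}}}, {{{.}}}, no leading dot) and the function names are this example's assumptions, not OpenPAM's definition.

```c
#include <stdio.h>

/* Buggy predicate as described in the erratum: only 'A' counts as upper-case. */
static int is_upper_buggy(int ch)
{
    return ch == 'A';
}

/* Corrected predicate: the whole upper-case ASCII range. Explicit ranges are
 * used instead of <ctype.h> so the result does not depend on the locale. */
static int is_upper(int ch)
{
    return ch >= 'A' && ch <= 'Z';
}

static int is_lower(int ch)
{
    return ch >= 'a' && ch <= 'z';
}

static int is_digit(int ch)
{
    return ch >= '0' && ch <= '9';
}

/* Accepts a PAM service name made of letters, digits, '-', '_' and '.',
 * rejecting the empty string and a leading '.' (so "." and ".." cannot name
 * a policy). Everything else, including '/', is rejected. The allowed set is
 * this example's choice. `upper` is the upper-case predicate to use. */
static int valid_service_name(const char *name, int (*upper)(int))
{
    if (name == NULL || name[0] == '\0' || name[0] == '.')
        return 0;
    for (const char *p = name; *p != '\0'; ++p) {
        int ch = (unsigned char)*p;
        if (upper(ch) || is_lower(ch) || is_digit(ch))
            continue;
        if (ch == '-' || ch == '_' || ch == '.')
            continue;
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample names: only "Sshd" and "A-B" separate the two predicates. */
    const char *names[] = { "sshd", "Sshd", "A-B", "A-A", "../evil", "" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; ++i)
        printf("%-10s buggy=%d fixed=%d\n", names[i],
               valid_service_name(names[i], is_upper_buggy),
               valid_service_name(names[i], is_upper));
    return 0;
}
```

The table the program prints shows the failure mode directly: any name containing an upper-case letter other than {{{A}}} is rejected by the buggy predicate and accepted by the fixed one, while names that are unsafe for other reasons ({{{../evil}}}, the empty string) are rejected by both.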

    == Configuration parsing ==

     Date:: 2013-03-04

     Affects:: [[Releases/Micrampelis|Micrampelis]]

     References:: http://blog.des.no/2013/03/on-testing-part-ii/

     Description:: When {{{openpam_readword()}}} encounters a string in which unquoted text precedes quoted text, it will return an empty string.  This affects the PAM policy parser as well as any third-party code that relies on {{{openpam_readword()}}} and/or {{{openpam_readlinev()}}}.

     Workaround:: Quote the entire string, e.g. {{{"text=hello world"}}} instead of {{{text="hello world"}}}.

     Fix:: Apply r634 and r636.
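The failing input is a single word made of an unquoted run followed by a quoted run. The following is an added example, not OpenPAM's {{{openpam_readword()}}} or {{{openpam_readlinev()}}}: a string-based word reader and line splitter that concatenate unquoted and quoted runs into one word, so that {{{text="hello world"}}} and the workaround form {{{"text=hello world"}}} yield the same word. Function names, buffer sizes and the exact escape and comment rules are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_WORD  64
#define MAX_WORDS 16

/* Reads the next word from *cursor into buf. Returns 1 when a word was read,
 * 0 at end of line or at an unquoted '#' comment, and -1 on error (word too
 * long or unterminated quote). Quoted runs may start anywhere inside a word
 * and are simply appended to what came before; backslash escapes the next
 * character outside single quotes. Advances *cursor past the word. */
static int read_word(const char **cursor, char *buf, size_t size)
{
    const char *p = *cursor;
    size_t len = 0;
    int quote = 0;                        /* 0, '"' or '\'' while inside quotes */

    while (*p == ' ' || *p == '\t')
        ++p;
    if (*p == '\0' || *p == '\n' || *p == '#') {
        *cursor = p;
        return 0;
    }
    for (; *p != '\0'; ++p) {
        int ch = (unsigned char)*p;
        if (quote == 0 && (ch == ' ' || ch == '\t' || ch == '\n'))
            break;                        /* unquoted whitespace ends the word */
        if (quote == 0 && (ch == '"' || ch == '\'')) {
            quote = ch;                   /* quoted run begins, word continues */
            continue;
        }
        if (quote != 0 && ch == quote) {
            quote = 0;                    /* quoted run ends, word continues */
            continue;
        }
        if (ch == '\\' && quote != '\'' && p[1] != '\0')
            ch = (unsigned char)*++p;     /* escaped character is taken literally */
        if (len + 1 >= size)
            return -1;
        buf[len++] = (char)ch;
    }
    if (quote != 0)
        return -1;                        /* unterminated quote */
    buf[len] = '\0';
    *cursor = p;
    return 1;
}

/* Splits one policy line into words (string-based analogue of a readlinev()).
 * Returns the word count or -1 on error. */
static int split_line(const char *line, char words[MAX_WORDS][MAX_WORD])
{
    const char *cursor = line;
    int n = 0, r;

    while ((r = read_word(&cursor, words[n], MAX_WORD)) == 1)
        if (++n == MAX_WORDS)
            break;
    return r < 0 ? -1 : n;
}

int main(void)
{
    /* Constructed sample lines: the erratum's failing form and the workaround form. */
    const char *lines[] = {
        "auth required pam_foo.so text=\"hello world\"",
        "auth required pam_foo.so \"text=hello world\"",
    };
    char words[MAX_WORDS][MAX_WORD];
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; ++i) {
        int n = split_line(lines[i], words);
        printf("%d words:", n);
        for (int j = 0; j < n; ++j)
            printf(" [%s]", words[j]);
        printf("\n");
    }
    return 0;
}
```

Both sample lines split into four words with {{{text=hello world}}} as the last one; a line with an unterminated quote is reported as an error rather than silently truncated, which is the behaviour a policy parser should have, since an empty or truncated option word changes what the module is told to do.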

    == Service name validation ==

     Date:: 2011-11-08

     Affects:: All releases prior to [[Releases/Lycopsida|Lycopsida]]

     References:: http://c-skills.blogspot.com/2011/11/openpam-trickery.html

     Description:: Some setuid programs (e.g. KDE's `kcheckpass`) allow the user to specify the service name.  Due to insufficient validation in OpenPAM's configuration parser, this can be exploited to load a PAM policy from an arbitrary (user-crafted) file and thus execute arbitrary code with root privileges.

     Workaround:: Remove or restrict any program that allows the user to specify the service name.

     Fix:: [[Releases/Lycopsida|OpenPAM Lycopsida]] features a completely rewritten configuration parser.  If you are unable or unwilling to upgrade, apply the following patch (courtesy of NetBSD's Matthias Drochner):
     {{{
--- lib/openpam_configure.c     (revision 228464)
+++ lib/openpam_configure.c     (revision 228465)
@@ -285,6 +285,13 @@
        size_t len;
        int r;
 
+       /* don't allow to escape from policy_path */
+       if (strchr(service, '/')) {
+               openpam_log(PAM_LOG_ERROR, "invalid service name: %s",
+                   service);
+               return (-PAM_SYSTEM_ERR);
+       }
+
        for (path = openpam_policy_path; *path != NULL; ++path) {
                len = strlen(*path);
                if ((*path)[len - 1] == '/') {
     }}}
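Review bot: the check inserted before the `for` loop blacklists a single character, `/`, so an empty `service`, `.` or `..`, and names containing whitespace or control characters still reach the path-building code below and are written verbatim into the log by `openpam_log(PAM_LOG_ERROR, "invalid service name: %s", service)`. A positive check that `service` is non-empty and consists only of the characters a policy file name may contain (letters, digits, `-`, `_`, `.`, with no leading `.`) would close the class of problem rather than the one reported vector; the character-classification erratum above shows the rewritten Lycopsida parser validates names that way. As an interim patch the blacklist is acceptable, but the limitation should be stated next to the workaround so readers do not take it for a complete fix.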
    Added in v8:

    ||= Date =||= Affects =||= Description =||
    || 2014-10-22 || [[Releases/Ourouparia|Ourouparia]] || [[Errata/2014-10-22|Improper handling of line continuation in configuration parser]] ||
    || 2014-06-02 || [[Releases/Nummularia|Nummularia]] and [[Releases/Micrampelis|Micrampelis]] || [[Errata/2014-06-02|Fail-open when a module is missing]] ||
    || 2014-02-26 || [[Releases/Nummularia|Nummularia]] || [[Errata/2014-02-26|Character classification bug in configuration parser]] ||
    || 2013-03-04 || [[Releases/Micrampelis|Micrampelis]] || [[Errata/2013-03-04|Improper handling of quoted strings in configuration parser]] ||
    || 2011-11-08 || All releases prior to [[Releases/Lycopsida|Lycopsida]] || [[Errata/2011-11-08|Insufficient validation of service names]] ||