Version 6 (modified by 7 years ago) (diff) | ,
---|
Errata
Character classification
- Date
- 2014-02-26
- Affects
- Nummularia
- Description
- The
is_upper()
character classification predicate only accepts the letterA
as an upper-case character instead of the entireA-Z
range. The result is that OpenPAM will not accept service names or module names or paths containing upper-case letters other thanA
.
- Workaround
- Rename affected services and modules.
- Fix
- Apply r761, and optionally r760 which adds unit tests for the character classification predicates.
Configuration parsing
- Date
- 2013-03-04
- Affects
- Micrampelis
- Description
- When
openpam_readword()
encounters a string in which unquoted text precedes quoted text, it will return an empty string. This affects the PAM policy parser as well as any third-party code that relies onopenpam_readword()
and / oropenpam_readlinev()
.
- Workaround
- Quote the entire string, e.g.
"text=hello world"
instead oftext="hello world"
.
Service name validation
- Date
- 2011-11-08
- Affects
- All releases prior to Lycopsida
- Description
- Some setuid programs (e.g. KDE's
kcheckpass
) allow the user to specify the service name. Due to insufficient validation in OpenPAM's configuration parser, this can be exploited to load a PAM policy from an arbitrary (user-crafted) file and thus execute arbitrary code with root privileges.
- Workaround
- Remove or restrict any program that allows the user to specify the service name.
- Fix
- OpenPAM Lycopsida features a completely rewritten configuration parser. If you are unable or unwilling to upgrade, apply the following patch (courtesy of NetBSD's Matthias Drochner):
--- lib/openpam_configure.c (revision 228464) +++ lib/openpam_configure.c (revision 228465) @@ -285,6 +285,13 @@ size_t len; int r; + /* don't allow to escape from policy_path */ + if (strchr(service, '/')) { + openpam_log(PAM_LOG_ERROR, "invalid service name: %s", + service); + return (-PAM_SYSTEM_ERR); + } + for (path = openpam_policy_path; *path != NULL; ++path) { len = strlen(*path); if ((*path)[len - 1] == '/') {