2011-10-14 Kees Cook <kees@debian.org>
+ * modules/pam_env/pam_env.c (_expand_arg): Abort when encountering an
+ overflowed environment variable expansion.
+ Fixes CVE-2011-3149.
+ Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565
+
* modules/pam_env/pam_env.c (_assemble_line): Correctly count leading
whitespace.
Fixes CVE-2011-3148.
D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>",
tmp, tmpptr);
+ return PAM_BUF_ERR;
}
continue;
}
D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
pam_syslog (pamh, LOG_ERR,
"Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
+ return PAM_BUF_ERR;
}
}
} /* if ('{' != *orig++) */
D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
pam_syslog(pamh, LOG_ERR,
"Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
+ return PAM_BUF_ERR;
}
}
} /* for (;*orig;) */
projects / linux-pam / commitdiff