+2008-06-26 Nicolas François <nicolas.francois@centraliens.net>
+
+ * NEWS, src/login.c: Fix an "audit log injection" vulnerability in
+ login. This is similar to CVE-2008-1926 (util-linux-ng's login).
+ This vulnerability makes it easier for attackers to hide
+ activities by modifying portions of log events, e.g. by appending
+ an addr= statement to the login name.
+ * lib/prototypes.h: Added definition of AUDIT_NO_ID.
+
2008-05-25 Nicolas François <nicolas.francois@centraliens.net>
Prepare the 4.1.2 release
$Id$
+shadow-4.1.2 -> shadow-4.1.2.1 UNRELEASED
+
+*** security
+- Fix an "audit log injection" vulnerability in login.
+ This vulnerability makes it easier for attackers to hide activities by
+ modifying portions of log events, e.g. by appending an addr= statement
+ to the login name.
+
shadow-4.1.1 -> shadow-4.1.2 25-05-2008
*** security:
#ifdef WITH_AUDIT
extern int audit_fd;
extern void audit_help_open (void);
+/* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */
+#define AUDIT_NO_ID ((unsigned int) -1)
extern void audit_logger (int type, const char *pgname, const char *op,
const char *name, unsigned int id, int result);
#endif
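Review bot: The comment on `AUDIT_NO_ID` names only `audit_logger`, but the src/login.c hunks in this commit pass the macro directly to `audit_log_acct_message`, so the comment should describe the sentinel rather than one caller. A wording such as `/* Sentinel id: pass together with a non-NULL name so the audit record carries the account name instead of a uid */` would cover both uses. The `AUDIT_` prefix is also the one libaudit uses for its own constants, so a project-specific prefix would rule out a later clash. That rename is optional.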
break;
#ifdef WITH_AUDIT
- {
- struct passwd *pw;
- char buf[64];
-
- audit_fd = audit_open ();
- /* local, no need for xgetpwnam */
- pw = getpwnam (username);
- if (pw) {
- snprintf (buf, sizeof (buf),
- "uid=%d", pw->pw_uid);
- audit_log_user_message
- (audit_fd, AUDIT_USER_LOGIN,
- buf, hostname, NULL,
- tty, 0);
- } else {
- snprintf (buf, sizeof (buf),
- "acct=%s", username);
- audit_log_user_message
- (audit_fd, AUDIT_USER_LOGIN,
- buf, hostname, NULL,
- tty, 0);
- }
- close (audit_fd);
- }
+ audit_fd = audit_open ();
+ audit_log_acct_message (audit_fd,
+ AUDIT_USER_LOGIN,
+ NULL, /* Prog. name */
+ "login",
+ (NULL!=username)?username
+ :"(unknown)",
+ AUDIT_NO_ID,
+ hostname,
+ NULL, /* addr */
+ tty,
+ 0); /* result */
+ close (audit_fd);
#endif /* WITH_AUDIT */
fprintf(stderr,"\nLogin incorrect\n");
}
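Review bot: The return value of `audit_open ()` is not checked before it is passed to `audit_log_acct_message` and `close` in this failed-login branch, so if the audit socket cannot be opened the failure record is dropped silently. The successful-login hunk further down has the same pattern. Guarding both with `if (audit_fd >= 0) { ... close (audit_fd); }` and reporting a failing return from `audit_log_acct_message` through the program's normal logging would keep an audit outage visible. `hostname` and `tty` are still forwarded unchanged, and whether libaudit escapes them the way it does the account name is not visible here, so that is worth confirming. The enclosing function starts and ends outside the hunk.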
#ifdef WITH_AUDIT
- {
- char buf[32];
-
- audit_fd = audit_open ();
- snprintf (buf, sizeof (buf), "uid=%d", pwd->pw_uid);
- audit_log_user_message (audit_fd, AUDIT_USER_LOGIN,
- buf, hostname, NULL, tty, 1);
- close (audit_fd);
- }
+ audit_fd = audit_open ();
+ audit_log_acct_message (audit_fd,
+ AUDIT_USER_LOGIN,
+ NULL, /* Prog. name */
+ "login",
+ NULL, /* user's name => use uid */
+ (unsigned int) pwd->pw_uid,
+ hostname,
+ NULL, /* addr */
+ tty,
+ 1); /* result */
+ close (audit_fd);
#endif /* WITH_AUDIT */
#ifndef USE_PAM /* pam_lastlog handles this */