pam_env: correctly count leading whitespace when parsing environment file

* modules/pam_env/pam_env.c (_assemble_line): Correctly count leading
whitespace.
Fixes CVE-2011-3148.
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469

diff --git a/ChangeLog b/ChangeLog
index bb859b9d6a99d91d313972d1e4445b48e686e2e0..f823d23e9e4de1b7b0a89e6eadbf4a409fb9a12f 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2011-10-14  Kees Cook <kees@debian.org>
+
+       * modules/pam_env/pam_env.c (_assemble_line): Correctly count leading
+       whitespace.
+       Fixes CVE-2011-3148.
+       Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469
+
 2011-10-10  Tomas Mraz  <tm@t8m.info>
 
        * modules/pam_access/pam_access.c: Add hostname resolution

diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index 1ec01ca5f47ce80d6c0a031e8d1d53dd66cde73c..b7cd387f570debf48e9f1b6b3d12230ddb9fb155 100644 (file)
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -290,6 +290,7 @@ static int _assemble_line(FILE *f, char *buffer, int buf_len)
     char *p = buffer;
     char *s, *os;
     int used = 0;
+    int whitespace;
 
     /* loop broken with a 'break' when a non-'\\n' ended line is read */
 
@@ -312,8 +313,10 @@ static int _assemble_line(FILE *f, char *buffer, int buf_len)
 
        /* skip leading spaces --- line may be blank */
 
-       s = p + strspn(p, " \n\t");
+       whitespace = strspn(p, " \n\t");
+       s = p + whitespace;
        if (*s && (*s != '#')) {
+           used += whitespace;
            os = s;
 
            /*