| https://bugs.gentoo.org/505604 |
| |
| From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001 |
| From: "Dmitry V. Levin" <ldv@altlinux.org> |
| Date: Wed, 26 Mar 2014 22:17:23 +0000 |
| Subject: [PATCH] pam_timestamp: fix potential directory traversal issue |
| (ticket #27) |
| |
| pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of |
| the timestamp pathname it creates, so extra care should be taken to |
| avoid potential directory traversal issues. |
| |
| * modules/pam_timestamp/pam_timestamp.c (check_tty): Treat |
| "." and ".." tty values as invalid. |
| (get_ruser): Treat "." and ".." ruser values, as well as any ruser |
| value containing '/', as invalid. |
| |
| Fixes CVE-2014-2583. |
| |
| Reported-by: Sebastian Krahmer <krahmer@suse.de> |
| --- |
| modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++- |
| 1 file changed, 12 insertions(+), 1 deletion(-) |
| |
| diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c |
| index 5193733..b3f08b1 100644 |
| --- a/modules/pam_timestamp/pam_timestamp.c |
| +++ b/modules/pam_timestamp/pam_timestamp.c |
| @@ -158,7 +158,7 @@ check_tty(const char *tty) |
| tty = strrchr(tty, '/') + 1; |
| } |
| /* Make sure the tty wasn't actually a directory (no basename). */ |
| - if (strlen(tty) == 0) { |
| + if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) { |
| return NULL; |
| } |
| return tty; |
| @@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen) |
| if (pwd != NULL) { |
| ruser = pwd->pw_name; |
| } |
| + } else { |
| + /* |
| + * This ruser is used by format_timestamp_name as a component |
| + * of constructed timestamp pathname, so ".", "..", and '/' |
| + * are disallowed to avoid potential path traversal issues. |
| + */ |
| + if (!strcmp(ruser, ".") || |
| + !strcmp(ruser, "..") || |
| + strchr(ruser, '/')) { |
| + ruser = NULL; |
| + } |
| } |
| if (ruser == NULL || strlen(ruser) >= ruserbuflen) { |
| *ruserbuf = '\0'; |
| -- |
| 2.4.0 |
| |