Security fix for CVE-2013-7041

2025-02-23 16:32:51 +00:00 · 2014-08-28 17:54:44 +07:00 · 2014-08-28 17:54:44 +07:00 · ca3dc08c2f
commit ca3dc08c2f
parent 7e8e195c6a
3 changed files with 44 additions and 34 deletions
--- a/107.patch
+++ b/107.patch
@ -1,33 +0,0 @@
 diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
 index 5193733..b3f08b1 100644
 --- a/modules/pam_timestamp/pam_timestamp.c
 +++ b/modules/pam_timestamp/pam_timestamp.c
@@ -158,7 +158,7 @@ check_tty(const char *tty)
 		tty = strrchr(tty, '/') + 1;
 	}
 	/* Make sure the tty wasn't actually a directory (no basename). */
 -	if (strlen(tty) == 0) {
 +	if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
 		return NULL;
 	}
 	return tty;
@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
 		if (pwd != NULL) {
 			ruser = pwd->pw_name;
 		}
 +	} else {
 +		/*
 +		 * This ruser is used by format_timestamp_name as a component
 +		 * of constructed timestamp pathname, so ".", "..", and '/'
 +		 * are disallowed to avoid potential path traversal issues.
 +		 */
 +		if (!strcmp(ruser, ".") ||
 +		    !strcmp(ruser, "..") ||
 +		    strchr(ruser, '/')) {
 +			ruser = NULL;
 +		}
 	}
 	if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
 		*ruserbuf = '\0';
--- a/pam-CVE-2013-7041.patch
+++ b/pam-CVE-2013-7041.patch
@ -0,0 +1,36 @@
 diff -pruN a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
 --- a/modules/pam_userdb/pam_userdb.c	2011-06-21 16:04:56.000000000 +0700
 +++ b/modules/pam_userdb/pam_userdb.c	2014-08-28 17:41:35.243954732 +0700
@@ -214,24 +214,23 @@ user_lookup (pam_handle_t *pamh, const c
 	  /* crypt(3) password storage */
 	  char *cryptpw;
 -	  char salt[2];
 -	  if (data.dsize != 13) {
 +	  if (data.dsize < 13) {
 	    compare = -2;
 	  } else if (ctrl & PAM_ICASE_ARG) {
 	    compare = -2;
 	  } else {
 -	    salt[0] = *data.dptr;
 -	    salt[1] = *(data.dptr + 1);
 +	    cryptpw = crypt (pass, data.dptr);
 -	    cryptpw = crypt (pass, salt);
 -
 -	    if (cryptpw) {
 -	      compare = strncasecmp (data.dptr, cryptpw, data.dsize);
 +	    if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
 +	      compare = memcmp(data.dptr, cryptpw, data.dsize);
 	    } else {
 	      compare = -2;
 	      if (ctrl & PAM_DEBUG_ARG) {
 -		pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
 +		if (cryptpw)
 +		    pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
 +		else
 +		    pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
 	      }
 	    };
--- a/pam.spec
+++ b/pam.spec
@ -19,7 +19,7 @@ Epoch:	1
 Summary:	A security tool which provides authentication for applications
 Name:		pam
 Version:	1.1.4
-Release:	15
+Release:	16
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 License:	BSD and GPLv2+
@ -72,6 +72,7 @@ Patch702:	Linux-PAM-1.1.4-add-now-missing-nis-constant.patch
 # (akdengi> add user to default group users which need for Samba
 Patch801:	Linux-PAM-1.1.4-group_add_users.patch
 Patch802:	pam-CVE-2014-2583.patch
 Patch803:	pam-CVE-2013-7041.patch
 BuildRequires:	selinux-devel >= 2.1.6-7
 BuildRequires:	bison
@ -177,6 +178,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules
 %patch702 -p1 -b .nis_const~
 %patch801 -p1 -b .group_users
 %patch802 -p1
 %patch803 -p1
 # 08/08/2008 - vdanen - make pam provide pam_unix until we can work out all the issues in pam_tcb; this
 # just makes things easier but is not meant to be a permanent solution
@ -334,6 +336,11 @@ fi
 %changelog
 * Fri Aug 28 2014 Kuzma Kazygashev <kuzma.kazygashev@rosalab.ru> 1.1.14-16
 - Added security fix for CVE-2013-7041
 * Wed Jul 23 2014 Danila Leontiev <danila.leontiev@rosalab.ru> 1.1.14-15
 - Added security fix for CVE-2014-2583
 * Tue Feb 26 2013 Alexander Romanov <a.romanov@rosa-ntcit.ru>
 - Rosa initial commit