From 430b952f8e781f57f9b863c7cddbd4112f0bfc7d Mon Sep 17 00:00:00 2001
From: Tomáš Mráz
Date: Nov 02 2009 07:56:12 +0000
Subject: - pam_console: fix memory corruption when executing handlers (patch by Stas Sergeev) and a few more fixes in the handler execution code (#532302)
---
diff --git a/pam-1.1.0-console-fixes.patch b/pam-1.1.0-console-fixes.patch
new file mode 100644
index 0000000..08cd4c6
--- /dev/null
+++ b/pam-1.1.0-console-fixes.patch
@@ -0,0 +1,71 @@
+diff -up Linux-PAM-1.1.0/modules/pam_console/handlers.c.consolefix Linux-PAM-1.1.0/modules/pam_console/handlers.c
+--- Linux-PAM-1.1.0/modules/pam_console/handlers.c.consolefix 2009-11-02 08:45:24.000000000 +0100
++++ Linux-PAM-1.1.0/modules/pam_console/handlers.c 2009-11-02 08:50:19.000000000 +0100
+@@ -172,13 +172,13 @@ call_exec(struct console_handler *handle
+ const char *flagptr;
+ const char **argv;
+ int i = 0;
+- argv = malloc(sizeof(*argv)*nparams+2);
+-
++ argv = malloc(sizeof(*argv)*(nparams+2));
++
+ if (argv == NULL)
+ return;
+-
++
+ argv[i++] = handler->executable;
+-
++
+ for (flagptr = handler->flags; *flagptr != '\0'; flagptr += strlen(flagptr)+1) {
+ switch (testflag(flagptr)) {
+ case HF_LOGFAIL:
+@@ -231,7 +231,7 @@ execute_handler(pam_handle_t *pamh, stru
+ }
+
+ sighandler = signal(SIGCHLD, SIG_DFL);
+-
++
+ child = fork();
+ switch (child) {
+ case -1:
+@@ -246,30 +246,31 @@ execute_handler(pam_handle_t *pamh, stru
+ if (!wait_exit) {
+ switch(fork()) {
+ case 0:
+- exit(0);
++ if(setsid() == -1) {
++ _exit(255);
++ }
++ break;
+ case -1:
+- exit(255);
++ _exit(255);
+ default:
+- if(setsid() == -1) {
+- exit(255);
+- }
++ _exit(0);
+ }
+ }
+ if (set_uid) {
+ struct passwd *pw;
+ pw = getpwnam(user);
+ if (pw == NULL)
+- exit(255);
++ _exit(255);
+ if (setgid(pw->pw_gid) == -1 ||
+ setuid(pw->pw_uid) == -1)
+- exit(255);
++ _exit(255);
+ }
+ call_exec(handler, nparams, user, tty);
+- exit(255);
++ _exit(255);
+ default:
+ break;
+ }
+-
++
+ waitpid(child, &rv, 0);
+
+ if (sighandler != SIG_ERR)
diff --git a/pam.spec b/pam.spec
index 738acb2..2f53461 100644
--- a/pam.spec
+++ b/pam.spec
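Review bot: The `set_uid` branch of execute_handler switches identity with `setgid(pw->pw_gid)` and `setuid(pw->pw_uid)` only, so the handler inherits the supplementary group list of the calling process; when the caller is root, the handler keeps root's supplementary groups after the drop. Resetting the list first, with `if (initgroups(pw->pw_name, pw->pw_gid) == -1) _exit(255);` placed before the `setgid()` call, would make the drop complete. In call_exec the corrected size `sizeof(*argv)*(nparams+2)` leaves room for the executable, nparams entries and a terminator, but the flag loop that fills `argv` runs past the end of the hunk, so whether it can store more than that is not visible here and is worth confirming. Both functions begin and end outside the quoted hunks.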
@@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.1.0 -Release: 6%{?dist} +Release: 7%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, License: BSD and GPLv2+ @@ -27,6 +27,7 @@ Patch3: pam-1.1.0-cracklib-authtok.patch Patch4: pam-1.1.0-console-nochmod.patch Patch5: pam-1.1.0-notally.patch Patch6: pam-1.1.0-xauth-context.patch +Patch7: pam-1.1.0-console-fixes.patch %define _sbindir /sbin %define _moduledir /%{_lib}/security @@ -93,6 +94,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules %patch4 -p1 -b .nochmod %patch5 -p1 -b .notally %patch6 -p1 -b .xauth-context +%patch7 -p1 -b .console-fixes libtoolize -f autoreconf @@ -325,6 +327,10 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Mon Nov 2 2009 Tomas Mraz 1.1.0-7 +- pam_console: fix memory corruption when executing handlers (patch by + Stas Sergeev) and a few more fixes in the handler execution code (#532302) + * Thu Oct 29 2009 Tomas Mraz 1.1.0-6 - pam_xauth: set the approprate context when creating .xauth files (#531530)