1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
|
$NetBSD: patch-ab,v 1.4 2011/12/13 15:57:08 spz Exp $
- pkgsrcification
- prevention of CVE-2011-4122 taken from NetBSD src
--- lib/openpam_configure.c.orig 2007-12-21 11:36:24.000000000 +0000
+++ lib/openpam_configure.c
@@ -70,7 +70,7 @@ static int
match_word(const char *str, const char *word)
{
- while (*str && tolower(*str) == tolower(*word))
+ while (*str && tolower((unsigned char)*str) == tolower((unsigned char)*word))
++str, ++word;
return (*str == ' ' && *word == '\0');
}
@@ -194,7 +194,7 @@ openpam_read_chain(pam_handle_t *pamh,
}
/* allocate new entry */
- if ((this = calloc(1, sizeof *this)) == NULL)
+ if ((this = calloc((size_t)1, sizeof *this)) == NULL)
goto syserr;
/* control flag */
@@ -230,7 +230,7 @@ openpam_read_chain(pam_handle_t *pamh,
++this->optc;
q = next_word(q);
}
- this->optv = calloc(this->optc + 1, sizeof(char *));
+ this->optv = calloc((size_t)(this->optc + 1), sizeof(char *));
if (this->optv == NULL)
goto syserr;
for (i = 0; i < this->optc; ++i) {
@@ -263,11 +263,13 @@ openpam_read_chain(pam_handle_t *pamh,
return (-1);
}
+#ifndef SYSCONFDIR
+#define SYSCONFDIR "/usr/local/etc"
+#endif
+
static const char *openpam_policy_path[] = {
- "/etc/pam.d/",
- "/etc/pam.conf",
- "/usr/local/etc/pam.d/",
- "/usr/local/etc/pam.conf",
+ SYSCONFDIR "/pam.d/",
+ SYSCONFDIR "/pam.conf",
NULL
};
@@ -285,6 +287,12 @@ openpam_load_chain(pam_handle_t *pamh,
size_t len;
int r;
+ /* Don't allow an escape from policy_path. */
+ if (strchr(service, '/') != NULL) {
+ openpam_log(PAM_LOG_ERROR, "illegal service \"%s\"", service);
+ return (-PAM_SYSTEM_ERR);
+ }
+
for (path = openpam_policy_path; *path != NULL; ++path) {
len = strlen(*path);
if ((*path)[len - 1] == '/') {
|