stack buffer overflow in pam_env
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| pam (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
pam_env reads ~/.pam_environment by default. The routine that parses this file does not correctly validate the size of leading whitespace, and can overflow a character array on the stack. This is currently caught by the stack protections on Ubuntu, but looks to be a more serious problem on Debian which, prior to current unstable, doesn't have pam built with stack protection.
Since this is a bug in a shared library, this will crash whatever is running the code. Most pam-using applications use a separate process for these calls, so the effects should be minimal on Ubuntu, but there could be applications that don't deal well with the pam libraries suddenly exploding.
To reproduce:
perl -e 'print " " x 256, "\\";' >> ~/.pam_environment
perl -e 'print " " x 256, "\\";' >> ~/.pam_environment
perl -e 'print " " x 256, "\\";' >> ~/.pam_environment
perl -e 'print " " x 256, "\\";' >> ~/.pam_environment
perl -e 'print "A" x 256;' >> ~/.pam_environment
Logging in will be violently disabled:
*** stack smashing detected ***: sshd: kees [priv] terminated
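As an added illustration (not pam_env's code and not part of the report), the following C model shows the bound check whose absence the report describes: physical lines joined by a trailing backslash are assembled into a fixed-size stack buffer, and leading whitespace is counted against that bound instead of being assumed to fit. The 1024-byte buffer, the function names and the in-memory copy of the reproducer are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed-size stack buffer standing in for the character array
 * the report describes (assumption for this example, not pam_env's value). */
#define LINE_BUF 1024

/* Assemble one logical line from `src`: a physical line ending in a backslash
 * is joined with the next one. Leading whitespace is copied verbatim and
 * counted against the bound. Returns the assembled length, or -1 when the
 * logical line would not fit in out[outsz] (the case that used to overflow). */
static int assemble_line(const char *src, char *out, size_t outsz)
{
    size_t used = 0;
    const char *p = src;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    for (;;) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        int cont = (len > 0 && p[len - 1] == '\\');

        if (cont)
            len--;                       /* drop the continuation backslash */
        if (len > outsz - 1 - used)      /* the missing check: refuse, don't overflow */
            return -1;
        memcpy(out + used, p, len);
        used += len;
        out[used] = '\0';
        if (!cont || !eol)
            break;                       /* end of logical line or of input */
        p = eol + 1;
    }
    return (int)used;
}

/* Helper: assemble `src` and compare with the expected logical line. */
static int assembled_equals(const char *src, const char *expect)
{
    char out[LINE_BUF];
    return assemble_line(src, out, sizeof out) >= 0 && strcmp(out, expect) == 0;
}

/* Build the report's reproducer in memory (constructed input, not a real
 * ~/.pam_environment): four lines of `ws` spaces ending in a backslash, then
 * `tail` 'A' characters. Returns what assemble_line returns for it. */
static int check_repro(size_t ws, size_t tail)
{
    static char src[8192];
    char out[LINE_BUF];
    size_t n = 0;

    if (4 * (ws + 2) + tail + 1 > sizeof src)
        return -2;
    for (int i = 0; i < 4; i++) {
        memset(src + n, ' ', ws);
        n += ws;
        src[n++] = '\\';
        src[n++] = '\n';
    }
    memset(src + n, 'A', tail);
    n += tail;
    src[n] = '\0';
    return assemble_line(src, out, sizeof out);
}
```

With the report's 256-space lines the assembled line would need 1280 bytes, so the bounded version returns -1 where an unchecked copy would smash the stack.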
Changed in pam (Ubuntu):
status: New → Triaged
visibility: private → public
Please use CVE-2011-3148.