stack buffer overflow in pam_env

Bug #874469 reported by Kees Cook
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pam (Ubuntu)
Fix Released

Bug Description

pam_env reads ~/.pam_environment by default. The routine that parses this file does not correctly validate the size of leading whitespace, and can overflow a character array on the stack. This is currently caught by the stack protections on Ubuntu, but looks to be a more serious problem on Debian which, prior to current unstable, doesn't have pam built with stack protection.

Since this is a bug in a shared library, this will crash whatever is running the code. Most pam-using applications use a separate process for these calls, so the effects should be minimal on Ubuntu, but there could be applications that don't deal well with the pam libraries suddenly exploding.

To reproduce:

perl -e 'print " " x 256, "\\";' >> ~/.pam_environment
perl -e 'print " " x 256, "\\";' >> ~/.pam_environment
perl -e 'print " " x 256, "\\";' >> ~/.pam_environment
perl -e 'print " " x 256, "\\";' >> ~/.pam_environment
perl -e 'print "A" x 256;' >> ~/.pam_environment

Logging in will be violently disabled:
*** stack smashing detected ***: sshd: kees [priv] terminated

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Please use CVE-2011-3148.

Revision history for this message
Kees Cook (kees) wrote :

I've reported this privately to upstream; waiting for a reply.

Changed in pam (Ubuntu):
status: New → Triaged
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam - 1.1.3-2ubuntu2.1

pam (1.1.3-2ubuntu2.1) oneiric-security; urgency=low

  * SECURITY UPDATE: possible code execution via incorrect environment file
    parsing (LP: #874469)
    - debian/patches-applied/CVE-2011-3148.patch: correctly count leading
      whitespace when parsing environment file in modules/pam_env/pam_env.c.
    - CVE-2011-3148
  * SECURITY UPDATE: denial of service via overflowed environment variable
    expansion (LP: #874565)
    - debian/patches-applied/CVE-2011-3149.patch: when overflowing, exit
      with PAM_BUF_ERR in modules/pam_env/pam_env.c.
    - CVE-2011-3149
  * SECURITY UPDATE: code execution via incorrect environment cleaning
    - debian/patches-applied/update-motd: updated to use clean environment
      and absolute paths in modules/pam_motd/pam_motd.c.
    - CVE-2011-XXXX
 -- Marc Deslauriers <email address hidden> Tue, 18 Oct 2011 09:33:47 -0400

Changed in pam (Ubuntu):
status: Triaged → Fix Released
visibility: private → public
visibility: private → public
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.