stack buffer overflow in pam_env

Bug #874469 reported by Kees Cook
Affects: pam (Ubuntu)

Bug Description

pam_env reads ~/.pam_environment by default. The routine that parses this file does not correctly validate the size of leading whitespace, and can overflow a character array on the stack. This is currently caught by the stack protections on Ubuntu, but looks to be a more serious problem on Debian which, prior to current unstable, doesn't have pam built with stack protection.

Since this is a bug in a shared library, this will crash whatever is running the code. Most pam-using applications use a separate process for these calls, so the effects should be minimal on Ubuntu, but there could be applications that don't deal well with the pam libraries suddenly exploding.

To reproduce:

perl -e 'print " " x 256, "\\";' >> ~/.pam_environment
perl -e 'print " " x 256, "\\";' >> ~/.pam_environment
perl -e 'print " " x 256, "\\";' >> ~/.pam_environment
perl -e 'print " " x 256, "\\";' >> ~/.pam_environment
perl -e 'print "A" x 256;' >> ~/.pam_environment

Logging in will be violently disabled:
*** stack smashing detected ***: sshd: kees [priv] terminated
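Added example, not code from the bug report or from Linux-PAM's pam_env.c: a model of the continuation-line reader described above, hardened so that the remaining space is derived from the write pointer rather than a separately kept count, which is what keeps leading whitespace stored by fgets() from going uncounted. `assemble_line` and `run_repro` are hypothetical names, and the input is constructed from the reproducer above.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Read one logical line (physical lines joined by a trailing backslash)
 * into out[outsz], dropping each physical line's leading whitespace.
 * Returns the logical line length, 0 at EOF, or -1 if it does not fit. */
int assemble_line(FILE *f, char *out, size_t outsz)
{
    char *p = out;                          /* next free byte */
    out[0] = '\0';
    for (;;) {
        /* Remaining room is derived from the write pointer, so the leading
         * whitespace that fgets() stores (and we then discard) is counted. */
        size_t room = outsz - (size_t)(p - out);
        if (room < 2 || fgets(p, (int)room, f) == NULL)
            return (p == out && room >= 2) ? 0 : -1;   /* EOF, or no room */
        if (strchr(p, '\n') == NULL && !feof(f))
            return -1;                      /* physical line did not fit */
        size_t skip = strspn(p, " \t");     /* drop leading whitespace */
        memmove(p, p + skip, strlen(p + skip) + 1);
        char *e = p + strlen(p);            /* trim trailing blanks and '\n' */
        while (e > p && (e[-1] == ' ' || e[-1] == '\t' || e[-1] == '\n'))
            *--e = '\0';
        if (e > p && e[-1] == '\\') {       /* continuation: keep reading */
            p = e - 1; *p = '\0';
            continue;
        }
        return (int)(e - out);
    }
}

/* Hypothetical helper: constructed input mirroring the reproducer above (four
 * lines of 256 spaces ending in '\', then 256 'A's), parsed into a stack buffer. */
int run_repro(size_t bufsz)
{
    char input[5 * 260], buf[1024];
    size_t n = 0;
    for (int i = 0; i < 4; i++) {
        memset(input + n, ' ', 256); n += 256;
        input[n++] = '\\'; input[n++] = '\n';
    }
    memset(input + n, 'A', 256); n += 256;
    FILE *f = fmemopen(input, n, "r");
    if (f == NULL) return -2;
    int r = assemble_line(f, buf, bufsz < sizeof buf ? bufsz : sizeof buf);
    fclose(f);
    return r;
}
```

With a 1024-byte buffer the reproducer's input parses to the 256-byte logical line; with a buffer too small for one physical line the reader returns -1 instead of writing past the end.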

Marc Deslauriers (mdeslaur) wrote :

Please use CVE-2011-3148.

Kees Cook (kees) wrote :

I've reported this privately to upstream; waiting for a reply.

Changed in pam (Ubuntu):
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam - 1.1.3-2ubuntu2.1

pam (1.1.3-2ubuntu2.1) oneiric-security; urgency=low

  * SECURITY UPDATE: possible code execution via incorrect environment file
    parsing (LP: #874469)
    - debian/patches-applied/CVE-2011-3148.patch: correctly count leading
      whitespace when parsing environment file in modules/pam_env/pam_env.c.
    - CVE-2011-3148
  * SECURITY UPDATE: denial of service via overflowed environment variable
    expansion (LP: #874565)
    - debian/patches-applied/CVE-2011-3149.patch: when overflowing, exit
      with PAM_BUF_ERR in modules/pam_env/pam_env.c.
    - CVE-2011-3149
  * SECURITY UPDATE: code execution via incorrect environment cleaning
    - debian/patches-applied/update-motd: updated to use clean environment
      and absolute paths in modules/pam_motd/pam_motd.c.
    - CVE-2011-XXXX
 -- Marc Deslauriers <email address hidden> Tue, 18 Oct 2011 09:33:47 -0400

Changed in pam (Ubuntu):
status: Triaged → Fix Released
visibility: private → public