commit caf5e7f61c8d9288daa49b4f61962e6b1239121d
Author: Kees Cook <kees(a)debian.org>
Date: Fri Oct 14 19:32:25 2011 +0000
pam_env: correctly count leading whitespace when parsing environment file
* modules/pam_env/pam_env.c (_assemble_line): Correctly count leading
whitespace.
Fixes CVE-2011-3148.
Bug-Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469
ChangeLog | 7 +++++++
modules/pam_env/pam_env.c | 5 ++++-
2 files changed, 11 insertions(+), 1 deletions(-)
---
diff --git a/ChangeLog b/ChangeLog
index bb859b9..f823d23 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2011-10-14 Kees Cook <kees(a)debian.org>
+
+ * modules/pam_env/pam_env.c (_assemble_line): Correctly count leading
+ whitespace.
+ Fixes CVE-2011-3148.
+ Bug-Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469
+
2011-10-10 Tomas Mraz <tm(a)t8m.info>
* modules/pam_access/pam_access.c: Add hostname resolution
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index 1ec01ca..b7cd387 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -290,6 +290,7 @@ static int _assemble_line(FILE *f, char *buffer, int buf_len)
char *p = buffer;
char *s, *os;
int used = 0;
+ int whitespace;
/* loop broken with a 'break' when a non-'\\n' ended line is read */
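Review bot: `int whitespace;` is assigned the `size_t` result of `strspn()` in the second hunk, so the narrowing is implicit and would be reported under `-Wconversion`. Keeping `int` is consistent with `used` and `buf_len`, but writing the assignment as `whitespace = (int)strspn(p, " \n\t");` makes the conversion deliberate. The value is presumably bounded by the length of the line just read, which is set outside this hunk, so this is a style point rather than a defect. The body of `_assemble_line` continues beyond the hunk.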
@@ -312,8 +313,10 @@ static int _assemble_line(FILE *f, char *buffer, int buf_len)
/* skip leading spaces --- line may be blank */
- s = p + strspn(p, " \n\t");
+ whitespace = strspn(p, " \n\t");
+ s = p + whitespace;
if (*s && (*s != '#')) {
+ used += whitespace;
os = s;
/*
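Review bot: The added `used += whitespace;` carries no comment, and the line alone does not show why it is needed. As far as the hunk shows, the leading whitespace is only stepped over through `s` and stays in `buffer`, so those bytes still occupy space that `used` has to account for. I would put `/* leading whitespace stays in buffer and must count against buf_len */` directly above it. The comparison of `used` with `buf_len` lies outside this hunk, so it is worth confirming there that `used` always equals the offset of `p` from `buffer` once this change is applied. The `if` block opened here closes outside the hunk.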