[src/trunk]: src/dist/openpam/lib Don't allow '/' characters in the "service"...

[drochner <drochner%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/32c07847f9eb
branches:  trunk
changeset: 771115:32c07847f9eb
user:      drochner <drochner%NetBSD.org@localhost>
date:      Wed Nov 09 20:26:41 2011 +0000

description:
Don't allow '/' characters in the "service" argument to pam_start()
The "service" is blindly appended to config directories ("/etc/pam.d/"),
and if a user can control the "service" it can get PAM to read config
files from any location.
This is not a problem with most software because the "service" is
usually a constant string. The check protects 3rd party software
from being abused.
(CVE-2011-4122)

diffstat:

 dist/openpam/lib/openpam_configure.c |  8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

diffs (25 lines):

diff -r 2bf0675b2c25 -r 32c07847f9eb dist/openpam/lib/openpam_configure.c
--- a/dist/openpam/lib/openpam_configure.c      Wed Nov 09 20:17:44 2011 +0000
+++ b/dist/openpam/lib/openpam_configure.c      Wed Nov 09 20:26:41 2011 +0000
@@ -32,7 +32,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: openpam_configure.c,v 1.5 2008/01/27 01:22:59 christos Exp $
+ * $Id: openpam_configure.c,v 1.6 2011/11/09 20:26:41 drochner Exp $
  */
 
 #include <ctype.h>
@@ -289,6 +289,12 @@
        size_t len;
        int r;
 
+       /* don't allow to escape from policy_path */
+       if (strchr(service, '/')) {
+               openpam_log(PAM_LOG_ERROR, "illegal service \"%s\"", service);
+               return (-PAM_SYSTEM_ERR);
+       }
+
        for (path = openpam_policy_path; *path != NULL; ++path) {
                len = strlen(*path);
                if ((*path)[len - 1] == '/') {