X Strike Force XFree86 SVN commit: rev 959 - in branches/4.1.0/woody/debian: . patches
Author: branden
Date: 2004-01-22 10:26:39 -0500 (Thu, 22 Jan 2004)
New Revision: 959
Added:
branches/4.1.0/woody/debian/patches/073_SECURITY_xdm_pam_setcred_error_handling.diff
Modified:
branches/4.1.0/woody/debian/changelog
Log:
Patch xdm to call pam_strerror(), log the returned error, and exit the
StartClient() function with a zero exit status (failure) if pam_setcred()
returns a value other than PAM_SUCCESS. (Resolves CAN-2003-0690.)
Modified: branches/4.1.0/woody/debian/changelog
===================================================================
--- branches/4.1.0/woody/debian/changelog 2004-01-22 01:58:23 UTC (rev 958)
+++ branches/4.1.0/woody/debian/changelog 2004-01-22 15:26:39 UTC (rev 959)
@@ -1,3 +1,18 @@
+xfree86 (4.1.0-16woody2) stable-security; urgency=high
+
+ * Security update release. Resolves the following issue:
+ + CAN-2003-0690: xdm does not verify whether the pam_setcred function call
+ succeeds, which may allow attackers to gain root privileges by
+ triggering error conditions within PAM modules, as demonstrated in
+ certain configurations of the MIT pam_krb5 module.
+
+ * Patch xdm to call pam_strerror(), log the returned error, and exit the
+ StartClient() function with a zero exit status (failure) if pam_setcred()
+ returns a value other than PAM_SUCCESS.
+ - debian/patches/073_SECURITY_xdm_pam_setcred_error_handling.diff
+
+ -- Branden Robinson <branden@debian.org> Wed, 21 Jan 2004 17:19:48 -0500
+
xfree86 (4.1.0-16woody1) stable-security; urgency=high
* Security update release. Resolves the following issues:
Added: branches/4.1.0/woody/debian/patches/073_SECURITY_xdm_pam_setcred_error_handling.diff
===================================================================
--- branches/4.1.0/woody/debian/patches/073_SECURITY_xdm_pam_setcred_error_handling.diff 2004-01-22 01:58:23 UTC (rev 958)
+++ branches/4.1.0/woody/debian/patches/073_SECURITY_xdm_pam_setcred_error_handling.diff 2004-01-22 15:26:39 UTC (rev 959)
@@ -0,0 +1,33 @@
+$Id$
+
+xc/programs/xdm/session.c @ 3.36
+ Handle errors from pam_setcred(), reporting them with pam_strerror().
+ (Matthieu Herrb, Branden Robinson)
+
+--- xc/programs/xdm/session.c.orig 2004-01-21 17:07:49.000000000 -0500
++++ xc/programs/xdm/session.c 2004-01-21 17:09:21.000000000 -0500
+@@ -531,8 +531,9 @@
+ #ifdef HAS_SETUSERCONTEXT
+ struct passwd* pwd;
+ #endif
+-#ifdef USE_PAM
++#ifdef USE_PAM
+ pam_handle_t *pamh = thepamh();
++ int pam_error;
+ #endif
+
+ if (verify->argv) {
+@@ -595,7 +596,12 @@
+ #endif /* QNX4 doesn't support multi-groups, no initgroups() */
+ #ifdef USE_PAM
+ if (thepamh()) {
+- pam_setcred(thepamh(), PAM_ESTABLISH_CRED);
++ pam_error = pam_setcred (pamh, PAM_ESTABLISH_CRED);
++ if (pam_error != PAM_SUCCESS) {
++ LogError ("pam_setcred for \"%s\" failed: %s\n",
++ name, pam_strerror(pamh, pam_error));
++ return(0);
++ }
+ }
+ #endif
+ if (setuid(verify->uid) < 0)
Property changes on: branches/4.1.0/woody/debian/patches/073_SECURITY_xdm_pam_setcred_error_handling.diff
___________________________________________________________________
Name: svn:keywords
+ Id
Reply to: