[exim-dev] [Bug 2587] pam expansion condition fails on taint…

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2587] pam expansion condition fails on tainted data
https://bugs.exim.org/show_bug.cgi?id=2587

Git Commit <git@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |git@???


--- Comment #1 from Git Commit <git@???> ---
Git commit:
https://git.exim.org/exim.git/commitdiff/f7f933a199be8bb7362c715e0040545b514cddca

commit f7f933a199be8bb7362c715e0040545b514cddca
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Tue Jun 2 14:50:31 2020 +0100
Commit:     Jeremy Harris <jgh146exb@???>
CommitDate: Tue Jun 2 14:57:02 2020 +0100


    Taint: fix pam expansion condition.  Bug 2587
---
 doc/doc-txt/ChangeLog    | 5 +++++
 src/src/auths/call_pam.c | 5 ++---
 2 files changed, 7 insertions(+), 3 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index a4526ca..93bd62c 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -10,6 +10,11 @@ JH/01 Bug 1329: Fix format of Maildir-format filenames to
match other mail-
       related applications.  Previously an "H" was used where available info
       says that "M" should be, so change to match.


+JH/02 Bug 2587: Fix pam expansion condition.  Tainted values are commonly used
+      as arguments, so an implementation trying to copy these into local
+      buffer was taking a taint-enformance trap.  Fix by using dynamically
+      created buffers.
+


 Exim version 4.94
 -----------------
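Review bot: "taint-enformance" in the new JH/02 entry should read "taint-enforcement"; the entry would also be clearer if it named the mechanism, since the code hunks replace `big_buffer, big_buffer_size` with `NULL, 0` in the `string_nextinlist` calls, i.e. the caller no longer supplies a fixed buffer and the returned string is allocated for it. Suggested wording for the last sentence: "Fix by passing a NULL buffer to string_nextinlist so that it returns a dynamically allocated (taint-preserving) copy."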
diff --git a/src/src/auths/call_pam.c b/src/src/auths/call_pam.c
index 2959cbb..80bb23e 100644
--- a/src/src/auths/call_pam.c
+++ b/src/src/auths/call_pam.c
@@ -83,8 +83,7 @@ for (int i = 0; i < num_msg; i++)
     {
     case PAM_PROMPT_ECHO_ON:
     case PAM_PROMPT_ECHO_OFF:
-      arg = string_nextinlist(&pam_args, &sep, big_buffer, big_buffer_size);
-      if (!arg)
+      if (!(arg = string_nextinlist(&pam_args, &sep, NULL, 0)))
     {
     arg = US"";
     pam_arg_ended = TRUE;
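Review bot: dropping the copy into `big_buffer` also drops the `big_buffer_size` bound on each PAM argument, and this call sits inside the `for (int i = 0; i < num_msg; i++)` loop shown in the hunk header, so every prompt now gets its own allocation rather than reusing one buffer. Both are fine for the stated fix (tainted PAM arguments no longer trip the taint check on copy), but a one-line comment above the call saying that `arg` is now an allocated string whose lifetime is the current store pool would help the next reader, and it is worth confirming that nothing further down still assumes `arg` points into `big_buffer`.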
@@ -155,7 +154,7 @@ pam_arg_ended = FALSE;
 fail. PAM doesn't support authentication with an empty user (it prompts for
it,
 causing a potential mis-interpretation). */


-user = string_nextinlist(&pam_args, &sep, big_buffer, big_buffer_size);
+user = string_nextinlist(&pam_args, &sep, NULL, 0);
if (user == NULL || user[0] == 0) return FAIL;

/* Start off PAM interaction */
