Bug 402101 - pam_xauth frees putenv'd string
pam_xauth frees putenv'd string
Product: Fedora
Classification: Fedora
Component: pam (Show other bugs)
All Linux
low Severity high
: ---
: ---
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2007-11-27 21:48 EST by Jeffrey Hutzelman
Modified: 2007-12-15 12:46 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-12-15 12:46:24 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jeffrey Hutzelman 2007-11-27 21:48:03 EST
Description of problem:

pam_xauth's pam_sm_open_session() calls putenv() to put a string into the
environment, and then frees that string, leaving the environment with a pointer
to free memory.  It also calls pam_putenv(), so the value it sets normally makes
it into the environment anyway, but the presence of the pointer to freed memory
can result in either complete garbage or a reallocated buffer finding its way
back into the environment.  It can also result in the same variable appearing
twice in the environment vector (see below), though the shell generally corrects
this by discarding all but one of the duplicates.

In our case, we noticed that when su called pam_getenvlist, one of the resulting
malloc'd strings was occupying the block freed by pam_xauth.  This meant the
string in question appeared already in the environment; in our case, prior to
another existing value, which meant that both values were exported.  Of course,
this is only one manifestation of the problem; however, we noticed debugging su
that the environment corruption first appeared while pam_open_session() was
running, and temporarily removing the entry in /etc/pam.d/su that invokes
pam_xauth made the problem go away.

We noticed this in pam- on i386 F7, but the problem is not
platform specific and CVS shows that the bug has been present in upstream
pam_xauth since at least Linux-PAM 0.80.

This problem was recently fixed upstream; the fix appears in Linux-PAM 0.99.9.

I am giving this severity "high" because it affects privileged code including
suid programs such as "su", and while I can't prove that an attacker can exploit
the bug to scribble on such a program's memory, I also cannot rule out that
Comment 1 Tomas Mraz 2007-11-28 03:31:05 EST
I don't think this bug is exploitable at all, it just means that the environment
can contain some garbage. Manipulating it to contain some meaningful garbage
which would affect the suid program's execution would be pretty hard and
probably even impossible.  Although I agree that the bug is worth fixing.
Comment 2 Fedora Update System 2007-11-28 20:40:25 EST
pam- has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update pam'
Comment 3 Fedora Update System 2007-12-15 12:46:23 EST
pam- has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.