402391 – pam_xauth frees putenv'd string

Bug 402391 - pam_xauth frees putenv'd string

Summary: pam_xauth frees putenv'd string

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	pam
Sub Component:
Version:	5.1
Hardware:	All
OS:	Linux
Priority:	low
Severity:	high
Target Milestone:	---
Target Release:	---
Assignee:	Tomas Mraz
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-11-28 08:27 UTC by Tomas Mraz
Modified:	2008-05-21 17:27 UTC (History)
CC List:	1 user (show)
Fixed In Version:	RHBA-2008-0336
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-05-21 17:27:13 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2008:0336	0	normal	SHIPPED_LIVE	pam bug fix, and enhancement update	2008-05-20 13:23:47 UTC

Description Tomas Mraz 2007-11-28 08:27:51 UTC

+++ This bug was initially created as a clone of Bug #402101 +++

Description of problem:

pam_xauth's pam_sm_open_session() calls putenv() to put a string into the
environment, and then frees that string, leaving the environment with a pointer
to free memory.  It also calls pam_putenv(), so the value it sets normally makes
it into the environment anyway, but the presence of the pointer to freed memory
can result in either complete garbage or a reallocated buffer finding its way
back into the environment.  It can also result in the same variable appearing
twice in the environment vector (see below), though the shell generally corrects
this by discarding all but one of the duplicates.

In our case, we noticed that when su called pam_getenvlist, one of the resulting
malloc'd strings was occupying the block freed by pam_xauth.  This meant the
string in question appeared already in the environment; in our case, prior to
another existing value, which meant that both values were exported.  Of course,
this is only one manifestation of the problem; however, we noticed debugging su
that the environment corruption first appeared while pam_open_session() was
running, and temporarily removing the entry in /etc/pam.d/su that invokes
pam_xauth made the problem go away.

We noticed this in pam-0.99.7.1-5.fc7 on i386 F7, but the problem is not
platform specific and CVS shows that the bug has been present in upstream
pam_xauth since at least Linux-PAM 0.80.

This problem was recently fixed upstream; the fix appears in Linux-PAM 0.99.9.


I am giving this severity "high" because it affects privileged code including
suid programs such as "su", and while I can't prove that an attacker can exploit
the bug to scribble on such a program's memory, I also cannot rule out that
possibility.

Comment 1 RHEL Program Management 2007-11-28 08:34:21 UTC

This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 8 errata-xmlrpc 2008-05-21 17:27:13 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0336.html

Note You need to log in before you can comment on or make changes to this bug.