diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-11:10.pam.asc')
| -rw-r--r-- | share/security/advisories/FreeBSD-SA-11:10.pam.asc | 186 |
1 files changed, 0 insertions, 186 deletions
diff --git a/share/security/advisories/FreeBSD-SA-11:10.pam.asc b/share/security/advisories/FreeBSD-SA-11:10.pam.asc deleted file mode 100644 index f4b16e796d..0000000000 --- a/share/security/advisories/FreeBSD-SA-11:10.pam.asc +++ /dev/null @@ -1,186 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 - -============================================================================= -FreeBSD-SA-11:10.pam Security Advisory - The FreeBSD Project - -Topic: pam_start() does not validate service names - -Category: contrib -Module: pam -Announced: 2011-12-23 -Credits: Matthias Drochner -Affects: All supported versions of FreeBSD. -Corrected: 2011-12-13 13:03:11 UTC (RELENG_7, 7.4-STABLE) - 2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5) - 2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9) - 2011-12-13 13:02:52 UTC (RELENG_8, 8.2-STABLE) - 2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5) - 2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7) - 2011-12-13 12:59:39 UTC (RELENG_9, 9.0-STABLE) - 2011-12-13 13:02:31 UTC (RELENG_9_0, 9.0-RELEASE) -CVE Name: CVE-2011-4122 - -For general information regarding FreeBSD Security Advisories, -including descriptions of the fields above, security branches, and the -following sections, please visit <URL:http://security.FreeBSD.org/>. - -I. Background - -The PAM (Pluggable Authentication Modules) library provides a flexible -framework for user authentication and session setup / teardown. It is -used not only in the base system, but also by a large number of -third-party applications. - -Various authentication methods (UNIX, LDAP, Kerberos etc.) are -implemented in modules which are loaded and executed according to -predefined, named policies. These policies are defined in -/etc/pam.conf, /etc/pam.d/<policy name>, /usr/local/etc/pam.conf or -/usr/local/etc/pam.d/<policy name>. - -The PAM API is a de facto industry standard which has been implemented -by several parties. FreeBSD uses the OpenPAM implementation. - -II. Problem Description - -Some third-party applications, including KDE's kcheckpass command, -allow the user to specify the name of the policy on the command line. -Since OpenPAM treats the policy name as a path relative to /etc/pam.d -or /usr/local/etc/pam.d, users who are permitted to run such an -application can craft their own policies and cause the application -to load and execute their own modules. - -III. Impact - -If an application that runs with root privileges allows the user to -specify the name of the PAM policy to load, users who are permitted to -run that application will be able to execute arbitrary code with root -privileges. - -There are no vulnerable applications in the base system. - -IV. Workaround - -No workaround is available, but systems without untrusted users are -not vulnerable. - -Inspect any third-party setuid / setgid binaries which use the PAM -library and ascertain whether they allow the user to specify the -policy name, then either change the binary's permissions to prevent -its use or remove it altogether. - -The following command will output a non-zero number if a dynamically -linked binary uses libpam: - -# ldd /usr/local/bin/suspicious_binary | grep -c libpam - -The following command will output a non-zero number if a statically -linked binary uses libpam: - -# grep -acF "/etc/pam.d/" /usr/local/bin/suspicious_binary - -V. Solution - -Perform one of the following: - -1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to -the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security -branch dated after the correction date. - -2) To update your vulnerable system via a source code patch: - -The following patches have been verified to apply to FreeBSD 7.4, 7.3, -8.2 and 8.1 systems. - -a) Download the relevant patch from the location below, and verify the -detached PGP signature using your PGP utility. - -# fetch http://security.FreeBSD.org/patches/SA-11:10/pam.patch -# fetch http://security.FreeBSD.org/patches/SA-11:10/pam.patch.asc - -b) Execute the following commands as root: - -# cd /usr/src -# patch < /path/to/patch -# cd /usr/src/lib/libpam -# make obj && make depend && make && make install - -NOTE: On the amd64 platform, the above procedure will not update the -lib32 (i386 compatibility) libraries. On amd64 systems where the i386 -compatibility libraries are used, the operating system should instead -be recompiled as described in -<URL:http://www.FreeBSD.org/handbook/makeworld.html> - -3) To update your vulnerable system via a binary patch: - -Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on -the i386 or amd64 platforms can be updated via the freebsd-update(8) -utility: - -# freebsd-update fetch -# freebsd-update install - -VI. Correction details - -The following list contains the revision numbers of each file that was -corrected in FreeBSD. - -CVS: - -Branch Revision - Path -- ------------------------------------------------------------------------- -RELENG_7 - src/contrib/openpam/lib/openpam_configure.c 1.1.1.7.20.2 -RELENG_7_4 - src/UPDATING 1.507.2.36.2.7 - src/sys/conf/newvers.sh 1.72.2.18.2.10 - src/contrib/openpam/lib/openpam_configure.c 1.1.1.7.20.1.8.1 -RELENG_7_3 - src/UPDATING 1.507.2.34.2.11 - src/sys/conf/newvers.sh 1.72.2.16.2.13 - src/contrib/openpam/lib/openpam_configure.c 1.1.1.7.20.1.6.1 -RELENG_8 - src/contrib/openpam/lib/openpam_configure.c 1.1.1.8.2.1 -RELENG_8_2 - src/UPDATING 1.632.2.19.2.7 - src/sys/conf/newvers.sh 1.83.2.12.2.10 - src/contrib/openpam/lib/openpam_configure.c 1.1.1.8.8.1 -RELENG_8_1 - src/UPDATING 1.632.2.14.2.10 - src/sys/conf/newvers.sh 1.83.2.10.2.11 - src/contrib/openpam/lib/openpam_configure.c 1.1.1.8.6.1 -RELENG_9 - src/contrib/openpam/lib/openpam_configure.c 1.1.1.8.10.1 -RELENG_9_0 - src/contrib/openpam/lib/openpam_configure.c 1.1.1.8.12.1 -- ------------------------------------------------------------------------- - -Subversion: - -Branch/path Revision -- ------------------------------------------------------------------------- -stable/7/ r228467 -releng/7.4/ r228843 -releng/7.3/ r228843 -stable/8/ r228466 -releng/8.2/ r228843 -releng/8.1/ r228843 -stable/9/ r228464 -releng/9.0/ r228465 -- ------------------------------------------------------------------------- - -VII. References - -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4122 - -The latest revision of this advisory is available at -http://security.FreeBSD.org/advisories/FreeBSD-SA-11:10.pam.asc ------BEGIN PGP SIGNATURE----- -Version: GnuPG v2.0.18 (FreeBSD) - -iEYEARECAAYFAk70nOoACgkQFdaIBMps37KEWgCgiD/7EymFrnFueD7yyLiI3hLV -lU4An2FUTQRJ0GakViobm9ejHdfmf2Vb -=9COS ------END PGP SIGNATURE----- |