apply security patch for CVE-2014-3879 which fixes an incorrect error

handling in PAM policy parser http://www.freebsd.org/security/advisories/FreeBSD-SA-14:13.pam.asc
2014-06-04 08:50:08 +00:00 · 2014-06-04 08:50:08 +00:00 · 092a3bc3d8
commit 092a3bc3d8
parent 68d1fbeda9
2 changed files with 129 additions and 2 deletions
--- a/security/openpam/Makefile
+++ b/security/openpam/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.3 2013/03/11 11:41:26 espie Exp $
+# $OpenBSD: Makefile,v 1.4 2014/06/04 08:50:08 robert Exp $

 SHARED_ONLY=	Yes

@ -7,7 +7,7 @@ COMMENT=	Pluggable Authentication Module
 V=		20121009
 DISTNAME=	freebsd_pam-${V}
 PKGNAME=	openpam-${V}
-REVISION=	0
+REVISION=	1

 CATEGORIES=	security

--- a/security/openpam/patches/patch-openpam_lib_openpam_configure_c
+++ b/security/openpam/patches/patch-openpam_lib_openpam_configure_c
@ -0,0 +1,127 @@
+$OpenBSD: patch-openpam_lib_openpam_configure_c,v 1.1 2014/06/04 08:50:08 robert Exp $
+
+http://www.freebsd.org/security/advisories/FreeBSD-SA-14:13.pam.asc
+
+--- openpam/lib/openpam_configure.c.orig	Mon Sep 24 11:02:49 2012
+++ openpam/lib/openpam_configure.c	Wed Jun  4 10:46:14 2014
+@@ -1,6 +1,6 @@
+ /*-
+  * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
+- * Copyright (c) 2004-2012 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2014 Dag-Erling Smørgrav
+  * All rights reserved.
+  *
+  * This software was developed for the FreeBSD Project by ThinkSec AS and
+@@ -194,6 +194,7 @@ openpam_parse_chain(pam_handle_t *pamh,
+ 			openpam_log(PAM_LOG_ERROR,
+ 			    "%s(%d): missing or invalid facility",
+ 			    filename, lineno);
+			errno = EINVAL;
+ 			goto fail;
+ 		}
+ 		if (facility != fclt && facility != PAM_FACILITY_ANY) {
+@@ -209,18 +210,28 @@ openpam_parse_chain(pam_handle_t *pamh,
+ 				openpam_log(PAM_LOG_ERROR,
+ 				    "%s(%d): missing or invalid service name",
+ 				    filename, lineno);
+				errno = EINVAL;
+ 				goto fail;
+ 			}
+ 			if (wordv[i] != NULL) {
+ 				openpam_log(PAM_LOG_ERROR,
+ 				    "%s(%d): garbage at end of line",
+ 				    filename, lineno);
+				errno = EINVAL;
+ 				goto fail;
+ 			}
+ 			ret = openpam_load_chain(pamh, servicename, fclt);
+ 			FREEV(wordc, wordv);
+-			if (ret < 0)
+			if (ret < 0) {
+				/*
+				 * Bogus errno, but this ensures that the
+				 * outer loop does not just ignore the
+				 * error and keep searching.
+				 */
+				if (errno == ENOENT)
+					errno = EINVAL;
+ 				goto fail;
+			}
+ 			continue;
+ 		}
+ 
+@@ -230,6 +241,7 @@ openpam_parse_chain(pam_handle_t *pamh,
+ 			openpam_log(PAM_LOG_ERROR,
+ 			    "%s(%d): missing or invalid control flag",
+ 			    filename, lineno);
+			errno = EINVAL;
+ 			goto fail;
+ 		}
+ 
+@@ -239,6 +251,7 @@ openpam_parse_chain(pam_handle_t *pamh,
+ 			openpam_log(PAM_LOG_ERROR,
+ 			    "%s(%d): missing or invalid module name",
+ 			    filename, lineno);
+			errno = EINVAL;
+ 			goto fail;
+ 		}
+ 
+@@ -248,8 +261,11 @@ openpam_parse_chain(pam_handle_t *pamh,
+ 		this->flag = ctlf;
+ 
+ 		/* load module */
+-		if ((this->module = openpam_load_module(modulename)) == NULL)
+		if ((this->module = openpam_load_module(modulename)) == NULL) {
+			if (errno == ENOENT)
+				errno = ENOEXEC;
+ 			goto fail;
+		}
+ 
+ 		/*
+ 		 * The remaining items in wordv are the module's
+@@ -282,7 +298,11 @@ openpam_parse_chain(pam_handle_t *pamh,
+ 	 * The loop ended because openpam_readword() returned NULL, which
+ 	 * can happen for four different reasons: an I/O error (ferror(f)
+ 	 * is true), a memory allocation failure (ferror(f) is false,
+-	 * errno is non-zero)
+	 * feof(f) is false, errno is non-zero), the file ended with an
+	 * unterminated quote or backslash escape (ferror(f) is false,
+	 * feof(f) is true, errno is non-zero), or the end of the file was
+	 * reached without error (ferror(f) is false, feof(f) is true,
+	 * errno is zero).
+ 	 */
+ 	if (ferror(f) || errno != 0)
+ 		goto syserr;
+@@ -411,6 +431,9 @@ openpam_load_chain(pam_handle_t *pamh,
+ 		}
+ 		ret = openpam_load_file(pamh, service, facility,
+ 		    filename, style);
+		/* success */
+		if (ret > 0)
+			RETURNN(ret);
+ 		/* the file exists, but an error occurred */
+ 		if (ret == -1 && errno != ENOENT)
+ 			RETURNN(ret);
+@@ -420,7 +443,8 @@ openpam_load_chain(pam_handle_t *pamh,
+ 	}
+ 
+ 	/* no hit */
+-	RETURNN(0);
+	errno = ENOENT;
+	RETURNN(-1);
+ }
+ 
+ /*
+@@ -441,8 +465,10 @@ openpam_configure(pam_handle_t *pamh,
+ 		openpam_log(PAM_LOG_ERROR, "invalid service name");
+ 		RETURNC(PAM_SYSTEM_ERR);
+ 	}
+-	if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) < 0)
+-		goto load_err;
+	if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) < 0) {
+		if (errno != ENOENT)
+			goto load_err;
+	}
+ 	for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) {
+ 		if (pamh->chains[fclt] != NULL)
+ 			continue;