Package: pam-pgsql
Version: 0.7.1-4
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu natty ubuntu-patch

In Ubuntu, the attached patch was applied to achieve the following:

  * debian/patches/ipaddr-crash.patch: fix crash on long addresses that
    trigger signedness in "%d" (LP: #722386, Closes: 603436).

Thanks for considering the patch.

-Kees

-- System Information:
Debian Release: squeeze/sid
  APT prefers natty
  APT policy: (500, 'natty')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-3-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru pam-pgsql-0.7.1/debian/changelog pam-pgsql-0.7.1/debian/changelog
diff -Nru pam-pgsql-0.7.1/debian/control pam-pgsql-0.7.1/debian/control
--- pam-pgsql-0.7.1/debian/control	2010-09-11 12:51:51.000000000 -0700
+++ pam-pgsql-0.7.1/debian/control	2011-02-21 11:08:27.000000000 -0800
@@ -1,7 +1,8 @@
 Source: pam-pgsql
 Section: admin
 Priority: extra
-Maintainer: Jan Dittberner <ja...@debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-disc...@lists.ubuntu.com>
+XSBC-Original-Maintainer: Jan Dittberner <ja...@debian.org>
 Standards-Version: 3.9.1
 Build-Depends: debhelper (>= 7.0.50~), autotools-dev, libpam0g-dev,
  libpq-dev, libmhash-dev, autoconf, automake, libtool
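Review bot: the Maintainer / XSBC-Original-Maintainer swap in debian/control is Ubuntu packaging metadata and has nothing to do with the crash fix. When merging into the Debian package, drop this hunk and take only debian/patches/ipaddr-crash.patch plus its debian/patches/series entry.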
diff -Nru pam-pgsql-0.7.1/debian/patches/ipaddr-crash.patch pam-pgsql-0.7.1/debian/patches/ipaddr-crash.patch
--- pam-pgsql-0.7.1/debian/patches/ipaddr-crash.patch	1969-12-31 16:00:00.000000000 -0800
+++ pam-pgsql-0.7.1/debian/patches/ipaddr-crash.patch	2011-02-21 11:06:47.000000000 -0800
@@ -0,0 +1,20 @@
+Description: this could crash the PAM stack when octets were greater
+ that 127 due to %d seeing the values as signed. For example,
+ 124.198.140.142 was 124.-58.-116.-114 and would overflow the buffer.
+Author: Kees Cook <k...@ubuntu.com>
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603436
+Bug-Ubuntu: https://bugs.launchpad.net/debian/+source/pam-pgsql/+bug/722386
+
+Index: pam-pgsql-0.7.1/src/backend_pgsql.c
+===================================================================
+--- pam-pgsql-0.7.1.orig/src/backend_pgsql.c	2011-02-21 11:02:01.988939251 -0800
++++ pam-pgsql-0.7.1/src/backend_pgsql.c	2011-02-21 11:04:32.410822785 -0800
+@@ -205,7 +205,7 @@
+ 	if(rhost != NULL && (hentry = gethostbyname(rhost)) != NULL) {
+ 		/* Make IP string */
+ 		raddr = malloc(16);
+-		sprintf(raddr, "%d.%d.%d.%d",
++		sprintf(raddr, "%hhu.%hhu.%hhu.%hhu",
+ 			hentry->h_addr_list[0][0],
+ 			hentry->h_addr_list[0][1],
+ 			hentry->h_addr_list[0][2],
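Review bot: the write into raddr in the @@ -205,7 hunk is still an unbounded sprintf into an unchecked malloc(16). With "%hhu" the longest output is 15 characters plus the terminator, so it fits the buffer exactly and leaves no margin. Suggest checking raddr for NULL and using snprintf(raddr, 16, ...) so a later format change cannot overflow again. The visible condition only tests rhost and hentry, so it would also be worth confirming hentry->h_addrtype is AF_INET before reading four octets from h_addr_list[0]. Minor: in the Description header, "greater that 127" should read "greater than 127".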
diff -Nru pam-pgsql-0.7.1/debian/patches/series pam-pgsql-0.7.1/debian/patches/series
--- pam-pgsql-0.7.1/debian/patches/series	2010-09-11 12:51:51.000000000 -0700
+++ pam-pgsql-0.7.1/debian/patches/series	2011-02-21 11:01:56.000000000 -0800
@@ -1,3 +1,4 @@
 ftbfs_441679.patch
 md5_64bit_584683.patch
 md5postgres_594721.patch
+ipaddr-crash.patch
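
Added example, not part of the original report or of pam-pgsql: a C sketch that measures how many bytes the "%d" and "%hhu" formats need for the address quoted in the patch description, plus a bounded formatter. The function names and RADDR_SIZE are assumptions made for illustration; the signed char casts stand in for platforms where plain char is signed.

```c
#include <stdio.h>
#include <string.h>

#define RADDR_SIZE 16 /* assumption: mirrors the malloc(16) in the hunk */

/* Bytes needed (including NUL) by the pre-patch "%d" format when the
 * octets arrive as signed char, as on platforms where char is signed. */
static int needed_with_d(const unsigned char o[4])
{
    return snprintf(NULL, 0, "%d.%d.%d.%d",
                    (signed char)o[0], (signed char)o[1],
                    (signed char)o[2], (signed char)o[3]) + 1;
}

/* Bytes needed (including NUL) by the patched "%hhu" format for the
 * same sign-extended arguments; printf narrows each to unsigned char. */
static int needed_with_hhu(const unsigned char o[4])
{
    return snprintf(NULL, 0, "%hhu.%hhu.%hhu.%hhu",
                    (int)(signed char)o[0], (int)(signed char)o[1],
                    (int)(signed char)o[2], (int)(signed char)o[3]) + 1;
}

/* Bounded formatter: returns 0 on success, -1 if buf is too small. */
static int format_ipv4(char *buf, size_t len, const unsigned char o[4])
{
    int n = snprintf(buf, len, "%u.%u.%u.%u",
                     (unsigned)o[0], (unsigned)o[1],
                     (unsigned)o[2], (unsigned)o[3]);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    /* Address taken from the patch description. */
    const unsigned char addr[4] = {124, 198, 140, 142};
    char raddr[RADDR_SIZE];

    printf("%%d needs %d bytes, %%hhu needs %d bytes, buffer is %d\n",
           needed_with_d(addr), needed_with_hhu(addr), RADDR_SIZE);
    if (format_ipv4(raddr, sizeof raddr, addr) == 0)
        printf("bounded result: %s\n", raddr);
    return 0;
}
```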
