Hi,
we have the following debian bug report about an security isuse in
libpam-oath (source oath-toolkit, upstream web page
http://www.nongnu.org/oath-toolkit/ ).
What is the appropriate process to get an CVE number on it? This issue
is already public, as it is documented in the debian bug tracking
system.
Andi
* Eero Häkkinen (eer...@bigfoot.com) [141106 14:31]:
> Package: libpam-oath
> Version: 2.0.2-2
> Severity: grave
> Tags: security upstream patch
>
> The OATH Toolkit PAM module does not check whether strdup allocations
> succeeded. This may result in null pointer dereference and application
> crash.
>
> Depending on the use of the PAM module, this may be remotely exploitable.
> diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c
> index 8379358..e2d3363 100644
> --- a/pam_oath/pam_oath.c
> +++ b/pam_oath/pam_oath.c
> @@ -146,6 +146,12 @@ pam_sm_authenticate (pam_handle_t * pamh,
> char *query_prompt = NULL;
> char *onlypasswd = strdup (""); /* empty passwords never match */
>
> + if (!onlypasswd)
> + {
> + retval = PAM_BUF_ERR;
> + goto done;
> + }
> +
> parse_cfg (flags, argc, argv, &cfg);
>
> retval = pam_get_user (pamh, &user, NULL);
> @@ -265,6 +271,11 @@ pam_sm_authenticate (pam_handle_t * pamh,
> {
> free (onlypasswd);
> onlypasswd = strdup (password);
> + if (!onlypasswd)
> + {
> + retval = PAM_BUF_ERR;
> + goto done;
> + }
>
> /* user entered their system password followed by generated OTP? */
>
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
