From f7f933a199be8bb7362c715e0040545b514cddca Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Tue, 2 Jun 2020 14:50:31 +0100 Subject: [PATCH] Taint: fix pam expansion condition. Bug 2587 --- doc/doc-txt/ChangeLog | 5 +++++ src/src/auths/call_pam.c | 5 ++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index a4526ca5c..93bd62cc4 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -10,6 +10,11 @@ JH/01 Bug 1329: Fix format of Maildir-format filenames to match other mail- related applications. Previously an "H" was used where available info says that "M" should be, so change to match. +JH/02 Bug 2587: Fix pam expansion condition. Tainted values are commonly used + as arguments, so an implementation trying to copy these into local + buffer was taking a taint-enformance trap. Fix by using dynamically + created buffers. + Exim version 4.94 ----------------- diff --git a/src/src/auths/call_pam.c b/src/src/auths/call_pam.c index 2959cbbf3..80bb23ec3 100644 --- a/src/src/auths/call_pam.c +++ b/src/src/auths/call_pam.c @@ -83,8 +83,7 @@ for (int i = 0; i < num_msg; i++) { case PAM_PROMPT_ECHO_ON: case PAM_PROMPT_ECHO_OFF: - arg = string_nextinlist(&pam_args, &sep, big_buffer, big_buffer_size); - if (!arg) + if (!(arg = string_nextinlist(&pam_args, &sep, NULL, 0))) { arg = US""; pam_arg_ended = TRUE; @@ -155,7 +154,7 @@ pam_arg_ended = FALSE; fail. PAM doesn't support authentication with an empty user (it prompts for it, causing a potential mis-interpretation). */ -user = string_nextinlist(&pam_args, &sep, big_buffer, big_buffer_size); +user = string_nextinlist(&pam_args, &sep, NULL, 0); if (user == NULL || user[0] == 0) return FAIL; /* Start off PAM interaction */ -- 2.30.2