[openssh-commits] [openssh] 01/01: Prevent excessively long username going to PAM.

git+noreply at mindrot.org git+noreply at mindrot.org
Wed Nov 11 14:11:18 AEDT 2020


This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit fcf429a4c69d30d8725612a55b37181594da8ddf
Author: Darren Tucker <dtucker at dtucker.net>
Date:   Wed Nov 11 12:30:46 2020 +1100

    Prevent excessively long username going to PAM.
    
    This is a mitigation for a buffer overflow in Solaris' PAM username
    handling (CVE-2020-14871), and is only enabled for Sun-derived PAM
    implementations.  This is not a problem in sshd itself, it only
    prevents sshd from being used as a vector to attack Solaris' PAM.
    It does not prevent the bug in PAM from being exploited via some other
    PAM application.
    
    Based on github PR#212 from Mike Scott but implemented slightly
    differently.  ok tim@ djm@
---
 auth-pam.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/auth-pam.c b/auth-pam.c
index 83238215..d429ef13 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -689,6 +689,12 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
 	const char *pam_user, *user = authctxt->user;
 	const char **ptr_pam_user = &pam_user;
 
+#if defined(PAM_SUN_CODEBASE) && defined(PAM_MAX_RESP_SIZE)
+	/* Protect buggy PAM implementations from excessively long usernames */
+	if (strlen(user) >= PAM_MAX_RESP_SIZE)
+		fatal("Username too long from %s port %d",
+		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
+#endif
 	if (sshpam_handle == NULL) {
 		if (ssh == NULL) {
 			fatal("%s: called initially with no "
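Review bot: the new check in sshpam_init() passes ssh to ssh_remote_ipaddr() and ssh_remote_port() before the existing "if (ssh == NULL)" guard in the context lines just below it, so the over-long-username path depends on ssh being non-NULL at a point where the function still treats NULL as possible. Consider moving the length check after that guard, or logging without the peer address when ssh is NULL, so the rejection always ends in the intended fatal() message. The in-code comment could also name CVE-2020-14871, as the commit message does, so the reason for the PAM_SUN_CODEBASE condition stays clear to later readers of auth-pam.c.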

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

