rpms/util-linux-ng/devel util-linux-ng-2.13-login-audit.patch, NONE, 1.1 util-linux-ng.spec, 1.23, 1.24

Tue Apr 22 19:35:43 UTC 2008

Author: kzak

Update of /cvs/pkgs/rpms/util-linux-ng/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv20857

Modified Files:
	util-linux-ng.spec 
Added Files:
	util-linux-ng-2.13-login-audit.patch 
Log Message:
* Tue Apr 22 2008 Karel Zak <kzak at redhat.com> 2.13.1-9
- fix audit log injection attack via login


util-linux-ng-2.13-login-audit.patch:

--- NEW FILE util-linux-ng-2.13-login-audit.patch ---
>From 8ccf0b253ac0f4f58d64bc9674de18bff5a88782 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb at redhat.com>
Date: Sat, 19 Apr 2008 11:49:02 -0400
Subject: [PATCH] login: audit log injection attack via login

A while back I found a couple audit log injection attacks which became
CVE-2007-3102. I forgot to look at login to see if its vulnerable and Mirek
found that it is. To verify the problem, type:

root addr=xyz.com

for the account name while logging in. It will look like root logged in with
an address of xyz.com.

Signed-off-by: Steve Grubb <sgrubb at redhat.com>
---
 login-utils/login.c |   10 +++-------
 1 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/login-utils/login.c b/login-utils/login.c
index aad2779..2301213 100644
--- a/login-utils/login.c
+++ b/login-utils/login.c
@@ -324,7 +324,6 @@ static void
 logaudit(const char *tty, const char *username, const char *hostname,
 					struct passwd *pwd, int status)
 {
-	char buf[64];
 	int audit_fd;
 
 	audit_fd = audit_open();
@@ -332,13 +331,10 @@ logaudit(const char *tty, const char *username, const char *hostname,
 		return;
 	if (!pwd && username)
 		pwd = getpwnam(username);
-	if (pwd)
-		snprintf(buf, sizeof(buf), "uid=%d", pwd->pw_uid);
-	else
-		snprintf(buf, sizeof(buf), "acct=%s", username ? username : "(unknown)");
 
-	audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
-		buf, hostname, NULL, tty, status);
+	audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+		NULL, "login", username ? username : "(unknown)",
+		pwd ? pwd->pw_uid : -1, hostname, NULL, tty, status);
 
 	close(audit_fd);
 }
-- 
1.5.4.1



Index: util-linux-ng.spec
===================================================================
RCS file: /cvs/pkgs/rpms/util-linux-ng/devel/util-linux-ng.spec,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- util-linux-ng.spec	16 Apr 2008 23:01:27 -0000	1.23
+++ util-linux-ng.spec	22 Apr 2008 19:35:02 -0000	1.24
@@ -2,7 +2,7 @@
 Summary: A collection of basic system utilities
 Name: util-linux-ng
 Version: 2.13.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2 and GPLv2+ and BSD with advertising and Public Domain
 Group: System Environment/Base
 URL: ftp://ftp.kernel.org/pub/linux/utils/util-linux-ng
@@ -106,6 +106,8 @@
 Patch12: util-linux-ng-2.13-blockdev-rmpart.patch
 # 439984 - backport mkswap -U
 Patch13: util-linux-ng-2.13-mkswap-uuid.patch
+# CVE-2007-3102
+Patch14: util-linux-ng-2.13-login-audit.patch
 
 %description
 The util-linux-ng package contains a large variety of low-level system
@@ -131,6 +133,7 @@
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1
 
 %build
 unset LINGUAS || :
@@ -524,6 +527,9 @@
 /sbin/losetup
 
 %changelog
+* Tue Apr 22 2008 Karel Zak <kzak at redhat.com> 2.13.1-9
+- fix audit log injection attack via login
+
 * Thu Apr 17 2008 Karel Zak <kzak at redhat.com> 2.13.1-8
 - fix location of the command raw(8)
 


