rpms/util-linux-ng/F-8 util-linux-ng-2.13-login-audit.patch, NONE, 1.1 util-linux-ng.spec, 1.16, 1.17

Tue Apr 22 19:41:26 UTC 2008

Author: kzak

Update of /cvs/pkgs/rpms/util-linux-ng/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv21171

Modified Files:
	util-linux-ng.spec 
Added Files:
	util-linux-ng-2.13-login-audit.patch 
Log Message:
* Tue Apr 22 2008 Karel Zak <kzak at redhat.com> 2.13.1-2
- fix audit log injection attack via login


util-linux-ng-2.13-login-audit.patch:

--- NEW FILE util-linux-ng-2.13-login-audit.patch ---
>From 8ccf0b253ac0f4f58d64bc9674de18bff5a88782 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb at redhat.com>
Date: Sat, 19 Apr 2008 11:49:02 -0400
Subject: [PATCH] login: audit log injection attack via login

A while back I found a couple audit log injection attacks which became
CVE-2007-3102. I forgot to look at login to see if its vulnerable and Mirek
found that it is. To verify the problem, type:

root addr=xyz.com

for the account name while logging in. It will look like root logged in with
an address of xyz.com.

Signed-off-by: Steve Grubb <sgrubb at redhat.com>
---
 login-utils/login.c |   10 +++-------
 1 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/login-utils/login.c b/login-utils/login.c
index aad2779..2301213 100644
--- a/login-utils/login.c
+++ b/login-utils/login.c
@@ -324,7 +324,6 @@ static void
 logaudit(const char *tty, const char *username, const char *hostname,
 					struct passwd *pwd, int status)
 {
-	char buf[64];
 	int audit_fd;
 
 	audit_fd = audit_open();
@@ -332,13 +331,10 @@ logaudit(const char *tty, const char *username, const char *hostname,
 		return;
 	if (!pwd && username)
 		pwd = getpwnam(username);
-	if (pwd)
-		snprintf(buf, sizeof(buf), "uid=%d", pwd->pw_uid);
-	else
-		snprintf(buf, sizeof(buf), "acct=%s", username ? username : "(unknown)");
 
-	audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
-		buf, hostname, NULL, tty, status);
+	audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+		NULL, "login", username ? username : "(unknown)",
+		pwd ? pwd->pw_uid : -1, hostname, NULL, tty, status);
 
 	close(audit_fd);
 }
-- 
1.5.4.1



Index: util-linux-ng.spec
===================================================================
RCS file: /cvs/pkgs/rpms/util-linux-ng/F-8/util-linux-ng.spec,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- util-linux-ng.spec	16 Jan 2008 13:39:20 -0000	1.16
+++ util-linux-ng.spec	22 Apr 2008 19:40:51 -0000	1.17
@@ -2,7 +2,7 @@
 Summary: A collection of basic system utilities
 Name: util-linux-ng
 Version: 2.13.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2 and GPLv2+ and BSD with advertising and Public Domain
 Group: System Environment/Base
 URL: ftp://ftp.kernel.org/pub/linux/utils/util-linux-ng
@@ -104,6 +104,9 @@
 Patch11: util-linux-ng-2.13-floppy-locale.patch
 # remove partitions
 Patch12: util-linux-ng-2.13-blockdev-rmpart.patch
+# CVE-2007-3102
+Patch13: util-linux-ng-2.13-login-audit.patch
+
 
 %description
 The util-linux-ng package contains a large variety of low-level system
@@ -128,6 +131,7 @@
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p1
 
 %build
 unset LINGUAS || :
@@ -524,6 +528,9 @@
 /sbin/losetup
 
 %changelog
+* Tue Apr 22 2008 Karel Zak <kzak at redhat.com> 2.13.1-2
+- fix audit log injection attack via login
+
 * Wed Jan 16 2008 Karel Zak <kzak at redhat.com> 2.13.1-1
 - upgrade to stable util-linux-ng 2.13.1
 - fix #427874 - util-linux-ng gets "excess command line argument" on update


