From: nekral-guest Date: Thu, 26 Jun 2008 20:28:31 +0000 (+0000) Subject: * NEWS, src/login.c: Fix an "audit log injection" vulnerability in X-Git-Tag: 4.1.2.1~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3021f35c3aa58e3a7f18d211e17f86c447cf840a;p=thirdparty%2Fshadow.git * NEWS, src/login.c: Fix an "audit log injection" vulnerability in login. This is similar to CVE-2008-1926 (util-linux-ng's login). This vulnerability makes it easier for attackers to hide activities by modifying portions of log events, e.g. by appending an addr= statement to the login name. * lib/prototypes.h: Added definition of AUDIT_NO_ID. --- diff --git a/ChangeLog b/ChangeLog index d5cd4b238..158b0d6de 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +2008-06-26 Nicolas François + + * NEWS, src/login.c: Fix an "audit log injection" vulnerability in + login. This is similar to CVE-2008-1926 (util-linux-ng's login). + This vulnerability makes it easier for attackers to hide + activities by modifying portions of log events, e.g. by appending + an addr= statement to the login name. + * lib/prototypes.h: Added definition of AUDIT_NO_ID. + 2008-05-25 Nicolas François Prepare the 4.1.2 release diff --git a/NEWS b/NEWS index 276955754..5bf0c50d8 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,13 @@ $Id$ +shadow-4.1.2 -> shadow-4.1.2.1 UNRELEASED + +*** security +- Fix an "audit log injection" vulnerability in login. + This vulnerability makes it easier for attackers to hide activities by + modifying portions of log events, e.g. by appending an addr= statement + to the login name. + shadow-4.1.1 -> shadow-4.1.2 25-05-2008 *** security: diff --git a/lib/prototypes.h b/lib/prototypes.h index a96bbe87a..03f30d127 100644 --- a/lib/prototypes.h +++ b/lib/prototypes.h 
@@ -126,6 +126,8 @@ extern int hushed (const struct passwd *); #ifdef WITH_AUDIT extern int audit_fd; extern void audit_help_open (void); +/* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */ +#define AUDIT_NO_ID ((unsigned int) -1) extern void audit_logger (int type, const char *pgname, const char *op, const char *name, unsigned int id, int result); #endif diff --git a/src/login.c b/src/login.c index 9920840bc..689ae1d3d 100644 --- a/src/login.c +++ b/src/login.c @@ -694,30 +694,19 @@ int main (int argc, char **argv) break; #ifdef WITH_AUDIT - { - struct passwd *pw; - char buf[64]; - - audit_fd = audit_open (); - /* local, no need for xgetpwnam */ - pw = getpwnam (username); - if (pw) { - snprintf (buf, sizeof (buf), - "uid=%d", pw->pw_uid); - audit_log_user_message - (audit_fd, AUDIT_USER_LOGIN, - buf, hostname, NULL, - tty, 0); - } else { - snprintf (buf, sizeof (buf), - "acct=%s", username); - audit_log_user_message - (audit_fd, AUDIT_USER_LOGIN, - buf, hostname, NULL, - tty, 0); - } - close (audit_fd); - } + audit_fd = audit_open (); + audit_log_acct_message (audit_fd, + AUDIT_USER_LOGIN, + NULL, /* Prog. name */ + "login", + (NULL!=username)?username + :"(unknown)", + AUDIT_NO_ID, + hostname, + NULL, /* addr */ + tty, + 0); /* result */ + close (audit_fd); #endif /* WITH_AUDIT */ fprintf(stderr,"\nLogin incorrect\n"); @@ -978,15 +967,18 @@ int main (int argc, char **argv) } #ifdef WITH_AUDIT - { - char buf[32]; - - audit_fd = audit_open (); - snprintf (buf, sizeof (buf), "uid=%d", pwd->pw_uid); - audit_log_user_message (audit_fd, AUDIT_USER_LOGIN, - buf, hostname, NULL, tty, 1); - close (audit_fd); - } + audit_fd = audit_open (); + audit_log_acct_message (audit_fd, + AUDIT_USER_LOGIN, + NULL, /* Prog. name */ + "login", + NULL, /* user's name => use uid */ + (unsigned int) pwd->pw_uid, + hostname, + NULL, /* addr */ + tty, + 1); /* result */ + close (audit_fd); #endif /* WITH_AUDIT */ #ifndef USE_PAM /* pam_lastlog handles this */
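Review bot: The comment on `AUDIT_NO_ID` says when to pass it but not what the callee does with it, and the value has the same bit pattern as `(uid_t) -1` where uid_t is 32 bits wide. As far as I know, libaudit only looks at the id when the name argument is NULL, so this is a placeholder rather than a real ID. I would state that in the comment, e.g. `/* Placeholder id: pass it only together with a non-NULL name, never as a real uid/gid */`.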
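Review bot: The result of `audit_open ()` is not checked in the failed-login block, so when it returns -1 the record for the failed attempt is silently lost and `close (audit_fd)` runs on an invalid descriptor; the successful-login hunk further down has the same sequence. A guard such as `if (audit_fd >= 0) { ... close (audit_fd); }`, with a syslog line on the failure path, would make a dropped audit record visible, while an error that only means the kernel lacks audit support can still be tolerated. Because `username` is still untrusted at this point, I would also add a comment such as `/* username is untrusted: pass it as the acct argument, never format it into the message text */` so the removed snprintf pattern is not reintroduced. Both blocks sit inside main(), which starts and ends outside the hunk.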
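Review bot: After `close (audit_fd)` in the successful-login block, the variable still holds the closed descriptor number. If this is the global `audit_fd` declared in lib/prototypes.h, a later `audit_logger` call could write its record to whatever file reuses that number. Either use a local descriptor for these one-shot records or reset the global with `audit_fd = -1;` right after the close; the failed-login hunk above needs the same treatment. Whether anything in login calls audit_logger after this point is not visible in the hunk, so this needs confirming against the rest of main().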