- (djm) [auth1.c] Fix format string vulnerability in protocol 1 PAM

account check failure path. The vulnerable format buffer is supplied from PAM and should not contain attacker-supplied data.
author: Damien Miller <djm@mindrot.org> 2008-07-09 20:54:05 +1000
committer: Damien Miller <djm@mindrot.org> 2008-07-09 20:54:05 +1000
commit: 773a7b98f9d4e0767dfdd270a339e9f31ca4edea (patch)
tree: a05f6443bb1691edc6140d65af6b0db73c89ccc6
parent: d9648eee7cacf633c79ad0f50d7e3215200d2920 (diff)
2 files changed, 5 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 726a613ae..6e6feb641 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 20080709
 - (djm) [Makefile.in] Print "all tests passed" when all regress tests pass
+ - (djm) [auth1.c] Fix format string vulnerability in protocol 1 PAM
+   account check failure path. The vulnerable format buffer is supplied
+   from PAM and should not contain attacker-supplied data.
 20080705
 - (djm) [auth.c] Fixed test for locked account on HP/UX with shadowed
@@ -4598,4 +4601,4 @@
   OpenServer 6 and add osr5bigcrypt support so when someone migrates
   passwords between UnixWare and OpenServer they will still work. OK dtucker@
-$Id: ChangeLog,v 1.5066 2008/07/08 14:21:12 djm Exp $
+$Id: ChangeLog,v 1.5067 2008/07/09 10:54:05 djm Exp $
diff --git a/auth1.c b/auth1.c
index 834ef0452..b8a255872 100644
--- a/auth1.c
+++ b/auth1.c
@@ -354,7 +354,7 @@ do_authloop(Authctxt *authctxt)
                                        msg[len] = '\0';
                        else
                                msg = "Access denied.";
-                        packet_disconnect(msg);
+                        packet_disconnect("%s", msg);
                }
 #endif
author	Damien Miller <djm@mindrot.org>	2008-07-09 20:54:05 +1000
committer	Damien Miller <djm@mindrot.org>	2008-07-09 20:54:05 +1000
commit	773a7b98f9d4e0767dfdd270a339e9f31ca4edea (patch)
tree	a05f6443bb1691edc6140d65af6b0db73c89ccc6
parent	d9648eee7cacf633c79ad0f50d7e3215200d2920 (diff)