Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
[systemd] Fix CVE-2019-3842. Fixes JB#46845
This is the backport of upstream commit
systemd/systemd@83d4ab5

From 83d4ab55336ff8a0643c6aa627b31e351a24040a Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 4 Feb 2019 10:23:43 +0100
Subject: [PATCH] pam-systemd: use secure_getenv() rather than getenv()

Signed-off-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
  • Loading branch information
izh1979 committed Aug 5, 2019
1 parent 07abfdf commit ca65258
Show file tree
Hide file tree
Showing 2 changed files with 61 additions and 0 deletions.
@@ -0,0 +1,59 @@
This is the backport of upstream commit
https://github.com/systemd/systemd/commit/83d4ab55336ff8a0643c6aa627b31e351a24040a

It fixes CVE-2019-3842.

From 83d4ab55336ff8a0643c6aa627b31e351a24040a Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 4 Feb 2019 10:23:43 +0100
Subject: [PATCH] pam-systemd: use secure_getenv() rather than getenv()

diff -purN systemd/src/login/pam_systemd.c systemd-izh/src/login/pam_systemd.c
--- systemd/src/login/pam_systemd.c 2019-08-05 05:38:44.107368495 -0400
+++ systemd-izh/src/login/pam_systemd.c 2019-08-05 14:00:21.968726200 -0400
@@ -284,29 +284,40 @@ _public_ PAM_EXTERN int pam_sm_open_sess
pam_get_item(handle, PAM_RUSER, (const void**) &remote_user);
pam_get_item(handle, PAM_RHOST, (const void**) &remote_host);

+ /* Looks for an environment variable, preferrably in the environment block associated with the
+ * specified PAM handle, falling back to the process' block instead. Why check both? Because we want
+ * to permit configuration of session properties from unit files that invoke PAM services, so that
+ * PAM services don't have to be reworked to set systemd-specific properties, but these properties
+ * can still be set from the unit file Environment= block.
+ *
+ * We use secure_getenv() here, since we might get loaded into su/sudo, which are SUID. Ideally
+ * they'd clean up the environment before invoking foreign code (such as PAM modules), but alas they
+ * currently don't (to be precise, they clean up the environment they pass to their children, but
+ * not their own environ[]). */
+
seat = pam_getenv(handle, "XDG_SEAT");
if (isempty(seat))
- seat = getenv("XDG_SEAT");
+ seat = secure_getenv("XDG_SEAT");

cvtnr = pam_getenv(handle, "XDG_VTNR");
if (isempty(cvtnr))
- cvtnr = getenv("XDG_VTNR");
+ cvtnr = secure_getenv("XDG_VTNR");

type = pam_getenv(handle, "XDG_SESSION_TYPE");
if (isempty(type))
- type = getenv("XDG_SESSION_TYPE");
+ type = secure_getenv("XDG_SESSION_TYPE");
if (isempty(type))
type = type_pam;

class = pam_getenv(handle, "XDG_SESSION_CLASS");
if (isempty(class))
- class = getenv("XDG_SESSION_CLASS");
+ class = secure_getenv("XDG_SESSION_CLASS");
if (isempty(class))
class = class_pam;

desktop = pam_getenv(handle, "XDG_SESSION_DESKTOP");
if (isempty(desktop))
- desktop = getenv("XDG_SESSION_DESKTOP");
+ desktop = secure_getenv("XDG_SESSION_DESKTOP");

tty = strempty(tty);

2 changes: 2 additions & 0 deletions rpm/systemd.spec
Expand Up @@ -49,6 +49,7 @@ Patch35: systemd-backport-journald-set-a-limit-on-the-number-of-fields-1k
Patch36: systemd-backport-fuzz-decrease-DATA_SIZE_MAX.patch
Patch37: systemd-backport-journal-fix-syslog_parse_identifier.patch
Patch38: systemd-backport-If-the-notification-message-length-is-0-ignore-the-m.patch
Patch39: systemd-backport-pam-systemd-use-secure_getenv-rather-than-getenv.patch

Patch99: systemd-225_fix_build_with_glibc228.patch

Expand Down Expand Up @@ -229,6 +230,7 @@ This package includes tests for systemd.
%patch36 -p1
%patch37 -p1
%patch38 -p1
%patch39 -p1
#systemd-225_fix_build_with_glibc228.patch
%patch99 -p1

Expand Down

0 comments on commit ca65258

Please sign in to comment.