On Thu, 2019-10-17 at 13:33 +0200, Hugo Lefeuvre wrote:
> Could you provide some more information related to this
> vulnerability? An isolated patch would be ideal.
I've uploaded pam-python_1.0.6-1.1+deb9u1 for stretch which contains
just the changes you need. The patch is attached.
Now I've got pbuilder doing what I want for stretch, it shouldn't be
difficult to prepare a pam-python_1.0.4-1.1+deb8u1 for Jessie, if
that helps. The one difficulty is I don't know where to dput it.
Description: Backport of fix for cve-2019-16729.dpatch from 1.0.7.
Applied-Upstream: 1.0.7.
Origin: vendor, https://sourceforge.net/p/pam-python/code/ci/0247ab687b4347cc52859ca461fb0126dd7e2ebe/
--- a/src/pam_python.c
+++ b/src/pam_python.c
@@ -85,6 +85,11 @@
static void initialise_python(void)
{
#ifPY_MAJOR_VERSION*100 + PY_MINOR_VERSION >= 204
+ Py_DontWriteBytecodeFlag = 1;
+ Py_IgnoreEnvironmentFlag = 1;
+ /* Py_IsolatedFlag = 1; Python3 only */
+ Py_NoSiteFlag = 1;
+ Py_NoUserSiteDirectory = 1;
Py_InitializeEx(0);
#else
size_t signum;
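Review bot: the `#if PY_MAJOR_VERSION*100 + PY_MINOR_VERSION >= 204` guard still admits Python 2.4 and 2.5, but `Py_DontWriteBytecodeFlag` and `Py_NoUserSiteDirectory` (the globals behind `-B` and `-s`) only exist from Python 2.6, so a build against an older 2.x would fail at the new lines; either raise the guard to `>= 206` or wrap those two flags in their own version check. Placing the assignments before `Py_InitializeEx(0)` is correct, since the interpreter reads these flags during initialisation. A one-line comment stating why the flags are set (the embedded interpreter should not honour `PYTHON*` environment variables, user site-packages or write `.pyc` files when loaded into a privileged PAM client) would help the next reader, as the hunk currently gives no rationale.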
@@ -2226,7 +2231,7 @@
goto error_exit;
}
dot = strrchr(user_module_name, '.');
- if (dot != 0 || strcmp(dot, ".py") == 0)
+ if (dot != 0 && strcmp(dot, ".py") == 0)
*dot = '\0';
*user_module = PyModule_New(user_module_name);
if (*user_module == 0)
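Review bot: the `||` to `&&` change corrects two defects in one condition. With `||`, a `user_module_name` containing no `.` leaves `dot == 0`, short-circuit evaluation then falls through to `strcmp(dot, ".py")` and dereferences a null pointer; and whenever `dot != 0` the name is truncated at the last `.` regardless of whether the suffix is `.py`, so a module named like `foo.bar` silently becomes `foo`. With `&&` the name is cut only when it actually ends in `.py`. Consider adding a regression test covering a module name with no extension and one with a non-`.py` extension, since the original condition passed review unnoticed.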