Bug#942514: pam-python: CVE-2019-16729: local root escalation

2019-10-27 Thread Russell Stuart
On Thu, 2019-10-17 at 13:33 +0200, Hugo Lefeuvre wrote:
> Could you provide some more information related to this
> vulnerability? An isolated patch would be ideal.

I've uploaded pam-python_1.0.6-1.1+deb9u1 for stretch which contains
just the changes you need.  The patch is attached.

Now that I've got pbuilder doing what I want for stretch, it shouldn't be
difficult to prepare a pam-python_1.0.4-1.1+deb8u1 for Jessie, if
that helps.  The one difficulty is I don't know where to dput it.
Description: Backport of fix for cve-2019-16729.dpatch from 1.0.7.
Applied-Upstream: 1.0.7.
Origin: vendor, https://sourceforge.net/p/pam-python/code/ci/0247ab687b4347cc52859ca461fb0126dd7e2ebe/


--- a/src/pam_python.c
+++ b/src/pam_python.c
@@ -85,6 +85,11 @@
 static void initialise_python(void)
 {
 #ifPY_MAJOR_VERSION*100 + PY_MINOR_VERSION >= 204
+  Py_DontWriteBytecodeFlag = 1;
+  Py_IgnoreEnvironmentFlag = 1;
+  /* Py_IsolatedFlag = 1;  Python3 only */
+  Py_NoSiteFlag = 1;
+  Py_NoUserSiteDirectory = 1;
   Py_InitializeEx(0);
 #else
   size_t   signum;
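Review bot: the lines that matter for the CVE are `Py_IgnoreEnvironmentFlag = 1;` and `Py_NoUserSiteDirectory = 1;`: they stop PYTHON* environment variables and the per-user site directory from steering module lookup in the interpreter that pam_python embeds into a privileged process, which is the exposure the bug title describes, and setting them before `Py_InitializeEx(0)` is the correct order since they are consumed during initialisation. Two things to confirm before applying: in this copy of the patch the guard reads `#ifPY_MAJOR_VERSION*100 + PY_MINOR_VERSION >= 204` with no space after `#if`, which would not preprocess, so check the committed file; and that all five flags exist in every interpreter version the `>= 204` threshold admits, because the `#else` branch receives none of this hardening. A one-line comment above the new block naming CVE-2019-16729 would also tell future readers why these flags must stay.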
@@ -2226,7 +2231,7 @@
 goto error_exit;
   }
   dot = strrchr(user_module_name, '.');
-  if (dot != 0 || strcmp(dot, ".py") == 0)
+  if (dot != 0 && strcmp(dot, ".py") == 0)
 *dot = '\0';
   *user_module = PyModule_New(user_module_name);
   if (*user_module == 0)
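Review bot: the `||` to `&&` change is the real fix and is correct. With `||`, a `user_module_name` containing no `.` left `dot` NULL and the short-circuit then passed NULL to `strcmp`, while a name containing any `.` was truncated at its last dot regardless of what followed, because the `strcmp` was never reached; with `&&` only a trailing `.py` is stripped and `strcmp` only ever sees a valid pointer. The `goto error_exit;` and `*dot = '\0';` lines appear here with their leading indentation stripped, so verify the hunk against the committed diff rather than applying this copy by hand. A short comment on the `if` saying that the suffix strip is intentional would keep someone from "simplifying" it back to the broken form.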

Bug#942514: pam-python: CVE-2019-16729: local root escalation

2019-10-17 Thread Hugo Lefeuvre
Source: pam-python
Version: 1.0.6-1.1
Severity: important

Hi,

pam-python is affected by the following security issue:

CVE-2019-16729[0]: "pam-python before 1.0.7-1 has an issue in regard to the
default environment variable handling of Python, which could allow for
local root escalation in certain PAM setups."

Russell: I see that you are also upstream of pam-python. This vulnerability
was fixed in sid via 1.0.7-1 but since this is a local root exploit, we
should probably backport fixes for stable releases. However I am struggling
to find precise information about this issue and can't assess the severity
properly.

Could you provide some more information related to this vulnerability? An
isolated patch would be ideal.

thanks!

regards,
Hugo

[0] https://security-tracker.debian.org/tracker/CVE-2019-16729

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
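The CVE text above describes the root cause as Python's default environment variable handling. The upstream fix sets interpreter flags before initialisation; those flags have command-line equivalents (Py_IgnoreEnvironmentFlag is `-E`, Py_NoUserSiteDirectory is `-s`, Py_NoSiteFlag is `-S`, Py_DontWriteBytecodeFlag is `-B`), which makes the effect easy to observe from an ordinary interpreter. The script below is an added example, not code from pam-python or from either message in this thread: it launches a child interpreter with and without the hardened flag set, injects a constructed temporary directory through PYTHONPATH, and reports whether that directory reaches `sys.path`. The function names `probe_interpreter`, `environment_influences_path` and `audit` are this example's own.

```python
"""
Observe how the hardening flags from the pam_python.c patch change the
interpreter's module search path.  Added example; not pam-python code.

Flag mapping assumed here (C global -> command-line switch):
  Py_IgnoreEnvironmentFlag  -> -E   ignore PYTHON* environment variables
  Py_NoUserSiteDirectory    -> -s   skip the per-user site-packages directory
  Py_NoSiteFlag             -> -S   do not import the site module
  Py_DontWriteBytecodeFlag  -> -B   do not write .pyc files
"""
import json
import os
import subprocess
import sys
import tempfile

# Command-line equivalents of the flags set in initialise_python() by the patch.
HARDENED_FLAGS = ["-E", "-s", "-S", "-B"]

# Child program: report sys.path and the relevant entries of sys.flags as JSON.
_PROBE = (
    "import json, sys; "
    "print(json.dumps({'path': sys.path, "
    "'ignore_environment': sys.flags.ignore_environment, "
    "'no_user_site': sys.flags.no_user_site, "
    "'no_site': sys.flags.no_site}))"
)


def probe_interpreter(extra_env, flags):
    """Run a child interpreter with extra environment variables and the given
    interpreter flags; return the dict produced by _PROBE."""
    env = dict(os.environ)
    env.update(extra_env)
    completed = subprocess.run(
        [sys.executable, *flags, "-c", _PROBE],
        env=env, check=True, capture_output=True, text=True,
    )
    return json.loads(completed.stdout)


def environment_influences_path(flags):
    """True if a directory supplied via PYTHONPATH appears in the child's
    sys.path under the given flags, False if the child ignored it."""
    # Constructed, empty directory standing in for any caller-controlled path.
    with tempfile.TemporaryDirectory() as injected:
        result = probe_interpreter({"PYTHONPATH": injected}, flags)
        seen = {os.path.realpath(p) for p in result["path"] if p}
        return os.path.realpath(injected) in seen


def audit(flags):
    """Summarise how isolated a child interpreter started with `flags` is."""
    result = probe_interpreter({}, flags)
    return {
        "ignore_environment": bool(result["ignore_environment"]),
        "no_user_site": bool(result["no_user_site"]),
        "no_site": bool(result["no_site"]),
        "pythonpath_honoured": environment_influences_path(flags),
    }


if __name__ == "__main__":
    for label, flags in (("default", []), ("hardened", HARDENED_FLAGS)):
        print(label, audit(flags))
```

Running it shows the default interpreter picking up the injected PYTHONPATH entry while the hardened one does not, which is exactly the behaviour the `Py_IgnoreEnvironmentFlag` line in the patch buys for a PAM module that runs inside a root-owned process. The same `sys.flags` checks are a cheap way to confirm, from inside a `pam_python` module, that the interpreter it is running in was initialised with the fix.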
