From b5fc5d942258a1007cfa9b750f5c5730aa0643ce Mon Sep 17 00:00:00 2001
From: djm
Date: Wed, 9 Jul 2008 10:54:05 +0000
Subject: [PATCH] - (djm) [auth1.c] Fix format string vulnerability in protocol 1 PAM account check failure path. The vulnerable format buffer is supplied from PAM and should not contain attacker-supplied data.
---
 ChangeLog | 3 +++
 auth1.c | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index c096ec7c..ac4c403a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 20080709
 - (djm) [Makefile.in] Print "all tests passed" when all regress tests pass
+ - (djm) [auth1.c] Fix format string vulnerability in protocol 1 PAM
+ account check failure path. The vulnerable format buffer is supplied
+ from PAM and should not contain attacker-supplied data.
 20080705
 - (djm) [auth.c] Fixed test for locked account on HP/UX with shadowed
diff --git a/auth1.c b/auth1.c
index 834ef045..b8a25587 100644
--- a/auth1.c
+++ b/auth1.c
@@ -354,7 +354,7 @@ do_authloop(Authctxt *authctxt)
 msg[len] = '\0';
 else
 msg = "Access denied.";
- packet_disconnect(msg);
+ packet_disconnect("%s", msg);
 }
 #endif
--
2.45.1
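Review bot: The new `packet_disconnect("%s", msg);` line in the auth1.c hunk has no comment saying why the literal format is required, so a later tidy-up could fold it back into `packet_disconnect(msg)`; I would add `/* msg may come from PAM: never pass it as the format string */` directly above it. Per the commit message the buffer is supplied by PAM, and whether that text can ever carry peer-influenced content presumably depends on the modules configured, so it is safer to treat it as untrusted regardless. The prototype of `packet_disconnect` is not shown here; if it is not already declared with a printf `format` attribute, adding one would let `-Wformat-security` flag any other non-literal call sites at build time. `do_authloop` begins and ends outside this hunk, so other disconnect and logging calls in it were not visible for review.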