Taint: fix pam expansion condition. Bug 2587

(cherry picked from commit f7f933a199be8bb7362c715e0040545b514cddca)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 585deb04241b5dfbf16458285e3fed49ed8d896a..dbdc221171c12e56eecdbe39f1c9fd0045f9deca 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -3,6 +3,15 @@ affect Exim's operation, with an unchanged configuration file.  For new
 options, and new features, see the NewStuff file next to this ChangeLog.
 
 
+Since Exim version 4.94
+-----------------------
+
+JH/02 Bug 2587: Fix pam expansion condition.  Tainted values are commonly used
+      as arguments, so an implementation trying to copy these into a local
+      buffer was taking a taint-enformance trap.  Fix by using dynamically
+      created buffers.
+
+
 Exim version 4.94
 -----------------
 

diff --git a/src/src/auths/call_pam.c b/src/src/auths/call_pam.c
index 2959cbbf382d0c84927933f8c35b885751f942bc..80bb23ec396759226b445759b4b639b4b2b8211d 100644 (file)
--- a/src/src/auths/call_pam.c
+++ b/src/src/auths/call_pam.c
@@ -83,8 +83,7 @@ for (int i = 0; i < num_msg; i++)
     {
     case PAM_PROMPT_ECHO_ON:
     case PAM_PROMPT_ECHO_OFF:
-      arg = string_nextinlist(&pam_args, &sep, big_buffer, big_buffer_size);
-      if (!arg)
+      if (!(arg = string_nextinlist(&pam_args, &sep, NULL, 0)))
        {
        arg = US"";
        pam_arg_ended = TRUE;
@@ -155,7 +154,7 @@ pam_arg_ended = FALSE;
 fail. PAM doesn't support authentication with an empty user (it prompts for it,
 causing a potential mis-interpretation). */
 
-user = string_nextinlist(&pam_args, &sep, big_buffer, big_buffer_size);
+user = string_nextinlist(&pam_args, &sep, NULL, 0);
 if (user == NULL || user[0] == 0) return FAIL;
 
 /* Start off PAM interaction */