---
- branch: netbsd-4-0
  date: Sat Nov 19 14:38:31 UTC 2011
  files:
  - new: 1.4.20.1
    old: '1.4'
    path: src/dist/openpam/lib/openpam_configure.c
    pathrev: src/dist/openpam/lib/openpam_configure.c@1.4.20.1
    type: modified
  id: 20111119T143831Z.c08f57a057a83859d18ca9a1d64619f8c9b813a1
  log: "Pull up following revision(s) (requested by drochner in ticket #1439):\n\tdist/openpam/lib/openpam_configure.c: revision 1.6\nDon't allow '/' characters in the \"service\" argument to pam_start()\nThe \"service\" is blindly appended to config directories (\"/etc/pam.d/\"),\nand if a user can control the \"service\" it can get PAM to read config\nfiles from any location.\nThis is not a problem with most software because the \"service\" is\nusually a constant string. The check protects 3rd party software\nfrom being abused.\n(CVE-2011-4122)\n"
  module: src
  subject: 'CVS commit: [netbsd-4-0] src/dist/openpam/lib'
  unixtime: '1321713511'
  user: bouyer