doc/share/security/patches/SA-11:10/pam.patch

Index: contrib/openpam/lib/openpam_configure.c
===================================================================
--- contrib/openpam/lib/openpam_configure.c	(revision 228383)
+++ contrib/openpam/lib/openpam_configure.c	(revision 228384)
@@ -285,6 +285,13 @@
 	size_t len;
 	int r;
 
+	/* don't allow to escape from policy_path */
+	if (strchr(service, '/')) {
+		openpam_log(PAM_LOG_ERROR, "invalid service name: %s",
+		    service);
+		return (-PAM_SYSTEM_ERR);
+	}
+
 	for (path = openpam_policy_path; *path != NULL; ++path) {
 		len = strlen(*path);
 		if ((*path)[len - 1] == '/') {