This patch is courtesy of Andrey V. Savochkin.  Please apply it to all
and any version of Linux-PAM you are running.  It relates to an
exploitable problem in the pam_unix and pam_tally modules.

Bug announced: Dec 23, 1998 at 01:12:45PM +0100 by Michal Zalewski
Patch available: Thu, 24 Dec 1998 18:02:03 +0300 from Savochkin Andrey Vladimirovich

Cheers

  Andrew

diff -ru Linux-PAM-0.65.orig/modules/pam_tally/pam_tally.c Linux-PAM-0.65/modules/pam_tally/pam_tally.c
--- Linux-PAM-0.65.orig/modules/pam_tally/pam_tally.c   Thu Jan 15 01:08:33 1998
+++ Linux-PAM-0.65/modules/pam_tally/pam_tally.c        Thu Dec 24 17:12:21 1998
@@ -137,13 +137,16 @@
     int lstat_ret = lstat(filename,&fileinfo);
 
     if ( lstat_ret && *tally!=TALLY_HI ) {
-      if ( ( *TALLY=fopen(filename, "a") ) ) {  
-        /* Create file, or append-open in pathological case. */
+      int oldmask = umask(077);
+      *TALLY=fopen(filename, "a");
+      /* Create file, or append-open in pathological case. */
+      umask(oldmask);
+      if ( !*TALLY ) {  
         _pam_log(LOG_ALERT, "Couldn't create %s",filename);
         return PAM_AUTH_ERR;
       }
+      lstat_ret = fstat(fileno(*TALLY),&fileinfo);
       fclose(*TALLY);
-      lstat_ret = lstat(filename,&fileinfo);
     }
 
     if ( lstat_ret ) {
@@ -563,6 +566,8 @@
            *argv);
     exit(0);
   }
+
+  umask(077);
 
   /* 
    * Major difference between individual user and all users:
diff -ru Linux-PAM-0.65.orig/modules/pam_unix/pam_unix_passwd.c Linux-PAM-0.65/modules/pam_unix/pam_unix_passwd.c
--- Linux-PAM-0.65.orig/modules/pam_unix/pam_unix_passwd.c      Thu Oct  9 06:59:04 1997
+++ Linux-PAM-0.65/modules/pam_unix/pam_unix_passwd.c   Thu Dec 24 16:53:30 1998
@@ -554,6 +554,7 @@
   int err = 0;
 #ifdef HAVE_SHADOW_H
   struct spwd *spwdent=NULL, *stmpent=NULL;
+  int oldmask;
 #endif
   if(flags & PPW_SHADOW) { retval |= PPW_SHADOW; }
   gettimeofday(&time1, NULL);
@@ -583,7 +584,9 @@
       return PPW_NOSUCHUSER;
     spwdent->sp_pwdp = towhat;
     spwdent->sp_lstchg = time(NULL)/(60*60*24);
+    oldmask = umask(077);
     pwfile = fopen(SH_TMPFILE,"w");
+    umask(oldmask);
     opwfile = fopen("/etc/shadow","r");
     if(pwfile == NULL || opwfile == NULL)
       return PPW_ERROR;
@@ -623,7 +626,9 @@
       unlink(SH_TMPFILE);
   } else {
     pwd->pw_passwd = towhat;
+    oldmask = umask(077);
     pwfile = fopen(PW_TMPFILE,"w");
+    umask(oldmask);
     opwfile = fopen("/etc/passwd","r");
     if(pwfile == NULL || opwfile == NULL)
       return PPW_ERROR;
@@ -659,7 +664,9 @@
   }
 #else
   pwd->pw_passwd = towhat;
+  oldmask = umask(077);
   pwfile = fopen(PW_TMPFILE,"w");
+  umask(oldmask);
   opwfile = fopen("/etc/passwd","r");
   if(pwfile == NULL || opwfile == NULL)
     return PPW_ERROR;