Your message dated Fri, 19 Sep 2008 17:32:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#499479: fixed in libpam-krb5 3.11-3
has caused the Debian Bug report #499479,
regarding libpam-krb5: Segfault with search_k5login and incorrect .k5login
ownership
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
499479: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499479
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libpam-krb5
Tags: patch
If pam_krb5 is used with the search_k5login option, pam_krb5 checks the
ownership of the user's ~/.k5login. Unfortunately, if it deems
the .k5login ownership unsafe, it causes a segfault due to incorrectly
reporting the error. Attached is a patch to fix this, but I'm unsure if
it's the "correct" fix. Details below.
k5login_password_auth is what performs the check, in auth.c:259. It
sets *retval to errno, though, which is going to always be zero, since
we know that the previous call to fstat() succeeded. So, in
pamk5_password_auth in auth.c:595, retval gets set to zero, even though
success is set to PAM_AUTH_ERR. The error handling here seems to be
based almost entirely on retval, so this essentially gets determined as
a successful authentication. The *creds struct never got initialized to
anything, though, so pam_krb5 hands this off to the Kerberos library
full of zeroes. Something in the Kerberos library later just tries to
dereference something in the struct, and then a segfault occurs. I
could get a backtrace, but I didn't think it'd really matter.
At least, a segfault occurs when using pam_krb5.so in the 'auth'
section, and when using it for sudo. I haven't tested any other
configurations.
The patch sets *retval to PAM_AUTH_ERR and logs an error; no idea if
that's the right thing to do, but it gets rid of the bug for me.
--
Andrew Deason
[EMAIL PROTECTED]
--- libpam-krb5-3.11/auth.c 2008-09-18 21:10:11.000000000 -0500
+++ libpam-krb5-3.11.new/auth.c 2008-09-18 21:03:16.000000000 -0500
@@ -257,7 +257,8 @@
goto fail;
}
if (st.st_uid != 0 && (st.st_uid != pwd->pw_uid)) {
- *retval = errno;
+ pamk5_error(args, "unsafe .k5login ownership; owned by %d, should be %d", st.st_uid, pwd->pw_uid);
+ *retval = PAM_AUTH_ERR;
goto fail;
}
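Review bot: on the added `*retval = PAM_AUTH_ERR;` line, a PAM status code is stored in the variable that the removed line filled from `errno`, so `*retval` now mixes two code spaces. Please confirm how the caller interprets it (if it is handed to an error-message routine that expects an errno or Kerberos code, the logged text will be misleading) and add a comment stating which kind of code `*retval` carries. In the `pamk5_error` call, `st.st_uid` and `pwd->pw_uid` are `uid_t` but are formatted with `%d`; cast both to `unsigned long` and use `%lu`. That call is also well over 80 columns and should be wrapped.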
--- End Message ---
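The failure mode described in the report above, as an added example that is not part of the original message and is not pam_krb5 code: a simplified C model of an error path that reports through errno after a successful call, next to a version that stores an explicit code. The names check_before, check_after, caller_uses_unset_creds, struct creds and the EX_* constants are hypothetical stand-ins, and the uid values are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical stand-ins for the PAM status codes; not taken from PAM headers. */
enum { EX_OK = 0, EX_AUTH_ERR = 7 };

/* Hypothetical stand-in for the credential structure the module fills in. */
struct creds { const char *client; };

/* Ownership rule visible in the patch: root or the account itself may own the file. */
static int owner_is_safe(uid_t file_uid, uid_t user_uid) {
    return file_uid == 0 || file_uid == user_uid;
}

/* "Before": the failure is reported through errno, which holds no error here. */
int check_before(uid_t file_uid, uid_t user_uid, int *retval) {
    errno = 0;                       /* models the state after fstat() succeeded */
    *retval = 0;
    if (owner_is_safe(file_uid, user_uid))
        return EX_OK;
    *retval = errno;                 /* still 0: looks like success to the caller */
    return EX_AUTH_ERR;
}

/* "After": the failure path stores an explicit non-zero code. */
int check_after(uid_t file_uid, uid_t user_uid, int *retval) {
    *retval = owner_is_safe(file_uid, user_uid) ? 0 : EX_AUTH_ERR;
    return *retval == 0 ? EX_OK : EX_AUTH_ERR;
}

/* Caller that keys its error handling on retval only, as the report describes.
 * Returns 1 when it would continue with credentials that were never set. */
int caller_uses_unset_creds(int (*check)(uid_t, uid_t, int *),
                            uid_t file_uid, uid_t user_uid) {
    static struct creds filled = { "user@EXAMPLE.ORG" };  /* constructed value */
    struct creds *creds = NULL;
    int retval = -1;
    if (check(file_uid, user_uid, &retval) == EX_OK)
        creds = &filled;             /* only a passing check yields credentials */
    return retval == 0 && creds == NULL;
}

int main(void) {
    /* Constructed case: file owned by uid 1001, account uid 1000. */
    printf("before: %d\n", caller_uses_unset_creds(check_before, 1001, 1000));
    printf("after:  %d\n", caller_uses_unset_creds(check_after, 1001, 1000));
    return 0;
}
```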
--- Begin Message ---
Source: libpam-krb5
Source-Version: 3.11-3
We believe that the bug you reported is fixed in the latest version of
libpam-krb5, which is due to be installed in the Debian FTP archive:
libpam-krb5_3.11-3.diff.gz
to pool/main/libp/libpam-krb5/libpam-krb5_3.11-3.diff.gz
libpam-krb5_3.11-3.dsc
to pool/main/libp/libpam-krb5/libpam-krb5_3.11-3.dsc
libpam-krb5_3.11-3_i386.deb
to pool/main/libp/libpam-krb5/libpam-krb5_3.11-3_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russ Allbery <[EMAIL PROTECTED]> (supplier of updated libpam-krb5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 18 Sep 2008 20:45:43 -0700
Source: libpam-krb5
Binary: libpam-krb5
Architecture: source i386
Version: 3.11-3
Distribution: unstable
Urgency: low
Maintainer: Russ Allbery <[EMAIL PROTECTED]>
Changed-By: Russ Allbery <[EMAIL PROTECTED]>
Description:
libpam-krb5 - PAM module for MIT Kerberos
Closes: 499479
Changes:
libpam-krb5 (3.11-3) unstable; urgency=low
.
* Fix segfault after detection of unsafe .k5login ownership when
search_k5login is set. Thanks, Andrew Deason. (Closes: #499479)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkjT4OsACgkQ+YXjQAr8dHbwSACgxLkQX16WUCSHZdx9hHAWBKCb
4OAAnizBK5EFd2OL3yOKpqnMsIq6cQ3C
=kkK7
-----END PGP SIGNATURE-----
--- End Message ---