Your message dated Mon, 11 Apr 2011 09:16:33 +0000
with message-id <[email protected]>
and subject line Bug#622220: Removed package(s) from unstable
has caused the Debian Bug report #420404,
regarding libpam-opie: Memory leak, small but unnecessary information leak
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
420404: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=420404
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpam-opie
Version: 0.21-8
Severity: normal
Tags: security

There is a memory leak in pam_opie where the authentication token (the
OTP string) returned by the application is not freed. This means
leaking the size of the one-time password reply given at every
authentication attempt. Freeing that string is the responsibility of
the module, although the PAM Module Writers' Guide could be more clear
about it. I suggest using the _pam_drop_reply() macro to clean the
reply.

Also in addition to not clearing and freeing the token, a copy of the
OTP string is free()d without clearing. While due to the nature of
opie this is not critical, it's definitely not good practice (and
given enough resources, I think approximately O(2^64) effort, a single
challenge/response pair is enough to break the system). This
information leak could be, and should be, easily avoided.

I don't have a suitable test system available right now so I won't try
to write a patch without testing it, but I can point out what I think
needs to be done. From pam_opie.c, function pam_sm_authenticate():

------------------------------------------------------------
        retval = converse(pamh, 1, pmsg, &resp);
        if (retval != PAM_SUCCESS)
                return retval;
        tok = xstrdup(resp[0].resp);
        if (resp != NULL) free(resp);
        pam_set_item(pamh, PAM_AUTHTOK, tok);

        /* test the response and return accordingly */
        retval = opieverify(&opie, tok);
        if (tok != NULL) free(tok);
------------------------------------------------------------

Here replace the
  if (resp != NULL) free(resp);
with
  _pam_drop_reply(resp, 1);

This macro resides in <security/_pam_macros.h>, so #include that. It
takes care of not only freeing resp, but also clearing and freeing the
returned string.

Also before the
  if (tok != NULL) free(tok);
its memory should be overwritten with something like
  int i, l;
  l = strlen(tok);
  for (i=0; i<l; i++)
    tok[i]=0;

to prevent the OTP response leak.

        Sami


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.20.4-grsec-sli
Locale: LANG=C, LC_CTYPE=fi_FI@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-opie depends on:
ii  libc6                         2.5-3      GNU C Library: Shared libraries
ii  libpam0g                      0.79-4     Pluggable Authentication Modules l

Versions of packages libpam-opie recommends:
ii  opie-server                   2.32-10.2  OPIE programs for maintaining an O

-- no debconf information



--- End Message ---
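As an added illustration of the two changes the report asks for (this is not code from the report or from pam_opie), the following self-contained C model shows the fixed path: the conversation reply string is cleared and freed the way _pam_drop_reply() does, and the token copy is wiped before free(). It assumes a locally redeclared struct pam_response so it builds without PAM headers, a constructed fake_verify() standing in for opieverify(), and it goes slightly beyond the plain loop in the report by wiping through a volatile pointer, since a compiler may discard an ordinary store made right before free().

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
/* Stand-in for PAM's struct pam_response (constructed, same shape). */
struct pam_response { char *resp; int resp_retcode; };
/* Wipe through a volatile pointer so the compiler cannot drop the stores
   as dead right before free(). Same intent as PAM's _pam_overwrite(). */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Model of _pam_drop_reply(resp, n): clear and free each reply string,
   then free the array. The original code only did free(resp). */
void drop_reply(struct pam_response *resp, int n)
{
    if (resp == NULL) return;
    for (int i = 0; i < n; i++) {
        if (resp[i].resp != NULL) {
            secure_zero(resp[i].resp, strlen(resp[i].resp));
            free(resp[i].resp);
        }
    }
    free(resp);
}

/* Constructed stand-in for opieverify(): 0 on success, 1 otherwise. */
static int fake_verify(const char *tok, const char *expected)
{ return strcmp(tok, expected) == 0 ? 0 : 1; }

/* Hardened form of the pam_sm_authenticate() excerpt: copy the token,
   drop the reply (clearing the string), verify, then wipe and free the
   copy. Returns the verify result, or -1 if the reply was empty. */
int authenticate_reply(struct pam_response *resp, const char *expected)
{
    char *tok = resp[0].resp ? strdup(resp[0].resp) : NULL;
    drop_reply(resp, 1);            /* was: if (resp != NULL) free(resp); */
    if (tok == NULL) return -1;
    int rc = fake_verify(tok, expected);
    secure_zero(tok, strlen(tok));  /* wipe before free, as the report asks */
    free(tok);
    return rc;
}

/* Build a reply as the PAM conversation would (constructed input). */
struct pam_response *make_reply(const char *otp)
{
    struct pam_response *r = calloc(1, sizeof *r);
    if (r != NULL) r->resp = strdup(otp);
    return r;
}
```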
--- Begin Message ---
Version: 0.21-8+rm

Dear submitter,

as the package libpam-opie has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see http://bugs.debian.org/622220

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[email protected].

Debian distribution maintenance software
pp.
Alexander Reichle-Schmehl (the ftpmaster behind the curtain)


--- End Message ---
