Package: libapache2-mod-auth-pgsql
Version: 2.0.3-6.1
Severity: normal
Dear Maintainer,

when setting "Auth_PG_encrypted" to "on" and "Auth_PG_hash_type" to
"CRYPT", the module uses crypt(3) to encrypt the given password and compare
it with what's in the database.

If your hashed password in the database uses a format not supported by
crypt(3), the function can return NULL. One example is if you have
something like "{SHA}gibberish". That is not one of the supported hash
mechanisms from crypt(3), so it will assume the first two bytes are the
salt for normal DES encryption. But "{" is not a valid character for that
type of salt, and crypt(3) will return NULL.

The mod-auth-pgsql code doesn't check for that case, and will use that NULL
value for a strcmp() later on, and crash.

    case AUTH_PG_HASH_TYPE_CRYPT:
        sent_pw = (char *) crypt(sent_pw, real_pw);
        break;
    (...)
        strcmp(real_pw, sent_pw))

(or strcasecmp, it's in a conditional, but same bug)

I believe the following patch addresses the issue:

diff --git a/mod_auth_pgsql.c b/mod_auth_pgsql.c
index 0a16e05..9282fe5 100644
--- a/mod_auth_pgsql.c
+++ b/mod_auth_pgsql.c
@@ -868,6 +868,12 @@ static authn_status check_password(request_rec *r,
const char *user,
break;
case AUTH_PG_HASH_TYPE_CRYPT:
sent_pw = (char *) crypt(sent_pw, real_pw);
+ if (!sent_pw) {
+ apr_snprintf(pg_errstr, MAX_STRING_LEN,
+ "PG user %s: unsupported CRYPT format", user);
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR -
%s", pg_errstr);
+ return AUTH_DENIED;
+ }
break;
case AUTH_PG_HASH_TYPE_BASE64:
sent_pw = auth_pg_base64(sent_pw);
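
Review bot: the NULL check covers only the AUTH_PG_HASH_TYPE_CRYPT case, while the AUTH_PG_HASH_TYPE_BASE64 case directly below it assigns sent_pw from auth_pg_base64() with no check at all; if that helper can also return NULL, the later strcmp() has the same problem, so a single "if (!sent_pw)" test placed after the switch would protect every hash type. Separately, returning AUTH_DENIED for a database row whose hash crypt(3) cannot parse reports a server-side data problem as a wrong password; AUTH_GENERAL_ERROR may be the more accurate status, and the log text could say that crypt() returned NULL instead of assuming the cause was the format.
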
Ubuntu bug:
https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-pgsql/+bug/1698758

crypt(3) supported hashes, from its manpage:

    $id$salt$encrypted

    ID  | Method
    ─────────────────────────────────────────────────────────
    1   | MD5
    2a  | Blowfish (not in mainline glibc; added in some
        | Linux distributions)
    5   | SHA-256 (since glibc 2.7)
    6   | SHA-512 (since glibc 2.7)

Or, if the encrypted password does not start with $id$salt$, then:

    * salt (the second argument to crypt()) is a two-character string chosen
      from the set [a-zA-Z0-9./]

-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.4.0-81-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libapache2-mod-auth-pgsql depends on:
ii apache2-bin [apache2-api-20120211] 2.4.25-4
ii libc6 2.24-12
ii libpq5 9.6.3-3
libapache2-mod-auth-pgsql recommends no packages.
libapache2-mod-auth-pgsql suggests no packages.
-- no debconf information
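
The two stored-hash layouts quoted from the crypt(3) manpage in this report can be checked before the value ever reaches crypt(), which lets a module log a bad database row by name. The following is an added example, not code from mod_auth_pgsql or from the reporter; classify_stored_hash() and crypt_result_matches() are hypothetical helpers, and the classifier is a shape check that complements the NULL test on crypt()'s return value rather than replacing it.

```c
#include <stddef.h>
#include <string.h>

/* Layouts of a stored hash, per the crypt(3) manpage excerpt in the report. */
enum stored_kind { STORED_INVALID = 0, STORED_DES, STORED_MODULAR };

/* Traditional DES salts use only [a-zA-Z0-9./]. */
static int is_des_salt_char(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '/';
}

/* Hypothetical helper: classify the database value before calling crypt(). */
enum stored_kind classify_stored_hash(const char *stored)
{
    const char *id_end, *salt_end;

    if (stored == NULL)
        return STORED_INVALID;
    if (stored[0] == '$') {
        /* $id$salt$encrypted: non-empty id, then a salt field closed by '$'. */
        id_end = strchr(stored + 1, '$');
        if (id_end == NULL || id_end == stored + 1)
            return STORED_INVALID;
        salt_end = strchr(id_end + 1, '$');
        if (salt_end == NULL || salt_end[1] == '\0')
            return STORED_INVALID;
        return STORED_MODULAR;
    }
    /* Otherwise the first two bytes are the DES salt; '\0' fails the test too. */
    if (is_des_salt_char(stored[0]) && is_des_salt_char(stored[1]))
        return STORED_DES;
    return STORED_INVALID;
}

/* Hypothetical helper: NULL-safe form of the strcmp() that crashed.
 * Returns 1 on match, 0 on mismatch or when crypt() gave no result. */
int crypt_result_matches(const char *computed, const char *stored)
{
    if (computed == NULL || stored == NULL)
        return 0;
    return strcmp(computed, stored) == 0;
}
```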