Package: vlock
Version: 1.3-9
Severity: normal
Tags: patch
I think there's a possible security problem in case
pam_set_item(PAM_USER,...) or pam_set_item(PAM_USER_PROMPT,...) returns
with an error:
In vlock's main() there's:
/* get_password() sets the terminal characteristics and does not */
/* return until the correct password has been read. */
void
get_password(void)
{
    ...
    if (correct_password()) {
        restore_signals();
        restore_terminal();
        return;
    }
    ...
}
and:
static int
correct_password(void)
{
#ifdef USE_PAM
    /* Now use PAM to do authentication.
     */
#define PAM_BAIL_PRE if (pam_error != PAM_SUCCESS) { \
        /* fix signals that may have been disordered by pam */ \
        set_signal_mask(0); \
        printf("SOMETHING IS VERY SERIOUSLY WRONG! '%s' BAILING!\n", \
               pam_strerror(pamh, pam_error)); fflush(stdout); \
        pam_end(pamh, PAM_SUCCESS); \
        return -1; \
    }
    ...
    pam_error = pam_set_item(pamh, PAM_USER_PROMPT, strdup(prompt));
    PAM_BAIL_PRE;
    ... (several more calls like this)
So whenever the if clause in PAM_BAIL_PRE is true (the pam_set_item call
didn't return success), correct_password() will return -1, which
get_password() thinks is fine and returns (password verified
successfully). This isn't much of an issue at the moment, since current
libpam always returns PAM_SUCCESS for pam_set_item(PAM_USER{,PROMPT},
...), but since that implementation might change under our feet without
us noticing, it's worth fixing after all:
--- vlock-1.3/input.c.orig 2006-04-21 14:47:27.000000000 +0200
+++ vlock-1.3/input.c 2006-04-21 14:47:31.000000000 +0200
@@ -189,7 +189,7 @@
}
/* correct_password() sets the terminal status as necessary */
- if (correct_password()) {
+ if (correct_password() > 0) {
restore_signals();
restore_terminal();
return;
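Review bot: the return convention of correct_password() is still undocumented at the changed line, so the "> 0" test is the only thing recording that a negative value means failure. The comment directly above it ("correct_password() sets the terminal status as necessary") should also state what the function returns (positive on a verified password, zero or negative otherwise), so that a later caller does not reintroduce a bare "if (correct_password())". Since get_password() is documented as not returning until the correct password has been read, it is also worth a line noting that a PAM_BAIL_PRE error is now handled like a failed attempt and leaves the terminal locked.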
Cheers,
-- Guido
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: powerpc (ppc)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages vlock depends on:
ii libc6 2.3.6-7 GNU C Library: Shared libraries
ii libpam0g 0.79-3.1 Pluggable Authentication Modules l
vlock recommends no packages.
-- no debconf information
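The effect of the changed test, as an added example that is not part of the original report or of vlock's source: a model of the get_password() loop fed a constructed series of correct_password() results. The helper names and the 1/0 values for an accepted/rejected password are assumptions; only the -1 error return comes from the report.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed return convention of correct_password(): positive = password
 * verified, 0 = wrong password. The -1 is what PAM_BAIL_PRE returns. */
#define RC_PAM_ERROR (-1)
#define RC_WRONG       0
#define RC_OK          1

/* Original test in get_password(): if (correct_password()) */
static int unlock_if_nonzero(int rc) { return rc != 0; }

/* Patched test: if (correct_password() > 0) */
static int unlock_if_positive(int rc) { return rc > 0; }

/* Hypothetical model of the get_password() loop: walk a series of
 * correct_password() results and report which attempt (0-based)
 * released the lock, or -1 if the terminal stayed locked throughout. */
static int first_unlock(const int *rc, size_t n, int (*unlock)(int))
{
    for (size_t i = 0; i < n; i++)
        if (unlock(rc[i]))
            return (int)i;
    return -1;
}

/* Constructed sample runs, not taken from a real PAM session. */
static const int run_error_then_ok[] = { RC_WRONG, RC_PAM_ERROR, RC_WRONG, RC_OK };
static const int run_error_only[]    = { RC_WRONG, RC_PAM_ERROR, RC_PAM_ERROR };

int main(void)
{
    /* A PAM error on the second attempt releases the lock under the
     * original test; the patched test waits for a verified password. */
    printf("error then ok: original=%d patched=%d\n",
           first_unlock(run_error_then_ok, 4, unlock_if_nonzero),
           first_unlock(run_error_then_ok, 4, unlock_if_positive));
    /* With only errors and wrong passwords the patched test fails closed. */
    printf("error only:    original=%d patched=%d\n",
           first_unlock(run_error_only, 3, unlock_if_nonzero),
           first_unlock(run_error_only, 3, unlock_if_positive));
    return 0;
}
```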