Andrew Deason <[EMAIL PROTECTED]> writes:
> Russ Allbery <[EMAIL PROTECTED]> wrote:
>
>> I think this patch is the thorough fix.
>
> Agreed. However...
>
> $ patch -p1 < ~/pamk5-rra.patch 
> patching file auth.c
> Hunk #1 succeeded at 247 (offset -3 lines).
> Hunk #2 FAILED at 703.
> 1 out of 2 hunks FAILED -- saving rejects to file auth.c.rej
>
> This is libpam-krb5 3.11-2.

Sorry, patch was against 3.13 development.  Here's the 3.11-2 patch:

diff --git a/auth.c b/auth.c
index f591933..7b6b5e4 100644
--- a/auth.c
+++ b/auth.c
@@ -247,17 +247,20 @@ k5login_password_auth(struct pam_args *args, krb5_creds 
*creds,
      * Kerberos error code to errno.
      */
     k5login = fopen(filename, "r");
-    free(filename);
     if (k5login == NULL) {
         *retval = errno;
+        free(filename);
         return PAM_AUTH_ERR;
     }
+    free(filename);
     if (fstat(fileno(k5login), &st) != 0) {
         *retval = errno;
         goto fail;
     }
     if (st.st_uid != 0 && (st.st_uid != pwd->pw_uid)) {
-        *retval = errno;
+        *retval = EACCES;
+        pamk5_error(args, "unsafe .k5login ownership (saw %lu, expected %lu)",
+                    (unsigned long) st.st_uid, (unsigned long) pwd->pw_uid);
         goto fail;
     }
 
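Review bot: the real fix in this hunk is the switch from `*retval = errno` to `*retval = EACCES` after the ownership test; the old assignment read errno after a successful fstat(), so it carried a stale value that could be 0 and let an unsafe .k5login be treated as a non-error. The `free(filename)` move, by contrast, is a no-op for this version: nothing between the original free and the new one uses `filename`, so the patch now has two free sites where one did the job. Either keep the single `free(filename)` before the `if (k5login == NULL)` check, or justify the move by including `filename` in the new pamk5_error() message so the log says which file had the bad owner.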
@@ -600,11 +603,10 @@ pamk5_password_auth(struct pam_args *args, const char 
*service,
                           (char *) service, opts);
             success = (retval == 0) ? PAM_SUCCESS : PAM_AUTH_ERR;
         }
-        if (success == PAM_SUCCESS) {
-            if (retval != 0)
-                goto done;
+        if (success == PAM_SUCCESS)
             break;
-        }
+        else if (retval == 0)
+            retval = PAM_SERVICE_ERR;
         pass = NULL;
     } while (retry && retval == KRB5KRB_AP_ERR_BAD_INTEGRITY);
     if (retval != 0)
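Review bot: `retval = PAM_SERVICE_ERR` stores a PAM status in a variable that is otherwise a Kerberos error code (the loop condition compares it with KRB5KRB_AP_ERR_BAD_INTEGRITY and the line after the loop tests `retval != 0`), so whatever maps retval to a PAM return after the loop must now cope with both kinds of value; a comment at the assignment saying this is a deliberate "failure with no krb5 code" sentinel would prevent it being mistaken for a bug. Note also that the removed branch (`success == PAM_SUCCESS` with `retval != 0`, which jumped to done) is replaced by an unconditional `break` on success, which is only safe if every assignment to `success` derives it from retval as the visible `success = (retval == 0) ? ...` line does; worth confirming for the assignments above this hunk.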
diff --git a/debian/changelog b/debian/changelog
index 7f266c5..4f002a7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libpam-krb5 (3.11-3) unstable; urgency=low
+
+  * Fix segfault after detection of unsafe .k5login ownership when
+    search_k5login is set.  Thanks, Andrew Deason.  (Closes: #499479)
+
+ -- Russ Allbery <[EMAIL PROTECTED]>  Thu, 18 Sep 2008 20:45:43 -0700
+
 libpam-krb5 (3.11-2) unstable; urgency=low
 
   * Fix double-free of the cache data structure if cache creation fails
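Review bot: the entry records the symptom but not the user-visible behaviour change in auth.c: an unsafe .k5login owner now fails with EACCES and emits a new "unsafe .k5login ownership" error line via pamk5_error(), which administrators grepping logs will want to know about. Suggest a second sentence such as "Unsafe ownership now logs an error and returns EACCES instead of a stale errno."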

-- 
Russ Allbery ([EMAIL PROTECTED])               <http://www.eyrie.org/~eagle/>