Package: xlockmore
Version: 5.13-2.1
Followup-For: Bug #318123
Tags: patch

The general design issue here is that xlock (unlike e.g. xscreensaver, which takes the X server down along with it) grants access to the screen when it is killed by a signal, i.e. any way to crash it becomes an authentication bypass right away instead of, at worst, just a DoS.
In this specific case, the error causing the crash (or abort, with glibc's malloc checking in unstable) lies in freeing non-allocated memory.

In xlock/passwd.c, PAM_conv() malloc()s reply, an array of pam_response structures, and leaves it uninitialized. In the following loop, xlock/xlock.c's PAM_putText() gets called with a pointer to each element of reply. In the case of the PAM_PROMPT_ECHO_ON and PAM_PROMPT_ECHO_OFF message styles (as used by the "normal" user/password type PAM modules), PAM_putText() sets the resp member of the reply element to the string the user entered. In all other cases, like the "No smart card present" message of pam_opensc, which is of the PAM_TEXT_INFO message style, PAM_putText() does not touch resp, which thus still has its uninitialized random value. The reply array is returned to the PAM layer by PAM_conv(), where all non-NULL resp members of its entries get free()'d [1].

I've attached a simple patch fixing this specific issue: using calloc(), the reply array entries are always initialized to zero, thus all resp members are NULL unless actually set to some address later.

elmar

[1] and, at least in the case of pam_opensc, overwritten before that.

-- 
Elmar Hoffmann <[EMAIL PROTECTED]>
GPG key available via pgp.net
ASCII Ribbon Campaign against HTML email & vCards
diff -rNu xlockmore-5.13.orig/xlock/passwd.c xlockmore-5.13/xlock/passwd.c --- xlockmore-5.13.orig/xlock/passwd.c 2004-06-02 17:34:38.000000000 +0200 +++ xlockmore-5.13/xlock/passwd.c 2005-12-22 02:21:40.000000000 +0100 @@ -296,8 +296,8 @@ #define COPY_STRING(s) (s) ? strdup(s) : NULL - reply = (struct pam_response *) malloc(sizeof (struct pam_response) * - num_msg); + reply = (struct pam_response *) calloc(num_msg, + sizeof (struct pam_response)); if (!reply) return PAM_CONV_ERR;
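Review bot: the hunk's `if (!reply) return PAM_CONV_ERR;` still relies on the allocation failing to catch a bad message count; `calloc(num_msg, ...)` with `num_msg <= 0` can return a non-NULL pointer (or, for a negative `int` converted to `size_t`, attempt a huge allocation), so add `if (num_msg <= 0) return PAM_CONV_ERR;` before the allocation, which is the convention PAM expects of a conversation function. The calloc() change itself is the right fix for the reported bug: the zero-filled array is what makes every resp that PAM_putText() never touches a NULL pointer, so the caller's free() loop no longer acts on stale stack or heap garbage. Minor style point: the `(struct pam_response *)` cast on the return value is unnecessary in C.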
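The conversation-function pattern the report and patch describe, as an added example that is not xlockmore's code: the reply array is calloc()'d so every resp starts out NULL, only prompt-style messages ever receive a resp string, and the PAM-side cleanup frees exactly the non-NULL entries. The struct and constant definitions are local mirrors of the PAM API from <security/pam_appl.h> (an assumption made so the file builds without libpam), and the typed password is a constructed stand-in for what xlock reads from the keyboard in PAM_putText().

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local mirrors of the PAM types and constants (assumption: same layout
 * and values as Linux-PAM's <security/pam_appl.h>). */
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON  2
#define PAM_ERROR_MSG       3
#define PAM_TEXT_INFO       4
#define PAM_SUCCESS         0
#define PAM_CONV_ERR        19

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Constructed stand-in for the password the user types. */
static const char *fake_input = "s3cret";

/* Conversation function in the shape the patch leaves PAM_conv(): a
 * zero-filled reply array, so entries never answered stay NULL. */
int hardened_conv(int num_msg, const struct pam_message **msg,
                  struct pam_response **resp_out, void *appdata)
{
    struct pam_response *reply;
    int i;
    (void)appdata;

    /* Reject a bogus count before allocating; calloc(0, ...) may return
     * a non-NULL pointer that we would otherwise walk. */
    if (num_msg <= 0)
        return PAM_CONV_ERR;

    reply = calloc((size_t)num_msg, sizeof *reply);
    if (!reply)
        return PAM_CONV_ERR;

    for (i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF:
        case PAM_PROMPT_ECHO_ON:
            reply[i].resp = strdup(fake_input);
            if (!reply[i].resp)
                goto fail;
            break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:
            /* Nothing to answer: resp stays NULL because of calloc(). */
            break;
        default:
            goto fail;
        }
    }
    *resp_out = reply;
    return PAM_SUCCESS;

fail:
    /* Every unfilled entry is NULL, so this loop is safe mid-way through. */
    for (i = 0; i < num_msg; i++)
        free(reply[i].resp);
    free(reply);
    return PAM_CONV_ERR;
}

/* What the PAM side does with the array (as the report describes for
 * pam_opensc): free every non-NULL resp.  Returns the number freed. */
int free_replies(struct pam_response *reply, int num_msg)
{
    int freed = 0, i;
    for (i = 0; i < num_msg; i++) {
        if (reply[i].resp) {
            free(reply[i].resp);
            freed++;
        }
    }
    free(reply);
    return freed;
}

/* Drive the conversation with a pam_opensc-like sequence: an info message
 * followed by a password prompt.  With a malloc()'d array reply[0].resp
 * would be garbage and the free loop would abort; here it is NULL, so
 * exactly one entry (the prompt's answer) gets freed. */
int demo(void)
{
    struct pam_message m0 = { PAM_TEXT_INFO, "No smart card present" };
    struct pam_message m1 = { PAM_PROMPT_ECHO_OFF, "Password: " };
    const struct pam_message *msgs[2] = { &m0, &m1 };
    struct pam_response *reply = NULL;

    if (hardened_conv(2, msgs, &reply, NULL) != PAM_SUCCESS)
        return -1;
    if (reply[0].resp != NULL)
        return -2;
    if (strcmp(reply[1].resp, fake_input) != 0)
        return -3;
    return free_replies(reply, 2);
}

/* A zero message count must be refused without touching resp_out. */
int rejects_bad_count(void)
{
    struct pam_response *reply = NULL;
    return hardened_conv(0, NULL, &reply, NULL) == PAM_CONV_ERR
        && reply == NULL;
}

int main(void)
{
    printf("entries freed by the PAM side: %d\n", demo());
    return 0;
}
```

The failure path is the second thing the zero-fill buys: if strdup() fails on the third of five prompts, the cleanup loop can free all five resp pointers blindly because the two it never reached are NULL rather than whatever was left on the heap.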