https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272228
Bug ID: 272228
Summary: libpam's openpam_subst() can crash if prompt ends with
%
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: [email protected]
Reporter: [email protected]
If a PAM user prompt ends with %, then openpam_subst() increments
template (the prompt) beyond the prompt's terminal '\0', and
(depending what's beyond the end) can eventually crash. One place such
a prompt could come from is a remote TACACS+ server.
while (*template && ret == PAM_SUCCESS) {
if (template[0] == '%') {
++template;
switch (*template) {
...;
case '\0':
subst_char('%');
break;
...;
}
++template;
}
}
--
You are receiving this mail because:
You are the assignee for the bug.
