Package: libpam-script
Version: 1.1.7-1
Severity: important
Dear Maintainer,
When passed an incorrect password on stdin, the passwd program crashes
in libpam-script when libpam-script is not configured (that is,
installed, but no configuration has been done).
Here is a simple way to reproduce it. The gdb session comes from
re-building libpam-script leaving symbols. The crash is the same
in the standard package. This was seen when running as root. Presumably
it would happen for a normal user with the original passwd supplied.
It would appear that the validity of the password variable is not checked.
# /bin/echo -e 'cn321\\ncn321' > /tmp/d # (note the extra backslash)
# gdb -q /usr/bin/passwd
Reading symbols from /usr/bin/passwd...(no debugging symbols found)...done.
(gdb) r < /tmp/d
Starting program: /usr/bin/passwd < /tmp/d
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
New password: New password (again):
Program received signal SIGSEGV, Segmentation fault.
__strcmp_sse2 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
210 ../sysdeps/x86_64/multiarch/../strcmp.S: No such file or directory.
(gdb) bt
#0 __strcmp_sse2 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
#1 0x7f8e3a5979b9 in pam_sm_chauthtok (pamh=0x7f8e3cc5f2a0, flags=8192,
argc=0,
argv=0x7f8e3cc5fad0) at pam_script.c:392
#2 0x7f8e3b823f8f in ?? () from /lib/x86_64-linux-gnu/libpam.so.0
#3 0x7f8e3b828513 in pam_chauthtok () from
/lib/x86_64-linux-gnu/libpam.so.0
#4 0x7f8e3bc58032 in ?? ()
#5 0x7f8e3bc56c08 in ?? ()
#6 0x7f8e3ae4ab45 in __libc_start_main (main=0x7f8e3bc56160, argc=1,
argv=0x7ffd654951a8, init=, fini=,
rtld_fini=, stack_end=0x7ffd65495198) at libc-start.c:287
#7 0x7f8e3bc57028 in ?? ()
(gdb) up
#1 0x7f8e3a5979b9 in pam_sm_chauthtok (pamh=0x7f8e3cc5f2a0, flags=8192,
argc=0,
argv=0x7f8e3cc5fad0) at pam_script.c:392
392 if (strcmp(new_password, password)) {
(gdb) l
387 if (retval != PAM_SUCCESS)
388 return retval;
389 pam_get_item(pamh, PAM_AUTHTOK, (void*) );
390
391 /* Check if new password's are the same */
392 if (strcmp(new_password, password)) {
393 retval = pam_script_senderr(pamh, flags, argc, argv,
394 "You must enter the same password twice.");
395 if (retval != PAM_SUCCESS)
396 return retval;
(gdb) p password
$1 = 0x0
(gdb) p new_password
$2 = "cn321\\ncn321", '\000'
-- System Information:
Debian Release: 8.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/40 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
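
The following is an added example, not part of the original report and not libpam-script's code: one way to guard the comparison at pam_script.c:392 so that a NULL `password` returns an error instead of reaching strcmp(). The names `ex_get_item`, `compare_checked` and the `EX_*` codes are hypothetical stand-ins for the PAM item lookup and return codes, used so the example builds without the PAM headers.

```c
#include <stdio.h>
#include <string.h>

/* Constructed return codes for this example only (stand-ins for PAM_* values). */
enum { EX_SUCCESS = 0, EX_AUTHTOK_ERR = 1, EX_MISMATCH = 2 };

/* Hypothetical model of the item lookup: it reports success even when
 * no token is stored, leaving *item NULL, as `password` was in the
 * gdb session ($1 = 0x0). */
static int ex_get_item(const char *stored, const void **item)
{
    *item = stored;
    return EX_SUCCESS;
}

/* Checked comparison: both pointers are validated before strcmp(). */
static int compare_checked(const char *new_password, const char *stored)
{
    const void *item = NULL;
    const char *password;
    int retval = ex_get_item(stored, &item);

    if (retval != EX_SUCCESS)
        return retval;
    password = item;

    /* A successful lookup does not imply a non-NULL item. */
    if (new_password == NULL || password == NULL)
        return EX_AUTHTOK_ERR;

    /* Only now is it safe to compare the two entries. */
    if (strcmp(new_password, password) != 0)
        return EX_MISMATCH;
    return EX_SUCCESS;
}

int main(void)
{
    /* Constructed inputs: the first line reproduces the state in the backtrace. */
    printf("NULL stored token: %d\n", compare_checked("cn321\\ncn321", NULL));
    printf("mismatch:          %d\n", compare_checked("cn321", "cn322"));
    printf("match:             %d\n", compare_checked("cn321", "cn321"));
    return 0;
}
```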