Package: libpam-script
Version: 1.1.7-1
Severity: important

Dear Maintainer,

When passed an incorrect password on stdin, the passwd program crashes in libpam-script when libpam-script is not configured (that is, installed, but no configuration has been done).

Here is a simple way to reproduce it. The gdb session comes from re-building libpam-script leaving symbols. The crash is the same in the standard package.

This was seen when running as root. Presumably would happen for a normal user with the original passwd supplied.

It would appear that the validity of the password variable is not checked.

# /bin/echo -e 'cn321\\ncn321' > /tmp/d
# (note the extra backslash)
# gdb -q /usr/bin/passwd
Reading symbols from /usr/bin/passwd...(no debugging symbols found)...done.
(gdb) r < /tmp/d
Starting program: /usr/bin/passwd < /tmp/d
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
New password: New password (again):
Program received signal SIGSEGV, Segmentation fault.
__strcmp_sse2 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
210     ../sysdeps/x86_64/multiarch/../strcmp.S: No such file or directory.
(gdb) bt
#0  __strcmp_sse2 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
#1  0x00007f8e3a5979b9 in pam_sm_chauthtok (pamh=0x7f8e3cc5f2a0, flags=8192, argc=0, argv=0x7f8e3cc5fad0)
    at pam_script.c:392
#2  0x00007f8e3b823f8f in ?? () from /lib/x86_64-linux-gnu/libpam.so.0
#3  0x00007f8e3b828513 in pam_chauthtok () from /lib/x86_64-linux-gnu/libpam.so.0
#4  0x00007f8e3bc58032 in ?? ()
#5  0x00007f8e3bc56c08 in ?? ()
#6  0x00007f8e3ae4ab45 in __libc_start_main (main=0x7f8e3bc56160, argc=1, argv=0x7ffd654951a8,
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd65495198)
    at libc-start.c:287
#7  0x00007f8e3bc57028 in ?? ()
(gdb) up
#1  0x00007f8e3a5979b9 in pam_sm_chauthtok (pamh=0x7f8e3cc5f2a0, flags=8192, argc=0, argv=0x7f8e3cc5fad0)
    at pam_script.c:392
392             if (strcmp(new_password, password)) {
(gdb) l
387             if (retval != PAM_SUCCESS)
388                 return retval;
389             pam_get_item(pamh, PAM_AUTHTOK, (void*) &password);
390
391             /* Check if new password's are the same */
392             if (strcmp(new_password, password)) {
393                 retval = pam_script_senderr(pamh, flags, argc, argv,
394                         "You must enter the same password twice.");
395                 if (retval != PAM_SUCCESS)
396                     return retval;
(gdb) p password
$1 = 0x0
(gdb) p new_password
$2 = "cn321\\ncn321", '\000' <repeats 115 times>

-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/40 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
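
The missing check the report points at, shown as an added example that is not part of the original report or of libpam-script's code: the item lookup result and both pointers are validated before strcmp() runs, so a NULL PAM_AUTHTOK fails closed instead of crashing. The names mock_get_authtok, confirm_new_password and the result codes are hypothetical; the mock stands in for pam_get_item() so the block builds without libpam.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example (not Linux-PAM constants). */
enum { ITEM_OK = 0, ITEM_ERR = 1 };
enum confirm_result { CONFIRM_MATCH, CONFIRM_MISMATCH, CONFIRM_NO_AUTHTOK };

/* Stand-in for pam_get_item(pamh, PAM_AUTHTOK, ...): reports success and
 * hands back whatever is stored, which may be NULL, as in the backtrace. */
static int mock_get_authtok(const char *stored, const void **item)
{
    *item = stored;
    return ITEM_OK;
}

/* Hardened form of the comparison at pam_script.c:392: the lookup result and
 * both pointers are validated before strcmp() is allowed to touch them. */
enum confirm_result confirm_new_password(const char *new_password,
                                         const char *stored_authtok)
{
    const void *item = NULL;

    if (mock_get_authtok(stored_authtok, &item) != ITEM_OK)
        return CONFIRM_NO_AUTHTOK;
    if (item == NULL || new_password == NULL)
        return CONFIRM_NO_AUTHTOK;   /* fail closed instead of SIGSEGV */

    return strcmp(new_password, (const char *)item) == 0
               ? CONFIRM_MATCH : CONFIRM_MISMATCH;
}

int main(void)
{
    /* Constructed inputs; the first row mirrors "p password  $1 = 0x0". */
    const char *cases[][2] = {
        { "cn321\\ncn321", NULL },
        { "cn321", "cn321" },
        { "cn321", "cn322" },
    };
    static const char *names[] = { "match", "mismatch", "no authtok" };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("case %zu: %s\n", i,
               names[confirm_new_password(cases[i][0], cases[i][1])]);
    return 0;
}
```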