Your message dated Fri, 22 Apr 2005 16:17:14 -0400 with message-id <[EMAIL PROTECTED]> and subject line "Bug#301204: fixed in libpam-ssh 1.91.0-9" has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 24 Mar 2005 12:55:10 +0000
From: Michael Tokarev <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: libpam-ssh: pam-ssh incorrectly re-uses values returned by getpwnam()
Message-Id: <[EMAIL PROTECTED]>
Date: Thu, 24 Mar 2005 15:55:06 +0300 (MSK)

Package: libpam-ssh
Version: 1.91.0-5
Severity: critical

A long time ago (circa 1998 or so) I looked at the pam-ssh project and noticed several problems with it.
And since it's now in Debian, the same problems apply to Debian too. Here's one.

In the pam_sm_authenticate() routine, pam_ssh saves struct passwd as a pam variable, this way (error checking removed for simplicity):

    pwent = getpwnam(user);
    ...
    /* copy the passwd entry (in case successive calls are made)
       and save it for the session phase */
    pwent_keep = malloc(sizeof *pwent);
    memcpy(pwent_keep, pwent, sizeof *pwent_keep);   /* copies the pointers, not the strings */
    pam_set_data(pamh, "ssh_passwd_entry", pwent_keep, ssh_cleanup);

and later, in pam_sm_open_session(), it reuses the entry to create ~/.ssh/... files and to set user IDs:

    pam_get_data(pamh, "ssh_passwd_entry", (const void **)(void *)&pwent);
    openpam_borrow_cred(pamh, pwent);
    /* pwent->pw_dir still points into getpwnam()'s internal buffer */
    asprintf(&per_agent, "%s/.ssh/agent-%s", pwent->pw_dir, hname);
    env_write = open(per_agent, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR);
    ...

struct passwd contains pointers to strings (pw_dir, pw_name etc). So, any call to getpwent() and other getpw*() routines in between pam_sm_authenticate() and pam_sm_open_session() of this module poses a high risk of the strings being overwritten (or even the whole internal pwent buffer being re-allocated), so the module will create files in a wrong place using a wrong userid. Luckily, most (depending on the other modules in the PAM stack) getpw* calls will be the same as this module does, and hence the problem will not occur.

I pointed this problem out to the author at the same time I looked at the module, but instead of an ACK he replied with something like "If you don't like my program write your own". Later on, he changed the logic a bit -- previously he was saving the pwent pointer, now he saves the whole structure (as pwent_keep), but the same problem is still here.

There were other issues with this package at that time, but by now I forgot which ones.
-- System Information
Debian Release: 3.0
Kernel Version: Linux paltus.tls.msk.ru 2.6.11-k7-0 #1 Wed Mar 2 20:04:17 MSK 2005 i686 GNU/Linux

Versions of the packages libpam-ssh depends on:
ii  libc6         2.3.2.ds1-16   GNU C Library: Shared libraries and Timezone
ii  libpam0g      0.76-22        Pluggable Authentication Modules library
ii  libssl0.9.7   0.9.7e-3       SSL shared libraries

---------------------------------------
Received: (at 301204-close) by bugs.debian.org; 22 Apr 2005 20:23:03 +0000
From: Aurelien Labrosse <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#301204: fixed in libpam-ssh 1.91.0-9
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Fri, 22 Apr 2005 16:17:14 -0400

Source: libpam-ssh
Source-Version: 1.91.0-9

We believe that the bug you reported is fixed in the latest version of libpam-ssh, which is due to be installed in the Debian FTP archive:

libpam-ssh_1.91.0-9.diff.gz
  to pool/main/libp/libpam-ssh/libpam-ssh_1.91.0-9.diff.gz
libpam-ssh_1.91.0-9.dsc
  to pool/main/libp/libpam-ssh/libpam-ssh_1.91.0-9.dsc
libpam-ssh_1.91.0-9_i386.deb
  to pool/main/libp/libpam-ssh/libpam-ssh_1.91.0-9_i386.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Labrosse <[EMAIL PROTECTED]> (supplier of updated libpam-ssh package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Fri, 22 Apr 2005 21:37:21 +0200
Source: libpam-ssh
Binary: libpam-ssh
Architecture: source i386
Version: 1.91.0-9
Distribution: unstable
Urgency: high
Maintainer: Aurelien Labrosse <[EMAIL PROTECTED]>
Changed-By: Aurelien Labrosse <[EMAIL PROTECTED]>
Description:
 libpam-ssh - enable SSO behavior for ssh and pam
Closes: 301204
Changes:
 libpam-ssh (1.91.0-9) unstable; urgency=high
 .
   * Urgency set to high due to a RC bugfix
   * Fix dpatch debian/rules integration
   * Add patch from Dmitry K. Butskoj <[EMAIL PROTECTED]> that closes: #301204 (insecure use of getpwnam())
   * add a postinst script to remove trailing /etc/init.d/libpam-ssh script installed with an old version and no longer used
Files:
 8c71f53b9bc4afe79b84149390d076dc 687 admin optional libpam-ssh_1.91.0-9.dsc
 08412d4f4c8f0a950a7e53e49da335f2 344350 admin optional libpam-ssh_1.91.0-9.diff.gz
 86d1f6c4d9b10b686d032db1ed1a8cc5 46036 admin optional libpam-ssh_1.91.0-9_i386.deb