Your message dated Fri, 22 Apr 2005 16:17:14 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#301204: fixed in libpam-ssh 1.91.0-9
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 24 Mar 2005 12:55:10 +0000
From: Michael Tokarev <[EMAIL PROTECTED]>
Subject: libpam-ssh: pam-ssh incorrectly re-uses values returned by getpwnam()
To: [EMAIL PROTECTED]
X-Mailer: bug 3.3.10.1
Message-Id: <[EMAIL PROTECTED]>
Date: Thu, 24 Mar 2005 15:55:06 +0300 (MSK)

Package: libpam-ssh
Version: 1.91.0-5
Severity: critical

A long time ago (circa 1998 or so) I looked at the pam-ssh project and
noticed several problems with it.  And since it's now in Debian,
the same problems apply to Debian too.

Here's one.

In the pam_sm_authenticate() routine, pam_ssh saves struct passwd as
a pam variable, this way (error checking removed for simplicity):

        pwent = getpwnam(user);
        ...
        /* copy the passwd entry (in case successive calls are made) and
           save it for the session phase */

        pwent_keep = malloc(sizeof *pwent);
        memcpy(pwent_keep, pwent, sizeof *pwent_keep);
        pam_set_data(pamh, "ssh_passwd_entry", pwent_keep, ssh_cleanup);

and later, in pam_sm_open_session(), it reuses the entry to create
~/.ssh/... files and to set user IDs:

        pam_get_data(pamh, "ssh_passwd_entry", (const void **)(void *)&pwent);
        openpam_borrow_cred(pamh, pwent);
        asprintf(&per_agent, "%s/.ssh/agent-%s", pwent->pw_dir, hname);
        env_write = open(per_agent, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR);
        ...

struct passwd contains pointers to strings (pw_dir, pw_name etc).
So, any call to getpwent() and other getpw*() routines in between
pam_sm_authenticate() and pam_sm_open_session() of this module
poses a high risk of the strings to be overwritten (or even the
whole internal pwent buffer re-allocated), so the module will
create files in a wrong place using wrong userid.

Luckily, most (depending on the other modules in the PAM stack) getpw*
calls will be the same as this module does, and hence the problem
will not occur.

I pointed this problem out to the author the same time I looked at
the module, but instead of an ACK he replied with something like
"If you don't like my program write your own".  Later on, he changed
the logic a bit -- previously he was saving the pwent pointer, now
he saves the whole structure (as pwent_keep), but the same problem
is still here.

There were other issues with this package at that time, but
by now I have forgotten which ones.

-- System Information
Debian Release: 3.0
Kernel Version: Linux paltus.tls.msk.ru 2.6.11-k7-0 #1 Wed Mar 2 20:04:17 MSK 2005 i686 GNU/Linux

Versions of the packages libpam-ssh depends on:
+++-==============-==============-============================================
ii  libc6          2.3.2.ds1-16   GNU C Library: Shared libraries and Timezone
ii  libpam0g       0.76-22        Pluggable Authentication Modules library
ii  libssl0.9.7    0.9.7e-3       SSL shared libraries
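The lifetime problem the report describes, shown as an added example (not pam-ssh's own code): a shallow memcpy of struct passwd keeps pointers into the library's reusable buffer, whereas passwd_dup() (a hypothetical replacement for the pwent_keep copy, with passwd_free() as the matching cleanup callback for pam_set_data) duplicates the strings so that a later getpw* call cannot change what the session phase sees. The buffer reuse is simulated with a constructed entry and a local buffer instead of a real lookup, so it runs without any particular system users.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <pwd.h>
#include <stdlib.h>
#include <string.h>

/* Free a passwd_dup() copy; what a pam_set_data() cleanup callback would do. */
void passwd_free(struct passwd *p)
{
    if (p == NULL) return;
    free(p->pw_name); free(p->pw_passwd); free(p->pw_gecos);
    free(p->pw_dir); free(p->pw_shell); free(p);
}

/* Deep copy: duplicate every string so the copy no longer points into the
 * static buffer that getpwnam()/getpwent() reuse on their next call. */
struct passwd *passwd_dup(const struct passwd *src)
{
    struct passwd *dst = calloc(1, sizeof *dst);
    if (dst == NULL) return NULL;
    dst->pw_uid = src->pw_uid; dst->pw_gid = src->pw_gid;
    dst->pw_name = strdup(src->pw_name);
    dst->pw_passwd = strdup(src->pw_passwd);
    dst->pw_gecos = strdup(src->pw_gecos);
    dst->pw_dir = strdup(src->pw_dir);
    dst->pw_shell = strdup(src->pw_shell);
    if (!dst->pw_name || !dst->pw_passwd || !dst->pw_gecos ||
        !dst->pw_dir || !dst->pw_shell) { passwd_free(dst); return NULL; }
    return dst;
}

/* The report's scenario with a constructed entry: libbuf stands in for the
 * library's reusable buffer, its overwrite for the next getpw* call. Returns 1
 * when shallow's pw_dir changed under it and the deep copy kept the original. */
int demo_stale_pointer(void)
{
    char libbuf[32] = "/home/alice";
    struct passwd ent = { .pw_name = "alice", .pw_passwd = "x",
                          .pw_uid = 1000, .pw_gid = 1000, .pw_gecos = "",
                          .pw_dir = libbuf, .pw_shell = "/bin/sh" };
    struct passwd shallow;
    memcpy(&shallow, &ent, sizeof shallow);   /* what pwent_keep did */
    struct passwd *deep = passwd_dup(&ent);
    if (deep == NULL) return 0;
    strcpy(libbuf, "/home/bob");              /* buffer reused for another user */
    int shallow_changed = strcmp(shallow.pw_dir, "/home/bob") == 0;
    int deep_intact = strcmp(deep->pw_dir, "/home/alice") == 0;
    passwd_free(deep);
    return shallow_changed && deep_intact;
}
```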

---------------------------------------
Received: (at 301204-close) by bugs.debian.org; 22 Apr 2005 20:23:03 +0000
From: Aurelien Labrosse <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#301204: fixed in libpam-ssh 1.91.0-9
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Fri, 22 Apr 2005 16:17:14 -0400

Source: libpam-ssh
Source-Version: 1.91.0-9

We believe that the bug you reported is fixed in the latest version of
libpam-ssh, which is due to be installed in the Debian FTP archive:

libpam-ssh_1.91.0-9.diff.gz
  to pool/main/libp/libpam-ssh/libpam-ssh_1.91.0-9.diff.gz
libpam-ssh_1.91.0-9.dsc
  to pool/main/libp/libpam-ssh/libpam-ssh_1.91.0-9.dsc
libpam-ssh_1.91.0-9_i386.deb
  to pool/main/libp/libpam-ssh/libpam-ssh_1.91.0-9_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Labrosse <[EMAIL PROTECTED]> (supplier of updated libpam-ssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])



Format: 1.7
Date: Fri, 22 Apr 2005 21:37:21 +0200
Source: libpam-ssh
Binary: libpam-ssh
Architecture: source i386
Version: 1.91.0-9
Distribution: unstable
Urgency: high
Maintainer: Aurelien Labrosse <[EMAIL PROTECTED]>
Changed-By: Aurelien Labrosse <[EMAIL PROTECTED]>
Description: 
 libpam-ssh - enable SSO behavior for ssh and pam
Closes: 301204
Changes: 
 libpam-ssh (1.91.0-9) unstable; urgency=high
 .
   * Urgency set to high due to a RC bugfix
   * Fix dpatch debian/rules integration
   * Add patch from Dmitry K. Butskoj <[EMAIL PROTECTED]> that
     closes: #301204 (insecure use of getpwnam())
   * add a postinst script to remove trailing /etc/init.d/libpam-ssh script
     installed with an old version and no longer used
Files: 
 8c71f53b9bc4afe79b84149390d076dc 687 admin optional libpam-ssh_1.91.0-9.dsc
 08412d4f4c8f0a950a7e53e49da335f2 344350 admin optional libpam-ssh_1.91.0-9.diff.gz
 86d1f6c4d9b10b686d032db1ed1a8cc5 46036 admin optional libpam-ssh_1.91.0-9_i386.deb


