Your message dated Sat, 15 Mar 2008 00:17:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#431371: fixed in pam-tmpdir 0.07-2
has caused the Debian Bug report #431371,
regarding Multi-line config files crash libpam-tmpdir with memory faults
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
431371: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=431371
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libpam-tmpdir
Version: 0.07-1
Severity: normal
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I installed libpam-tmpdir on three of my machines. It worked fine on
two of them, but on the third I was unable to log in until I disabled
it. I found that pam-tmpdir-helper was crashing with errors like:

> *** glibc detected *** /sbin/pam-tmpdir-helper: realloc(): invalid next size: 0x0804b1a0 ***
> ======= Backtrace: =========
> /lib/libc.so.6[0xb7e89afb]
> /lib/libc.so.6(realloc+0xf8)[0xb7e8ba08]
> /sbin/pam-tmpdir-helper[0x8049024]
> /sbin/pam-tmpdir-helper[0x80490f0]
> /sbin/pam-tmpdir-helper[0x80491dd]
> /sbin/pam-tmpdir-helper[0x804893f]
> /lib/libc.so.6(__libc_start_main+0xdc)[0xb7e35ebc]
> /sbin/pam-tmpdir-helper[0x8048881]
> ======= Memory map: ========
> 08048000-0804a000 r-xp 00000000 03:03 29653      /sbin/pam-tmpdir-helper
> 0804a000-0804b000 rw-p 00001000 03:03 29653      /sbin/pam-tmpdir-helper
> 0804b000-0806c000 rw-p 0804b000 00:00 0          [heap]
> b7d00000-b7d21000 rw-p b7d00000 00:00 0 
(blah blah blah)

I discovered two distinct problems, both in util.c, and caused by the
fact that I'd inadvertently added a second (blank) line in the config file.

The first is in freadline():

>  char buf[512];
>  size_t alloc = 0;
>  char *ret = NULL;
>  char *t;
>  t = fgets(buf, sizeof(buf), stream);
>  if (t == NULL) {
>    return NULL;
>  }
>  ret = xmalloc(sizeof(buf));
>  strcpy(ret, buf);
>  t = fgets(buf, sizeof(buf), stream);
>  while (t != NULL) {
>    alloc += (strlen(t));
>    ret = xrealloc(ret, alloc);
>    strcat(ret,buf);
>  }
>  return ret;

   I'm a little puzzled by the comment about libc lacking a method to
read a line from a file, since fgets() seems to do much the same thing
as Python's f.readline, but maybe I've missed something.

   The problem here is the while() loop: this will loop forever if
there's more than one line in the file, since t is never updated
within the loop (in fact, you eventually get a memory
fault). Additionally, alloc is never set to the original length of the
first line. But since we're only interested in one line at a time, and
fgets() reads until it encounters the supplied size OR an end-of-file
OR a newline character, we don't need any second fgets() call nor the
associated while loop. Unless, of course, we're looking for really
long lines. (Apologies if I've missed some subtle point here).

The second problem is in get_tmp_dir(), where the program checks for a
comment or non-assignment line:

>  line = freadline(conf);
>  while (line) {
>    char *key, *value;
>    if ((line[0] == '#') || (strchr(line, '=') == NULL)) {
>      free(line);
>      continue;
>    }

   This will also loop forever, or at least till it gets a memory
fault, since it doesn't read a fresh line if one of these lines is
encountered. We need to add a 'line = freadline(conf);' before the
continue statement.

Patch attached. I didn't remove the extra lines in freadline(), just
commented them out.

 .....Ron

- -- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.21.5-merlin-0
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-tmpdir depends on:
ii  libc6                         2.5-9+b1   GNU C Library: Shared libraries
ii  libpam0g                      0.79-4     Pluggable Authentication Modules l

libpam-tmpdir recommends no packages.

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGiDpeitqjxNhsdN4RAtePAJ0QTq91SqRewfFAnWzGW3nY2PQCWQCghIqX
5y5q5dZPovZryIw1gLXcXxI=
=JruA
-----END PGP SIGNATURE-----
*** ../util.c	Mon Jul 17 05:13:04 2006
--- util.c	Sun Jul  1 18:35:11 2007
***************
*** 41,52 ****
    }
    ret = xmalloc(sizeof(buf));
    strcpy(ret, buf);
!   t = fgets(buf, sizeof(buf), stream);
    while (t != NULL) {
      alloc += (strlen(t));
      ret = xrealloc(ret, alloc);
      strcat(ret,buf);
    }
    return ret;
  }
  
--- 41,53 ----
    }
    ret = xmalloc(sizeof(buf));
    strcpy(ret, buf);
! /*  t = fgets(buf, sizeof(buf), stream);
    while (t != NULL) {
      alloc += (strlen(t));
      ret = xrealloc(ret, alloc);
      strcat(ret,buf);
    }
+ */
    return ret;
  }
  
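Review bot: With the second fgets() and the while loop commented out, freadline() returns at most sizeof(buf) - 1 characters per call, so a config line longer than the buffer is split and its remainder comes back from the next call as if it were a new line. If long lines should be supported, fix the loop instead of disabling it: initialise alloc from the length already copied into ret plus the terminator, call fgets() again inside the loop body, and stop once the data read ends in a newline. If the length limit is acceptable, delete the dead lines rather than leaving them inside a comment, and remove alloc, which nothing in the lines shown uses after this change.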
***************
*** 127,132 ****
--- 128,134 ----
      char *key, *value;
      if ((line[0] == '#') || (strchr(line, '=') == NULL)) {
        free(line);
+ 	  line = freadline(conf);
        continue;
      }
      tmp = strchr(line, '=');
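Review bot: Reading the next line by hand inside the skip branch, at the added line = freadline(conf); before continue, fixes only this path; any other continue in the loop body, now or later, hangs the same way. Consider fetching the line in the loop condition, as in while ((line = freadline(conf)) != NULL), so that every path through the body advances. The added line is also indented with a tab where the surrounding lines use spaces.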

--- End Message ---
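
The two loops discussed in the report above, rewritten so that each one advances in exactly one place and lines longer than the read buffer are reassembled. This is an added example, not code from pam-tmpdir or from the reporter's patch; read_line, conf_lookup and the 16-byte buffer are names and values assumed for illustration, and the config text is passed in as a string so the example runs without a real config file.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read one whole line of any length (newline stripped); NULL at EOF.
 * fgets() runs on every iteration, so the loop always makes progress.
 * The small buffer forces the multi-chunk path even for short inputs. */
char *read_line(FILE *stream)
{
    char buf[16];
    char *ret = NULL;
    size_t len = 0;
    while (fgets(buf, sizeof buf, stream) != NULL) {
        size_t n = strlen(buf);
        char *grown = realloc(ret, len + n + 1);  /* +1 for the NUL */
        if (grown == NULL) { free(ret); return NULL; }
        ret = grown;
        memcpy(ret + len, buf, n + 1);
        len += n;
        if (len > 0 && ret[len - 1] == '\n') {    /* end of this line */
            ret[len - 1] = '\0';
            break;
        }
    }
    return ret;
}

/* Parse config text; return a malloc'd copy of key's value, or NULL.
 * The next line is fetched only in the loop condition, so skipping a
 * comment, blank or non-assignment line cannot stall the loop. */
char *conf_lookup(const char *text, const char *key)
{
    FILE *conf = tmpfile();
    char *line, *found = NULL;
    size_t klen = strlen(key);
    if (conf == NULL) return NULL;
    fputs(text, conf);
    rewind(conf);
    while (found == NULL && (line = read_line(conf)) != NULL) {
        char *eq = strchr(line, '=');
        if (line[0] != '#' && eq != NULL && (size_t)(eq - line) == klen
            && strncmp(line, key, klen) == 0) {
            found = malloc(strlen(eq + 1) + 1);
            if (found != NULL) strcpy(found, eq + 1);
        }
        free(line);
    }
    fclose(conf);
    return found;
}
```
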
--- Begin Message ---
Source: pam-tmpdir
Source-Version: 0.07-2

We believe that the bug you reported is fixed in the latest version of
pam-tmpdir, which is due to be installed in the Debian FTP archive:

libpam-tmpdir_0.07-2_amd64.deb
  to pool/main/p/pam-tmpdir/libpam-tmpdir_0.07-2_amd64.deb
pam-tmpdir_0.07-2.diff.gz
  to pool/main/p/pam-tmpdir/pam-tmpdir_0.07-2.diff.gz
pam-tmpdir_0.07-2.dsc
  to pool/main/p/pam-tmpdir/pam-tmpdir_0.07-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Kemp <[EMAIL PROTECTED]> (supplier of updated pam-tmpdir package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 14 Mar 2008 00:11:00 +0000
Source: pam-tmpdir
Binary: libpam-tmpdir
Architecture: source amd64
Version: 0.07-2
Distribution: unstable
Urgency: low
Maintainer: Tollef Fog Heen <[EMAIL PROTECTED]>
Changed-By: Steve Kemp <[EMAIL PROTECTED]>
Description: 
 libpam-tmpdir - automatic per-user temporary directories
Closes: 379832 431371
Changes: 
 pam-tmpdir (0.07-2) unstable; urgency=low
 .
   * Avoid crashing on malformed configuration file.
     (Closes: #431371)
   * Update the configuration file to match documentation.
     - /etc/security/tmpdir.conf is used not /etc/pam-tmpdir.conf.
     (Closes: #379832)
   * Misc:
     - Updated standards version to 3.7.3:
       - Updated compatibility level to 4.
       - Don't ignore error in 'make clean'
       - Updated copyright file to be explicit, and pass lintian test.
       - Added lintian override for the setuid helper binary.
     - Added myself as an uploader.
Files: 
 32d88b9e49b4e02272c6da65343b9e4c 625 admin optional pam-tmpdir_0.07-2.dsc
 f418a9a47d40694c337a12c6b7552457 3581 admin optional pam-tmpdir_0.07-2.diff.gz
 600a98d563b316f89e38725c1916ec22 11632 admin optional libpam-tmpdir_0.07-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH2xHxwM/Gs81MDZ0RAu+NAJ9QBXNPoN262qvVYqphfQxVEYXA4QCeIlc/
hhnr73jYpNhBjVewRg/4wGs=
=d+/G
-----END PGP SIGNATURE-----



--- End Message ---
