Your message dated Wed, 19 Jul 2006 13:51:00 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#364081: fixed in vlock 1.3-10
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: vlock
Version: 1.3-9
Severity: normal
Tags: patch

I think there's a possible security problem in case
pam_set_item(PAM_USER,...) or pam_set_item(PAM_USER_PROMPT,...) return
with an error:

In vlock's main() there's:

  /* get_password() sets the terminal characteristics and does not */
  /* return until the correct password has been read.              */

void
get_password(void)
{
   ...
    if (correct_password()) {
      restore_signals();
      restore_terminal();
      return;
    }
    ...
}


and:

static int
correct_password(void)
{
#ifdef USE_PAM
  /* Now use PAM to do authentication.
   */
  #define PAM_BAIL_PRE if (pam_error != PAM_SUCCESS) { \
     /* fix signals that may have been disordered by pam */ \
     set_signal_mask(0); \
     printf("SOMETHING IS VERY SERIOUSLY WRONG! '%s' BAILING!\n", \
         pam_strerror(pamh, pam_error)); fflush(stdout); \
     pam_end(pamh, PAM_SUCCESS); \
     return -1; \
     }
  ...
  pam_error = pam_set_item(pamh, PAM_USER_PROMPT, strdup(prompt));
  PAM_BAIL_PRE;
  ... (several more calls like this)

So whenever the if clause in PAM_BAIL_PRE is true (the pam_set_item call
didn't return success), correct_password() will return -1, which
get_password() thinks is fine and returns (password verified
successfully). This isn't much of an issue at the moment since current
libpam always returns PAM_SUCCESS for pam_set_item(PAM_USER{,PROMPT},
...) but since that implementation might change under our feet without
noticing, it's worth fixing after all:

--- vlock-1.3/input.c.orig      2006-04-21 14:47:27.000000000 +0200
+++ vlock-1.3/input.c   2006-04-21 14:47:31.000000000 +0200
@@ -189,7 +189,7 @@
     }
 
     /* correct_password() sets the terminal status as necessary */
-    if (correct_password()) {
+    if (correct_password() > 0) {
       restore_signals();
       restore_terminal();
       return;
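Review bot: The new condition `if (correct_password() > 0)` depends on a return convention that is not written down next to it: the comment directly above still only says that correct_password() sets the terminal status. Please extend that comment (or the one on correct_password() itself) to state that only a positive value means the password was verified and that -1 is the PAM_BAIL_PRE error path, so a later edit does not reintroduce a plain truthiness test. It would also be worth handling the negative case separately from an ordinary mismatch, since PAM_BAIL_PRE has already called pam_end(pamh, ...) by the time it returns -1.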

Cheers,
 -- Guido


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: powerpc (ppc)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages vlock depends on:
ii  libc6                         2.3.6-7    GNU C Library: Shared libraries
ii  libpam0g                      0.79-3.1   Pluggable Authentication Modules l

vlock recommends no packages.

-- no debconf information


--- End Message ---
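
Added example (not part of the bug report or of vlock's source): a small C model of the return-value problem described in the report above, comparing the pre-patch truthiness test with the patched `> 0` test. check_password(), the setup_status enum and the sample passwords are constructed for illustration; no libpam calls are made.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the outcome of the PAM setup calls; not libpam. */
enum setup_status { SETUP_OK, SETUP_FAILED };

/* Hypothetical model of correct_password(): 1 = password matches,
 * 0 = mismatch, -1 = setup error (the value PAM_BAIL_PRE returns). */
static int check_password(enum setup_status setup, const char *typed,
                          const char *expected)
{
    if (setup != SETUP_OK)
        return -1;
    return strcmp(typed, expected) == 0;
}

/* Pre-patch test, `if (correct_password())`: any non-zero value unlocks. */
static int gate_truthy(int rc) { return rc != 0; }

/* Patched test, `if (correct_password() > 0)`: only success unlocks. */
static int gate_positive(int rc) { return rc > 0; }

/* Bit 0 is set if the pre-patch gate unlocks, bit 1 if the patched one does. */
int compare_gates(enum setup_status setup, const char *typed,
                  const char *expected)
{
    int rc = check_password(setup, typed, expected);
    return gate_truthy(rc) | (gate_positive(rc) << 1);
}

int main(void)
{
    /* Constructed scenarios: right password, wrong password, setup error. */
    const struct { const char *name; enum setup_status s; const char *typed; } cases[] = {
        { "correct password", SETUP_OK,     "hunter2" },
        { "wrong password",   SETUP_OK,     "guess"   },
        { "setup error",      SETUP_FAILED, "guess"   },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int r = compare_gates(cases[i].s, cases[i].typed, "hunter2");
        printf("%-17s pre-patch: %-8s patched: %s\n", cases[i].name,
               (r & 1) ? "UNLOCKED" : "locked", (r & 2) ? "UNLOCKED" : "locked");
    }
    return 0;
}
```

Only the setup-error row differs between the two gates: the pre-patch test fails open on -1, the patched test fails closed.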
--- Begin Message ---
Source: vlock
Source-Version: 1.3-10

We believe that the bug you reported is fixed in the latest version of
vlock, which is due to be installed in the Debian FTP archive:

vlock_1.3-10.diff.gz
  to pool/main/v/vlock/vlock_1.3-10.diff.gz
vlock_1.3-10.dsc
  to pool/main/v/vlock/vlock_1.3-10.dsc
vlock_1.3-10_i386.deb
  to pool/main/v/vlock/vlock_1.3-10_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Wirt <[EMAIL PROTECTED]> (supplier of updated vlock package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 19 Jul 2006 20:26:23 +0200
Source: vlock
Binary: vlock
Architecture: source i386
Version: 1.3-10
Distribution: unstable
Urgency: low
Maintainer: Peter Palfrader <[EMAIL PROTECTED]>
Changed-By: Alexander Wirt <[EMAIL PROTECTED]>
Description: 
 vlock      - Virtual Console locking program
Closes: 55834 265297 318507 364081
Changes: 
 vlock (1.3-10) unstable; urgency=low
 .
   * Add a patch from Guido Guenther that adds better checking for the return
     code of correct_password() (Closes: #364081)
   * Add a patch from Daniel Kahn Gillmor that starts the PAM Session only after
     pressing enter. That prevents some problems with some exclusive-access PAM
     modules like opensc (Closes: #318507)
   * Include common-auth in the pam file (Closes: #265297)
   * Depend on libpam-modules (Closes: #55834)
   * Bump standards version
Files: 
 caa1a5d20a20c2587e1c80e97dc697e4 679 utils optional vlock_1.3-10.dsc
 4e9335e4ab2dbd87c9d7fcb01870c00a 7594 utils optional vlock_1.3-10.diff.gz
 3f9d17ae37e7dbea0a34b20818e9bd63 15012 utils optional vlock_1.3-10_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEvo2V01u8mbx9AgoRAvYtAJwL6dGgz9duMqRFQ2WOBPE9t6YNSgCgwX99
JnyFfu8UJ2T7M/AMK3viffY=
=Yz8p
-----END PGP SIGNATURE-----


--- End Message ---
