Package: libpam-ssh
Version: 1.91.0-5
Severity: critical

A long time ago (circa 1998 or so) I looked at the pam-ssh project and noticed several problems with it. And since it's now in Debian, the same problems apply to Debian too.
Here's one. In the pam_sm_authenticate() routine, pam_ssh saves struct passwd as a pam variable, this way (error checking removed for simplicity):

    pwent = getpwnam(user);
    ...
    /* copy the passwd entry (in case successive calls are made)
       and save it for the session phase */
    pwent_keep = malloc(sizeof *pwent);
    memcpy(pwent_keep, pwent, sizeof *pwent_keep);
    pam_set_data(pamh, "ssh_passwd_entry", pwent_keep, ssh_cleanup);

and later, in pam_sm_open_session(), it reuses the entry to create ~/.ssh/... files and to set user IDs:

    pam_get_data(pamh, "ssh_passwd_entry", (const void **)(void *)&pwent);
    openpam_borrow_cred(pamh, pwent);
    asprintf(&per_agent, "%s/.ssh/agent-%s", pwent->pw_dir, hname);
    env_write = open(per_agent, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR);
    ...

struct passwd contains pointers to strings (pw_dir, pw_name etc). So, any call to getpwent() and other getpw*() routines in between pam_sm_authenticate() and pam_sm_open_session() of this module poses a high risk of the strings being overwritten (or even the whole internal pwent buffer re-allocated), so the module will create files in a wrong place using a wrong userid. Luckily, most (depending on the other modules in the PAM stack) getpw* calls will be the same as this module does, and hence the problem will not occur.

I pointed this problem out to the author at the time I looked at the module, but instead of an ACK he replied with something like "If you don't like my program write your own". Later on, he changed the logic a bit -- previously he was saving the pwent pointer, now he saves the whole structure (as pwent_keep), but the same problem is still here.

There were other issues with this package at that time, but by now I forgot which ones.
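As an added illustration (not code from this bug report or from pam_ssh), the following C program reproduces the aliasing problem described above with a constructed stand-in for libc's static getpw*() buffer, and shows a deep copy that survives a later overwrite of that buffer; passwd_deep_copy, passwd_free and demo_clobber are hypothetical names chosen here.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdlib.h>
#include <string.h>

/* strdup one string field, keeping NULL as NULL; -1 on allocation failure. */
static int dup_field(char **dst, const char *src)
{
    if (src == NULL) { *dst = NULL; return 0; }
    return (*dst = strdup(src)) ? 0 : -1;
}

void passwd_free(struct passwd *p)
{
    if (p == NULL) return;
    free(p->pw_name); free(p->pw_passwd); free(p->pw_gecos);
    free(p->pw_dir); free(p->pw_shell); free(p);
}

/* Deep copy: the result owns its strings, so it no longer aliases the static buffer getpw*() reuses. */
struct passwd *passwd_deep_copy(const struct passwd *src)
{
    struct passwd *dst = calloc(1, sizeof *dst);
    if (dst == NULL) return NULL;
    dst->pw_uid = src->pw_uid; dst->pw_gid = src->pw_gid;
    if (dup_field(&dst->pw_name, src->pw_name) || dup_field(&dst->pw_passwd, src->pw_passwd) ||
        dup_field(&dst->pw_gecos, src->pw_gecos) || dup_field(&dst->pw_dir, src->pw_dir) ||
        dup_field(&dst->pw_shell, src->pw_shell)) {
        passwd_free(dst);
        return NULL;
    }
    return dst;
}

/* Returns 1 when the memcpy'd copy reports the overwritten home while the deep copy keeps the original; -1 on OOM. */
int demo_clobber(void)
{
    char libc_buf[32] = "/home/alice";      /* constructed stand-in for libc's static buffer */
    struct passwd ent = { .pw_name = "alice", .pw_uid = 1000, .pw_gid = 1000,
                          .pw_dir = libc_buf, .pw_shell = "/bin/sh" };
    struct passwd shallow;
    memcpy(&shallow, &ent, sizeof shallow); /* what pam_ssh does for pwent_keep */
    struct passwd *deep = passwd_deep_copy(&ent);
    if (deep == NULL) return -1;
    strcpy(libc_buf, "/home/bob");          /* a later getpw*() call refilling the buffer */
    int clobbered = strcmp(shallow.pw_dir, "/home/alice") != 0;
    int intact = strcmp(deep->pw_dir, "/home/alice") == 0;
    passwd_free(deep);
    return clobbered && intact;
}
```

In a real module the same effect is obtained by calling getpwnam_r() into a buffer the module owns and keeping that buffer alive together with the struct until the session phase.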
-- System Information
Debian Release: 3.0
Kernel Version: Linux paltus.tls.msk.ru 2.6.11-k7-0 #1 Wed Mar 2 20:04:17 MSK 2005 i686 GNU/Linux

Versions of the packages libpam-ssh depends on:
+++-==============-==============-============================================
ii  libc6          2.3.2.ds1-16   GNU C Library: Shared libraries and Timezone
ii  libpam0g       0.76-22        Pluggable Authentication Modules library
ii  libssl0.9.7    0.9.7e-3       SSL shared libraries