clone 495806 -1
reassign -1 screen
retitle -1 pam_authenticate segfault results in authentication success
thanks

On 20-Aug-2008, Nico Golde wrote:
> It looks like a pam problem. I couldn't reproduce this with pam 
> 0.99.7.1-7 but can with 1.0.1-2.
> From screen (attacher.c):
> 
>     #ifdef USE_PAM
>           PAM_conversation.appdata_ptr = cp1;
>           pam_error = pam_start("screen", ppp->pw_name, &PAM_conversation, &pamh);
>           if (pam_error != PAM_SUCCESS)
>             AttacherFinit(SIGARG);          /* goodbye */
>           pam_error = pam_authenticate(pamh, 0);
>           pam_end(pamh, pam_error);
>           PAM_conversation.appdata_ptr = 0;
>           if (pam_error == PAM_SUCCESS)
>             break;
>     #else
> 
> This is done in a loop to check the password.
> A similar piece of code exists in 
> /usr/share/doc/libpam0g-dev/examples/check_user.c.
> 
> [EMAIL PROTECTED]:/tmp$] cp /usr/share/doc/libpam0g-dev/examples/check_user.c .
> [EMAIL PROTECTED]:/tmp$] gcc -lpam -lpam_misc check_user.c -o check_user
> [EMAIL PROTECTED]:/tmp$] ./check_user nion; date; tail -1 /var/log/kern.log
> Authenticated
> Mi 20. Aug 20:01:40 CEST 2008
> Aug 20 20:01:40 coredump kernel: [1073387.605090] check_user[20665]: segfault at 0 ip 7f9a2ebf40f9 sp 7fff37983980 error 4 in pam_unix.so[7f9a2ebea000+c000]
> 
> The segfault happens on the pam_authenticate call as far as I can see.
> 
> Reassigning to pam...

The segfault in pam_authenticate needs to be addressed in the pam 
package.

However, screen's behaviour in this instance is also buggy and 
insecure: i.e., that screen treats "segfault in pam_authenticate" as 
"successful authentication".

Cloning and retitling for this screen bug.

-- 
 \        “I used to work in a fire hydrant factory. You couldn't park |
  `\                          anywhere near the place.” —Steven Wright |
_o__)                                                                  |
Ben Finney <[EMAIL PROTECTED]>
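
An added example (not code from screen, PAM, or this report) of a fail-closed pattern for the problem named in the retitled bug: it assumes the credential check is isolated in a child process and accepts only a normal exit with status 0, so a check that dies from SIGSEGV counts as a failure. The `check_*` functions and the user name "alice" are constructed stand-ins; no PAM calls are made.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* A credential check: returns 0 on success, non-zero on denial. */
typedef int (*auth_check_fn)(const char *user);

/* Constructed stand-ins for a real check; none of them calls PAM. */
static int check_ok(const char *user)   { (void)user; return 0; }
static int check_deny(const char *user) { (void)user; return 1; }
static int check_crash(const char *user)
{
    (void)user;
    signal(SIGSEGV, SIG_DFL);
    raise(SIGSEGV);            /* simulate a segfault inside the check */
    return 0;                  /* not reached */
}

/* Run the check in a child. Return 1 only for a normal exit with
 * status 0; fork/wait errors, signals and non-zero exits return 0. */
int authenticate_fail_closed(auth_check_fn check, const char *user)
{
    int status = 0;
    pid_t r, pid = fork();

    if (pid < 0)
        return 0;                          /* could not start the check: deny */
    if (pid == 0)
        _exit(check(user) == 0 ? 0 : 1);   /* child reports via exit status */

    do {
        r = waitpid(pid, &status, 0);
    } while (r < 0 && errno == EINTR);

    if (r != pid || !WIFEXITED(status))    /* wait failed or child was killed */
        return 0;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("ok:    %d\n", authenticate_fail_closed(check_ok, "alice"));
    printf("deny:  %d\n", authenticate_fail_closed(check_deny, "alice"));
    printf("crash: %d\n", authenticate_fail_closed(check_crash, "alice"));
    return 0;
}
```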
