clone 495806 -1
reassign -1 screen
retitle -1 pam_authenticate segfault results in authentication success
thanks

On 20-Aug-2008, Nico Golde wrote:
> It looks like a pam problem. I couldn't reproduce this with pam
> 0.99.7.1-7 but can with 1.0.1-2.
> From screen (attacher.c):
>
> #ifdef USE_PAM
>           PAM_conversation.appdata_ptr = cp1;
>           pam_error = pam_start("screen", ppp->pw_name, &PAM_conversation, &pamh);
>           if (pam_error != PAM_SUCCESS)
>             AttacherFinit(SIGARG);  /* goodbye */
>           pam_error = pam_authenticate(pamh, 0);
>           pam_end(pamh, pam_error);
>           PAM_conversation.appdata_ptr = 0;
>           if (pam_error == PAM_SUCCESS)
>             break;
> #else
>
> This is done in a loop to check the password.
> A similar piece of code exists in
> /usr/share/doc/libpam0g-dev/examples/check_user.c.
>
> [EMAIL PROTECTED]:/tmp$] cp /usr/share/doc/libpam0g-dev/examples/check_user.c .
> [EMAIL PROTECTED]:/tmp$] gcc -lpam -lpam_misc check_user.c -o check_user
> [EMAIL PROTECTED]:/tmp$] ./check_user nion; date; tail -1 /var/log/kern.log
> Authenticated
> Mi 20. Aug 20:01:40 CEST 2008
> Aug 20 20:01:40 coredump kernel: [1073387.605090] check_user[20665]: segfault at 0 ip 7f9a2ebf40f9 sp 7fff37983980 error 4 in pam_unix.so[7f9a2ebea000+c000]
>
> The segfault happens on the pam_authenticate call as far as I can see.
>
> Reassigning to pam...

The segfault in pam_authenticate needs to be addressed in the pam
package.

However, screen's behaviour in this instance is also buggy and
insecure: i.e., that screen treats "segfault in pam_authenticate" as
"successful authentication".

Cloning and retitling for this screen bug.

-- 
 \     “I used to work in a fire hydrant factory. You couldn't park |
  `\             anywhere near the place.” —Steven Wright |
_o__)                                                               |
Ben Finney <[EMAIL PROTECTED]>
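
Added example, not part of the original message and not screen's or pam's code: one way a crash in an authentication step can be read as success is a caller that reads a child's exit code without first checking that the child exited normally. The message does not say this is the mechanism in this bug; `checker_child` and its `mode` values are hypothetical stand-ins, and the crash is constructed.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for a password check run in a child process.
 * mode 0: accept (exit 0), mode 1: reject (exit 1), mode 2: crash. */
static void checker_child(int mode)
{
    if (mode == 2) {
        signal(SIGSEGV, SIG_DFL);
        raise(SIGSEGV);              /* constructed crash */
    }
    _exit(mode == 0 ? 0 : 1);
}

/* Fork the checker and return the raw wait status, or -1 on error. */
static int run_checker(int mode)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) checker_child(mode);
    if (waitpid(pid, &status, 0) != pid) return -1;
    return status;
}

/* Fail-open: WEXITSTATUS is only meaningful when WIFEXITED is true.
 * After a signal death the exit-code bits are 0, so a crashed checker
 * looks exactly like "exit 0". */
int auth_ok_naive(int mode)
{
    int status = run_checker(mode);
    return status != -1 && WEXITSTATUS(status) == 0;
}

/* Fail-closed: only a normal exit with code 0 counts as success. */
int auth_ok_strict(int mode)
{
    int status = run_checker(mode);
    return status != -1 && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("crash: naive=%d strict=%d\n", auth_ok_naive(2), auth_ok_strict(2));
    return 0;
}
```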