Re: [Dovecot] 1.1r1: auth-worker(default): BUG: PASSV had missing parameters, sig11

2008-03-09 Thread Timo Sirainen
On Sun, 2008-03-09 at 03:50 -0400, Adam McDougall wrote:

> Mar  8 17:02:17 boomhauer dovecot: auth-worker(default): BUG: PASSV had missing parameters

Thanks, I kept trying to figure out what caused this and then started
wondering about password escaping and found the security hole. I still
hadn't figured out what caused this though, until I realized that
passwords can have linefeeds as well which can cause this.

> Mar  8 17:05:17 boomhauer dovecot: child 72819 (login) killed with signal 11

This still shouldn't happen though. I didn't try to reproduce this yet.

It's anyway quite difficult to get core dumps out of login processes.
I'm not sure if FreeBSD lets you do that in some special way, but there
are at least two things in the way:

1. Kernel thinks it's a setuid program, and setuid programs don't core
dump.

2. It's chrooted to a non-writable directory.



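The failure mode described in the message above (a password containing a linefeed breaking a line-based request into pieces), as an added example that is not Dovecot's code and not the fix linked later in the thread. The wire format `<id>\tPASSV\t<user>\t<password>\n`, the 0x01-based escaping and all function names are assumptions made for illustration; the sender is shown with escaping off and on, and the receiver counts how many request lines arrive malformed.

```c
#include <stdio.h>
#include <string.h>

/* Escape TAB, LF, CR and the escape byte 0x01 so that field data can never
 * end a field or a line. out must hold 2 * strlen(in) + 1 bytes. */
static void field_escape(const char *in, char *out)
{
    for (; *in != '\0'; in++) {
        char code = *in == '\001' ? '1' : *in == '\t' ? 't' :
                    *in == '\n' ? 'n' : *in == '\r' ? 'r' : 0;
        if (code != 0)
            *out++ = '\001';
        *out++ = code != 0 ? code : *in;
    }
    *out = '\0';
}

/* Sender (assumed wire format). escape=0: raw fields, escape=1: escaped. */
int build_passv(char *buf, size_t len, unsigned id, const char *user,
                const char *pass, int escape)
{
    char eu[257], ep[257];
    if (strlen(user) > 128 || strlen(pass) > 128)
        return -1;
    if (escape) {
        field_escape(user, eu);
        field_escape(pass, ep);
        user = eu;
        pass = ep;
    }
    int n = snprintf(buf, len, "%u\tPASSV\t%s\t%s\n", id, user, pass);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Receiver: split on LF, then on TAB. Returns the number of request lines;
 * *malformed counts lines that do not have exactly 4 fields. */
int worker_parse(const char *stream, int *malformed)
{
    int lines;
    *malformed = 0;
    for (lines = 0; *stream != '\0'; lines++) {
        size_t i, ll = strcspn(stream, "\n");
        int fields = 1;
        for (i = 0; i < ll; i++)
            fields += stream[i] == '\t';
        *malformed += fields != 4;
        stream += ll + (stream[ll] == '\n');
    }
    return lines;
}
```

With a constructed password such as `"pw\nx"`, the unescaped request reaches the receiver as two lines, the second of which has too few fields; the escaped request arrives as one well-formed line.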


Re: [Dovecot] 1.1r1: auth-worker(default): BUG: PASSV had missing parameters, sig11

2008-03-09 Thread Adam McDougall

Timo Sirainen wrote:
> On Sun, 2008-03-09 at 03:50 -0400, Adam McDougall wrote:
> > Mar  8 17:02:17 boomhauer dovecot: auth-worker(default): BUG: PASSV had missing parameters
>
> Thanks, I kept trying to figure out what caused this and then started
> wondering about password escaping and found the security hole. I still
> hadn't figured out what caused this though, until I realized that
> passwords can have linefeeds as well which can cause this.
>
> > Mar  8 17:05:17 boomhauer dovecot: child 72819 (login) killed with signal 11
>
> This still shouldn't happen though. I didn't try to reproduce this yet.
>
> It's anyway quite difficult to get core dumps out of login processes.
> I'm not sure if FreeBSD lets you do that in some special way, but there
> are at least two things in the way:
>
> 1. Kernel thinks it's a setuid program, and setuid programs don't core
> dump.
>
> 2. It's chrooted to a non-writable directory.

1. I could enable this:
# sysctl -d kern.sugid_coredump
kern.sugid_coredump: Enable coredumping set user/group ID processes


2. And add an absolute path in front of this that is world writable:
# sysctl kern.corefile
kern.corefile: %N.%P.boomhauer.core


Can you think of a way that I could force the issue to be reproduced
so I can get away with making these changes on fewer servers?


Re: [Dovecot] 1.1r1: auth-worker(default): BUG: PASSV had missing parameters, sig11

2008-03-09 Thread Timo Sirainen
On Sun, 2008-03-09 at 11:48 -0400, Adam McDougall wrote:
> > Mar  8 17:05:17 boomhauer dovecot: child 72819 (login) killed with signal 11
>
> 1. I could enable this:
> # sysctl -d kern.sugid_coredump
> kern.sugid_coredump: Enable coredumping set user/group ID processes
>
> 2. And add an absolute path in front of this that is world writable:
> # sysctl kern.corefile
> kern.corefile: %N.%P.boomhauer.core

Interesting. I added these to: http://dovecot.org/bugreport.html

> Can you think of a way that I could force the issue to be reproduced
> so I can get away with making these changes on fewer servers?

I think this fixes it:
http://hg.dovecot.org/dovecot-1.1/rev/de4881149c0e





Re: [Dovecot] 1.1r1: auth-worker(default): BUG: PASSV had missing parameters, sig11

2008-03-09 Thread Adam McDougall

Timo Sirainen wrote:
> On Sun, 2008-03-09 at 11:48 -0400, Adam McDougall wrote:
> > > Mar  8 17:05:17 boomhauer dovecot: child 72819 (login) killed with signal 11
> >
> > 1. I could enable this:
> > # sysctl -d kern.sugid_coredump
> > kern.sugid_coredump: Enable coredumping set user/group ID processes
> >
> > 2. And add an absolute path in front of this that is world writable:
> > # sysctl kern.corefile
> > kern.corefile: %N.%P.boomhauer.core
>
> Interesting. I added these to: http://dovecot.org/bugreport.html
>
> > Can you think of a way that I could force the issue to be reproduced
> > so I can get away with making these changes on fewer servers?
>
> I think this fixes it:
> http://hg.dovecot.org/dovecot-1.1/rev/de4881149c0e

Applied to my installation. Do you think the condition was introduced
around rc1, or older?


Re: [Dovecot] 1.1r1: auth-worker(default): BUG: PASSV had missing parameters, sig11

2008-03-09 Thread Timo Sirainen
On Sun, 2008-03-09 at 23:39 -0400, Adam McDougall wrote:
> Timo Sirainen wrote:
> > On Sun, 2008-03-09 at 11:48 -0400, Adam McDougall wrote:
> > > Mar  8 17:05:17 boomhauer dovecot: child 72819 (login) killed with signal 11
> >
> > I think this fixes it:
> > http://hg.dovecot.org/dovecot-1.1/rev/de4881149c0e
>
> Applied to my installation. Do you think the condition was introduced
> around rc1, or older?

The potential for PASSV had missing parameters has been there for a
long time. The login process crash was added in beta14 I think.





[Dovecot] 1.1r1: auth-worker(default): BUG: PASSV had missing parameters, sig11

2008-03-08 Thread Adam McDougall
I don't know how this happened.  I'm not sure if there is a coredump
somewhere because I don't know what user, and I have nothing for 'root'
or 'dovecot'.  Any advice, or should I make all my coredumps go to a
central writable directory so I have better chance of catching it if it
happens again?  Is it maybe from someone connecting to postfix and
causing a SMTP-AUTH to timeout?  Although that is unlikely because users
should not know how to reach this server's SMTP ports. I cut most of the
surrounding log entries below because they seemed unrelated normal
activity, but two of the lines below I left because of the timestamp.


socket:
  type: listen
  client:
    path: /var/spool/postfix/private/auth
    mode: 384
    user: postfix
    group: postfix


Mar  8 17:02:17 boomhauer dovecot: auth-worker(default): BUG: PASSV had missing parameters
Mar  8 17:03:47 boomhauer dovecot: auth-worker(default): BUG: PASSV had missing parameters
Mar  8 17:05:17 boomhauer dovecot: imap-login: Disconnected: Inactivity: method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar  8 17:05:17 boomhauer dovecot: child 72819 (login) killed with signal 11
Mar  8 17:06:47 boomhauer dovecot: imap-login: Disconnected: Inactivity: method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar  8 17:06:47 boomhauer dovecot: child 72857 (login) killed with signal 11