Source: pam-shield
Version: 0.9.6-1.1
Severity: important

This package provides a configuration file called shield.conf. Within this file, lines may be added of this form:

    allow 127.0.0.1/255.0.0.0

or of this form:

    allow hostname.and.domain.name

Such a line causes pam-shield to ignore failed login attempts from the named host or network, whereas it would usually track such failed login attempts and eventually blackhole traffic originating from that host or network.

However, the first form does not work correctly, in that attempts from a matching host or network ARE tracked and eventually blocked despite the "allow" line. This can be seen with the attached configuration file by repeatedly attempting to SSH into the local machine. The /var/log/auth.log file reports the following information during each connection attempt:

    PAM-shield[<pid>]: allowing from 127.0.0.1/255.0.0.0

But eventually, further attempts are locked out. With the provided configuration file, this happens after five attempts. Inspection of the source code shows that the following line should also be appearing in /var/log/auth.log:

    PAM-shield[<pid>]: whitelist match: 127.0.0.1 127.0.0.1 255.0.0.0

I took a very close look at the match_ipv4_list() function in pam_shield_lib.c, and noticed something strange. After building the package, the for loop on line 121 totally disappeared! By "disappeared," I mean that there was no assembler code emitted to implement the for loop, and instead the compiler just assumed that it would fail to match one IP address to another.

After playing around with compiler options, I discovered that this was happening due to overzealous optimization by gcc. The offending optimization flag was -ftree-vrp, which is turned on by default when using the -O2 optimization level. Quite frankly, I have no clue why this option causes the for loop to be optimized away -- if I did, I would propose a code change for pam-shield or file a bug against gcc as appropriate. But since I'm stumped on that front, the best suggestion I have is to change the build sequence for pam-shield to include a new CFLAGS entry: -fno-tree-vrp.
I verified that including this flag results in a working build.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
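As an added illustration of the "allow <ip>/<netmask>" matching the report describes, here is a self-contained matcher with a test for the 127.0.0.1/255.0.0.0 case; this is example code, not pam-shield's own match_ipv4_list(), and the parse_allow_entry, match_allow_list and whitelist_index names and the two-entry sample list are constructed for it.

```c
/* Added example (not pam-shield's own code): a minimal matcher for
 * "allow <ip>/<netmask>" lines, with the list walked by a bounded loop. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ipv4_net {
    uint32_t addr;   /* network address, network byte order */
    uint32_t mask;   /* dotted-quad netmask, network byte order */
};

/* Parse "a.b.c.d/m.m.m.m" into out; returns 1 on success, 0 on any failure. */
int parse_allow_entry(const char *entry, struct ipv4_net *out) {
    char buf[64];
    struct in_addr a, m;
    if (strlen(entry) >= sizeof buf) return 0;
    strcpy(buf, entry);
    char *slash = strchr(buf, '/');
    if (!slash) return 0;
    *slash = '\0';                       /* split into address and mask */
    if (inet_pton(AF_INET, buf, &a) != 1) return 0;
    if (inet_pton(AF_INET, slash + 1, &m) != 1) return 0;
    out->addr = a.s_addr; out->mask = m.s_addr;
    return 1;
}

/* Return the index of the first list entry whose network contains
 * client_str, or -1 when nothing matches or the client is unparsable. */
int match_allow_list(const char *client_str, const struct ipv4_net *list, size_t n) {
    struct in_addr c;
    if (inet_pton(AF_INET, client_str, &c) != 1) return -1;
    for (size_t i = 0; i < n; i++)       /* index stays strictly below n */
        if ((c.s_addr & list[i].mask) == (list[i].addr & list[i].mask))
            return (int)i;
    return -1;
}

/* Constructed two-entry whitelist mirroring the report's 127.0.0.1/255.0.0.0 line. */
int whitelist_index(const char *client_str) {
    struct ipv4_net list[2];
    if (!parse_allow_entry("10.0.0.0/255.255.255.0", &list[0]) ||
        !parse_allow_entry("127.0.0.1/255.0.0.0", &list[1]))
        return -2;                       /* parse failure; not expected here */
    return match_allow_list(client_str, list, 2);
}

int main(void) {
    printf("127.0.0.1 -> entry %d\n", whitelist_index("127.0.0.1"));  /* 1 */
    printf("10.1.2.3  -> entry %d\n", whitelist_index("10.1.2.3"));   /* -1 */
    return 0;
}
```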