reassign 541449 libpam-ssh
found    541449 1.92-7
severity 541449 important
thanks

[ Sorry for the broken formatting in the last mail, seems I did
  something wrong while playing with Gnus' support for format=flowed ]

Package: libpam-ssh
Version: 1.92-7
Severity: important

Hi,

pam_ssh.so segfaults in pam_sm_open_session if there is no controlling
terminal.  You can reproduce this with at:

Make sure there is

  auth optional pam_ssh.so use_first_pass
  session optional pam_ssh.so

in the relevant files in /etc/pam.d, then attach gdb to atd and schedule
a job for immediate execution:

  # gdb /usr/sbin/atd <pid>
  (gdb) set follow-fork-mode child

  $ echo echo foo | at now

  The child created by at will now segfault:
  [New Thread 0x7fb011fde6f0 (LWP 26525)]

  Program received signal SIGSEGV, Segmentation fault.
  [Switching to Thread 0x7fb011fde6f0 (LWP 26525)]
  0x00007fb0118f5210 in strlen () from /lib/libc.so.6

  (gdb) bt
  #0  0x00007fb0118f5210 in strlen () from /lib/libc.so.6
  #1  0x00007fb0118f4f46 in strdup () from /lib/libc.so.6
  #2  0x00007fb00fda6760 in pam_sm_open_session (pamh=0x1b78330, flags=32768, argc=0, argv=0x0)
      at pam_ssh.c:933
  #3  0x00007fb011bcfc2a in ?? () from /lib/libpam.so.0
  #4  0x000000000040218f in run_file (filename=0x1b76f0b "a00024013df45f", uid=<value optimized out>, gid=1)
      at atd.c:387
  #5  0x0000000000402aa9 in run_loop () at atd.c:648
  #6  0x0000000000402e07 in main (argc=1, argv=0x7fff4308ca78) at atd.c:797

The relevant lines from pam_ssh.c are:

   925          if ((retval = pam_get_item(pamh, PAM_TTY,
   926              (const void **)(void *)&tty_raw)) != PAM_SUCCESS) {
   927                  openpam_restore_cred(pamh);
   928                  return retval;
   929          }
   930
   931          /* set tty_nodir to the tty with / replaced by _ */
   932
   933          if (!(tty_nodir = strdup(tty_raw))) {

But the call to pam_get_item may store NULL in tty_raw.  At least a
quick glance at pam_securetty.so from the pam package shows an explicit
check for this[1]:

    retval = pam_get_item(pamh, PAM_TTY, &void_uttyname);
    uttyname = void_uttyname;
    if (retval != PAM_SUCCESS || uttyname == NULL) {
        pam_syslog (pamh, LOG_WARNING, "cannot determine user's tty");
        return PAM_SERVICE_ERR;
    }

Maybe pam_ssh can use "pid12345" instead of the tty name in case there
is no controlling terminal.

Regards,
Ansgar

[1] see modules/pam_securetty/pam_securetty.c in pam-1.0.1
    
-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-ssh depends on:
ii  libc6                         2.9-23     GNU C Library: Shared libraries
ii  libpam0g                      1.0.1-10   Pluggable Authentication Modules l
ii  libssl0.9.8                   0.9.8k-3   SSL shared libraries

Versions of packages libpam-ssh recommends:
ii  openssh-client [ssh-client]   1:5.1p1-6  secure shell client, an rlogin/rsh

libpam-ssh suggests no packages.

-- no debconf information
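
Added example, not part of the original report and not pam_ssh's own code: a stand-alone C sketch of the guard the report asks for, treating a NULL PAM_TTY value as "no controlling terminal" and falling back to the "pid12345" style name suggested above. The helper name session_tty_name and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical helper (not from pam_ssh): build the name that pam_ssh.c
 * derives from PAM_TTY. tty_raw is the pointer pam_get_item() stored, which
 * may be NULL even though the call itself returned PAM_SUCCESS.
 * Returns a malloc'd string the caller frees, or NULL if allocation fails.
 */
char *session_tty_name(const char *tty_raw, pid_t pid)
{
    char *name;

    if (tty_raw == NULL) {
        /* No controlling terminal (e.g. a job started by atd): "pid<N>". */
        int len = snprintf(NULL, 0, "pid%ld", (long)pid);
        if (len < 0 || (name = malloc((size_t)len + 1)) == NULL)
            return NULL;
        snprintf(name, (size_t)len + 1, "pid%ld", (long)pid);
        return name;
    }

    /* Copy only after the NULL check; copying NULL is what crashed. */
    size_t n = strlen(tty_raw) + 1;
    if ((name = malloc(n)) == NULL)
        return NULL;
    memcpy(name, tty_raw, n);

    /* set the name to the tty with / replaced by _ */
    for (char *p = name; *p != '\0'; p++)
        if (*p == '/')
            *p = '_';
    return name;
}

int main(void)
{
    /* Constructed inputs: an ordinary tty, and the NULL seen under atd. */
    const char *samples[] = { "/dev/pts/3", NULL };
    for (size_t i = 0; i < 2; i++) {
        char *name = session_tty_name(samples[i], getpid());
        if (name == NULL)
            return 1;
        printf("%s -> %s\n", samples[i] ? samples[i] : "(null)", name);
        free(name);
    }
    return 0;
}
```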
