Package: libpam-mount Version: 0.44-1+lenny2 Severity: grave libpam-mount in lenny segfaults on trying to expand home directories in user="" attributes.
I don't have the backtrace at hand (it's kind of hard to write mail
when your $HOME cannot be mounted ;), but the problem is as follows:
expandconfig() tries to call expand_home() on the mountpoint member of
vpt. This field gets a low (text?) memory address, and dereferencing
*path segfaults.
Even if that worked, the later call free(path) would try to free an
array, not a pointer.
The broken code was introduced in -1+lenny2 in
08_expand_home_fix.dpatch with the fix for #502146.
rdconf1.c:
86 bool expandconfig(const struct config *config)
87 {
88 const char *u = config->user;
89 struct vol *vpt;
90
91 HXlist_for_each_entry(vpt, &config->volume_list, list) {
92 if (!expand_home(u, &vpt->mountpoint) ||
278 static bool expand_home(const char *user, char **path_pptr)
279 {
280 char *buf, *path = *path_pptr;
281 struct passwd *pe;
282 size_t size;
283
284 if (path == NULL)
285 return true;
286 if (*path != '~') <-- segfault
287 return true;
298 free(path); <-- tries to free an array
299 *path_pptr = buf;
300 return true;
301 }
private.h:
51 struct vol {
68 char mountpoint[PATH_MAX + 1]; <-- not a pointer
72 };
Christoph
--
[EMAIL PROTECTED] | http://www.df7cb.de/
signature.asc
Description: Digital signature
