Your message dated Wed, 25 Jan 2017 06:36:16 +0000
with message-id <e1cwhbo-0005e1...@fasolo.debian.org>
and subject line Bug#852039: fixed in pam-p11 0.1.5-7
has caused the Debian Bug report #852039,
regarding pam_p11: crashes with tokens that require login
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
852039: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852039
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: pam-p11
version: 0.1.5-6
severity: grave
tags: security, patch
justification: unusable in most secure configurations; DOS, possibly
exploitable

Hi.
I found that pam_p11_openssh was causing my login process to segfault.
Tracing the code through the debugger, I found the following in libp11:
        if (relogin == 0) {
                /* Calling PKCS11_login invalidates all cached
                 * keys we have */
                if (slot->token) {
                        pkcs11_destroy_keys(slot->token, CKO_PRIVATE_KEY);
                        pkcs11_destroy_keys(slot->token, CKO_PUBLIC_KEY);
                        pkcs11_destroy_certs(slot->token);
                }


That is, all certificate objects are invalidated on token login.  That's
kind of expected: a pkcs11 token is likely to give you more objects when
you login than before you login.

Unfortunately, authcert is used in pam_sm_authenticate after the call to
PKCS11_login, so uninitialized memory is used.  I'm surprised; I
actually managed to get it to work once yesterday, but it sure doesn't
work reliably, or on any machine but that one.

Here's a quick and dirty patch to rescan after login.
From 1392f5c0f1822e7c306ae6d9bdd3ede6f90b37c2 Mon Sep 17 00:00:00 2001
From: Sam Hartman <hartm...@debian.org>
Date: Fri, 20 Jan 2017 17:24:05 -0500
Subject: [PATCH] Read certs again on token login

PKCS11_login destroys all certs and keys retrieved from the token.  So
after logging in it is necessary to enumerate the certificates again.
Without this, the library is very likely to crash.
---
 debian/patches/reread_certs_on_token_login | 40 ++++++++++++++++++++++++++++++
 debian/patches/series                      |  1 +
 2 files changed, 41 insertions(+)
 create mode 100644 debian/patches/reread_certs_on_token_login

diff --git a/debian/patches/reread_certs_on_token_login b/debian/patches/reread_certs_on_token_login
new file mode 100644
index 0000000..f6c5557
--- /dev/null
+++ b/debian/patches/reread_certs_on_token_login
@@ -0,0 +1,40 @@
+Index: pam-p11/src/pam_p11.c
+===================================================================
+--- pam-p11.orig/src/pam_p11.c
++++ pam-p11/src/pam_p11.c
+@@ -56,6 +56,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ 	const char *user;
+ 	char *password;
+ 	char password_prompt[64];
++	int loggedin = 0;
+ 
+ 	struct pam_conv *conv;
+ 	struct pam_message msg;
+@@ -119,7 +120,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ 	}
+ 
+ 	/* get all certs */
+-	rv = PKCS11_enumerate_certs(slot->token, &certs, &ncerts);
++ cert_scan: rv = PKCS11_enumerate_certs(slot->token, &certs, &ncerts);
+ 	if (rv) {
+ 		pam_syslog(pamh, LOG_ERR, "PKCS11_enumerate_certs failed");
+ 		rv = PAM_AUTHINFO_UNAVAIL;
+@@ -156,7 +157,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ 		goto out;
+ 	}
+ 
+-	if (!slot->token->loginRequired)
++	if (!slot->token->loginRequired ||loggedin)
+ 		goto loggedin;
+ 
+ 	/* get password */
+@@ -209,6 +210,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ 		goto out;
+ 	}
+ 
++	loggedin = 1;
++	goto cert_scan;
++	
+       loggedin:
+ 	/* get random bytes */
+ 	fd = open(RANDOM_SOURCE, O_RDONLY);
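Review bot: At `goto cert_scan` in the last hunk of the embedded patch, the backward jump makes everything between the `cert_scan:` label and the `loggedin` test run a second time on a token with `loginRequired`, and most of that region lies outside the context shown here. Please confirm that the certificate-selection code in between is safe to run twice and reassigns every pointer derived from `certs`, or move the enumerate-and-select step into a helper that is called once before and once after `PKCS11_login`. The new flag `int loggedin` shares its name with the existing `loggedin:` label; that is legal C, but `goto loggedin` directly under `||loggedin` is hard to read, so a different name for the flag would help. Smaller points: the label and the call share one line in `cert_scan: rv = PKCS11_enumerate_certs(...)`, `||loggedin` is missing a space, the line after `goto cert_scan;` carries only a tab, and the quilt patch starts at `Index:` with no description header saying why the rescan is needed.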
diff --git a/debian/patches/series b/debian/patches/series
index 2d7f923..04d6505 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Use-INSTALL-instead-of-libLTLIBRARIES_INSTALL.patch
+reread_certs_on_token_login
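Review bot: The new `series` entry `reread_certs_on_token_login` has neither a numeric prefix nor a `.patch` suffix, unlike the existing `0001-Use-INSTALL-instead-of-libLTLIBRARIES_INSTALL.patch` above it. Naming the file in the same scheme keeps the application order visible from the directory listing and lets tools that match on `*.patch` pick it up.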
-- 
2.11.0



--- End Message ---
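The failure described in the report above, a pointer into the token's cached
object list kept across a login that frees that list, reduced to a mock token
together with the safe pattern of enumerating again after login. This is an
added example, not code from libp11, pam_p11 or the bug report; mock_token,
mock_enumerate, mock_login and select_after_login are hypothetical names.

```c
/* Added illustration with a mock token; every name is hypothetical, not libp11 API. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char label[16]; } mock_cert;
typedef struct {
    mock_cert *certs;      /* cache owned by the token, handed out to callers */
    unsigned ncerts;
    unsigned generation;   /* bumped every time the cache is destroyed */
    int logged_in;
} mock_token;

/* Return the cached list, filling it first if empty; login exposes one more object. */
static int mock_enumerate(mock_token *t, mock_cert **out, unsigned *n) {
    if (!t->certs) {
        t->ncerts = t->logged_in ? 2 : 1;
        if (!(t->certs = calloc(t->ncerts, sizeof *t->certs))) return -1;
        strcpy(t->certs[0].label, "auth");
        if (t->logged_in) strcpy(t->certs[1].label, "private-only");
    }
    *out = t->certs; *n = t->ncerts;
    return 0;
}
/* Mirrors the behaviour quoted in the report: login frees every cached object. */
static void mock_login(mock_token *t) {
    free(t->certs);
    t->certs = NULL; t->ncerts = 0;
    t->generation++; t->logged_in = 1;
}
/* Safe pattern: enumerate again after login and find the cert by a stable key,
 * instead of reusing a pointer obtained before the login. */
static int select_after_login(mock_token *t, const char *want, char *found, size_t len) {
    mock_cert *certs; unsigned n, i, gen;
    if (mock_enumerate(t, &certs, &n)) return -1;
    gen = t->generation;
    mock_login(t);                       /* 'certs' is dangling from here on */
    if (t->generation != gen && mock_enumerate(t, &certs, &n)) return -1;
    for (i = 0; i < n; i++)
        if (strcmp(certs[i].label, want) == 0) {
            snprintf(found, len, "%s", certs[i].label);
            return (int)n;               /* number of certs visible after login */
        }
    return -1;
}
int main(void) {
    mock_token t = {0}; char buf[16] = "";
    printf("%d %s\n", select_after_login(&t, "auth", buf, sizeof buf), buf);
    free(t.certs);
    return 0;
}
```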
--- Begin Message ---
Source: pam-p11
Source-Version: 0.1.5-7

We believe that the bug you reported is fixed in the latest version of
pam-p11, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 852...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eric Dorland <e...@debian.org> (supplier of updated pam-p11 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Wed, 25 Jan 2017 01:08:12 -0500
Source: pam-p11
Binary: libpam-p11
Architecture: source amd64
Version: 0.1.5-7
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSC Maintainers <pkg-opensc-ma...@lists.alioth.debian.org>
Changed-By: Eric Dorland <e...@debian.org>
Description:
 libpam-p11 - PAM module for using PKCS#11 smart cards
Closes: 852039
Changes:
 pam-p11 (0.1.5-7) unstable; urgency=medium
 .
   * debian/patches/0002-Read-certs-again-on-token-login.patch: Read certs
     again on token login. Thanks Sam Hartman. (Closes: #852039)

--- End Message ---
