Your message dated Sun, 03 Sep 2006 20:02:21 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#385774: fixed in libpam-krb5 2.3-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package:                libpam-krb5
Version:                2.2-1
Severity:               serious

Hello *,

The pam_krb5.so module provides a callback function that queries users for their passwords or displays informational messages. This callback is registered to various Kerberos functions. All of these Kerberos functions usually call the callback with ONE message string only.

This works perfectly fine.

However, if a user is to change her password, Kerberos will call the callback with THREE messages:
i)   Password expired.  You must change it now.
ii)  Enter new password:
iii) Enter it again:

The array of pointers to these messages is handled incorrectly.
It is processed as:
        one single pointer pointing to an array of pam_messages.

However, PAM expects it to be:
        an array of pointers, each pointing to one single pam_message

This makes no difference for one single message, of course.
Hence, the module works perfectly in most circumstances.
However, in the above case, when three messages are to be displayed, it fails. Either authentication is denied or the module segfaults, which is no better ;-)

Users who have to change their passwords are effectively locked out, yielding a Denial Of Service.

The attached patches correct the pointer arithmetic and solve the problem.
I suggest that these patches are merged into the Debian and the Ubuntu packages.

(For the Debian report: the package has been built from the Debian sources on an Ubuntu system)


Reproduction:

[EMAIL PROTECTED]:~# kadmin.local -q "modprinc +needchange klbuch"
Authenticating as principal root/[EMAIL PROTECTED] with password.
Principal "[EMAIL PROTECTED]" modified.
[EMAIL PROTECTED]:~# login klbuch
Password:
Password expired.  You must change it now.
erroneous conversation (491120)
Login incorrect

master login:

With patch applied:

[EMAIL PROTECTED]:~# kadmin.local -q "modprinc +needchange klbuch"
Authenticating as principal root/[EMAIL PROTECTED] with password.
Principal "[EMAIL PROTECTED]" modified.
[EMAIL PROTECTED]:~# login klbuch
Password:
Password expired.  You must change it now.
Enter new password:
Enter it again:
Last login: Sun Sep  3 02:19:51 2006 on pts/4
Linux master 2.6.15-23-server #1 SMP Tue May 23 15:10:35 UTC 2006 i686 GNU/Linux
[...]

Regards,
Joachim


Attachment: libpam-krb5-2.2.REQUIRED_PWCHANGE.patch
Description: Binary data

Attachment: libpam-krb5_1.2.0.REQUIRED_PWCHANGE.patch
Description: Binary data


--- End Message ---
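
Added example (not part of the bug report and not code from libpam-krb5): a C sketch of the two argument layouts the report contrasts, using the three prompts it quotes. The struct, the style and return codes, and all function names are hypothetical stand-ins, so it builds without the PAM headers.

```c
#include <stddef.h>
#include <string.h>   /* strcmp, for callers comparing the prompts */

/* Stand-in for PAM's struct pam_message, declared here so the example
 * builds without <security/pam_appl.h>. */
struct msg { int msg_style; const char *msg; };
enum { STYLE_INFO, STYLE_SECRET };   /* hypothetical style codes */
enum { CONV_OK, CONV_ERR };          /* hypothetical return codes */

/* Application side, reading the argument the way the report says PAM
 * expects it: msg[i] points to the i-th message. Copies the prompt
 * texts into out[] and rejects a slot that holds no message. */
static int app_conv(int num_msg, const struct msg **msg, const char **out)
{
    for (int i = 0; i < num_msg; i++) {
        if (msg[i] == NULL || msg[i]->msg == NULL)
            return CONV_ERR;
        out[i] = msg[i]->msg;
    }
    return CONV_OK;
}

/* Constructed input: the three strings quoted in the report. */
static const struct msg prompts[3] = {
    { STYLE_INFO,   "Password expired.  You must change it now." },
    { STYLE_SECRET, "Enter new password:" },
    { STYLE_SECRET, "Enter it again:" },
};

/* Layout the report describes as the bug: one pointer to the whole array.
 * Slots 1 and 2 are NULL here to stand in for whatever memory follows
 * that single pointer in the real process. */
int call_single_pointer(int n, const char **out)
{
    const struct msg *slots[3] = { prompts, NULL, NULL };
    return (n > 3) ? CONV_ERR : app_conv(n, slots, out);
}

/* Corrected layout: one pointer per message. The messages are also
 * contiguous, so (*msg)[i] and msg[i] name the same element. */
int call_pointer_array(int n, const char **out)
{
    const struct msg *slots[3];
    for (int i = 0; i < 3; i++)
        slots[i] = &prompts[i];
    return (n > 3) ? CONV_ERR : app_conv(n, slots, out);
}
```

With one message both layouts behave the same; with three, only the pointer-array layout delivers every prompt.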
--- Begin Message ---
Source: libpam-krb5
Source-Version: 2.3-1

We believe that the bug you reported is fixed in the latest version of
libpam-krb5, which is due to be installed in the Debian FTP archive:

libpam-krb5_2.3-1.diff.gz
  to pool/main/libp/libpam-krb5/libpam-krb5_2.3-1.diff.gz
libpam-krb5_2.3-1.dsc
  to pool/main/libp/libpam-krb5/libpam-krb5_2.3-1.dsc
libpam-krb5_2.3-1_i386.deb
  to pool/main/libp/libpam-krb5/libpam-krb5_2.3-1_i386.deb
libpam-krb5_2.3.orig.tar.gz
  to pool/main/libp/libpam-krb5/libpam-krb5_2.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russ Allbery <[EMAIL PROTECTED]> (supplier of updated libpam-krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun,  3 Sep 2006 19:39:54 -0700
Source: libpam-krb5
Binary: libpam-krb5
Architecture: source i386
Version: 2.3-1
Distribution: unstable
Urgency: low
Maintainer: Sam Hartman <[EMAIL PROTECTED]>
Changed-By: Russ Allbery <[EMAIL PROTECTED]>
Description: 
 libpam-krb5 - PAM module for MIT Kerberos
Closes: 385774
Changes: 
 libpam-krb5 (2.3-1) unstable; urgency=low
 .
   * New upstream release.
     - Fix prompting when the Kerberos library sends more than one prompt,
       such as for changing an expired password.  Thanks to Joachim Keltsch
       for the analysis and an initial patch.  (Closes: #385774)
     - Add the retain_after_close option.
Files: 
 ea9199ff5be4068ed1a2a93af9156143 651 net optional libpam-krb5_2.3-1.dsc
 5f57ceefe5a39a8f0bb67b6c31def979 115558 net optional libpam-krb5_2.3.orig.tar.gz
 b887e823729acc5aba19d70e47276fc5 9261 net optional libpam-krb5_2.3-1.diff.gz
 90721b425a11a819c63222facd543d57 52658 net optional libpam-krb5_2.3-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE+5LD+YXjQAr8dHYRAn3YAJoDQyeaTcyXB1sf5/pP6ZQQICKvZQCdEoHq
NHljO8r1YBIdNz4g3YFh044=
=1K82
-----END PGP SIGNATURE-----


--- End Message ---
